ISA Server DMZ Scenarios.
A subject that gets a good deal of attention on the www.isaserver.org message boards is that of ISA and DMZ network configuration. ISA Server supports setting up a DMZ segment that separates Internet traffic from your internal network. The DMZ is considered a security zone that allows the partitioning of all Internet traffic away from the internal network.
Setting up a DMZ segment allows you to avoid publishing servers on the internal network. ISA Server makes it easy to publish servers on the internal network. But when you publish an internal network server so that Internet clients can access it, you may create a security risk because if an intruder is able to compromise the internal network server, they may then have access to resources located on the internal network.
To get around this, you can create secure networks outside of the internal network. This is what a DMZ is. The term DMZ or Demilitarized Zone comes from military. The DMZ area is an area that both sides agree there will be no military actions. But if one side does violate the agreement, then both sides can start firing. This is a buffer zone between the two parties and is designed to protect the populace on both sides of the DMZ.
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
|The DMZ configurations we'll go over in this article are:
Each of these DMZs has its own advantages and disadvantages and I'll try to address those in each section.
The Trihomed DMZ
The Trihomed DMZ (sometimes referred to as the "three-homed" DMZ) is created by placing three network cards on an ISA Server located on the edge of the network. The network card placement for the Trihomed DMZ is:
The figure below is my weak attempt at drawing this configuration.
There are a few things to note about the Trihomed DMZ configuration:
Trihomed DMZ Must Have Public IP Addresses
The fact that the DMZ segment on a Trihomed DMZ must have public addresses can't be overstated. We see a lot of people who have problems constructing their DMZ because they try to use private addresses on the DMZ segment. All you accomplish by doing this is to create two internal network interfaces or an external network interface that cannot access internal or external resources.
The DMZ must be configured as an external network interface. External resources are not trusted by the internal network. To configure the DMZ segment as an external network resource, you must NOT put IP addresses in the DMZ segment into the LAT. Only the internal network IP addresses are contained in the LAT.
Packets are Routed to the DMZ - NOT Translated
Packets from the Internet to the DMZ are actually routed to the DMZ. This is in contrast to how packets from the Internet to the internal network are handled. Packets from the Internet to the internal network are translated and not routed (in the strictest sense of the term) to the internal network.
In order to get your DMZ IP addresses in order, you are going to need to subnet your IP address block. One of your network IDs will have to be committed to the external interface of the ISA Server. Any remaining Network ID can be used for your DMZ segment.
You need to know how IP addressing, Variable Length Subnet Masking (VLSM), subnetting and supernetting work if you want to be able to manage your ISA Server and you TCP/IP networks competently. There are several good tutorials on these subnets available on the Internet. Check the "Learning Zone" here at www.isaserver.org for links to good TCP/IP tutorials.
Since packets are routed to the DMZ segment, they bypass the rules engine that would apply if the packets were moving between the internal and external network. The only rules that will be applied to packets moving between the DMZ and the Internet are packet filter rules. Inbound and outbound access to and from the DMZ segment will be controlled by packet filters only.
Configure Packet Filtering and IP Routing
In order for the packet filtering mechanism to work, you will have to enable packet filtering. You also need to enable IP Routing. This can be accomplished by right clicking the IP Packet Filters node in the left pane of the ISA Management console and clicking the Properties command. You will see what appears below:
Make sure both the Enable packet filtering and the Enable IP routing checkboxes are checked.
To sum up the Trihomed DMZ, make sure of the following:
Back to Back DMZ with Private Addresses on DMZ Segment
The back to back DMZ using private addresses is the most secure DMZ configuration that an ISA Server setup has to offer. This configuration uses private IP address ranges on the DMZ segment between the ISA Servers. Because you are using private IP addresses and including the DMZ segment on the external ISA Server's LAT, you can take advantages of many of the ISA Server features that are not available using a Trihomed DMZ that requires the use of public, untrusted IP addresses on the DMZ.
The back to back private address DMZ has the following features:
The back to back private address DMZ is shown in the figure below.
External ISA Server Configuration
The external (or edge) ISA Server has an interface directly connected to the Internet and an interface on the DMZ segment. The DMZ segment IP addresses should be in the LAT. By placing the DMZ segment IP addressing in the LAT, you can control access using Web and Server publishing rules.
Note that even though we have placed the DMZ segment in the LAT of the external ISA Server, Internet traffic is still not trusted by the internal network. Therefore, the traffic generated by Internet requests and responses remain segregated from the internal network. This affords the same sort of protection from Internet traffic as the Trihomed DMZ segment does, and it does it better.
Unlike the unwieldy process of creating packet filters to allow inbound and outbound access from the DMZ, the back to back private IP address DMZ can use publishing rules. If you have Web Servers on the DMZ segment you can use Web Publishing rules created on the external ISA Server. If you have other servers, such as SMTP mail servers, you can use Server Publishing Rules on the external ISA Server.
Internal ISA Server Configuration
The internal ISA Server is configured so that only the IP addresses on the internal network are in the LAT. The DMZ segment, even though it contains private IP address, is considered an untrusted network and therefore should not have its IP addresses contained in the LAT. By removing the DMZ IP addresses from the internal ISA Server's LAT, you successfully segregate traffic on the DMZ away from the internal network.
When configuring your LAT, make sure that you only include the internal IP address ranges. There is an option in the LAT configuration dialog box that allows you to configure the LAT to include all private Network ID address ranges. You do not want to do that because the DMZ includes private IP addresses in a back to back private address DMZ configuration.
Allowing DMZ Servers Access to the Internal Network
If you need to make resources on the internal network available to a server on the DMZ, you can configure a publishing rule that allows only a particular server on the DMZ to access the internal server. You might want to do this if you have a Web Server on the DMZ that needs access to a SQL server on the internal network. You would create a Client Address Set that includes the Web Server's IP address and only allow access to that client address set.
Allowing Outbound and Inbound Traffic to and from the Internal Network
Finally, we need to address the issue of traffic from the internal network leave the external ISA Server. You can configure protocol rules on the external ISA Server that allows the same traffic as that of the internal ISA Server. But you might not want to do that for security reasons.
A better solution is to configure the internal ISA Server to use the external ISA Server in a server chain arrangement. You can configure both the Firewall Service and the Web Proxy service to chain with the external ISA Server. In that way, you do not need to reconfigure a bunch of Protocol Rules to allow outbound access to the allowed protocols configured on the internal ISA Server.
Summing Up Back to Back Private Address DMZ Configuration
To sum up the back to back private address DMZ configuration:
to Back DMZ with Public Addresses on DMZ Segment
Some people might want to configure a back to back ISA Server solution and still use public IP addresses on their DMZ. It might be that they already have a DMZ with machines on it and these machines already have hard coded IP address in the public DNS, and they don't want to have to change the addresses to match the IP address on the external interface of the ISA Server. Or, perhaps their bosses just told them to do it this way.
Whatever the reason, you can implement a back to back ISA Server configuration using public IP addresses on the DMZ segment. However, these are some special considerations you should be aware of:
An example of such a configuration is seen in the figure below.
Create a Bogus NIC
The trick to making the back to back public IP address DMZ configuration to work is to configure the external ISA Server to be a Trihomed ISA Server. The difference between the normal Trihomed ISA Server and this one is that you must configure a bogus NIC. The bogus NIC can be the Microsoft Loopback adapter so that you don't have to spend extra money on a physical device that you won't be using.
The reason why you need to install the bogus NIC is that you have to have a NIC on a private network. ISA Server won't let you install two NICs and make them both external interfaces. If you don't include any addresses in the LAT you'll get an error message that tells you that you must include some addresses in the LAT. If you don't, ISA Server won't work.
Therefore, you need to install the bogus NIC and assign it a private IP address and include that private IP address in the LAT. Once you do that ISA Server will be happy. You don't have to connect it to anything (and if you use the loopback adapter you won't be able to), you just need to assign it an IP address.
It's Just Like a Trihomed ISA Server Configuration
All the other rules that apply to a Trihomed DMZ apply to this scenario as well. You will need to create packet filters to allow outbound and inbound access into and out of the DMZ. You will also have to create packet filters to allow outbound traffic from the internal network as well, since this traffic will leave the internal network and travel through the DMZ to the external ISA Server.
As you can see, the back to back public IP address ISA Server setup can turn out to be a bit of a pain in the neck because of the packet filter requirements. However, if you are accustomed to setting up other firewalls, you find the procedure is similar to that of configuring a packet filtering router as a low end firewall.
To sum up the issues with the back to back public IP address DMZ:
In this article we covered three different ISA Server DMZ scenarios. We took a look at the advantages and disadvantage of the Trihomed DMZ configuration, the back to back private IP address DMZ configuration and the back to back public IP address configuration. Using this information from the article, you'll be able to make an accurate assessment as to what type of DMZ configuration will best meet you needs.
I hope you found this article interesting and/or helpful. If you have any comments or questions on the material in this article, please feel free to post them on the www.isaserver.org message board in the DMZ section. You can also write to me at [email protected] and I'll get to your questions ASAP. Please be sure to put the title of this article in the subject line of the email. Thanks! -Tom.