Best Practices for Creating ISA Firewall Networks
Every time a network interface on the ISA firewall receives a packet, the ISA firewall checks whether the packet’s source IP address is a valid address for the network adapter that received it. If the address is not considered valid, the ISA firewall triggers an IP spoofing alert. An IP address is considered valid for a specific network adapter if both of the following conditions are true:
- The IP address resides in the ISA firewall Network of the adapter through which it was received.
- The routing table indicates that traffic destined to that address may be routed through the adapter belonging to that ISA firewall Network.
A packet is considered spoofed (and therefore dropped) if one of the following is true:
- The packet contains a source IP address that (according to the routing table) is not reachable through any network adapter associated with the ISA firewall Network.
- The packet contains a source IP address that does not belong to the address range of a network (array network for Enterprise Edition) associated with a network adapter.
Note that any IP address not contained in one of the other ISA firewall Networks is considered part of the default External Network. There is only one default External Network. You can define custom ISA firewall Networks of the External type, but they are not the same as the default External Network, because you must explicitly define the address ranges of a custom External Network, whereas the default External Network is simply everything left over.
When the ISA firewall detects a spoofed packet, an alert is triggered indicating the reason that the packet is considered spoofed. You should carefully review the alert, and attempt to correct the issue by doing one of the following:
- Fixing potential configuration errors. Verify whether packets from that IP address should in fact be considered spoofed. If not, determine why the ISA firewall considers them spoofed (typically a Network definition that omits the address, or a routing table entry that sends that address out a different adapter) and correct it.
- Blocking traffic from the IP address. If traffic from the IP address should be considered spoofed, block all access from that IP address.
To avoid traffic from legitimate IP addresses being dropped as spoofed, it is essential that ISA firewall Networks are properly configured. To do this, use the following guidelines:
- The ISA firewall must have at least one NIC configured and enabled (for communication with the default Internal Network). An ISA firewall with only one interface should be configured with the Single NIC template, and is subject to many functional restrictions.
- Do not use DHCP on ISA firewall NICs, except for the adapter associated with the default External Network. A leased address that changes can fall outside the statically defined address range of the ISA firewall Network bound to that adapter.
- A network interface can have zero or more IP addresses, but it can be associated with only one ISA firewall Network, so each IP address belongs to exactly one ISA firewall Network. Address ranges of different Networks must not overlap; if you include the same IP address in two or more ISA firewall Networks, you will receive an error message.
- If you create a custom Internal or perimeter ISA firewall Network, you must have a NIC installed to associate with the new Network. For example, if you have an ISA firewall with two interfaces, one connected to the Internet, and the other connected to the default Internal network, you will need a third interface to define a perimeter Network.
- All IP addresses that can be reached directly from a network interface must be defined as part of the same ISA firewall Network. To ensure that remote subnets that are reachable by ISA Server through a router are correctly configured:
- Be sure that remote subnets are added correctly to the network definition for the adapter where that traffic will be received.
- Verify that the network’s IP address range matches the routing table, and that routes are defined in the routing table for each remote subnet.
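The two validity conditions described at the top of this article, and the remote-subnet guideline just above, can be modelled as a small decision procedure. The following is an added example written for this article, not ISA Server code and not taken from any real ISA configuration: the adapter names (LAN, WAN), the 10.0.1.0/24 and 10.0.2.0/24 subnets and the routes are constructed for the demonstration. It walks a packet from a remote subnet behind an internal router through the three states a misconfiguration typically passes through: subnet missing from the Network definition (spoofed under the second rule), subnet added but no route (spoofed under the first rule), and both present (accepted). It also shows the default External Network as "everything not in another Network" and the overlap check ISA performs when you save Network definitions.

```python
"""Model of the ISA firewall's per-adapter source-address (anti-spoofing) check.

Constructed example: a two-NIC firewall whose Internal network has a remote
subnet behind a router. Network definitions and routes are made up for the
demonstration; they are not taken from any real ISA configuration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net
    adapter: str                      # interface traffic to this prefix leaves through


@dataclass
class IsaNetwork:
    name: str
    adapter: Optional[str]            # NIC associated with this network
    ranges: list = field(default_factory=list)
    default_external: bool = False    # default External = every address not in another network


def validate_networks(networks):
    """ISA refuses definitions where the same address appears in two networks."""
    seen = []
    for net in networks:
        for rng in net.ranges:
            for other_name, other in seen:
                if rng.overlaps(other):
                    raise ValueError(f"{rng} in {net.name} overlaps {other} in {other_name}")
            seen.append((net.name, rng))


def in_network(addr, net, networks):
    """Membership test; the default External network is the complement of all others."""
    if net.default_external:
        return not any(addr in r for other in networks
                       if not other.default_external for r in other.ranges)
    return any(addr in r for r in net.ranges)


def route_lookup(addr, routes):
    """Longest-prefix match; None if no route (not even a default) covers addr."""
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def check_source(src, received_on, networks, routes):
    """Apply both validity conditions; return ('accepted', msg) or ('spoofed', reason)."""
    addr = ipaddress.ip_address(src)
    net = next((n for n in networks if n.adapter == received_on), None)
    if net is None:
        raise ValueError(f"no ISA network associated with adapter {received_on}")
    # Condition 1: source lies in the address range of the network bound to the receiving adapter.
    if not in_network(addr, net, networks):
        return ("spoofed", f"{addr} is not in the address range of network {net.name!r}")
    # Condition 2: the routing table sends traffic for the source out the same adapter.
    route = route_lookup(addr, routes)
    if route is None or route.adapter != received_on:
        via = route.adapter if route else "no route"
        return ("spoofed", f"routing table reaches {addr} via {via}, not {received_on}")
    return ("accepted", f"{addr} is valid for {received_on} ({net.name})")


def build_config(include_remote_subnet, include_remote_route):
    """Two-NIC firewall: LAN NIC on 10.0.1.0/24, remote subnet 10.0.2.0/24 behind a router."""
    internal_ranges = [IPv4Net("10.0.1.0/24")]
    if include_remote_subnet:
        internal_ranges.append(IPv4Net("10.0.2.0/24"))   # remote subnet added to the Network
    networks = [
        IsaNetwork("Internal", "LAN", internal_ranges),
        IsaNetwork("External", "WAN", default_external=True),
    ]
    routes = [
        Route(IPv4Net("10.0.1.0/24"), "LAN"),
        Route(IPv4Net("0.0.0.0/0"), "WAN"),              # default route
    ]
    if include_remote_route:
        routes.append(Route(IPv4Net("10.0.2.0/24"), "LAN"))  # static route to the remote subnet
    validate_networks(networks)
    return networks, routes


if __name__ == "__main__":
    for subnet, route in [(False, False), (True, False), (True, True)]:
        nets, rts = build_config(subnet, route)
        print(f"remote subnet in Network={subnet}, route={route}:",
              check_source("10.0.2.5", "LAN", nets, rts))
    nets, rts = build_config(True, True)
    print(check_source("10.0.1.50", "WAN", nets, rts))      # internal address arriving on WAN
    print(check_source("203.0.113.7", "WAN", nets, rts))    # ordinary Internet source on WAN
```

The point to take from the three runs is that fixing only the Network definition or only the routing table is not enough: the alert text tells you which of the two conditions failed, and the remote-subnet guideline above requires both the Network range and the route to agree before traffic from 10.0.2.0/24 is accepted on the internal adapter.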
For more information on ISA firewall Networks and the ISA firewall’s networking model, check out http://www.microsoft.com/technet/prodtechnol/isa/2006/networks.mspx
Thomas W Shinder, M.D.
MVP -- ISA Firewalls