ISA Firewall Deployment Scenarios

On another flight to Redmond today. I’m participating in the Microsoft Forefront Client Security TAP (Technology Adoption Partners) and we’re having a get together about the product before it hits public beta. Forefront Client Security (FCS) is going to be a killer product and I’ll let you know all about it when the time is right. Look forward to me putting out hundreds of articles and a few books on FCS in the future. Yes, it’s that good! I’ll talk later about my interest in FCS but it’s all related to the Microsoft Forefront Security software initiative, and since the ISA Firewall is a key player in that initiative, I figure I better figure out how to help you integrate the ISA Firewall with all the other Forefront products. The next couple of years are going to rock!

The flight from Dallas to Seattle is about four hours and I always enjoy my trips to the Pacific Northwest. I did my Neurology residency at the Oregon Health Sciences University in Portland, Oregon and learned to love that part of the country during my three years there. I’d probably be living there now if I hadn’t fallen in love with and married a Texas law-woman.

My mind tends to wander on these trips, and it wandered to a topic that I think a lot about: why do people limit themselves to the “hork mode” configuration of the ISA Firewall? It never ceases to amaze me that so many ISA Firewall owners gut the ISA Firewall by deploying it in unihomed “hork” mode and rip out 90% of the security the ISA Firewall can provide the organization. Is it that they’ve all been “hypnotized” by high margin “hardware” firewall salesmen? Do they hang out at ABM’er sites like “firewall wizards” and figure that the ISA Firewall isn’t a real firewall? (If the ISA Firewall can’t be a real firewall, then Check Point must not be a “real” firewall either.) Or is it that the “network guys” who know all about routing and switching protocols decided they should hijack network security?

I’m sure these are just some of the reasons. But ISA Firewall admins who aren’t being pressured by high margin sales guys, ABM’ers, and political intrigue might be deploying the ISA Firewall in Hork Mode simply because they’re not aware of all the deployment options. While there are a few network configuration wizards included with the ISA Firewall, these barely scratch the surface of the ISA Firewall’s capabilities.

How and where could the ISA Firewall be placed on your network? While by no means a comprehensive list of deployment options, here’s a list of a few I thought about while staring out the window as we flew over the Rocky Mountains:

Standard Edition

  • Front-end firewall in single firewall scenario
  • Front-end firewall in back to back firewall scenario
  • Back-end firewall in back to back firewall scenario
  • Parallel firewall in multiple front-end firewall scenario
  • Parallel firewall in multiple back-end firewall scenario
  • Multihomed front-end firewall with dedicated DMZ network NIC(s)
  • Multihomed back-end firewall with dedicated DMZ network NIC(s)
  • Internal network services segment perimeter network firewall
  • Internal department segmentation firewall
  • Multihomed perimeter network firewall with dedicated services networks
  • Dedicated VPN server and gateway
  • Dedicated Web and Server Publishing Firewall
  • Dedicated outbound access control firewall
  • Dedicated outbound access control Web proxy and caching Firewall
  • Branch office multipurpose firewall, site to site VPN gateway and Web proxy and caching server

Enterprise Edition

  • Front-end redundant firewall array in edge firewall scenario
  • Front-end redundant firewall array in back to back firewall scenario
  • Back-end redundant firewall array in back to back firewall scenario
  • Parallel redundant firewall array in multiple front-end firewall scenario
  • Parallel redundant firewall array in multiple back-end firewall scenario
  • Multihomed redundant front-end firewall array with dedicated DMZ network NIC(s)
  • Multihomed redundant back-end firewall array with dedicated DMZ network NIC(s)
  • Internal network services segment redundant perimeter firewall array
  • Internal department segmentation redundant firewall array
  • Multihomed perimeter network redundant firewall array with dedicated services networks
  • Dedicated redundant VPN server and gateway
  • Dedicated Web and Server Publishing redundant Firewall array
  • Dedicated redundant outbound access control firewall array
  • Dedicated redundant outbound access control Web proxy and caching Firewall array
  • Branch office multipurpose firewall, site to site VPN gateway and Web proxy and caching server with centralized management and control

As you can see, there are plenty of deployment scenarios that help you avoid the dreaded “hork mode”!
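Every scenario in the two lists above except the pure Web proxy and Web publishing ones requires the ISA Firewall to be multihomed, so the first thing to check on an existing box is how many IP-enabled adapters it actually has. The following PowerShell script is an added example, not code from the original post or from Microsoft; it reads the adapter configuration through WMI, reports whether the host is unihomed (“hork mode”) or multihomed, and flags one common multihomed mistake: a default gateway configured on more than one adapter, when an ISA Firewall should carry its default gateway only on the External network adapter. The function names, the “likely role” inference from the presence of a default gateway, and the per-adapter output columns are assumptions of this example; nothing here queries the ISA Firewall’s own configuration.

```powershell
# Added example (not from the original article): classify the local host as a
# unihomed ("hork mode") or multihomed ISA Firewall by inspecting its
# IP-enabled network adapters via WMI. Function names are this example's own.

function Get-FirewallNicSummary {
    # Only adapters with an IP configuration matter for ISA networks.
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($nic in $nics) {
        $hasGateway = ($nic.DefaultIPGateway -ne $null) -and ($nic.DefaultIPGateway.Count -gt 0)
        New-Object PSObject -Property @{
            Description = $nic.Description
            IPAddress   = ($nic.IPAddress -join ', ')
            Gateway     = $(if ($hasGateway) { $nic.DefaultIPGateway -join ', ' } else { '(none)' })
            DnsServers  = ($nic.DNSServerSearchOrder -join ', ')
            # Assumption of this example: the adapter carrying the default
            # gateway is the one facing the Internet (ISA "External" network).
            LikelyRole  = $(if ($hasGateway) { 'External (has default gateway)' } else { 'Internal/DMZ (no default gateway)' })
        }
    }
}

function Test-FirewallHoming {
    $summary     = @(Get-FirewallNicSummary)
    $gatewayNics = @($summary | Where-Object { $_.Gateway -ne '(none)' })

    if ($summary.Count -lt 2) {
        Write-Warning ("Only {0} IP-enabled adapter found: this is a unihomed (hork mode) deployment. " -f $summary.Count) +
                      "Only the Web proxy and Web publishing scenarios are available in this configuration."
    } else {
        Write-Host ("{0} IP-enabled adapters found: multihomed deployment, the firewall, VPN and DMZ scenarios are available." -f $summary.Count)
    }

    if ($gatewayNics.Count -gt 1) {
        Write-Warning ("Default gateway configured on {0} adapters. " -f $gatewayNics.Count) +
                      "A multihomed ISA Firewall should have a default gateway only on its External adapter; " +
                      "remove it from the Internal and DMZ adapters and use static routes for remote internal subnets."
    }

    $summary | Format-Table Description, IPAddress, Gateway, DnsServers, LikelyRole -AutoSize
}

Test-FirewallHoming
```

Run it locally on the ISA Firewall host (or remotely with `Get-WmiObject -ComputerName`). A single IP-enabled adapter means the box can only ever be in the Web proxy and Web publishing role; two or more adapters put every scenario in the lists above on the table, provided the default gateway lives only on the External adapter.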

Let me know how you’ve creatively deployed the ISA Firewall so that we can add to this list!

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: [email protected]

MVP — Microsoft Firewalls (ISA)
