If you would like to read the next parts in this article series please go to:
- Teaching the Boss and the Network Guys About the ISA Firewall (Part 2)
- Teaching the Boss and the Network Guys About the ISA Firewall (Part 3)
In most of the articles we do here at ISAserver.org, I cover the how-to’s and the why’s of the ISA Firewall. One thing we really don’t spend enough time on is what the ISA Firewall actually is and where it fits in a network. We take it for granted that everyone already knows, and from there we give you the details on how to get it working and keep it working.
This creates a problem. Many ISA Firewall admins really want to bring the ISA Firewall into their networks but are blocked because the network guys don’t understand the ISA Firewall and the boss usually depends on the network guys to tell him which end eats. In this article series, we’ll go over some information that you might find useful when presenting the features and capabilities of the ISA Firewall to your boss and the network guys.
While some companies are interested only in what ISA Server will do for them, many will want to know how it can protect their networks and increase Web performance, both for internal users accessing the Internet and for external users accessing the company’s own Web sites. Answering these questions requires that you be familiar with common deployment scenarios. When discussing deployment scenarios with the boss and the network guys, emphasize that Microsoft does not prescribe a single preferred scenario; the ISA firewall’s flexible deployment options let you place it where it best meets your company’s security requirements.
How the ISA Firewall Functions as a Front End Firewall on the Internet Edge
You can deploy the ISA Firewall as a dedicated Internet edge firewall acting as the secure gateway to the Internet for internal clients. This is a more common configuration for small and medium sized companies, as large organizations will probably already have a hardware based or other high end firewall deployed on the Internet edge. The figure below shows the ISA Firewall as a front end or Internet edge firewall.
There are a number of advantages to this configuration. All communications into and out of the corporate network are exposed to firewall policy, and all inbound and outbound access can be controlled on a granular, user or group basis. Users only access the content and servers you want them to access, based on the ISA firewall Access Rules and Publishing Rules configured by the ISA Firewall administrator.
Administrators only need to learn how to configure the ISA Firewall software; this avoids the potential for firewall misconfiguration when multiple vendor firewalls are used. This configuration is easy to set up and manage. Management and monitoring can be further enhanced and simplified by using System Center Operations Manager to monitor the ISA firewall.
When acting as an edge firewall, the ISA Firewall is transparent to the other parties in the communication path. Internet users should not be able to tell that a firewall is present, unless a user attempts to access a network service, protocol or site where the ISA Firewall denies access.
The network guys will often ask if the ISA firewall is a “transparent” firewall. The term transparent has multiple meanings that you should be aware of. Some people consider a firewall transparent if they do not need to configure the client systems to become aware of the firewall’s existence. In this respect, the ISA firewall is a transparent firewall. However, other people consider a firewall to be transparent at the network level, where the firewall isn’t assigned any IP addresses so that no changes need to be made to the IP addressing and routing infrastructure. In this case, the ISA firewall is not a transparent firewall, as it does not provide what is commonly referred to as “layer 2” transparency.
By setting security access policies, administrators can prevent unauthorized access and malicious content from entering the network, and can restrict outbound traffic by user and group, application, destination, content, day of the week or time of day.
Features that make the ISA Firewall an appropriate solution on the Internet edge include the following:
- Multilayered traffic screening: stateful packet inspection and application layer inspection
- Intelligent application layer aware inspection filters
- Built-in intrusion detection
- Worm and flood mitigation
- System hardening for locking down the base operating system
- Integrated virtual private networking (VPN)
- Secure branch office gateway
- Secure remote access solution for Microsoft Exchange and SharePoint Portal Servers
- Optimized firewall engine that passes filtered traffic at gigabit speeds
How the ISA Firewall Functions as a Departmental or Back End Firewall
You can deploy the ISA Firewall as a departmental or back end network firewall that provides secure inbound and outbound access control into and out of protected LANs. This is especially attractive to large companies: organizations with existing firewall infrastructures will probably want to keep their current, very high cost firewalls at the Internet edge and offload sophisticated application layer inspection to ISA Firewalls at the LAN edges. This lets the organization make full use of its current high speed Internet connections while benefiting from the level of application layer protection that the ISA Firewall’s inspection engines provide.
The network between the third-party front-end firewall and the ISA firewall is a perimeter network where publicly accessible services can be placed. The third-party packet filtering firewall has an interface directly connected to the Internet and an interface connected to this perimeter network. The ISA firewall has an interface on the perimeter network and an interface on the protected corporate LAN.
For organizations that already have third-party firewall products in place, there are several advantages to this configuration. The organization doesn’t have to perform a major redesign of its current firewall infrastructure. Third-party hardware-based firewalls can perform high-speed packet filtering. This offloads basic stateful packet inspection overhead from the ISA firewall and frees resources on the ISA firewall for deep application layer inspection. In addition, the ISA firewall’s own stateful packet inspection feature set can shore up any inadequacies in the front-end hardware firewall’s stateful packet inspection.
Resources located on the corporate network are protected by the ISA firewall’s enhanced application layer inspection mechanisms. Granular inbound and outbound access control can be done on a user/group basis, and because the ISA firewall’s external interface sits behind the front-end firewall rather than directly on the Internet, the ISA firewall can be made a member of the internal network domain without concern over “direct access” to a domain member from the Internet.
The figure below shows how ISA 2006 functions as a back end firewall.
Features that make ISA Firewall especially appropriate as a departmental or back end firewall include the following:
- Secure Outlook Web Access publishing
- Secure RPC/HTTP publishing
- Secure Internet Information Services Web site publishing
- Secure Exchange RPC publishing
- Secure SharePoint Portal Server publishing
- User/group based access control for all Internet protocols and services
- Integrated site to site VPN to join LANs over the corporate backbone
- Web Proxy chaining with upstream Web Proxy servers
- Existing firewall infrastructure can be left in place; you never need to “rip and replace” to bring in the enhanced protection ISA firewalls provide
- Front-end third-party firewalls help increase ISA firewall performance by removing “garbage traffic”, leaving more processor cycles for the ISA firewall to perform deep application layer inspection
How the ISA Firewall Functions as an Inter-network Access Control Solution within the Organization – Multiple Internal Networks or Dedicated Network Services Segments
Because of the complexity of the security infrastructure required by many organizations today, it’s necessary to maintain multiple security zones within the LAN. Each security zone contains services and data that require variable levels of access. This is particularly important in organizations exposed to regulatory requirements that require strong access controls. It would be very hard to pass a regulatory compliance audit without an intelligent network design that segregates hosts based on the security zones that they belong to.
For example, you might want to place multiple NICs in a single ISA firewall and create a users network, a network services network, an external network, and a public access DMZ network. You can do this with a single ISA firewall with four NICs and configure firewall policy to strictly control traffic between all of these networks.
Another powerful deployment option for the ISA firewall is creating a network services segment. In this scenario, the ISA firewall is placed between a network services segment containing domain controllers, Exchange Servers, SharePoint Portal Servers and SQL servers, and the rest of the corporate intranet: the ISA firewall has a NIC on the network services segment and a NIC on the corporate intranet. This helps protect key network infrastructure servers from both external users and potentially compromised hosts on the corporate network. This is sometimes referred to as “re-perimeterization”.
Users are allowed access to corporate network segments based on restrictive firewall policy. All access through the firewall is logged, which provides a robust chain of evidence for determining what users were accessing through the ISA firewall. The figure below illustrates how this works.
Features that make ISA a great solution for inter-network access control include the following:
- ISA 2006 multi-networking applies firewall policy to all interfaces
- Advanced worm and flood protection stops attackers from flooding the firewall and destination servers
- Enhanced network object definitions make it easy to fine tune access control
- Routing relationships between networks can be set as either NAT or routed
- User/group based access control determines which corporate segments are accessible
- Comprehensive logging and reporting for all user access through the ISA firewall
- Ultra-high security segments can be configured to require VPN access for two factor authentication
- Stateful packet inspection deployed on all interfaces
- Intelligent application filters perform inspection of traffic between LANs
- Intelligent access control and stateful inspection of WLAN traffic further enhance security
How the ISA Firewall Functions as a Branch Office Firewall
You can use the ISA Firewall to connect branch office networks to the main office, employing PPTP, IPSec tunnel mode or L2TP/IPSec site to site VPN connections. You can place an ISA firewall at a branch office, where it acts both as a firewall protecting the branch office network and as a VPN gateway connecting the branch office network to the main office network. ISA 2006’s improved VPN interoperability (IPSec tunnel mode) lets it create site to site links with the third-party VPN gateways you already have in place.
Point out to the network guys that when an ISA firewall is used as a branch office VPN gateway to the main office, they can apply the same strong user/group based access controls to branch office users’ connections to the main office that they use to control users’ access to the Internet. This lets you enforce “least privilege” on connections to the main office and so reduces the attack surface represented by branch office users, who are often held to less rigorous computer security standards than main office users.
A branch office configuration is shown in the figure below.
Features that make ISA Server 2006 the right choice as a branch office firewall include the following:
- IPSec tunnel mode support lets you create site to site links with third party VPN gateways
- PPTP and L2TP/IPSec let you create site to site links with Microsoft VPN gateways
- Strong EAP authentication options enable ultra-secure VPN gateway security
- Stateful packet and application layer inspection over the site to site link determine which resources on the main office network can be accessed by the remote networks
- The ISA firewall controls inbound and outbound access to and from the Internet at the branch office
- ISA Enterprise Edition enables main office ISA firewall administrators to set firewall policy for all branch offices from a single location and deploy that policy automatically
- Intelligent application layer filters perform stateful inspection of traffic between VPN connected LANs
- BITS caching reduces the amount of bandwidth required over the site to site VPN link
- HTTP compression reduces the impact of Web downloads on the site to site VPN link
- Worm and flood protection prevents denial of service attacks from spreading out of compromised branch offices
- Web proxy chaining speeds up branch office Internet access by retrieving content from main office Web proxy arrays
- Diffserv QoS enables branch offices to make the best use of limited bandwidth between main and branch offices
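To make the inter-network access control and branch office discussions above concrete, here is a small Python model of how a multi-network firewall policy evaluates a connection. It is an added example written for this article page; it is not ISA Server code and does not use the ISA administration COM objects. It shows the pieces the two scenarios rely on: network objects bound to segments (users, network services, DMZ, a VPN-joined branch office, and External for everything else), an ordered rule set with first match and an implicit default deny, user/group and time-of-day conditions on rules, and a log entry for every decision. All network names, addresses, group names, ports and rules are constructed assumptions.

```python
"""Model of ISA-style multi-network access policy evaluation.

Added illustration only: not ISA Server code and no ISA COM objects are used.
All network names, addresses, groups and rules are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# One network object per firewall NIC or VPN-joined remote site (assumed addressing).
NETWORKS = {
    "Users": [ip_network("10.10.0.0/16")],
    "NetworkServices": [ip_network("10.20.0.0/24")],  # DCs, Exchange, SQL, SharePoint
    "DMZ": [ip_network("192.0.2.0/24")],              # public access segment
    "BranchOffice": [ip_network("10.30.0.0/16")],     # reached over site-to-site VPN
}


def network_of(ip: str) -> str:
    """Map an address to its network object; anything unlisted is External."""
    addr = ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    src: Tuple[str, ...]                          # source network names
    dst: Tuple[str, ...]                          # destination network names
    protocols: Tuple[Tuple[str, int], ...] = ()   # (proto, port); empty = all traffic
    users: Tuple[str, ...] = ("All Users",)       # "All Users" also matches anonymous
    hours: Optional[Tuple[int, int]] = None       # (start, end) hour; None = any time


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    proto: str
    port: int
    groups: Tuple[str, ...] = ()                  # groups the client authenticated as
    when: datetime = datetime(2006, 10, 2, 10, 0)


def matches(rule: Rule, req: Request) -> bool:
    """A rule matches only if every one of its conditions holds."""
    if network_of(req.src_ip) not in rule.src or network_of(req.dst_ip) not in rule.dst:
        return False
    if rule.protocols and (req.proto, req.port) not in rule.protocols:
        return False
    if "All Users" not in rule.users and not set(rule.users) & set(req.groups):
        return False
    if rule.hours and not rule.hours[0] <= req.when.hour < rule.hours[1]:
        return False
    return True


AUDIT_LOG: List[str] = []   # every decision, allowed or denied, is recorded here


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; the implicit last rule denies everything."""
    for rule in policy:
        if matches(rule, req):
            action, name = rule.action, rule.name
            break
    else:
        action, name = "deny", "Default rule"
    AUDIT_LOG.append(
        f"{req.when:%Y-%m-%d %H:%M} {network_of(req.src_ip)}:{req.src_ip} -> "
        f"{network_of(req.dst_ip)}:{req.dst_ip} {req.proto}/{req.port} "
        f"user={','.join(req.groups) or 'anonymous'} {action.upper()} ({name})"
    )
    return action, name


# Constructed policy: explicit allows only; everything else hits the default deny.
POLICY = [
    # Kerberos/LDAP/HTTPS to the services segment must work before a user can
    # authenticate, so this rule is open to all users; branch users share it.
    Rule("Clients to DC and mail", "allow", ("Users", "BranchOffice"),
         ("NetworkServices",), (("TCP", 88), ("TCP", 389), ("TCP", 443))),
    Rule("Users to Internet web", "allow", ("Users",), ("External",),
         (("TCP", 80), ("TCP", 443)), users=("Domain Users",), hours=(7, 19)),
    Rule("DBAs to SQL", "allow", ("Users",), ("NetworkServices",),
         (("TCP", 1433),), users=("DB Admins",), hours=(8, 18)),
    Rule("Published web server", "allow", ("External",), ("DMZ",), (("TCP", 80),)),
]


def decide(src_ip: str, dst_ip: str, proto: str, port: int,
           groups: Tuple[str, ...] = (), hour: int = 10) -> Tuple[str, str]:
    """Evaluate one connection attempt (on an assumed date, at the given hour)."""
    req = Request(src_ip, dst_ip, proto, port, groups, datetime(2006, 10, 2, hour, 0))
    return evaluate(POLICY, req)


if __name__ == "__main__":
    decide("10.10.5.7", "10.20.0.10", "TCP", 1433)                     # workstation to SQL
    decide("10.10.5.7", "10.20.0.10", "TCP", 1433, ("DB Admins",))     # DBA, office hours
    decide("10.10.5.7", "10.20.0.10", "TCP", 1433, ("DB Admins",), 2)  # DBA at 02:00
    decide("10.30.1.1", "10.20.0.10", "TCP", 1433, ("DB Admins",))     # branch host to SQL
    decide("203.0.113.9", "10.20.0.10", "TCP", 443)                    # Internet to a DC
    print("\n".join(AUDIT_LOG))
```

The point to draw out for the network guys is the ordering and the default: a compromised workstation on the users segment, a branch office host, and an Internet host all fall through to the default deny when they try the SQL or domain controller ports, while the same DBA account is allowed only from the users segment and only during the scheduled hours. Because every decision is appended to the log, including denials, the log doubles as the evidence trail the article describes.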
In this article we began our three part series on “educating the boss and network guys about the ISA firewall”. We went over several common scenarios in which the ISA Firewall can be placed, and how the ISA Firewall’s features and security settings let you shore up the weaknesses in your current firewall infrastructure. In the next article in this series we’ll continue with several more scenarios that will help the boss and the network guys better understand how the ISA Firewall is used to create a more secure infrastructure for companies of all sizes. See you then! –Tom.