As previously mentioned, ISA is fully capable of supporting numerous networks, and makes it possible to create firewall rules that specifically allow or deny traffic from certain networks to other networks. For example, HTTP traffic could be allowed by default from the internal network to the external network, but not from the internal network to the perimeter network. Many different scenarios exist for these types of deployments, and it is therefore ideal to gain a better understanding of how ISA defines networks and how an ISA firewall can be set up to protect them.
Understanding ISA's Concept of a Network
The standard definition of a network, loosely described, is quite simply a group of interconnected computers and network devices, all able to communicate with each other on the same segment.
ISA Server 2004, on the other hand, actually defines a network in a somewhat different way. A network in ISA Server 2004 is all the connected physical networks that are routable from one of ISA's network cards. For example, in Figure 5.3, ISA defines the physical network subnets of 10.10.1.x, 10.10.2.x, 10.10.3.x, 10.10.10.x and 10.10.11.x as one ISA network, because only a single network card is connected to the logical grouping of subnets (10.10.1.1).
Figure 5.3. Understanding ISA networks.
Any time ISA sees source IP addresses within the range that it has defined for this network, it assumes that they originated from that network.
It is important to list all the physical subnets of which a network is composed in the ISA Console. If all subnets are not listed, ISA assumes that clients in unlisted subnets are simply spoofing their IP addresses, and denies them access through the server.
Each network is defined on the ISA server itself and can be viewed from the Networks tab of the Networks node, similar to what is shown in Figure 5.4.
Figure 5.4. Viewing ISA networks.
Creation of new networks can be accomplished by using the Create a New Network task in the task pane or through running the Network Template Wizard, described in the following section of this chapter.
Understanding Network Rules with ISA Server 2004
Network Rules in ISA Server 2004 define the relationships that exist between the various defined ISA networks. Two types of relationships can be defined as part of ISA network rules, and it is important to understand the differences between the two. The two forms of network relationships are
- Network Address Translation (NAT) A NAT relationship between networks is one where the source IP of a client is hidden, and instead replaced by the IP address of the ISA server on the destination network. This is most often the type of relationship that exists between a private IP range on an internal network, such as 10.x.x.x or 192.168.x.x, and a public IP range, such as the IP addresses on the Internet. In this scenario, when a client with an IP address of 10.10.10.200 tries to access a web server on the Internet, the web server sees the request coming from the Internet IP address (such as 126.96.36.199) of the ISA Server. This concept allows for large IP ranges to be established on an internal network without any waste of the dwindling supply of public IP addresses on the Internet.
- Route A route relationship defined between ISA networks essentially allows the ISA server to act as a router between two distinct network segments. When resources from one network are requested in another, the requester and the target see the real IP addresses of each other. Simply creating a route relationship does not open communications between networks, however: ISA requires firewall rules to be set up for that functionality. The relationship simply defines how allowed traffic will be handled.
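The following added example is a small Python simulation written to accompany this section; it is not ISA Server code and does not use ISA's administration object model. It models three points made above: a network is the set of subnets routable from one adapter, a source address that does not belong to the network bound to the adapter it arrived on is treated as spoofed and dropped, and a network rule only decides whether the target sees the client's real address (route) or ISA's address on the destination network (NAT), while a firewall rule is still required before any traffic passes. The adapter names, subnets, and addresses (10.10.x.x, 192.168.50.x, 203.0.113.10, 198.51.100.7) are constructed sample values, not the topology of Figure 5.3.

```python
"""Simulation of ISA Server 2004 network classification, anti-spoofing,
NAT/route network rules and the firewall-rule requirement.

Illustrative model only (added example, not ISA code or its COM API).
All adapter names, subnets and IP addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class IsaNetwork:
    name: str
    adapter: str          # the NIC from which every listed subnet is routable
    subnets: list         # every physical subnet that composes this ISA network
    isa_address: str      # ISA's own address on this network (used when NATing)


@dataclass
class NetworkRule:
    source: str
    destination: str
    relationship: str     # "NAT" or "Route"


@dataclass
class FirewallRule:
    action: str           # "Allow" or "Deny"
    protocol: str
    source: str
    destination: str


class IsaFirewall:
    def __init__(self, networks, network_rules, firewall_rules):
        self.networks = networks
        self.network_rules = network_rules
        self.firewall_rules = firewall_rules

    def network_for(self, ip):
        """Return the ISA network owning an address (most specific subnet wins,
        so a catch-all 0.0.0.0/0 External network never shadows Internal)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net in self.networks:
            for subnet in net.subnets:
                subnet = ipaddress.ip_network(subnet)
                if addr in subnet and (best is None or subnet.prefixlen > best[0]):
                    best = (subnet.prefixlen, net)
        return best[1] if best else None

    def classify_source(self, src_ip, ingress_adapter):
        """Anti-spoofing: the source must belong to the network bound to the
        adapter the packet arrived on. An address from a subnet that was not
        listed for that adapter's network is therefore treated as spoofed."""
        net = self.network_for(src_ip)
        if net is None:
            return None, "spoofed: source is not in any listed subnet"
        if net.adapter != ingress_adapter:
            return None, f"spoofed: {net.name} address arrived on {ingress_adapter}"
        return net, "ok"

    def relationship(self, src_net, dst_net):
        for rule in self.network_rules:
            if rule.source == src_net and rule.destination == dst_net:
                return rule.relationship
        return None

    def evaluate(self, src_ip, dst_ip, protocol, ingress_adapter):
        src_net, why = self.classify_source(src_ip, ingress_adapter)
        if src_net is None:
            return {"verdict": "Deny", "reason": why}
        dst_net = self.network_for(dst_ip)
        if dst_net is None:
            return {"verdict": "Deny", "reason": "destination is not in any network"}
        rel = self.relationship(src_net.name, dst_net.name)
        if rel is None:
            return {"verdict": "Deny",
                    "reason": f"no network rule from {src_net.name} to {dst_net.name}"}
        # A network rule alone never opens traffic: a firewall rule must allow it.
        for fw in self.firewall_rules:
            if (fw.protocol, fw.source, fw.destination) == (protocol, src_net.name, dst_net.name):
                if fw.action != "Allow":
                    break
                # NAT hides the client behind ISA's address on the destination
                # network; a route relationship passes the real source address.
                seen = dst_net.isa_address if rel == "NAT" else src_ip
                return {"verdict": "Allow", "relationship": rel,
                        "reason": "firewall rule matched", "source_seen_by_target": seen}
        return {"verdict": "Deny", "relationship": rel,
                "reason": "no firewall rule allows this traffic"}


def build_sample_firewall():
    """Constructed sample topology (not the book's figure): three NICs, an
    Internal network spanning three subnets, a Perimeter (DMZ) and External."""
    networks = [
        IsaNetwork("Internal", "nic-internal",
                   ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"], "10.10.1.1"),
        IsaNetwork("Perimeter", "nic-dmz", ["192.168.50.0/24"], "192.168.50.1"),
        IsaNetwork("External", "nic-external", ["0.0.0.0/0"], "203.0.113.10"),
    ]
    network_rules = [NetworkRule("Internal", "External", "NAT"),
                     NetworkRule("Internal", "Perimeter", "Route")]
    firewall_rules = [FirewallRule("Allow", "HTTP", "Internal", "External"),
                      FirewallRule("Allow", "DNS", "Internal", "Perimeter")]
    return IsaFirewall(networks, network_rules, firewall_rules)


if __name__ == "__main__":
    fw = build_sample_firewall()
    print(fw.evaluate("10.10.2.50", "198.51.100.7", "HTTP", "nic-internal"))  # Allow via NAT
    print(fw.evaluate("10.10.2.50", "192.168.50.5", "DNS", "nic-internal"))   # Allow via route
    print(fw.evaluate("10.10.2.50", "192.168.50.5", "HTTP", "nic-internal"))  # route, but no rule
    print(fw.evaluate("10.10.9.5", "198.51.100.7", "HTTP", "nic-internal"))   # unlisted subnet
```

Running the block shows the two allowed flows differing only in which source address the target sees, an HTTP request to the DMZ being denied even though a route relationship exists, and a client in the unlisted 10.10.9.0/24 subnet being dropped as spoofed because its address falls into the External network, which is not the network bound to the internal adapter.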
Working with the Default Network Templates
ISA Server 2004 streamlines the way that networks, network rules, and firewall rules are applied to new servers by including default templates that can be applied to servers. These templates define what role an ISA server holds and set up the appropriate types of access to match that role.
Network templates support various ISA deployment options, including firewall deployments. The various network templates that are included in ISA Server 2004 Standard Edition are as follows:
- Edge Firewall This template configures the ISA Server as a dual-NIC system that provides traditional firewall functionality, with one NIC connected to the Internet and the other to the Internal network. This template is the traditional deployment model for ISA Server.
- 3-Leg Perimeter This template expands the edge firewall template design to include a third NIC connected to a perimeter (DMZ) network.
- Front Firewall A front firewall is an ISA Server that is deployed as a dual-NIC server, but one that works in combination with a back firewall to provide two routes out of a network that is sandwiched between both ISA firewalls.
- Back Firewall The back firewall template applies rules that provide for the second ISA Server in the front/back firewall design already described.
- Single Network Adapter A single network adapter template, commonly deployed for caching-only servers or for reverse-proxy capabilities in an existing packet-filter firewall DMZ, provides a template for a server with a single NIC. Although not a traditional firewall, this configuration is actually quite common for securing services such as OWA and websites.
Deploying an ISA Firewall using the Edge Firewall Template
When deploying ISA Server 2004 as a firewall, which is the focus of this particular chapter, several of the default network templates can be used to configure the initial server settings. Each template is used in different scenarios, depending on the specific firewall role that the ISA server is to fulfill. The most basic ISA firewall is the edge server role, and the process for configuring an edge server is described in the following section.
If the firewall to be deployed has three NICs and will be deployed with a perimeter (DMZ) network, the 3-leg perimeter template would be the logical choice instead. A specific example of deploying the 3-leg perimeter network template is provided in Chapter 3, "Exploring ISA Server 2004 Tools and Concepts."
To use the Network Template Wizard to configure a new ISA Server system as an edge firewall, perform the following steps:
Open the ISA Server Management Console and select the Networks Node by clicking on it in the Console tree.
Select the Templates tab in the Tasks pane.
Click on Edge Firewall from the list of templates, as shown in Figure 5.5.
Figure 5.5. Viewing the network templates.
At the Welcome dialog box, click Next to continue.
Ignore the Export dialog box and click Next to continue.
The Network Template Wizard overwrites current configuration settings, including firewall policy rules and network rules. It was designed to be used when deploying new servers, and would normally not be used to modify existing settings. If a new network were added, for example, it would make more sense to simply manually create the network, rather than have the template wizard overwrite existing customizations.
At the subsequent dialog box, which allows for the internal network to be configured, click Add Adapter.
Check the box for the network card that is attached to the internal network.
When finished adding all IP ranges that should compose the internal network, click Next to continue.
The subsequent dialog box, shown in Figure 5.6, allows for the creation of a default policy, which will automatically create firewall rules based on the needs of the organization. Carefully review which policy will be needed by clicking on each option to see which rules will be created. The policies listed are described as follows:
- Block All This option does not create any firewall rules automatically. It is up to the administrator to create the appropriate policies after the wizard has been run.
- Block Internet Access, Allow Access to Network Services on the Perimeter Network This policy creates default rules that allow only limited DNS traffic from the Internet network to the DMZ network.
- Block Internet Access, Allow Access to ISP Network Services This option creates rules that only allow DNS access from internal clients to the external network. It is used in situations when clients get their DNS services from an Internet Service Provider (ISP).
- Allow Limited Web Access This option, more common in many organizations, creates firewall rules that allow web browsing via the HTTP, HTTPS, and FTP ports to the external network. It also creates rules that grant VPN clients full access to the internal network.
- Allow Limited Web Access, Allow Access to Network Services on Perimeter Network This option configures the same rules as the preceding option, with the addition of DNS access to the DMZ network.
- Allow Limited Web Access and Access to ISP Network Services This option configures the same rules as the Allow Limited Web Access option, with an additional rule to allow DNS to the external network (for ISP services).
- Allow Unrestricted Access This option, although definitely not the most secure, opens all ports from the internal protected networks to the Internet and to the DMZ network. It does not, however, allow the external network to have any type of access to internal networks.
Figure 5.6. Creating a default policy for the ISA network template.
Select the firewall policy from the options, using the preceding criteria as a guideline. In this example, the Allow limited web access, allow access to network services on Perimeter network policy is chosen. Click Next to continue.
Review the options on the completion dialog box and click Finish to create and apply the template, network rules, and firewall rules.
Click the Apply button that appears in the upper portion of the Central Details pane.
Click OK at the configuration confirmation dialog box.