RE: ISA Network Elements and System Network Interfaces

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 16 Jan 2006 14:50:28 -0600

Hi Gerald,

Yes, I go into assiduous detail regarding this topic in the book. I even
mentioned that crip mode (unihomed ISA firewall) sees only one network
"internal". 

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx] 
> Sent: Monday, January 16, 2006 2:03 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] ISA Network Elements and System Network Interfaces
> 
> http://www.ISAserver.org
> 
> Tom,
> 
> I haven't read your books on ISA Server as of yet, but it is on my list
> of things to do.
> 
> Having said that, do you go into depth on the differences between the
> network elements in ISA, in which you can define IP networks and use as
> a basis for firewall rules, and the network interfaces on a system?
> 
> Most of the problems I'm currently dealing with - read: cleaning up
> other peoples' messes *8^) - are caused by a misconfiguration of the
> network elements with relation to the network interfaces they
> "represent".  Usually, an engineer has arbitrarily configured network
> elements in ISA to match their sense of organization/propriety without
> any consideration of what the routing table on the local system looks
> like.
> 
> One of the more insidious problems, which ISA server doesn't seem to
> know how to report out on, is when engineers split IP networks that are
> bound to the same network interface on the system between two ISA
> network elements.
> 
> Case in point:
> ISA Server 2004 Standard Edition
> Single Network Adapter
> 
> This box sits in our DMZ (with a firewall in front and behind) and
> services an OWA site over HTTPS that sits in our trusted network.
> 
> An OWA Rule and SSL Listener were created and work fine.  The problem
> came when our organization was attempting to monitor the box and connect
> from other sources that exist in our trusted networks.
> 
> Since there is a single interface on that box, the routing table knows
> only of one route: the default gateway (192.168.0.1).  Any destination
> IP address not of the local IP network (let's say 192.168.0.1/24) will
> have to be reached via the default gateway.
> 
> In their enthusiasm for maintaining security on this box, they broke
> apart IP networks from which traffic would be hitting the ISA server
> into two network elements.  They added IP networks from our trusted
> network into the Internal network element and created a new network
> element named Management, into which they added others (IP networks from
> which we monitor and manage the box).  The IP networks were split
> between the two network elements along the following lines:
> 
> Internal Network Element Addresses
> 192.168.100.1 - 192.168.103.255
> 192.168.150.32 - 192.168.150.63
> 192.168.180.1 - 192.168.180.255
> 
> Management Network Element Addresses
> 10.0.1.224 - 10.0.1.255
> 10.0.3.74 - 10.0.3.74
> 
> A rule was then created that allowed all traffic between the Local Host,
> Internal, and Management network elements, in both directions.
> 
> This resulted in network traffic to/from the Internal network element
> being allowed, but network traffic to/from the Management network
> element was not; ISA happily logged the latter traffic as being denied
> without giving any reason whatsoever.
> 
> Once I moved the IP networks from the Management network element to the
> Internal network element, however, traffic started flowing correctly
> to/from those IP networks.
> 
> Now, on ISA Server 2004 Enterprise Edition, with multiple NICs on the
> system, it at least flags configuration issues like this by complaining
> about IP addresses being treated as spoofed addresses in Alerts. It even
> flags a denied connection in the Monitor as being denied because it was
> treating the traffic as if it came from a spoofed IP address.
> 
> Is this a difference of version or is it a difference between
> multi-homed and single-interface systems?
> 
> In any case, though, at a very basic level, it appears as if the
> following are good guidelines for configuring network elements:
> 
> 1. You only ever want one network element per network interface.
> 2. The IP networks defined in a network element must match what's bound
> to the network interface.
> 
> In the case of a multi-homed system, number 2 becomes much more
> important as the person configuring ISA really, really, really needs to
> understand subnetting and routing tables.  Properly done, a multi-homed
> system will have one default gateway and static route(s) for the other
> interface(s).  If you have an IP network defined in a network element
> for a network interface with static routes defined for it but the IP
> network is not part of those static routes, you'll run into problems.
> 
> And I'd hate to see what kind of grief you'd run into if you configured
> a multi-homed ISA server with more than one default route!
> 
> Thoughts?
> 
> Cordially yours,
> Jerry G. Young II
>   MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>  
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
> 
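The two guidelines Gerald proposes (one network element per interface, and element address ranges that match what the interface's routes actually carry) can be checked mechanically against the routing table. The Python below is an added example written for this page; it is not code from either author, from ISA Server, or from Tom's book. It works on a hand-constructed routing table and address ranges rather than reading the live ISA configuration or `route print` output, and it simplifies ISA's model by leaving out the External network (which ISA defines as everything not in another network). Run against the single-NIC case from the post it reports that Internal and Management both sit on the one interface; run against a hypothetical multi-homed box it reports an element whose ranges leave through two NICs.

```python
import ipaddress
from collections import defaultdict

# --- Constructed sample data (not from the post) ---------------------------
# Case 1: the single-NIC ISA box described in the post. The only routes are
# the adapter's on-link subnet and the default route via 192.168.0.1, so every
# remote address, trusted or management, leaves through the same interface.
SINGLE_NIC_ROUTES = [
    ("192.168.0.0/24", "LAN"),  # on-link network of the only adapter
    ("0.0.0.0/0", "LAN"),       # default gateway 192.168.0.1 is on LAN
]
SINGLE_NIC_ELEMENTS = {
    "Internal": [("192.168.100.1", "192.168.103.255"),
                 ("192.168.150.32", "192.168.150.63"),
                 ("192.168.180.1", "192.168.180.255")],
    "Management": [("10.0.1.224", "10.0.1.255"),
                   ("10.0.3.74", "10.0.3.74")],
}

# Case 2 (hypothetical multi-homed box): default route on the external NIC,
# one static route for the internal NIC, and an Internal element that also
# lists a 10.0.1.x range the static route does not cover. That range will be
# routed out the external NIC, which is exactly the guideline 2 violation.
MULTI_HOMED_ROUTES = [
    ("203.0.113.0/24", "External NIC"),  # on-link
    ("0.0.0.0/0", "External NIC"),       # the one default route
    ("192.168.1.0/24", "Internal NIC"),  # on-link
    ("192.168.0.0/16", "Internal NIC"),  # static route via 192.168.1.1
]
MULTI_HOMED_ELEMENTS = {
    "Internal": [("192.168.0.1", "192.168.255.254"),
                 ("10.0.1.224", "10.0.1.255")],
}


def egress_interface(addr, routes):
    """Longest-prefix match: the interface that carries traffic to addr, or None."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    best_net, best_if = None, None
    for dest, iface in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def block_interfaces(block, routes):
    """Interfaces that carry some part of a CIDR block: the longest match for
    the block's own network address, plus any more-specific route that lies
    inside the block (nested more-specific routes are not resolved further)."""
    ifaces = {egress_interface(block.network_address, routes)}
    for dest, iface in routes:
        net = ipaddress.ip_network(dest)
        if net.prefixlen > block.prefixlen and net.subnet_of(block):
            ifaces.add(iface)
    return ifaces


def element_interfaces(elements, routes):
    """Map each network element to the set of interfaces its ranges egress through."""
    out = {}
    for name, ranges in elements.items():
        ifaces = set()
        for start, end in ranges:
            # ISA elements are start-end ranges; break each into CIDR blocks first.
            blocks = ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end))
            for block in blocks:
                ifaces |= block_interfaces(block, routes)
        out[name] = ifaces
    return out


def audit(elements, routes):
    """Return (finding, subject, details) tuples for the two guidelines."""
    findings = []
    by_iface = defaultdict(set)
    for name, ifaces in sorted(element_interfaces(elements, routes).items()):
        if None in ifaces:
            findings.append(("unroutable_range", name, ()))
        real = sorted(i for i in ifaces if i is not None)
        if len(real) > 1:  # guideline 2: ranges must match one interface's routes
            findings.append(("element_spans_interfaces", name, tuple(real)))
        for iface in real:
            by_iface[iface].add(name)
    for iface, names in sorted(by_iface.items()):
        if len(names) > 1:  # guideline 1: one element per interface
            findings.append(("multiple_elements_on_interface", iface, tuple(sorted(names))))
    return findings


if __name__ == "__main__":
    for label, elems, routes in [("single-NIC", SINGLE_NIC_ELEMENTS, SINGLE_NIC_ROUTES),
                                 ("multi-homed", MULTI_HOMED_ELEMENTS, MULTI_HOMED_ROUTES)]:
        for finding in audit(elems, routes):
            print(label, finding)
```

The check only reads the routing table; it says nothing about why ISA 2004 Standard denies the Management traffic silently while Enterprise raises a spoofing alert, and it will not spot the case Gerald mentions last, two default routes on a multi-homed box, since longest-prefix matching simply picks the first of two equal routes. The value is in running it before touching the rules: a `multiple_elements_on_interface` or `element_spans_interfaces` line tells you the elements disagree with the box's own routing before any connection is denied.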