Firewall box with W2000 - domain?


Majstor

Hello,

I plan to install W2000 Server with 3 NICs (firewall service provided by
ISA Server or a 3rd party).
1 NIC is on the LAN - 10.x.x.x (all computers and all users in 1 domain with 1
DC).
1 NIC is in the DMZ - 192.168.x.x
1 NIC is on the Internet

May this box belong to the internal W2000 domain, and what role in the domain should
it have (member server, standalone server or ...)?
Especially regarding the possibility of Internet attacks; also, external VPN
clients should be able to authenticate to the internal domain!

Hello,
Vladimir
 

Marc Reynolds [MSFT]

I would make it a member server in the Internal domain.

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Phillip Windell

First I have to say that my comments are my opinions. The type of
question you asked tends to create "Ford vs Chevy" arguments and I
don't care to get into one.

In my opinion...
A Tri-Homed DMZ (as you are describing) provides pretty much the same
protection as running two nics without the DMZ, but you just don't
have the same DMZ to place servers into. This would be fine for me
since I am not a big fan of DMZs and I think their "need" has been
over-blown. I do not use a DMZ and have no desire to do so, but they
do have their place.

VPN is a product of RRAS, not really ISA. The ISA's "VPN Wizard", to
my knowledge, is really just configuring RRAS for you "behind the
scenes". You should have no trouble setting up VPN with a Tri-Homed
DMZ or no DMZ, but I think a "Back-to-Back DMZ" would be a real
hair-puller.


--

Phillip Windell [CCNA, MVP, MCP]
(e-mail address removed)
WAND-TV (ABC Affiliate)
www.wandtv.com
 

Majstor

What is "BackToBack DMZ"?


 

Phillip Windell

If you have to ask,...you probably don't want one.

Private Net --->ISA#1(or firewall)--->DMZ--->ISA#2 (or firewall)--->
Internet


--

Phillip Windell [CCNA, MVP, MCP]
(e-mail address removed)
WAND-TV (ABC Affiliate)
www.wandtv.com

Majstor said:
What is "BackToBack DMZ"?


 

Majstor

OK,

Concerning the 3 or 2 NIC firewall solution: I currently have a 2 NIC solution, but
the firewall is actually not on the 2 NIC box; instead, we have a Cisco router
between this box and the Internet with access lists configured, and the public
services (Web, Exchange, DNS) are on the 2 NIC box!!
What do you think about this solution?
And what if I wished to deploy a firewall (for instance ISA) on the 2 NIC box
and remove the drag from the router? I know that it is not clever to put public
services on the firewall box, but is it smarter to put them inside?
So, that's why I started to think about a DMZ!!

Please, give some comment,

Regards,
Vladimir
Phillip Windell said:
If you have to ask,...you probably don't want one.

Private Net --->ISA#1(or firewall)--->DMZ--->ISA#2 (or firewall)--->
Internet


 

Phillip Windell

Majstor said:
Concerning the 3 or 2 NIC firewall solution: I currently have a 2 NIC solution, but
the firewall is actually not on the 2 NIC box; instead, we have a Cisco router
between this box and the Internet with access lists configured, and the public
services (Web, Exchange, DNS) are on the 2 NIC box!!
What do you think about this solution?

I don't understand your setup.
So the Cisco router is also providing packet filtering via ACLs,
correct?
What does the two NIC box do then? Provide only NAT? Via RRAS?

Majstor said:
And what if I wished to deploy a firewall (for instance ISA) on the 2 NIC box
and remove the drag from the router? I know that it is not clever to put public
services on the firewall box, but is it smarter to put them inside?
So, that's why I started to think about a DMZ!!

That's another potential Ford vs Chevy argument. I believe in putting
publicly exposed machines directly on the outside. Then if they get
hacked, the hacker is at least still on the outside and the only
victim is the one machine. If it is behind a firewall or ISA you still
have to expose its ports to the outside if you expect visitors to get
to it, and if it gets hacked then the machine or the hacker potentially
has access to the rest of your internal machines because that is where
the "hacked" machine resides.


--

Phillip Windell [CCNA, MVP, MCP]
(e-mail address removed)
WAND-TV (ABC Affiliate)
www.wandtv.com
 

Majstor

Phillip Windell said:
I don't understand your setup.
So the Cisco router is also providing packet filtering via ACLs,
correct?
What does the two NIC box do then? Provide only NAT? Via RRAS?


Yes, actually my 2 NIC box (connected to the public Cisco router by a direct
cable) does no firewalling, but it does a lot of other stuff like
Web, DNS, Email, ISA proxy, RRAS NAT and VPN service... But RRAS NAT does not
support VPN PPTP clients from my LAN who want to access VPN servers
elsewhere, so I am thinking of moving to ISA "integrated" (I was told that it
supports this).

So,
you think that the firewall service should be on the 2 NIC box, not outside; I get
it. And you think that public services should certainly not be on the private
range; so do I.
But I still didn't get where you would put the public services: if not on the
firewall 2 NIC box, then you'd have them on a public server plugged into the public
switch along with the 2 NIC box and the public router? I don't see any other
solution.


Thanks for assistance,
Vladimir

 

Jens Ehrich

Hi Vladimir,

I thought I should warn you: the DMZ on a tri-homed ISA server _must_
be a subnet of your PUBLIC network block. AFAIK, this means you can't
do it with a single public IP address. Here's a great article that
will get you started and explain some of the related issues:

http://www.isaserver.org/tutorials/Creating_a_Poor_Mans_DMZ_Part_1__Using_TCPIP_Security.html

Also, if I remember correctly, you'll be limited to using the packet
filters when publishing services. I imagine that publishing FTP
servers would be a nightmare.

Check out the ISA Server Administrator's Pocket Consultant by MS
Press. A great reference IMHO, if you do a lot of ISA server work.

To secure your web server, you might consider placing it on the LAN
and isolating it from the rest of your machines by putting it in a
different domain (or just a workgroup), creating IPsec policies that
prevent it from communicating with anything but your ISA server, or
using the VLAN features of your switch to accomplish the same.

Good luck with this!

Regards,

Jens Ehrich MCP, MCSE
Technique Microsystems Ltd.
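As an added illustration (not code from any poster in this thread), the following Python model compares the blast radius of a compromised web server under the placements argued above: Phillip's "directly on the outside", the tri-homed DMZ leg, inside the LAN, and Jens's inside-but-isolated variant. Host names, ports and rules are constructed and hypothetical; the only fixed assumption is that the ISA/RRAS box must publish PPTP so external VPN clients can reach the domain.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    zone: str
    ports: tuple                        # ports the host listens on
    peers: Optional[frozenset] = None   # Jens's isolation: hosts it may talk to; None = any

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int] = None          # None matches any port

def flow_allowed(rules, hosts, src, dst, port):
    """Default deny between zones; same-zone traffic sees no firewall at all."""
    s, d = hosts[src], hosts[dst]
    if s.peers is not None and dst not in s.peers:
        return False                    # host-level IPsec policy / VLAN allowlist on the source
    if s.zone == d.zone:
        return True
    return any(r.src_zone == s.zone and r.dst_zone == d.zone
               and (r.port is None or r.port == port) for r in rules)

def blast_radius(rules, hosts, compromised):
    """Hosts that an attacker holding `compromised` can open a connection to."""
    return sorted(h for h, host in hosts.items() if h != compromised
                  and any(flow_allowed(rules, hosts, compromised, h, p) for p in host.ports))

# Constructed inventory (hypothetical names): the poster's one-DC LAN and the
# ISA/RRAS box, which has to publish PPTP (1723) so external VPN clients get in.
LAN = {"dc": Host("lan", (88, 389, 445)), "files": Host("lan", (445,)),
       "isa": Host("lan", (1723,))}
VPN_PUBLISHED = Rule("internet", "lan", 1723)

def placements():
    """Blast radius of a compromised web server under each placement in the thread."""
    cases = {
        # Phillip: on the public switch, outside the firewall entirely
        "outside": ({**LAN, "web": Host("internet", (80,))}, [VPN_PUBLISHED]),
        # tri-homed DMZ leg, with only port 80 published into it
        "dmz": ({**LAN, "web": Host("dmz", (80,))}, [VPN_PUBLISHED, Rule("internet", "dmz", 80)]),
        # on the LAN, published through the firewall
        "inside": ({**LAN, "web": Host("lan", (80,))}, [VPN_PUBLISHED, Rule("internet", "lan", 80)]),
        # Jens: on the LAN, but an IPsec/VLAN allowlist lets it reach the ISA server only
        "inside_isolated": ({**LAN, "web": Host("lan", (80,), frozenset({"isa"}))},
                            [VPN_PUBLISHED, Rule("internet", "lan", 80)]),
    }
    return {name: blast_radius(rules, hosts, "web") for name, (hosts, rules) in cases.items()}
```

Note that the "outside" placement still reaches whatever is published through the firewall (here the VPN port on the ISA box), which is the caveat behind Phillip's remark that exposed ports must be opened wherever the server sits.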
 
