DMZ configuration

    Question

  • Hi fellow techs,

    I was asked to set up a DMZ. The company has a Cisco 5510 ASA and a server running ISA 2006. It goes like:

    Internet<-->ASA<-->ISA2006<-->LAN. No rules are enforced, the ISA is just a web proxy... nothing relevant sits between the two firewalls.

    Now I was asked to install an additional NIC on the ISA (totalling 3 NICs) and create a DMZ on the extra adapter to publish an IIS server... The request was simply to add a third leg to the ISA server and set some protocol rules as the IIS will have to talk to an SQL server in the LAN.

    I have only ever had experience with back-to-back DMZ. I can't see the need for the extra NIC... I would just put the web server on the DMZ between the firewalls and configure appropriately...

    Am I missing something? This request is like a trihomed DMZ but with two firewalls on the Internet leg... Does that make sense? Is it more or less secure than having Internet<->ASA<->DMZ<->ISA<->LAN (back-to-back config)?

    (let me know if you need a diagram of this!)

    Thanks

    -R

    Thursday, August 12, 2010 5:03 PM

All replies

  • Adding a 3rd NIC is not a bad idea.

    So if I understand correctly, this is what you want:

    Traffic from Internet will hit Cisco ASA then Cisco will send it to ISA and ISA will send it to IIS Server in Perimeter Network (DMZ) and that IIS Server needs to access SQL Server on LAN. Right?

    If the above statement is correct, then this is what we need to do on ISA.

    >> Add 3rd NIC

    >> Create a Network.

    >> Create a Network Rule as "Route" between DMZ and Internal Network.

    >> Create an Access Rule to allow traffic between DMZ and Internal Network.

    >> Also you need to make sure that CISCO ASA is properly configured to send traffic to ISA.

    Hope this helps.

    Thx, Junaid

    Thursday, August 12, 2010 5:36 PM
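    Junaid's last three steps (a Route network rule plus an access rule "to allow traffic between DMZ and Internal Network") are where a tri-homed design either keeps the DMZ isolated or quietly gives that isolation up, which is the point Phil and Jason make later in the thread about the IIS host having to reach the SQL Server on the LAN. The following is an added example, not code from this thread or from ISA Server: a small first-match policy evaluator in Python that models the three-legged layout (Internal, DMZ, and everything else as External), refuses traffic between two networks that have no network rule before any access rule is consulted, and compares a broad allow-all rule between DMZ and Internal with a narrow rule that only admits the IIS host to the SQL Server's listener. All addresses, host roles and port numbers are constructed for the example.

```python
"""Added example: first-match access-policy check for a tri-homed DMZ.

Not code from the thread or from ISA Server. Addresses, hosts and ports
are constructed; the evaluation order (network rule first, then access
rules top to bottom, default deny) mirrors how the thread describes ISA.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the ISA legs. Anything outside these is External.
NETWORKS = {
    "Internal": ip_network("10.0.0.0/24"),
    "DMZ": ip_network("192.168.100.0/24"),
}

# Network rules: with no Route/NAT relationship between two networks,
# nothing passes between them regardless of the access rules.
NETWORK_RULES = {frozenset({"DMZ", "Internal"}): "Route"}

ANY = "*"
IIS = "192.168.100.10"   # constructed: the published web server in the DMZ
SQL = "10.0.0.20"        # constructed: the SQL Server on the LAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # network name or a single host address
    dst: str
    protocols: tuple = (ANY,)   # e.g. ("tcp/1433",) or ("*",)


def network_of(addr: str) -> str:
    """Map an address to the ISA network it belongs to."""
    ip = ip_address(addr)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "External"


def _matches(selector: str, addr: str) -> bool:
    if selector == ANY:
        return True
    if selector in NETWORKS or selector == "External":
        return network_of(addr) == selector
    return ip_address(selector) == ip_address(addr)


def _proto_matches(protocols, flow: Flow) -> bool:
    return ANY in protocols or f"{flow.proto}/{flow.dport}" in protocols


def evaluate(flow: Flow, rules) -> str:
    """Return 'allow' or 'deny' for one flow: first matching rule wins."""
    pair = frozenset({network_of(flow.src), network_of(flow.dst)})
    if len(pair) == 2 and pair not in NETWORK_RULES:
        return "deny"   # no network rule: dropped before access rules run
    for rule in rules:
        if (_matches(rule.src, flow.src) and _matches(rule.dst, flow.dst)
                and _proto_matches(rule.protocols, flow)):
            return rule.action
    return "deny"       # built-in default rule


# The rule as the steps above phrase it: all traffic between the two legs.
BROAD = [
    AccessRule("DMZ to Internal", "allow", "DMZ", "Internal"),
    AccessRule("Internal to DMZ", "allow", "Internal", "DMZ"),
]

# Least privilege: only the web server, only to SQL, only on its listener.
NARROW = [
    AccessRule("IIS to SQL", "allow", IIS, SQL, ("tcp/1433",)),
]

# Constructed sample flows: one the application needs, three it does not.
SAMPLE_FLOWS = [
    Flow(IIS, SQL, "tcp", 1433),          # web app to its database
    Flow(IIS, "10.0.0.30", "tcp", 445),   # SMB to a file server
    Flow(IIS, "10.0.0.5", "tcp", 389),    # LDAP to a domain controller
    Flow("10.0.0.50", IIS, "tcp", 3389),  # RDP from a LAN workstation
]


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Evaluate each flow under both policies: {flow: (broad, narrow)}."""
    return {f: (evaluate(f, BROAD), evaluate(f, NARROW)) for f in flows}


def main() -> None:
    print(f"{'flow':<45}{'broad':>8}{'narrow':>8}")
    for flow, (broad, narrow) in compare().items():
        label = f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}"
        print(f"{label:<45}{broad:>8}{narrow:>8}")


if __name__ == "__main__":
    main()
```

    Running it prints one line per sample flow: the narrow policy still passes the one flow the application needs and refuses the SMB, LDAP and RDP flows that the broad rule would carry, which is the access control Jason later calls the "potential" benefit of a DMZ. On a real ISA server the equivalent review is reading each access rule's protocol list and From/To sets rather than trusting its name.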
  • I agree with you. You are correct and are not missing anything. They already have a DMZ between the firewalls and I would put the server there.
     
    The people asking to do this probably have no idea what they have, and hence don't really know what they are asking. I think you should make it clear to them before you over-complicate the network with two DMZs that it doesn't need.
     
    Something is not automatically more secure or less secure just because there is a DMZ added. Something can be perfectly secure with no DMZ at all,...while at the same time there could be 10 DMZs and someone could go right through all of it in one shot with a VPN if they discovered the correct user credentials that the VPN would need. Now, I don't know of anyone with 10 DMZs,..I'm just trying to make a point.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    • Marked as answer by RyekAzagoth Friday, August 13, 2010 7:52 AM
    Thursday, August 12, 2010 6:09 PM
  • Junaid Jan and Phillip Windell, thank you very very much for your input. I understand that both solutions would *work*. But I'm the kind of guy that likes to get his technical stuff done right, hence I started this discussion here in the forums.

    I want to know from experts like you what is the best possible approach so I can put that forward to the boss ;). I just want to ensure that my idea of back-to-back firewall isn't going to be less secure than the one he requested or I'll look like a fool!

    As such I'd like to encourage more people to reply to this as well and give me your thoughts.

    Thank you

    -ryek

    Thursday, August 12, 2010 6:25 PM
  • There is no "right" way here,..it is all going to be opinions to some degree or another.
     
    No,...putting it in the B2B DMZ that is already there is not going to be less secure.
    ...and in my opinion it will also be better.  Excessive, needless, and pointless complexity is never a good thing. 
    And at least to me, adding a Tri-Homed DMZ simply because someone is ignoring the B2B DMZ that is already there, would be that kind of "bad complexity".
     
    Also, by definition, a Back-to-Back DMZ is considered a stronger, more solid DMZ design than a Tri-Homed DMZ. It is surrounded by firewalls rather than just a dead-end network "dangling" off the side of a single firewall like the Tri-Homed one is.
     

    --
    Phillip Windell
     
    Thursday, August 12, 2010 6:57 PM
  • Yeah, I understand. I think that way as well but wanted to hear from other people.

    Thanks ever so much

    Ryek

    Friday, August 13, 2010 7:54 AM
  • Ok, very well.
     
    This particular subject rarely has a consensus of opinion. So you may end up with a bunch of conflicting opinions, and in many threads I've seen on this subject it sometimes turns into arguments. Although to their credit, I think these MS forums are more disciplined.
     
    Good luck with the project.

    --
    Phillip Windell
     
    Friday, August 13, 2010 1:33 PM
  • The network between the ASA and the ISA is a transit DMZ, and not really a good place to put a web server as the ASA will provide limited benefit for web protocols. This is especially true if the web servers will require or support pre-authentication.

    The better option is to place the web server *behind* ISA and employ its powerful web publishing feature set; you can achieve this by placing the web server into an ISA specific (layer 7) DMZ (as opposed to the layer 3 transit DMZ) or by placing it onto the internal network. By placing it into an ISA DMZ, you can isolate the server in the event of compromise, although it is less likely to be compromised if you are web publishing it using ISA, as opposed to allowing direct 80/443 port access via the ASA.

    Deploying a web server simply behind an ASA when there is an ISA server in the firewall topology already is just criminal IMHO ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, August 17, 2010 12:33 AM
  • Hi Phillip

    I do want to encourage healthy discussions as I feel I will learn in the process. Future readers goo...-I mean "binging"- for this subject might come across this thread and find it useful.

     

    Hi JJ

    Thanks for sharing your opinion with us. So you basically agree with the idea of adding a 3rd NIC to the ISA server and running this trihomed Layer7 DMZ solution behind the ASA? 

    If you don't mind answering please, what is, in your opinion, an ideal DMZ configuration within my current constraints?

    Constraints are:

    1. Can't buy new firewalls (can maybe get another ISA but would like to use different vendors, hence the ASA already in house).

    2. Got to provide best possible security (ties in with using different vendors).

    3. Keep network as simple/lean as possible (to gain senior management (non-IT) approval).

    Thanks in advance

    -R

    Tuesday, August 17, 2010 3:38 PM
  • I think the real problem here is the perception of "what is security?",...or "what is secure?"
    Please tolerate my rambling for a bit...
     
    Yes a Tri-Homed DMZ would work as Jason said.
    I don't think there is any such thing as an "Ideal" DMZ.  Use what you want.   I've been doing this for over 11 years and never run a DMZ,..I run a single firewall (ISA), never been hacked, never had problems,...not even came close, and I work for a mainstream media outlet that would potentially have a fairly big "bullseye" painted on it.
     
    Your constraints:
     
    1. Doesn't really matter,..you already have two firewalls,...there is no reason you'd have to buy anything. You could run 3 DMZs with what you have if you wanted to,...a Tri-Homed DMZ off the side of the Cisco ASA,...a Back-to-Back DMZ between the ASA and ISA,...another Tri-Homed DMZ hanging off the side of the ISA. Then you can add NICs to the ISA till you run out of slots and have more Tri-Homed DMZs hanging off each one. ....And someone could hack right through all of it in one shot with a single flaw in the web site design. Like Jason said, if the Site is in the DMZ then the "hacked" site is not exposed to the LAN (or is it?),...but,...it depends on the nature of the "hack". It does not automatically mean they have access to the LAN even if the web server was on the LAN,.. heck I have users with machines on the LAN as domain members with proper domain credentials that are supposed to be there on purpose and sometimes for whatever reason cannot access resources on the LAN when they are supposed to be able to access them by design (point being that things are just not that simple).
     
    Then even if the Site is in the DMZ does that mean the LAN is safe?,...what about the backend?,...does it use an SQL Server as a back end with the SQL Server on the LAN? The only true live "hacking demonstration" I watched in person (while at MS's HQ) was done by getting Domain Admin Credentials through the SQL Service Account through SQL Injection from the web site that was sitting in the DMZ.
     
    2. "I am secure because I have a DMZ"? No it just does not work like that,..that is just not the right way to even view security. I (me) am secure and have no DMZ. Anyway I really don't know what more I can say there.
     
    3. Simple, lean,...my favorite kind. Hence I have no DMZ and a single Edge Firewall. Security is not a "place" where you arrive and say "Here I am". I am secure [so far] because [so far] no one has gotten into anything that I don't want them to get into. If that changes then I have to change with it.
     
    Summary of my thoughts:
    Am I saying that everyone should be rid of their DMZs because they are useless?,...No I am not.  I guess I am just saying that having one does not mean you are secure,..and not having one does not mean you can't be secure.   Everyone has heard the IT joke about the guy who has his boss ask him, "Are we secure?" and the IT answers, "Yes,..we have a firewall".     That joke could just as easily have used the line, "Yes, we have a DMZ". 
     

    --
    Phillip Windell
     
    Tuesday, August 17, 2010 4:55 PM
  • As Phil knows, I like this particular topic and always enjoy debating it...

    Trouble is, behind the ASA alone is not good enough if you ask me as you cannot then employ ISA/TMG web publishing which adds a lot of value for web server protection; so you need to place the web server behind ISA/TMG on the LAN or create a DMZ behind ISA.

    Creating a DMZ at least provides the "potential" to impose access control between the Internet facing host and the internal network. As discussed by Phil, depending on the protocol access requirements from the DMZ host to the LAN, this may actually negate the benefit of a DMZ at all, but is a worthy topology to consider.

    Placing Internet facing hosts (like web servers) and internal hosts (like domain controllers) in the same security zone, is not ideal if you ask me...hence the ISA DMZ allows for the creation of a new security zone that differs in risk/exposure to the internal network. If you have other security controls on your internal network like VLAN separation, internal firewalls, IPSec isolation etc, then this may again negate the risks of placing the web server directly on the LAN.

    This approach is discussed well here: http://www.isaserver.org/articles/2004multidmzp1.html

    Don't get me wrong, I have nothing wrong with a single edge firewall and no DMZ, but I would want this firewall to be pretty clever (like ISA/TMG). If you want dual vendor B2B then place another vendor firewall at the front, but just make sure ISA/TMG is closest to the assets you are trying to protect most and employ as much layer 7 intelligence as you can ;) 

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, August 17, 2010 5:19 PM
  • Yea, true.  I just don't blame it on the Back-to-Back DMZ as far as designs go, I would blame that on using an ASA instead of ISA/TMG as the "outer" Firewall.   If it was a B2B-DMZ between two ISA/TMGs then that wouldn't be a problem.

    --
    Phillip Windell
     
    Tuesday, August 17, 2010 7:03 PM
  • Thanks guys! Lots of cool advice.

    Phillip and JJ, I understand the ASA's limitations better now and agree with what you say. I guess we'll have to go with the extra NIC for now until the budget situation changes and I can get my hands on TMG. I understand a DMZ is not necessarily secure just for having it but I personally prefer the DMZ approach since it allows for logical separation of network components/zones. Also, senior management at my company feel that a DMZ can be a safety net if properly configured.

    The link on JJ's post also provides excellent information for anyone thinking about back-to-back DMZ config possibilities.

    For the sake of completing the thread for future reference, I also found the following links really useful:

    http://www.isaserver.org/tutorials/ISA_Server_DMZ_Scenarios.html

    http://www.isaserver.org/tutorials/Creating_a_Poor_Mans_DMZ_Part_1__Using_TCPIP_Security.html

    http://www.isaserver.org/tutorials/How_to_use_ISA_Server_Packet_Filters.html

    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgesetup/thread/240225ee-b8b7-4dba-9e96-40388bef869a

    http://www.experts-exchange.com/Microsoft/Windows_Security/Q_24650470.html

    http://www.eggheadcafe.com/software/aspnet/29076010/owa-isa-and-asa.aspx

    Happy reading

    -Ryek

    Wednesday, August 18, 2010 10:16 AM
  • You can do fine with the Tri-homed DMZ and not have to buy anything.
     
    Stay away from the third article. Packet Filters won't have anything to do with anything,...and that article was for ISA2000 which was a completely different architecture.
    Stay away from the "Poor Man's DMZ" article for the same reason.
    Stay away from the "DMZ Scenarios" article for the same reason
     
    The www.isaserver.org is a great site,...but you have to get the right material that fits what you are really using in the right context.
     
    I can't complain about that last link,...since it is me :-) But I don't think it really applies to anything you are doing,...in that I was never really sure about the guy's physical topology and never heard what he ever ended up doing. I do not post at egghead,...those sites just "scrape" (steal) the material from other places like Usenet groups and other forums, or they build a web "front-end" to Usenet Groups, which is what I think Google Groups does. In any case they are misleading people to think that they are the source of the material and that they are the place you have to go to get to the stuff.
     

    --
    Phillip Windell
     
    Wednesday, August 18, 2010 2:10 PM
  • Agree with Phil on the old ISA 2000 articles...for me anything below ISA2k4 doesn't have the correct architecture to be deemed an enterprise firewall...

    The link I provided is probably the best reference for your case as I deliberately tried to find the most appropriate one for you ;)

    Cheers

    JJ 


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, August 18, 2010 9:00 PM