Solved

Best way to set up a VPN through an ASA 5505 and ISA 2004

Posted on 2010-11-11
Last Modified: 2012-05-10
I have the following network layout, and I would like to set up a VPN to the internal protected LAN.

[Diagram: General Network Layout]

The SBS 2003 Premium box is running all services, Exchange, SQL, ISA 2004. The setup has worked well for me, and appears to be as secure as it possibly can be considering it is SBS, and that I also run RWW on it. To mitigate the risks, I do run daily vulnerability scanning, and view my security logs. However, I think it may be time to ratchet this up a notch and disable RWW and set up a VPN to the LAN. This appears to be the way to go, even more important now that there are a host of mobile devices that can utilize VPNs.

My question is, which would be the most secure way of achieving this? Should I set up the VPN on the Cisco ASA 5505 and open the necessary ports on the ISA server, or should I open the necessary ports on the ASA, and set up the VPN on the ISA server? Or is there something I am missing, and it should be a combination of the two using a RADIUS implementation, if that is even possible between the two?

Any opinions or links to articles on the subject would be appreciated.
Question by: CALAOMS

7 Comments

Expert Comment

by:pwindell
ID: 34125103
What you have marked as Inside,...is not inside,...it is a DMZ. The Internal Protected LAN is the only internal  that you have.

So what you have is a Back-to-Back DMZ between the SBS/ISA and the ASA,...then you have a second Tri-Homed DMZ hanging off the side of the ASA,...so you have two DMZs

Choices:

Choice #1. On the SBS/ISA change the Network Relationship between Internal and External to Routed. If there are any Publishing Rules on the SBS/ISA they would be changed to Access Rules, and the reverse-NAT rules on the ASA that are companions to those would change to point to the actual IP of the published resource, which may or may not be the external-facing IP of the SBS. Basically you would put ISA "out of the publishing business". Then the VPN would be terminated at the ASA.

Choice #2:  Perform a VPN Passthrough function on the ASA so that the VPN would terminate at the SBS/ISA.  Everything else would be "business as usual".

Choice #3. Ditch the ASA and let the SBS/ISA be the edge firewall, which is what it was designed to do. You can add a third NIC to the SBS/ISA and create a Tri-homed DMZ off the side of it for the Web Server. The VPN would terminate on the SBS/ISA.

Choice #4. Ditch the ISA. Uninstall ISA from the SBS, remove the External NIC, and re-run the Internet connection wizard to re-configure the SBS as a normal single-NIC server. The ASA would then perform all the Firewall and VPN tasks.
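A concrete rendering of Choice #2, added here as an illustration and not taken from the thread, from Cisco, or from Microsoft documentation: an ASA 5505 on pre-8.3 software (the 7.x/8.2 NAT syntax current when this was posted) passing PPTP and L2TP/IPsec inbound to the SBS/ISA external NIC, so the tunnel terminates on ISA and ISA keeps its authentication and access-control role. The addresses (a spare public address 203.0.113.11 mapped to the ISA external NIC at 192.168.1.2 on the ASA "inside" segment, which the thread correctly calls a back-to-back DMZ) and the ACL name OUTSIDE_IN are placeholders.

```cisco
! Added example, not from the thread. ASA 5505, pre-8.3 NAT syntax.
! Assumed addressing (placeholders):
!   spare public address used for the translation ........ 203.0.113.11
!   SBS/ISA external NIC on the ASA "inside" segment ....... 192.168.1.2
! The mapped address must not be the outside interface's own address;
! pre-8.3 "static" does not accept the interface IP for a one-to-one mapping.

! 1. One-to-one static translation for the ISA external NIC.
!    ESP and GRE carry no port numbers, so PAT cannot track them reliably;
!    a one-to-one mapping avoids that problem.
static (inside,outside) 203.0.113.11 192.168.1.2 netmask 255.255.255.255

! 2. Inbound policy: permit only the VPN protocols to that host, nothing else.
access-list OUTSIDE_IN remark PPTP: TCP 1723 control channel plus GRE (IP protocol 47)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq 1723
access-list OUTSIDE_IN extended permit gre any host 203.0.113.11
access-list OUTSIDE_IN remark L2TP/IPsec: IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50)
access-list OUTSIDE_IN extended permit udp any host 203.0.113.11 eq 500
access-list OUTSIDE_IN extended permit udp any host 203.0.113.11 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.11
access-list OUTSIDE_IN remark UDP 1701 stays closed: L2TP must arrive inside the IPsec tunnel
access-group OUTSIDE_IN in interface outside

! 3. PPTP inspection lets the ASA associate the GRE flow with the TCP 1723 session.
policy-map global_policy
 class inspection_default
  inspect pptp
```

If only L2TP/IPsec clients will be used, drop the two PPTP lines and the `inspect pptp` entry, and the outside interface then admits nothing but IKE, NAT-T and ESP to that address. After a test connection, `show access-list OUTSIDE_IN` shows per-line hit counts and `show xlate` shows the static translation in use. ISA itself still has to be configured to accept VPN client connections on its external NIC; that side of the setup is done in the ISA console and is not shown here.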

Author Comment

by:CALAOMS
ID: 34231718
Pwindell,

Yes, I would agree that the physical layout of the network could be considered as two DMZs. and as you suggest most probably is.  I chose the term internal network on the diagram as that is Cisco terminology for this particular interface on the ASA as well as most of their other router/security devices.

I also appreciate your detailed reply as to my options in regards to this.  I had thought about options 2-4, but had no idea that #1 was even an option,  so that gives me more to consider.  

However, I guess the root of my question, is "Which would be more secure?"  Does the ASA provide a more secure/robust VPN, or does the ISA, or is it 6 one way and half a dozen the other?  Knowing the answer to this question, may narrow down my choice from the options listed.

Thanks for your reply

Steve

Expert Comment

by:pwindell
ID: 34233020
Security does not come from the "brand name",...it comes from what you do with it.  The two products are about equal.  But when they first were released the Cisco Firewall had more vulnerabilities,..but since then both companies have patched all their known vulnerabilities.

Secunia Reports
Microsoft ISA Server 2006 Supportability Update
http://secunia.com/advisories/product/26019/?task=advisories_2009
Cisco ASA/PIX
http://secunia.com/advisories/product/16163/?task=advisories

 With the VPN the ISA has authentication abilities and access control abilities that the Cisco box either does not have at all or is at least very difficult to duplicate.   As far as the VPN Tunnel itself,...that is an industry standard,...it is done the same way no matter where the product comes from,...so security is equal.  

However no one is going to break in to the VPN by kicking down the front door,...they are going to get in by social engineering,...by finding a way to get the user to reveal their credentials to them with human-to-human action.  If I have your user's credentials,...none of your security will stop me. How many users who no longer work there still know another user's credentials that still works there?  How many people might they leak that to,...particularly if disgruntled?

Most DMZs make people feel good about themselves but do very little to improve security. All the ways I would try to get into your system would make no difference if you had no DMZ or 10 DMZs. On the LAN I operate (for over the last decade) I run no DMZ, run ISA as the Firewall, and have never had any problem. My ISA is a dedicated machine, nothing on it but ISA itself,...no SBS.
Author Comment

by:CALAOMS
ID: 34233602

“Security does not come from the brand name,...it comes from what you do with it.”
Yes, I know, that is why I asked the question given my network topology.

OK, if as you say both vendors have addressed their known vulnerabilities, then I agree security would be equal.  I was unaware of this, also hence my question.  So now it appears that it would then come down to features and personal preference in making my decision.  

We are a small nonprofit, and do not have the luxury of having separate boxes for ISA, Exchange, SQL, and fileservers, so SBS is the better solution for our situation, and I have to make my decision based on that.

As far as ease of implementation, I will probably set up VPN passthrough on ASA

On a side note, the network topology was not configured as multiple DMZs to increase security or give me a good feeling about myself, it is just the way it evolved over time.  Having said that, I would respectfully disagree with you on the usefulness of DMZs.  I personally would never place a public web server on the same subnet as internal servers of any kind.  By their nature public web servers are more vulnerable to attacks, and having one compromised would compromise the entire network if they were on the same subnet.  Just my opinion.

Accepted Solution

by: pwindell (earned 500 total points)
ID: 34234113
OK, if as you say both vendors have addressed their known vulnerabilities, then I agree security would be equal.  I was unaware of this, also hence my question.  So now it appears that it would then come down to features and personal preference in making my decision.

Exactly.  It really does come down to preference.  The difference between a least secure config -vs- a most secure config in your context, is really not going to be much of a difference at all.  It is reasonably secure either way.

We are a small nonprofit, and do not have the luxury of having separate boxes for ISA, Exchange, SQL, and fileservers, so SBS is the better solution for our situation, and I have to make my decision based on that.

Whether on SBS or not SBS,...ISA has never ever ever been compromised in the entire history of the product,...even the predecessor, MS Proxy2, had no validated recorded instance of being compromised short of the Admin doing it to themselves with some kind of botched configuration. The only issue was CodeRed/Nimda that infected IIS and DoS'ed the MS Proxy2,...but even then it only stopped traffic,...it never let anything in. ISA was not vulnerable to that. So with ISA on SBS it would not bother me a bit to put it right on the network edge with no DMZ. The fears of doing that are industry superstition for the most part. You have to think of the cold mechanics of it without product bias and emotion,...they are not going to hack through it unless you provide them a means to do so (see my final paragraph for an example of that).

As far as ease of implementation, I will probably set up VPN passthrough on ASA

Yes,...that is the approach I would most likely take if I kept the ASA.

Having said that, I would respectfully disagree with you on the usefulness of DMZs.  I personally would never place a public web server on the same subnet as internal servers of any kind.  By their nature public web servers are more vulnerable to attacks, and having one compromised would compromise the entire network if they were on the same subnet.

You're free to disagree of course. But I have no problem with a Web Server on the internal LAN (subnets are not really relevant). I run our second Site that way. You have to consider what "compromised" really means and what that would really mean to a web server. The type of compromises that happen to web servers do not spread to machines on their LAN,...they spread to users accessing the Site (Malware being the biggest example). Again,...superstition,...a compromised web server on the LAN does not mean that the one who compromised it has access to the LAN.

How many times has a legitimate user on a legitimate machine with a legitimate user account had trouble getting to resources on the LAN due to unforeseen issue when they were supposed to have access,...so why is there such a superstition that an illegitimate user in an illegitimate situation going to just breeze through?,....they won't,... it isn't that simple.  Now I am not saying let's all drop our security,...I'm just trying to express the opposite side of the coin to inject some reality for people to think about.

However having the web server on the DMZ does not make it safe for the LAN either. Remember I said that any of the ways I would get into your LAN wouldn't matter how many DMZs you had? If the Web Site uses a Database backend attached to a DB on the LAN then the DB Server becomes the target,..not the Web Server. The Web Server out in the DMZ just becomes the hacking tool against the DB Server. I watched a live hacking demonstration one of the times I was out at MS's HQ in Redmond. The Demo was performed against a Web Server out in the DMZ with a Firewall between it and the LAN. The Demo used SQL Injection to get a hold of a Service Account that had Admin privileges,..then they found an outbound port allowed on the firewall (yes, only outbound),...used the SQL Server to install a remote access tool to communicate outbound to the hacker,...which was then used via the admin level Service Account to change the Domain Admin password, leaving a situation where no one knew what the Domain Admin password was any longer,...except for the Hacker, who was the only one that now knew it.

Moral of the story is that the DMZ was totally useless.  Securing the Web Application was the real solution.  With the Web Application properly secured, it would have been equally secure without a DMZ with both Web and SQL Server sitting on the LAN itself.

Author Closing Comment

by:CALAOMS
ID: 34234880
Yes, I see your point via this albeit sophisticated hacking demo, and I agree that having a hardened web server is your best defense against hacking.  

Thank you for your time.

Expert Comment

by:pwindell
ID: 34238998
You're welcome.
The VPN Passthrough on the ASA would be my first choice.
Good luck with it.

The guy who did the Demo at MS was Jesper M. Johansson,...he's got a PhD in that stuff so he made it look easy.

Security Myths - Jesper M. Johansson and Steve Riley
http://technet.microsoft.com/en-us/library/cc512582.aspx  (Part 1)
http://technet.microsoft.com/en-us/library/cc512607.aspx (Part 2)

Help: I Got Hacked. Now What Do I Do?
http://technet.microsoft.com/en-us/library/cc512587.aspx

Security Spotlight : Jesper Johansson and Steve Riley
http://www.microsoft.com/singapore/technet/flash20050908a2.mspx