Solved

cisco 837 router & isa 2006 firewall - need some advice

Posted on 2012-09-03
1,349 Views
Last Modified: 2012-10-04
hi i have the following:

- windows 2003 dc/ad/dns/dhcp/gpo server
- exchange 2003 server
- host xp pc clients - hosts can browse the internet & send/receive email externally successfully
- isa 2006 firewall (vmdg480/the super box) - set as 'modem-enable' that provides the 'public' ip address to my isa external nic successfully

i was told that it would be preferred if i had hardware cisco router connected in front of the isa server/external nic directly to my local router (vmdg480)!!

->internal network  -->  isa - external --> cisco router  --> vmdg480 --> isp/internet

i do happen to have 1 x cisco 837 router !!!

qns1.  can someone give some advice on whether i use this 'cisco 837 router' or not & any general advice if i was to connect and configure this 'cisco 837', bearing in mind the 'cisco 837 router' would receive the 'public ip address', but what would my isa/external nic receive, unless it would receive a public address automatically ?
Question by:mikey250
8 Comments
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 668 total points
ID: 38366817
You don't need it unless you want to create a DMZ zone between ISA and cisco router
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38366918
You could use it as an extra layer of security and (like fgasimzade said) if you want to create a DMZ.
The thing is that if you have only one public IP that will be on the outside interface of the router. The router will run NAT (from internet to DMZ) and the ISA server will do that a second time (from DMZ to internal network).
This might complicate things unnecessarily and give issues (NAT after NAT).

i was told that it would be preferred if i had hardware cisco router connected in front of the isa server/external nic directly to my local router
Did they give any specific reason why this would be preferred?
 

Author Comment

by:mikey250
ID: 38367315
hi,

qns1.
so i assume that my isa connected via my modem to isp is perfectly fine ?

they may have mentioned about the 'dmz' part but i could not find that comment!

im aware of what a 'demilitarized zone' is but maybe i have not understood properly what purpose it is there for!!!

a dmz allows you to setup a device on your network that is available to anyone on the Internet to access for undefined services.

running a dmz presents a potential security risk to your network, so only do this if you're willing to risk open access.

qns2.

cisco 837

i have not viewed the 'gui' of the cisco 837 yet but if i compare my current netgear router box it has the 'dmz' on: 192.168.0.x, but the dhcp is also on same subnet: 192.168.0.x/24 for the internal network, when i thought the dmz & internal would be on 2 separate subnets for eg: 192.168.1.x & 192.168.2.x ?

qns3. i assume that i would not use my master dc win 2003/dhcp feature & instead use the built-in cisco 837 dhcp feature ?

qn4.  im still thinking about my internal dns & my exchange 2003 server in relation to connectivity by using a dmz as assumed was separated via 2 separate subnets as mentioned above...?

note1.

im assuming if say 30 users then using the 'isa 2006' to separate internal/external is good enough & just install something like antivirus - kaspersky or symantec endpoint or something on the host pc & job done..!!

note2.

im assuming if 100s/1000s of user i assume i would (not) use a dmz and use a cisco router for example configured with (nat) for example & firewall configurations which i believe is: 'cbac'..!!

note3.

i am aware of 'sbs' but currently not using.
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 1332 total points
ID: 38379961
Ans1

so i assume that my isa connected via my modem to isp is perfectly fine ?
No problem if you set up the ISA as it should (securing, hardening, etc). Have a look at: http://www.isaserver.org/tutorials/2004bestpractices-p1.html Though it is for ISA 2004 I found this quite interesting.

a dmz allows you to setup a device on your network that is available to anyone on the Internet to access for undefined services.
running a dmz presents a potential security risk to your network, so only do this if you're willing to risk open access.

Almost. It's not on your network, it's just outside your network and exposed to the internet (on certain ports). So devices in a DMZ can be reached from the internet for certain services and are fully accessible from your internal network but still leaving your internal network protected.

Ans2

i have not viewed the 'gui' of the cisco 837 yet but if i compare my current netgear router box it has the 'dmz' on: 192.168.0.x, but the dhcp is also on same subnet: 192.168.0.x/24 for the internal network, when i thought the dmz & internal would be on 2 separate subnets for eg: 192.168.1.x & 192.168.2.x

Here DMZ means: a machine on your internal network that is exposed to the internet. That's not a real DMZ. A DMZ should be physically separated from your internal network.

Ans3

i assume that i would not use my master dc win 2003/dhcp feature & instead use the built-in cisco 837 dhcp feature

Nope. The 837 is not directly connected to your internal network (the ISA is in between). So use your DC as DHCP (then you also have more options).

Ans4

im still thinking about my internal dns & my exchange 2003 server in relation to connectivity by using a dmz as assumed was separated via 2 separate subnets as mentioned above...?

Ehr, not quite sure what you mean.
 

Author Comment

by:mikey250
ID: 38380729
hi, apologies for longwinded in depth clarification!!!!!!!!!!!!!!!!

yes ive been reading about the 'securing & hardening' - the reason why i ask is because i was told that even though im using isa 2006, it would always be preferable to have a piece of hardware in front of the 'isa' as it is more software. (that was the expression) - but ok understood!!

qns1.
ive also just read one of the 'url's you sent:  

-  http://isaserver.org/articles/2004dumbdownisa.html  -  i understand although im not sure what changes/improvements have been made since isa 2004 to now isa 2006 to then ignore my some explanations about the 'url' above or even my below other questions (as currently i am using 2 nics for internal/external as a member server via gpmc already & have also had previously run the remote vpn via same gpo method & firewall client software used ?

- i did assume though that a cisco 837 was just as good if not better than isa!!!!!!!!!!!

"here dmz means: a machine on your internal network that is exposed to the internet"  - yes i realise!:)

qns2.

"that's not a real dmz.  a dmz should be physically separated from your internal network." - yes exactly a dmz is/should be on a separate subnet - so how can my netgear vdmg480 & my cisco 837 both show the dmz as part of same subnet, as im wondering what kind of setup is required in this case due to being on same setup.  as i can only assume that whatever server is in the dmz, would have no default-gateway or something but have 'dns' added in order to link back to the internal master dc, maybe....!! ?

ans3

i assume that i would not use my master dc win 2003/dhcp feature & instead use the built-in cisco 837 dhcp feature

- "nope. the 837 is not directly connected to your internal network (the isa is in between). so use your dc as dhcp (then you also have more options)."

your comment above, no i was thinking (if i did not use the isa & used 837 & as only a small network then just using the 837 built-in dhcp instead of win 2003 dhcp.yes i realise there are more options.:)


ans4

im still thinking about my internal dns & my exchange 2003 server in relation to connectivity by using a dmz as assumed was separated via 2 separate subnets as mentioned above...?

ehr, not quite sure what you mean.

qns3. regarding above comment:

i would like to setup a dmz so can properly understand as cannot think of what services i would put in a dmz & also have an internal network !!!

i remember when i was working in a datacenter they had a 'dmz' but i never got involved with that at that stage 4 years ago!! ?


determining domain membership

-  http://technet.microsoft.com/en-us/library/bb794718.aspx  -  security guide as u suggested

install the isa server computer in a separate forest (rather than in the internal forest of your corporate network). you help protect the internal forest from being compromised, even if an attack is mounted on the forest of the isa server computer. to experience the administrative and security benefits of isa server as a domain member, we recommend that you deploy the isa server computer in a separate forest with a one-way trust to the corporate forest.

qns4.  im wondering about this 'one-way trust' & why i would put in a separate forest if im setup as a 'member server', as explained above although this maybe specifically isa 2004 & not 2006 ?

qns5. although above mentions separate forest, im now reading the below & not sure ?

"when you install an isa server computer in a separate forest or domain, the use of kerberos constrained delegation is not a viable authentication delegation method. this is because the isa server computer and the published web servers must be in the same domain, and the isa server computer and user must be in the same domain. "

qns6. ive never setup a workgroup with (ldap) b4 as dont understand how this protects (ldap is with dns) as i thought (ldap was for remote type connections) ?

"install the isa server computer in a workgroup and configure lightweight directory access protocol (ldap) authentication. you help protect the internal domain from being compromised, even if an attack is mounted on the isa server computer in the workgroup"

qns7.  im reading through now to see what is relevant to me & once complete it also states to run the 'scw', but i was told by someone else that because i have 2 nics separating the internal/external network, then i would not need to run the 'scw' ?

thanks for the advice though if u dont reply back!!!!! appreciated as am still reading through all 'urls' to grasp your advice!!:)
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1332 total points
ID: 38382711
ad qns1
i did assume though that a cisco 837 was just as good if not better than isa
You can't completely compare the two. Isa has functionality the Cisco hasn't got and v.v. So even better would be to just use them both (from a security point of view).

ad qns2
so how can my netgear vdmg480 & my cisco 837 both show the dmz as part of same subnet, as im wondering what kind of setup is required in this case due to being on same setup.
In this case you could see it like:
internal network  -->  isa - external--> DMZ --> cisco router  
So the subnet between the ISA and the Cisco is your DMZ. This way you can expose servers in the DMZ through the Cisco without exposing your internal network.

as i can only assume that whatever server is in the dmz, would have no default-gateway or something but have 'dns' added in order to link back to the internal master dc, maybe....!! ?
The DG would be the Cisco (it should be able to get out to the internet ;).
And of course you normally wouldn't let a server in the DMZ access the internal network........

ad ans3
no i was thinking (if i did not use the isa & used 837 & as only a small network then just using the 837 built-in dhcp instead of win 2003 dhcp.yes i realise there are more options.
Ah, ok. It's a matter of preference. As long as there is a server on the network I personally prefer to use that as a DHCP.

ad ans 4

?

ad qns3

i would like to setup a dmz so can properly understand as cannot think of what services i would put in a dmz & also have an internal network
If you cannot think of any, you probably don't need it ;)

You could think of a webserver (running your company's website) or an exchange frontend server (for outlook web access) for example.

ad qns4 & 5

ISA should be a completely dedicated and separate server (separated from your internal domain) because like you said, it's still a software based solution. If it's compromised and it's in your domain, attackers could gain a lot of information you don't want them to get.

ad qns7
but i was told by someone else that because i have 2 nics separating the internal/external network, then i would not need to run the 'scw' ?
Oh? I would like to know their motivation behind that.
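The topology Ernie Beek sketches (internal network --> ISA external --> DMZ --> Cisco router) and the "NAT after NAT" he warns about, as an added example in Python that is not part of the thread: it models which address each hop sees and sanity-checks the address plan. The subnets, the ISA/Cisco addresses and the published DMZ web server are constructed sample values, and the public address is a documentation-range placeholder.

```python
"""Added example (not from the thread): a small model of
internal --> ISA external --> DMZ --> Cisco 837 --> internet,
with NAT on the Cisco and a second NAT on ISA.
All addresses are constructed; 203.0.113.10 is a placeholder public IP."""
import ipaddress

# Constructed address plan (assumption): only the Cisco outside interface
# holds the public address; ISA's external NIC lives in the private DMZ subnet.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")        # behind ISA internal NIC
DMZ = ipaddress.ip_network("192.168.1.0/24")          # between ISA external and Cisco
ISA_EXTERNAL = ipaddress.ip_address("192.168.1.2")    # ISA external NIC, DG = Cisco
CISCO_INSIDE = ipaddress.ip_address("192.168.1.1")    # default gateway for DMZ hosts
CISCO_OUTSIDE = ipaddress.ip_address("203.0.113.10")  # placeholder public IP
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
# Cisco static NAT: public tcp/80 published to a constructed DMZ web server
PUBLISHED = {("203.0.113.10", 80): ("192.168.1.20", 80)}


def check_plan():
    """Return a list of problems with the plan: a real DMZ is a private subnet
    that does not overlap the internal one, ISA external and Cisco inside sit
    in it, and the only public address is on the Cisco outside interface."""
    problems = []
    if not (DMZ.is_private and INTERNAL.is_private):
        problems.append("internal and DMZ must use private ranges")
    if DMZ.overlaps(INTERNAL):
        problems.append("DMZ overlaps internal network (not a real DMZ)")
    if ISA_EXTERNAL not in DMZ or CISCO_INSIDE not in DMZ:
        problems.append("ISA external and Cisco inside must be in the DMZ subnet")
    if any(CISCO_OUTSIDE in n for n in RFC1918):
        problems.append("Cisco outside interface should carry the public address")
    return problems


def outbound_path(src):
    """Source address seen at each hop for an internal host reaching the
    internet: NAT once on ISA (to its DMZ address), again on the Cisco."""
    src = ipaddress.ip_address(src)
    if src not in INTERNAL:
        raise ValueError("not an internal host")
    return [str(src), str(ISA_EXTERNAL), str(CISCO_OUTSIDE)]


def inbound_target(dst_port):
    """Where an internet connection to the public address lands: a published
    DMZ host via the Cisco static NAT, or None (dropped at the router, never
    reaching ISA or the internal network)."""
    return PUBLISHED.get((str(CISCO_OUTSIDE), dst_port))
```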
 

Author Comment

by:mikey250
ID: 38396077
hi

in this case you could see it like:
internal network  -->  isa - external--> dmz --> cisco router  
So the subnet between the isa and the cisco is your dmz. this way you can expose servers in the dmz through the cisco without exposing your internal network.

qns1. internal network 10.0.0.x/24  -->  - external (public address) --> dmz - what address --> cisco router - not understanding what addresses would be placed at external onwards ie private or public !!! uuuummm ?

note: i understand my initial setup ie isa/internal/nic - private addr isa/external nic public address

The dg would be the cisco (it should be able to get out to the internet ;).
and of course you normally wouldn't let a server in the dmz access the internal network........

qns2.  if the cisco is infront of the isa/external which currently receives  public then im not understanding what address would be allocated to the cisco ?

qns4.  what kind of server would i put in this dmz - oh ok:

"you could think of a webserver (running your company's website) or an exchange frontend server (for outlook web access) for example."  - so when ive heard of the expression 'front end and backend, ie servers or even an exchange server that receives email at the front end, but is actually sent to the back end to be sent to its destination (as ive read this when setting up exchange 2003. -  uuuummmm

i was advised or at least this is how i understood it that i should make my isa server a member server with 2 nics to separate isa/internal nic from isa/external nic & that was perfectly ok.  also not to add the 'default-gateway' on the isa/internal nic & just point it to the internal dns.  as the isa/external nic already has public ip addresses/default-gateway.  even so when i did add a default-gateway at isa/internal nic, isa detected an error in eventviewer for multiple nics so i removed which resolved issue!!!

reference below, dont quote me but im sure i read someones comments on experts-exchange.com and it was chatting between isa 2004 & 2006, but i cannot quite remember as never used isa 2004.  regarding not using 'scw' ie from my reading it gave the impression that it could be used but did not have to be, so i just assumed that when isa was installed that it automatically blocked services that were not configured through the firewall policy or something!!

"but i was told by someone else that because i have 2 nics separating the internal/external network, then i would not need to run the 'scw' ?
oh? I would like to know their motivation behind that."

isa should be a completely dedicated and separate server (separated from your internal domain) because like you said, it's still a software based solution. If it's compromised and it's in your domain, attackers could gain a lot of information you don't want them to get.
 

Author Closing Comment

by:mikey250
ID: 38462518
now ive had more time to re-read im starting to understand better!! sound advice!!
