Hi, I've been reading about ISA 2006 and securing the deployment:
Note: these comments below are what I found in the above 'url' and would appreciate some advice!
"To help protect from man-in-the-middle attacks on the Address Resolution Protocol (ARP) cache, we recommend that you place a router before the ISA Server computer. This is because ARP packets cannot be routed through a router. When ISA Server shares a physical network with an untrusted network, we recommend that you configure ISA Server to perform static ARP. For optimal security, we recommend that you add a static ARP entry for the default gateway and on other hosts on the same physical network."
Note: my internal network, separated via ISA 2006/internal (member server), is using a 'class A' address, i.e. 10.0.0.x/23.
Note: I currently have no site-to-site VPNs/branch offices or anything like that, as I just use ISA for the firewall to protect internal domain users, although I may add a remote VPN for those users wishing to work from home, but at the moment it is not added yet.
Qns 1. My network is in a domain (not a workgroup), so I'm not sure if adding a router behind the ISA 2006 server is relevant, as suggested below, until I read the above URL, but I would like to know the answer?
Regarding the comments below, I already have a single Cisco switch for my internal LAN network and at the moment I have not added the following, but I'm not sure if this relates to Qns 2 below:
"Protect against layer 2 attacks by deploying security solutions such as layer 2 ISA and static MAC or port associations on switches."
switchport mode access - added
spanning-tree portfast - added
switchport port-security - not added yet
switchport port-security maximum 1 - not added yet
switchport port-security mac-address xxxx.xxxx.xxxx - not added yet, as what MAC?
Note: the above will obviously relate to the specific PC or server plugged in, for e.g.
The paragraph below instructs that, instead of an internal network directly connected to the ISA/internal NIC, I should put a router before the ISA/internal NIC and, as a result, for optimal security I should add 'a static ARP entry for the default gateway and on other hosts'. If so, is the below correct?
arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where n's are the IP address and e's are the Ethernet MAC address)
e.g. in a console prompt on the ISA Server, enter the following:
arp -s 192.168.100.20 a3-00-92-b3-c3-33 - should this be the router interface?
Also, if you set up static ARP entries, they do not persist across reboots, so you need to put the arp commands into a batch file and run them as part of the machine's startup script?
Note: if I add a router this would mean I would then have not 2 but 3 separate subnets, i.e. 1 connecting the internal network to int fa0/0 for e.g., fa0/1 connecting to the ISA/internal NIC, and 1 allocated via my ISP as the ISA/external public IP address!
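The static ARP entry and the startup-script question above can be checked rather than assumed: the Python script below (an added example, not from the post or from the ISA documentation) parses the text that Windows `arp -a` prints, confirms the router interface facing the ISA internal NIC is present and still marked static after a reboot, flags a MAC that no longer matches, and emits the `arp -s` lines for the startup batch file. The IP/MAC pair and the sample `arp -a` output are constructed placeholders.

```python
import re

# Expected static mappings on the ISA internal segment. Constructed placeholder
# values for this example; replace with the real router interface IP and MAC.
EXPECTED_STATIC = {
    "192.168.100.20": "a3-00-92-b3-c3-33",  # router interface facing the ISA internal NIC
}

# One data row of Windows `arp -a` output: IP, dashed MAC, then "static" or "dynamic".
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: (mac, type)} from the text printed by Windows `arp -a`."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower(), kind.lower())
    return entries

def check_static_entries(arp_text, expected=EXPECTED_STATIC):
    """Compare the live ARP table against the expected static mappings.
    Returns a list of (ip, problem); an empty list means all entries are as expected."""
    table = parse_arp_table(arp_text)
    problems = []
    for ip, mac in expected.items():
        if ip not in table:
            problems.append((ip, "missing"))          # startup script did not run?
        elif table[ip][1] != "static":
            problems.append((ip, "not static"))       # learned dynamically, so it can be poisoned
        elif table[ip][0] != mac.lower():
            problems.append((ip, "mac mismatch: " + table[ip][0]))  # poisoning or hardware change
    return problems

def startup_script_lines(expected=EXPECTED_STATIC):
    """Lines for the batch file run at startup, since static entries do not survive reboots."""
    return ["arp -s %s %s" % (ip, mac) for ip, mac in expected.items()]

# Constructed sample of `arp -a` output (not captured from a real host).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.100.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.100.20        a3-00-92-b3-c3-33     static
  192.168.100.40        00-0c-29-11-22-33     dynamic
"""

if __name__ == "__main__":
    for ip, problem in check_static_entries(SAMPLE_ARP_OUTPUT):
        print("ARP check failed for %s: %s" % (ip, problem))
```

On a real ISA Server the input would come from running `arp -a` and feeding its output to `check_static_entries`.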