Firewall and DMZ Design—ISA Server 2005

Introduction

The ISA firewall can act in a number of roles: as a front-end edge firewall that sits in front of the entire company, as a back-end firewall located behind another edge firewall that might be an ISA firewall or another type of firewall, or as a perimeter network firewall that walls off critical network servers and services from the rest of the network. We’ll focus on the third configuration in this chapter.

In spite of eye-catching headlines about the death of the DMZ and the imminent demise of network security zones, the fact is that we who live in the trenches still need to live with the current reality, where network perimeters need to be defined to provide access controls on hosts connecting to other hosts belonging to different security zones. And although Network Access Protection (NAP; expected to be implemented in Longhorn/Vista) and IPSec-based domain isolation hold a lot of promise, there are and will be significant technological hurdles that have to be jumped before those methodologies will be applicable for widespread use.

Instead of proclaiming the death of the DMZ, security experts should be making the clarion call for increased perimeterization.You’ll go a long way toward improving your network’s security position by grouping hosts into different security zones, and putting firewalls and other network security devices between those zones that enable strong access controls on communications between those zones.

In this chapter, we’ll examine the requirements and procedures involved with creating a network services segment separated from the rest of the corporate network by an ISA firewall.You can put an ISA firewall in front of the network services located on the services segment to help protect those critical network services from being adversely affected by outbreaks that take place on other network segments.

The key concept here is that only required communications are allowed to and from the network services segment; all other communications are blocked. In addition to limiting communications only to the hosts and protocols that are required for access, we will leverage the ISA firewall’s advanced stateful packet and application layer inspection mechanisms to help secure the communications allowed to the network services segment.

View Firewall and DMZ Design—ISA Server 2005 (part01)

View Firewall and DMZ Design—ISA Server 2005 (part02)

View Firewall and DMZ Design—ISA Server 2005 (part03)

View Firewall and DMZ Design—ISA Server 2005 (part04)

View Firewall and DMZ Design—ISA Server 2005 (part05)

View Firewall and DMZ Design—ISA Server 2005 (part06)

View Firewall and DMZ Design—ISA Server 2005 (part07)

View Firewall and DMZ Design—ISA Server 2005 (part08)

View Firewall and DMZ Design—ISA Server 2005 (part09)

View Firewall and DMZ Design—ISA Server 2005 (part10)