Sidebar: Installing and Using ISA Server as a Firewall

To set up a back-to-back DMZ that uses ISA Server for both firewalls, you need two servers, two copies of Win2K, two copies of ISA Server, four NICs (two for each server), and a switch or hub for the DMZ segment. First, build the outer firewall by installing and updating Win2K and ISA Server on one server. In the Network and Dial-up Connections applet in Control Panel, configure the outer firewall's Internet NIC with the public IP addresses that your ISP provides. Select a private IP subnet such as 10.10.0.0/16 (10.10.*.*) for the public servers in the DMZ. For example, assign 10.10.0.1 to the DMZ NIC on the outer firewall, 10.10.0.2 to the Web server, and 10.10.0.3 to the SMTP gateway. Enter this subnet (10.10.*.*) in the outer firewall's Local Address Table (LAT); the LAT tells ISA Server which addresses to treat as the protected, local side, and everything not in it is treated as external. Configure the computers in the DMZ to use the outer firewall (10.10.0.1) as their default gateway.

Next, build the inner firewall by installing and updating Win2K and ISA Server on the second server. Assign 10.10.0.4 to the DMZ NIC on the inner firewall, and configure that NIC to use the outer firewall (10.10.0.1) as its default gateway. Select a different private IP subnet, such as 10.20.0.0/16 (10.20.*.*), for the internal network, and assign 10.20.0.1 to the inner firewall's internal NIC. Configure internal computers to use the inner firewall (10.20.0.1) as their default gateway. Put only the internal range (10.20.*.*) in the inner firewall's LAT. The DMZ range (10.10.*.*) must not appear there: the inner firewall has to regard the DMZ as external, so that a compromised DMZ host gets the same inspection and default-deny treatment as a host on the Internet.

After you've configured the private IP addresses, you can set up the server-publishing rules and protocol rules. To let clients on the Internet reach the Web server, add a Web-publishing rule on the outer firewall that publishes the Web server (10.10.0.2). To let SMTP servers on the Internet deliver email, add a server-publishing rule on the outer firewall that redirects incoming SMTP connections (TCP port 25) arriving at the outer firewall's public address to the SMTP gateway (10.10.0.3). Then, on the inner firewall, add a server-publishing rule that publishes the Exchange server's SMTP service but limits client connections to the SMTP gateway's address (10.10.0.3), so that no other DMZ host can open port 25 to Exchange. Configure the SMTP gateway to forward incoming email to the inner firewall's DMZ address (10.10.0.4), which transparently redirects the connection to the Exchange server. For outgoing email destined for the Internet, configure on the inner firewall a protocol rule and an IP packet filter that allow outbound SMTP connections to the SMTP gateway, and limit them to connections that originate from the Exchange server; then configure Exchange to forward outbound email to the SMTP gateway. Finally, if the Web server in the DMZ needs an internal SQL Server machine, create a server-publishing rule on the inner firewall that publishes the SQL Server on TCP port 1433 and restricts client connections to the Web server's address (10.10.0.2). This rule is a deliberate hole from the DMZ into the internal network, so keep it pinned to that one client address and that one port; an attacker who takes over the Web server should gain nothing beyond the SQL port that the Web server already uses.
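The address plan and rule set above can be checked before anyone touches a firewall. The following is an added example written for this page, not ISA Server's rule format or its administration object model: a small simulator that encodes the two LATs, the rules described above, and which firewall sits on the path between any two zones, then answers "may host A open port P on host B?" The DMZ hosts use the article's addresses; the Exchange server (10.20.0.10) and SQL Server (10.20.0.11) addresses are assumed, because the article does not give them, and the outer firewall's outbound-SMTP rule for the gateway is also an assumption the article leaves implicit.

```python
"""Flow-policy model of the back-to-back ISA Server DMZ described above.

Added example for this page: a simulator of the described rules, not ISA
Server's own configuration or API. EXCHANGE, SQL and the outer firewall's
outbound-SMTP rule are assumptions not stated in the article.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

DMZ = ip_network("10.10.0.0/16")       # outer firewall's LAT ("10.10.*.*")
INTERNAL = ip_network("10.20.0.0/16")  # inner firewall's LAT ("10.20.*.*")
ANYWHERE = ip_network("0.0.0.0/0")

OUTER_FW = ip_address("10.10.0.1")     # outer firewall, DMZ NIC
WEB = ip_address("10.10.0.2")
SMTP_GW = ip_address("10.10.0.3")
INNER_FW = ip_address("10.10.0.4")     # inner firewall, DMZ NIC
EXCHANGE = ip_address("10.20.0.10")    # assumed, not given in the article
SQL = ip_address("10.20.0.11")         # assumed, not given in the article


def host(addr: IPv4Address) -> IPv4Network:
    """A single host as a /32 so host and network rules match the same way."""
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    """A publishing or protocol rule: `clients` may open TCP `port` to any
    address in `servers`. An empty `clients` set means any client."""
    name: str
    servers: IPv4Network
    port: int
    clients: frozenset = frozenset()

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return (dst in self.servers and port == self.port
                and (not self.clients or src in self.clients))


# Outer firewall: the article's publishing rules, plus one assumed protocol
# rule so the gateway can deliver mail to the Internet.
OUTER_RULES = (
    Rule("publish Web server (HTTP)", host(WEB), 80),
    Rule("publish Web server (HTTPS, terminated on ISA)", host(WEB), 443),
    Rule("publish SMTP gateway", host(SMTP_GW), 25),
    Rule("gateway delivers outbound mail (assumed)", ANYWHERE, 25, frozenset({SMTP_GW})),
)
# Inner firewall: every rule is pinned to the one host that needs it.
INNER_RULES = (
    Rule("publish Exchange SMTP, gateway only", host(EXCHANGE), 25, frozenset({SMTP_GW})),
    Rule("outbound SMTP, Exchange to gateway only", host(SMTP_GW), 25, frozenset({EXCHANGE})),
    Rule("publish SQL Server, Web server only", host(SQL), 1433, frozenset({WEB})),
)
RULES = {"outer": OUTER_RULES, "inner": INNER_RULES}


def zone(addr: IPv4Address) -> str:
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"


# Firewalls on the path between two zones. Two hosts on the DMZ switch
# (dmz -> dmz) have no firewall between them at all.
PATH = {
    ("internet", "dmz"): ("outer",), ("dmz", "internet"): ("outer",),
    ("dmz", "internal"): ("inner",), ("internal", "dmz"): ("inner",),
    ("internet", "internal"): ("outer", "inner"),
    ("internal", "internet"): ("inner", "outer"),
    ("dmz", "dmz"): (), ("internal", "internal"): (), ("internet", "internet"): (),
}


def decide(src, dst, port: int) -> tuple:
    """Evaluate a TCP connection against every firewall on its path.
    Returns (allowed, reason): the first firewall with no matching rule
    drops the connection, so all firewalls on the path must permit it."""
    src, dst = ip_address(src), ip_address(dst)
    for fw in PATH[(zone(src), zone(dst))]:
        if not any(r.matches(src, dst, port) for r in RULES[fw]):
            return False, f"dropped by {fw} firewall: no rule for {src}->{dst}:{port}"
    return True, "allowed"


def check_address_plan() -> bool:
    """The two LATs must be disjoint and each host must sit in its own zone,
    otherwise one firewall treats the wrong side of a NIC as 'local'."""
    assert not DMZ.overlaps(INTERNAL), "DMZ and internal LATs overlap"
    assert all(h in DMZ for h in (OUTER_FW, WEB, SMTP_GW, INNER_FW))
    assert all(h in INTERNAL for h in (EXCHANGE, SQL))
    return True


if __name__ == "__main__":
    check_address_plan()
    for flow in [("198.51.100.7", WEB, 80), ("198.51.100.7", EXCHANGE, 25),
                 (WEB, EXCHANGE, 25), (WEB, SQL, 1433), (WEB, SMTP_GW, 25)]:
        print(flow, decide(*flow))
```

Two of the results are the ones worth looking at before deployment: a Web server that has been taken over cannot open port 25 to Exchange (the inner rule accepts only the gateway as client), but it can talk to the SMTP gateway on any port, because both sit on the same DMZ switch with no firewall in between. That second result is the argument for hardening every DMZ host individually, or for the VLAN separation mentioned below.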

Implementing HTTPS for sensitive areas of your Web site in a back-to-back DMZ differs from doing so in a three-homed DMZ. Instead of installing the server certificate from a public CA on the Web server, you install it on the outer ISA Server. Consequently, when a client on the Internet accesses a secure area of your site, the browser negotiates the Secure Sockets Layer (SSL) connection with ISA Server, which decrypts the request, inspects it, and forwards it to the Web server in the DMZ. You can configure ISA Server either to forward the request as clear-text HTTP or to establish a new HTTPS connection to the Web server. If the Web server is the only server in the DMZ, I recommend clear-text HTTP to conserve computing resources: the only machines on that segment are the two firewalls and the Web server, so there is nothing else positioned to intercept the traffic. If the Web server isn't the only server in the DMZ, consider re-encrypting. A DMZ is, by design, the network most likely to contain a compromised host, and a hub, or ARP spoofing on a switch, would let such a host read the clear-text session between ISA Server and the Web server. Be aware that re-encryption costs a second SSL handshake and a second encryption pass per request, which reduces both ISA Server's and the Web server's throughput. Another option is to use Virtual LANs (VLANs) on the DMZ switch to isolate the traffic between ISA Server and the Web server from the other DMZ hosts; a VLAN separates the traffic but does not encrypt it, so it protects only against eavesdropping from the other DMZ servers, not from anyone who can reach the switch itself.

This LAN Is Your LAN—Secure It!
A three-homed DMZ provides security for the internal network as well as some protection for the public servers in the DMZ. In addition, a three-homed DMZ is less expensive and easier to implement than a back-to-back DMZ. However, with a back-to-back DMZ, you get to use all of ISA Server's features to protect both the internal network and the public servers in the DMZ. In a back-to-back DMZ, the outer firewall inspects traffic to and from your Web server and SMTP gateway at the application level, whereas in a three-homed DMZ, all you get is IP address and port filtering. In addition, a back-to-back DMZ requires only one public Internet address and conceals the IP addresses of not just the internal network but also the servers in the DMZ.

No matter what type of DMZ you decide to implement, you're taking an important step in securing your LAN. Putting your publicly accessible servers in a DMZ adds another layer of protection against attacks.


Reader Comments

Very good and informative article.

Thanks

Paul

Very good article.

sre_eram
