Microsoft Internet Security and Acceleration Server 2000 in Education Deployment Kit

 

Chapter 7

Protecting Departmental/Student LAN segments with ISA Server 2000


Dr. Thomas W Shinder

Debra Shinder

January 2004

 

 

Table of Contents

Network Topologies

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Centralized Web Caching Server or Caching Array Placed on Campus Backbone

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and ISA Server 2000 Firewall Placed in Parallel with Current Internet Firewall

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Site to Site VPN Links Joining Trusted Networks

Configuring Firewall Chaining

Installing the ISA Server 2000 Firewall Software on Windows Server 2003 LAN and Campus Backbone Network Firewalls

Install ISA Server Service Pack 1

Install HotFix isahf255.exe

Install Feature Pack 1

Create a Base Configuration on the ISA Server 2000 LAN and Internet Edge Firewalls

Configure Firewall Chaining Between the LAN Firewalls and Internet Edge Firewalls

Create Access Policy to Control Outbound Access at the LAN and Internet Edge Firewalls

Install the Firewall Client on the Internal Network Client Computer

Making the Connection

Configuring Web Proxy Chaining

Configuring Web Proxy Chaining to the ISA Server 2000 Firewall and Web Caching Server

Making the Connection

Summary


Educational institutions face unique challenges in securing their networks against intruders, attackers, viruses and malicious code. The academic environment is based on free and open flow of information, yet educational institutions are also bound by laws and policies designed to protect student privacy and proprietary information.

 

Thus, the balancing act between access and security is even more difficult than in the typical corporate environment. Schools and universities also must deal with many of the same threats and problems common to the business network, but in some cases on a much larger scale (for example, the prevalence of peer-to-peer (P2P) file sharing is greater on campuses).

 

Both students and teachers today depend on access to the Internet and internal network resources in order to do their jobs. The growing popularity of wireless networking on campus further complicates the task of securing campus networks.

 

Specific issues that must be addressed by today’s educational institutions include the following:

  • Need to keep confidential student information such as social security numbers, grades, etc. secure.
  • Need to keep financial records secure (student loan information, donor information, credit card numbers)
  • Need to protect the institution against vicarious liability stemming from P2P programs, student hackers and other student activities on the network that might violate state or federal law or incur civil liability.
  • Need to protect the integrity of administrative information such as grades against tampering.
  • Need to protect faculty/staff information (instructor notes, lesson plans, personnel records) from tampering and/or divulgence.
  • Need to protect the confidentiality of student medical records.
  • Need to protect the network against denial of service (DoS) and other attacks and viruses that impact productivity and access of network users.

 

Cost is another important factor for both public and private educational institutions that must operate within a defined – and often limited – budget. IT budgets are traditionally tight in the college/university environment, and IT departments are often understaffed, with administrators who are overworked and underpaid in comparison with their corporate counterparts. Due to the lower pay scales and the fact that students are often recruited to do much of the work, skill and/or experience levels may be lower than in the business world. Thus ease of use becomes a top priority when selecting a security solution.

 

ISA Server 2000 firewalls can be used within the campus to protect departmental or student LANs. In addition to protecting student LANs, an ISA Server 2000 computer can speed access to essential resources. ISA Server can act as both a firewall and a Web Proxy server for the campus network. These two components provide the following features for the LAN segment or segments behind the ISA Server 2000 machine:

 

  • Firewall

ISA Server 2000’s firewall features allow you to control inbound and outbound access into and out of the protected segments. You can place the ISA Server 2000 firewall in front of a departmental or student LAN and allow access to sites and protocols based on user account or group membership. Inbound access into the protected network can be controlled so that only selected servers and services can be accessed by hosts outside of the protected network. Firewall chaining can be used to make Internet access for departmental LANs independent of your current routing infrastructure, because downstream ISA Server 2000 firewalls communicate directly with upstream ISA Server 2000 firewalls.

 

  • Web Proxy

The Web Proxy component of ISA Server 2000 can be used to bring Web content closer to the protected network. The ISA Server 2000 Web Proxy server can be chained to upstream Web Proxy servers to allow users on the protected LAN to benefit from content located on their local cache as well as from content contained in a centralized cache that serves the entire institution. Caching at the local ISA Server 2000 reduces the amount of traffic on the campus backbone and the centralized cache reduces overall bandwidth consumption on the institution’s Internet links.

 

In this document, we will discuss the following:

 

  • Sample network topologies and how ISA Server 2000 firewalls and Web caching servers can be used on campus networks to provide departmental and student LAN protection and access control and Web caching
  • How to configure firewall chaining to make the ISA Server 2000 firewalls independent of your current routing infrastructure. Firewall chaining allows you to drop ISA Server 2000 firewalls into your current network infrastructure with a minimum of disruption
  • How to configure Web proxy chaining to bring Web content closer to users on the protected networks. Web Proxy chaining allows you to configure the Web Proxy servers to communicate directly with one another so that there is minimum disruption to the current network infrastructure
  • How to configure site to site VPN connections between departmental or student LANs. The site to site connections allow LANs separated across the campus backbone to communicate directly with one another without being subjected to firewall policies. These LANs can then be members of the same Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domain.

Network Topologies

ISA Server 2000 firewalls can be placed on a campus network with an existing routing and firewall infrastructure. Most educational institutions have an existing firewall and routing infrastructure that has evolved over time and reconfiguring the existing infrastructure could lead to a large amount of financial and administrative overhead.

 

The following ISA Server 2000 firewall topologies allow you to leave your current firewall and routing topologies in place and still benefit from the powerful application layer filtering and Web caching features available with ISA Server 2000.

 

  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental and student LANs
  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental and student LANs and a centralized Web caching server or server array located on the network backbone
  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental LANs and an ISA Server 2000 firewall placed at the edge of the campus network. The ISA Server 2000 firewall is placed in parallel with an existing packet filtering firewall
  • ISA Server 2000 firewalls and Web caching servers placed at the edge of departmental and student LANs. Protected networks are joined via site to site links between ISA Server 2000 firewall/VPN gateways

 

ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs

You can place ISA Server 2000 firewall and Web caching servers at the edge of the departmental and student LANs. This configuration allows you to replace only the devices at the edge of the departmental and student LANs and keep the current firewall and routing infrastructure in place.

 

Advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left intact. There is no need to change any of the settings on the current firewall at the campus network edge
  • Only the devices at the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create the user and group accounts there.
  • Traffic on the campus LAN and Internet link is reduced because popular Web content is stored on the local ISA Server 2000 firewall and Web caching server.

 

The figure below shows the high-level placement of the ISA Server 2000 firewall and Web caching servers on the campus network.


ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Centralized Web Caching Server or Caching Array Placed on Campus Backbone

You can build on the ISA Server 2000 firewall and Web caching server at the departmental and student LAN edge configuration by adding a Web-caching only ISA Server 2000 computer or array on the campus backbone.

 

The advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left unchanged. There is no need to alter any of the settings on the current firewall at the campus network edge
  • Only the devices at the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create the user and group accounts there.
  • Traffic on the campus backbone is reduced because popular Web content for each protected LAN is cached on the local ISA Server 2000 Web caching server
  • Traffic on the Internet link is reduced because popular content for all protected LANs is cached on the centralized Web caching server or Web caching array

 


The figure below shows the high-level placement of the ISA Server 2000 firewall and Web caching servers at the LAN edges and a Web caching array on the backbone network.


ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and ISA Server 2000 Firewall Placed in Parallel with Current Internet Firewall

You can build on the ISA Server 2000 firewall and Web caching configuration at the departmental and student LAN edges by placing an ISA Server 2000 firewall and Web caching server at the Internet edge in parallel with existing Internet firewalls made by other vendors. You could also place an ISA Server 2000 firewall and Web caching server on the campus backbone network and configure firewall chaining between the LAN ISA Server 2000 firewalls, the backbone ISA Server 2000 firewall and the non-Microsoft Internet edge firewall.

 

The advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left unchanged. There is no need to alter any of the settings on the current firewall at the campus network edge
  • Only the devices at the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create the user and group accounts there.
  • Centralized application layer filtering can be performed for all protected LANs at the Internet edge and/or on the campus backbone. This provides an additional tier of protection in the event that configuration errors are made on the LAN edge firewalls. Downstream ISA Server 2000 firewalls are chained to upstream firewalls
  • Inbound access scenarios to the campus backbone or protected LANs can be implemented at the network edge or campus backbone using ISA Server 2000’s sophisticated application layer filtering mechanisms
  • Traffic on the campus backbone is reduced because popular Web content for each protected LAN is cached on the local ISA Server 2000 Web caching server
  • Traffic on the Internet link is reduced because popular content for all protected LANs is cached on the centralized Web caching server or Web caching array


The figure below shows the high-level placement of the ISA Server 2000 firewall and Web caching servers at the LAN edges and ISA Server 2000 firewalls and Web caching servers on the campus backbone and Internet edge.


ISA Server 2000 Firewalls Placed at the Edge of Departmental and Student LANs and Site to Site VPN Links Joining Trusted Networks

Networks separated from one another over the campus backbone often need to share the same user database and security configuration. Because of the sensitive nature of communications that take place between trusted hosts, it is inadvisable to allow machines belonging to the same Windows security partition (Windows domain) to communicate freely over an untrusted network such as the campus backbone.

 

The solution to this problem is to join networks belonging to the same security partition (Windows domain) via a site to site VPN link. VPN connections are typically used to connect host systems or entire networks to one another over the Internet. However, the utility of VPN connections is not limited to only Internet communications. You can use the same VPN technology to join protected LAN segments to each other.

 

The advantages of this configuration include:

 

  • The current firewall at the edge of the campus network is left intact. There is no need to change any of the settings on the current firewall at the campus network edge
  • Only the devices at the departmental and student LAN edges need to be replaced. You do not need to change the current routing infrastructure to support the new ISA Server 2000 firewall and Web caching servers
  • You can control access to and from the departmental and student LANs on a user or group basis. The user accounts and groups can be created on the ISA Server 2000 firewall and Web caching servers, or you can create Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domains on the LANs and create the user and group accounts there.
  • Traffic on the campus LAN and Internet link is reduced because popular Web content is stored on the local ISA Server 2000 firewall and Web caching server.
  • Traffic can move between LAN segments joined by the VPN site to site link without incurring the overhead of firewall policy processing. Because all network traffic between trusted VPN-connected segments is passed, no special firewall configuration is required to support complex protocols, and voice/video communications between the trusted segments are fully supported
  • Joined segments can belong to the same Windows NT 4.0 or Windows 2000/Windows Server 2003 domain. Sensitive intradomain communications are never passed “in the clear” over the campus backbone network
  • Multiple networks can be connected using the site to site link and all networks can use Firewall and Web Proxy chaining within the VPN network. This obviates the need for a backbone or Internet edge located ISA Server 2000 firewall for centralized firewall management and control and also allows hierarchical Web caching, all based on a single user database (Windows NT 4.0 or Windows 2000/Windows Server 2003 Active Directory domain)


The four network topologies described in this section represent only a subset of the possible configurations. However, they provide examples of the possibilities and make it clear that you can introduce ISA Server 2000 firewall and Web caching servers into the campus network with a minimal amount of disruption.


Configuring Firewall Chaining

ISA Server 2000 firewall chaining allows you to configure customized firewall policies at the LAN edge of each of the departmental and student networks and also create a firewall policy that applies to all networks protected by the ISA Server 2000 firewall and Web caching servers.

 

One of the major advantages of using firewall chaining is that you do not need to configure the ISA Server 2000 firewalls at the departmental and student LANs to use the upstream ISA Server 2000 firewall as their default gateway. Instead, the ISA Server 2000 firewall at each departmental and student LAN edge can use any default gateway you like and forward Internet bound requests directly to the upstream firewall at the Internet edge or on the campus backbone.

 

Firewall chaining applies to all TCP and UDP communications moving through the ISA Server 2000 firewalls in the chain. For example, you might create an upstream firewall policy that prevents users from accessing a list of Internet located domains and blocks the use of peer to peer file sharing applications, while at the same time not wanting the LAN edge firewalls to use the upstream ISA Server 2000 firewall for ICMP communications (used by PING, PATHPING, tracert and other network utilities). The ICMP communications need to go through your current Internet firewall instead.

 

Firewall chaining enables you to create this configuration because the TCP and UDP communications move from the downstream ISA Server 2000 firewalls to the upstream ISA Server 2000 firewall via direct communications; the downstream firewalls do not depend on their default gateway configuration to reach the Internet because they are configured to communicate directly with the upstream firewall. The ICMP communications can move through the network based on the default gateway configuration on the downstream ISA Server 2000 firewall.
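The following Python model is an added illustration of the forwarding decision just described; it is not ISA Server code or part of this kit. A downstream firewall hands TCP and UDP requests directly to its chained upstream firewall, each tier applies its own access policy, and ICMP follows the downstream firewall's ordinary default gateway. The firewall names, policies, port number and TEST-NET addresses are all constructed for the example.

```python
"""Constructed model of ISA Server 2000 firewall chaining (not ISA code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    proto: str                       # "TCP", "UDP" or "ICMP"
    dst_host: str                    # destination domain name
    dst_port: Optional[int] = None   # None for ICMP


@dataclass
class Firewall:
    name: str
    default_gateway: str                       # existing router at this firewall's edge
    upstream: Optional["Firewall"] = None      # chained upstream ISA firewall, if any
    denied_domains: set = field(default_factory=set)
    denied_ports: set = field(default_factory=set)

    def policy_allows(self, req: Request) -> bool:
        """Each tier in the chain applies its own access policy."""
        return (req.dst_host not in self.denied_domains
                and req.dst_port not in self.denied_ports)

    def chains(self, req: Request) -> bool:
        """Chaining covers TCP and UDP only; ICMP follows the default gateway."""
        return req.proto in ("TCP", "UDP") and self.upstream is not None


def forward(fw: Firewall, req: Request) -> Tuple[str, List[str]]:
    """Walk the chain from a downstream firewall and return (verdict, hops).

    The last hop is either the firewall that denied the request or the
    default gateway of the firewall that finally released it."""
    hops: List[str] = []
    hop: Optional[Firewall] = fw
    while hop is not None:
        hops.append(hop.name)
        if not hop.policy_allows(req):
            return "DENY", hops
        if hop.chains(req):
            hop = hop.upstream          # sent direct to upstream, not via default gateway
        else:
            hops.append(hop.default_gateway)
            return "ALLOW", hops
    return "DENY", hops                 # not reached; satisfies type checkers


# Constructed lab: the LAN-1 firewall is chained to the campus Internet edge firewall.
# Addresses are TEST-NET documentation ranges, not the kit's own lab values.
EDGE = Firewall("ISA-EDGE", default_gateway="192.0.2.1",
                denied_ports={6346})                  # constructed P2P port, blocked campus-wide
LAN1 = Firewall("ISA1", default_gateway="198.51.100.1", upstream=EDGE,
                denied_domains={"blocked.example"})   # LAN-1 local policy only

if __name__ == "__main__":
    for r in (Request("TCP", "www.example", 80),
              Request("TCP", "blocked.example", 80),
              Request("TCP", "peer.example", 6346),   # LAN-1 policy forgot to block it
              Request("ICMP", "www.example")):
        print(r.proto, r.dst_host, r.dst_port, "->", forward(LAN1, r))
```

The third request shows the second tier of protection described later in this chapter: a P2P connection the LAN edge firewall allows by mistake is still denied at the upstream firewall.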

 

In this section, we’ll present an example of how to configure firewall chaining between LAN edge ISA Server 2000 firewall and Web caching servers and an upstream ISA Server 2000 firewall and Web caching server. The following procedures are covered in this document:

 

  • Install ISA Server 2000 on the Internet edge firewall and the departmental LAN firewalls
  • Configure the base ISA Server 2000 firewall configuration
  • Configure firewall chaining between the departmental LAN ISA Server 2000 firewalls and the Internet edge ISA Server 2000 firewall
  • Create access policies on the LAN firewalls and the Internet edge firewall

 

You should always perform your testing on a lab network before implementing the configurations on your production network. The figure below shows the setup of the lab network we’ll be using in the example discussed in this section.


  • All machines are configured with a subnet mask of 255.255.255.0
  • The client machines on the LAN networks are configured as DNS servers and the DNS servers can perform recursion to resolve Internet domain names
  • The client machine on LAN-2 is configured as a domain controller in the msfirewall.org domain (this configuration will be used later to test VPN site to site configurations)
  • The LAN-1 and LAN-2 ISA Server 2000 firewalls are configured to use the DNS servers on the LAN segments they protect; access policies allow the DNS servers outbound access to DNS queries
  • The ISA Server 2000 firewalls on LAN-1, LAN-2 and at the edge of the simulated campus network are installed in integrated mode.
  • ISA2 is a member of the msfirewall.org domain (Active Directory domain on LAN-2)
  • If you are using operating system virtualization (virtual machine) software, you should configure each network segment to be on a different Ethernet broadcast domain. In our example, the simulated campus backbone network is on VMNet2, LAN-1 is on VMNet4 and LAN-2 is on VMNet3. The external interface of the ISA Server 2000 firewall on the edge of the campus network is bridged with the physical interface on the test machine, which allows it to access Internet resources via the live network’s Internet connection.

 

IP Configurations for each machine are listed in the table below.

 

Machine | IP address | Subnet Mask | Default Gateway | DNS address