Chapter 4 of this book has been provided to ISAserver.org courtesy of Syngress Publishing and its distinguished authors, Tom Shinder, Debra Littlejohn Shinder and Martin Grasdal. Chapter 4 is available for download as a PDF.
In this chapter, we go over techniques that you can use to implement a private address, LAT-based DMZ segment. The ability to use an internal network segment for a DMZ is important because it lets you take advantage of Web and server publishing rules to make servers on the DMZ available. The only other option for publishing servers on a DMZ segment behind a trihomed ISA server is to use public IP addresses on the DMZ segment and then use packet filters to make those servers available to the Internet. As you learned in the last two chapters, packet filters are not very flexible and do not leverage the security features provided by Web and server publishing rules.
You can use TCP/IP security to perform basic access control for incoming packets to the DMZ host. TCP/IP filters do not do much to protect the internal network from a DMZ host, but they can protect the DMZ host from packets arriving from hosts on the internal network. TCP/IP security filters apply only to incoming packets and have no influence on packets leaving the host configured to use TCP/IP security filtering. One advantage of TCP/IP security filters is that they work in kernel mode and are therefore less subject to compromise.
RRAS packet filters provide a powerful and effective method of controlling traffic moving between the LAT-based DMZ segment and the internal network. RRAS packet filters work on an exception basis: you can allow all traffic except the traffic for which you create filters, or you can deny all traffic except the traffic for which you create filters. While this gives you a certain level of granularity over packets moving into and out of the DMZ segment, the exception-based model makes it difficult to create a universal Deny rule with exceptions. RRAS packet filters depend on the Routing and Remote Access Service (RRAS), which runs as a user-mode process. The operating system can continue to run even if there is an access violation in the RRAS service, which can create a security risk to the internal network if the RRAS service is disabled on the ISA server.
IPSec policies are implemented on the DMZ host itself. IPSec policies leverage sophisticated filter lists and filter actions that together make up IPSec rules. You can create a general, global Deny rule and then create exceptions to the global Deny by creating more specific rules. The IPSec policy agent is a user-mode process and can therefore be interrupted while the operating system continues to run, which can create a security risk to internal network clients if the agent is compromised on the DMZ host.
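To make the difference between the two filter models concrete, the following is an added Python model written for this page; it is not code from the book, nor from ISA Server, RRAS or the IPSec policy agent. The addresses (DMZ segment 10.0.1.0/24, internal SQL server 192.168.1.10, DMZ host 10.0.1.7) are constructed, and the "most specific matching filter wins" resolution is a simplification of how IPSec orders its filters. The model shows why a single-action exception list cannot carve one host out of an allowed range without splitting the range, while a rule-based policy expresses the same intent with one extra, more specific rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addresses (not from the book):
#   DMZ segment 10.0.1.0/24, internal SQL server 192.168.1.10/32,
#   DMZ host 10.0.1.7 that must NOT reach the SQL server.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 when the protocol has no port


@dataclass(frozen=True)
class Filter:
    """One five-tuple filter; wildcards are 0.0.0.0/0, 'any' and dport None."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

    def specificity(self) -> int:
        """Longer prefixes and a fixed protocol/port make a filter more specific."""
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen
                + int(self.proto != "any") + int(self.dport is not None))


def rras_decide(filters, mode: str, p: Packet) -> str:
    """RRAS-style exception list: ONE action applies to every filter in the list.
    'drop_all_except' forwards only packets that match a filter;
    'forward_all_except' drops only packets that match a filter."""
    hit = any(f.matches(p) for f in filters)
    if mode == "drop_all_except":
        return "forward" if hit else "drop"
    if mode == "forward_all_except":
        return "drop" if hit else "forward"
    raise ValueError(f"unknown mode {mode!r}")


def ipsec_decide(rules, p: Packet) -> str:
    """IPSec-style policy: each rule pairs a filter with its own action and the
    most specific matching filter wins (ties go to the earlier rule).
    A packet that matches no filter is permitted, so a global deny must be a rule."""
    hits = [(f.specificity(), action) for f, action in rules if f.matches(p)]
    if not hits:
        return "permit"
    return max(hits, key=lambda h: h[0])[1]


# Desired policy: deny everything DMZ -> internal, permit the DMZ segment to the
# SQL server on TCP 1433, but keep host 10.0.1.7 out of that exception.
DENY_ALL = Filter()
DMZ_TO_SQL = Filter("10.0.1.0/24", "192.168.1.10/32", "tcp", 1433)
HOST7_TO_SQL = Filter("10.0.1.7/32", "192.168.1.10/32", "tcp", 1433)

IPSEC_POLICY = [(DENY_ALL, "block"), (DMZ_TO_SQL, "permit"), (HOST7_TO_SQL, "block")]

# The naive RRAS translation: the only list entry is the permitted exception,
# so the carve-out for 10.0.1.7 has nowhere to go.
RRAS_NAIVE = [DMZ_TO_SQL]


def rras_exception_list():
    """Equivalent RRAS 'drop all except' list. Because the list has a single
    action, excluding 10.0.1.7 means splitting the /24 into the CIDR blocks
    that do not contain that host (8 filters instead of 1)."""
    net = ipaddress.ip_network("10.0.1.0/24")
    keep = net.address_exclude(ipaddress.ip_network("10.0.1.7/32"))
    return [Filter(str(n), "192.168.1.10/32", "tcp", 1433) for n in sorted(keep)]


def compare(p: Packet) -> dict:
    """Decision of each model for one packet."""
    return {
        "ipsec": ipsec_decide(IPSEC_POLICY, p),
        "rras_naive": rras_decide(RRAS_NAIVE, "drop_all_except", p),
        "rras_split": rras_decide(rras_exception_list(), "drop_all_except", p),
    }


if __name__ == "__main__":
    for pkt in (Packet("10.0.1.5", "192.168.1.10", "tcp", 1433),
                Packet("10.0.1.7", "192.168.1.10", "tcp", 1433),
                Packet("10.0.1.5", "192.168.1.20", "tcp", 445),
                Packet("10.0.1.5", "192.168.1.10", "icmp")):
        print(pkt, compare(pkt))
```

Running the block shows the practical point of the two paragraphs above: the rule-based policy blocks 10.0.1.7 because its host-specific block rule outranks the segment-wide permit, whereas the single-action RRAS list forwards that host until the allowed range is rewritten as eight smaller blocks. Either way, anything not covered by an exception (other internal hosts, ICMP to the SQL server) is dropped, which is the universal-deny behaviour the chapter recommends for a LAT-based DMZ.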
By purchasing the book you'll have a resource at your fingertips that will guide you through many other advanced ISA server deployments and configurations.
ISA Server and Beyond should be part of every ISA administrator's arsenal. Pick up your copy today!