Networking

SolutionBase: Grant Internet access while securing your network using a wireless DMZ

Sometimes you need to grant wireless users access to the Internet, but you want to ensure that someone doesn't use wireless to access network resources. That's where a wireless DMZ comes in handy. Here's how to set one up using ISA Server 2004.

As wireless networks become more common, it's important that you have them properly secured. One way to grant Internet access to wireless networks while still securing your main network is by creating a wireless DMZ.

With multiple interfaces and ISA Server 2004's multi-networking support, it's an effective solution for implementing DMZs (demilitarized zones or perimeter networks that serve as a buffer between your internal LAN and the public Internet or other external networks). A popular implementation of the ISA firewall DMZ networks includes configuration of a wireless DMZ segment that can be used for hosting untrusted users and computers, such as guests with laptops who connect to your network.

Planning for the wireless DMZ

The wireless DMZ configuration discussed in this article requires you to have at least three network interfaces on the ISA firewall (an ISA firewall can have more NICs, but only three are used in this scenario):

  • One interface is connected to the Internet (this is the interface with the default gateway)
  • One interface is connected to the Default Internal Network (this is the interface connected to the production network)
  • One interface is connected to the wireless DMZ segment.

The figure below shows the conceptual designed used in the sample network discussed in this article.

Figure A

The topology of our sample network

Network design

On the Default Internal Network there will be a DNS server that also acts as a domain controller and DHCP server. The DNS server component on this machine is configured to enable Internet DNS host name resolution.

The most secure configuration would be to set up a dedicated DNS resolver in a DMZ segment that hosts no private domain records, but many small and medium sized networks have domain controllers configured as DHCP and DNS servers, so we're using that configuration in our example.

There's a wireless access point (WAP) on the wireless DMZ segment, which has its DHCP server component enabled. This allows computers on the wireless DMZ segment to get addresses on the network ID assigned to the network interface connecting the ISA firewall to the wireless DMZ segment. The network interface connected to the wireless DMZ segment does not use DHCP to obtain its own address. It has a static address.

The ISA firewall's external interface is connected to an upstream DSL NAT, cable NAT or other device that performs Network Address Translation (including a packet filtering firewall). The external interface of the ISA firewall must be able to communicate with the NAT device, but doesn't need to be directly connectedto it. The use of NAT makes it easier to configure the ISA firewall configuration you're using PPP over Ethernet (PPPoE) or when you don't have dedicated addresses bound to the external interface of the ISA firewall.

Here's what you should do:

  • Assign a static address to the ISA firewall's external interface
  • Set the default gateway to the LAN (internal) address of the NAT device.
  • You can connect the ISA firewall directly to the NAT device using a crossover cable, or you can connect the LAN interface of the NAT device to a switch and the external interface of the ISA firewall.

A switch is the preferred method. This gives you a DMZ segment where you can publish resources on the DMZ between the NAT device and the ISA firewall's external interface.

Creating the wireless DMZ segment

Here's what you'll need to do to create the wireless DMZ segment. First, install three NICs into the ISA firewall machine. You'll use one as the external interface. The second will interface with the Default Internal Network. The third connects to the DMZ network.

Next, configure the ISA machine to be a DNS server so clients on the DMZ network can be configured as SecureNAT clients that will use the ISA server's DNS services to resolve names.

Install the ISA firewall software and configure the Default Internal Network. Configure an ISA firewall Network to represent the DMZ segment to which your wireless clients will connect. Next, make a Network Rule on the ISA Server that defines a NAT relationship between the DMZ ISA firewall Network and the Default External Network. Finally, you must create a firewall policy on the ISA Server.

Planning the firewall policy

In the example used in this article, we'll create the following Firewall rules:

DNS to DMZ interface - The SecureNAT clients on the DMZ segment must be able to resolve Internet host names using the DNS server on the ISA firewall, so you'll need to make an Access Rule to allow hosts on the DMZ segment to access the DNS server on the ISA firewall.

HTTP DMZ to Internet - Since the point of the DMZ is to be able to provide limited and secure connections from the DMZ segment, you'll probably want to allow only HTTP connections outbound. We prefer to avoid allowing access to other protocols because this is a more secure configuration and simplifies access policy. It is especially critical that you do not allow encrypted communications to the DMZ, such as SSL or VPN protocols. The ISA firewall is not able to perform stateful application layer inspection on these communications and that puts the DMZ network and the organization at risk.

All Open Internal to Internet (not recommended) - For the purpose of illustrating the procedure in this article, we create an "All Open" rule allowing all protocols from the Default Internal Network to the Internet. In real practice, your network will have its own security policy. We do not recommend that you ever create an "all open" rule on a production network.

Enable the VPN Server Component on the ISA Firewall - You can enable a VPN connection from the wireless DMZ to give wireless clients secure access to files, printers, etc. on the internal network. This is optional.

In the following sections, we'll go into detail about how to implement each of the steps you planned for above.

Installing and configuring the network interfaces

You must install at least three network interfaces on the ISA Server machine. These include:

  • An external interface that connects the ISA firewall to the Internet. Don't configure a DNS server on this interface (Only the Interface closest to the internal network's DNS server should be configured as a DNS server). There is a default gateway configured on this interface.
  • An interface on the Default Internal Network that connects the ISA firewall to the production network. Configure the DNS server on this interface. There should be no default gateway on this interface.
  • An interface on the DMZ network, which connects the ISA firewall to the wireless DMZ segment. It should have neither a DNS server nor a default gateway. At the physical level, you should connect this interface to the same switch the WAP connects to.

Configure the interfaces before you install the ISA software. Table A shows the interface configuration we used for our example network.

Table A

Internal Interface External Interface DMZ Interface
IP Address 10.0.0.1 192.168.1.70* 172.16.0.1
Subnet Mask 255.255.255.0 255.255.255.0 255.255.0.0
Default Gateway N/A 192.168.1.60* N/A
DNS Server Address 10.0.0.2 N/A N/A
Interface configurations for example network with ISA firewall behind a NAT device

Installing and configuring the DNS service

Prior to installing the ISA firewall software, you should install the DNS server service on the ISA machine. This will avoid DNS queries to the DNS server on the internal LAN and let your SecureNAT clients in the DMZ resolve names without going "outside" to DNS servers on the Internet.

In our scenario, DMZ hosts shouldn't be able to access the resources on the production network because this would present a security threat (there may be other cases where you would want to allow the wireless computers in the DMZ to access internal resources). However, if you have users and computers on the DMZ at times who are trusted and need access to LAN resources, you can have them use a VPN connection.

Supporting SecureNAT clients

If you want to support SecureNAT clients on the wireless DMZ, the SecureNAT clients must be able to resolve Internet host names themselves because the ISA firewall does not perform "proxy" DNS for SecureNAT clients (it does so for Web proxy and Firewall clients). For security purposes, you should not allow clients on the wireless DMZ network access to more protocols than absolutely necessary when connecting to the Internet. For example, if you allow the SecureNAT clients on the DMZ Network to access the DNS server at your ISP, you'd have to allow them to access the DNS protocol to the Internet. That's a "no-no" because it can prevent a security issue.

The SecureNAT clients on the wireless DMZ will use the ISA Server DNS services to resolve names. The ISA Server DNS server will perform recursion to resolve Internet host names for those SecureNAT clients. You should configure the DNS server on the ISA firewall to protect it from DNS attacks such as caching poisoning.

Here's how to install and configure the DNS server on the ISA firewall machine:

  1. From the Start menu, open the Control Panel and click Add and Remove Programs.
  2. In the Add and Remove Programs applet, click the Add/Remove Windows Components button in the left pane.
  3. In the Windows Components dialog box, scroll down to the Network Services entry, click it and then click Details.
  4. In the Network Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
  5. Click Next in the Windows Components dialog box.
  6. Follow the instructions on subsequent Wizard pages and then click Finish when the Wizard completes.

Next, configure the Properties of the DNS server running on the ISA firewall machine:

  1. Click Start, point to Administrative Tools and click DNS.
  2. In the DNS Management console, right click the server name in the left pane of the console and click Properties.
  3. In the DNS server's Properties dialog box, click the Interfaces tab. Select the Only the following IP addresses option. In the IP address list, click on each IP address that is not the IP address bound to the DMZ interface of the ISA firewall, then click Remove.

4. Click Apply and then click OK.

The IP address on the DMZ interface of the ISA firewall should be the only IP address left on the list. To allow the internal Network DNS server to use this DNS server as a forwarder, you can include the internal Network interface as a DNS listener, as shown in Figure B.

Figure B

Configuring the DNS listener

You don't have to create an Access Rule to allow the ISA firewall to perform recursion because a System Policy Rule is enabled automatically on the ISA firewall that allows the ISA firewall to perform DNS queries to all Networks.

Creating the DMZ ISA firewall network

You must next create an ISA firewall Network for your wireless DMZ segment. The ISA firewall uses ISA firewall Networks to determine whether Networks are connected. You can either route or NAT communications between source and destination ISA firewall Networks.

You define ISA firewall Networks on a per-interface basis. Each network interface bound to the ISA firewall is the "root" of an ISA firewall Network. All of the addresses that can be reached directly through a specific interface are included in the definition of a particular ISA firewall Network.

You can't use the same IP address on more than one ISA firewall Network. That's because an IP address is not allowed to be directly reachable from more than one network interface on the ISA firewall machine. Thus, each interface installed on the ISA firewall must be located on a different network ID. However, this doesn't mean you can't have multiple network IDs behind a particular ISA firewall Network interface.

For example, if an interface is on network ID 10.10.10..0/24 and there is another network ID, such as 10.10.15.0/24 located behind a LAN router, there is no problem with that. The ISA firewall Network definition just needs to include all addresses for both network IDs and a routing table entry must be includes on the ISA firewall to point to the appropriate gateway to reach that remote network. The point is that each interface on the ISA firewall must be on a different network ID.

For our example, the DMZ network interface's IP address is 172.16.0.1/16. This interface is on network ID 172.16.0.0/16, so the definition of the wireless DMZ ISA firewall Network will include the IP addresses 172.16.0.0-172.16.255.255.

You don't have to include all the addresses in the network ID; you can include only those addresses that are actually in use. This is the best way to do it in an enterprise network, where you'll probably use subnets of default private address network IDs throughout your organization.

Here's how you create the DMZ ISA firewall Network:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, click the Networks tab in the details pane of the ISA firewall console. In the Tasks tab in the Task Pane, click the Create a New Network link.
  3. On the Welcome to the New Network Wizard page, enter DMZ in the Network name text box. Click Next.
  4. On the Network Type page, select the Perimeter Network option and click Next.
  5. On the Network Addresses page, click the Add Adapter button.
  6. In the Select Network Adapters dialog box, select the DMZ interface and then put a checkmark in the DMZ interface's checkbox as shown in Figure C. The network information pulled from the Windows routing table appears in the Network Interfaces Information box. Click OK.

Figure C

Configuring the network addresses
  1. Click Next on the Network Addresses page.
  2. Click Finish on the Completing the New Network Wizard page.
  3. The new ISA firewall Network appears in the list of Networks on the Networks tab, as shown in Figure D.

Figure D

Listing ISA firewall networks

Defining a NAT relationship between the DMZ ISA firewall Network and the default external network

At this point, you have an ISA firewall Network that represents the wireless DMZ, but that Network isn't connected to any other Network. You need a Network Rule to connect the wireless DMZ network to any other ISA firewall Network. So now you must create a Network Rule to connect the wireless DMZ network to other ISA firewall networks.

Connecting one ISA firewall Network to another ISA firewall Network is only one step. Traffic still can't pass between them until you create Access Rules to allow traffic to pass between connected ISA firewall Networks.

Network Rules do more than connecting the networks. They're also used to define the routing relationships (either Route or NAT) between connected Networks. These differ in that:

  • Route is bidirectional, so traffic is routed both from the source to the destination and from the destination to the source.
  • NAT is unidirectional so traffic is NATed from the source to destination, but is not NATed from destination to source.

For our example, we will create the following two Network Rules. One will define a NAT route relationship between the DMZ and the Default External Network. The other one defines a NAT route relationship between the Default Internal Network and the DMZ

The Network Rule NATs connections sourcing from the DMZ ISA firewall Network to the Internet. The source IP addresses for outbound connections will be replaced by the IP address assigned to the external interface of the ISA firewall.

The next step is to create a Network Rule that connects the DMZ to the Internet:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node in the left pane of the console. Click the Networks node.
  2. On the Networks node, click the Networks Rules tab in the details pane of the ISA firewall console. Click the Tasks tab in the Task Pane and click the Create a New Network Rule link.
  3. In the Welcome to the New Network Rule Wizard dialog box, enter the name for the Network Rule in the Network rule name text box. In this example we will name the rule DMZ to Internet. Click Next.
  4. Click Add on the Network Traffic Sources page.
  5. In the Add Network Entities dialog box, click the Networks folder and double click the DMZ Network. Click Close.
  6. Click Next on the Network Traffic Sources page.
  7. Click Add on the Network Traffic Destinations page.
  8. In the Add Network Entities dialog box, click the Networks folder and double click the External Network. Click Close.
  9. Click Next on the Network Traffic Destinations page.
  10. On the Network Relationship page, select the Network Address Translation (NAT) option and click Next, as seen in Figure E.

Figure E

Setting the network routing relationship

11.Click Finish on the Completing The New Network Rule Wizard page.

There is no Network Rule that connects the DMZ Network to the default Internal Network to the DMZ, nor is there a Network Rule connecting the Internal Network to the DMZ.

As part of setting up your wireless DMZ segment, you need to create Access Rules to define which traffic is allowed to move through and to the ISA Server firewall. Your individual security policies and organizational requirements will determine your firewall policies.

In a production network, the ISA firewall should be a member of the Windows domain. You should use strong user/group-based access controls to provide secure outbound and inbound access through the ISA firewall. In addition, all of the client operating systems on the production network should be configured as Web proxy and Firewall clients, and all of the servers that need Internet access (including published servers) should be configured to be SecureNAT clients.

After creating the access rules, you can provide a method to allow hosts on the wireless DMZ more access to resources on the internal network if you wish. You could do this by creating a set of Web and Server Publishing Rules for all the resources that computers on the wireless DMZ might require, or you could create a Route relationship between the wireless DMZ and the Default Internal Network and then create Access Rules allowing connections from the wireless DMZ to the default Internal Network.

Editor's Picks

Free Newsletters, In your Inbox