What Are Perimeter Networks?
A perimeter network is a network that is separated from an internal network and the Internet. Perimeter networks allow external users to gain access to specific servers that are located on the perimeter network while preventing direct access to the internal network.
Perimeter networks have the following characteristics:
1- Protected by one or more firewalls Perimeter networks are separated from the Internet by one or more firewalls or routers. The perimeter network is usually also separated from the internal network by a firewall. The firewall protects the servers in the perimeter network from the Internet and filters traffic between the perimeter network and the internal network.
2- Contain publicly accessible servers and services The servers in the perimeter network are usually accessible to users from the Internet. The types of servers or services that are often located in the perimeter network include VPN servers and clients, remote access servers (RASs) and clients, Web servers, application front-end servers, SMTP gateway servers, and proxy servers.
3- Must be accessible from the Internet Because the servers on the perimeter network must be accessible from the Internet, the firewall protecting the perimeter network must allow network traffic from the Internet. This traffic must be filtered to ensure that only legitimate traffic enters the perimeter network. Because almost all network traffic will flow from the Internet to the perimeter network, most firewall rules can be configured to allow only inbound traffic.
4 -Require network connectivity to the internal network Frequently, the computers on the perimeter network must be able to connect to resources on the internal network. For example, VPN or RAS Clients connect to the VPN or RAS server, but then must gain access from that server to the internal network. An SMTP gateway server must be able to forward messages to internal e-mail servers. An application front-end server may need to connect to a database server on the internal
network. Often, users on the internal network must also be able to connect to servers in the perimeter network. This means that you must configure firewall access rules on the firewall between the perimeter network and the internal network to enable the required network traffic.
5- Require some level of network protection The servers on the perimeter network must be partially isolated both from the Internet and the internal network. The firewalls on both sides of a perimeter network should not forward all traffic, but should filter traffic flowing in both directions. Only required network traffic should be allowed to pass between networks.
Benefits of Using a Perimeter Network
The main reason for using a perimeter network is to provide an additional layer of security. A perimeter network is commonly used for deploying publicly accessible servers while servers that should never be accessed from the Internet are located on the internal network. In this way, even if an attacker penetrates the perimeter network security, only the perimeter network servers are compromised.
The servers in the perimeter network usually do not contain confidential or private organization data. This data and critical applications are located on the internal network. By implementing a perimeter network, you ensure that there is an additional layer of security between the Internet and the internal servers.
The perimeter network can also be used to secure other connections to the internal network. For example, many organizations are using mobile clients such as wireless devices or cell phones to access information such as e-mail on the internal network. These devices greatly increase the security risks; one way to reduce that risk is to install the wireless access servers for these devices in the perimeter network and then use the internal firewall to filter traffic from these servers to the internal network. VPN servers and clients can be secured using the same method.
Affichage des articles dont le libellé est perimeter. Afficher tous les articles
Affichage des articles dont le libellé est perimeter. Afficher tous les articles
Implementing Perimeter Networks and Network Templates
Lesson 2: Configuring Multiple Networking on ISA Server
ISA Server Support for Multiple Networks
ISA Server 2004 uses networks to define blocks of IP addresses that may be directly attached to the ISA Server computer or IP addresses that may be remote networks. ISA Server uses these networks as components when you create access rules. ISA Server supports an unlimited number of networks.
What Is Multinetworking?
Multinetworking means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic between all networks. Multinetworking enables flexible options for network configuration. One common network configuration is a three-legged firewall.
In this configuration, you create three networks:
1- The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network.
2- The internal client computers and servers that are not accessible from the Internet are located on an internal network.
3- The third network is the Internet.
ISA Server multinetworking functionality supports this configuration. You can configure how clients on the corporate network access the perimeter network, and how external clients access the perimeter network. You can also define access rules for all
network traffic flowing from the Internal network to the Internet. You can also configure the relationships between the various networks, defining different network rules between each network.
You might also need to configure a more complicated network environment. In this scenario, you could have the following:
1- Two perimeter networks Perhaps you are deploying some servers that are domain members and other servers that are stand-alone servers. The domain members need to be able to communicate with domain controllers that are located on your internal network. In this scenario, you could configure a second perimeter network for the servers that need to be members of the domain.
2- Two internal networks You might have a group of client computers that needs to access the Internet using a different application or with security rules different from the other client computers. You can create an additional internal network and configure specific Internet access rules for each network.
3- VPN client and VPN remote-site networks ISA Server defines a network for VPN clients, and you can define a network for each remote site connected with a site-to-site VPN connection.
How to Create and Modify Network Objects
For a small organization with a fairly simple network, the default network objects may provide all the configuration options required. However, in a larger organization with a more complex network environment and more complicated requirements, you may need to create and modify the network objects.
To create a new network object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and click Networks.
2. In the Details pane, click the Network tab.
3. On the Tasks tab, click Create a New Network.
4. On the Welcome to the New Network Wizard page, in the Network Name: box,type the name for the network. Click Next.
5. On the Network Type page, select the type of network
you are creating. Select one of the following options:
. External Network
. Internal Network
. Perimeter Network
. VPN Site-To-Site Network
6. After selecting the network type, click Next.
7. If you selected an internal, perimeter, or external network type, on the Network Addresses page, click Add.
8. In the IP Address Range Properties page, type the starting and ending addresses,and then click OK.
9. On the Completing The New Network Wizard page, review the settings and then click Finish.
To modify a network, click the network in ISA Server Management Console and then click Edit Selected Network.
Multinetworking means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic between all networks. Multinetworking enables flexible options for network configuration. One common network configuration is a three-legged firewall.
In this configuration, you create three networks:
1- The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network.
2- The internal client computers and servers that are not accessible from the Internet are located on an internal network.
3- The third network is the Internet.
ISA Server multinetworking functionality supports this configuration. You can configure how clients on the corporate network access the perimeter network, and how external clients access the perimeter network. You can also define access rules for all
network traffic flowing from the Internal network to the Internet. You can also configure the relationships between the various networks, defining different network rules between each network.
You might also need to configure a more complicated network environment. In this scenario, you could have the following:
1- Two perimeter networks Perhaps you are deploying some servers that are domain members and other servers that are stand-alone servers. The domain members need to be able to communicate with domain controllers that are located on your internal network. In this scenario, you could configure a second perimeter network for the servers that need to be members of the domain.
2- Two internal networks You might have a group of client computers that needs to access the Internet using a different application or with security rules different from the other client computers. You can create an additional internal network and configure specific Internet access rules for each network.
3- VPN client and VPN remote-site networks ISA Server defines a network for VPN clients, and you can define a network for each remote site connected with a site-to-site VPN connection.
How to Create and Modify Network Objects
For a small organization with a fairly simple network, the default network objects may provide all the configuration options required. However, in a larger organization with a more complex network environment and more complicated requirements, you may need to create and modify the network objects.
To create a new network object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and click Networks.
2. In the Details pane, click the Network tab.
3. On the Tasks tab, click Create a New Network.
4. On the Welcome to the New Network Wizard page, in the Network Name: box,type the name for the network. Click Next.
5. On the Network Type page, select the type of network
you are creating. Select one of the following options:
. External Network
. Internal Network
. Perimeter Network
. VPN Site-To-Site Network
6. After selecting the network type, click Next.
7. If you selected an internal, perimeter, or external network type, on the Network Addresses page, click Add.
8. In the IP Address Range Properties page, type the starting and ending addresses,and then click OK.
9. On the Completing The New Network Wizard page, review the settings and then click Finish.
To modify a network, click the network in ISA Server Management Console and then click Edit Selected Network.
Inscription à :
Articles (Atom)
