We are doing an eval of the SA4500 and are discussing options of where to place it on the network. The plan is to give users access to basic resources (email, internet, in-house apps, etc.).
Option 1 - Place the SA in our DMZ behind a firewall and have a "one arm" topology where the internal and external interfaces are in the same subnet. Thus the traffic travels from the internet to the firewall to the DMZ, then back through the same firewall to reach the internal network.
Option 2 - Place the SA in front of the firewall and send traffic to the internal network through the firewall (utilizing a second DMZ-style vlan).
The concern with the first option is that we would create a back door into the internal network, where all traffic currently has to traverse the firewall to get there. Option #2 does leave the SA open to the internet for potential attacks.
Is there a normal convention that most organizations use?
I can't speak for other organizations obviously but we place the external NIC of the SA in our DMZ behind a firewall and the internal NIC of the SA is in our corporate network.
DMZ - External NIC of SA | SA | Internal NIC of SA
The SA acts like a proxy in that it doesn't pass traffic through itself per se meaning that putting an SA in with this type of configuration is not the same thing as poking a hole in your firewall for the Internet to pour through to your internal network.
I'm fairly paranoid when it comes to security but I've not had any security issues from this setup with an SA in the several years that we have been using it.
Thanks...do you also use Network Connect? If so, is the IP range for that part of the same subnet of the internal NIC or do you use a private IP space and route it to the SA's internal interface?
Just a quick note on your point 2. You should never place the SA in front of the firewall directly on the Internet. It has no inbuilt basic IP threat protection of its own and so should always go behind a firewall that provides this.
Internet <-> Firewall <-> SA ext--| --SA-Int ---<optional firewall - security level=paranoid > ---Internal Network
1. I always prefer two-arm mode as the External interface listens only on 443 (and ESP) and it's been hardened such that it will not source any traffic from the External interface, i.e. the External interface is only to receive user traffic. All traffic will be sourced via the internal interface only, even if the traffic is destined for the internet.
2. For the NC IP pool, try to use a pool that belongs to the same subnet as the internal interface of the IVE. By doing this you won't have to create static routes on your internal network infrastructure to let backend resources know that traffic for the NC IP pool belongs to the SA's internal interface.
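The two properties in the reply above (the external interface should only ever be reachable on TCP/443 and ESP, and an NC pool carved from the internal interface's subnet needs no static routes) are the kind of thing worth checking mechanically against the firewall policy before the appliance goes live. The script below is an added example written for this thread, not code from the forum, Juniper, or the SA itself: it models firewall rules as simple source/destination/protocol tuples, flags any Internet-sourced rule that exposes the SA's external address beyond 443/ESP, flags rules that let Internet traffic straight into the internal network (the "back door" concern from the original question), and reports whether a candidate NC pool falls inside the internal interface's subnet. All addresses and rules are constructed sample values.

```python
"""Placement checks for a two-arm SSL VPN appliance behind a firewall.

Added example for this thread (constructed rules and addresses, not a vendor tool).
Assumptions: a rule with source 0.0.0.0/0 is treated as Internet-sourced; the
external interface is expected to accept only TCP/443 and ESP (IP protocol 50).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# What the external (DMZ-side) interface is expected to accept from the Internet.
ALLOWED_EXTERNAL_INBOUND = {("tcp", 443), ("esp", None)}


@dataclass(frozen=True)
class Rule:
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str                  # "tcp", "udp", "esp", or "any"
    dport: Optional[int] = None  # destination port for tcp/udp, else None


def _is_internet_source(rule: Rule) -> bool:
    """Treat a 0.0.0.0/0 (or ::/0) source as 'the Internet' (assumption)."""
    return ipaddress.ip_network(rule.src, strict=False).prefixlen == 0


def find_excess_external_exposure(rules: List[Rule], sa_external_ip: str) -> List[Rule]:
    """Rules that let Internet traffic reach the SA external IP on anything but 443/ESP."""
    ext = ipaddress.ip_address(sa_external_ip)
    return [
        r for r in rules
        if _is_internet_source(r)
        and ext in ipaddress.ip_network(r.dst, strict=False)
        and (r.proto, r.dport) not in ALLOWED_EXTERNAL_INBOUND
    ]


def find_internal_backdoors(rules: List[Rule], internal_net: str) -> List[Rule]:
    """Rules that admit Internet-sourced traffic directly into the internal network."""
    internal = ipaddress.ip_network(internal_net, strict=False)
    return [
        r for r in rules
        if _is_internet_source(r)
        and ipaddress.ip_network(r.dst, strict=False).overlaps(internal)
    ]


def nc_pool_needs_static_route(pool_cidr: str, internal_if_cidr: str) -> bool:
    """True if the NC pool lies outside the internal interface's subnet, so backend
    routers would need a static route pointing the pool at the SA internal IP."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    internal = ipaddress.ip_network(internal_if_cidr, strict=False)
    return not pool.subnet_of(internal)


# Constructed sample policy: SA external NIC in the DMZ, internal NIC on 10.10.0.0/16.
SA_EXTERNAL_IP = "192.168.100.10"
INTERNAL_NET = "10.10.0.0/16"
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "192.168.100.10/32", "tcp", 443),   # users to the SA: expected
    Rule("0.0.0.0/0", "192.168.100.10/32", "esp"),        # ESP transport: expected
    Rule("0.0.0.0/0", "192.168.100.10/32", "tcp", 22),    # management exposed: flag
    Rule("0.0.0.0/0", "10.10.0.0/16", "tcp", 445),        # Internet -> internal: back door
    Rule("10.10.50.0/24", "10.10.0.0/16", "any"),         # NC pool -> internal: fine
]


def summarize(rules: List[Rule] = SAMPLE_RULES) -> dict:
    """Run all three checks and return the findings in one dict."""
    return {
        "excess_external": find_excess_external_exposure(rules, SA_EXTERNAL_IP),
        "backdoors": find_internal_backdoors(rules, INTERNAL_NET),
        "nc_pool_needs_route": nc_pool_needs_static_route("10.10.50.0/24", "10.10.0.0/16"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The checks are deliberately conservative: a rule is only counted as Internet-sourced when its source is the unrestricted prefix, so partner or management ranges with real prefixes are left for a human to review rather than silently passed.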
Actually, the SA can be configured to listen on 11000-11099 if you are using Passthrough proxy, but your point is still valid.