Re: Allow all

  • From: "Stuart Pittwood" <SPittwood@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 13 Jun 2003 16:32:52 +0100

"Make sure your company charges the vendor for your time as you figure
out how *their* application works."  
        
        Too Right .... If I have to take the time to work out how to get
their app working they can pay for that time.

I think I'm going to see what my options are talking to Progress direct
as I've just spoken to one of our supplier's "support" people who
couldn't answer my questions as he'd never heard of a secondary
connection!!!



Stu P
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 13 June 2003 15:30
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all

http://www.ISAserver.org


Hi Stuart,

Thanks! The point is that the vendor is responsible for knowing the
protocols their application uses. If they don't know, then you need to
demand a refund. If they don't understand their application, think of
the security issues related to that. "Ahhh, well you know, it uses
ports XXX and XXX and XXX, we think...are we secure? Sure, yea, it's
secure. Why wouldn't it be secure?"

Know what I mean? Security through obscurity has some value, but a
vendor not understanding how their network-enabled application works is
not the type of obscurity that confers any level of security.

So, what you need to know:

Inbound primary connections
Inbound secondary connections
Outbound primary connections
Outbound secondary connections

Connections defined by:
Source IP and port number
Destination IP and port number

Without this information, you can make an avocation of the ISA firewall
Web Proxy and firewall logs and your favorite packet sniffer. Make sure
your company charges the vendor for your time as you figure out how
*their* application works.

/end rant

:-)

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Stuart Pittwood [mailto:SPittwood@xxxxxxxxxxxxxxxxx] 
Sent: Friday, June 13, 2003 9:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all



Excellent use of clipart Tom,

I have all the ports published for inbound access and all the
appropriate ports in protocol rules for outbound access.

There are no packet filters applied for specified protocols (although
packet filtering is enabled).

Although there is a publishing rule for the inbound UDP 5162, the Packet
filter log files tell me it's being blocked.

This mess has been left to me by our software vendor who couldn't get it
working either & although it's not urgent (doesn't go live till October)
I'd like to get it working soon coz it's driving me nuts (or more so
than normal)

Any input you could offer is greatly appreciated.

Thanks

Stu
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 13 June 2003 15:09
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all


Hi Stu,

Before going any farther on this, check out:

www.tacteam.net/openport.htm

Get it?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Stuart Pittwood [mailto:SPittwood@xxxxxxxxxxxxxxxxx] 
Sent: Friday, June 13, 2003 8:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all



I'm having trouble with our webspeed application so I was going to open
everything up between those two boxes.

I need to talk from the web server in the DMZ to the box on the internal
lan on :

        UDP 5162
        TCP 3055
        TCP 3056        
        TCP 3057

From the box on the internal lan to the web server on the DMZ:

        UDP 1-65535
        TCP 2202 - 2206

What I was planning to do is open up all communication between those
servers, get the app working, see what is talking to what then close
everything else.

Thanks

Stu
        
        

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: 13 June 2003 14:11
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Allow all


That's a bad security model.
What are you trying to pass between them?

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!



http://www.ISAserver.org


This is probably a simple question but how do I allow all traffic to
flow between a server on the internal lan and a server on the DMZ?

 

_________________________

Stuart Pittwood, CCNA, MCSE

IT Technician

Amery-Parkes Solicitors

 



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
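
The flow inventory Tom describes (connections defined by source, destination and port, read out of the firewall logs), as an added example that is not part of the original thread: it reduces allowed-connection log lines to per-direction candidate rules. The log layout and both IP addresses are constructed for illustration; the ports are the ones Stu lists.

```python
from collections import defaultdict

# Constructed sample: one line per allowed connection attempt, in a simplified
# "time proto src_ip:src_port dst_ip:dst_port" layout (not the ISA log format).
# 192.168.10.5 stands in for the DMZ web server, 10.0.0.20 for the internal box.
SAMPLE_LOG = """\
16:01:02 UDP 192.168.10.5:1044 10.0.0.20:5162
16:01:02 TCP 192.168.10.5:1045 10.0.0.20:3055
16:01:03 TCP 10.0.0.20:2871 192.168.10.5:2202
16:01:03 TCP 10.0.0.20:2872 192.168.10.5:2203
16:01:04 TCP 192.168.10.5:1046 10.0.0.20:3056
16:01:05 TCP 10.0.0.20:2873 192.168.10.5:2204
16:01:07 TCP 192.168.10.5:1047 10.0.0.20:3057
16:01:09 TCP 192.168.10.5:1048 10.0.0.20:3055
"""

def parse(log_text):
    """Yield (proto, src_ip, dst_ip, dst_port); ephemeral source ports are dropped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, proto, src, dst = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield proto.upper(), src_ip, dst_ip, int(dst_port)

def port_ranges(ports):
    """Collapse a set of ports into sorted inclusive (low, high) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def candidate_rules(log_text):
    """Map (src_ip, dst_ip, proto) -> destination port ranges actually observed."""
    seen = defaultdict(set)
    for proto, src_ip, dst_ip, dst_port in parse(log_text):
        seen[(src_ip, dst_ip, proto)].add(dst_port)
    return {flow: port_ranges(ports) for flow, ports in sorted(seen.items())}

if __name__ == "__main__":
    for (src, dst, proto), ranges in candidate_rules(SAMPLE_LOG).items():
        spec = ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)
        print(f"{src} -> {dst}  {proto} {spec}")
```

Ports the application did not use while the log was being collected will not appear in the output, so every function of the application needs to be exercised before the remaining traffic is closed off.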
