RE: Connection Issue

Due to obvious security issues I won't discuss the configuration of our
corporate firewalls.  However, there is quite an advantage to having a
multiple-system firewall.  A vulnerability of one system is typically not
going to be a vulnerability in another system so your protection against
attack is greatly increased with mixed systems.  ISA can handle itself, I
agree.  But if/when something does get through ISA another wall behind it
would give admins more time to react to the breach before the internal
network is compromised.  Same reason they built castles with an outer wall.
The biggest question then is how willing is your company to throw the
required resources at a multiple-system firewall?  More systems require more
money and they add a great deal of complexity to the solution.  From a pure
security standpoint it is the best solution.  You just have to weigh it
against your purse and your corporate culture.
 
-Shawn
 

----- 
Shawn R. Quillman 
Robert Bosch Corporation RBNA/CIT1.1 
38000 Hills Tech Drive 
Farmington Hills, MI  48331 
(248) 553-1164 (P)     (248) 848-2855 (F) 
shawn.quillman@xxxxxxxxxxxx 

-----Original Message-----
From: Eric Poole [mailto:EPoole@xxxxxxxxxxxxxxxxxxxx]
Sent: Friday, August 29, 2003 10:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Connection Issue


http://www.ISAserver.org



Wisecracks aside, what I'm getting at is that it seems that ISA is still
being governed by our PIX.  Question still remains, how many use ISA behind
another firewall?  ISA can handle itself without being behind one, so why
would it be needed, especially if you didn't have any control over that
firewall?

Eric Poole

IS Security Analyst

 <http://communitymedical.org/> Community Medical Centers

1140 "T" Street, Fresno, California  93721

559-459-6784 (phone)  559-459-2045 (fax)



        -----Original Message-----
From: Jim Harrison <jim@xxxxxxxxxxxx>@CHCC
Sent: Friday, August 29, 2003 6:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Connection Issue

        http://www.ISAserver.org <http://www.ISAserver.org> 


        They finally opened a port for you.

        Hell, any port on a storm, right?

        Is it really all that important?

        Port, Starboard, who really knows?

        Maybe they can port their rules to your ISA.

        An evil portent, this is..

        Jim Harrison

        MCP(NT4, W2K), A+, Network+, PCG

        http://isaserver.org/Jim_Harrison/
<http://isaserver.org/Jim_Harrison/> 

        http://isatools.org <http://isatools.org> 

        Read the help / books / articles!


        On Thu, 28 Aug 2003 22:57:10 -0700

        "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:

        http://www.ISAserver.org <http://www.ISAserver.org> 


        All I know is I am seeing Holes.



        John Tolmachoff MCSE CSSA

        Engineer/Consultant

        eServices For You

        www.eservicesforyou.com



        -----Original Message-----

        From: Eric Poole [ mailto:EPoole@xxxxxxxxxxxxxxxxxxxx
<mailto:EPoole@xxxxxxxxxxxxxxxxxxxx> ]

        Sent: Thursday, August 28, 2003 5:59 PM

        To: [ISAserver.org Discussion List]

        Subject: [isalist] Connection Issue



        http://www.ISAserver.org <http://www.ISAserver.org> 




        Here's the situation.  I'm trying to trouble shoot a web connection
issue.

        Supposedly, our ISA server has a hole in our PIX firewall.  Yet,
when I make

        a specific protocol rule (internal ip - any) it doesn't work.  On
the other

        hand, if our network team gives another workstation a hole, it works
fine.

        If they both have a hole, why the difference???  Another example,

        workstation with hole was able to ping out, ISA could not.  After a
good

        half hour of our network team looking at the PIX acl, ISA was able
to ping

        out again.  I think I pretty much know the answer to my questions,
but

        wanted to bounce it off a third party.  Also, I don't mean to sound
bitter.

        :-)  Final question, how many of you have ISA behind another
firewall?

        Thanks in advance.

        Eric Poole

        IS Security Analyst

        < http://communitymedical.org/ <http://communitymedical.org/> >
Community Medical Centers

        1140 "T" Street, Fresno, California  93721

        559-459-6784 (phone)  559-459-2045 (fax)



        ------------------------------------------------------

        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
<http://www.webelists.com/cgi/lyris.pl?enter=isalist> 

        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp> 

        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
<http://www.isaserver.org/pages/larticle.asp?type=FAQ> 

        ------------------------------------------------------

        Other Internet Software Marketing Sites:

        Leading Network Software Directory: http://www.serverfiles.com
<http://www.serverfiles.com> 

        No.1 Exchange Server Resource Site: http://www.msexchange.org
<http://www.msexchange.org> 

        Windows Security Resource Site: http://www.windowsecurity.com/
<http://www.windowsecurity.com/> 

        Network Security Library: http://www.secinf.net/
<http://www.secinf.net/> 

        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
<http://www.ntfaxfaq.com> 

        ------------------------------------------------------

        You are currently subscribed to this ISAserver.org Discussion List
as:

        johnlist@xxxxxxxxxxxxxxxxxxx

        To unsubscribe send a blank email to
$subst('Email.Unsub')



        ------------------------------------------------------

        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
<http://www.webelists.com/cgi/lyris.pl?enter=isalist> 

        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp> 

        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
<http://www.isaserver.org/pages/larticle.asp?type=FAQ> 

        ------------------------------------------------------

        Other Internet Software Marketing Sites:

        Leading Network Software Directory: http://www.serverfiles.com
<http://www.serverfiles.com> 

        No.1 Exchange Server Resource Site: http://www.msexchange.org
<http://www.msexchange.org> 

        Windows Security Resource Site: http://www.windowsecurity.com/
<http://www.windowsecurity.com/> 

        Network Security Library: http://www.secinf.net/
<http://www.secinf.net/> 

        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
<http://www.ntfaxfaq.com> 

        ------------------------------------------------------

        You are currently subscribed to this ISAserver.org Discussion List
as: jim@xxxxxxxxxxxx

        To unsubscribe send a blank email to
$subst('Email.Unsub')

        ------------------------------------------------------

        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
<http://www.webelists.com/cgi/lyris.pl?enter=isalist> 

        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
<http://www.isaserver.org/pages/newsletter.asp> 

        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
<http://www.isaserver.org/pages/larticle.asp?type=FAQ> 

        ------------------------------------------------------

        Other Internet Software Marketing Sites:

        Leading Network Software Directory: http://www.serverfiles.com
<http://www.serverfiles.com> 

        No.1 Exchange Server Resource Site: http://www.msexchange.org
<http://www.msexchange.org> 

        Windows Security Resource Site: http://www.windowsecurity.com/
<http://www.windowsecurity.com/> 

        Network Security Library: http://www.secinf.net/
<http://www.secinf.net/> 

        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
<http://www.ntfaxfaq.com> 

        ------------------------------------------------------

        You are currently subscribed to this ISAserver.org Discussion List
as: epoole@xxxxxxxxxxxxxxxxxxxx

        To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
shawn.quillman@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 

Other related posts: