RE: Domain structure to add more security protection

  • From: "David V. Dellanno" <ddellanno@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 9 Aug 2003 17:15:51 -0400

The second part is what I was talking about.  I realize the internet
can't be trusted, but it is the domain that will be allowed through the
ISA domain; technically it is not trusted, but giving the internet domain
access to the ISA domain is what I'm talking about.   The example you
mention is what I thought would be the less expensive solution for the
same security I was looking for.

Corp Domain <-> Member Server (ISA) <-DMZ-> Stand-Alone (ISA) <->
Internet

Thanks Kev

-----Original Message-----
From: Kevin S. Malinowski [mailto:Kevin@xxxxxxxxxx] 
Sent: Saturday, August 09, 2003 5:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Domain structure to add more security protection


http://www.ISAserver.org


Hi, David.

There are a couple of flaws with this as I see it in this situation.

First, if the Corp Domain trusts the ISA domain, then anyone who
compromises your ISA box is automatically (for all intents and purposes)
trusted by the Corp Domain. I see this as a bad thing.

Second, there is no way to trust the internet, as it is not a domain, so
this part of the discussion is basically moot.

However, if it were the other way around, i.e. the ISA domain were to
trust the Corp Domain, then the internal users of the Corp domain would
have access to ISA resources. Since this is a one-way trust, if your ISA
box were compromised the attacker would not automatically have access to
internal Corp Domain resources.

Now, the question is: does this really add more security, or just more
complication? Just having a stand-alone ISA server and then a member
server in a back-to-back deployment (the standalone exposed to the
internet) gives me pretty much the same amount of security without the
complication of external forest trusts. Of course YMMV.

Kevin

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Saturday, August 09, 2003 2:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Domain structure to add more security protection


Hi everyone,
    I was wondering, if cost were not a factor and you could design the
perfect Windows 2000/2003 environment, would it be wise to create a
resource domain specifically for ISA/VPN and create an external,
one-way, non-transitive trust?  I remember someone asking this and I
can't remember if it was answered.

Corp Domain  <---trust--- ISA Domain <---- Internet


Corp Domain trusts ISA Domain, ISA Domain does not automatically trust
Corp Domain.

In a non-transitive trust relationship, if Corp Domain trusts ISA Domain
and ISA Domain trusts the Internet, Corp Domain does not automatically
trust the Internet.


Regards,

David V. Dellanno - MCSE, MCP+I, MCP
MSDEMO Consultants
Williams Place
2564 Bridgewood Lane
Snellville, Georgia 30078 USA
(770) 736-8794 (Office)
msdemo.net

Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
kevin@xxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub') 
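The trust-direction argument in Kevin's reply and the non-transitive chain in David's original diagram, worked through as a small Python model. This is an added example, not code from the original thread or from ISA Server; the domain names corp.example, isa.example and third.example are constructed (third.example stands in for the "Internet" node of David's diagram, which Kevin notes is not really a domain), and the model makes one simplifying assumption: a principal from an account domain can be granted access in a resource domain when that resource domain trusts the account domain directly, or through a chain in which every trust is transitive.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Trust:
    """One trust relationship. The trusting (resource) domain accepts
    principals from the trusted (account) domain; access therefore flows
    in the opposite direction to the trust arrow."""
    trusting: str
    trusted: str
    transitive: bool = False   # external trusts are non-transitive


def reachable_resource_domains(account_domain: str, trusts: Iterable[Trust]) -> set[str]:
    """Domains whose resources a principal from account_domain can be
    granted access to. A direct trust always counts; a chain of two or
    more trusts counts only when every hop is transitive (assumption of
    this model, not a full description of AD trust evaluation)."""
    trusts = list(trusts)
    reached = {account_domain}            # a principal can always use its own domain
    queue = deque([(account_domain, True, 0)])   # (domain, all hops transitive, hops)
    seen = {(account_domain, True)}
    while queue:
        domain, all_transitive, hops = queue.popleft()
        for t in trusts:
            if t.trusted != domain:
                continue
            # Beyond the first hop, the whole path must be transitive.
            if hops > 0 and not (all_transitive and t.transitive):
                continue
            state = (t.trusting, all_transitive and t.transitive)
            if state in seen:
                continue
            seen.add(state)
            reached.add(t.trusting)
            queue.append((t.trusting, state[1], hops + 1))
    return reached


def exposure_if_compromised(compromised_domain: str, trusts: Iterable[Trust]) -> set[str]:
    """Other domains whose resources become reachable to someone who controls
    accounts in compromised_domain (Kevin's "ISA box compromised" scenario)."""
    return reachable_resource_domains(compromised_domain, trusts) - {compromised_domain}


# Constructed domain names.
CORP, ISA, THIRD = "corp.example", "isa.example", "third.example"

# David's diagram: Corp Domain <---trust--- ISA Domain (one-way, non-transitive).
DESIGN_CORP_TRUSTS_ISA = [Trust(trusting=CORP, trusted=ISA, transitive=False)]

# Kevin's alternative: ISA Domain trusts Corp Domain (one-way, non-transitive).
DESIGN_ISA_TRUSTS_CORP = [Trust(trusting=ISA, trusted=CORP, transitive=False)]

# David's transitivity question, with a hypothetical third domain in place of "Internet".
NON_TRANSITIVE_CHAIN = [Trust(CORP, ISA, transitive=False), Trust(ISA, THIRD, transitive=False)]
TRANSITIVE_CHAIN = [Trust(CORP, ISA, transitive=True), Trust(ISA, THIRD, transitive=True)]


if __name__ == "__main__":
    print("Corp trusts ISA; ISA compromised ->", exposure_if_compromised(ISA, DESIGN_CORP_TRUSTS_ISA))
    print("ISA trusts Corp; ISA compromised ->", exposure_if_compromised(ISA, DESIGN_ISA_TRUSTS_CORP))
    print("ISA trusts Corp; Corp users reach ->", reachable_resource_domains(CORP, DESIGN_ISA_TRUSTS_CORP))
    print("non-transitive chain, third compromised ->", exposure_if_compromised(THIRD, NON_TRANSITIVE_CHAIN))
    print("transitive chain, third compromised ->", exposure_if_compromised(THIRD, TRANSITIVE_CHAIN))
```

Running it shows the two points made in the thread: with Corp trusting ISA, a compromised ISA domain reaches corp.example; with the trust reversed, a compromised ISA domain reaches nothing further while Corp users can still use ISA resources; and only when every hop is transitive does a third domain trusted by ISA reach Corp.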
