Re: How I spent my Christmas vacation

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jan 2006 13:04:51 -0600

Hi Danny,

I don't think it's a false sense of security. The design was not perfect
from a configuration point of view, not a security point of view.
Internet facing hosts that accept anonymous inbound connections should
never be located on the same security zone as core information assets. I
pity the fool who thinks otherwise :))

Once I solve the update issue, the problem is solved. Actually, I have
solved it, but need to complete the solution with a netsh script.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx] 
> Sent: Tuesday, January 03, 2006 12:56 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation
> 
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > No. The inbound SMTP relays are in a DMZ away from the core critical
> > assets, such as Exchange, SharePoint and Active Directory.
> 
> It appears as though you have created a false sense of security
> because you have created a DNS DoS; your blog story is proof of this.
> 
> > The relays accept mail only for my domains, [...]
> 
> I would hope so!
> 
> > and then scrub for viruses and spam.
> 
> Don't forget to rinse after scrubbing.
> 
> > While the LDAP queries would prevent this issue, I don't consider the
> > inbound relays as part of the same security zone as the Exchange
> > Servers. Why? Because the spam whackers are 1. Internet facing, and 2.
> > must accept anonymous inbound connections.
> 
> What threats are you trying to mitigate?
> 
> My RFC-friendly general rule of thumb for mail servers is to only
> accept email for recipients that exist!  Google: email backscatter.
> 
> ...D
> 

