RE: ISA & FW1

  • From: "Ronny" <rserrano@xxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 28 Nov 2001 17:41:41 -0700

Holger,

Thanks.. the "Internet -> FW-1 -> ISA -> LAN" is exactly the one I'm
looking at implementing. The IT staff is already comfortable with FW-1, so
I want the ISA to be as passive as possible. The other thing is, we are
going to try and have everyone as SNAT on the network. They don't want to
use the authentication and don't want to put any more software on the
desktops. The ISA is going to be there only to help with the HTTP
anti-virus.. the company got hit by NIMDA from a hotmail account, and is
now kinda paranoid. They feel this would help give them a "warm fuzzy"
feeling if you know what I mean.


Can anyone think of any pitfalls I should be aware of?

Thanks again!
RS
> Hello Ronny,
> 
> you may use ISA for this task, but i think it's better to place ISA
> behind your FW-1.
> 
> Internet -> FW-1 -> ISA -> LAN
> 
> 
> You are lowering the risk of your ISA getting compromised.
> In this scenario you can also use the Authentication and personalized
> logging feature of ISA.
> 
> More secure is this scenario with a DMZ
> 
> Internet -> FW-1 -> LAN
>            |
>           ISA
> 
> Well you lose the authentication information based on NT or W2K if you
> use these Domains in your LAN, but if ISA gets compromised, it's not
> standing in your LAN.
> 
> An even better scenario is this
> 
> Internet -> FW-1 -> ISA -> FW-1 -> ISA -> LAN
>                   DMZ
> 
> Now you can benefit from the authentication mechanism of ISA and have a
> real second layer of security.
> As ever it depends on the $ and the level of security your customer may
> need.
> 
> Best wishes
> Holger Reichert
> Business Manager
> Holysword gbr
> www.holysword.de
> 
> Ronny wrote:
> 
> I have a weird scenario..
> 
> A Checkpoint FW1 is in place and runs fine. The client wants to add a
> server that will do some antivirus scanning on HTTP. Checkpoint's CVP
> protocol does this, but is single threaded and basically will kill
> everything. We are looking into placing an ISA server, with the AntiVirus
> stuff, before the checkpoint FW. Since the users are already comfortable
> with using the FW1, here's my question:
> 
> Can I configure ISA to just allow all traffic through? All the FW rules
> will be handled by the Checkpoint FW. I also would like to have all the
> clients be SNAT, because I don't want to setup any software on the users'
> desktops.
> 
> Please let me know your thoughts.
> 
> Thanks
> RS
> 

