Duh, what dood you mead? You taying me pud SUS in DMZ and pudish it from ISA?

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, January 16, 2004 7:27 AM
Subject: [isalist] Re: ISA Server detected a spoof attack

> http://www.ISAserver.org
>
> As my dear departed Mama used to say, "better a smartass than a dumbass..."
>
> Regarding your SUS deployment, my question is "why?"
> If a DMZ host needs to get to it, web-publish it to the DMZ.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
> ----- Original Message -----
> From: "cismic" <cismic@xxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, January 15, 2004 10:40
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
>
> http://www.ISAserver.org
>
> Hi Jim,
> Nope, My mother only raised thoroughbreds! lol
>
> Any way, hey I've finally got well at least most of my new machines in
> place. I've been replacing old boxes with new ones and of course that means
> installing software all over again.
>
> I run a back to back setup and am wondering if it is a good idea to place
> the SUS machine in the DMZ.
>
> Thank you,
>
> Joseph
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 1:58 PM
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
>
> > http://www.ISAserver.org
> >
> > Smartass...
> > ;-)
> >
> > I have that little toy. I even had one for my old PalmIII until it finally died and forced me to buy a Toshiba e750.
> > Of course, there's a difference between having and using.
> > It was one of those times when you look and say "I know what that is" and get proven painfully wrong.
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://www.microsoft.com/isaserver
> > http://isaserver.org/Jim_Harrison
> > http://isatools.org
> >
> > Read the help, books and articles!
> > ----- Original Message -----
> > From: "cismic" <cismic@xxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 14, 2004 13:21
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> > http://www.ISAserver.org
> >
> > Hi Jim,
> >
> > Solar winds has a free subnet calculator.
> > http://www.purenetworking.net/Products/SolarWinds/SolarWindsSE.htm
> >
> > Joseph
> > ----- Original Message -----
> > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 14, 2004 1:14 PM
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> > > http://www.ISAserver.org
> > >
> > > Don't feel bad; I had to eat a basic subnet miscalculation not too long ago...
> > >
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://www.microsoft.com/isaserver
> > > http://isaserver.org/Jim_Harrison
> > > http://isatools.org
> > >
> > > Read the help, books and articles!
> > > ----- Original Message -----
> > > From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Wednesday, January 14, 2004 13:02
> > > Subject: [isalist] Re: ISA Server detected a spoof attack
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > Yep, you're right. I transposed DNS and Default Gateway when I looked at them.
> > >
> > > Best Regards,
> > >
> > > Dan Bartley
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Sent: Wednesday, January 14, 2004 15:45
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: ISA Server detected a spoof attack
> > >
> > > http://www.ISAserver.org
> > >
> > > Actually, that's not the case.
> > >
> > > internal = 172.16.10/24
> > > external = 172.16.2/24
> > > Cisco = 172.16.10.168
> > >
> > > The log data states that the packet was sent from the Cisco to the ISA
> > > "external" NIC.
> > > 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED,172.16.2.9
> > >
> > > According to the IP assignments, the Cisco is "internal", but the packet
> > > was received on the ISA external interface according to the
> > > log entry. That's why I suggested a misplaced cable or broken VLAN.
> > >
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://www.microsoft.com/isaserver
> > > http://isaserver.org/Jim_Harrison
> > > http://isatools.org
> > >
> > > Read the help, books and articles!
> > > ----- Original Message -----
> > > From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Wednesday, January 14, 2004 12:20
> > > Subject: [isalist] Re: ISA Server detected a spoof attack
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > Not necessarily. Is the Cisco on the same private subnet as the external
> > > NIC of ISA, and is that different from the private subnet being used by
> > > the internal ISA NIC?
> > >
> > > Could be set up as a second level defense behind the Cisco and a
> > > firewall. That would allow for a private IP on the external NIC.
> > >
> > > What I see below from his ipconfig/all seems to indicate that is the
> > > case.
> > >
> > > Best Regards,
> > >
> > > Dan Bartley
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Sent: Wednesday, January 14, 2004 15:16
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: ISA Server detected a spoof attack
> > >
> > > http://www.ISAserver.org
> > >
> > > The fact that ISA is receiving traffic from an internal IP on the
> > > external NIC seems to hint that you have a cable misplaced or a
> > > VLAN is broken.
> > >
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://www.microsoft.com/isaserver
> > > http://isaserver.org/Jim_Harrison
> > > http://isatools.org
> > >
> > > Read the help, books and articles!
> > > ----- Original Message -----
> > > From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Wednesday, January 14, 2004 11:53
> > > Subject: [isalist] Re: ISA Server detected a spoof attack
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > ISA's internal is on the .10 subnet just like the cisco box. ISA's
> > > external is on the .2 subnet. The external (2.9) is on a
> > > separate vlan, so it's virtually external.
> > > "Ethernet adapter Intranet:
> > >    Connection-specific DNS Suffix . :
> > >    Description . . . . . . . . . . . : HPNC7781 Gigabit Server Adapter
> > >    Physical Address. . . . . . . . . : 00-0B-CD-82-2A-45
> > >    DHCP Enabled. . . . . . . . . . . : No
> > >    IP Address. . . . . . . . . . . . : 172.16.10.110
> > >    Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > >    Default Gateway . . . . . . . . . :
> > >    DNS Servers . . . . . . . . . . . : 172.16.10.41
> > >                                        172.18.52.41
> > >    Primary WINS Server . . . . . . . : 172.16.10.41
> > >    Secondary WINS Server . . . . . . : 172.16.11.41
> > >
> > > Ethernet adapter Extranet:
> > >    Connection-specific DNS Suffix . :
> > >    Description . . . . . . . . . . . : HPNC7781 Gigabit Server Adapter2
> > >    Physical Address. . . . . . . . . : 00-0B-CD-82-2A-6A
> > >    DHCP Enabled. . . . . . . . . . . : No
> > >    IP Address. . . . . . . . . . . . : 172.16.2.9
> > >    Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > >    Default Gateway . . . . . . . . . : 172.16.2.20
> > >    DNS Servers . . . . . . . . . . . :
> > >    NetBIOS over Tcpip. . . . . . . . : Disabled"
> > >
> > >
> > > _______________________________________________
> > > Eric Poole
> > > IS Security Analyst
> > > Community Medical Centers
> > > 1140 "T" Street, Fresno, California 93721
> > > 559-459-6784 (phone) 559-459-2045 (fax)
> > >
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Sent: Wednesday, January 14, 2004 11:33 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: ISA Server detected a spoof attack
> > >
> > > http://www.ISAserver.org
> > >
> > > What does the ISA "ipconfig/all" produce?
> > > It sounds like ISA doesn't really agree with you about what's internal.
> > >
> > >
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://www.microsoft.com/isaserver
> > > http://isaserver.org/Jim_Harrison
> > > http://isatools.org
> > >
> > > Read the help, books and articles!
> > > ----- Original Message -----
> > > From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Wednesday, January 14, 2004 10:32
> > > Subject: [isalist] ISA Server detected a spoof attack
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > I'm getting these about every half hour from our internal Cisco Works
> > > box (172.16.10.168). The 2.9 address is the ISA external NIC
> > > that is routed through our PIX. Any ideas?
> > >
> > > "ISA Server detected a spoof attack from Internet Protocol (IP) address
> > > 172.16.10.168. A spoof attack occurs when an IP address that
> > > is not reachable via the interface on which the packet was received. If
> > > logging for dropped packets is set, you can view details in
> > > the packet filter log."
> > >
> > > Here's a sample from the packet filter log.
> > >
> > > "1/13/2004, 20:43:17, 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED,
> > > 172.16.2.9, 45 00 00 3c 20 74 00 00 7f 01 b6 7b ac 10 0a a8
> > > ac 10 02 09, 08 00 a1 b6 04 00 77 6e ad ad ad ad ad ad ad ad ad ..."
> > >
> > > _______________________________________________
> > > Eric Poole
> > > IS Security Analyst
> > > Community Medical Centers
> > > 1140 "T" Street, Fresno, California 93721
> > > 559-459-6784 (phone) 559-459-2045 (fax)
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
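
Added example, not part of the original thread: the reachability check that the ISA alert describes, run over the packet filter log sample and the adapter addresses quoted above. The function names are hypothetical, and the log field positions (tenth field is the receiving interface address, eleventh is the raw IP header) are an assumption based on how the entry is read in the thread.

```python
import ipaddress

# Adapter addresses and masks from the "ipconfig /all" output quoted in the thread.
INTERFACES = {
    "Intranet": ipaddress.ip_interface("172.16.10.110/255.255.255.0"),
    "Extranet": ipaddress.ip_interface("172.16.2.9/255.255.255.0"),
}
# Only the Extranet adapter has a default gateway (172.16.2.20), so sources
# outside both connected subnets are expected to arrive there.
DEFAULT_ROUTE_IF = "Extranet"

# Log sample from the thread; the payload is cut off in the post and is kept short here.
SAMPLE_LOG = (
    "1/13/2004, 20:43:17, 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED, "
    "172.16.2.9, 45 00 00 3c 20 74 00 00 7f 01 b6 7b ac 10 0a a8 ac 10 02 09, "
    "08 00 a1 b6 04 00 77 6e"
)


def parse_ipv4_header(hex_bytes):
    """Decode the fields needed for the check from a hex-dumped IPv4 header."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated IPv4 header")
    # One's-complement sum over the header; a valid header sums to 0xFFFF.
    total = sum(int.from_bytes(raw[i:i + 2], "big") for i in range(0, ihl, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return {
        "ttl": raw[8],
        "protocol": raw[9],
        "checksum_ok": total == 0xFFFF,
        "src": ipaddress.ip_address(raw[12:16]),
        "dst": ipaddress.ip_address(raw[16:20]),
    }


def expected_interface(src):
    """Interface through which src is reachable according to the adapter config."""
    for name, iface in INTERFACES.items():
        if src in iface.network:
            return name
    return DEFAULT_ROUTE_IF


def check_log_line(line):
    """Compare the receiving interface in a log line with the expected one."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 11:
        raise ValueError("unexpected field count")
    src, dst, action, rx_ip = fields[2], fields[3], fields[8], fields[9]
    hdr = parse_ipv4_header(fields[10])
    rx_if = next((n for n, i in INTERFACES.items() if str(i.ip) == rx_ip), None)
    want_if = expected_interface(hdr["src"])
    return {
        "header_matches_log": str(hdr["src"]) == src and str(hdr["dst"]) == dst,
        "checksum_ok": hdr["checksum_ok"],
        "ttl": hdr["ttl"],
        "action": action,
        "received_on": rx_if,
        "expected_on": want_if,
        "spoof": rx_if is not None and rx_if != want_if,
    }


if __name__ == "__main__":
    for key, value in check_log_line(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For the quoted entry the source decodes to 172.16.10.168, which belongs to the Intranet subnet, while the receiving address 172.16.2.9 is the Extranet adapter; that mismatch is the condition the alert reports.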