RE: ISA does NOT limit access by DMZ 'perimeter pcs' as expected when internal NIC is multihomed

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 25 Jan 2002 04:02:40 -0600

Hi Nigel,

Are you binding public and private addresses to the same NIC?? Hmmm. I think
that defeats the purpose of creating a DMZ, even if such a thing were
possible. For a trihomed ISA Server DMZ configuration, you have to have
the TRI part configured :-)

HTH
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Nigel Carroll [mailto:nigel@xxxxxxxxxxxxxxx] 
Sent: Friday, January 25, 2002 2:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA does NOT limit access by DMZ 'perimeter pcs' as
expected when internal NIC is multihomed

My testing (packet captures & vulnerability scans) suggests that ISA does
NOT limit access of a perimeter PC if you have multihomed ISA's internal
NIC with a private AND a public IP. 
In other words it appears that 'Perimeter PCs' (with public IPs) in a
'DMZ' behind ISA appear to be able to access the same SBS2K services
that PCs in the private subnet can. For example I have a packet capture
that shows a perimeter PC can read and write to the NNTP service yet I
haven't created ANY filters or rules allowing this! 
This could be very dangerous for people who, under the mistaken belief (as I
was), use this technique to set up a DMZ thinking ISA Server is
protected from their DMZ subnet when in fact all the services on it
(available to your private LAN) are ALSO available to the perimeter
network! 
Perhaps this DMZ/perimeter network config only works when you have 2
physically separate internal NICs instead of multihoming 1 with a
private and public subnet as I have done? 
Does anyone else have any comments, experiences or seen this behaviour?
- I'd be interested in your comments. 
Nigel
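As an added illustration (not code from the original thread or from ISAserver.org), the following Python script parses ipconfig-style output and flags any adapter that carries both an RFC 1918 address and a public address, which is the multihomed-internal-NIC layout the post describes. The interface listings are constructed samples, not captures from the poster's server; the adapter names and addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample (not from the post): an ISA Server whose "Internal"
# adapter carries both a private LAN address and a public DMZ address.
MULTIHOMED_SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.248

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 203.0.113.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
"""

# Constructed sample of the trihomed layout: the DMZ subnet sits on its own NIC.
TRIHOMED_SAMPLE = """\
Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter DMZ:
   IP Address. . . . . . . . . . . . : 203.0.113.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
"""

# Only RFC 1918 space counts as "private LAN" here. ipaddress.is_private would
# also treat documentation ranges such as 203.0.113.0/24 as private, which is
# not the distinction the post is making.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
ADDR_RE = re.compile(r"^\s*IP Address[ .]*:\s*(\S+)\s*$")
MASK_RE = re.compile(r"^\s*Subnet Mask[ .]*:\s*(\S+)\s*$")


def parse_ipconfig(text):
    """Return {adapter_name: [IPv4Interface, ...]} from ipconfig-style text."""
    adapters = {}
    current = None
    pending_ip = None  # an "IP Address" line waiting for its "Subnet Mask" line
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = []
            pending_ip = None
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            pending_ip = m.group(1)
            continue
        m = MASK_RE.match(line)
        if m and pending_ip is not None:
            adapters[current].append(ipaddress.ip_interface(f"{pending_ip}/{m.group(1)}"))
            pending_ip = None
    return adapters


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def mixed_scope_adapters(adapters):
    """Adapters carrying both RFC 1918 and non-RFC 1918 addresses, with their networks."""
    flagged = {}
    for name, ifaces in adapters.items():
        private = [str(i.network) for i in ifaces if is_rfc1918(i.ip)]
        public = [str(i.network) for i in ifaces if not is_rfc1918(i.ip)]
        if private and public:
            flagged[name] = {"private": private, "public": public}
    return flagged


def check(text):
    return mixed_scope_adapters(parse_ipconfig(text))


if __name__ == "__main__":
    for label, sample in (("multihomed", MULTIHOMED_SAMPLE), ("trihomed", TRIHOMED_SAMPLE)):
        hits = check(sample)
        if not hits:
            print(f"{label}: no adapter mixes private and public subnets")
        for name, scopes in hits.items():
            print(f"{label}: adapter '{name}' carries private {scopes['private']} "
                  f"and public {scopes['public']}; the DMZ subnet shares the internal NIC")
```

Run it against real `ipconfig` output piped into `check()`; an adapter reported with both scopes is the layout Nigel tested, where the "perimeter" subnet is not on a separate interface from the private LAN.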



