RE: SQLSERVE.EXE MSDE instance for ISA 2k4

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 12 Dec 2004 02:07:13 +0800

Jim, 

Thanks a lot for your advice.

1) "Does it mean no SQL server available at
ISA2K4 server end in terms of security concern"
reflects my wondering "no installation of SQL
at ISA2K4 server".

2) Sorry, I am not familiar with SQL server.
First, I want to know: if I upgrade the instance,
is ISA2004 surely managed by SQL2000 or not, with
no limitation on storage & concurrent connections?

3) I duly note that the mechanism of MSDE bundled with ISA2004
is through memory-mapped networking, with no port listening at all.
However, after installation of SQL2000 server, does it help
to prevent vulnerabilities by blocking port access (1433)
with an ISA access rule? In other words, what happens if SQL listens
on 1433 on all NIC interfaces and ISA2K4 blocks 1433 port connections?

4) The reason why I want to put SQL & ISA into one box is because
there is not enough budget to have two servers merely for firewall
usage, agree?

With regards,

Roy Tsao
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Sunday, December 12, 2004 1:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Yes.
Really.

I'm not quite clear on this statement, though: "Does it mean no SQL
server available at ISA2K4 server end in terms of security concern"?

SBS2003 doesn't have ISA (yet) and when it does ship, co-location and
security concerns will be addressed by whole teams of folks that do
this for a living.

If you mean "is there a security concern with MSDE on ISA?", the
answer is "no".  The MSDE instance on ISA is not even listening to
the network.
All MSDE logging is done via memory-mapped networking, not physical
or logical devices.
With the default MSDE instance, unless the ISA itself is compromised,
you simply "can't get there from here".
You can't say the same for SQL, which listens on all available
adapters by default.

Combine this with the prevalence of "allow all because I'm too damn
lazy to understand my traffic profile" rules and you have the makings
of a Slammer-like virus victim.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
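
Added example, not part of the original thread: a check for the difference Jim describes, namely whether a SQL instance on the firewall box is bound to the network at all. It parses `netstat -ano` output; the sample output, the PIDs and the function names are constructed for illustration, and UDP 1434 is included because it is the SQL resolution port Slammer used.

```python
# Added example: classify SQL Server listeners found in `netstat -ano` output.
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}  # default instance, resolution service

def parse_listeners(text):
    """Yield (proto, addr, port, pid) for listening TCP and bound UDP sockets."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        if f[0] == "TCP" and (len(f) < 5 or f[3] != "LISTENING"):
            continue  # established connections are not listeners
        addr, _, port = f[1].rpartition(":")
        if port.isdigit() and f[-1].isdigit():
            yield f[0], addr.strip("[]"), int(port), int(f[-1])

def scope(addr):
    """Describe how widely a local bind address is reachable."""
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "single-address"

def audit_sql_exposure(text, sql_pids=()):
    """Return non-loopback listeners on SQL ports or owned by a given sqlservr PID.

    sql_pids is optional: pass the sqlservr.exe PIDs (e.g. from tasklist) to
    also catch a named instance listening on a non-default port.
    """
    findings = []
    for proto, addr, port, pid in parse_listeners(text):
        is_sql = (proto, port) in SQL_PORTS or pid in sql_pids
        if is_sql and scope(addr) != "loopback":
            findings.append((proto, addr, port, pid, scope(addr)))
    return findings

# Constructed sample: full SQL Server left on its defaults (PID 1820 is made up).
FULL_SQL = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.1:8080       0.0.0.0:0              LISTENING       1204
  TCP    10.0.0.5:1433          10.0.0.9:4012          ESTABLISHED     1820
  UDP    0.0.0.0:1434           *:*                                    1820
"""
# Constructed sample: no SQL network listener, as the thread describes for ISA's MSDE.
MSDE_ONLY = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:8080       0.0.0.0:0              LISTENING       1204
"""

if __name__ == "__main__":
    for finding in audit_sql_exposure(FULL_SQL):
        print(finding)
```

An empty result means nothing SQL-related is bound to the network; any "all-interfaces" finding means the firewall's access rules are the only thing standing between the listener and the wire.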
 
 

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 9:05 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

Oh... Really? Does it mean no SQL server available at
ISA2K4 server end in terms of security concern?
Then what about SBS 2003 plus ISA2K4?
I think I can put it into one basket if the port could be blocked at
the firewall side, like I block access to SQL Server from the WAN side.
Moreover, I did upgrade the instance of ISA2K4, and it works fine under
the full version of SQL2000. May I understand the log is still working
under MSDE I/O SQL2000?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, December 12, 2004 12:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

No.
Bad.
Unsupported.

DO
NOT
REPLACE
MSDE
WITH
SQL
ON
THE
ISA
SERVER
ITSELF

If you want to replace MSDE with SQL logging, then do it off-box.
The MSDE that's shipped with ISA is "tweaked" to be as secure as
possible.
If you replace it, you open your ISA to potential SQL
vulnerabilities.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 6:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

Sorry, the mail sent directly from my OE to the discussion list always
changes mal-coding.

To the question of the MSDE instance, my idea/suggestion for best
performance is:
  a) install ISA2K4 bundled with MSDE
  b) upgrade SQL instance "server/msfw" into full version
     of SQL 2000 through SQL2000 server installation
  c) use the same instance for Surfcontrol

Both ISA2K4 and Surfcontrol are now being managed under SQL2000
server I/O MSDE.

Any comment?

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 10:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

Who here can read Roy Tsao's posts? All I see is gibberish characters
in his messages. Can someone translate it??

Regards,
Andrew


-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 12:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

In cases like this, isn't it better to just run a dedicated instance
of SQL Server (if you got it) which resides on a separate box, OR
have a single instance of MSDE host both Databases?

If I remember correctly, MSDE is just a crippled version of SQL
Server 7.0 - in which concurrent connections are just limited.
Otherwise, it's pretty much the same animal.

In fact, since I have a dedicated super fast SQL Server on my
network, I was hoping to uninstall MSDE on the ISA Box, and redirect
all the Database activity to my SQL Server.  Can this be done -
anybody do this yet?

I don't mean to steal the fire away from your original post, but I
think this sort of parallels what I suggest doing, which goes back to
the question: "why have two instances of MSDE running?".  Use the one
that is working better (the one with less memory consumption), and
host the database on that instance.

I am just throwing out ideas here...

Mike 

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
Sent: Friday, December 10, 2004 5:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] SQLSERVE.EXE MSDE instance for ISA 2k4

Anyone notice the MSDE instance for ISA 2k4 memory increase to over
1gb mem usage?  We host two instances of MSDE on the ISA2k4 machine,
one for Surf Control and the other for ISA2K4.  Surf Control instance
is stable, while the ISA 2k4 instance hogs a lot of memory.  Current
mem usage = 786,004k.  Wait, wait -- 786,012k , 786,528k and growing.


MSDE versions:          SurfControl = 8.00.761
                        ISA2k4      = 8.00.818

Server has 3gb memory
ISA2K4 version = trial

TIA

Have fun!

greg

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: mike@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
