RE: Staging Web Server

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 25 Mar 2002 23:35:03 -0600

Hi Joseph,

Hey, there's no such thing as perfect security :-) It's always a balance
between convenience and security, and it's mutually exclusive.

Places I've worked with (that require utmost security), have a
management network, that's separate from the internal network. So, if
you want to set up a staging server, you put it in the management
network. You're sort of doing that with your setup, but you need to
unplug the staging server from the internal network and plug the
interface into the management network. Then you connect your dev
machines to the management network, AD LIB.  Of course, an easier way to
do this would be through VPN :-)

HTH,
Tom

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Monday, March 25, 2002 5:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Staging Web Server

http://www.ISAserver.org


Hi Tom,

How do the big boys do it?  I mean MS has a heck of a lot of content.  
At least when I was with them we had staging servers that we posted our
content before it went live.
I think I might need to add an inexpensive internal router or something.
I wonder if that is a good idea. I just need a fast way to get content
posted and not compromise security.  I bet there are lots of people out
there wondering the same thing. And would make a chapter to a never
ending book!

Thanks for the help.

Joseph


-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 25, 2002 3:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Staging Web Server


Hi Joseph,

So, if the Web server on the DMZ is compromised (it's supposed to be,
it's a bastion host!), then they could access the staging server. If
they compromise the staging server, then they have direct access to the
internal network. Right?

Thanks!

Tom

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: Monday, March 25, 2002 5:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Staging Web Server


Hi Tom,

EXTERNAL ISA 2 NIC cards

WEB Server 1 NIC card (would like 2)

INTERNAL ISA 2 NIC cards

STAGING Server will have 2 NIC cards with only one going to the
Web Server located in the DMZ.

Does this extra info help?

Thank you,

Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 25, 2002 3:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Staging Web Server


Hi Joseph,

I looked at the graphic you sent about your dual homed staging Web
server. It looks like it's got an interface on the DMZ and another
interface on the internal network. Is that right? Or, do you have two
interfaces on the "internal" ISA Server, both of them on the DMZ
network? 

If it's the former, I think that's not a top security config, because
even if IP routing isn't enabled on the staging server, someone with
control of the staging server will still have direct access to your
internal network.

HTH,
Tom
www.isaserver.org/shinder
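
Added example, not part of the original thread: a worst-case reachability check for the dual-homed staging server discussed above, comparing the layout Joseph describes with the management-network variant. Host and segment names are constructed, and the model assumes any non-firewall host on an exposed segment can be compromised in turn and that dev machines attach only to the management network.

```python
from collections import deque

def exposed_segments(hosts, start, trusted=()):
    """Return the segments an intruder can touch after compromising `start`.

    hosts maps host name -> set of segments it has an interface on.
    A compromised host exposes every segment it is attached to, whether or
    not IP routing is enabled; hosts on an exposed segment are the next
    targets. `trusted` hosts (the ISA firewalls here) are assumed to hold.
    """
    seen_hosts, segments = {start}, set()
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for seg in hosts[host]:
            segments.add(seg)
            for other, segs in hosts.items():
                if seg in segs and other not in seen_hosts and other not in trusted:
                    seen_hosts.add(other)
                    queue.append(other)
    return segments

FIREWALLS = ("external_isa", "internal_isa")

# Constructed layout following the thread: staging is dual homed, DMZ + internal.
AS_DESCRIBED = {
    "external_isa": {"internet", "dmz"},
    "web": {"dmz"},
    "internal_isa": {"dmz", "internal"},
    "staging": {"dmz", "internal"},
    "dev": {"internal"},
}

# Staging's second interface moved to a separate management network,
# with the dev machine attached there only (assumption).
WITH_MGMT = dict(AS_DESCRIBED, staging={"dmz", "management"}, dev={"management"})

def internal_exposed(hosts):
    """True if a compromised DMZ web server leads to the internal network."""
    return "internal" in exposed_segments(hosts, "web", FIREWALLS)

if __name__ == "__main__":
    for name, layout in (("as described", AS_DESCRIBED), ("management net", WITH_MGMT)):
        print(name, sorted(exposed_segments(layout, "web", FIREWALLS)))
```

In this model, a dev machine left attached to both the management and internal networks puts the internal network back in the result.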


 
