Hello Jim - Let me see if I understand you. Are you saying that I need to create IP packet filters inside of RRAS to block services between my DMZ (192.168.10.0/24) segment and my private (172.19.4.0/22) segment? Do I create these filters using RRAS, or can I create filters under Access Policies and IP Packet Filters in ISA?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 11:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA

http://www.ISAserver.org

As Tom pointed out, you have to enlist the aid of RRAS IP filtering or IPSec filtering between the two LAT segments if you want to restrict access to/from the DMZ to the remainder of the LAT. ISA does not provide access controls within the LAT.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Glenn Maks" <gmaks@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 03, 2003 08:45
Subject: [isalist] Re: securing Interfaces on ISA

http://www.ISAserver.org

For me to change my DMZ IP addresses would be a HUGE task, one that I am not willing to do; it will impact too many things. You speak about using RRAS packet filters? Could I not create packet filters inside ISA Management? Or are you suggesting that I need to create packet filters using RRAS services?

It is worth noting that I am also using RRAS to connect all my branch offices using L2TP with certificates, and I can tell you this: RRAS is NOT that stable. I am constantly monitoring all my connection states because RRAS seems to have a mind of its own; if it feels like connecting it will, if not, forget about it. I have all the right static routes that define all my other branch office subnets, and sometimes when I go to diagnose connection issues using pathping, tracert or any other utility like that, RRAS seems to want to route packets out the Internet interface rather than the correct tunnel endpoint. It makes no sense. I am ready to pull the plug on RRAS and go with a Nortel VPN solution, but the problem is my company is cheap and they will not spend the money to put a more reliable and stable VPN solution in, so I am stuck with RRAS. I am not too happy.

I at one time also liked ISA, until I started working more in depth with it. I am NOT ready to rip ISA out as my security platform yet, but it seems to me that the simplest of security features that are found in other firewalls, ISA simply won't support unless you reconfigure your entire IP scheme. My old Raptor firewall, for as old as it is, does not care if I am running a reserved IP address range for my DMZ; I was still able to secure each and every interface and allow services to pass from one interface to another just by creating access policies. This seems very difficult with ISA; in fact, ISA allows it, and had I not tested service requests from my DMZ to my private interface I would have assumed I was safe. And why can't I allow or deny using protocol rules? It seems I have to create and use all packet filters now. Protocol rules only address client sets, and the content filtering only supports HTTP. Suppose I have other services like database services I want to control between my DMZ and private network. Is this the only solution? Packet filters? It seems so.
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 11:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA

http://www.ISAserver.org

Hi Glenn,

You must use a subnet of your public block for the DMZ, unless you want to create a LAT-based DMZ using RRAS packet filters and/or IPSec policy.

HTH,
Tom

Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Wednesday, December 03, 2003 10:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA
Importance: High

http://www.ISAserver.org

Sure Jim, here is a better explanation. My ISA Server has 3 interfaces: the public interface is 64.80.200.0/24, my DMZ subnet is 192.168.10.0/24 and my private segment is 172.19.4.0/22. I have both my private and DMZ address ranges defined in my LAT; this, I understand, allows ISA to view these interfaces as internal interfaces. I have several services published on different servers on my DMZ for Internet customers, services like FTP and HTTP. When I publish these services to the Internet everything works well, except I noticed that I can open Microsoft IE from any server on the DMZ, plug in a known 172.19.4.0 IP address that I know is running IIS, and I get IIS responses. I can also log in to my DMZ FTP server from my 172.19.4.0/22 network, and I have NOT created any access policies to allow this to happen. I should be able to SECURE each and every interface and allow or deny any service that I wish. Just because I publish services on my DMZ for Internet clients does not mean that I wish my private network to have access to these same services; besides, if HTTP and FTP span the DMZ and private network, that to me is a security risk, unless of course I allow it? Any suggestions? I was told to REMOVE the DMZ definition from the LAT and replace all my publishing RULES with PACKET FILTERS. I also have my SOA DNS server published on my DMZ as well, so that would mean I would need to replace that publishing rule as well. I attempted this last night and my DNS server stopped working, so I restored my ISA configuration and now I am back to square one.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: gmaks@xxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
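The RRAS IP filters Jim and Tom point to, worked out for the two LAT segments in this thread as an added example that is not from any of the posters. It assumes the ISA box runs RRAS with its DMZ and private NICs named "DMZ" and "Private" in RRAS, that the netsh "routing ip" context of Windows 2000/2003 is available, and that port 0 acts as a wildcard the way a blank port does in the RRAS console.

```batch
@echo off
:: Added example, not from the thread. Interface names "DMZ" and "Private" are
:: assumed; check the real ones with: netsh routing ip show interface

:: Input filters on the DMZ NIC. action=forward means "receive all packets
:: except those that meet the criteria below", so published services and
:: DMZ-to-Internet traffic keep working; only DMZ -> private LAN is dropped.
netsh routing ip set filter name="DMZ" filtertype=input action=forward
netsh routing ip add filter name="DMZ" filtertype=input srcaddr=192.168.10.0 srcmask=255.255.255.0 dstaddr=172.19.4.0 dstmask=255.255.252.0 proto=tcp srcport=0 dstport=0
netsh routing ip add filter name="DMZ" filtertype=input srcaddr=192.168.10.0 srcmask=255.255.255.0 dstaddr=172.19.4.0 dstmask=255.255.252.0 proto=udp srcport=0 dstport=0

:: Same on the private NIC: private hosts can no longer reach the DMZ FTP/HTTP
:: servers directly, while their Internet traffic through ISA is untouched.
netsh routing ip set filter name="Private" filtertype=input action=forward
netsh routing ip add filter name="Private" filtertype=input srcaddr=172.19.4.0 srcmask=255.255.252.0 dstaddr=192.168.10.0 dstmask=255.255.255.0 proto=tcp srcport=0 dstport=0
netsh routing ip add filter name="Private" filtertype=input srcaddr=172.19.4.0 srcmask=255.255.252.0 dstaddr=192.168.10.0 dstmask=255.255.255.0 proto=udp srcport=0 dstport=0

:: Check: list what RRAS now holds, then repeat the browser test from a DMZ
:: host against the 172.19.4.x IIS server; the request should time out.
netsh routing ip show filter name="DMZ"
netsh routing ip show filter name="Private"
```

Because filters in this mode can only drop, permitting one service between the segments (say, private-to-DMZ HTTP) means narrowing the drop entries to the other ports rather than adding an allow exception.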