RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

  • From: "Quillman Shawn (RBNA/CSA1) *" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 29 Jul 2004 14:05:15 -0500

Whose definition of "secure" are you going to use in your determination
(for any installation)?  Each company / individual / entity must define
for themselves what "secure" means.  My definition includes attack
surface as one aspect of secure.  Granted, it is obviously a key
component of the definition because there are so many underlying
components dependent on it.  But what is it that we're ultimately
securing?  We are preventing attacks against our data.  All attack
surface calculations I've seen are computing against compromisable flaws
in a product.  Do you have a calculation that quantifies flaws in the
overall policy?

What about someone who's not trying to compromise a flaw, but still
compromising your data by using the system as it was designed?  Is that
a security breach?  I believe it is, personally.  Back to my disgruntled
emailer example.  Your SMTP gateway (that everyone in the company can
use with certain size limitations, etc) has just been compromised by
someone using it exactly as it was designed.  The flaw is then in your
policy.  Your data is not secure.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P) (248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, July 29, 2004 2:08 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer

http://www.ISAserver.org

Hi Shawn,

It's an interesting discussion, because if one could posit that an
ISA/SBS installation is secure, then what of the discussion and theories
regarding "attack surface"? 

http://www.microsoft.com/windowsserver2003/techinfo/overview/advsec.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/iisdg_sec_ntwp.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure02132003.asp

http://reports-archive.adm.cs.cmu.edu/anon/2003/CMU-CS-03-169.pdf

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Thursday, July 29, 2004 12:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org


I, too, run SBS on the perimeter.  I will phrase it differently
following Troy's thought process.  I have never noticed a breach.  I am
fairly confident that there's never been a breach since I have never
seen any subsequent consequences I would expect with the nature of the
businesses.  SBS isn't necessarily less "secure"; it just makes it more
difficult to implement your security policy.

However, it comes down to more than who is securing it and who has
access to it.  These are critical aspects to security, to be sure, and
there are other technical things such as the platform.  But don't forget
about softer issues such as "does anyone really care to hack you?".  In
other words, do you have anything worth hacking into?  Has your
organization recently pissed someone (internal/external) off?  Have you
as an admin recently pissed someone (internal/external) off?  Also don't
forget the high percentage of security breaches that come from within.
Do you monitor outgoing mail enough to know for certain that someone
isn't zipping company data up and emailing it to their home accounts or
someone else's accounts?  Is it worth it too? Etc, etc.

"Secure" is a relative term, there is no absolute definition.  It's a
function of your $$ and your attitude.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P) (248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx
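Shawn's question above about monitoring outgoing mail, and the SMTP-gateway example in his later reply, describe the case where a gateway enforces a per-message size limit yet is used exactly as designed to mail company data out. The following Python script is an added example, not code from this thread or from any product named in it. It runs three checks over a constructed, pipe-separated gateway log (the log format, the domain names and the thresholds are all assumptions): a per-message oversize check, a check for archive attachments leaving for external domains, and a per-sender daily outbound volume check, which is the one that catches a run of individually compliant messages.

```python
"""Flag outbound mail matching the "zip it up and mail it home" pattern.

Constructed log format (an assumption, not any real gateway's format),
one line per accepted message:
    <ISO timestamp>|<sender>|<recipient>|<size_bytes>|<comma-separated attachment names>
"""
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAINS = {"example-corp.test"}  # assumption: the company's own mail domains
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz")
SINGLE_MSG_LIMIT = 5 * 1024 * 1024        # assumed per-message policy limit (5 MiB)
DAILY_SENDER_LIMIT = 20 * 1024 * 1024     # assumed per-sender outbound budget per day (20 MiB)

# Constructed sample log: mallory sends five archives that each fit under the
# per-message limit, so the gateway's own policy never rejects one of them.
SAMPLE_LOG = """\
2004-07-29T09:12:03|alice@example-corp.test|bob@example-corp.test|1048576|q3-report.pdf
2004-07-29T09:40:17|alice@example-corp.test|partner@vendor.test|2097152|contract.docx
2004-07-29T17:58:41|mallory@example-corp.test|mallory.home@webmail.test|4718592|customers-1.zip
2004-07-29T18:02:09|mallory@example-corp.test|mallory.home@webmail.test|4718592|customers-2.zip
2004-07-29T18:05:55|mallory@example-corp.test|mallory.home@webmail.test|4718592|customers-3.zip
2004-07-29T18:09:30|mallory@example-corp.test|mallory.home@webmail.test|4718592|customers-4.zip
2004-07-29T18:13:12|mallory@example-corp.test|mallory.home@webmail.test|4718592|customers-5.zip
2004-07-29T12:00:00|carol@example-corp.test|carol@homeisp.test|204800|recipe.txt
"""


def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sender, rcpt, size, attachments = line.split("|", 4)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "rcpt": rcpt.lower(),
            "size": int(size),
            "attachments": [a for a in attachments.split(",") if a],
        })
    return records


def is_outbound(rec):
    """True when an internal sender mails a recipient outside the company."""
    return (domain(rec["sender"]) in INTERNAL_DOMAINS
            and domain(rec["rcpt"]) not in INTERNAL_DOMAINS)


def find_exfil_indicators(records):
    """Return a list of findings; each is {"kind", "sender", "detail"}."""
    findings = []
    per_sender_day = defaultdict(int)
    for rec in records:
        if not is_outbound(rec):
            continue
        # Check 1: a single message over the gateway's policy limit.
        if rec["size"] > SINGLE_MSG_LIMIT:
            findings.append({"kind": "oversize_message", "sender": rec["sender"],
                             "detail": f"{rec['size']} bytes to {rec['rcpt']}"})
        # Check 2: archive attachments leaving the company.
        archives = [a for a in rec["attachments"] if a.lower().endswith(ARCHIVE_EXTS)]
        if archives:
            findings.append({"kind": "archive_to_external", "sender": rec["sender"],
                             "detail": f"{', '.join(archives)} to {rec['rcpt']}"})
        # Accumulate outbound bytes per sender per calendar day for check 3.
        per_sender_day[(rec["sender"], rec["ts"].date())] += rec["size"]
    # Check 3: aggregate volume, which per-message limits cannot see.
    for (sender, day), total in sorted(per_sender_day.items()):
        if total > DAILY_SENDER_LIMIT:
            findings.append({"kind": "daily_volume", "sender": sender,
                             "detail": f"{total} bytes outbound on {day}"})
    return findings


if __name__ == "__main__":
    for f in find_exfil_indicators(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:20} {f['sender']:28} {f['detail']}")
```

In the sample, no message trips the per-message limit, so a gateway that only enforces that limit sees nothing wrong; the archive and daily-volume checks are what surface the pattern, which is the policy gap the posts describe.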

-----Original Message-----
From: Paul Nuernberger [mailto:pen@xxxxxxxxx] 
Sent: Thursday, July 29, 2004 1:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer

http://www.ISAserver.org

While I agree in principle with you - getting small companies to spend
the extra cash is (usually) not possible.

I have multiple SBS2k & SBS2k3 installs sitting right on the net - not
one has ever been compromised (and believe me there have been and
continue to be endless attempts).  
Granted, I am the ONLY one who has access to the units, and nothing
extra gets installed except Symantec A/V & GFI DS & ME.

It comes down to who is securing it, and who has access to it.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, July 29, 2004 11:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer

http://www.ISAserver.org

Hey guys,

I'll jump in here. I'd *never* put an ISA SBS box on the Internet edge
of the network.

ISA firewalls just won't get the respect they deserve if you put the
kitchen sink on them. I'll fight this one tirelessly (or at least
passively :-) until the SBS team unbundles a single OS lic to place the
ISA firewall software on a white box in front of the family jewels. 

Just because something can be done, doesn't mean it should be done. I
can make an Exchange/SQL/ISA/Kazaa/Morpheus/Doom server work, but it
shouldn't be done. And even when you do it, there are other issues. It's
just not worth it. You'll be able to get a fully loaded ISA 2004
firewall appliance for less than 2500US in a couple of months. Over 5
years, that's just 500/year or about $1.39 a day. 

IMHO,
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, July 29, 2004 10:27 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org

Well articulated James, I have a client who has been running sbs 2000
with isa installed and has never in all these years had a security
breach tho' many have tried.

There is no problem with a loaded sbs server, 2000 or 2003...as long as
it's done right.

Steve 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, July 27, 2004 3:44 PM
To: Isa Weblist
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer

http://www.ISAserver.org

Unscrew the top of your head and let some light in.
It's exactly this sort of self-serving, elitist rhetoric that causes
folks to feel like they "just can't do it".

There isn't and never will be "just one right way" to do something.
There are external factors that are not always controllable.

Security is and will always be a balancing act between requirements,
money and hardware resources.
"Fast, Secure or cheap; choose two" is one of my favorite quotes.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, July 27, 2004 06:31
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org

Which is why you'll never see anyone in their right mind running SBS who
expects the same level of protection from a dedicated system.

I forwarded that e-mail from Tom to the guys at work, and the first
thing they did is say: Look at ISA! It's a piece of junk since you've
gotta do a work around just to make stuff even work on the box!  You
never have that problem with a PIX!

If your boss won't look at the cost justification of buying a low end
desktop to run a service, all I have to say to any financial institution
is how much is the cost of an FDIC audit in terms of your labor?
Pulling 50% of the IT staff into meetings with the FBI/FDIC/Secret
Service (yes, the secret service is involved in these types of audits)
for 2 months along with hiring a small army of people to produce all
your audit trails for the past
7 years is by FAR more expensive than any server that I can think of....

What I was getting at in my first e-mail is that since you can't even
install services on a PIX, you'd need to purchase or use another server
anyways, which is why you should leave things off of an ISA box and just
not even open yourself up to a service exploit.....

Troy

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, July 27, 2004 12:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org

"Hardware"; thpthpthpthpthp
Please drop this blatant BS; until it's implemented in the ASICs, it
ain't "hardware".
Facts:
    - Installing service on any machine is only as functional or secure
as the person deploying / securing it.
    - There are folks with more motivation than $$
    - These same folks need an answer, not attitude.
    - placing services on the firewall is not for the faint of heart;
this is why the SBS folks spend years perfecting the compromise.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG  http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 26, 2004 09:10
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org

Installing services on your ISA box is like hiring a blind, deaf body
guard and expecting him to walk you to the other side of the street.....
Only bad things can happen.....

Suggestion: The service you've installed can't be mission critical,
otherwise you'd have a dedicated server..... BYOS (build your own
@#(*$&)@(#*ing server) or put it on a cheap POJ (Piece of Junk) box....

Besides, I'd love to see someone try and install a service on a PIX box
anyways...... so the hardware firewall people can't even bring this up
as a 'flaw'...... even though i am a fan of hardware at the entrance for
bulk processing of incoming/outgoing traffic......

-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Monday, July 26, 2004 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org

They left out the most obvious solution, and the one which is usually
the most correct...  Move the service to something besides your
firewall.




Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, July 26, 2004 7:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] 838376 - Cannot connect to a published service from
the external network when the published service is running directly on
the ISA Server 2004 computer


http://www.ISAserver.org


Very interesting KB article and an issue that I'm sure will generate a
lot of heat in the coming months.

838376 - Cannot connect to a published service from the external network
when the published service is running directly on the ISA Server 2004
computer: http://support.microsoft.com/default.aspx?scid=kb;en-us;838376
<http://support.microsoft.com/default.aspx?scid=kb;en-us;838376>

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist














