Re: DNS Subnet question with DMZ

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2001 09:03:14 -0700

That server would provide an open path to the LAT through the VPN
connection.
All deployment is based on risk assessment.  Only you can determine if the
dangers of a given setup are outweighed by the benefits.  Generally, only
those protocols that need to pass between DMZ and LAT should be allowed.
Allowing AD traffic to the DMZ is dangerous, regardless of how you allow it.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Jay" <jschwarzkopf@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 7:49 AM
Subject: [isalist] Re: DNS Subnet question with DMZ


http://www.ISAserver.org


Okay.

What about a server in the perimeter network of a back-to-back (using different
firewalls), with a VPN connection into the internal ISA firewall? Is that any more
of a security concern than published ports?


----- Original Message -----
  From: Jim Harrison
  To: [ISAserver.org Discussion List]
  Sent: Friday, August 10, 2001 10:27 AM
  Subject: [isalist] Re: DNS Subnet question with DMZ




  A DMZ provides isolation of your trusted network from your
"publicly-available" servers.  Some like to think of the DMZ as the
"sacrificial lamb", and to a degree it is.  The general idea is that if
someone wants to trash something, let it be in the DMZ.  By the same token,
if someone were to trash your DMZ server, they still don't have direct
access to the trusted LAN.

  Jim Harrison
  MCP(2K), A+, Network+, PCG

    ----- Original Message -----
    From: Jay
    To: [ISAserver.org Discussion List]
    Sent: Friday, August 10, 2001 7:18 AM
    Subject: [isalist] Re: DNS Subnet question with DMZ




    Is there a benefit of putting E2k (or any server) on DMZ, over just
publishing it from internal net?



      ----- Original Message -----
      From: Jim Harrison
      To: [ISAserver.org Discussion List]
      Sent: Friday, August 10, 2001 9:38 AM
      Subject: [isalist] Re: DNS Subnet question with DMZ




      Unfortunately, the best you can do for the DMZ server is a single IP
with the set you're given.
      Since the DMZ in a three-homed ISA is a subnet of the external
subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable
IPs; one for the ISA DMZ NIC and one left for a server.
      Is the Exchange server an E2K variation?  If so, placing it in the DMZ
is more trouble than it's worth, given the issues related to AD membership
across a firewall.

      Jim Harrison
      MCP(2K), A+, Network+, PCG

        ----- Original Message -----
        From: cismic
        To: [ISAserver.org Discussion List]
        Sent: Thursday, August 09, 2001 9:51 PM
        Subject: [isalist] DNS Subnet question with DMZ




        I also posted this to the message boards. Sorry for the duplication.
Just thought I'd see if anyone was online tonight with some ideas.

        J



        Hello,



        I'm using 10.0.0.1 for illustration:



        I have 10.0.0.1/29 (8 IPs, 32 per C)

        as my IP address. IPs .1 and .8 are being used by my ISP.  .7 is
assigned to my CISCO 776M ISDN router.



        That leaves me with 5 IP addresses to use.

        .2, .3, .4, .5, .6

        EXT NIC 1. = .2

        DMZ NIC 1. = .3

        DMZ servers would be .4, .5, .6



        If I split those into something like the following

        .4 sql

        .5 web

        .6 DNS

        I run out of addresses and won't be able to place my exchange server
in the DMZ.



        and Internal NIC private could be 10.0.1.0



        Is there another method that will work just as well so I can publish
my Exchange server?



        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion List
as: jim@xxxxxxxxxxxx
        To unsubscribe send a blank email to
$subst('Email.Unsub')





