Re: DNS Subnet question with DMZ

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2001 13:05:18 -0400

Of course, with E2k you have no choice.

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 12:03 PM
Subject: [isalist] Re: DNS Subnet question with DMZ


> http://www.ISAserver.org
>
>
> That server would provide an open path to the LAT through the VPN
> connection.
> All deployment is based on risk assessment.  Only you can determine if the
> dangers of a given setup are outweighed by the benefits.  Generally, only
> those protocols that need to pass between DMZ and LAT should be allowed.
> Allowing AD traffic to the DMZ is dangerous, regardless of how you allow
> it.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 7:49 AM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> Okay.
>
> What about server in perimeter network of back-to-back (using different
> firewalls), with VPN connection into internal ISA firewall? Is that any more
> a security concern than published ports?
>
>
> ----- Original Message -----
>   From: Jim Harrison
>   To: [ISAserver.org Discussion List]
>   Sent: Friday, August 10, 2001 10:27 AM
>   Subject: [isalist] Re: DNS Subnet question with DMZ
>
>   A DMZ provides isolation of your trusted network from your
> "publicly-available" servers.  Some like to think of the DMZ as the
> "sacrificial lamb", and to a degree it is.  The general idea is that if
> someone wants to trash something, let it be in the DMZ.  By the same token,
> if someone were to trash your DMZ server, they still don't have direct
> access to the trusted LAN.
>
>   Jim Harrison
>   MCP(2K), A+, Network+, PCG
>
>     ----- Original Message -----
>     From: Jay
>     To: [ISAserver.org Discussion List]
>     Sent: Friday, August 10, 2001 7:18 AM
>     Subject: [isalist] Re: DNS Subnet question with DMZ
>
>     Is there a benefit of putting E2k (or any server) on DMZ, over just
> publishing it from internal net?
>
>
>
>       ----- Original Message -----
>       From: Jim Harrison
>       To: [ISAserver.org Discussion List]
>       Sent: Friday, August 10, 2001 9:38 AM
>       Subject: [isalist] Re: DNS Subnet question with DMZ
>
>       Unfortunately, the best you can do for the DMZ server is a single IP
> with the set you're given.
>       Since the DMZ in a three-homed ISA is a subnet of the external
> subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable
> IPs; one for the ISA DMZ NIC and one left for a server.
>       Is the Exchange server an E2K variation?  If so, placing it in the DMZ
> is more trouble than it's worth, given the issues related to AD membership
> across a firewall.
>
>       Jim Harrison
>       MCP(2K), A+, Network+, PCG
>
>         ----- Original Message -----
>         From: cismic
>         To: [ISAserver.org Discussion List]
>         Sent: Thursday, August 09, 2001 9:51 PM
>         Subject: [isalist] DNS Subnet question with DMZ
>
>         I also posted this to the message boards. Sorry for the duplication.
> Just thought I'd see if anyone was online tonight with some ideas.
>
>         J
>
>
>
>         Hello,
>
>
>
>         I'm using 10.0.0.1 for illustration:
>
>
>
>         I have 10.0.0.1/29 (8 IPs, 32 per C)
>
>         as my IP address. IPs .1 and .8 are being used by my ISP.  .7 is
> assigned to my CISCO 776M ISDN router.
>
>
>
>         That leaves me with 5 IP addresses to use.
>
>         .2, .3, .4, .5, .6
>
>         EXT NIC 1. = .2
>
>         DMZ NIC 1. = .3
>
>         DMZ servers would be .4, .5, .6
>
>
>
>         If I split those into something like the following
>
>         .4 sql
>
>         .5 web
>
>         .6 DNS
>
>         I run out of addresses and won't be able to place my Exchange server
> in the DMZ.
>
>
>
>         and Internal NIC private could be 10.0.1.0
>
>
>
>         Is there another method that will work just as well so I can publish
> my Exchange server?
>
>
>
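
Added example, not part of the original thread: the /30 DMZ carve-out Jim Harrison describes for a three-homed ISA, worked through in Python. It assumes the illustrative block is 10.0.0.0/29 with the router on .1 and the ISA external NIC on .2; `plan_dmz` and those address assignments are hypothetical.

```python
import ipaddress


def plan_dmz(external_block, external_hosts, dmz_prefix=30):
    """Carve a DMZ subnet out of the ISP-assigned block.

    external_hosts are addresses that must stay on the external segment
    (router, firewall external NIC). Returns None when no carve-out of
    the requested size avoids them.
    """
    block = ipaddress.ip_network(external_block)
    used = {ipaddress.ip_address(h) for h in external_hosts}
    for candidate in block.subnets(new_prefix=dmz_prefix):
        if any(h in candidate for h in used):
            continue  # a DMZ here would swallow an external-side host
        hosts = list(candidate.hosts())
        # External addresses that are neither inside the DMZ range nor taken.
        spare = [h for h in block.hosts() if h not in candidate and h not in used]
        return {
            "dmz_subnet": str(candidate),
            "dmz_netmask": str(candidate.netmask),
            "firewall_dmz_nic": str(hosts[0]),
            "dmz_servers": [str(h) for h in hosts[1:]],
            "external_spare": [str(h) for h in spare],
        }
    return None


if __name__ == "__main__":
    # Constructed sample input: router on .1, firewall external NIC on .2.
    plan = plan_dmz("10.0.0.0/29", ["10.0.0.1", "10.0.0.2"])
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With these inputs the only non-conflicting /30 is 10.0.0.4/30, which leaves 10.0.0.6 as the single DMZ server address.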


