RE: Domain structure to add more security protection

  • From: "Kevin S. Malinowski" <Kevin@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 9 Aug 2003 15:02:59 -0600

Hi, David.

There are a couple of flaws with this as I see it in this situation.

First, if the Corp Domain trusts the ISA domain, then anyone who compromises 
your ISA box is automatically (for all intents and purposes) trusted by the 
Corp Domain. I see this as a bad thing.

Second, there is no way to trust the internet, as it is not a domain, so this 
part of the discussion is basically moot.

However, if it were the other way around, and the ISA domain were to trust the Corp 
Domain, then the internal users of the Corp domain would have access to ISA 
resources. Since this is a one-way trust, if your ISA box were compromised the 
attacker would not automatically have access to internal Corp Domain resources.

Now, the question is: does this really add more security, or just more 
complication? Just having a standalone ISA server and then a 
member server in a back-to-back deployment (the standalone exposed to the 
internet) gives me pretty much the same amount of security without the 
complication of external forest trusts. Of course, YMMV.

Kevin

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Saturday, August 09, 2003 2:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Domain structure to add more security protection


http://www.ISAserver.org


Hi everyone,
    I was wondering: if cost were not a factor and you were designing the perfect Windows 
2000/2003 environment, would it be wise to create a resource domain 
specifically for ISA/VPN and create an External, One-Way, Non-Transitive 
Trust? I remember someone asking this and I can't remember if it was answered.

Corp Domain  <---trust--- ISA Domain <---- Internet


Corp Domain trusts ISA Domain, ISA Domain does not automatically trust Corp 
Domain.

In a non-transitive trust relationship, if Corp Domain trusts ISA Domain and 
ISA Domain trusts the Internet, Corp Domain does not automatically trust the 
Internet.

Regards,

David V. Dellanno - MCSE, MCP+I, MCP
MSDEMO Consultants
Williams Place
2564 Bridgewood Lane
Snellville, Georgia 30078 USA
(770) 736-8794 (Office)
msdemo.net

Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
Any unauthorized review, use, disclosure or distribution is prohibited. If you 
are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message. 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
kevin@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
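The point Kevin makes about trust direction (the Corp domain must never be the one trusting the perimeter domain, or a compromised ISA box is trusted by the internal domain) can be checked mechanically from the Corp domain's side. The script below is an added example, not code from either poster or from ISAserver.org. It assumes the ActiveDirectory PowerShell module (Get-ADTrust), which did not exist in the Windows 2000/2003 era the thread discusses; the domain names and the sample trust objects are constructed placeholders. Run against a live domain controller in the Corp domain, a trust to the ISA domain should show as Inbound only (ISA trusts Corp), non-transitive, with SID filtering left on.

```powershell
# Added example: audit trusts held by the Corp domain and flag any that make
# Corp trust a perimeter (ISA) domain. Assumes the ActiveDirectory module for
# live use; $PerimeterDomain and the sample data below are placeholders.

function Test-PerimeterTrust {
    param(
        # Objects shaped like Get-ADTrust output: Name, Direction,
        # ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication
        [Parameter(Mandatory)] [object[]] $Trusts,
        [Parameter(Mandatory)] [string]   $PerimeterDomain
    )
    foreach ($t in $Trusts) {
        if ($t.Name -ne $PerimeterDomain) { continue }
        $findings = @()

        # Seen from Corp, an Outbound trust means Corp trusts the other side:
        # exactly the shape Kevin warns against (David's original diagram).
        if ("$($t.Direction)" -in @('Outbound', 'BiDirectional')) {
            $findings += 'Corp trusts the perimeter domain; should be Inbound only'
        }
        # A transitive trust would extend that trust past the ISA domain.
        if ($t.ForestTransitive) {
            $findings += 'trust is transitive; external trust should be non-transitive'
        }
        # SID filtering (quarantine) stops SIDs from the trusted domain being
        # injected via SIDHistory; it is on by default for external trusts.
        if (-not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) is disabled'
        }
        # Selective authentication limits which Corp resources ISA-domain
        # principals may even authenticate to; optional but recommended.
        if (-not $t.SelectiveAuthentication) {
            $findings += 'selective authentication is off (informational)'
        }

        [pscustomobject]@{
            Trust      = $t.Name
            Direction  = "$($t.Direction)"
            Acceptable = (-not ($findings | Where-Object { $_ -notmatch 'informational' }))
            Findings   = $findings
        }
    }
}

# Constructed sample data (placeholders, not real domains): first object is the
# shape Kevin recommends (ISA trusts Corp => Inbound from Corp's view), second
# is David's diagram (Corp trusts ISA => Outbound from Corp's view).
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'isa.example.test'; Direction = 'Inbound'
                       ForestTransitive = $false; SIDFilteringQuarantined = $true
                       SelectiveAuthentication = $true }
    [pscustomobject]@{ Name = 'isa.example.test'; Direction = 'Outbound'
                       ForestTransitive = $false; SIDFilteringQuarantined = $true
                       SelectiveAuthentication = $false }
)

Test-PerimeterTrust -Trusts $sampleTrusts -PerimeterDomain 'isa.example.test' |
    Format-List

# Against a live Corp-domain DC (ActiveDirectory module required):
# Test-PerimeterTrust -Trusts (Get-ADTrust -Filter *) -PerimeterDomain 'isa.example.test'
```

The first sample object reports Acceptable = True with no findings; the second is flagged because its direction is Outbound, i.e. the Corp domain is the trusting side, which is the condition under which a compromised ISA server is automatically trusted internally.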