RE: External Network Logic

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 7 Dec 2005 16:21:17 -0800

It's actually all quite clear in my head now that I've got all the pieces together... It probably seems convoluted, but it's not really...

This will be "used" in my internal network topology... As it is now, my network is of the "typical" configuration: servers and clients all sharing the same physical network. Full stack access to/from everyone. Well, the clients are all XP Pro SP2 with the FW configured properly, but you know what I mean.

There is no reason for full to/from traffic- why should people be able to hit my Exchange Cluster with SQL traffic? Or to directly access SMTP? Why should people be able to hit my SQL Clusters with RPC or anything other than 1433? They shouldn't.

This ISA will physically go in between my physical servers switch and the physical client switches. The servers will be treated as "Internal" and the clients will be treated as the Perimeter network. At that point, I will have rules that only allow required traffic from the Perimeter to specific server sets, and nothing more. For instance, 1433 will come From the Perimeter To the SQL cluster, and ONLY to the SQL cluster. No other traffic from the Perimeter network will ever touch my SQL boxes. Same with Exchange, my NAS devices, color copiers, network faxes, blah blah blah.

I'm not climbing the mountain because it's there- I'm climbing it because a proper configuration of security exists at the top.

t
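The segmentation described above, as an added example that is not from the thread or from ISA Server itself: a first-match evaluator for a Perimeter-to-Internal policy that encodes only the rule the message states (TCP 1433 from the client Perimeter to the SQL cluster and nothing else), with everything unmatched denied. The address ranges and host addresses are constructed placeholders, not the poster's network.

```python
import ipaddress

# Constructed topology (assumption): clients on the "Perimeter" leg,
# servers on the "Internal" leg, as in the message.
NETWORKS = {
    "Perimeter": ipaddress.ip_network("10.10.0.0/16"),
    "Internal": ipaddress.ip_network("10.20.0.0/16"),
}
SQL_CLUSTER = {ipaddress.ip_address("10.20.1.10"), ipaddress.ip_address("10.20.1.11")}
EXCHANGE = {ipaddress.ip_address("10.20.2.10")}  # no rule defined for it here

# Ordered rules: (action, source network, destination set, protocol, port).
# Only the one rule the message spells out is encoded; anything else
# from the Perimeter (SMTP, RPC, SQL traffic at Exchange) falls through.
RULES = [
    ("allow", "Perimeter", SQL_CLUSTER, "tcp", 1433),
]


def network_of(addr):
    """Map an address to the ISA-style network it belongs to, or None."""
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def evaluate(src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow; unmatched flows are denied."""
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = network_of(src_addr)
    for action, rule_src, dsts, rule_proto, rule_port in RULES:
        if rule_src != src_net or dst_addr not in dsts:
            continue
        if rule_proto != proto or rule_port != port:
            continue
        return action
    return "deny"


def denied_flows(flows):
    """Filter a list of (src, dst, proto, port) tuples down to the denied ones."""
    return [f for f in flows if evaluate(*f) == "deny"]


if __name__ == "__main__":
    for flow in [("10.10.5.20", "10.20.1.10", "tcp", 1433),
                 ("10.10.5.20", "10.20.1.10", "tcp", 135),
                 ("10.10.5.20", "10.20.2.10", "tcp", 25)]:
        print(flow, evaluate(*flow))
```
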


----- Original Message ----- From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 3:52 PM
Subject: [isalist] RE: External Network Logic



http://www.ISAserver.org

Who's going to use this network? This whole least privilege experiment is getting pretty convoluted. Is this a climb the mountain because the mountain is there kind of thing?

Amy


-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, December 07, 2005 6:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: External Network Logic


One thing though, just so I understand-- How would I NAT to the Internet? There *is no* "Internet" per se in a 2 NIC config with both defined as ISA Firewall Networks, right? There would be a route relationship from the Internal to the DMZ Perimeter. The Internet would only exist if an Interface was added and not defined elsewhere, correct?

t
