RE: FW1 between ISA and internal network

  • From: "Quillman Shawn (RBNA/CIT1.1)" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Dec 2002 11:22:42 -0500

I'd have to agree with you, Howard; there's really no reason other than
paranoia and prejudice to have that internal FW1 box. A dual-product
firewall is actually a fairly good idea, but I think FW1-ISA-FW1 is going a
bit overboard. You could raise the cost issue for the hardware, the FW1
license if you don't already have it, your effort in supporting the 2nd FW1
box, etc. If things continue to remain ugly, maybe you could try
compromising with an ACL router instead of the internal FW1.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 18, 2002 6:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW1 between ISA and internal network


http://www.ISAserver.org


What was wrong with the reasons I provided? Do I need to draw packet
diagrams to make them technical? :-)

HTH,
Tom

-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx] 
Sent: Wednesday, December 18, 2002 4:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW1 between ISA and internal network

I guess I should clarify what I'm referring to.

What he wants:
INET---FW1---ISA---FW1---Internal network/Exchange

What I want:
INET---FW1---ISA---Internal network/Exchange

I need a good reason that will stand on its own as to why ISA should be
connected to the internal network. He's saying it doesn't have to be and
doesn't want it to be, but I'm saying it should be. IMO, there's no reason to
duplicate layers when it won't do any good and all it will do is create
redundancy. I know that and most others know that, but I need a good
technical reason to stand on to defend ISA and have it connected to the
inside without the other FW1 in its way.

Thanks!
Howard

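Howard's two diagrams above invite a small model. The Python below is an example added to this page; it is not code from anyone on the list. It treats each hop (outer FW1, ISA, optional inner FW1) as a rule set and composes the hops in series. The zones, ports and rule sets are constructed for illustration, and the model deliberately ignores that ISA proxies the published services (the inside connection is sourced from ISA, not from the Internet client); it only captures that every hop on the path must carry a matching rule.

```python
# Added example: packet filters in series, modelled as rule sets.
# Zones, ports and rules below are constructed for illustration only.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    """A connection as a stateful packet filter would classify it."""
    src: str    # zone where the connection originates
    dst: str    # zone it is destined for
    proto: str  # transport protocol
    port: int   # destination port


@dataclass(frozen=True)
class Device:
    """One filtering hop; it permits exactly the flows in its rule set."""
    name: str
    rules: FrozenSet[Flow]

    def permits(self, flow: Flow) -> bool:
        return flow in self.rules


def permitted_by_path(path: Iterable[Device], candidates: Iterable[Flow]) -> Set[Flow]:
    """Flows that every hop permits. Filters in series compose as an
    intersection, so adding a hop can only shrink this set, never grow it."""
    hops = list(path)
    return {f for f in candidates if all(d.permits(f) for d in hops)}


# Constructed rule set: the services Howard wants published to Exchange,
# plus two flows that must stay blocked whatever the topology.
PUBLISHED: FrozenSet[Flow] = frozenset({
    Flow("internet", "internal", "tcp", 25),    # SMTP
    Flow("internet", "internal", "tcp", 443),   # OWA over HTTPS
    Flow("internet", "internal", "tcp", 135),   # RPC endpoint mapper for Outlook
})
UNWANTED: FrozenSet[Flow] = frozenset({
    Flow("internet", "internal", "tcp", 445),   # SMB
    Flow("internet", "internal", "tcp", 3389),  # RDP
})
CANDIDATES: FrozenSet[Flow] = PUBLISHED | UNWANTED

OUTER_FW1 = Device("outer FW1", PUBLISHED)
ISA = Device("ISA", PUBLISHED)


def topology_howard() -> List[Device]:
    """INET---FW1---ISA---Internal network/Exchange"""
    return [OUTER_FW1, ISA]


def topology_sandwich(inner_rules: Iterable[Flow]) -> List[Device]:
    """INET---FW1---ISA---FW1---Internal network/Exchange"""
    return [OUTER_FW1, ISA, Device("inner FW1", frozenset(inner_rules))]


def extra_hop_blocks(inner_rules: Iterable[Flow]) -> Set[Flow]:
    """Flows the inner FW1 stops that the shorter path already let through.
    An empty result means the inner box duplicates ISA's policy and adds no check."""
    without = permitted_by_path(topology_howard(), CANDIDATES)
    with_inner = permitted_by_path(topology_sandwich(inner_rules), CANDIDATES)
    return without - with_inner


def broken_services(inner_rules: Iterable[Flow]) -> Set[Flow]:
    """Published services the inner FW1 breaks because its rules drifted from ISA's."""
    return set(PUBLISHED) & extra_hop_blocks(inner_rules)


if __name__ == "__main__":
    howard = permitted_by_path(topology_howard(), CANDIDATES)
    print("Howard's design permits ports:", sorted(f.port for f in howard))
    # Inner FW1 mirroring ISA's rules: nothing new is blocked.
    print("inner FW1 mirroring ISA additionally blocks:", extra_hop_blocks(PUBLISHED))
    # Inner FW1 whose rules drifted (RPC rule missing): a published service breaks.
    drifted = PUBLISHED - {Flow("internet", "internal", "tcp", 135)}
    print("inner FW1 missing the RPC rule breaks ports:",
          sorted(f.port for f in broken_services(drifted)))
```

Run as-is, the model shows the two outcomes the thread argues over: an inner FW1 whose rules mirror ISA's blocks nothing ISA did not already block (a second copy of the same policy to keep in sync), and one whose rules drift from ISA's breaks a published service rather than stopping an attacker. What the model cannot show is the one case Shawn's "dual product" remark points at: if ISA itself were compromised and its policy no longer held, the inner box would still be a check.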

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, December 18, 2002 4:08 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW1 between ISA and internal network

Hi Howard,

There's no reason why you can't do it this way. You'll have two DMZ
segments, an "external" DMZ and an "internal" DMZ. If all three of these
machines were ISA Servers, it would be very easy to publish internal network
Exchange RPC, SMTP, NNTP, OWA, etc. But I don't believe Checkpoint has the
application layer intelligence to handle the task without making Swiss
cheese out of the Checkpoint boxes.

Another reason to put the ISA Server on the LAN edge is that you can
leverage user/group-based outbound and inbound access control. If you open
up the VPN ports and protocols on the two Checkpoint boxes in front of the
ISA Server on the LAN's edge, you can have an unlimited number of inbound
VPN connections to the ISA Server without paying a penny more. Can you say
the same with Checkpoint?

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx] 
Sent: Wednesday, December 18, 2002 2:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW1 between ISA and internal network

Yes, you read the subject correctly. The project team I am on has a person
on it who thinks he is a firewall god. With my proposal to implement ISA
Server to publish our internal Exchange servers to the world came a backlash
of defiance. This guy does not give ISA any respect and doesn't even
consider it to be a firewall that can stand on its own. The guy wants me to
put my ISA server between two Checkpoint firewalls. Yes, you read correctly,
he wants to put a firewall between two firewalls. Why, I don't know.
Probably because he's defensive about his Checkpoint and doesn't want to
lose control of it or something. Anyway, can someone give me a good solid
reason that will be worth putting in my gun and shooting as to why this
should NOT be done.

Is there any reason at all, technically, that ISA has to be connected to the
same segment as the Exchange servers? Any reason at all? Say for the secure
connection to OWA, SMTP, POP3, IMAP, NNTP, anything at all??

TIA and HELP!!!!

Howard

List Sponsored by Aspelle
Aspelle's Microsoft-centric, Aspelle Everywhere, leverages ISA server and
the Internet to quickly and cost-effectively manage and deliver secure,
client-less access to all corporate applications (Web, Unix, Windows and
legacy systems), for all users.
More info at http://www.aspelle.com/info

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
