Re: IP Addresses on DMZ

  • From: "Mark Strangways" <strangconst@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 30 Jul 2001 23:13:57 -0400

Possibly you could set up a back-to-back network:
    bind all public IPs to the internet NIC,
    set up semi-private IPs for "DMZish" servers (web, Exchange, etc.),
    then set up another ISA server for your private network.

Cost: an additional server and licensing for ISA.
But you can work with the IPs you have now.

I think that would be the way I did it.
I actually built my "little" network with ISA just on the internet side, and
no second ISA server.
Not the best way to do it, and I'll likely hear about it, but I don't have
any private network clients to worry about, it's just there to serve web
pages, receive e-mail, etc., etc.

After all, if it does get hacked, most (if not all) of my servers would have
been in the DMZ anyways. Once that's compromised, then I imagine anything in
the DMZ is fair game.
Then again, I'm not a hacker YET, perhaps I should brush up on it... Makes
for a nice career in network security :)

Regards,

Mark
----- Original Message -----
From: "Guinn Unger" <geunger@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 30, 2001 10:44 PM
Subject: [isalist] Re: IP Addresses on DMZ


> http://www.ISAserver.org
>
>
> I have read a good bit of this material, but it gets rather
> overwhelming pretty quickly.  So suppose we step back 10
> paces and ask ourselves what we really want.  My ultimate
> goal is to have internet access, publish one or two web
> servers, publish an Exchange server, and have VPN access
> both from our desktops to outside sites and from outside
> to our network.
>
> From what I had read, it seemed like a DMZ would be a good
> solution, but I'm beginning to wonder.  If I go back to our
> ISP and ask for a bigger block of IP addresses I feel pretty
> certain they are going to balk.  They seemed very reluctant
> to give us the eight that they did.  (It also seems like we
> are using IP addresses pretty inefficiently if I need more
> than 8 public IP addresses to publish three servers.  Oh,
> well.)
>
> How much of a security risk would it really be to have our
> web servers and Exchange server on our private network?
> Does the DMZ really offer that much extra security?  If we
> keep up with security patches and such, do we really need the
> DMZ?  I can't imagine that we have very much that anybody
> would want on our network except to take over a server for
> DOS attacks or something similar.  Does that make sense?
>
> Again, thanks in advance for the help.
>
> Guinn
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Monday, July 30, 2001 7:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: IP Addresses on DMZ
>
>
> One problem you have is that with 6 IPs, any further subnetting is
> limited to two functional DMZ IPs; one for the ISA DMZ NIC and one for
> the DMZ server.
>
> There is some general ISA deployment reading you should do before plunging
> headlong into the abyss that is ISA :-)...
>
> http://www.isaserver.org/shinder/tips/getting_started.htm
> http://www.isaserver.org/shinder/tutorials/secure_nat_client.htm
>
> http://www.isaserver.org/shinder/tutorials/designing_an_isa_server_solution_on_a%20_simple_network.htm
> http://www.isaserver.org/pages/tutorials/isanetworks.htm
> http://www.isaserver.org/shinder/tutorials/dmz_scenarios.htm
>
> ..and many more in the "Learning Zone"...
>
>  Jim Harrison
>  MCP(2K), A+, Network+, PCG
>
>
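
The address arithmetic behind Jim Harrison's subnetting point and Mark Strangways' back-to-back suggestion, as an added example that is not part of the original thread. It assumes an 8-address (/29) ISP block, uses the constructed documentation range 203.0.113.0/29, and assumes the ISP router takes the first usable address; the function names are hypothetical.

```python
import ipaddress

BLOCK = "203.0.113.0/29"  # constructed sample: 8 addresses, 6 usable hosts


def routed_dmz_plan(block):
    """Split the ISP block in half: one subnet outside ISA, one routed public DMZ."""
    net = ipaddress.ip_network(block)
    external, dmz = net.subnets(prefixlen_diff=1)  # a /29 yields two /30s
    ext_hosts = list(external.hosts())  # network/broadcast already excluded
    dmz_hosts = list(dmz.hosts())
    return {
        "external_subnet": str(external),
        "isp_gateway": str(ext_hosts[0]),       # assumption: ISP router is first host
        "isa_external_nic": str(ext_hosts[1]),
        "dmz_subnet": str(dmz),
        "isa_dmz_nic": str(dmz_hosts[0]),       # ISA needs one address on the DMZ
        "dmz_servers": [str(h) for h in dmz_hosts[1:]],
    }


def back_to_back_plan(block):
    """Keep the block whole on the external NIC; DMZ servers get private addresses."""
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())
    return {
        "external_subnet": str(net),
        "isp_gateway": str(hosts[0]),           # same assumption as above
        # Every remaining address can be bound to the external ISA NIC and
        # published to a server behind it.
        "publishable_on_isa": [str(h) for h in hosts[1:]],
    }


if __name__ == "__main__":
    routed = routed_dmz_plan(BLOCK)
    b2b = back_to_back_plan(BLOCK)
    print("Routed DMZ      :", routed["dmz_subnet"],
          "-> server addresses:", routed["dmz_servers"])
    print("Back-to-back    :", b2b["external_subnet"],
          "-> publishable addresses:", b2b["publishable_on_isa"])
```

With the sample block, the routed DMZ leaves a single public address for a DMZ server, while the back-to-back layout leaves five addresses to publish from the external NIC.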


