Re: IP Addresses on DMZ

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 30 Jul 2001 20:26:27 -0700

Ok, now that's a new question:
1. Security risks posed by having web / E2K servers inside out of the rain:
_If_ someone were to get past the ISA and infect the web or E2K servers,
they _might_ be able to gain access to the rest of your internal network.
They might also fix you eggs and ham for breakfast, but the odds are about
even there.  Seriously, that's the whole point of ISA; to help keep the bad
guys out.  Properly configured, it does a mighty fine job. I, for one, have
no fear of the Code Red worm, because my ISAs drop the buffer overflow
request before it even gets to my web servers.
2. DMZ security:  the DMZ offers security by isolation; the separation of
the trusted network from those servers that must be accessible from the
Internet.  Since E2K requires direct AD access and that's a huge hole in
your firewall between the LAT and the DMZ, there's little to be gained by
placing an E2K server there.  Also, the web server is better protected by
being in the LAT, since the web proxy is now available for application-level
filtering of web traffic.
3. IP assignment: By using web publishing, you can publish a cubic grunch of
web servers using one IP address and keep all the traffic logged
individually by client.  This means that you only need to assign an IP for
each identical non-web protocol (more than one SMTP publishing, for
instance).  This helps to reduce your IP-per-site requirements so many
admins are used to creating.

Jim Harrison
MCP(2K), A+, Network+, PCG

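As an added illustration of points 1 and 3 above (example code written for this page, not from the post or from ISA Server itself), this toy Python front end models one public IP publishing several internal web servers selected by the HTTP Host header, while dropping overlong request URIs before they reach any server; the hostnames, internal addresses and the 2048-byte limit are assumed values, and each decision carries the client IP so traffic can be logged per client.

```python
"""Toy model of web publishing: one public IP fronts several internal web servers
chosen by Host header, with an application-level check on request URI length."""
from dataclasses import dataclass
from typing import Optional

MAX_URL_LEN = 2048  # assumed limit; anything longer is dropped before reaching a server

PUBLISHING_RULES = {  # assumed rules: public hostname -> internal (LAT-side) server
    "www.example.com": "10.0.0.10:80",
    "intranet.example.com": "10.0.0.11:80",
    "mail.example.com": "10.0.0.20:80",
}

@dataclass
class Decision:
    client: str            # source IP of the external client, for per-client logging
    host: Optional[str]    # Host header as seen, or None if absent
    action: str            # "forward" or "drop"
    target: Optional[str]  # internal server the request goes to, if any
    reason: str

def parse_request(raw: bytes):
    """Return (method, url, headers) or None if the request line is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def publish(client_ip: str, raw: bytes) -> Decision:
    """Decide what the publishing front end does with one inbound request."""
    parsed = parse_request(raw)
    if parsed is None:
        return Decision(client_ip, None, "drop", None, "malformed request line")
    method, url, headers = parsed
    host = headers.get("host", "").split(":")[0].lower() or None
    if len(url) > MAX_URL_LEN:  # the filter fires before any Host lookup
        return Decision(client_ip, host, "drop", None,
                        f"request URI {len(url)} bytes exceeds {MAX_URL_LEN}")
    target = PUBLISHING_RULES.get(host)
    if target is None:  # unknown hostnames get nothing, not a default server
        return Decision(client_ip, host, "drop", None, "no publishing rule for host")
    return Decision(client_ip, host, "forward", target, f"{method} {url}")
```
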
----- Original Message -----
From: "Guinn Unger" <geunger@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 30, 2001 7:44 PM
Subject: [isalist] Re: IP Addresses on DMZ


http://www.ISAserver.org


I have read a good bit of this material, but it gets rather
overwhelming pretty quickly.  So suppose we step back 10
paces and ask ourselves what we really want.  My ultimate
goal is to have internet access, publish one or two web
servers, publish an Exchange server, and have VPN access
both from our desktops to outside sites and from outside
to our network.

From what I had read, it seemed like a DMZ would be a good
solution, but I'm beginning to wonder.  If I go back to our
ISP and ask for a bigger block of IP addresses I feel pretty
certain they are going to balk.  They seemed very reluctant
to give us the eight that they did.  (It also seems like we
are using IP addresses pretty inefficiently if I need more
than 8 public IP addresses to publish three servers.  Oh,
well.)

How much of a security risk would it really be to have our
web servers and Exchange server on our private network?
Does the DMZ really offer that much extra security?  If we
keep up with security patches and such, do we really need the
DMZ?  I can't imagine that we have very much that anybody
would want on our network except to take over a server for
DOS attacks or something similar.  Does that make sense?

Again, thanks in advance for the help.

Guinn

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 30, 2001 7:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IP Addresses on DMZ

One problem you have is that with 6 IP's, any further subnetting is limited
to two functional DMZ IPs; one for the ISA DMZ NIC and one for the DMZ
server.

There is some general ISA deployment reading you should do before plunging
headlong into the abyss that is ISA :-)...

http://www.isaserver.org/shinder/tips/getting_started.htm
http://www.isaserver.org/shinder/tutorials/secure_nat_client.htm
http://www.isaserver.org/shinder/tutorials/designing_an_isa_server_solution_on_a%20_simple_network.htm
http://www.isaserver.org/pages/tutorials/isanetworks.htm
http://www.isaserver.org/shinder/tutorials/dmz_scenarios.htm

..and many more in the "Learning Zone"...

Jim Harrison
MCP(2K), A+, Network+, PCG

