RE: Internet Access behind SBS

  • From: "Quillman Shawn (RBNA/CIT1.1) *" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 27 Aug 2003 08:18:36 -0500

Hitchhiker's Guide

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 27, 2003 9:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internet Access behind SBS


http://www.ISAserver.org


Now is where I get to join the fray.

The FW client actually adds to your security, not detracts from it.
If you (as Paul and Tom both stated) create the ISA policies to disallow
anything not specifically allowed, then the FW client actually helps you:
1. enforce that policy
2. perform your necessary forensic tasks (user and machine names!)

You can also block applications themselves, not just the protocols they use.
You can configure an "ain't no way" "Common Configuration" settings section
that includes "disable=1" and use the "disable=0" for those apps you want to
allow through.

This way, even if the internal clients disable the FW client itself and
become SecureNAT clients (who the hell allows that?!?), the ISA policies
tell them to zark off (three social points for that reference).

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
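
Added example, not part of the original thread or of any ISA Server tooling: a small audit of a wspcfg.ini-style file that resolves the `Disable` value each application section ends up with when `[Common Configuration]` carries `Disable=1`. The application section names and sample file are constructed, and the override order (application section wins over the common section) is an assumption taken from the description in the message above.

```python
import configparser

COMMON = "common configuration"

# Constructed sample file; the application section names are hypothetical.
SAMPLE_WSPCFG = """\
[Common Configuration]
Disable=1

[mailclient]
Disable=0

[p2papp]
NameResolution=R

[ftp]
disable=0
"""

def load_sections(ini_text):
    """Parse ini text into {lowercased section: {lowercased key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    return {name.lower(): dict(parser[name]) for name in parser.sections()}

def firewall_client_state(ini_text):
    """Return (default_disabled, {app: disabled}) for every application section.

    Assumptions: an application section's Disable overrides the one in
    [Common Configuration]; a section without Disable inherits the common
    value; a missing common Disable is treated as 0 (client enabled).
    """
    sections = load_sections(ini_text)
    common = sections.get(COMMON, {})
    default_disabled = common.get("disable", "0").strip() == "1"
    apps = {}
    for name, keys in sections.items():
        if name == COMMON:
            continue
        value = keys.get("disable")
        apps[name] = default_disabled if value is None else value.strip() == "1"
    return default_disabled, apps

def audit(ini_text):
    """List findings a reviewer would want before trusting the file."""
    default_disabled, apps = firewall_client_state(ini_text)
    findings = []
    if not default_disabled:
        findings.append("Common Configuration does not set Disable=1")
    enabled = sorted(app for app, off in apps.items() if not off)
    findings.append("Firewall client enabled for: " + (", ".join(enabled) or "none"))
    return findings
```
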


On Wed, 27 Aug 2003 18:12:44 +1000
 "Paul Aitchison" <pdaitch@xxxxxxxxxxxxxxx> wrote:


I agree with ya there Tom!

Documentation on the ini file is pretty smoky. 

I just know in an SBS2000 install with ISA set up thru the Internet
Connection Wizard, the firewall client is able to access everything so
you'd need to spend some time configuring the ini files etc to prevent
users having open access via ISA. 

I've had cases where we've taken over providing IT services for SBS
users and the previous company has left the ISA with no configuration
short of the SBS defaults, needless to say spyware and other nasty
things were rampant throughout the network. 

I tend to go into an SBS ISA install and just do it from scratch to make
sure it's right :-)

Basically in my experience it comes down to what ppl need to run over
the net. If it's just web surfing, leave the client off their machine as
it's a security hole you don't have to worry about. 

Of course if I was much more versed in the wspcfg.ini file I could lock
it down

Cheers

Paul

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, 27 August 2003 5:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internet Access behind SBS



Hi Paul,

You should rethink your opinion of the Firewall client. The firewall client
is one of the major features that separates an ISA firewall from other
firewalls.  Without the Firewall client, you have just a dumb, no
intelligent outbound access control firewall like a pix.

Why? Because it's this client piece that allows user/group based
access controls for *ALL* protocols and it does not require the application
to be proxy aware and there does not need to be a dedicated "proxy"
component. Even with SOCKS, the application has to be written to be SOCKS
aware. The Firewall client allows you to use any application behind the ISA
firewall. No other firewall that I'm aware of can do this.

The Firewall client is the way, the truth and the light. The only complaint
I have is that the documentation on how to actually use the settings in the
wspcfg.ini file is as clear as mud. :-)

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
