RE: Isa Server and Pix Firewall DMZ configuration

  • From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Nov 2005 08:38:30 -0600

DMZs are required by regulatory law in financial/remittance industry
(SOX and GLB compliance audits have turned up interesting things that
people are requesting). A true DMZ (not that home-user
Linksys/D-Link/etc. wanna-be DMZ) is extremely useful and lends a hand
to proving exactly what kind of traffic is being passed to servers that
handle requests from the wild.  An IDS placed in the DMZ looking for
"out of place" traffic can quickly alert you to issues with your rules
or a problem with your application that development needs to work on, or
worst case scenario, that someone else now "owns" that server.

Would you want to do business with a bank that has its front end home
banking web servers NOT in a DMZ?  Or how about paying your phone bill
online only to find out that they don't sanitize the data being sent to
the SQL server via a proxy application in a DMZ?

A lot of extremely large businesses have dozens of firewalls in place
just to protect their outward facing servers, and dozens more to protect
the data farms behind them.

Troy
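
A small illustration of the "out of place traffic" check Troy describes, added here as an example and not taken from any poster in this thread: an allow-list of the flows the firewall rules are supposed to permit (Internet to the web server on 80/443, the web server to the SQL server on 1433, admin from inside only), run over a constructed flow log. Every flow the allow-list does not cover is reported with a category saying why it is suspicious from the DMZ's point of view. The zones, addresses (documentation and RFC 1918 ranges), hosts, rule set and log lines are all made up for the example.

```python
"""Allow-list check over DMZ flow records.

Added example, not code from the thread: it illustrates the point that an
IDS watching the DMZ should raise "out of place" traffic, i.e. flows the
published rule set does not account for. Addresses, zones, the allow-list
and the flow log below are all constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Constructed zones: a documentation range for the DMZ, RFC 1918 for inside.
# Anything outside these is treated as "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

# Hypothetical hosts: the public web server in the DMZ, the SQL server inside.
WEB = ip_address("192.0.2.10")
SQL = ip_address("10.0.1.20")

Endpoint = Union[str, IPv4Address]  # a zone name or one specific host

# The traffic the firewall rules are supposed to permit, and nothing more.
# (source, destination, protocol, destination port)
ALLOW: List[Tuple[Endpoint, Endpoint, str, int]] = [
    ("internet", WEB, "tcp", 80),
    ("internet", WEB, "tcp", 443),
    (WEB, SQL, "tcp", 1433),         # only the web tier may talk to SQL
    ("internal", WEB, "tcp", 3389),  # remote admin from inside only
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Alert:
    flow: Flow
    category: str


def zone_of(ip: IPv4Address) -> str:
    """Map an address to a zone name; unknown space counts as the internet."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), proto.lower(), int(dport))


def _endpoint_matches(spec: Endpoint, ip: IPv4Address) -> bool:
    return zone_of(ip) == spec if isinstance(spec, str) else ip == spec


def classify(flow: Flow) -> Optional[str]:
    """Return None if an allow-list entry covers the flow, otherwise a category
    describing why the flow is out of place from the DMZ's point of view."""
    for src, dst, proto, dport in ALLOW:
        if (_endpoint_matches(src, flow.src) and _endpoint_matches(dst, flow.dst)
                and flow.proto == proto and flow.dport == dport):
            return None
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "dmz" and dst_zone == "internal":
        return "dmz-to-internal"   # a DMZ host reaching past the inner firewall
    if src_zone == "dmz" and dst_zone == "internet":
        return "dmz-outbound"      # a DMZ host initiating connections outward
    return "unexpected-inbound"    # something reached the DMZ that no rule allows


def find_out_of_place(lines: List[str]) -> List[Alert]:
    """Run every flow record through the allow-list and collect the misses."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        category = classify(flow)
        if category is not None:
            alerts.append(Alert(flow, category))
    return alerts


# Constructed flow log: two expected flows, then three that should alert.
SAMPLE_FLOWS = """\
2005-11-07T21:05:01 198.51.100.7 192.0.2.10 tcp 443
2005-11-07T21:05:02 192.0.2.10 10.0.1.20 tcp 1433
2005-11-07T21:05:03 198.51.100.7 192.0.2.10 tcp 3389
2005-11-07T21:05:04 192.0.2.10 203.0.113.9 tcp 4444
2005-11-07T21:05:05 192.0.2.10 10.0.1.50 tcp 445
"""

if __name__ == "__main__":
    for alert in find_out_of_place(SAMPLE_FLOWS.splitlines()):
        f = alert.flow
        print(f"{f.ts} {f.src} -> {f.dst} {f.proto}/{f.dport}: {alert.category}")
```

The three categories map onto the problems Troy lists: an unexpected inbound flow usually means a rule is wider than intended, a DMZ host reaching an internal host it has no business with points at a broken application tier or a misconfigured inner firewall, and a DMZ host initiating outbound connections on its own is the classic sign that someone else now owns it.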

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, November 07, 2005 9:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

http://www.ISAserver.org

Hi Amy,

I like DMZs.  I use them a lot and I think if you move away from the
"hardware 'open a port'" admin and think in terms of security zones,
then they're pretty useful. But I do agree that no servers should be
sacrificed just for the heck of it, unless they're honeypots.

Tom

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, November 07, 2005 6:25 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

I've never understood sacrificing a server to the Internet in a DMZ.
What's wrong with protecting every server? If the public needs access just
give them access to what they need and nothing more. DMZs are for
dinosaurs.

Amy

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: Monday, November 07, 2005 7:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

No.

Use ISA as your first line of defense. Use the PIX as a door stop.

There is no need to have the webserver in a DMZ with ISA. You can if you
want to tho'.

Make it a member of your domain as well.

Have a look at ISAServer.org for dos and don'ts.

S 

-----Original Message-----
From: Lisa Brown [mailto:lbrown@xxxxxxxx] 
Sent: Monday, November 07, 2005 6:28 PM
To: ISA Mailing List
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

So in other words I remove ISA from the web server when moving to the
DMZ and just use the PIX, and then put ISA 2004 on the internal network.
Does the PIX protect the web server with no firewall installed on it on
the DMZ?

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Monday, November 07, 2005 3:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

By all means, use the PIX as a firewall, but in front of the ISA 2004
Firewall. The ISA 2004 Firewall is far more of a firewall than the pixie
will ever be.

S 

-----Original Message-----
From: Lisa Brown [mailto:lbrown@xxxxxxxx]
Sent: Monday, November 07, 2005 5:25 PM
To: ISA Mailing List
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

Yes, I am aware of that.  That is why, when I took over this position, I
am moving the web server to the DMZ and was curious how to protect the
web server while on the DMZ.  Yes, I am separating them; I will have ISA
2004 internal and was wondering if I need ISA on the web server.  But I
guess that answers my question.  What will protect the web server?  The
PIX?  To keep people from compromising that system?

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Monday, November 07, 2005 2:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

The point I am trying to make, is that ISA 2004 is a firewall, a very
powerful one. Therefore one should never install applications on it
especially web / mail servers. 

-----Original Message-----
From: Lisa Brown [mailto:lbrown@xxxxxxxx]
Sent: Monday, November 07, 2005 4:49 PM
To: ISA Mailing List
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

No, I will be running in dual-firewall mode.

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Monday, November 07, 2005 2:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

Well, the Pix is a firewall also...well sort of. You wouldn't dream of
trying to install applications on it would you???

S 

-----Original Message-----
From: Lisa Brown [mailto:lbrown@xxxxxxxx]
Sent: Monday, November 07, 2005 4:40 PM
To: ISA Mailing List
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

I guess I don't understand what you mean about installing applications on
my PIX?

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Monday, November 07, 2005 2:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Isa Server and Pix Firewall DMZ configuration

Dear dear dear

You have installed applications on your pix also.

ISA's a firewall, not a web or application server. And why would you
want to put it in a DMZ?

Do a little research on ISA 2004 before you make the move.

Try www.isaserver.org to start with, then when you have real questions
come back here.

S

-----Original Message-----
From: Lisa Brown [mailto:lbrown@xxxxxxxx]
Sent: Monday, November 07, 2005 10:41 AM
To: ISA Mailing List
Subject: [isalist] Isa Server and Pix Firewall DMZ configuration

I am currently using ISA Server 2000 as a proxy only, and it is installed
on my web server.  My web server is currently inside my internal network.
I am going to move my web server, front-end for Exchange and Barracuda
spam device to the DMZ on the PIX.  I would like to see if someone can
help me with the configurations.  I would like to keep ISA on the
web server but upgrade to ISA 2004.  It currently was not upgraded
because it had to run in dual-NIC mode and the previous net admin had it
disabled.  I need to configure it for dual-NIC mode so it will protect
my web server, front-end Exchange and spam device.  I guess I also want to
configure ISA on another server internally, so we will still have a
proxy out to the Internet internally since the current one is moving to
the DMZ.

Can someone tell me how to keep the ISA upgraded to 2004 on the move to the DMZ?

How should the NICs be configured?  What needs to be put on the PIX, and
how should the NIC on the internal ISA 2004 be configured?

Thanks in advance for any assistance you can provide.
Lisa 