[isalist] Re: SME LAN and ISA

  • From: "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 22 May 2006 02:16:03 -0700

Prudence at the expense of security?

 

New OS - 6 months

New version Server Software (Exchange, SQL, yadda yadda) 2-4 months

New service pack - 1-2 months

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Glenn P. JOHNSTON
Sent: Monday, May 22, 2006 12:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SME LAN and ISA

 

Just to add some more oil to the fire.

 

There are 2 small corporates (200 - 300 employees each) here in Australia
that I have had an ongoing relationship with for several years, and they
both have a corporate policy that NO software will go near their production
LAN until at least 6 months have passed after the official release. To break
the policy requires the Chief Operating Officer's approval. To date, no matter how
compelling the argument for an upgrade, neither COO has signed off on an
early upgrade. Neither company even rolled XP SP2 out across the desktops
until it had been in the field for 6 months.

 

Their approach is "Let some other bunny find the problems".

 

Cautious, but very prudent.

 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg Mulholland
Sent: Monday, 22 May 2006 16:53
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SME LAN and ISA

I get the point, but ultimately you don't know if ISA is or isn't going to
break in Beta or even behave weirdly, regardless of ISA or Exchange or near
completion in the life cycle. My boss would tear me a new one if anything
happened and he knew that I was using Beta. ISA 2006 is beta software and
hence falls under the Beta "blanket" regardless of its "stance" in the
security world or record or reputation. Exchange and BIND would be the same:
just because ye olde version worked well doesn't mean the new one will, and
I'm not about to find that out the hard way. I was always brought up not to
do testing in a production environment, and from the reasons given and ones I
have seen I do not have enough persuasion to change my mind...

 

I think it all depends on whether you think that the steps you take increase
the chance of risk to YOUR network and for that matter your job. Also
whether the need for the beta software is great at that point in time; that
is to say, what improvements, security or functionality or otherwise, is a
factor in the overall decision. For me there has never been a need to rush
at beta software in my environments (home excluded); all our testing of new
products is done in a lab environment to ascertain the best way to attack
upgrades and assess functionality etc. etc. So I guess we can differ on this
and I suspect the gallery will be divided on this one. Might be a good topic
for a poll on isaserver.org and a lucky prize for one of the voters; remember
we used to do those!!

 

 

Greg Mulholland

 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Mon 22/05/2006 2:32 PM
To: isalist@xxxxxxxxxxxxx; Glenn P. JOHNSTON
Subject: [isalist] Re: SME LAN and ISA

We're talking about someone running it on their own LAN.  Not sure where the
"board" or "business owner" stuff came in.  I'm not suggesting that a
professional network/security specialist install beta software on customer's
production networks.  I'm specifically talking about ISA 2006, as I stated
earlier.  It's tight.  I run it, I've tested it (and trust me, I'm made
aware of issues that MSFT sometimes never sees) and I have no problem with
someone who knows what they are doing running it on their own LAN.  This
isn't some blanket statement about beta in general:  I said, "Don't listen
to Greg.  Use ISA2006  all you want (if you know what you are doing.)"

Comparing "full version public release" to "beta" has absolutely no meaning
whatsoever unless you know what has been changed between releases.  I
participate in many different beta programs- and I've seen software go from
"beta" to "RC" to "RTM" without a single bit being changed.  

If you know what you are doing, and know where the product is in the
development cycle, and are willing to be responsible for your own decisions
in regard to ISA 2006, then it is OK to deploy it.   I do this, and am fine
with it.  And I'm somewhat confident that I won't be looking for another job
should an issue arise. 

We're professionals here.  Let's not make blanket statements where they are
not applicable.

t


On 5/21/06 6:43 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh
to all:

From what I have seen of ISA2006 on my play LAN, it seems stable, works well
and to date, I have found no issues, and while I have not done full speed
tests, I have a gut feel that the performance is better.

However, it's got nothing to do with skill set, being comfortable or
anything like that.

Purely on principle, I would not put any beta or pre-release software near a
production LAN. This comes from 25 years supporting and developing systems
in corporate environments.

What about this situation:

There is some small bug / hole in ISA2006 that, as yet, is undetected; it's
small, it's new and it's specific to ISA2006, it's obscure, but it's there.

You put ISA2006 on a production LAN, and someone on the internet finds it,
finds the bug / hole, makes use of it, and hacks in, and a customer list finds
its way onto the internet, or into the hands of a competitor.

There is an investigation, possibly with law enforcement called in, the
board finds out there was beta software on their production LAN, you've shot
yourself in the foot, you are in an indefensible position.

Unlikely, yes. 

Are there any bugs / holes in ISA2006? My suspicion is probably not, but the
jury is still out deliberating on that one.

Would it be OK on a production LAN? Probably yes; it will work, and work
without issues.

But if an issue does occur, will any board or business owner support using
beta or pre-release on their production system? Not likely; more likely,
you're looking for another job. There also could very well be legal issues,
where you've exposed yourself to some liability claim.

It's just not a position you want to be in; no matter how sure you are that
every 'i' is dotted and 't' crossed, you just don't want to be there in the
unlikely event of an issue.

If it's full version public released software, the situation would be a lot
different; with beta, you're done like a dinner.

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, 22 May 2006 10:59
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SME LAN and ISA

People who know what they are doing.   If you are not comfortable with your
skillset, then don't do it.  But since you question our sanity, that means
that you just know something we don't.  Please give us a list of your
specific issues with ISA2006 and the security vulnerabilities you have
discovered. 

t


On 5/21/06 5:50 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh
to all:

Who in their right mind would use a product beta on a production LAN ????

We have enough problems with the day to day stuff, and users, and business
needs, and.........

Why make extra problems of our own making!

 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, 22 May 2006  08:02
To: isalist@xxxxxxxxxxxxx; Greg Mulholland
Subject:  [isalist] Re: SME LAN and ISA

Don't listen to Greg.  Use ISA2006  all you want (if you know what you are
doing.)  

t


On  5/21/06 2:21 PM, "Greg Mulholland" <greg@xxxxxxxxxxxxxx> spoketh to
all:

 

and don't use ISA 2006!! it's beta.. use 2004..

Greg   Mulholland

 
 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx on behalf   of Egyptian Mind
Sent: Mon 22/05/2006 1:45 AM
To:   isalist@xxxxxxxxxxxxx
Cc:  gen_sib@xxxxxxxxx
Subject:  [isalist] Re: SME LAN and  ISA





1- Install the ISA server after the ADSL router and before the switch.

2- Put two interface cards in the server.

3- Attach one interface to the ADSL router (outside) and the other to
the unmanaged switch (inside).

4- Assign an IP from your local LAN to the inside interface.

5- Assign any IP of the range that is given from the ISP (after the router
NAT) to the outside interface.

6- Make your own rules on the ISA server.

 

BASIC SME NETWORK SETUP

Internet Cloud
 |
 |
ADSL (AZTECH ETHERNET USB) Broadband Router
 DHCP
 |
 |     ________________________________________
 |    |                                        |
 |____| outside interface ( 10.11.1.1/24 )     |   ISA Server
  ____| inside interface ( 192.168.1.1/24 )    |
 |    |________________________________________|
 |
 |______________________
LOCAL AREA NETWORK (Unmanaged Switch)
LAN IP Address 192.168.1.0/24

______________________________

SBS2003-BOX (HP DL3*)                         LINUX-Box (HP DL3*)

AD                                            OpenSource Helpdesk System
DHCP                                          OpenSource Network Monitoring (nagios, nmis)
DNS                                           SMS Pager
Intranet                                      AV (clamWin Free AV)
Accounting
MAILs (Pulled from ISP thru pop3 connector)
CRM
WSUS
AV (clamWin Free AV + AVG)
     


!~`   Yesterday is a   History`  ~!
!~`  Tomorrow is a  Mystery`   ~!
!~` Today is a Gift` ~!
!~`   So we  call it ...............` ~!
!~` Present  .......Simple`  ~!
Mob : +966 50 2953591


 


 
 


  _____  


From: Gene Sibbs <gen_sib@xxxxxxxxx>
Reply-To:    isalist@xxxxxxxxxxxxx
To:   isalist@xxxxxxxxxxxxx
Subject:  [isalist] SME LAN  and  ISA
Date: Sun, 21 May 2006 02:25:59 -0700    (PDT)

 
 
Greetings,

 
 
I have attached a basic LAN setup diagram and I would like to pick your
brains as far as the security is concerned.

My objective is that the In/Outbound traffic must pass thru the ISA box.

Based on the attached design I feel that the security is lacking. I have
downloaded ISA 2006 BETA version...and I want to introduce ISA Server as
a member of the family to beef up security.

How can I make ISA Server 2006 beta play with this basic design, bearing
in mind that I don't have a static IP address from my ISP? My ADSL is
DHCP, obtaining the IP address from the ISP.

I want to run ISA2006 on a separate box completely.

 
 
With many thanks!

 
 
Gene Sibbs

 
 

 
 
 


 

>BASIC SME NETWORK SETUP
>
>Internet Cloud
> |
> |
>ADSL (AZTECH ETHERNET USB) Broadband Router
> DHCP
> |
> |
>_|_____________________________
>LOCAL AREA NETWORK (Unmanaged Switch)
>LAN IP Address 10.11.1.0/24
>
>______________________________
>
>SBS2003-BOX (HP DL3*)                         LINUX-Box (HP DL3*)
>
>AD                                            OpenSource Helpdesk System
>DHCP                                          OpenSource Network Monitoring (nagios, nmis)
>DNS                                           SMS Pager
>Intranet                                      AV (clamWin Free AV)
>Accounting
>MAILs (Pulled from ISP thru pop3 connector)
>CRM
>WSUS
>AV (clamWin Free AV + AVG)
>______________________________
>
>Security is an issue here...
>
 
