[isalist] Re: SME LAN and ISA

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 22 May 2006 09:25:15 -0700

I don't mean this to be as crass as it might sound, but "so what?"  This is
just an example of "policy by fear."  Having a strict policy of "6 months
from publishing" to install software buys you nothing but assumption.  Have
the COOs cited some industry research that points out that most
vulnerabilities in published software are reported and fixed within the
first 6 months?  And how long are other people waiting to install?  What if
others wait 8 months?  Then the 6 month people are still "guinea pigs."  If
you don't know what others are doing, you can't even come up with a term.
Then there is the flip side of things: what about vulnerabilities that exist
in current deployments that are fixed in the new releases?  Think Exchange
2k vs 2k3: there were a few SMTP issues with 2k that could be exploited
anonymously where 2k3 required authentication.  Look at SQL2000 vs 2005.
There are several ways to "leverage" the way SQL2000 works and operates that
flat out don't work on 2005.   Waiting 6 months could dramatically increase
the risk of potential exploitation.

Policies by way of hackneyed logic are worthless.  The solution is to
examine deployments on a product-by-product basis and to make intelligent
decisions from available data, not from some "head in the sand"
my-way-or-the-highway policy.  And I have to say, waiting six months to roll
out XP SP2 was anything but "prudent."  That's just plain dumb.  I am
personally aware of more exploitation of systems post-SP2 (where people
didn't install it) than of any other definitive time frame I know of.
Someone's not doing their job over there...

t


On 5/22/06 12:33 AM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
spoketh to all:

> Just to add some more oil to the fire.
> 
> There are 2 small corporates (200 - 300 employees each) here in Australia that
> I have had an ongoing relationship with for several years, and they both
> have a corporate policy that NO software will go near their production LAN
> until at least 6 months has passed after the official release. To break the
> policy requires the Chief Operating Officer's approval. To date, no matter how
> compelling the argument for an upgrade, neither COO has signed off on an early
> upgrade. Neither company even rolled XP SP2 out across the desktops until it
> had been in the field for 6 months.
> 
> Their approach is "Let some other bunny find the problems".
> 
> Cautious, but very prudent.
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: Monday, 22 May 2006 16:53
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SME LAN and ISA
> 
> I get the point but ultimately you don't know if ISA is or isn't going to break
> in Beta or even behave weirdly, regardless of ISA or Exchange or near
> completion in the life cycle. My boss would tear me a new one if anything
> happened and he knew that I was using Beta. ISA 2006 is beta software and
> hence falls under the Beta "blanket" regardless of its "stance" in the
> security world or record or reputation. Exchange and Bind would be the same;
> just because ye olde version worked well doesn't mean the new one will and I'm
> not about to find that out the hard way. I was always brought up not to do
> testing in a production environment and from the reasons given and ones I have
> seen I do not have enough persuasion to change my mind...
> 
> I think it all depends on whether you think that the steps you take increase
> the chance of risk to YOUR network and for that matter your job. Also whether
> the need for the beta software is great at that point in time, that is to say
> what improvements, security or functionality or otherwise, is a factor in the
> overall decision. For me there has never been a need to rush at beta software
> in my environments (home excluded); all our testing of new products is done in
> a lab environment to ascertain the best way to attack upgrades and assess
> functionality etc etc. So I guess we can differ on this and I suspect the
> gallery will be divided on this one. Might be a good topic for a poll on
> isaserver.org and a lucky prize for one of the voters, remember we used to do
> those!!
> 
> 
> Greg Mulholland
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
> Sent: Mon 22/05/2006 2:32 PM
> To: isalist@xxxxxxxxxxxxx; Glenn P. JOHNSTON
> Subject: [isalist] Re: SME LAN and ISA
> 
> We're talking about someone running it on their own LAN.  Not sure where the
> "board" or "business owner" stuff came in.  I'm not suggesting that a
> professional network/security specialist install beta software on customers'
> production networks.  I'm specifically talking about ISA 2006, as I stated
> earlier.  It's tight.  I run it, I've tested it (and trust me, I'm made aware
> of issues that MSFT sometimes never sees) and I have no problem with someone
> who knows what they are doing running it on their own LAN.  This isn't some
> blanket statement about beta in general:  I said, "Don't listen to Greg.  Use
> ISA2006 all you want (if you know what you are doing.)"
> 
> Comparing "full version public release" to "beta" has absolutely no meaning
> whatsoever unless you know what has been changed between releases.  I
> participate in many different beta programs... and I've seen software go from
> "beta" to "RC" to "RTM" without a single bit being changed.
> 
> If you know what you are doing, and know where the product is in the
> development cycle, and are willing to be responsible for your own decisions in
> regard to ISA 2006, then it is OK to deploy it.   I do this, and am fine with
> it.  And I'm somewhat confident that I won't be looking for another job should
> an issue arise.
> 
> We're professionals here.  Let's not make blanket statements where they are
> not applicable.
> 
> t
> 
> 
> On 5/21/06 6:43 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh
> to all:
> 
>> From what I have seen of ISA2006 on my play LAN, it seems stable, works well
>> and to date, I have found no issues, and while I have not done full speed
>> tests, I have a gut feel that the performance is better.
>> 
>> However, it's got nothing to do with skill set, being comfortable or
>> anything like that.
>> 
>> Purely on principle, I would not put any beta or pre-release software near a
>> production LAN. This comes from 25 years supporting and developing systems
>> in corporate environments.
>> 
>> What about this situation:
>> 
>> There is some small bug / hole in ISA2006 that, as yet, is undetected. It's
>> small, it's new and it's specific to ISA2006, it's obscure, but it's there.
>> 
>> You put ISA2006 on a production LAN, and someone on the internet finds it,
>> finds the bug / hole, makes use of it, and hacks in, and a customer list finds
>> its way onto the internet, or into the hands of a competitor.
>> 
>> There is an investigation, possibly with law enforcement called in, the
>> board finds out there was beta software on their production LAN, you've shot
>> yourself in the foot, you are in an indefensible position.
>> 
>> Unlikely, yes.
>> 
>> Are there any bugs / holes in ISA2006? My suspicion is probably not, but the
>> jury is still out deliberating on that one.
>> 
>> Would it be OK on a production LAN? Probably yes, it will work, and work
>> without issues.
>> 
>> But, if an issue does occur, will any board or business owner support using
>> beta or pre-release on their production system? Not likely; more likely,
>> you're looking for another job. There also could very well be legal issues,
>> where you've exposed yourself to some liability claim.
>> 
>> It's just not a position you want to be in, no matter how sure you are that
>> every 'i' is dotted and 't' crossed, you just don't want to be there in the
>> unlikely event of an issue.
>> 
>> If it's full version public released software, the situation would be a lot
>> different; with beta, you're done like a dinner.
>> 
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Monday, 22 May 2006 10:59
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: SME LAN and ISA
>> 
>> People who know what they are doing.   If you are not comfortable with your
>> skillset, then don't do it.  But since you question our sanity, that means
>> that you just know something we don't.  Please give us a list of your
>> specific issues with ISA2006 and the security vulnerabilities you have
>> discovered.
>> 
>> t
>> 
>> 
>> On 5/21/06 5:50 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh
>> to all:
>> 
>> 
>>> Who in their right mind would use a product beta on a production LAN ????
>>> 
>>> We have enough problems with the day to day stuff, and users, and business
>>> needs, and.........
>>> 
>>> Why make extra problems of our own making!
>>> 
>>> 
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Thor (Hammer of God)
>>> Sent: Monday, 22 May 2006 08:02
>>> To: isalist@xxxxxxxxxxxxx; Greg Mulholland
>>> Subject: [isalist] Re: SME LAN and ISA
>>> 
>>> Don't listen to Greg.  Use ISA2006 all you want (if you know what you are
>>> doing.)
>>> 
>>> t
>>> 
>>> 
>>> On 5/21/06 2:21 PM, "Greg Mulholland" <greg@xxxxxxxxxxxxxx> spoketh to
>>> all:
>>> 
>>> 
>>>> and don't use ISA 2006!! It's beta.. use 2004..
>>>> 
>>>> Greg Mulholland
>>>> 
>>>> 
>>>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Egyptian Mind
>>>> Sent: Mon 22/05/2006 1:45 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Cc: gen_sib@xxxxxxxxx
>>>> Subject: [isalist] Re: SME LAN and ISA
>>>> 
>>>> http://www.ISAserver.org
>>>> -------------------------------------------------------
>>>> 
>>>> 1- install the ISA server after the ADSL router and before the switch.
>>>> 
>>>> 2- put two interface cards in the server
>>>> 
>>>> 3- attach one interface to the ADSL router (outside) and the other
>>>> to the unmanaged switch (inside)
>>>> 
>>>> 4- assign an IP from your local LAN to the inside interface
>>>> 
>>>> 5- assign any IP of the range that is given from the ISP (after the router
>>>> NAT) to the outside interface
>>>> 
>>>> 6- make your own rules on the ISA server
>>>> 
>>>> 
>>>> BASIC SME NETWORK SETUP
>>>> 
>>>> Internet Cloud
>>>>  |
>>>>  |
>>>>  |
>>>> ADSL (AZTECH ETHERNET USB) Broadband Router
>>>>  DHCP
>>>>  |      ___________________________________
>>>>  |     |                                   |
>>>>  |_____| outside interface (10.11.1.1/24)  |  ISA Server
>>>>   _____| inside interface (192.168.1.1/24) |
>>>>  |     |___________________________________|
>>>>  |
>>>>  |______________________
>>>> LOCAL AREA NETWORK (Unmanaged Switch)
>>>> LAN IP Address 192.168.1.0/24
>>>> 
>>>> ______________________________
>>>> 
>>>> SBS2003-BOX (HP DL3*)                        LINUX-Box (HP DL3*)
>>>> 
>>>> AD                                           OpenSource Helpdesk System
>>>> DHCP                                         OpenSource Network Monitoring (nagios, nmis)
>>>> DNS                                          SMS Pager
>>>> Intranet                                     AV (clamWin Free AV)
>>>> Accounting
>>>> MAILs (Pulled from ISP thru pop3 connector)
>>>> CRM
>>>> WSUS
>>>> AV (clamWin Free AV + AVG)
>>>> 
>>>> 
>>>> !~` Yesterday is a History` ~!
>>>> !~` Tomorrow is a Mystery` ~!
>>>> !~` Today is a Gift` ~!
>>>> !~` So we call it ...............` ~!
>>>> !~` Present .......Simple` ~!
>>>> Mob : +966 50 2953591
>>>> 
>>>> 
>>>> 
>>>>> 
>>>>> From: Gene Sibbs <gen_sib@xxxxxxxxx>
>>>>> Reply-To: isalist@xxxxxxxxxxxxx
>>>>> To: isalist@xxxxxxxxxxxxx
>>>>> Subject: [isalist] SME LAN and ISA
>>>>> Date: Sun, 21 May 2006 02:25:59 -0700 (PDT)
>>>>> 
>>>>> Greetings,
>>>>> 
>>>>> I have attached a basic LAN setup diagram and I would like to pick
>>>>> your brains as far as the security is concerned.
>>>>> 
>>>>> My objective is that the In/Outbound traffic must pass thru the ISA box.
>>>>> 
>>>>> Based on the attached design I feel that the security is lacking. I
>>>>> have downloaded the ISA 2006 BETA version...and I want to introduce ISA
>>>>> Server as a member of the family to beef-up security.
>>>>> 
>>>>> How can I make ISA Server 2006 beta play with this basic design,
>>>>> bearing in mind that I don't have a static IP address from my ISP. My
>>>>> ADSL is DHCP, obtaining the IP address from the ISP.
>>>>> 
>>>>> I want to run ISA2006 on a separate box completely.
>>>>> 
>>>>> With many thanks!
>>>>> 
>>>>> Gene Sibbs
>>>>> 
>>>>>> >BASIC SME NETWORK SETUP
>>>>>> >
>>>>>> >Internet Cloud
>>>>>> > |
>>>>>> > |
>>>>>> > |
>>>>>> >ADSL (AZTECH ETHERNET USB) Broadband Router
>>>>>> > DHCP
>>>>>> > |
>>>>>> > |
>>>>>> >________|______________________
>>>>>> >LOCAL AREA NETWORK (Unmanaged Switch)
>>>>>> >LAN IP Address 10.11.1.0/24
>>>>>> >
>>>>>> >______________________________
>>>>>> >
>>>>>> >SBS2003-BOX (HP DL3*)                        LINUX-Box (HP DL3*)
>>>>>> >
>>>>>> >AD                                           OpenSource Helpdesk System
>>>>>> >DHCP                                         OpenSource Network Monitoring (nagios, nmis)
>>>>>> >DNS                                          SMS Pager
>>>>>> >Intranet                                     AV (clamWin Free AV)
>>>>>> >Accounting
>>>>>> >MAILs (Pulled from ISP thru pop3 connector)
>>>>>> >CRM
>>>>>> >WSUS
>>>>>> >AV (clamWin Free AV + AVG)
>>>>>> >______________________________
>>>>>> >
>>>>>> >Security is an issue here...
>>>>>> >
>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 


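The six-step recipe quoted above (ISA between the ADSL router and the unmanaged switch, one NIC on the router side and one on the LAN side, the LAN renumbered from 10.11.1.0/24 to 192.168.1.0/24) is easy to get subtly wrong: if the LAN keeps the router's prefix, or the hosts keep the router as their default gateway, the ISA box is on the wire but not in the path, and Gene's stated objective (all in/outbound traffic passes through ISA) is silently not met. The script below is an added example, not code from this thread or from any of the posters; it encodes those steps as checks over an addressing plan so the plan can be validated before anything is re-cabled. Only the two ISA interface addresses and the LAN prefix come from the diagram; the router's LAN-side address (10.11.1.254), the host addresses and the gateway settings are made-up values for the example.

```python
"""Consistency checks for the dual-homed ISA placement described in the thread.

Added example, not code from the thread or any of its authors. The two ISA
addresses and the LAN prefix come from the diagram; the router's LAN address,
the host addresses and the gateway settings are assumptions for the example.
"""
from ipaddress import ip_address, ip_interface, ip_network


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent.

    plan = {
        "router_lan": "10.11.1.254",      # ADSL router, LAN side (assumed)
        "outside":    "10.11.1.1/24",     # ISA external NIC (from diagram)
        "inside":     "192.168.1.1/24",   # ISA internal NIC (from diagram)
        "lan":        "192.168.1.0/24",   # LAN prefix (from diagram)
        "hosts":      {"name": ("address", "default_gateway"), ...},
    }
    """
    findings = []
    router = ip_address(plan["router_lan"])
    outside = ip_interface(plan["outside"])
    inside = ip_interface(plan["inside"])
    lan = ip_network(plan["lan"])

    # Steps 1-3: ISA must straddle two distinct segments. If the LAN keeps the
    # router's prefix, both NICs land on one broadcast domain and the box can
    # no longer tell inbound from outbound traffic.
    if outside.network.overlaps(inside.network):
        findings.append(
            f"outside {outside.network} overlaps inside {inside.network}; "
            "renumber the LAN so ISA sits between two separate subnets")

    # Step 5: the outside NIC lives in the router's private range (the router
    # NATs, so the ISP's dynamic address never reaches ISA) and must not
    # duplicate the router's own address.
    if router not in outside.network:
        findings.append(
            f"router {router} is not in the outside subnet {outside.network}")
    if router == outside.ip:
        findings.append(f"outside address {outside.ip} collides with the router")

    # Step 4: the inside NIC carries a LAN address and is the only way out of
    # the LAN, so every host's default gateway must be that address.
    if inside.ip not in lan:
        findings.append(f"inside address {inside.ip} is not in LAN {lan}")

    seen = {inside.ip}
    for name, (addr, gw) in plan["hosts"].items():
        host = ip_address(addr)
        gateway = ip_address(gw)
        if host in seen:
            findings.append(f"{name}: address {host} is already in use")
        seen.add(host)
        if host in outside.network:
            findings.append(
                f"{name}: address {host} is on the outside segment and bypasses ISA")
        elif host not in lan:
            findings.append(f"{name}: address {host} is not in LAN {lan}")
        if gateway != inside.ip:
            findings.append(
                f"{name}: default gateway {gateway} is not the ISA inside "
                f"address {inside.ip}; traffic would not pass through ISA")
    return findings


# Constructed sample: the diagram's addressing plus assumed router/host values.
PLAN_FROM_DIAGRAM = {
    "router_lan": "10.11.1.254",
    "outside": "10.11.1.1/24",
    "inside": "192.168.1.1/24",
    "lan": "192.168.1.0/24",
    "hosts": {
        "SBS2003-BOX": ("192.168.1.10", "192.168.1.1"),
        "LINUX-Box": ("192.168.1.11", "192.168.1.1"),
    },
}

# Constructed counter-example: the LAN kept its original 10.11.1.0/24 prefix
# and the hosts still point at the router, so ISA is on the wire but not in
# the path.
PLAN_LAN_NOT_RENUMBERED = {
    "router_lan": "10.11.1.254",
    "outside": "10.11.1.1/24",
    "inside": "10.11.1.2/24",
    "lan": "10.11.1.0/24",
    "hosts": {
        "SBS2003-BOX": ("10.11.1.10", "10.11.1.254"),
        "LINUX-Box": ("10.11.1.11", "10.11.1.254"),
    },
}

if __name__ == "__main__":
    for label, plan in (("diagram", PLAN_FROM_DIAGRAM),
                        ("not renumbered", PLAN_LAN_NOT_RENUMBERED)):
        problems = check_plan(plan)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The counter-example is the failure mode worth remembering from this thread: with the old 10.11.1.0/24 LAN left in place, every host is on the same segment as ISA's outside leg and still routes through the router, so the firewall inspects nothing. The SBS box hands out DHCP on the LAN, so its scope has to give 192.168.1.1 as the router option once the renumbering is done.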