[isalist] Re: SME LAN and ISA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 22 May 2006 12:53:38 -0500

"Someone's not doing his (or her) job over there"
 
Remember, agreement in number. The PC police got you!
 
;)
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, May 22, 2006 11:25 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: SME LAN and ISA
        
        
        I don't mean this to be as crass as it might sound, but "so
what?"  This is just an example of "policy by fear." Having a strict
policy of "6 months from publishing" to install software buys you
nothing but assumption.  Have the COO's cited some industry research
that points out that most vulnerabilities in published software are
reported and fixed within the first 6 months?  And how long are other
people waiting to install?  What if others wait 8 months?  Then the 6
month people are still "guinea pigs."  If you don't know what others are
doing, you can't even come up with a term.  Then there is the flip side
of things- what about vulnerabilities that exist in current deployments
that are fixed in the new releases?  Think Exchange 2k vs 2k3- there
were a few SMTP issues with 2k that could be exploited anonymously where
2k3 required authentication.  Look at SQL2000 vs 2005.   There are
several ways to "leverage" the way SQL2000 works and operates that flat
out don't work on 2005.   Waiting 6 months could dramatically increase
the risk of potential exploitation.  
        
        Policies by way of hackneyed logic are worthless.  The solution
is to examine deployments on a product-by-product basis and to make
intelligent decisions from available data, not from some "head in the
sand" my-way-or-the-highway policy.  And I have to say, waiting six
months to roll out XP SP2 was anything but "prudent."  That's just plain
dumb. I am personally aware of more exploitation of systems post-SP2
(where people didn't install it) than of any other definitive time frame
I know of.   Someone's not doing there job over there...
        
        t
        
        
        On 5/22/06 12:33 AM, "Glenn P. JOHNSTON"
<glenn.johnston@xxxxxxxxxxx> spoketh to all:
        
        

                Just to add some more oil to the fire.
                
                There are 2 small corporates (200 - 300 employees each)
here in Australia that I have had an ongoing relationship with for
several years, and they both have a corporate policy that NO software
will go near their production LAN until at least 6 months has passed
after the official release. To break the policy requires the Chief
Operating Officer's approval. To date, no matter how compelling the
argument for an upgrade, neither COO has signed off on an early upgrade.
Neither company even rolled XP SP2 out across the desktops until it had
been in the field for 6 months.
                
                Their approach is "Let some other bunny find the
problems".
                
                Cautious, but very prudent.
                
                
________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
                Sent: Monday, 22 May 2006 16:53
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: SME LAN and ISA
                
                I get the point, but ultimately you don't know if ISA is
or isn't going to break in Beta or even behave weirdly, regardless of ISA
or Exchange or near completion in the life cycle. My boss would tear me
a new one if anything happened and he knew that I was using Beta. ISA
2006 is beta software and hence falls under the Beta "blanket"
regardless of its "stance" in the security world or record or
reputation. Exchange and Bind would be the same; just because ye olde
version worked well doesn't mean the new one will, and I'm not about to
find that out the hard way. I was always brought up not to do testing in
a production environment, and from the reasons given and ones I have seen
I do not have enough persuasion to change my mind...
                
                I think it all depends on whether you think that the
steps you take increase the chance of risk to YOUR network and, for that
matter, your job. Also whether the need for the beta software is great at
that point in time, that is to say what improvements, security or
functionality or otherwise, is a factor in the overall decision. For me
there has never been a need to rush at beta software in my environments
(home excluded); all our testing of new products is done in a lab
environment to ascertain the best way to attack upgrades and assess
functionality etc etc. So I guess we can differ on this and I suspect
the gallery will be divided on this one. Might be a good topic for a
poll on isaserver.org and a lucky prize for one of the voters; remember we
used to do those!!
                
                 
                Greg Mulholland
                
                
________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor
(Hammer of God)
                Sent: Mon 22/05/2006 2:32 PM
                To: isalist@xxxxxxxxxxxxx; Glenn P. JOHNSTON
                Subject: [isalist] Re: SME LAN and ISA
                
                We're talking about someone running it on their own LAN.
Not sure where the "board" or "business owner" stuff came in.  I'm not
suggesting that a professional network/security specialist install beta
software on customer's production networks.  I'm specifically talking
about ISA 2006, as I stated earlier.  It's tight.  I run it, I've tested
it (and trust me, I'm made aware of issues that MSFT sometimes never
sees) and I have no problem with someone who knows what they are doing
running it on their own LAN.  This isn't some blanket statement about
beta in general:  I said, "Don't listen to Greg.  Use ISA2006  all you
want (if you know what you are doing.)"
                
                Comparing "full version public release" to "beta" has
absolutely no meaning whatsoever unless you know what has been changed
between releases.  I participate in many different beta programs- and
I've seen software go from "beta" to "RC" to "RTM" without a single bit
being changed.  
                
                If you know what you are doing, and know where the
product is in the development cycle, and are willing to be responsible
for your own decisions in regard to ISA 2006, then it is OK to deploy it.
I do this, and am fine with it.  And I'm somewhat confident that I won't
be looking for another job should an issue arise. 
                
                We're professionals here.  Let's not make blanket
statements where they are not applicable.
                
                t
                
                
                On 5/21/06 6:43 PM, "Glenn P. JOHNSTON"
<glenn.johnston@xxxxxxxxxxx> spoketh to all:
                
                

                        From what I have seen of ISA2006 on my play LAN,
it seems stable, works well and to date I have found no issues, and
while I have not done full speed tests, I have a gut feel that the
performance is better.
                        
                        However, it's got nothing to do with skill set,
being comfortable or anything like that.
                        
                        Purely on principle, I would not put any beta
or pre-release software near a production LAN. This comes from 25 years
supporting and developing systems in corporate environments.
                        
                        What about this situation:
                        
                        There is some small bug / hole in ISA2006 that,
as yet, is undetected; it's small, it's new and it's specific to
ISA2006, it's obscure, but it's there.
                        
                        You put ISA2006 on a production LAN, and someone
on the internet finds it, finds the bug / hole, makes use of it,
and hacks in, and a customer list finds its way onto the internet, or into
the hands of a competitor.
                        
                        There is an investigation, possibly with law
enforcement called in, the board finds out there was beta software on
their production LAN, you've shot yourself in the foot, you are in an
indefensible position.
                        
                        Unlikely, yes.
                        
                        Are there any bugs / holes in ISA2006? My
suspicion is probably not, but the jury is still out deliberating on
that one.
                        
                        Would it be OK on a production LAN? Probably
yes, it will work, and work without issues.
                        
                        But, if an issue does occur, will any board or
business owner support using beta or pre-release on their production
system? Not likely; more likely, you're looking for another job. There
also could very well be legal issues, where you've exposed yourself to
some liability claim.
                        
                        It's just not a position you want to be in, no
matter how sure you are that every 'i' is dotted and 't' crossed; you
just don't want to be there in the unlikely event of an issue.
                        
                        If it's full version public released software,
the situation would be a lot different; with beta, you're done like a
dinner.
                        
                         
                        
________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]  On Behalf Of Thor (Hammer of God)
                        Sent: Monday, 22 May 2006  10:59
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: SME  LAN and ISA
                        
                        People who know what they are doing.   If you
are not comfortable with your skillset, then don't do it.  But since
you question our sanity, that means that you just know something we
don't.  Please give us a list of your specific issues with ISA2006 and
the security vulnerabilities you have discovered.
                        
                        t
                        
                        
                        On 5/21/06 5:50 PM, "Glenn P. JOHNSTON"
<glenn.johnston@xxxxxxxxxxx> spoketh to all:
                        
                         
                        

                                Who in their right mind would use a
product beta on a production LAN ????
                                
                                We have enough problems with the day to
day stuff, and users, and business needs, and.........
                                
                                Why make extra problems of our own
making!
                                
                                 
                                 
                                
________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]   On Behalf Of Thor (Hammer of
God)
                                Sent: Monday, 22  May 2006  08:02
                                To: isalist@xxxxxxxxxxxxx; Greg
Mulholland
                                Subject:  [isalist] Re: SME LAN and  ISA
                                
                                Don't listen to Greg.  Use ISA2006 all
you want (if you know what you are doing.)
                                
                                t
                                
                                
                                On  5/21/06 2:21 PM, "Greg Mulholland"
<greg@xxxxxxxxxxxxxx> spoketh to   all:
                                
                                 
                                 
                                

                                and don't use ISA 2006!! It's beta..
use 2004..
                                
                                Greg    Mulholland
                                
                                 
                                 
                                 
                                
________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx on
behalf   of Egyptian Mind
                                Sent: Mon 22/05/2006 1:45  AM
                                To:   isalist@xxxxxxxxxxxxx
                                Cc:   gen_sib@xxxxxxxxx
                                Subject:  [isalist] Re: SME LAN and
ISA
                                
                                http://www.ISAserver.org
-------------------------------------------------------   
                                
                                
                                
                                
                                1- Install the ISA server after the
ADSL router and before the switch.
                                
                                2- Put two interface cards in the
server.
                                
                                3- Attach one interface to the ADSL
router (outside) and the other to the unmanaged switch (inside).
                                
                                4- Assign an IP from your local LAN to
the inside interface.
                                
                                5- Assign any IP of the range given by
the ISP (after the router NAT) to the outside interface.
                                
                                6- Make your own rules on the ISA
server.
                                
                                 
                                
                                BASIC SME NETWORK SETUP
                                
                                Internet Cloud
                                 |
                                 |
                                ADSL (AZTECH ETHERNET USB) Broadband Router
                                 DHCP
                                 |       _____________________________
                                 |      |                             |
                                 |___outside interface (10.11.1.1/24) |  ISA Server
                                  ___inside interface (192.168.1.1/24)|
                                 |      |_____________________________|
                                 |
                                 |______________________
                                LOCAL AREA NETWORK (Unmanaged Switch)
                                LAN IP Address 192.168.1.0/24
                                
                                ______________________________
                                
                                SBS2003-BOX (HP DL3*)        LINUX-Box (HP DL3*)
                                AD                           OpenSource Helpdesk System
                                DHCP                         OpenSource Network Monitoring (nagios, nmis)
                                DNS                          SMS Pager
                                Intranet                     AV (clamWin Free AV)
                                Accounting
                                MAILs (Pulled from ISP thru pop3 connector)
                                CRM
                                WSUS
                                AV (clamWin Free AV + AVG)
                                

                                
                                !~` Yesterday is a History` ~!
                                !~` Tomorrow is a Mystery` ~!
                                !~` Today is a Gift` ~!
                                !~` So we call it ...............` ~!
                                !~` Present .......Simple` ~!
                                Mob : +966 50 2953591
                                
________________________________

                                From: Gene Sibbs <gen_sib@xxxxxxxxx>
                                Reply-To:     isalist@xxxxxxxxxxxxx
                                To:    isalist@xxxxxxxxxxxxx
                                Subject:  [isalist]  SME LAN  and  ISA
                                Date: Sun, 21 May 2006 02:25:59  -0700
(PDT)
                                
                                 
                                 
                                Greetings,
                                
                                 
                                 
                                I have attached a basic LAN setup
diagram and I would like to pick your brains as far as the security
is concerned.
                                
                                My objective is that the In/Outbound
traffic must pass thru the ISA box.
                                
                                Based on the attached design I feel
that the security is lacking. I have downloaded the ISA 2006 BETA
version...and I want to introduce ISA Server as a member of the
family to beef-up security.
                                
                                How can I make ISA Server 2006 beta
play with this basic design, bearing in mind that I don't have a
static IP address from my ISP. My ADSL is DHCP, obtaining the IP
address from the ISP.
                                
                                I want to run ISA2006 on a separate
box completely.
                                
                                With many thanks!
                                
                                 
                                 
                                Gene Sibbs
                                
                                 
                                 
                                
                                 
                                 
                                 
                                 
                                
                                >BASIC SME NETWORK SETUP
                                >
                                >Internet Cloud
                                > |
                                > |
                                >ADSL (AZTECH ETHERNET USB) Broadband Router
                                > DHCP
                                > |
                                > |
                                >________|______________________
                                >LOCAL AREA NETWORK (Unmanaged Switch)
                                >LAN IP Address 10.11.1.0/24
                                >
                                >______________________________
                                >
                                >SBS2003-BOX (HP DL3*)        LINUX-Box (HP DL3*)
                                >AD                           OpenSource Helpdesk System
                                >DHCP                         OpenSource Network Monitoring (nagios, nmis)
                                >DNS                          SMS Pager
                                >Intranet                     AV (clamWin Free AV)
                                >Accounting
                                >MAILs (Pulled from ISP thru pop3 connector)
                                >CRM
                                >WSUS
                                >AV (clamWin Free AV + AVG)
                                >______________________________
                                >
                                >Security is an issue here...
                                >
                                
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
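The six numbered steps in Egyptian Mind's reply further up the thread slot a two-NIC ISA box between the ADSL router and the unmanaged switch, with the outside interface on 10.11.1.1/24, the inside interface on 192.168.1.1/24 and the LAN renumbered from 10.11.1.0/24 to 192.168.1.0/24. The check below is an added example and is not code from any poster in the thread or from ISA Server itself; it uses Python's standard ipaddress module to validate such an addressing plan before the rules in step 6 are written, and in particular catches the case where the old LAN prefix is kept on the inside so that both interfaces overlap. The function name check_dual_homed_plan and the second, deliberately broken plan in the demo are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges. With the ADSL router doing NAT, both ISA
# interfaces in the thread's design are expected to fall inside these.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def check_dual_homed_plan(outside_if: str, inside_if: str, lan: str) -> list:
    """Validate the addressing of a two-NIC firewall placed between an
    ADSL router and an unmanaged switch (hypothetical helper, not ISA's API).

    outside_if / inside_if: interface address with prefix, e.g. "10.11.1.1/24"
    lan: the network the inside interface fronts, e.g. "192.168.1.0/24"
    Returns a list of findings; an empty list means the plan is consistent.
    """
    findings = []
    out_if = ipaddress.ip_interface(outside_if)
    in_if = ipaddress.ip_interface(inside_if)
    lan_net = ipaddress.ip_network(lan, strict=False)

    # Two NICs on overlapping prefixes give the host two routes to the same
    # destinations, so nothing is cleanly "outside" or "inside" any more.
    if out_if.network.overlaps(in_if.network):
        findings.append(
            f"outside {out_if.network} overlaps inside {in_if.network}")

    # The inside address is the gateway the LAN hosts (and the SBS DHCP
    # scope) will point at, so it must live in the LAN with the same mask.
    if in_if.ip not in lan_net:
        findings.append(f"inside address {in_if.ip} is not in LAN {lan_net}")
    elif in_if.network != lan_net:
        findings.append(
            f"inside prefix {in_if.network} disagrees with LAN {lan_net}")

    # The LAN must not overlap the router-side segment either. Keeping the
    # original 10.11.1.0/24 LAN while the outside NIC also sits on
    # 10.11.1.0/24 is the classic mistake when a firewall is inserted into
    # a previously flat network.
    if lan_net.overlaps(out_if.network):
        findings.append(
            f"LAN {lan_net} overlaps outside segment {out_if.network}")

    for label, iface in (("outside", out_if), ("inside", in_if)):
        net = iface.network
        # Network and broadcast addresses cannot be assigned to a NIC.
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{label} address {iface.ip} is the network or "
                            f"broadcast address of {net}")
        # NAT on the router implies private addressing on both sides.
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{label} prefix {net} is not RFC 1918 space")
    return findings


if __name__ == "__main__":
    # First plan: the one proposed in the thread. Second plan (constructed):
    # the LAN left on its old 10.11.1.0/24 prefix behind the new inside NIC.
    for plan in (("10.11.1.1/24", "192.168.1.1/24", "192.168.1.0/24"),
                 ("10.11.1.1/24", "10.11.1.254/24", "10.11.1.0/24")):
        print(plan, check_dual_homed_plan(*plan) or "OK")
```

Run it once with the intended plan and once with whatever the switch side is actually numbered today; the findings list is empty only when the renumbering in the diagram has really happened on the LAN, which is worth confirming before the box goes inline.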
                                
                                

                                
                                
                                

                        
                        
                        

                
                
                

        
        
