RE: SQLSERVE.EXE MSDE instance for ISA 2k4

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 11 Dec 2004 09:48:31 -0800

Yes.
Really.

I'm not quite clear on this statement, though: "Does it means no SQL
server available at ISA2K4 server end in terms of security concern"?

SBS2003 doesn't have ISA (yet) and when it does ship, co-location and
security concerns will be addressed by whole teams of folks that do this
for a living.

If you mean "is there a security concern with MSDE on ISA?", the answer
is "no".  The MSDE instance on ISA is not even listening to the network.
All MSDE logging is done via memory-mapped networking, not physical or
logical devices.
With the default MSDE instance, unless the ISA itself is compromised,
you simply "can't get there from here".
You can't say the same for SQL, which listens on all available adapters
by default.

Combine this with the prevalence of "allow all because I'm too damn lazy
to understand my traffic profile" rules and you have the makings of
a Slammer-like virus victim.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
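
A defender's check for the distinction drawn in the message above (an instance that is not listening on the network versus one bound to all adapters), as an added example that is not part of the original message. It parses `netstat -ano` output and flags non-loopback listeners that sit on the well-known SQL Server ports (TCP 1433 and UDP 1434, which the thread does not state) or belong to a given sqlservr.exe PID; the sample output, PIDs and function names are constructed for illustration.

```python
import ipaddress

# Well-known SQL Server 2000 ports (assumption: not stated in the thread).
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

# Constructed `netstat -ano` output; PIDs 1520 and 2044 stand in for sqlservr.exe.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1069         0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.1:3217          0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.1:1433          10.0.0.50:4120         ESTABLISHED     1520
  UDP    0.0.0.0:1434           *:*                                    1520
  UDP    127.0.0.1:123          *:*                                    960
"""

def parse_netstat(text):
    """Yield (proto, host, port, state, pid) for each socket line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        host, _, port = f[1].rpartition(":")
        state = f[3] if f[0] == "TCP" else ""  # UDP rows have no State column
        try:
            yield f[0], host.strip("[]").split("%")[0], int(port), state, int(f[-1])
        except ValueError:
            continue  # malformed row

def exposed_sql_listeners(text, sql_pids=()):
    """Return network-reachable listeners on SQL ports or owned by sql_pids."""
    findings = []
    for proto, host, port, state, pid in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue  # only listening sockets matter here
        if ipaddress.ip_address(host).is_loopback:
            continue  # loopback-only is not reachable from other hosts
        # The PID match catches named instances on dynamically assigned ports.
        if pid in sql_pids or (proto, port) in SQL_PORTS:
            findings.append((proto, host, port, pid))
    return findings

if __name__ == "__main__":
    for finding in exposed_sql_listeners(SAMPLE, sql_pids={1520, 2044}):
        print("exposed:", finding)
```

An empty result for the sqlservr.exe PIDs matches the "not even listening to the network" state described in the message; the PIDs themselves would come from the process list on the box being checked.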
 
 

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Saturday, December 11, 2004 9:05 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4

http://www.ISAserver.org

Oh...Really, Does it means no SQL server available at
ISA2K4 server end in terms of security concern?
Then what about SBS 2003 plus ISA2K4.
I think I can put it into one basket if port could
be blocked at firewall side like I block access to SQL
server from WAN side.
Moreover, I did upgrade instance of ISA2K4, it works
fine under full version of SQL2000, may I understand
the log is still working under MSDE I/O SQL2000?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Sunday, December 12, 2004 12:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4


No.
Bad.
Unsupported.

DO
NOT
REPLACE
MSDE
WITH
SQL
ON
THE
ISA
SERVER
ITSELF

If you want to replace MSDE with SQL logging, then do it off-box.
The MSDE that's shipped with ISA is "tweaked" to be as secure as
possible.
If you replace it, you open your ISA to potential SQL
vulnerabilities.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 6:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4


Sorry, the mail sent directly from my OE to discussion list always
change mal-coding.

To the question of MSDE instance, my idea/suggestion for best
performance is:
  a) install ISA2K4 bundled with MSDE
  b) upgrade SQL instance "server/msfw" into full version
     of SQL 2000 through SQL2000 server installation
  c) use the same instance for Surfcontrol

Both of ISA2K4 and Surfcontrol is now being managed under SQL2000
server I/O MSDE.

Any comment?

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 10:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4


Who here can read Roy Tsao posts, all I see is gibberish characters
in his messages, can someone translate it??

Regards,
Andrew


-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Saturday, December 11, 2004 12:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SQLSERVE.EXE MSDE instance for ISA 2k4


In cases like this, isn't it better to just run a dedicated instance
of SQL Server (if you got it) which resides on a separate box, OR
have a single instance of MSDE host both Databases?

If I remember correctly, MSDE is just a crippled version of SQL
Server 7.0 - in which concurrent connections are just limited.
Otherwise, it's pretty much the same animal.

In fact, since I have a dedicated super fast SQL Server on my
network, I was hoping to uninstall MSDE on the ISA Box, and redirect
all the Database activity to my SQL Server.  Can this be done -
anybody do this yet?

I don't mean to steal the fire away from your original post, but I
think this sort of parallels what I suggest doing, which goes back to
the question: "why have two instances of MSDE running?".  Use the one
that is working better (the one with less memory consumption), and
host the database on that instance.

I am just throwing out ideas here...

Mike 

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
Sent: Friday, December 10, 2004 5:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] SQLSERVE.EXE MSDE instance for ISA 2k4


Anyone notice the MSDE instance for ISA 2k4 memory increase to over
1gb mem usage?  We host two instances of MSDE on the ISA2k4 machine,
one for Surf Control and the other for ISA2K4.  Surf Control instance
is stable, while the ISA 2k4 instance hogs a lot of memory.  Current
mem usage = 786,004k.  Wait, wait -- 786,012k , 786,528k and growing.


MSDE versions:          SurfControl = 8.00.761
                        ISA2k4      = 8.00.818

Server has 3gb memory
ISA2K4 version = trial

TIA

Have fun!

greg

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network
Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List
as:
mike@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

