securing Interfaces on ISA

  • From: Glenn Maks <gmaks@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 3 Dec 2003 09:45:57 -0500

Allow me to bounce this off the discussion group. My ISA Server has 3
network interface cards: one connecting the Internet, one connecting my
Perimeter Network (DMZ) and the other connecting my inside private network.
My LAT has 2 subnet entries, one defining my private network and the other
defining my DMZ. I have noticed that when I publish services from servers on
my DMZ, for example FTP, I can also access this FTP Server from my private
network; this to me is a huge security risk. I have contacted Microsoft
about this and their suggestion is to remove the DMZ definition from the
LAT, so that ISA will not view this subnet as a private or inside subnet.
When I go to remove the DMZ LAT definition, ISA complains because one or
more of the publishing rules use one or more of the IP addresses defined in
my DMZ LAT definition. The only way I can get around this is to delete all
my server publishing rules and replace them with Packet Filters. I attempted
this the other evening after hours and found that the packet filters I
created to replace the Server Publishing Rules did not work, for example my DNS
services. I restored the ISA configuration and rebooted, crossed my fingers,
and things did come back, but I am still faced with services crossing
between my Perimeter Network and my Private Network. I should be able to
secure each interface and create access policies for whatever service I wish
to span my Perimeter Network and my Private Network. This seems to be
challenging, and I was wondering how other implementations of ISA using a
3 Network Interface Card design have solved this problem.


   Thank U
     Glenn
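The post describes a three-NIC ISA Server 2000 layout where the DMZ subnet sits in the LAT, so ISA treats DMZ hosts as internal and does not police traffic between the private network and the DMZ, while removing the DMZ from the LAT is blocked by publishing rules that reference DMZ addresses. The following script is an added example, not from the original post or from ISA Server; it models that behaviour under a stated assumption (any address in the LAT is "internal", and LAT-to-LAT flows are routed without consulting publishing rules or packet filters) and lints a constructed configuration for the two problems the poster ran into. The subnet values, rule names and function names are all constructed for illustration.

```python
"""Constructed model of an ISA Server 2000 three-NIC layout (assumption, not ISA's own logic)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class PublishingRule:
    """A server publishing rule; ISA requires the published host to be inside the LAT."""
    name: str
    internal_server: str
    port: int


# Constructed sample: RFC 1918 ranges standing in for the post's private network and DMZ.
LAT: Dict[str, IPNet] = {
    "private": IPNet("192.168.1.0/24"),
    "dmz": IPNet("10.0.0.0/24"),
}

# Constructed sample rules; the FTP and DNS servers live in the DMZ, the intranet host inside.
RULES: List[PublishingRule] = [
    PublishingRule("Publish FTP", "10.0.0.21", 21),
    PublishingRule("Publish DNS", "10.0.0.53", 53),
    PublishingRule("Publish Intranet", "192.168.1.80", 80),
]


def in_lat(lat: Dict[str, IPNet], addr: str) -> bool:
    """True if the address falls inside any LAT entry (i.e. ISA considers it internal)."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in lat.values())


def classify_flow(lat: Dict[str, IPNet], src: str, dst: str) -> str:
    """Assumed ISA 2000 behaviour: if both ends are in the LAT the flow is 'internal' and is
    routed without any publishing rule or packet filter being consulted; any other combination
    crosses the trust boundary and policy applies."""
    s, d = in_lat(lat, src), in_lat(lat, dst)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def rules_blocking_removal(lat: Dict[str, IPNet], entry: str, rules: List[PublishingRule]) -> List[str]:
    """Names of publishing rules whose published host lies in the LAT entry, which is why ISA
    refuses to delete that entry (as the post reports)."""
    net = lat[entry]
    return [r.name for r in rules if ipaddress.IPv4Address(r.internal_server) in net]


def audit(lat: Dict[str, IPNet], rules: List[PublishingRule], dmz_entry: str,
          probe_src: str, probe_dst: str) -> List[str]:
    """Report (1) whether a DMZ subnet is in the LAT, using a probe flow from the private
    network to a DMZ host, and (2) which publishing rules must be recreated before that LAT
    entry can be removed."""
    findings: List[str] = []
    if dmz_entry not in lat:
        return findings
    kind = classify_flow(lat, probe_src, probe_dst)
    if kind == "internal":
        findings.append(
            f"LAT entry '{dmz_entry}' ({lat[dmz_entry]}) is treated as internal: "
            f"{probe_src} -> {probe_dst} is '{kind}' and bypasses firewall policy")
    blockers = rules_blocking_removal(lat, dmz_entry, rules)
    if blockers:
        findings.append(
            f"removing '{dmz_entry}' from the LAT is blocked by publishing rules: "
            + ", ".join(blockers))
    return findings


if __name__ == "__main__":
    for line in audit(LAT, RULES, "dmz", "192.168.1.10", "10.0.0.21"):
        print(line)
    # Same probe once the DMZ entry is gone from the LAT: the flow now crosses the boundary.
    trimmed = {k: v for k, v in LAT.items() if k != "dmz"}
    print("after removal:", classify_flow(trimmed, "192.168.1.10", "10.0.0.21"))
```

Running the audit against the constructed LAT prints both findings: the private-to-DMZ FTP flow is classified as internal (so it is never evaluated against policy, matching what the poster observed), and the FTP and DNS publishing rules pin the DMZ subnet in the LAT. Rerunning the classification with the DMZ entry removed shows the same flow becoming an outbound crossing that ISA would subject to policy, which is the state Microsoft's suggestion aims for.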


