Um.. Would you mind throwing another one in my direction? ;)

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Posted At: Wednesday, December 03, 2003 10:23 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: securing Interfaces on ISA
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Here ya go ;-) (duck again)
>
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 1:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> <ducks head in shame and abject fear>
> I never got mine...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 11:16
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hey guys,
>
> In fact, I believe there is an entire FAT chapter on this subject in ISA Server and Beyond ;-)
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> They must be created in RRAS (or IPSec, if you're so inclined).
> ISA exercises no control over LAT traffic, even if it's routed through the ISA machine itself.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 09:02
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hello Jim - Let me see if I understand you: are you saying that I need to create IP packet filters inside of RRAS to block services between my DMZ (192.168.10.0/24) segment and my private (172.19.4.0/22) segment? Do I create these filters using RRAS, or can I create filters under Access Policies and IP Packet Filters in ISA?
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:53 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> As Tom pointed out, you have to enlist the aid of RRAS IP filtering or IPSec filtering between the two LAT segments if you want to restrict access to/from the DMZ to the remainder of the LAT.
>
> ISA does not provide access controls within the LAT.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 08:45
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> For me to change my DMZ IP addresses would be a HUGE task, one that I am not willing to do; it will impact too many things. You speak about using RRAS packet filters? Could I not create packet filters inside ISA Management? Or are you suggesting that I need to create packet filters using RRAS services? It is worth noting that I am also using RRAS to connect all my branch offices using L2TP with certificates, and I can tell you this: RRAS is NOT that stable. I am constantly monitoring all my connection states because RRAS seems to have a mind of its own; if it feels like connecting it will, if not, forget about it. I have all the right static routes that define all my other branch office subnets, and sometimes when I go to diagnose connection issues using pathping, tracert or any other utility like that, RRAS seems to want to route packets out the Internet interface rather than the correct tunnel end point. It makes no sense. I am ready to pull the plug on RRAS and go with a Nortel VPN solution, but the problem is my company is cheap and they will not spend the money to put a more reliable and stable VPN solution in, so I am stuck with RRAS. I am not too happy.
>
> I at one time also liked ISA, until I started working more in depth with it. I am NOT ready to rip ISA out as my security platform yet, but it seems to me that the simplest of security features that are found in other firewalls, ISA simply won't support unless you reconfigure your entire IP scheme. My old Raptor firewall, for as old as it is, does not care if I am running a reserved IP address range for my DMZ; I was still able to secure each and every interface and allow services to pass from one interface to another just by creating access policies. This seems very difficult with ISA; in fact, ISA allows it, and had I not tested service requests from my DMZ to my private interface I would have assumed I was safe. And why can't I allow or deny using protocol rules? It seems I have to create and use all packet filters now. Protocol rules only address client sets, and the content filtering only supports HTTP; suppose I have other services like database services I want to control between my DMZ and private network.
>
> Is this the only solution? Packet filters? It seems so.
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hi Glenn,
>
> You must use a subnet of your public block for the DMZ, unless you want to create a LAT-based DMZ using RRAS packet filters and/or IPSec policy.
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 10:02 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> Importance: High
>
> http://www.ISAserver.org
>
> Sure Jim, here is a better explanation - My ISA Server has 3 interfaces: the public interface is 64.80.200.0/24, my DMZ subnet is 192.168.10.0/24 and my private segment is 172.19.4.0/22. I have both my private and DMZ address ranges defined in my LAT; this I understand allows ISA to view these interfaces as internal interfaces. I have several services published on different servers on my DMZ for Internet customers, services like FTP and HTTP. When I publish these services to the Internet everything works well, except I noticed that I can open Microsoft IE from any server on the DMZ and plug in a known 172.19.4.0 IP address that I know is running IIS and I get IIS responses. I can also log in to my DMZ FTP server from my 172.19.4.0/22 network, and I have NOT created any access policies to allow this to happen. I should be able to SECURE each and every interface and allow or deny any service that I wish; just because I publish services on my DMZ for Internet clients does not mean that I wish my private network access to these same services. Besides, if HTTP and FTP span the DMZ and private network, that to me is a security risk, unless of course I allow it? Any suggestions? I was told to REMOVE the DMZ definition from the LAT and replace all my publishing RULES with PACKET FILTERS. I also have my SOA DNS server published on my DMZ as well, so that would mean I would need to replace that publishing rule as well. I attempted this last night and my DNS server stopped working, so I restored my ISA configuration and now I am back to square one.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: gmaks@xxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
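The fix Jim and Tom point to in the thread (ISA Server 2000 applies no access policy between two LAT segments, so the filtering has to be done by RRAS on the ISA box), as an added example that is not from the thread and not taken from any Microsoft documentation. It uses the addresses Glenn gave (DMZ 192.168.10.0/24, private 172.19.4.0/22) and assumes RRAS IP routing is enabled on both NICs and that they are named "DMZ" and "Internal" in the RRAS console; those names and the choice of the "drop matching packets" filter mode are assumptions, so confirm both before relying on it. The netsh lines are the same whether typed at cmd.exe or saved as a .cmd file.

```batch
@echo off
rem Added example, not from the isalist thread or Microsoft docs.
rem RRAS IP packet filters on the ISA/RRAS machine that block traffic
rem between a LAT-based DMZ (192.168.10.0/24) and the private LAN
rem (172.19.4.0/22). ISA itself leaves LAT-to-LAT traffic alone.
rem
rem Assumptions: RRAS is running with IP routing enabled on both NICs,
rem and they are named "DMZ" and "Internal" in the RRAS console.
rem List the real names first:
netsh routing ip show interface

rem --- DMZ-facing NIC: inbound packets from DMZ hosts addressed to the private LAN
rem /22 mask is 255.255.252.0; proto=any covers TCP, UDP and ICMP.
netsh routing ip add filter name="DMZ" filtertype=input srcaddr=192.168.10.0 srcmask=255.255.255.0 dstaddr=172.19.4.0 dstmask=255.255.252.0 proto=any

rem action=drop: receive everything on this NIC except packets matching the
rem entries above. Confirm the mode in the RRAS console under
rem Interface Properties > Input Filters (it must read "Receive all packets
rem except those that meet the criteria below").
netsh routing ip set filter name="DMZ" filtertype=input action=drop

rem --- Internal-facing NIC: inbound packets from the private LAN addressed to the DMZ
rem (this is what let Glenn reach the DMZ FTP server from 172.19.4.0/22)
netsh routing ip add filter name="Internal" filtertype=input srcaddr=172.19.4.0 srcmask=255.255.252.0 dstaddr=192.168.10.0 dstmask=255.255.255.0 proto=any
netsh routing ip set filter name="Internal" filtertype=input action=drop

rem --- Verify the filters took effect
netsh routing ip show filter name="DMZ"
netsh routing ip show filter name="Internal"
```

Because the match is on destination network, DMZ servers' replies to Internet clients (destination outside 172.19.4.0/22) are not touched, which is what keeps the published HTTP, FTP and DNS working. RRAS filters are stateless and unordered, so an exception (say, one private admin host allowed to reach DMZ FTP) cannot be expressed as "drop everything except" on top of these entries; you would instead replace the proto=any entry with per-protocol and per-port entries that omit the flow you want to keep. After applying, repeat the test from Glenn's message (browse from a DMZ host to a known 172.19.4.x IIS server, and FTP from the private LAN to the DMZ); both should now time out rather than connect.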