Re: securing Interfaces on ISA

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2003 22:30:39 +0100

Um.. Would you mind throwing another one in my direction? ;)

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Posted At: Wednesday, December 03, 2003 10:23 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: securing Interfaces on ISA
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> Hi Jim,
> 
> Here ya go ;-) (duck again)
> 
> Tom
> 
> Thomas W Shinder
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
>  
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
> Sent: Wednesday, December 03, 2003 1:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> <ducks head in shame and abject fear>
> I never got mine...
> 
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
> 
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 11:16
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> Hey guys,
> 
> In fact, I believe there is an entire FAT chapter on this subject in
> ISA Server and Beyond ;-)
> 
> HTH,
> Tom
> 
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
> 
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> They must be created in RRAS (or IPSec, if you're so inclined).
> ISA exercises no control over LAT traffic, even if it's routed through
> the ISA machine itself.
> 
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
> 
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 09:02
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> Hello Jim - Let me see if I understand you. Are you saying that I need
> to create IP packet filters inside of RRAS to block services between my
> DMZ (192.168.10.0/24) segment and my private (172.19.4.0/22) segment?
> Do I create these filters using RRAS, or can I create filters under
> Access Policies and IP Packet Filters in ISA?
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:53 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> As Tom pointed out, you have to enlist the aid of RRAS IP filtering or
> IPSec filtering between the two LAT segments if you want to restrict
> access to/from the DMZ to the remainder of the LAT.
> 
> ISA does not provide access controls within the LAT.
> 
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
> 
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 08:45
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> For me to change my DMZ IP addresses would be a HUGE task, one that I
> am not willing to do; it will impact too many things. You speak about
> using RRAS packet filters? Could I not create packet filters inside ISA
> Management? Or are you suggesting that I need to create packet filters
> using RRAS services? It is worth noting that I am also using RRAS to
> connect all my branch offices using L2TP with certificates, and I can
> tell you this, RRAS is NOT that stable. I am constantly monitoring all
> my connection states because RRAS seems to have a mind of its own: if
> it feels like connecting it will, if not, forget about it. I have all
> the right static routes that define all my other branch office subnets,
> and sometimes when I go to diagnose connection issues using pathping,
> tracert or any other utility like that, RRAS seems to want to route
> packets out the Internet interface rather than the correct tunnel end
> point. It makes no sense. I am ready to pull the plug on RRAS and go
> with a Nortel VPN solution, but the problem is my company is cheap and
> they will not spend the money to put a more reliable and stable VPN
> solution in, so I am stuck with RRAS. I am not too happy.
> 
> I at one time also liked ISA, until I started working more in depth
> with it. I am NOT ready to rip ISA out as my security platform yet, but
> it seems to me that the simplest of security features that are found in
> other firewalls, ISA simply won't support unless you reconfigure your
> entire IP scheme. My old Raptor firewall, for as old as it is, does not
> care if I am running a reserved IP address range for my DMZ; I was
> still able to secure each and every interface and allow services to
> pass from one interface to another just by creating access policies.
> This seems very difficult with ISA; in fact, ISA allows it, and had I
> not tested service requests from my DMZ to my private interface I would
> have assumed I was safe. And why can't I allow or deny using protocol
> rules? It seems I have to create and use all packet filters now.
> Protocol rules only address client sets and the content filtering only
> supports HTTP; suppose I have other services like database services I
> want to control between my DMZ and private network.
> 
> Is this the only solution? Packet filters? It seems so.
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> Hi Glenn,
> 
> You must use a subnet of your public block for the DMZ, unless you want
> to create a LAT-based DMZ using RRAS packet filters and/or IPSec policy.
> 
> HTH,
> Tom
> 
> 
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
> 
> 
> -----Original Message-----
> From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 10:02 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> Importance: High
> 
> Sure Jim, here is a better explanation. My ISA Server has 3 interfaces:
> the public interface is 64.80.200.0/24, my DMZ subnet is
> 192.168.10.0/24 and my private segment is 172.19.4.0/22. I have both my
> private and DMZ address ranges defined in my LAT, which I understand
> allows ISA to view these interfaces as internal interfaces. I have
> several services published on different servers on my DMZ for Internet
> customers, services like FTP and HTTP. When I publish these services to
> the Internet everything works well, except I noticed that I can open
> Microsoft IE from any server on the DMZ, plug in a known 172.19.4.0 IP
> address that I know is running IIS, and I get IIS responses. I can also
> log in to my DMZ FTP server from my 172.19.4.0/22 network, and I have
> NOT created any access policies to allow this to happen. I should be
> able to SECURE each and every interface and allow or deny any service
> that I wish; just because I publish services on my DMZ for Internet
> clients does not mean that I wish my private network access to these
> same services. Besides, if HTTP and FTP span the DMZ and private
> network, that to me is a security risk, unless of course I allow it?
> Any suggestions? I was told to REMOVE the DMZ definition from the LAT
> and replace all my publishing RULES with PACKET FILTERS. I also have my
> SOA DNS server published on my DMZ as well, so that would mean I would
> need to replace that publishing rule as well. I attempted this last
> night and my DNS server stopped working, so I restored my ISA
> configuration and now I am back to square one.
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gmaks@xxxxxxxxx
> To unsubscribe send a blank email to 
> $subst('Email.Unsub')
> 

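The point Jim makes in the quoted thread (ISA Server 2000 applies no access policy between two LAT addresses, so a DMZ numbered from a LAT range needs RRAS IP filters or IPsec policy to restrict it) modelled as a small decision check. This is an added example, not code from the list or from ISA Server; the subnets are the ones Glenn quotes, and the filter list standing in for the RRAS/IPsec layer is constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Subnets quoted in the thread: DMZ and private segment, both listed in the LAT.
LAT = [ip_network("192.168.10.0/24"), ip_network("172.19.4.0/22")]


def in_lat(addr: str) -> bool:
    """True when the address falls inside any LAT entry."""
    return any(ip_address(addr) in net for net in LAT)


def isa_policy_applies(src: str, dst: str) -> bool:
    """ISA Server 2000 evaluates its access policy only when one side of the
    conversation is outside the LAT. LAT-to-LAT traffic is plain routing."""
    return not (in_lat(src) and in_lat(dst))


# Hypothetical RRAS-style filter list (constructed for this example):
# (src_net, dst_net, proto, dst_port, action); first match wins, and anything
# between the two segments that matches nothing is denied by default.
FILTERS = [
    ("172.19.4.0/22", "192.168.10.0/24", "udp", 53, "allow"),  # private may query DMZ DNS
    ("172.19.4.0/22", "192.168.10.0/24", "tcp", 53, "allow"),
    ("192.168.10.0/24", "172.19.4.0/22", "any", None, "deny"),  # DMZ never initiates inward
]


def rras_decision(src: str, dst: str, proto: str, dport: int) -> str:
    """Walk the ordered filter list; unmatched DMZ/private traffic is denied."""
    for s, d, p, port, action in FILTERS:
        if (ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                and p in (proto, "any") and port in (dport, None)):
            return action
    return "deny"


def effective_decision(src: str, dst: str, proto: str, dport: int) -> str:
    """Who decides the packet's fate: ISA's rules for traffic crossing the LAT
    boundary, the RRAS/IPsec filter layer for traffic that stays inside it."""
    if isa_policy_applies(src, dst):
        return "isa-policy"
    return rras_decision(src, dst, proto, dport)


if __name__ == "__main__":
    # Glenn's two observations (IE from the DMZ to an internal IIS box, FTP from
    # the private segment to the DMZ) plus an allowed DNS query and an Internet client.
    for pkt in [("192.168.10.5", "172.19.4.10", "tcp", 80),
                ("172.19.4.10", "192.168.10.20", "tcp", 21),
                ("172.19.4.10", "192.168.10.20", "udp", 53),
                ("64.80.200.7", "192.168.10.20", "tcp", 80)]:
        print(pkt, "->", effective_decision(*pkt))
```

Without the filter layer, the first two packets simply route because both ends are in the LAT; the example shows how a default-deny list between the two segments changes that while leaving ISA in charge of traffic that crosses the LAT boundary.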

Other related posts: