Hi Mark,

You bet. This time I'll throw it at everyone :-)

http://www.isaserver.org/news/ISA_Server_and_Beyond__Chapter_4_on_ISAserverorg.html

HTH,
Tom

-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 3:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA

http://www.ISAserver.org

Um.. Would you mind throwing another one in my direction? ;)

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Posted At: Wednesday, December 03, 2003 10:23 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: securing Interfaces on ISA
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hi Jim,
>
> Here ya go ;-) (duck again)
>
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 1:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> <ducks head in shame and abject fear>
> I never got mine...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 11:16
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hey guys,
>
> In fact, I believe there is an entire FAT chapter on this subject in
> ISA Server and Beyond ;-)
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> They must be created in RRAS (or IPSec, if you're so inclined).
> ISA exercises no control over LAT traffic, even if it's routed through
> the ISA machine itself.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 09:02
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hello Jim - Let me see if I understand you. Are you saying that I need
> to create IP packet filters inside of RRAS to block services between
> my DMZ (192.168.10.0/24) segment and my private (172.19.4.0/22) segment?
> Do I create these filters using RRAS, or can I create filters under
> Access Policies and IP Packet Filters in ISA?
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:53 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> As Tom pointed out, you have to enlist the aid of RRAS IP filtering or
> IPSec filtering between the two LAT segments if you want to restrict
> access to/from the DMZ to the remainder of the LAT.
>
> ISA does not provide access controls within the LAT.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 08:45
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> For me to change my DMZ IP addresses would be a HUGE task, one that I
> am not willing to do; it will impact too many things. You speak about
> using RRAS packet filters? Could I not create packet filters inside
> ISA Management? Or are you suggesting that I need to create packet
> filters using RRAS services?
>
> It is worth noting that I am also using RRAS to connect all my branch
> offices using L2TP with certificates, and I can tell you this: RRAS is
> NOT that stable. I am constantly monitoring all my connection states
> because RRAS seems to have a mind of its own; if it feels like
> connecting it will, if not, forget about it. I have all the right
> static routes that define all my other branch office subnets, and
> sometimes when I go to diagnose connection issues using ping, pathping,
> tracert or any other utility like that, RRAS seems to want to route
> packets out the Internet interface rather than the correct tunnel end
> point. It makes no sense. I am ready to pull the plug on RRAS and go
> with a Nortel VPN solution, but the problem is my company is cheap and
> they will not spend the money to put a more reliable and stable VPN
> solution in, so I am stuck with RRAS. I am not too happy.
>
> I at one time also liked ISA, until I started working more in depth
> with it. I am NOT ready to rip ISA out as my security platform yet,
> but it seems to me that the simplest of security features that are
> found in other firewalls, ISA simply won't support unless you
> reconfigure your entire IP scheme. My old Raptor firewall, for as old
> as it is, does not care if I am running a reserved IP address range for
> my DMZ; I was still able to secure each and every interface and allow
> services to pass from one interface to another just by creating access
> policies. This seems very difficult with ISA; in fact, ISA allows it,
> and had I not tested service requests from my DMZ to my private
> interface I would have assumed I was safe. And why can't I allow or
> deny using protocol rules? It seems I have to create and use all
> packet filters now. Protocol rules only address client sets, and the
> content filtering only supports HTTP. Suppose I have other services
> like database services I want to control between my DMZ and private
> network.
>
> Is this the only solution? Packet filters? It seems so.
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
>
> http://www.ISAserver.org
>
> Hi Glenn,
>
> You must use a subnet of your public block for the DMZ, unless you
> want to create a LAT-based DMZ using RRAS packet filters and/or IPSec
> policy.
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 10:02 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> Importance: High
>
> http://www.ISAserver.org
>
> Sure Jim, here is a better explanation - My ISA Server has 3
> interfaces: the public interface is 64.80.200.0/24, my DMZ subnet is
> 192.168.10.0/24 and my private segment is 172.19.4.0/22. I have both my
> private and DMZ address ranges defined in my LAT.
>
> This I understand allows ISA to view these interfaces as internal
> interfaces. I have several services published on different servers on
> my DMZ for Internet customers, services like FTP, HTTP. When I publish
> these services to the Internet everything works well, except I noticed
> that I can open Microsoft IE from any server on the DMZ and plug in a
> known 172.19.4.0 IP address that I know is running IIS and I get IIS
> responses. I can also log in to my DMZ FTP server from my
> 172.19.4.0/22 network, and I have NOT created any access policies to
> allow this to happen. I should be able to SECURE each and every
> interface and allow or deny any service that I wish; just because I
> publish services on my DMZ for Internet clients does not mean that I
> wish my private network access to these same services. Besides, if
> HTTP and FTP span the DMZ and private network, that to me is a
> security risk, unless of course I allow it? Any suggestions? I was
> told to REMOVE the DMZ definition from the LAT and replace all my
> publishing RULES with PACKET FILTERS. I also have my SOA DNS server
> published on my DMZ as well, so that would mean I would need to
> replace that publishing rule as well. I attempted this last night and
> my DNS server stopped working. So I restored my ISA configuration and
> now I am back to square one.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gmaks@xxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
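The point Jim and Tom make in the thread is that ISA Server 2000 evaluates access policy only on traffic crossing the LAT boundary, so two LAT segments (Glenn's DMZ and private ranges) can reach each other through the ISA box without any rule being consulted, and the control has to come from RRAS interface filters or IPSec policy instead. The following is an added example written for this page, not code from the thread, from ISA Server or from any of the posters: a small Python model of that LAT rule together with the RRAS input-filter semantics, used to audit a set of constructed flows. The addresses are the ones Glenn posted; the flows, the filter lists and the `netsh routing ip add filter` / `set filter` command syntax are assumptions (the syntax is the Windows 2000/2003 RRAS one as I remember it and should be checked against `netsh routing ip add filter ?` on the server before use).

```python
"""Model ISA 2000's LAT rule and RRAS interface-filter semantics (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Both of Glenn's ranges are in the LAT, which is exactly why ISA never polices traffic between them.
LAT = [ipaddress.ip_network("172.19.4.0/22"), ipaddress.ip_network("192.168.10.0/24")]


def in_lat(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAT)


def isa_polices(src: str, dst: str) -> bool:
    """ISA 2000 applies access policy only when one end is in the LAT and the other is not."""
    return in_lat(src) != in_lat(dst)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dstport: int    # 0 = not applicable
    ingress: str    # RRAS interface the packet arrives on


@dataclass(frozen=True)
class RrasFilter:
    """One entry of an RRAS interface input-filter list (network, protocol, destination port)."""
    src_net: str
    dst_net: str
    proto: str = "any"
    dstport: int = 0    # 0 = any port

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", f.proto)
                and self.dstport in (0, f.dstport))


# An RRAS filter list has ONE action for the whole list:
#   "drop"    = drop packets matching any entry, forward everything else
#   "forward" = forward only packets matching an entry, drop everything else
# Choosing the wrong one inverts the policy, the classic RRAS filter mistake.
FilterSet = Tuple[str, List[RrasFilter]]


def rras_verdict(f: Flow, filter_sets: Dict[str, FilterSet]) -> str:
    if f.ingress not in filter_sets:
        return "forward"        # no filter list on that interface: nothing is checked
    mode, filters = filter_sets[f.ingress]
    hit = any(flt.matches(f) for flt in filters)
    if mode == "drop":
        return "drop" if hit else "forward"
    if mode == "forward":
        return "forward" if hit else "drop"
    raise ValueError(f"unknown filter-list action {mode!r}")


def audit(flows: List[Flow], filter_sets: Dict[str, FilterSet]) -> List[Tuple[Flow, str]]:
    """Classify each flow as left to ISA policy, dropped by RRAS, or forwarded by RRAS unchecked."""
    results = []
    for f in flows:
        if isa_polices(f.src, f.dst):
            results.append((f, "isa-policy"))
        else:
            results.append((f, "rras-" + rras_verdict(f, filter_sets)))
    return results


# Constructed filter lists: drop everything DMZ -> private on the DMZ interface,
# drop only FTP private -> DMZ on the private interface.
FILTER_SETS: Dict[str, FilterSet] = {
    "DMZ": ("drop", [RrasFilter("192.168.10.0/24", "172.19.4.0/22")]),
    "Private": ("drop", [RrasFilter("172.19.4.0/22", "192.168.10.0/24", "tcp", 21)]),
}

# Constructed sample flows mirroring what Glenn observed, plus one Internet client.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "172.19.4.10", "tcp", 80, "DMZ"),        # DMZ host browsing private IIS
    Flow("172.19.5.20", "192.168.10.6", "tcp", 21, "Private"),    # private client -> DMZ FTP
    Flow("172.19.5.20", "192.168.10.6", "tcp", 80, "Private"),    # private client -> DMZ HTTP
    Flow("64.80.200.77", "192.168.10.6", "tcp", 21, "External"),  # Internet client -> published FTP
]


def netsh_lines(iface: str, mode: str, filters: List[RrasFilter]) -> List[str]:
    """Emit the equivalent RRAS commands. ASSUMED syntax of 'netsh routing ip add/set filter'."""
    lines = []
    for flt in filters:
        s, d = ipaddress.ip_network(flt.src_net), ipaddress.ip_network(flt.dst_net)
        line = (f'netsh routing ip add filter name="{iface}" filtertype=input '
                f"srcaddr={s.network_address} srcmask={s.netmask} "
                f"dstaddr={d.network_address} dstmask={d.netmask} proto={flt.proto}")
        if flt.proto in ("tcp", "udp"):
            line += f" srcport=0 dstport={flt.dstport}"
        lines.append(line)
    lines.append(f'netsh routing ip set filter name="{iface}" filtertype=input action={mode}')
    return lines


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS, FILTER_SETS):
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.proto}/{flow.dstport:<3} "
              f"in via {flow.ingress:<8} {verdict}")
    for iface, (mode, filters) in FILTER_SETS.items():
        print("\n".join(netsh_lines(iface, mode, filters)))
```

Run as-is, the audit shows the DMZ-to-private HTTP flow and the private-to-DMZ FTP flow dropped by RRAS, the private-to-DMZ HTTP flow forwarded with no check at all, and the Internet client's FTP session handed to ISA's publishing rule, which is the split Jim describes. Swapping the DMZ list's action to `forward` with the same single entry inverts the result (only DMZ-to-private traffic would pass), so the list action is worth re-reading before trusting a filter set.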