Re: securing Interfaces on ISA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2003 18:12:47 -0600

Hi Mark,

You bet. This time I'll throw it at everyone :-)

http://www.isaserver.org/news/ISA_Server_and_Beyond__Chapter_4_on_ISAserverorg.html

HTH,
Tom 

-----Original Message-----
From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
Sent: Wednesday, December 03, 2003 3:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA

http://www.ISAserver.org

Um.. Would you mind throwing another one in my direction? ;)

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Posted At: Wednesday, December 03, 2003 10:23 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: securing Interfaces on ISA
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> Hi Jim,
> 
> Here ya go ;-) (duck again)
> 
> Tom
> 
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
>  
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 1:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> <ducks head in shame and abject fear>
> I never got mine...
> 
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
> 
>  Read the help, books and articles!
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 11:16
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> Hey guys,
> 
> In fact, I believe there is an entire FAT chapter on this subject in 
> ISA Server and Beyond ;-)
> 
> HTH,
> Tom
> 
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
> 
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> They must be created in RRAS (or IPSec, if you're so inclined).
> ISA exercises no control over LAT traffic, even if it's routed through
> the ISA machine itself.
> 
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
> 
>  Read the help, books and articles!
> ----- Original Message -----
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 09:02
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> Hello Jim - Let me see if I understand you, are you saying that I need
> to create IP Packet filters inside of RRAS to block services between
> my DMZ (192.168.10.0/24) segment and my private (172.19.4.0/22) segment?
> Do I create these filters using RRAS, or can I create filters under
> Access Policies and IP Packet Filters in ISA?
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:53 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> As Tom pointed out, you have to enlist the aid of RRAS IP filtering or
> IPSec filtering between the two LAT segments if you want to restrict
> access to/from the DMZ to the remainder of the LAT.
> 
> ISA does not provide access controls within the LAT.
> 
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
> 
>  Read the help, books and articles!
> ----- Original Message -----
> From: "Glenn Maks" <gmaks@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 03, 2003 08:45
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> For me to change my DMZ IP Addresses would be a HUGE task, one that I
> am not willing to do, it will impact too many things. You speak about
> using RRAS Packet filters? Could I not create Packet Filters inside
> ISA Management? Or are you suggesting that I need to create Packet
> Filters using RRAS services? It is worth noting that I am also using
> RRAS to connect all my branch offices using L2TP with certificates,
> and I can tell you this, RRAS is NOT that stable. I am constantly
> monitoring all my connection states because RRAS seems to have a mind
> of its own: if it feels like connecting it will, if not, forget about
> it. I have all the right static routes that define all my other branch
> office subnets, and sometimes when I go to diagnose connection issues
> using ping, pathping, tracert or any other utility like that, RRAS
> seems to want to route packets out the Internet Interface rather than
> the correct tunnel end point. It makes no sense. I am ready to pull
> the plug on RRAS and go with a Nortel VPN solution, but the problem is
> my company is cheap and they will not spend the money to put a more
> reliable and stable VPN solution in, so I am stuck with RRAS. I am not
> too happy.
> 
> I at one time also liked ISA, until I started working more in depth
> with it. I am NOT ready to rip ISA out as my Security platform yet,
> but it seems to me that the simplest of security features that are
> found in other firewalls, ISA simply won't support unless you
> reconfigure your entire IP scheme. My old Raptor firewall, for as old
> as it is, does not care if I am running a reserved IP address range for
> my DMZ; I was still able to secure each and every interface and allow
> services to pass from one interface to another just by creating access
> policies. This seems very difficult with ISA; in fact, ISA allows it,
> and had I not tested service requests from my DMZ to my Private
> interface I would have assumed I was safe. And why can't I allow or
> deny using protocol rules? It seems I have to create and use all
> packet filters now. Protocol rules only address client sets and the
> Content filtering only supports HTTP; suppose I have other services
> like database services I want to control between my DMZ and Private
> Network.
> 
> Is this the only solution? Packet Filters? It seems so.
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 03, 2003 11:26 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> 
> 
> http://www.ISAserver.org
> 
> Hi Glenn,
> 
> You must use a subnet of your public block for the DMZ, unless you 
> want to create a LAT-based DMZ using RRAS packet filters and/or IPSec 
> policy.
> 
> HTH,
> Tom
> 
> 
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
> 
> 
> -----Original Message-----
> From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
> Sent: Wednesday, December 03, 2003 10:02 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: securing Interfaces on ISA
> Importance: High
> 
> 
> http://www.ISAserver.org
> 
> 
> Sure Jim, here is a better explanation - My ISA Server has 3
> interfaces, the public interface is 64.80.200.0/24, my DMZ subnet is
> 192.168.10.0/24 and my private segment is 172.19.4.0/22. I have both my
> private and DMZ address ranges defined in my LAT.
> 
> This I understand allows ISA to view these interfaces as Internal
> Interfaces. I have several services published on different servers on
> my DMZ for Internet customers, services like FTP, HTTP; when I publish
> these services to the Internet everything works well, except I noticed
> that I can open Microsoft IE from any server on the DMZ and plug in a
> known 172.19.4.0 IP address that I know is running IIS and I get IIS
> responses. I can also log in to my DMZ FTP Server from my
> 172.19.4.0/22 network, and I have NOT created any access policies to
> allow this to happen. I should be able to SECURE each and every
> interface and allow or deny any service that I wish; just because I
> publish services on my DMZ for Internet Clients does not mean that I
> wish my Private Network to have access to these same services. Besides,
> if HTTP and FTP span the DMZ and Private Network, that to me is a
> security risk, unless of course I allow it? Any suggestions? I was
> told to REMOVE the DMZ definition from the LAT and replace all my
> publishing RULES with PACKET FILTERS. I also have my SOA DNS Server
> published on my DMZ as well, so that would mean I would need to
> replace that Publishing rule as well. I attempted this last night and
> my DNS Server stopped working. So I restored my ISA configuration and
> now I am back to square one.
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows 
> Security Resource Site: http://www.windowsecurity.com/ Network 
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gmaks@xxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
> 
> 
> 

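As an added example (not code from the thread, from ISA Server or from RRAS), a small Python model of the point Jim and Tom make above: ISA applies policy only at the LAT boundary, so traffic between two LAT segments passes uninspected, and an RRAS interface filter (or IPSec policy) is what closes the DMZ-to-private gap Glenn found by testing. The subnets are the ones Glenn posted; the published ports, the "receive all except" filter shape and the Internet test address are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the layout Glenn posted (added example, not ISA or RRAS code).
DMZ = ipaddress.ip_network("192.168.10.0/24")
PRIVATE = ipaddress.ip_network("172.19.4.0/22")
LAT = (DMZ, PRIVATE)  # both ranges are listed in the ISA Local Address Table

Flow = namedtuple("Flow", "src dst proto dport")

def segment(addr):
    """Which leg an address sits on; anything outside the LAT is 'public'."""
    ip = ipaddress.ip_address(addr)
    return "dmz" if ip in DMZ else "private" if ip in PRIVATE else "public"

# Assumed publishing rules on the ISA edge: (destination subnet, proto, port).
PUBLISHED = {(DMZ, "tcp", 80), (DMZ, "tcp", 21), (DMZ, "udp", 53)}

def isa_decision(f):
    """ISA evaluates only traffic that crosses the LAT boundary; a flow with
    both endpoints inside the LAT passes with no policy check at all."""
    if segment(f.src) != "public" and segment(f.dst) != "public":
        return "forward (inside LAT, not inspected)"
    dst = ipaddress.ip_address(f.dst)
    if segment(f.src) == "public" and any(
            dst in net and (f.proto, f.dport) == (p, port) for net, p, port in PUBLISHED):
        return "forward (publishing rule)"
    return "drop"

# RRAS input filters on each LAT-side interface, modelled as "receive all
# packets except those matching" (assumed config): source segment -> subnets to drop.
RRAS_EXCEPTIONS = {
    "dmz": [PRIVATE],      # DMZ hosts must not reach the private LAN
    "private": [DMZ],      # and the private LAN must not reach the DMZ
}

def rras_drops(f):
    dst = ipaddress.ip_address(f.dst)
    return any(dst in net for net in RRAS_EXCEPTIONS.get(segment(f.src), []))

def verdict(f):
    """Combined result: a drop by the RRAS filter or by ISA is a drop."""
    return "drop (RRAS filter)" if rras_drops(f) else isa_decision(f)

def lat_leaks(flows):
    """Audit helper: flows between the two LAT segments that ISA alone forwards,
    i.e. the DMZ<->private access Glenn found by testing."""
    return [f for f in flows
            if {segment(f.src), segment(f.dst)} == {"dmz", "private"}
            and isa_decision(f).startswith("forward")]
```

Running `lat_leaks` over the flows you expect to exist is the quick way to see which inter-segment paths the LAT definition alone leaves open before you add the RRAS exceptions.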