Re: securing Interfaces on ISA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2003 20:11:44 -0600

Hi Greg,

It's a chapter that I'm licensing out to smart media manufacturers :-)

Tom 

-----Original Message-----
From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxxx] 
Sent: Wednesday, December 03, 2003 5:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA

http://www.ISAserver.org

What is a FAT chapter??

Greg Mulholland
gmulholland@xxxxxxxxxxxxxxx
http://www.isaserver.org
http://isatools.org
http://www.google.com 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, December 04, 2003 6:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA


Hey guys,

In fact, I believe there is an entire FAT chapter on this subject in ISA
Server and Beyond ;-)

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 11:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA



They must be created in RRAS (or IPSec, if you're so inclined).
ISA exercises no control over LAT traffic, even if it's routed through
the ISA machine itself.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Glenn Maks" <gmaks@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 03, 2003 09:02
Subject: [isalist] Re: securing Interfaces on ISA



Hello Jim - Let me see if I understand you. Are you saying that I need to create IP packet filters inside of RRAS to block services between my DMZ (192.168.10.0/24) segment and my private (172.19.4.0/22) segment? Do I create these filters using RRAS, or can I create filters under Access Policies and IP Packet Filters in ISA?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 11:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA



As Tom pointed out, you have to enlist the aid of RRAS IP filtering or IPSec filtering between the two LAT segments if you want to restrict access to/from the DMZ to the remainder of the LAT.

ISA does not provide access controls within the LAT.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
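To make Jim's point concrete, here is an added Python model (written for this page, not code from the list or from ISA Server) of why Glenn's DMZ hosts reach his private IIS servers without any access policy, and how an RRAS per-interface IP filter closes that gap. The RRAS "pass all except" / "drop all except" semantics are modelled from the RRAS filter dialog, and the external host 198.51.100.10 is a constructed sample address.

```python
import ipaddress

# Topology constructed from the thread: both DMZ and private segment are in the LAT.
LAT = [ipaddress.ip_network("192.168.10.0/24"),   # DMZ
       ipaddress.ip_network("172.19.4.0/22")]      # private network
DMZ, PRIVATE = LAT[0], LAT[1]


def in_lat(addr):
    return any(ipaddress.ip_address(addr) in net for net in LAT)


def isa_policy_applies(src, dst):
    """ISA Server 2000 only enforces access policy on traffic that crosses the LAT
    boundary; LAT-to-LAT traffic routed through the box is passed unexamined."""
    return not (in_lat(src) and in_lat(dst))


def rras_filter(packet, filters, mode):
    """Model of an RRAS per-interface IP filter list (assumed semantics).
    mode 'drop_except': drop every packet except those matching a filter entry.
    mode 'pass_except': pass every packet except those matching a filter entry.
    A filter entry is (src_net, dst_net, proto or 'any', dst_port or None).
    Returns True if the packet is allowed through."""
    src, dst, proto, dport = packet
    matched = any(
        ipaddress.ip_address(src) in f_src and ipaddress.ip_address(dst) in f_dst
        and f_proto in ("any", proto) and f_port in (None, dport)
        for f_src, f_dst, f_proto, f_port in filters)
    return matched if mode == "drop_except" else not matched


# Input filters on the DMZ interface: pass everything except DMZ -> private.
DMZ_INPUT_FILTERS = [(DMZ, PRIVATE, "any", None)]


def dmz_host_reaches(packet):
    """Verdict for a packet entering ISA on the DMZ interface: the RRAS filter is
    evaluated first, then ISA policy only if ISA would look at the packet at all."""
    if not rras_filter(packet, DMZ_INPUT_FILTERS, "pass_except"):
        return "dropped by RRAS filter"
    if not isa_policy_applies(packet[0], packet[1]):
        return "passed unexamined (LAT-to-LAT)"
    return "subject to ISA access policy"


if __name__ == "__main__":
    # Constructed packets: a DMZ web box talking to an internal IIS host, and to the Internet.
    print(dmz_host_reaches(("192.168.10.5", "172.19.4.20", "tcp", 80)))
    print(dmz_host_reaches(("192.168.10.5", "198.51.100.10", "tcp", 80)))
```

Without the RRAS entry, the first packet returns "passed unexamined (LAT-to-LAT)", which is exactly the behaviour Glenn observed; the same check run from the private side shows the FTP case is symmetric.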
----- Original Message ----- 
From: "Glenn Maks" <gmaks@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 03, 2003 08:45
Subject: [isalist] Re: securing Interfaces on ISA



For me to change my DMZ IP addresses would be a HUGE task, one that I am not willing to do; it will impact too many things. You speak about using RRAS packet filters? Could I not create packet filters inside ISA Management? Or are you suggesting that I need to create packet filters using RRAS services? It is worth noting that I am also using RRAS to connect all my branch offices using L2TP with certificates, and I can tell you this: RRAS is NOT that stable. I am constantly monitoring all my connection states because RRAS seems to have a mind of its own; if it feels like connecting it will, if not, forget about it. I have all the right static routes that define all my other branch office subnets, and sometimes when I go to diagnose connection issues using ping path, tracert or any other utility like that, RRAS seems to want to route packets out the Internet interface rather than the correct tunnel end point. It makes no sense. I am ready to pull the plug on RRAS and go with a Nortel VPN solution, but the problem is my company is cheap and they will not spend the money to put a more reliable and stable VPN solution in, so I am stuck with RRAS. I am not too happy.

I at one time also liked ISA, until I started working more in depth with it. I am NOT ready to rip ISA out as my security platform yet, but it seems to me that the simplest of security features that are found in other firewalls, ISA simply won't support unless you reconfigure your entire IP scheme. My old Raptor firewall, for as old as it is, does not care if I am running a reserved IP address range for my DMZ; I was still able to secure each and every interface and allow services to pass from one interface to another just by creating access policies. This seems very difficult with ISA; in fact, ISA allows it, and had I not tested service requests from my DMZ to my private interface I would have assumed I was safe. And why can't I allow or deny using protocol rules? It seems I have to create and use all packet filters now. Protocol rules only address client sets and the content filtering only supports HTTP; suppose I have other services like database services I want to control between my DMZ and private network.

Is this the only solution? Packet filters? It seems so.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 11:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA



Hi Glenn,

You must use a subnet of your public block for the DMZ, unless you want to create a LAT-based DMZ using RRAS packet filters and/or IPSec policy.

HTH,
Tom


Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp



-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Wednesday, December 03, 2003 10:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA
Importance: High




Sure Jim, here is a better explanation - My ISA Server has 3 interfaces: the public interface is 64.80.200.0/24, my DMZ subnet is 192.168.10.0/24 and my private segment is 172.19.4.0/22. I have both my private and DMZ address ranges defined in my LAT; this I understand allows ISA to view these interfaces as internal interfaces.

I have several services published on different servers on my DMZ for Internet customers, services like FTP and HTTP. When I publish these services to the Internet everything works well, except I noticed that I can open Microsoft IE from any server on the DMZ and plug in a known 172.19.4.0 IP address that I know is running IIS and I get IIS responses. I can also log in to my DMZ FTP server from my 172.19.4.0/22 network, and I have NOT created any access policies to allow this to happen. I should be able to SECURE each and every interface and allow or deny any service that I wish; just because I publish services on my DMZ for Internet clients does not mean that I wish my private network access to these same services. Besides, if HTTP and FTP span the DMZ and private network, that to me is a security risk, unless of course I allow it? Any suggestions? I was told to REMOVE the DMZ definition from the LAT and replace all my publishing RULES with PACKET FILTERS. I also have my SOA DNS server published on my DMZ as well, so that would mean I would need to replace that publishing rule as well. I attempted this last night and my DNS server stopped working, so I restored my ISA configuration and now I am back to square one.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gmaks@xxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')