Re: securing Interfaces on ISA

  • From: Glenn Maks <gmaks@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Dec 2003 11:45:23 -0500

For me to change my DMZ IP addresses would be a HUGE task, one that I am not
willing to do; it will impact too many things. You speak about using RRAS
packet filters? Could I not create packet filters inside ISA Management? Or
are you suggesting that I need to create packet filters using RRAS services?
It is worth noting that I am also using RRAS to connect all my branch offices
using L2TP with certificates, and I can tell you this: RRAS is NOT that
stable. I am constantly monitoring all my connection states because RRAS
seems to have a mind of its own; if it feels like connecting it will, if
not, forget about it. I have all the right static routes that define all my
other branch office subnets, and sometimes when I go to diagnose connection
issues using pathping, tracert or any other utility like that, RRAS seems
to want to route packets out the Internet interface rather than the correct
tunnel endpoint. It makes no sense. I am ready to pull the plug on RRAS and
go with a Nortel VPN solution, but the problem is my company is cheap and
they will not spend the money to put a more reliable and stable VPN solution
in, so I am stuck with RRAS. I am not too happy.
 
I at one time also liked ISA, until I started working more in depth with it.
I am NOT ready to rip ISA out as my security platform yet, but it seems to
me that the simplest of security features that are found in other firewalls,
ISA simply won't support unless you reconfigure your entire IP scheme. My
old Raptor firewall, for as old as it is, does not care if I am running a
reserved IP address range for my DMZ; I was still able to secure each and
every interface and allow services to pass from one interface to another
just by creating access policies. This seems very difficult with ISA; in
fact, ISA allows it, and had I not tested service requests from my DMZ to
my private interface I would have assumed I was safe. And why can't I allow
or deny using protocol rules? It seems I have to create and use all packet
filters now. Protocol rules only address client sets, and the content
filtering only supports HTTP; suppose I have other services like database
services I want to control between my DMZ and private network.
 
Is this the only solution? Packet filters? It seems so.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 03, 2003 11:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA


http://www.ISAserver.org

Hi Glenn,
 
You must use a subnet of your public block for the DMZ, unless you want to
create a LAT-based DMZ using RRAS packet filters and/or IPSec policy.
 
HTH,
Tom
 
 
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Wednesday, December 03, 2003 10:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: securing Interfaces on ISA
Importance: High




Sure Jim, here is a better explanation. My ISA Server has 3 interfaces: the
public interface is 64.80.200.0/24, my DMZ subnet is 192.168.10.0/24 and my
private segment is 172.19.4.0/22. I have both my private and DMZ address
ranges defined in my LAT; this, I understand, allows ISA to view these
interfaces as internal interfaces.

I have several services published on different servers on my DMZ for
Internet customers, services like FTP and HTTP. When I publish these
services to the Internet everything works well, except I noticed that I can
open Microsoft IE from any server on the DMZ and plug in a known 172.19.4.0
IP address that I know is running IIS and I get IIS responses. I can also
log in to my DMZ FTP server from my 172.19.4.0/22 network, and I have NOT
created any access policies to allow this to happen. I should be able to
SECURE each and every interface and allow or deny any service that I wish;
just because I publish services on my DMZ for Internet clients does not
mean that I wish my private network to access these same services. Besides,
if HTTP and FTP span the DMZ and private network, that to me is a security
risk, unless of course I allow it. Any suggestions? I was told to REMOVE
the DMZ definition from the LAT and replace all my publishing RULES with
PACKET FILTERS. I also have my SOA DNS server published on my DMZ as well,
so that would mean I would need to replace that publishing rule as well. I
attempted this last night and my DNS server stopped working, so I restored
my ISA configuration and now I am back to square one.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
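Tom's one-line suggestion of a LAT-based DMZ secured with RRAS packet filters, written out below as an added example that is not from anyone in this thread. It uses the three address ranges Glenn posted; the RRAS interface names "DMZ" and "Private" are assumptions (use the connection names shown in Network Connections on the ISA machine), and the DMZ hosts are assumed to use the ISA box as their default gateway so their traffic actually passes through RRAS. The script puts a default-drop input filter list on the DMZ interface, so DMZ hosts can answer connections but not open them toward 172.19.4.0/22, and a default-forward input list on the private interface that keeps private clients off the DMZ FTP and web servers while leaving the published DNS server reachable. It assumes netsh's `action=` sets what happens to packets that match no filter; the check in step 3 is there to confirm that reading against the RRAS console before trusting it.

```batch
@echo off
REM Added example, not from anyone in this thread: RRAS packet filters that
REM isolate a LAT-based DMZ on an ISA Server 2000 box, as Tom suggested.
REM Assumptions: RRAS interface names "DMZ" and "Private" (take them from
REM Network Connections), DMZ hosts use ISA as their default gateway, and
REM the address ranges are the ones Glenn posted.
REM Run from an administrative command prompt on the ISA/RRAS machine.

set DMZ_NET=192.168.10.0
set DMZ_MASK=255.255.255.0
set PRIV_NET=172.19.4.0
set PRIV_MASK=255.255.252.0

REM ---------------------------------------------------------------------
REM 1. DMZ interface, input direction = packets arriving FROM DMZ hosts.
REM    action=drop is assumed to set the default for packets that match no
REM    filter, i.e. the list reads "Drop all packets except those that
REM    meet the criteria below". Only replies are listed, so a DMZ host
REM    can no longer open a connection to 172.19.4.0/22 (or anywhere else).
REM ---------------------------------------------------------------------

REM Replies from the published HTTP/FTP servers: tcp-est matches TCP
REM segments with ACK set, i.e. anything but the opening SYN.
netsh routing ip add filter name="DMZ" filtertype=input srcaddr=%DMZ_NET% srcmask=%DMZ_MASK% dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp-est srcport=0 dstport=0

REM Replies from the published DNS server (UDP, source port 53).
netsh routing ip add filter name="DMZ" filtertype=input srcaddr=%DMZ_NET% srcmask=%DMZ_MASK% dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=53 dstport=0

REM Everything else arriving from the DMZ is discarded.
netsh routing ip set filter name="DMZ" filtertype=input action=drop

REM ---------------------------------------------------------------------
REM 2. Private interface, input direction = packets arriving FROM private
REM    clients. action=forward keeps the list as "Receive all packets
REM    except those that meet the criteria below", so only the two DMZ
REM    services Glenn does not want private clients on are listed; their
REM    DNS queries to the DMZ DNS server still pass.
REM ---------------------------------------------------------------------
netsh routing ip add filter name="Private" filtertype=input srcaddr=%PRIV_NET% srcmask=%PRIV_MASK% dstaddr=%DMZ_NET% dstmask=%DMZ_MASK% proto=tcp srcport=0 dstport=21
netsh routing ip add filter name="Private" filtertype=input srcaddr=%PRIV_NET% srcmask=%PRIV_MASK% dstaddr=%DMZ_NET% dstmask=%DMZ_MASK% proto=tcp srcport=0 dstport=80
netsh routing ip set filter name="Private" filtertype=input action=forward

REM ---------------------------------------------------------------------
REM 3. Verify. First confirm the default actions in the RRAS console
REM    (interface > Properties > Inbound Filters): the DMZ list must show
REM    "Drop all packets except..." and the Private list "Receive all
REM    packets except..."; if they read the other way round, swap the two
REM    action= values above. Then repeat Glenn's test: IE on a DMZ host
REM    against a 172.19.4.x IIS box must time out, an FTP login from a
REM    private client to the DMZ server must fail, and lookups against the
REM    DMZ DNS server plus Internet access to the published sites must
REM    still work.
REM ---------------------------------------------------------------------
netsh routing ip show filter name="DMZ"
netsh routing ip show filter name="Private"
```

Two caveats worth knowing before relying on this. RRAS filters are stateless: `tcp-est` only tests the ACK bit, so an ACK scan from a DMZ host still reaches the private segment, and the scheme is not equivalent to the stateful policy a Raptor gives you. Anything a DMZ host needs to initiate must be added explicitly: active-mode FTP data (server opens from port 20) would need a `proto=tcp srcport=20` allow, which is also the classic port-20 bypass, so passive mode is preferable; a DNS server that forwards queries needs a `proto=udp dstport=53` allow scoped to its forwarder's address; and ICMP from the DMZ, including ping replies, is dropped until you add a rule for it. The IPSec-policy alternative Tom mentions is not covered here.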