[isapros] Re: External and Internal IP Address tied to same NIC

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 25 Jun 2007 11:40:33 -0500

Short course is that hork mode can be easily bypassed, since it's not an
inline device. Imagine the front end firewall in hork mode, with a
public and private address on a single NIC, or even using VLAN tagging
on the front end firewall and hoping and praying that VLAN hopping
doesn't take place. Got to have physical segmentation to get security.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- Microsoft Firewalls (ISA)

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
        Sent: Monday, June 25, 2007 11:04 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: External and Internal IP Address tied to same NIC

        Can you define "real security" for me?  Perhaps even a white
paper (I know you guys love hork mode) on why this method of running ISA
is not ideal?  My mind's a bit muddled right now with frustration.

        Cordially yours,

        Jerry G. Young II
        Application Engineer
        Platform Engineering and Architecture
        NTT America, an NTT Communications Company

        22451 Shaw Rd.
        Sterling, VA 20166

        Office: 571-434-1319
        Fax: 703-333-6749
        Email: g.young@xxxxxxxx

        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Monday, June 25, 2007 12:00 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: External and Internal IP Address tied to same NIC

        Sounds like it's in hork mode anyhow, so it's not providing any
real security, so I can't say that there are any security implications
to this config.

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
                Sent: Monday, June 25, 2007 10:53 AM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] External and Internal IP Address tied to same NIC

                Guys,

                Aside from the creepy factor, are there any major
gotchas when you have a NIC that has both internal and external IP
addresses on it?

                Someone set up an ISA server that simply has a web
publishing rule that allows connectivity to a back end box (HTTP/HTTPS);
that's all it's being used for.

                Unfortunately, the people here decided it made sense to
specify an internal IP range on a NIC and then add an external VIP on
it, too.  So, we have essentially a NIC with internal IP addressing as
192.168.10.120/24/.1 and a VIP of 10.10.209.120/16.

                It does, however, look like an additional access rule
was set up that allows all networks to talk with the backend box.

                So, the argument I get is that because this setup is
working, what is wrong with the way it is set up.  This screams all wrong
to me but I can't articulate why.  Any help?

                Cordially yours,

                Jerry G. Young II
                Application Engineer
                Platform Engineering and Architecture
                NTT America, an NTT Communications Company

                22451 Shaw Rd.
                Sterling, VA 20166

                Office: 571-434-1319
                Fax: 703-333-6749
                Email: g.young@xxxxxxxx

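An added example, not from the thread or from ISA itself, that turns the point made at the top of the thread into a configuration check: any NIC whose addresses fall on both sides of the ISA Internal network definition is a single broadcast domain, so the firewall is no longer inline between those two sides. The Internal range and the NIC table are constructed assumptions; the "LAN" entry reproduces the 192.168.10.120/24 plus 10.10.209.120/16 configuration from the original question.

```python
import ipaddress

# Constructed assumption: the address ranges this ISA server's "Internal"
# network is defined as. ISA treats anything outside them as External,
# which is how it decides which side of the firewall an address is on.
INTERNAL_RANGES = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample NIC table. "LAN" is the configuration from the thread:
# an internal address plus an "external" VIP on one physical NIC. The other
# two entries are a properly segmented pair for comparison.
NIC_ADDRESSES = {
    "LAN": ["192.168.10.120/24", "10.10.209.120/16"],
    "INSIDE": ["192.168.20.5/24"],
    "OUTSIDE": ["203.0.113.5/24"],
}


def classify(addr_with_prefix, internal_ranges=INTERNAL_RANGES):
    """Return 'internal' if the host address lies in an Internal range, else 'external'."""
    ip = ipaddress.ip_interface(addr_with_prefix).ip
    return "internal" if any(ip in net for net in internal_ranges) else "external"


def mixed_zone_nics(nic_addresses, internal_ranges=INTERNAL_RANGES):
    """Map NIC name -> sorted zones for every NIC whose addresses straddle zones.

    One NIC means one broadcast domain, so a NIC that carries both an Internal
    and an External address puts both sides on the same wire: the firewall is
    not inline between them, which is the bypass the thread describes.
    """
    findings = {}
    for nic, addrs in nic_addresses.items():
        zones = {classify(a, internal_ranges) for a in addrs}
        if len(zones) > 1:
            findings[nic] = sorted(zones)
    return findings


if __name__ == "__main__":
    for nic, zones in mixed_zone_nics(NIC_ADDRESSES).items():
        print(f"{nic}: addresses span {' and '.join(zones)} zones; not physically segmented")
```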