Short course is that hork mode can be easily bypassed, since it's not an inline device. Imagine the front end firewall in hork mode, with a public and private address on a single NIC, or even using VLAN tagging on the front end firewall and hoping and praying that VLAN hopping doesn't take place. Got to have physical segmentation to get security.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Monday, June 25, 2007 11:04 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External and Internal IP Address tied to same NIC

Can you define "real security" for me? Perhaps even a white paper (I know you guys love hork mode) on why this method of running ISA is not ideal? My mind's a bit muddled right now with frustration. :)

Cordially yours,

Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, June 25, 2007 12:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External and Internal IP Address tied to same NIC

Sounds like it's in hork mode anyhow, so it's not providing any real security, so I can't say that there are any security implications to this config.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Monday, June 25, 2007 10:53 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] External and Internal IP Address tied to same NIC

Guys,

Aside from the creepy factor, are there any major gotchas when you have a NIC that has both internal and external IP addresses on it? Someone set up an ISA server that simply has a web publishing rule that allows connectivity to a back end box (HTTP/HTTPS); that's all it's being used for. Unfortunately, the people here decided it made sense to specify an internal IP range on a NIC and then add an external VIP on it, too. So, we have essentially a NIC with internal IP addressing as 192.168.10.120/24/.1 and a VIP of 10.10.209.120/16. It does, however, look like an additional access rule was set up that allows all networks to talk with the backend box.

So, the argument I get is that because this setup is working, what is wrong with the way it is set up. This screams all wrong to me but I can't articulate why. Any help?

Cordially yours,

Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
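The two findings in the original question (one NIC carrying both an internal-range address and an externally facing VIP, and an access rule that lets all networks reach the back end) are the kind of thing a configuration audit can flag before anyone has to argue about whether "it works" is good enough. The Python below is an added example and is not code from this thread or from ISA Server. The zone boundaries, the interface table and the rule list are constructed here to mirror the configuration Jerry describes (192.168.10.0/24 treated as internal, the 10.10.0.0/16 VIP range treated as the externally facing side); in practice they would be fed from an exported configuration.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed zone map (assumption): which prefixes belong to which security zone.
ZONES: Dict[str, List[str]] = {
    "internal": ["192.168.10.0/24"],
    "external": ["10.10.0.0/16"],
}

# Constructed interface table (assumption): one NIC with both addresses,
# as described in the original question.
INTERFACES: Dict[str, List[str]] = {
    "NIC1": ["192.168.10.120/24", "10.10.209.120/16"],
}

# Constructed rule set (assumption): the web publishing rule plus the
# catch-all access rule the question mentions.
RULES: List[Dict] = [
    {"name": "Publish backend web", "type": "publishing",
     "from": ["External"], "to": ["Backend"], "protocols": ["HTTP", "HTTPS"]},
    {"name": "Allow all to backend", "type": "access",
     "from": ["All Networks"], "to": ["Backend"], "protocols": ["All"]},
]


def zone_of(address: str, zones: Dict[str, List[str]]) -> str:
    """Return the zone whose prefix list contains the host part of `address`."""
    ip = ipaddress.ip_interface(address).ip
    for name, prefixes in zones.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return "unknown"


def zones_per_interface(interfaces: Dict[str, List[str]],
                        zones: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each NIC to the set of zones its configured addresses fall into."""
    return {nic: {zone_of(a, zones) for a in addrs}
            for nic, addrs in interfaces.items()}


def bridging_interfaces(interfaces: Dict[str, List[str]],
                        zones: Dict[str, List[str]]) -> List[str]:
    """NICs whose addresses span more than one zone.

    This is the single-NIC layout the thread calls 'hork mode': the firewall is
    not inline between the zones, so traffic between them need not traverse it.
    """
    return sorted(nic for nic, z in zones_per_interface(interfaces, zones).items()
                  if len(z) > 1)


def overly_broad_rules(rules: List[Dict]) -> List[str]:
    """Access rules whose source is every network or whose protocol set is unrestricted.

    A publishing rule already gives the back end the HTTP/HTTPS reachability it
    needs; an 'All Networks' access rule makes that publishing rule moot.
    """
    return [r["name"] for r in rules
            if r["type"] == "access"
            and ("All Networks" in r["from"] or "All" in r["protocols"])]


def audit_report(interfaces: Dict[str, List[str]], zones: Dict[str, List[str]],
                 rules: List[Dict]) -> List[str]:
    """Collect human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for nic in bridging_interfaces(interfaces, zones):
        spanned = ", ".join(sorted(zones_per_interface(interfaces, zones)[nic]))
        findings.append(f"{nic} carries addresses in multiple zones ({spanned}); "
                        f"zones are not physically segmented by this host")
    for name in overly_broad_rules(rules):
        findings.append(f"access rule '{name}' allows all networks and/or all "
                        f"protocols to its destination")
    return findings


if __name__ == "__main__":
    for line in audit_report(INTERFACES, ZONES, RULES):
        print("FINDING:", line)
```

The zone check is deliberately independent of whether the prefixes are RFC 1918 or public: both addresses in the thread are private, and what matters is that the operator has designated one side as externally facing, which is exactly the boundary the single-NIC layout fails to enforce.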