[isapros] Re: External an Internal IP Address tied to same NIC

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 25 Jun 2007 11:39:21 -0700

At the end of any day, defining two subnets at a single-net ISA only serves to 
unnecessarily complicate the deployment.
There is no gain in this whatsoever.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gerald G. Young
Sent: Monday, June 25, 2007 10:07 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

So at the end of the day because we are just using a web publishing rule and 
HTTP filtering is fine in this scenario, it can be said that it is working but 
will be the only thing that does work.

Cordially yours,
Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, June 25, 2007 12:40 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

Nope - not even that good.
ISA cannot behave as a router unless separate subnets are operating on
separate interfaces.
Basically, the security implications are that except for HTTP filtering,
ISA offers no protection whatsoever other than its own server.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Monday, June 25, 2007 9:22 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

Yup, I concur....:)

It's just acting as a very badly configured router....

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Monday, June 25, 2007 1:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: External an Internal IP Address tied to same NIC

Sounds like it's in hork mode anyhow, so it's not providing any real
security, so I can't say that there are any security implications to
this config.

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Monday, June 25, 2007 10:53 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] External an Internal IP Address tied to same NIC

Guys,

Aside from the creepy factor, are there any major gotchas when you have a NIC that has both internal and external IP addresses on it?

Someone set up an ISA server that simply has a web publishing rule that allows connectivity to a back end box (HTTP/HTTPS); that's all it's being used for.

Unfortunately, the people here decided it made sense to specify an internal IP range on a NIC and then add an external VIP on it, too. So, we have essentially a NIC with internal IP addressing as 192.168.10.120/24/.1 and a VIP of 10.10.209.120/16.

It does, however, look like an additional access rule was set up that allows all networks to talk with the backend box.

So, the argument I get is that because this setup is working, what is wrong with the way it is set up? This screams all wrong to me but I can't articulate why. Any help?

Cordially yours,
Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

All mail to and from this domain is GFI-scanned.
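An added audit check, not code from the thread or from ISA itself, that models the single-NIC setup Jerry describes: it classifies each adapter's addresses against the ISA network definitions and flags any adapter whose addresses fall into more than one ISA network, which is the condition Jim points out prevents ISA from acting as a router or enforcing separation. The adapter inventory, the `ISA_NETWORKS` table and the function names are constructed for this example; the addresses are the ones quoted in the question.

```python
"""Flag adapters carrying addresses in more than one ISA network.

Added example for the thread above, not part of ISA or the original posts.
ISA_NETWORKS and ADAPTERS are constructed inputs; classify() and
adapters_spanning_networks() are names chosen here, not an ISA API.
"""
from ipaddress import ip_interface, ip_network

# Constructed: ISA network definitions, name -> address ranges. ISA's
# "External" network is implicitly everything not listed elsewhere, so an
# address matching no listed range is classified as External below.
ISA_NETWORKS = {
    "Internal": [ip_network("192.168.10.0/24")],
}

# Constructed adapter inventory mirroring the question: one NIC with the
# internal address 192.168.10.120/24 and the external VIP 10.10.209.120/16.
ADAPTERS = {
    "LAN": ["192.168.10.120/24", "10.10.209.120/16"],
}


def classify(addr):
    """Return the ISA network an interface address belongs to."""
    iface = ip_interface(addr)
    for name, ranges in ISA_NETWORKS.items():
        if any(iface.ip in r for r in ranges):
            return name
    return "External"


def adapters_spanning_networks(adapters):
    """Return {adapter: sorted network names} for every adapter whose
    addresses fall into more than one ISA network. That is the layout the
    thread warns about: with both networks on one NIC, ISA has no interface
    boundary to route or filter across, so only its own host is protected."""
    findings = {}
    for nic, addrs in adapters.items():
        nets = sorted({classify(a) for a in addrs})
        if len(nets) > 1:
            findings[nic] = nets
    return findings


if __name__ == "__main__":
    for nic, nets in adapters_spanning_networks(ADAPTERS).items():
        print(f"{nic}: addresses in {nets}; ISA cannot separate these networks")
```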