Could be that too. If on the phone I hear something that sounds like I'm going to asked to give dynamite and match to a kid, I'll refer the client to somebody else in this area :) Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > Of Jim Harrison > Sent: Tuesday, June 03, 2008 11:35 AM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA/IAG Topologies > > Or maybe you just ruin screaming when they regurgistate from certain sources..? > :-P > > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > Of Thomas W Shinder > Sent: Tuesday, June 03, 2008 9:34 AM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: ISA/IAG Topologies > > For example, I had a consulting gig with a customer that had an ISA firewall in place > for just reverse proxy. He wanted me to audit his ISA configuration, as well as their > DNS and Active Directory setup. After the audit was complete, I spent the next day > educating them on how to improve their security. They were very interested and didn't > have any problems understanding the concepts of auth and anon DMZs and thought > they were great ideas -- as they were already jiggy in the area of least privilege. I > showed them how to do it, and how to set it up in their test lab -- and gave them the > option of setting it up in production themselves or having me do it. Since the team was > so enthusiastic, they said they'd prefer to set it up in their lab, test it out, and then > deploy it. Then have me come in an audit the setup. > > Maybe I'm lucky that I usually have good clients. Or maybe it's that I train them to be > good ;) > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > MVP -- Microsoft Firewalls (ISA) > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On > Behalf > > Of Thomas W Shinder > > Sent: Tuesday, June 03, 2008 11:26 AM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: ISA/IAG Topologies > > > > To be fair, we're not talking to the Linksys, Dlink, and Netgear crowd. We're trying to > > talk to people who want to understand how thing work and how to make them work > > better. Leo Laporte and Kim Komando trained admins aren't really the target > audience > > :) > > > > Thomas W Shinder, M.D. > > Site: www.isaserver.org > > Blog: http://blogs.isaserver.org/shinder/ > > Book: http://tinyurl.com/3xqb7 > > MVP -- Microsoft Firewalls (ISA) > > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > Behalf > > > Of Amy Babinchak > > > Sent: Tuesday, June 03, 2008 11:15 AM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > Nor mine... > > > http://search.live.com/results.aspx?q=DMZ+%2B+Amy+Babinchak&src=IE- > > SearchBox > > > > > > But that's not the point. This isn't about users of ISA. This is about general > > knowledge > > > of DMZ. > > > > > > thanks, > > > > > > Amy Babinchak > > > > > > > > > Harbor Computer Services |(248) 850-8616 > > > > > > Learn about the perfect storm of rebates: June 10th at 9:00am and save money on > > > your SBS 2008 upgrade. > > > Join the meeting. > > > Conference Bridge 866-500-6738 PC: 3876393 > > > > > > Tech Blog http://securesmb.harborcomputerservices.net > > > Client Blog http://smalltechnotes.blogspot.com > > > Website http://www.harborcomputerservices.net > > > > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On > > Behalf > > > Of Thomas W Shinder > > > Sent: Tuesday, June 03, 2008 12:06 PM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > Certainly not for lack of trying to educate on my part: > > > > > > http://www.google.com/search?hl=en&q=DMZ+shinder > > > > > > > > > > > > Thomas W Shinder, M.D. > > > Site: www.isaserver.org > > > Blog: http://blogs.isaserver.org/shinder/ > > > Book: http://tinyurl.com/3xqb7 > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > Of Jim Harrison > > > > Sent: Tuesday, June 03, 2008 11:03 AM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > Perception is frequently based on raw ignorance and the willingness to > > > confuse > > > > marketing brochures with technical discussion. Education is the best > > > weapon against > > > > ignorance. > > > > > > > > Sadly, ignorance is self-sustaining, while education requires > > > individual effort. > > > > This, more than any other reason, is why "DMZ" is so poorly understood > > > and makes > > > > for a pretty full classroom every Black Hat. > > > > > > > > Jim > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > Of Amy Babinchak > > > > Sent: Tuesday, June 03, 2008 8:57 AM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > If that was true then yes. But the real world out here says, no one, > > > especially the > > > > hardware firewall vendors, can figure it out. It's a perception issue. > > > If you call it DMZ > > > > then it is assumed that your definition of DMZ is the same one that > > > DLink, NetGear and > > > > Linksys use. > > > > > > > > thanks, > > > > > > > > Amy Babinchak > > > > > > > > > > > > Harbor Computer Services |(248) 850-8616 > > > > > > > > Learn about the perfect storm of rebates: June 10th at 9:00am and save > > > money on > > > > your SBS 2008 upgrade. > > > > Join the meeting. > > > > Conference Bridge 866-500-6738 PC: 3876393 > > > > > > > > Tech Blog http://securesmb.harborcomputerservices.net > > > > Client Blog http://smalltechnotes.blogspot.com > > > > Website http://www.harborcomputerservices.net > > > > > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > Of Jim Harrison > > > > Sent: Tuesday, June 03, 2008 11:43 AM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > "because some can't learn how to use it, the technique is flawed"? > > > > That's some really twisted logic... > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > Of Amy Babinchak > > > > Sent: Tuesday, June 03, 2008 7:17 AM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > The newb and even those that shouldn't be newb have a difficult time > > > understand the > > > > basic concept of an authenticated DMZ. To most DMZ means that you > > > stick the server > > > > out there naked. Press the DMZ button and allow full access to the > > > server. Don't > > > > bother to patch it because you'll probably have to re-image it from > > > time to time > > > > anyway, since it's being constantly hacked upon. > > > > > > > > It's this attitude that causes me to say DMZ is dead. It's old > > > outdated terminology that > > > > shouldn't be used anymore. ISA may have the ability to authenticate > > > and protect > > > > servers in the DMZ but most don't. I really think that ISA needs a new > > > term. > > > > > > > > thanks, > > > > > > > > Amy Babinchak > > > > > > > > > > > > Harbor Computer Services |(248) 850-8616 > > > > > > > > Learn about the perfect storm of rebates: June 10th at 9:00am and save > > > money on > > > > your SBS 2008 upgrade. > > > > Join the meeting. > > > > Conference Bridge 866-500-6738 PC: 3876393 > > > > > > > > Tech Blog http://securesmb.harborcomputerservices.net > > > > Client Blog http://smalltechnotes.blogspot.com > > > > Website http://www.harborcomputerservices.net > > > > > > > > -----Original Message----- > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > Of Thomas W Shinder > > > > Sent: Tuesday, June 03, 2008 10:11 AM > > > > To: isapros@xxxxxxxxxxxxx > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > Yo Jim, > > > > > > > > Now that is an interesting topic. A paper airplane is simple compared > > > to > > > > a B1 bomber, but I'd argue that the B1 probably provides a higher > > > level > > > > of security :) > > > > > > > > Bringing the analogy down a bit, "complexity" is operator dependent. > > > > Creating anonymous and authenticated access DMZs is simple for us, but > > > > complex for the ISA firewall neophyte. Does that mean the auth and > > > anon > > > > DMZ concept is not secure? Or is it secure for us, but not secure for > > > > nEwB? > > > > > > > > Just playing with the idea of "complexity is the enemy of security". > > > It > > > > sounds right to me, just trying to figure out the corrolary arguments. > > > > > > > > Thomas W Shinder, M.D. > > > > Site: www.isaserver.org > > > > Blog: http://blogs.isaserver.org/shinder/ > > > > Book: http://tinyurl.com/3xqb7 > > > > MVP -- Microsoft Firewalls (ISA) > > > > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > > Of Jim Harrison > > > > > Sent: Tuesday, June 03, 2008 9:00 AM > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > > > Since "better" is subjective, I'd be more inclined to call it > > > > "better-isolated". > > > > > In general, any time you can functionally isolate (whether this is > > > > literal isolation is > > > > > another discussion) inbound and outbound traffic, your firewall > > > > policies and > > > > > requirements become simplified. It's a given that since complexity > > > > increases the odds > > > > > of human error, complexity must therefore be the enemy of security. > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > > Of Jason Jones > > > > > Sent: Tuesday, June 03, 2008 3:35 AM > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > > > So, in this scenario, I am right to consider a combined solution to > > > > get a "better" > > > > > security solution - yes? > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > > Of Jim Harrison > > > > > Sent: 02 June 2008 16:43 > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > > > MS separates inbound and outbound arrays. > > > > > You're right; IAG sux as a fwd proxy and ISA bows to IAG remote > > > client > > > > trust > > > > > mechanisms. > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > > Of Jason Jones > > > > > Sent: Monday, June 02, 2008 7:16 AM > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > > > As ever, I have left out the details until someone volunteers to > > > help > > > > J > > > > > > > > > > > > > > > > > > > > I know that IAG *is* ISA, but in the current solution set the ISA > > > > "bit" doesn't scale very > > > > > well if you are looking at multiple IAG units to protect a data > > > centre > > > > for all inbound and > > > > > outbound access. In this sort of scenario, IAG can't really cut it > > > on > > > > it's own to facilitate > > > > > system -to-system communications (and authenticated outbound/forward > > > > access) and > > > > > ISA seems much more appropriate. I know ISA could be configured to > > > do > > > > some of this, > > > > > but having to create firewall policy rules on each appliance and > > > > synchronise them > > > > > across several IAG appliances doesn't seem very elegant to me... > > > > > > > > > > > > > > > > > > > > So assuming we are looking at an Internet datacentre model (e.g. all > > > > the clients and > > > > > untrusted systems are on the outside) I am thinking that both IAG > > > and > > > > ISA would be > > > > > needed to provide an elegant solution - yes? > > > > > > > > > > > > > > > In this model, it seemed to make sense to put ISA on the edge as it > > > > can provide LB/HA > > > > > out of the box (with NLB), whereas IAG cannot. ISA can then be used > > > > for "protection" > > > > > and IPSec VPN with IAG added for more advanced publishing > > > with/without > > > > endpoint > > > > > checking as required. > > > > > > > > > > > > > > > > > > > > In the above model, I am leaning towards putting the external > > > > interface of IAG into an > > > > > ISA anonymous access DMZ, with both devices connected directly to > > > the > > > > internal > > > > > protected network. However, I am curious if this provides little > > > > benefit and I may as > > > > > well simplify things by placing IAG in parallel if it will be > > > > dedicated for remote access > > > > > duties... > > > > > > > > > > > > > > > > > > > > Any chance of a hint at what MS IT do?? ;-) > > > > > > > > > > > > > > > > > > > > Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 > > > > 360489 | Mobile: +44 > > > > > (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx > > > > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > > Of Jim Harrison > > > > > Sent: 02 June 2008 14:47 > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] Re: ISA/IAG Topologies > > > > > > > > > > > > > > > > > > > > ..pick one. > > > > > > > > > > ..no; really - there is no "boilerplate". > > > > > > > > > > > > > > > > > > > > It depends on what you have for application and security > > > requirements. > > > > > > > > > > IAG *is* ISA with some kewl stuff tossed into the mix. > > > > > > > > > > Thus, the question of whether to place IAG or ISA at the edge is > > > > equivalent to asking > > > > > "should I place ISA or ISA at the edge?" > > > > > > > > > > Deploying ISAG and ISA side-by-side will be determined by the > > > tasking > > > > for each as > > > > > well. > > > > > > > > > > In general, using IAG for fwd traffic is; shall we say, a bit less > > > > than easy. > > > > > > > > > > Likewise, trying to duplicate the functionality IAG brings to the > > > > application publishing > > > > > game is impossible. > > > > > > > > > > > > > > > > > > > > IOW, their relative merits in a given scenario depend largely on > > > what > > > > you want them to > > > > > do. > > > > > > > > > > > > > > > > > > > > Jim > > > > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf > > > > > Of Jason Jones > > > > > Sent: Monday, June 02, 2008 2:34 AM > > > > > To: isapros@xxxxxxxxxxxxx > > > > > Subject: [isapros] ISA/IAG Topologies > > > > > > > > > > > > > > > > > > > > Hi All, > > > > > > > > > > > > > > > > > > > > I was wondering what sort of topologies you guys had used for > > > > customers who were > > > > > looking at combined ISA Server and IAG deployments? > > > > > > > > > > > > > > > > > > > > For example: > > > > > > > > > > > > > > > > > > > > Should ISA be the edge device with IAG in an ISA protected perimeter > > > > network? > > > > > > > > > > > > > > > > > > > > Should ISA and IAG be placed in parallel? > > > > > > > > > > > > > > > > > > > > Should IAG be placed between two ISA Server edge firewalls (e.g. > > > > between front-end > > > > > and back-end ISAs)? > > > > > > > > > > > > > > > > > > > > Any feedback appreciated... > > > > > > > > > > > > > > > > > > > > Cheers > > > > > > > > > > > > > > > > > > > > JJ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > > > > > > This email and any files transmitted with it are confidential and > > > > intended solely for the > > > > > use of the individual to whom it is addressed. If you have received > > > > this email in error, > > > > > or if you believe this email is unsolicited and wish to be removed > > > > from any future > > > > > mailings, please contact our Support Desk immediately on 01202 > > > 360360 > > > > or email > > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > If this email contains a quotation then unless otherwise stated it > > > is > > > > valid for 7 days and > > > > > offered subject to Silversands Professional Services Terms and > > > > Conditions, a copy of > > > > > which is available on request. Any pricing information, design > > > > information or > > > > > information concerning specific Silversands' staff contained in this > > > > email is > > > > > considered confidential or of commercial interest and exempt from > > > the > > > > Freedom of > > > > > Information Act 2000. > > > > > > > > > > Any view or opinions presented are solely those of the author and do > > > > not necessarily > > > > > represent those of Silversands > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > ________________________________ > > > > > > > > > > This email and any files transmitted with it are confidential and > > > > intended solely for the > > > > > use of the individual to whom it is addressed. If you have received > > > > this email in error, > > > > > or if you believe this email is unsolicited and wish to be removed > > > > from any future > > > > > mailings, please contact our Support Desk immediately on 01202 > > > 360360 > > > > or email > > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > If this email contains a quotation then unless otherwise stated it > > > is > > > > valid for 7 days and > > > > > offered subject to Silversands Professional Services Terms and > > > > Conditions, a copy of > > > > > which is available on request. Any pricing information, design > > > > information or > > > > > information concerning specific Silversands' staff contained in this > > > > email is > > > > > considered confidential or of commercial interest and exempt from > > > the > > > > Freedom of > > > > > Information Act 2000. > > > > > > > > > > Any view or opinions presented are solely those of the author and do > > > > not necessarily > > > > > represent those of Silversands > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > This email and any files transmitted with it are confidential and > > > > intended solely for the > > > > > use of the individual to whom it is addressed. If you have received > > > > this email in error, > > > > > or if you believe this email is unsolicited and wish to be removed > > > > from any future > > > > > mailings, please contact our Support Desk immediately on 01202 > > > 360360 > > > > or email > > > > > helpdesk@xxxxxxxxxxxxxxxxx > > > > > > > > > > If this email contains a quotation then unless otherwise stated it > > > is > > > > valid for 7 days and > > > > > offered subject to Silversands Professional Services Terms and > > > > Conditions, a copy of > > > > > which is available on request. Any pricing information, design > > > > information or > > > > > information concerning specific Silversands' staff contained in this > > > > email is > > > > > considered confidential or of commercial interest and exempt from > > > the > > > > Freedom of > > > > > Information Act 2000. > > > > > > > > > > Any view or opinions presented are solely those of the author and do > > > > not necessarily > > > > > represent those of Silversands > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. > > > > > Company Registration Number : 2141393. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >