[isapros] Re: ISA/IAG Topologies

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jun 2008 18:04:47 -0700

Yeah, I was just funnin'.  I would have enjoyed that.  I've worked with
Steve before -- I've no doubt it would have been a respectful,
thoughtful, and engaging debate -- or really, a sharing of ideas in a
way that moves things forward... Not a "club you over the head with my
ideas" thing that so often happens...

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Thursday, June 05, 2008 6:00 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
> 
> Actually, I did and he was disappointed at not being able to engage you
> on the subject.
> He's well-acquainted with the stories of he who calls himself
> ...Tim
> 
> jim
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, June 05, 2008 4:16 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
> 
> He must have told him it was ME he was debating against ;)
> 
> t
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Thursday, June 05, 2008 12:43 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > Bummer. :(
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Thursday, June 05, 2008 2:40 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > :-(
> > > Steve can't make it.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Thursday, June 05, 2008 12:15 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > I'll second that! It would be very interesting and some useful
> > > conclusions could come of it.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Thursday, June 05, 2008 1:32 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > >
> > > > Will do!
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > Sent: Thursday, June 05, 2008 11:23 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > >
> > > > You know, an actual "open debate" at Blackhat wouldn't really be a bad
> > > > idea.  In fact, I think it would be quite valuable for all involved.
> > > >
> > > > Hmmm... Jim, see if Steve is open to it ;)
> > > >
> > > > t
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > Sent: Wednesday, June 04, 2008 7:21 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > >
> > > > > I'd like to know the same thing. How does "Direct Connect" mean the
> > > > > "death of the DMZ"? As far as I can tell, these "Direct Connect"
> > > > > clients represent yet another perimeter (DMZ) that we need to deal
> > > > > with and manage appropriately.
> > > > >
> > > > >
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > Sent: Wednesday, June 04, 2008 9:03 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > >
> > > > > > Same thing I was going to say.  But notice the first thing he says
> > > > > > that one MUST have is a DMZ (among other things).  So yes, it's just
> > > > > > a different way of saying the same thing.
> > > > > >
> > > > > > I have no idea where people get that "DMZ" calls out a particular
> > > > > > topology -- it's just a logical concept that manifests itself in a
> > > > > > physical network deployment based on the goals of the config.
> > > > > > Regardless, the whole "direct connect" bit doesn't really apply...
> > > > > > but, what do you say?
> > > > > >
> > > > > > t
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > Sent: Wednesday, June 04, 2008 5:49 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > Interesting. He goes through a very very long explanation of a
> > > > > > > simple concept -- that there are multiple perimeters and that each
> > > > > > > perimeter needs to be managed differently.
> > > > > > >
> > > > > > > Thomas W Shinder, M.D.
> > > > > > > Site: www.isaserver.org
> > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > > > > > > > Sent: Wednesday, June 04, 2008 2:05 AM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > What about
> > > > > > > >
> > > > > > > > http://isc.sans.org/presentations/2006-sansatnight-notes-optimez.pdf?
> > > > > > > >
> > > > > > > > Stefaan
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > Sent: Wednesday 4 June 2008 1:17
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > Does 'Direct connect' fall into a similar category as SSL VPN
> > > > > > > > where they are really providing a "transport solution", as
> > > > > > > > opposed to a "security solution"?
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > Sent: 04 June 2008 00:11
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > Bam!!! Exactly. That is where my thinking was going in this
> > > > > > > > direction. I don't see how "Direct Connect" is going to solve
> > > > > > > > anything other than creating a more difficult to solve problem.
> > > > > > > >
> > > > > > > > "I pity the foo"
> > > > > > > >
> > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > Site: www.isaserver.org
> > > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > > Sent: Tuesday, June 03, 2008 6:03 PM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > Of course (just saw this one ;).
> > > > > > > > >
> > > > > > > > > Direct Access IPSec into the network still affords full stack
> > > > > > > > > access.  And it does nothing for untrusted, anonymous access to
> > > > > > > > > assets that should be configured as such.  IPv6 and IPSec will
> > > > > > > > > not "kill" the need for least privilege and security in depth.
> > > > > > > > > I'm actually quite disappointed that I am seeing professionals
> > > > > > > > > let the excitement of "new technologies" override the need for
> > > > > > > > > and importance of core security postulates.  Saying that the
> > > > > > > > > "DMZ is Dead" is foolish, and nothing more than "Oh, I have
> > > > > > > > > something cool to talk about at conferences" fodder.  Or, as
> > > > > > > > > Mr. T calls it, "Jibba Jabba."
> > > > > > > > >
> > > > > > > > > t
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > Sent: Tuesday, June 03, 2008 9:01 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > (hee-hee)
> > > > > > > > > > I'd love to get you into the discussion happening in the
> > > > > > > > > > product security alias...
> > > > > > > > > > Can I put you & Steve Riley in the same room for 10 minutes?
> > > > > > > > > >
> > > > > > > > > > Jim
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > > > Sent: Tuesday, June 03, 2008 8:59 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > The "DMZ" is alive and well.  Misconceptions of what a DMZ is,
> > > > > > > > > > or what the term means, or how it should be deployed and
> > > > > > > > > > maintained does not affect the absolute need for such a
> > > > > > > > > > topology.  Anyone who says "The DMZ is dead" is either
> > > > > > > > > > foolishly hanging on to semantics, or they simply do not
> > > > > > > > > > understand what it is for....
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > t
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 8:21 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > Hi Amy,
> > > > > > > > > > >
> > > > > > > > > > > You may have noticed I used the phrase "ISA protected
> > > > > > > > > > > perimeter network" as I know from bitter experience what you
> > > > > > > > > > > guys are like when I mention the dreaded DMZ word! :-P
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > > > > > > > Sent: 03 June 2008 15:17
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > The newb and even those that shouldn't be newb have a
> > > > > > > > > > > difficult time understanding the basic concept of an
> > > > > > > > > > > authenticated DMZ. To most, DMZ means that you stick the
> > > > > > > > > > > server out there naked. Press the DMZ button and allow full
> > > > > > > > > > > access to the server. Don't bother to patch it because
> > > > > > > > > > > you'll probably have to re-image it from time to time
> > > > > > > > > > > anyway, since it's being constantly hacked upon.
> > > > > > > > > > >
> > > > > > > > > > > It's this attitude that causes me to say DMZ is dead. It's
> > > > > > > > > > > old outdated terminology that shouldn't be used anymore. ISA
> > > > > > > > > > > may have the ability to authenticate and protect servers in
> > > > > > > > > > > the DMZ but most don't. I really think that ISA needs a new
> > > > > > > > > > > term.
> > > > > > > > > > >
> > > > > > > > > > > thanks,
> > > > > > > > > > >
> > > > > > > > > > > Amy Babinchak
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Harbor Computer Services |(248) 850-8616
> > > > > > > > > > >
> > > > > > > > > > > Learn about the perfect storm of rebates: June 10th at 9:00am
> > > > > > > > > > > and save money on your SBS 2008 upgrade.
> > > > > > > > > > > Join the meeting.
> > > > > > > > > > > Conference Bridge 866-500-6738  PC:  3876393
> > > > > > > > > > >
> > > > > > > > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > > > > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > > > > > > > Website http://www.harborcomputerservices.net
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 10:11 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > Yo Jim,
> > > > > > > > > > >
> > > > > > > > > > > Now that is an interesting topic. A paper airplane is simple
> > > > > > > > > > > compared to a B1 bomber, but I'd argue that the B1 probably
> > > > > > > > > > > provides a higher level of security :)
> > > > > > > > > > >
> > > > > > > > > > > Bringing the analogy down a bit, "complexity" is operator
> > > > > > > > > > > dependent. Creating anonymous and authenticated access DMZs
> > > > > > > > > > > is simple for us, but complex for the ISA firewall neophyte.
> > > > > > > > > > > Does that mean the auth and anon DMZ concept is not secure?
> > > > > > > > > > > Or is it secure for us, but not secure for nEwB?
> > > > > > > > > > >
> > > > > > > > > > > Just playing with the idea of "complexity is the enemy of
> > > > > > > > > > > security". It sounds right to me, just trying to figure out
> > > > > > > > > > > the corollary arguments.
> > > > > > > > > > >
> > > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > Sent: Tuesday, June 03, 2008 9:00 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > Since "better" is subjective, I'd be more inclined to call it
> > > > > > > > > > > > "better-isolated".
> > > > > > > > > > > > In general, any time you can functionally isolate (whether
> > > > > > > > > > > > this is literal isolation is another discussion) inbound and
> > > > > > > > > > > > outbound traffic, your firewall policies and requirements
> > > > > > > > > > > > become simplified.  It's a given that since complexity
> > > > > > > > > > > > increases the odds of human error, complexity must therefore
> > > > > > > > > > > > be the enemy of security.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > > > Sent: Tuesday, June 03, 2008 3:35 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > So, in this scenario, I am right to consider a combined
> > > > > > > > > > > > solution to get a "better" security solution - yes?
> > > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > Sent: 02 June 2008 16:43
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > MS separates inbound and outbound arrays.
> > > > > > > > > > > > You're right; IAG sux as a fwd proxy and ISA bows to IAG
> > > > > > > > > > > > remote client trust mechanisms.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > > > Sent: Monday, June 02, 2008 7:16 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > As ever, I have left out the details until someone
> > > > > > > > > > > > volunteers to help :)
> > > > > > > > > > > >
> > > > > > > > > > > > I know that IAG *is* ISA, but in the current solution set
> > > > > > > > > > > > the ISA "bit" doesn't scale very well if you are looking at
> > > > > > > > > > > > multiple IAG units to protect a data centre for all inbound
> > > > > > > > > > > > and outbound access. In this sort of scenario, IAG can't
> > > > > > > > > > > > really cut it on its own to facilitate system-to-system
> > > > > > > > > > > > communications (and authenticated outbound/forward access)
> > > > > > > > > > > > and ISA seems much more appropriate. I know ISA could be
> > > > > > > > > > > > configured to do some of this, but having to create
> > > > > > > > > > > > firewall policy rules on each appliance and synchronise
> > > > > > > > > > > > them across several IAG appliances doesn't seem very
> > > > > > > > > > > > elegant to me...
> > > > > > > > > > > >
> > > > > > > > > > > > So assuming we are looking at an Internet datacentre model
> > > > > > > > > > > > (e.g. all the clients and untrusted systems are on the
> > > > > > > > > > > > outside) I am thinking that both IAG and ISA would be
> > > > > > > > > > > > needed to provide an elegant solution - yes?
> > > > > > > > > > > >
> > > > > > > > > > > > In this model, it seemed to make sense to put ISA on the
> > > > > > > > > > > > edge as it can provide LB/HA out of the box (with NLB),
> > > > > > > > > > > > whereas IAG cannot.  ISA can then be used for "protection"
> > > > > > > > > > > > and IPSec VPN with IAG added for more advanced publishing
> > > > > > > > > > > > with/without endpoint checking as required.
> > > > > > > > > > > >
> > > > > > > > > > > > In the above model, I am leaning towards putting the
> > > > > > > > > > > > external interface of IAG into an ISA anonymous access DMZ,
> > > > > > > > > > > > with both devices connected directly to the internal
> > > > > > > > > > > > protected network. However, I am curious if this provides
> > > > > > > > > > > > little benefit and I may as well simplify things by placing
> > > > > > > > > > > > IAG in parallel if it will be dedicated for remote access
> > > > > > > > > > > > duties...
> > > > > > > > > > > >
> > > > > > > > > > > > Any chance of a hint at what MS IT do?? ;-)
> > > > > > > > > > > >
> > > > > > > > > > > > Jason Jones | Security | Silversands Limited |
> > > > > > > > > > > > Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 |
> > > > > > > > > > > > Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > Sent: 02 June 2008 14:47
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > ..pick one.
> > > > > > > > > > > >
> > > > > > > > > > > > ..no; really - there is no "boilerplate".
> > > > > > > > > > > >
> > > > > > > > > > > > It depends on what you have for application and security
> > > > > > > > > > > > requirements.
> > > > > > > > > > > >
> > > > > > > > > > > > IAG *is* ISA with some kewl stuff tossed into the mix.
> > > > > > > > > > > >
> > > > > > > > > > > > Thus, the question of whether to place IAG or ISA at the
> > > > > > > > > > > > edge is equivalent to asking "should I place ISA or ISA at
> > > > > > > > > > > > the edge?"
> > > > > > > > > > > >
> > > > > > > > > > > > Deploying IAG and ISA side-by-side will be determined by
> > > > > > > > > > > > the tasking for each as well.
> > > > > > > > > > > >
> > > > > > > > > > > > In general, using IAG for fwd traffic is; shall we say, a
> > > > > > > > > > > > bit less than easy.
> > > > > > > > > > > >
> > > > > > > > > > > > Likewise, trying to duplicate the functionality IAG brings
> > > > > > > > > > > > to the application publishing game is impossible.
> > > > > > > > > > > >
> > > > > > > > > > > > IOW, their relative merits in a given scenario depend
> > > > > > > > > > > > largely on what you want them to do.
> > > > > > > > > > > >
> > > > > > > > > > > > Jim
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > > > > > > Sent: Monday, June 02, 2008 2:34 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Hi All,
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > I was wondering what sort of topologies you guys had used
> > > > > > > > > > > > for customers who were looking at combined ISA Server and
> > > > > > > > > > > > IAG deployments?
> > > > > > > > > > > >
> > > > > > > > > > > > For example:
> > > > > > > > > > > >
> > > > > > > > > > > > Should ISA be the edge device with IAG in an ISA protected
> > > > > > > > > > > > perimeter network?
> > > > > > > > > > > >
> > > > > > > > > > > > Should ISA and IAG be placed in parallel?
> > > > > > > > > > > >
> > > > > > > > > > > > Should IAG be placed between two ISA Server edge firewalls
> > > > > > > > > > > > (e.g. between front-end and back-end ISAs)?
> > > > > > > > > > > >
> > > > > > > > > > > > Any feedback appreciated...
> > > > > > > > > > > >
> > > > > > > > > > > > Cheers
> > > > > > > > > > > >
> > > > > > > > > > > > JJ
> > > > > > > > > > > >
> > > > > > > > > > > >   ________________________________
> > > > > > > > > > > >
> > > > > > > > > > > > This email and any files transmitted with it are
> > > > > > > > > > > > confidential and intended solely for the use of the
> > > > > > > > > > > > individual to whom it is addressed. If you have received
> > > > > > > > > > > > this email in error, or if you believe this email is
> > > > > > > > > > > > unsolicited and wish to be removed from any future
> > > > > > > > > > > > mailings, please contact our Support Desk immediately on
> > > > > > > > > > > > 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > > > >
> > > > > > > > > > > > If this email contains a quotation then unless otherwise
> > > > > > > > > > > > stated it is valid for 7 days and offered subject to
> > > > > > > > > > > > Silversands Professional Services Terms and Conditions, a
> > > > > > > > > > > > copy of which is available on request. Any pricing
> > > > > > > > > > > > information, design information or information concerning
> > > > > > > > > > > > specific Silversands' staff contained in this email is
> > > > > > > > > > > > considered confidential or of commercial interest and
> > > > > > > > > > > > exempt from the Freedom of Information Act 2000.
> > > > > > > > > > > >
> > > > > > > > > > > > Any view or opinions presented are solely those of the
> > > > > > > > > > > > author and do not necessarily represent those of
> > > > > > > > > > > > Silversands
> > > > > > > > > > > >
> > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole,
> > > > > > > > > > > > BH17 7BX.
> > > > > > > > > > > > Company Registration Number : 2141393.
> > > > > > > > > > > > ________________________________
> > > > > > > > > > > >
> > > > > > > > > > > > This email and any files transmitted with it are confidential and
> > > > > > > > > > > > intended solely for the use of the individual to whom it is addressed.
> > > > > > > > > > > > If you have received this email in error, or if you believe this
> > > > > > > > > > > > email is unsolicited and wish to be removed from any future mailings,
> > > > > > > > > > > > please contact our Support Desk immediately on 01202 360360 or email
> > > > > > > > > > > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > > > >
> > > > > > > > > > > > If this email contains a quotation then unless otherwise stated it is
> > > > > > > > > > > > valid for 7 days and offered subject to Silversands Professional
> > > > > > > > > > > > Services Terms and Conditions, a copy of which is available on
> > > > > > > > > > > > request. Any pricing information, design information or information
> > > > > > > > > > > > concerning specific Silversands' staff contained in this email is
> > > > > > > > > > > > considered confidential or of commercial interest and exempt from the
> > > > > > > > > > > > Freedom of Information Act 2000.
> > > > > > > > > > > >
> > > > > > > > > > > > Any view or opinions presented are solely those of the author and do
> > > > > > > > > > > > not necessarily represent those of Silversands
> > > > > > > > > > > >
> > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > > > > > > > > > > Company Registration Number : 2141393.

