[isapros] Re: ISA/IAG Topologies

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jun 2008 18:13:10 -0700

I knew that (both of them) - and that's why I'd like to get you two in the same
bar for the discussion.
There is just too much "religious fervor" over the FUD that's suddenly hit the
blogosphere.

Jim

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Thursday, June 05, 2008 6:05 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA/IAG Topologies

Yeah, I was just funnin'.  I would have enjoyed that.  I've worked with
Steve before -- I've no doubt it would have been a respectful,
thoughtful, and engaging debate -- or really, a sharing of ideas in a
way that moves things forward... Not a "club you over the head with my
ideas" thing that so often happens...

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Thursday, June 05, 2008 6:00 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
>
> Actually, I did and he was disappointed at not being able to engage you
> on the subject.
> He's well-acquainted with the stories of he who calls himself
> ...Tim
>
> jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, June 05, 2008 4:16 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA/IAG Topologies
>
> He must have told him it was ME he was debating against ;)
>
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Thursday, June 05, 2008 12:43 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ISA/IAG Topologies
> >
> > Bummer. :(
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Jim Harrison
> > > Sent: Thursday, June 05, 2008 2:40 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > :-(
> > > Steve can't make it.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thomas W Shinder
> > > Sent: Thursday, June 05, 2008 12:15 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ISA/IAG Topologies
> > >
> > > I'll second that! I would be very interesting and some useful
> > > conclusions could come of it.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Jim Harrison
> > > > Sent: Thursday, June 05, 2008 1:32 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > >
> > > > Will do!
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thor (Hammer of God)
> > > > Sent: Thursday, June 05, 2008 11:23 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > >
> > > > You know, an actual "open debate" at Blackhat wouldn't really be a bad
> > > > idea.  In fact, I think it would be quite valuable for all involved.
> > > >
> > > > Hmmm... Jim, see if Steve is open to it ;)
> > > >
> > > > t
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > Sent: Wednesday, June 04, 2008 7:21 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > >
> > > > > I'd like to know the same thing. How does "Direct Connect" mean the
> > > > > "death of the DMZ"? As far as I can tell, these "Direct Connect" clients
> > > > > represent yet another perimeter (DMZ) that we need to deal with and
> > > > > manage appropriately.
> > > > >
> > > > >
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > Sent: Wednesday, June 04, 2008 9:03 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > >
> > > > > > Same thing I was going to say.  But notice the first thing he says that
> > > > > > one MUST have is a DMZ (among other things).  So yes, it's just a
> > > > > > different way of saying the same thing.
> > > > > >
> > > > > > I have no idea where people get that "DMZ" calls out a particular
> > > > > > topology -- it's just a logical concept that manifests itself in a
> > > > > > physical network deployment based on the goals of the config.
> > > > > > Regardless, the whole "direct connect" bit doesn't really apply... but,
> > > > > > what do you say?
> > > > > >
> > > > > > t
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > Sent: Wednesday, June 04, 2008 5:49 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > >
> > > > > > > Interesting. He goes through a very very long explanation of a simple
> > > > > > > concept -- that there are multiple perimeters and that each perimeter
> > > > > > > needs to be managed differently.
> > > > > > >
> > > > > > > Thomas W Shinder, M.D.
> > > > > > > Site: www.isaserver.org
> > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > On Behalf Of Stefaan Pouseele
> > > > > > > > Sent: Wednesday, June 04, 2008 2:05 AM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > What about
> > > > > > > >
> > > > > > > > http://isc.sans.org/presentations/2006-sansatnight-notes-optimez.pdf?
> > > > > > > >
> > > > > > > > Stefaan
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > On Behalf Of Jason Jones
> > > > > > > > Sent: woensdag 4 juni 2008 1:17
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > Does 'Direct connect' fall into a similar category as SSL VPN where
> > > > > > > > they are really providing a "transport solution", as opposed to a
> > > > > > > > "security solution"?
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > On Behalf Of Thomas W Shinder
> > > > > > > > Sent: 04 June 2008 00:11
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > >
> > > > > > > > Bam!!! Exactly. That is where my thinking was going in this direction. I
> > > > > > > > don't see how "Direct Connect" is going to solve anything other than
> > > > > > > > creating a more difficult to solve problem.
> > > > > > > >
> > > > > > > > "I pity the foo"
> > > > > > > >
> > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > Site: www.isaserver.org
> > > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > > > Sent: Tuesday, June 03, 2008 6:03 PM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > >
> > > > > > > > > Of course (just saw this one ;).
> > > > > > > > >
> > > > > > > > > Direct Access IPSec into the network still affords full stack access.
> > > > > > > > > And it does nothing for untrusted, anonymous access to assets that
> > > > > > > > > should be configured as such.  IPv6 and IPSec will not "kill" the need
> > > > > > > > > for least privilege and security in depth.  I'm actually quite
> > > > > > > > > disappointed that I am seeing professionals let the excitement of "new
> > > > > > > > > technologies" override the need for and importance of core security
> > > > > > > > > postulates.  Saying that the "DMZ is Dead" is foolish, and nothing more
> > > > > > > > > than "Oh, I have something cool to talk about at conferences" fodder.
> > > > > > > > > Or, as Mr. T calls it, "Jibba Jabba."
> > > > > > > > >
> > > > > > > > > t
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > Sent: Tuesday, June 03, 2008 9:01 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > (hee-hee)
> > > > > > > > > > I'd love to get you into the discussion happening in the product
> > > > > > > > > > security alias...
> > > > > > > > > > Can I put you & Steve Riley in the same room for 10 minutes?
> > > > > > > > > >
> > > > > > > > > > Jim
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > > > Sent: Tuesday, June 03, 2008 8:59 AM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > >
> > > > > > > > > > The "DMZ" is alive and well.  Misconceptions of what a DMZ is, or
> > > > > > > > > > what the term means, or how it should be deployed and maintained does
> > > > > > > > > > not affect the absolute need for such a topology.  Anyone who says "The
> > > > > > > > > > DMZ is dead" is either foolishly hanging on to semantics, or they simply
> > > > > > > > > > do not understand what it is for....
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > t
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > On Behalf Of Jason Jones
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 8:21 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > Hi Amy,
> > > > > > > > > > >
> > > > > > > > > > > You may have noticed I used the phrase "ISA protected perimeter
> > > > > > > > > > > network" as I know from bitter experience what you guys are like when I
> > > > > > > > > > > mention the dreaded DMZ word! :-P
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > On Behalf Of Amy Babinchak
> > > > > > > > > > > Sent: 03 June 2008 15:17
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > The newb and even those that shouldn't be newb have a difficult time
> > > > > > > > > > > understanding the basic concept of an authenticated DMZ. To most DMZ
> > > > > > > > > > > means that you stick the server out there naked. Press the DMZ button
> > > > > > > > > > > and allow full access to the server. Don't bother to patch it because
> > > > > > > > > > > you'll probably have to re-image it from time to time anyway, since
> > > > > > > > > > > it's being constantly hacked upon.
> > > > > > > > > > >
> > > > > > > > > > > It's this attitude that causes me to say DMZ is dead. It's old
> > > > > > > > > > > outdated terminology that shouldn't be used anymore. ISA may have the
> > > > > > > > > > > ability to authenticate and protect servers in the DMZ but most don't. I
> > > > > > > > > > > really think that ISA needs a new term.
> > > > > > > > > > >
> > > > > > > > > > > thanks,
> > > > > > > > > > >
> > > > > > > > > > > Amy Babinchak
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Harbor Computer Services | (248) 850-8616
> > > > > > > > > > >
> > > > > > > > > > > Learn about the perfect storm of rebates: June 10th at 9:00am and
> > > > > > > > > > > save money on your SBS 2008 upgrade.
> > > > > > > > > > > Join the meeting.
> > > > > > > > > > > Conference Bridge 866-500-6738  PC:  3876393
> > > > > > > > > > >
> > > > > > > > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > > > > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > > > > > > > Website http://www.harborcomputerservices.net
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > On Behalf Of Thomas W Shinder
> > > > > > > > > > > Sent: Tuesday, June 03, 2008 10:11 AM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > >
> > > > > > > > > > > Yo Jim,
> > > > > > > > > > >
> > > > > > > > > > > Now that is an interesting topic. A paper airplane is simple compared
> > > > > > > > > > > to a B1 bomber, but I'd argue that the B1 probably provides a higher
> > > > > > > > > > > level of security :)
> > > > > > > > > > >
> > > > > > > > > > > Bringing the analogy down a bit, "complexity" is operator dependent.
> > > > > > > > > > > Creating anonymous and authenticated access DMZs is simple for us, but
> > > > > > > > > > > complex for the ISA firewall neophyte. Does that mean the auth and anon
> > > > > > > > > > > DMZ concept is not secure? Or is it secure for us, but not secure for
> > > > > > > > > > > nEwB?
> > > > > > > > > > >
> > > > > > > > > > > Just playing with the idea of "complexity is the enemy of security". It
> > > > > > > > > > > sounds right to me, just trying to figure out the corollary arguments.
> > > > > > > > > > >
> > > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > On Behalf Of Jim Harrison
> > > > > > > > > > > > Sent: Tuesday, June 03, 2008 9:00 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > Since "better" is subjective, I'd be more inclined to call it
> > > > > > > > > > > > "better-isolated".
> > > > > > > > > > > > In general, any time you can functionally isolate (whether this is
> > > > > > > > > > > > literal isolation is another discussion) inbound and outbound traffic,
> > > > > > > > > > > > your firewall policies and requirements become simplified.  It's a given
> > > > > > > > > > > > that since complexity increases the odds of human error, complexity
> > > > > > > > > > > > must therefore be the enemy of security.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > On Behalf Of Jason Jones
> > > > > > > > > > > > Sent: Tuesday, June 03, 2008 3:35 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > So, in this scenario, I am right to consider a combined solution to
> > > > > > > > > > > > get a "better" security solution - yes?
> > > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > On Behalf Of Jim Harrison
> > > > > > > > > > > > Sent: 02 June 2008 16:43
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > MS separates inbound and outbound arrays.
> > > > > > > > > > > > You're right; IAG sux as a fwd proxy and ISA bows to IAG remote client
> > > > > > > > > > > > trust mechanisms.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > On Behalf Of Jason Jones
> > > > > > > > > > > > Sent: Monday, June 02, 2008 7:16 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > > As ever, I have left out the details until someone volunteers to
> > > > > > > > > > > > help :)
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > I know that IAG *is* ISA, but in the current solution set the ISA "bit"
> > > > > > > > > > > > doesn't scale very well if you are looking at multiple IAG units to
> > > > > > > > > > > > protect a data centre for all inbound and outbound access. In this sort
> > > > > > > > > > > > of scenario, IAG can't really cut it on its own to facilitate
> > > > > > > > > > > > system-to-system communications (and authenticated outbound/forward
> > > > > > > > > > > > access) and ISA seems much more appropriate. I know ISA could be
> > > > > > > > > > > > configured to do some of this, but having to create firewall policy
> > > > > > > > > > > > rules on each appliance and synchronise them across several IAG
> > > > > > > > > > > > appliances doesn't seem very elegant to me...
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > So assuming we are looking at an Internet datacentre model (e.g. all
> > > > > > > > > > > > the clients and untrusted systems are on the outside) I am thinking
> > > > > > > > > > > > that both IAG and ISA would be needed to provide an elegant solution -
> > > > > > > > > > > > yes?
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > In this model, it seemed to make sense to put ISA on the edge as it
> > > > > > > > > > > > can provide LB/HA out of the box (with NLB), whereas IAG cannot. ISA
> > > > > > > > > > > > can then be used for "protection" and IPSec VPN with IAG added for more
> > > > > > > > > > > > advanced publishing with/without endpoint checking as required.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > In the above model, I am leaning towards putting the external
> > > > > > > > > > > > interface of IAG into an ISA anonymous access DMZ, with both devices
> > > > > > > > > > > > connected directly to the internal protected network. However, I am
> > > > > > > > > > > > curious if this provides little benefit and I may as well simplify
> > > > > > > > > > > > things by placing IAG in parallel if it will be dedicated for remote
> > > > > > > > > > > > access duties...
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Any chance of a hint at what MS IT do?? ;-)
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202
> > > > > > > > > > > > 360489 | Mobile: +44 (0)7971 500312 | Email/MSN:
> > > > > > > > > > > > jason.jones@xxxxxxxxxxxxxxxxx
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > On Behalf Of Jim Harrison
> > > > > > > > > > > > Sent: 02 June 2008 14:47
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > ..pick one.
> > > > > > > > > > > >
> > > > > > > > > > > > ..no; really - there is no "boilerplate".
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > It depends on what you have for application and security
> > > > > > > > > > > > requirements.
> > > > > > > > > > > >
> > > > > > > > > > > > IAG *is* ISA with some kewl stuff tossed into the mix.
> > > > > > > > > > > >
> > > > > > > > > > > > Thus, the question of whether to place IAG or ISA at the edge is
> > > > > > > > > > > > equivalent to asking "should I place ISA or ISA at the edge?"
> > > > > > > > > > > >
> > > > > > > > > > > > Deploying IAG and ISA side-by-side will be determined by the tasking
> > > > > > > > > > > > for each as well.
> > > > > > > > > > > >
> > > > > > > > > > > > In general, using IAG for fwd traffic is, shall we say, a bit less
> > > > > > > > > > > > than easy.
> > > > > > > > > > > >
> > > > > > > > > > > > Likewise, trying to duplicate the functionality IAG brings to the
> > > > > > > > > > > > application publishing game is impossible.
> > > > > > > > > > > >
> > > > > > > > > > > > IOW, their relative merits in a given scenario depend largely on what
> > > > > > > > > > > > you want them to do.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Jim
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > On Behalf Of Jason Jones
> > > > > > > > > > > > Sent: Monday, June 02, 2008 2:34 AM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] ISA/IAG Topologies
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Hi All,
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > I was wondering what sort of topologies you guys had used for
> > > > > > > > > > > > customers who were looking at combined ISA Server and IAG deployments?
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > For example:
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Should ISA be the edge device with IAG in an ISA protected perimeter
> > > > > > > > > > > > network?
> > > > > > > > > > > >
> > > > > > > > > > > > Should ISA and IAG be placed in parallel?
> > > > > > > > > > > >
> > > > > > > > > > > > Should IAG be placed between two ISA Server edge firewalls (e.g.
> > > > > > > > > > > > between front-end and back-end ISAs)?
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Any feedback appreciated...
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Cheers
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > JJ
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >   ________________________________
> > > > > > > > > > > >
> > > > > > > > > > > > This email and any files transmitted with it are confidential and
> > > > > > > > > > > > intended solely for the use of the individual to whom it is addressed.
> > > > > > > > > > > > If you have received this email in error, or if you believe this email
> > > > > > > > > > > > is unsolicited and wish to be removed from any future mailings, please
> > > > > > > > > > > > contact our Support Desk immediately on 01202 360360 or email
> > > > > > > > > > > > helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > > > > > > >
> > > > > > > > > > > > If this email contains a quotation then unless otherwise stated it is
> > > > > > > > > > > > valid for 7 days and offered subject to Silversands Professional
> > > > > > > > > > > > Services Terms and Conditions, a copy of which is available on request.
> > > > > > > > > > > > Any pricing information, design information or information concerning
> > > > > > > > > > > > specific Silversands' staff contained in this email is considered
> > > > > > > > > > > > confidential or of commercial interest and exempt from the Freedom of
> > > > > > > > > > > > Information Act 2000.
> > > > > > > > > > > >
> > > > > > > > > > > > Any view or opinions presented are solely those of the author and do
> > > > > > > > > > > > not necessarily represent those of Silversands
> > > > > > > > > > > >
> > > > > > > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > > > > > > > > > > Company Registration Number : 2141393.
> > > > > > > > > > > >
Other related posts: