RE: [fw-wiz] Strange setup

From: Robert L. Wanamaker (bobw_at_avantsystems.com)
Date: 02/27/04

  • Next message: Gary Flynn: "[fw-wiz] Re: IPS"
    To: "'franco segna'" <fsegna@web.de>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 26 Feb 2004 18:26:58 -0500
    
    

    Greetings.

    I agree with Paul that without knowing more about the rulesets, etc. it's
    really impossible to say. But I would say that since you haven't indicated
    the presence of any hosts on the ISA<->SonicWall segment, then it's not
    really functioning as a DMZ, but merely as a segment to connect the two
    devices.

    This architecture, IMO, can have significant advantages in an MS shop. As
    Mark indicated, ISA functions as an application layer proxy. I tend to
    disagree that you must have two NICs and dual-home the server; I know that
    Microsoft indicates you must, but I have many sites operating with just one
    segment in MS-Proxy/ISA. It's a bit of torture setting one up the first
    time this way, but it works fine.

    The great advantage [IMO] of this architecture is that you can easily set up
    egress filtering to prohibit all client workstations from accessing the
    outside world directly, and permit only the ISA server such access. A great
    thing is that since ISA server is Active Directory aware, it becomes quite
    easy to manage users and groups at the application level, and restrict
    access to certain sites based on AD information. Not to mention logging of
    user activity, blah blah blah.

    The LAN-backbone<->SonicWall segment is in place to permit mail, and any
    other non-proxy-aware applications, to function as needed. If the ISA server
    were set up single-homed, the overall architecture would be simplified.

    If that "dmz" truly has no hosts, and is not doing anything, then I think
    this is a safe bet.

    Regards,

    Bob

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of franco segna
    Sent: Thursday, February 26, 2004 9:39 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Strange setup

    Hi everybody,
    I'm being confronted with the following existing setup:

        T1 --------------------------------
    (Internet | LAN backbone |
     and VPNs) ------------+---+---+-+-+-+-+---
         | | | | | | | |
         | +-------+ local x.x.x.254/24 | | | | | | +-
         | | Sonic +---------------------+ | | | | +-
         +--+ Wall | | | | |
            | Pro +------+ | | | +- SQL
            +-------+ dmz | | | +-- mail
                      (?) | +--------+ | +--- etc.
                           | | MS ISA | |
                           +--+ 2000 +------+
                              | Server | x.x.x.251/24
                              +--------+

    The public web server is hosted elsewhere. The LAN comprises 30
    workstations.
    To complicate the matter, the LAN address family x.x.x. is NOT
    RFC1918-compliant (and is conflicting with existing Internet hosts).
    The system is up and running, but I cannot understand the bypassing of the
    ISA server through the direct connection firewall/LAN. And the meaning of
    DMZ seems to be lost.
    Can anyone help me understand the matter? Thanks in advance.

    Franco Segna

    ---
    Franco Segna  -  fsegna@web.de
    via Dante Alighieri 60 - 31027 Spresiano TV - Italia phone +39 0422 725020
    -  fax +39 0422 888707
    Keys server wwwkeys.pgp.net
    Key fingerprint = 704C 3070 70A0 680A 760D  025E D849 02AB 2309 87A3
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
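The egress design Bob describes above (workstations denied direct Internet access, with only the ISA proxy and the non-proxy-aware mail path allowed out through the SonicWall), as an added example that is not part of the thread and is not SonicWall or ISA configuration: a first-match egress policy evaluator, a check for rules shadowed by an earlier broader rule (the usual way a "deny all workstations" rule silently swallows the proxy exception), and an RFC1918 check for the LAN address space Franco says is publicly routable. The addresses, rule names and the mail host's address are constructed stand-ins for the x.x.x.0/24 network in the post.

```python
"""Model of the egress policy discussed in the thread. Added example, not
code from the thread, from SonicWall or from ISA. Addresses are constructed
stand-ins: 10.0.0.0/24 plays the role of the post's x.x.x.0/24, .251 the ISA
server, .25 an assumed address for the mail host."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network          # a /32 for a single host
    proto: Optional[str]      # "tcp", "udp", or None for any protocol
    dport: Optional[int]      # None for any destination port
    action: str               # "allow" or "deny"

    def matches(self, src: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule,
        i.e. placing this rule earlier makes `other` unreachable."""
        return (other.src.subnet_of(self.src)
                and (self.proto is None or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


LAN = ip_network("10.0.0.0/24")           # stand-in for x.x.x.0/24
ISA_PROXY = ip_network("10.0.0.251/32")   # stand-in for x.x.x.251 (ISA server)
MAIL = ip_network("10.0.0.25/32")         # constructed address for the mail host

# First-match policy for traffic leaving the LAN towards the SonicWall:
# only the proxy goes out freely, mail goes out on SMTP, everything else is denied.
EGRESS_POLICY: List[Rule] = [
    Rule("isa-proxy-out", ISA_PROXY, "tcp", None, "allow"),
    Rule("mail-smtp-out", MAIL, "tcp", 25, "allow"),
    Rule("lan-default-deny", LAN, None, None, "deny"),
]


def egress_decision(policy: List[Rule], src: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the packet;
    anything no rule mentions is denied."""
    src_addr = ip_address(src)
    for rule in policy:
        if rule.matches(src_addr, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them."""
    return [rule.name for i, rule in enumerate(policy)
            if any(earlier.covers(rule) for earlier in policy[:i])]


def non_rfc1918(network: str) -> bool:
    """True if the LAN prefix is publicly routable space, which is the
    collision with real Internet hosts that the original post mentions."""
    net = ip_network(network)
    return not any(net.subnet_of(p) for p in RFC1918)


if __name__ == "__main__":
    for src, proto, dport in [("10.0.0.42", "tcp", 80), ("10.0.0.251", "tcp", 443),
                              ("10.0.0.25", "tcp", 25), ("10.0.0.25", "tcp", 80)]:
        print(src, proto, dport, "->", egress_decision(EGRESS_POLICY, src, proto, dport))
    # Same rules with the LAN deny placed first: both allow rules are shadowed.
    misordered = [EGRESS_POLICY[2], EGRESS_POLICY[0], EGRESS_POLICY[1]]
    print("shadowed in misordered policy:", shadowed_rules(misordered))
    print("LAN uses public space:", non_rfc1918("203.0.113.0/24"))
```

The ordering check is the part worth keeping when translating this to a real ruleset: on a first-match device the "deny workstations" rule must sit after the proxy and mail exceptions, and `shadowed_rules` is the test that catches it the other way round.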
