RE: Help me and my ISA server

From: Damien Ilmonen (damien@hammerheadtech.net)
Date: 06/10/02


From: "Damien Ilmonen" <damien@hammerheadtech.net>
To: <miloskv1@netscape.net>, <focus-ms@securityfocus.com>
Date: Mon, 10 Jun 2002 12:24:56 -0500

Yes, the LAT is only for people that are in your "private" space. If
you have everything in the LAT, than anyone who can access your IP
address can proxy off of your ISA server. Something that could be done
if you cannot change the physcial configuration is to enable user
authentication against the server so that only people logged into your
network can proxy off the server. However, I do not see why you cannot
add a second NIC to the ISA server, change the LAT, & modify the gateway
so that they using the ISA server. You'll be able to get better control
over your traffic & should be able to setup your content filtering and
any server hosting much better as well. You can't "publish" anything
when you only have one NIC in the ISA server.

Damien Ilmonen, CISSP

-----Original Message-----
From: miloskv1@netscape.net [mailto:miloskv1@netscape.net]
Sent: Monday, June 10, 2002 7:03 AM
To: focus-ms@securityfocus.com
Subject: Help me and my ISA server

I've just got a job as a system administrator in one company which have
ISA 2000 server in it. When I look at the configuration of my isa server
I saw that it has only one network adapter connected to the public range
of IP adressess on my network. Internal client are comming from my
private range (192.168.x.x) through win2000 router 192.168.x.x /
194.x.x.x and comming to my ISA server one and only NIC 194.x.x.140.
Something like this

192.168.0.0-192.168.0.254--------router(192.168.0.5 /
194.X.X.139)------ISA(194.X.X.140)---------Zyxell (194.X.X.141)

I saw that lot of people use my ISA server as their proxy (people from
internet). I went to microsoft web site and saw that minimal
requirements for ISA 2000 (In integrated mode) are two network adapters
(one for private one for public). So I think LAT table in my case is
useless... Am I Right???? I want to know if this is real problem (My ISA
is exploited becouse of stupidity of an ex-administrator (guy before me
who installed ISA2000) Any help will be great and any questions or
suggestions will help me a lot. Thanks for your time and everything you
have allready done for me and my knowledge.

Milos K. V. , System Administrator
Belgrade, Yugoslavia

__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas.
Experience the convenience of buying online with Shop@Netscape!
http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at
http://webmail.netscape.com/