RE: Help me and my ISA server => ISA best practice

From: Greene, Michael (MGreene@lrs.com)
Date: 06/11/02


From: "Greene, Michael" <MGreene@lrs.com>
To: focus-ms@securityfocus.com
Date: Tue, 11 Jun 2002 10:38:16 -0500

There are, of course, many ways for an ISA server to fit into the network
perimeter. I do not mean to distract attention from the intent of this
thread, which is to help determine where it will fit best into a particular
network, especially if doing so might delay a colleague from receiving
needed support. Therefore, with that in mind, I would like to spawn a
separate thread.


What is the consensus on using ISA as a firewall in an enterprise network
design? What is the most effective and best practice method of
implementation? I don't think we necessarily need specifics here, but from
a bird's eye view, what is the most effective placement and installation?


I personally would rather see an ISA array functioning as a method of
monitoring traffic and restricting access with Active Directory integration
and a hardware-based firewall with a proprietary platform on a separate
device(s). To explain a bit more without getting off-topic, the servers
would only need one NIC because they are only connected to the internal (RFC
1918 compliant) network, but I believe most of the outbound access control
will still function.


I am very excited to hear other professionals' opinions on this topic. Do
you trust ISA as a firewall? Does the fact that it is operating on a
Windows platform make it inherently less secure? Is it as robust and
effective as a PIX or a Firewall 1? (only suggestions, I am not trying to be
vendor specific) If so, or if not, why and what would be the best practice
method of implementation?


Michael

-----Original Message-----
From: Gallant, David [mailto:dave@bkm.ca]
Sent: Mon 6/10/2002 2:40 PM
To: focus-ms@securityfocus.com
Cc:
Subject: RE: Help me and my ISA server

ISA requires 2 NICs to do its job properly...one connected to your
private network and the other connected to the public internet (or a
DMZ).

The LAT is used to determine how ISA routes internal requests. If the
IP address that is requested is within the LAT, it determines it to be
the private (internal) addresses (or local requests), anything else is
external and needs to be sent out. This helps in that the ISA does not
have to rely on a routing table to do its job, because even though ISA
routes requests...it's not a router. At no time should there be live
Internet addresses included in the LAT.

Once you have the second network card in, you create destination sets
and rules for inbound -> outbound requests for internal clients and
web/server publishing rules for outbound -> inbound requests from
client/customers.

ISA has many wizards to get you through.

Check out www.isaserver.org and the MS (ISA Server) newsgroups for extra
help (http://www.microsoft.com/isaserver/community/newsgroups/default.asp).
Both are great resources.

DAVE

-----Original Message-----
From: Damien Ilmonen [mailto:damien@hammerheadtech.net]
Sent: Monday, June 10, 2002 2:25 PM
To: miloskv1@netscape.net; focus-ms@securityfocus.com
Subject: RE: Help me and my ISA server

Yes, the LAT is only for people that are in your "private" space. If
you have everything in the LAT, then anyone who can access your IP
address can proxy off of your ISA server. Something that could be done
if you cannot change the physical configuration is to enable user
authentication against the server so that only people logged into your
network can proxy off the server. However, I do not see why you cannot
add a second NIC to the ISA server, change the LAT, & modify the gateway
so that they are using the ISA server. You'll be able to get better control
over your traffic & should be able to set up your content filtering and
any server hosting much better as well. You can't "publish" anything
when you only have one NIC in the ISA server.

Damien Ilmonen, CISSP
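The LAT rule Dave describes (a destination inside the LAT is treated as local, anything else is sent out) and the consequence Damien points out (a LAT that also covers public space lets outsiders proxy through the box) can be checked mechanically. The following Python is an added example written for this thread, not code from any of the posters or from ISA Server itself. It assumes the LAT is expressed as a list of CIDR ranges and that the proxy log lines carry the client address as the third whitespace-separated field; the ranges 198.51.100.0/24 and 203.0.113.0/24 are documentation (TEST-NET) addresses standing in for the public 194.x.x.x space in Milos's diagram, and the log lines are constructed.

```python
import ipaddress

# RFC 1918 private space: the only ranges that belong in a LAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed LATs. The misconfigured one mirrors Milos's single-NIC box, with
# 198.51.100.0/24 (TEST-NET, a placeholder) standing in for his public 194.x range.
CORRECT_LAT = ["192.168.0.0/24"]
MISCONFIGURED_LAT = ["192.168.0.0/24", "198.51.100.0/24"]

# Constructed proxy log: "date time client_ip method url". Two clients are
# outside the private network and should never have been able to proxy.
LOG = """\
2002-06-10 07:03:12 192.168.0.17 GET http://www.example.com/
2002-06-10 07:03:15 203.0.113.45 GET http://www.example.net/
2002-06-10 07:03:19 192.168.0.42 CONNECT mail.example.org:443
2002-06-10 07:03:21 198.51.100.9 GET http://www.example.com/
"""


def lat_problems(lat_ranges):
    """Return (range, reason) for every LAT entry that is not RFC 1918 space.

    Dave's rule: at no time should live Internet addresses be in the LAT.
    """
    problems = []
    for r in lat_ranges:
        net = ipaddress.ip_network(r, strict=False)
        if not any(net.subnet_of(private) for private in RFC1918):
            problems.append((str(net), "not RFC 1918 private space"))
    return problems


def classify_destination(lat_ranges, ip):
    """Mirror ISA's LAT decision: inside the LAT -> 'local', otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    for r in lat_ranges:
        if addr in ipaddress.ip_network(r, strict=False):
            return "local"
    return "external"


def foreign_proxy_clients(lat_ranges, log_text):
    """Client IPs in the log that fall outside the LAT, in order of first appearance.

    With a correct LAT this surfaces outsiders using the box as an open proxy.
    With a LAT that covers public space, those same clients look 'local' and
    the abuse is hidden, which is exactly the trap in the single-NIC setup.
    """
    seen = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client = fields[2]
        if classify_destination(lat_ranges, client) == "external" and client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for name, lat in (("correct", CORRECT_LAT), ("misconfigured", MISCONFIGURED_LAT)):
        print(f"{name} LAT problems: {lat_problems(lat)}")
        print(f"{name} LAT, clients outside LAT: {foreign_proxy_clients(lat, LOG)}")
```

Run against the constructed log, the correct LAT reports two outside clients, while the misconfigured LAT reports only one: the client at 198.51.100.9 is swallowed by the public range in the LAT and is treated as an internal user.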

-----Original Message-----
From: miloskv1@netscape.net [mailto:miloskv1@netscape.net]
Sent: Monday, June 10, 2002 7:03 AM
To: focus-ms@securityfocus.com
Subject: Help me and my ISA server

I've just got a job as a system administrator in one company which has an
ISA 2000 server in it. When I looked at the configuration of my ISA server
I saw that it has only one network adapter, connected to the public range
of IP addresses on my network. Internal clients are coming from my
private range (192.168.x.x) through a win2000 router 192.168.x.x /
194.x.x.x and arriving at my ISA server's one and only NIC, 194.x.x.140.
Something like this:

192.168.0.0-192.168.0.254--------router(192.168.0.5 /
194.X.X.139)------ISA(194.X.X.140)---------Zyxell (194.X.X.141)

I saw that a lot of people use my ISA server as their proxy (people from
the internet). I went to the Microsoft web site and saw that the minimal
requirements for ISA 2000 (in integrated mode) are two network adapters
(one for private, one for public). So I think the LAT table in my case is
useless... Am I right???? I want to know if this is a real problem (my ISA
is exploited because of the stupidity of an ex-administrator, the guy before me
who installed ISA 2000). Any help will be great and any questions or
suggestions will help me a lot. Thanks for your time and everything you
have already done for me and my knowledge.

Milos K. V. , System Administrator
Belgrade, Yugoslavia

