Re: Noob question: ISA and IIS on the same server?

From: Thomas W Shinder [MVP] (tshinder_at_hotmail.com)
Date: 07/09/04


Date: Thu, 8 Jul 2004 22:40:14 -0500

Hi Gary,

OK, but NAT and packet filtering do *not* provide any security, that's what
I'm getting at. The ISA firewall already has a packet filtering function
that no one has ever broken, so what's the point of the NAT/packet filter in
front of the ISA firewall?

This is an even more problematic situation, because the ISA firewall is
compromised from the start by running a Web server on it. With the only
protection being a simple NAT/packet filter device, it's a dicey situation.
Guess what firewall is in front of the most networks that have been hacked?
You guessed it, and it's not an ISA firewall.

The DNS server, as long as it's a caching-only DNS server, is fine on the ISA
firewall. However, I would *not* put an authoritative DNS server on the ISA
firewall. That could potentially expose your name infrastructure to
intruders in the event that the firewall is compromised (which is more
likely, since it's running a Web server on it, which greatly increases its
attack surface).

The key take home message is that the pix packet filter doesn't need to be
compromised in order to attack your network. It just "passes packets", it
doesn't inspect them at the application layer. I can pass Code Red from here
to doomsday through the pix packet filter and never miss a beat. In
contrast, it's simple to block Code Red with an ISA firewall using the
instructions on www.isaserver.org.

Now, the solution:

1. Get the Web site off the firewall
2. Get some money back by putting the pix on eBay -- you'll sell it, as
there's one born every minute ;-)
3. Put any resources that would have been on the DMZ between the ISA
firewall and the pix packet filter behind the trihomed DMZ segment attached
to the ISA firewall. When a pix packet filter is in front of the ISA
firewall.

Finally, I apologize if I sound a bit sharp, but I've dealt with a lot of
people recently who are wedded to the "earth is flat" hypothesis that
somehow a stateful packet filter provides decent security. Personally, I
would be scared to death if my own production network were behind a stateful
packet filtering device only.

YMMV,

--
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
"Gary" <gary123@123iplynx123.com123> wrote in message
news:iM5Hc.6139$876.1289@fed1read07...
: Thank you for your insight Thomas.
:
: The real security that I am looking for is a piece of equipment that does
: only packet filtering and NAT just as you have stated.
:
: My difficulty with my configuration is that the "ISA" server has one "leg"
: in the DMZ and one "leg" in the "high security", "private", "trusted" (which
: ever label you would put on it) network. Now all of this is already behind
: the firewall (the PIX) which is great! The downer, to me, is that this "ISA"
: server in the DMZ is also running services like WWW and DNS which could
: possibly be exploited and give a potential attacker direct access to the
: internal network if these "non-secure" functions were somehow compromised.
: Not a very likely scenario to be certain, but it's not like this (or similar)
: hasn't happened before either (Code Red virus I believe). If it was a true
: firewall to firewall configuration I would be pleased as punch, but
: unfortunately my client has a limit to the depths of their pockets and this
: is the best I can think of having no budget for an extra ISA-only server.
:
: Having no acronyms to follow my signature or the like, I am truly grateful
: for any corrections you might have for my train of thought and thank you for
: taking the time to respond to my perhaps incoherent ramblings.
:
: Thank You!
:
: -Gary
:
: "Thomas W Shinder [MVP]" <tshinder@hotmail.com> wrote in message
: news:%235BHRk8XEHA.808@tk2msftngp13.phx.gbl...
: > Hi Gary,
: >
: > This sounds like a back to back DMZ, the most secure config.
: >
: > Just curious, what real security do you think you derive from the pix? Does
: > it do anything other than packet filtering and NAT?
: >
: > Thanks!
: > --
: > Tom
: > www.isaserver.org/shinder
: > Get the book!
: > Tom and Deb Shinder's Configuring ISA Server 2004
: > http://tinyurl.com/3xqb7
: > MVP -- ISA Firewalls
: >
: >
: > "Gary" <gary123@123iplynx123.com123> wrote in message
: > news:cVXEc.2965$876.1834@fed1read07...
: > : Using these links:
: > :
: > : http://support.microsoft.com/default.aspx?scid=kb;en-us;323387
: > : http://support.microsoft.com/default.aspx?scid=kb;en-us;290113
: > : http://support.microsoft.com/default.aspx?kbid=238131
: > :
: > : I am configuring an ISA server on an existing Win2k3 server that currently
: > : performs web hosting and DNS in a DMZ (medium security interface--50) behind
: > : a PIX 515. The purpose for this ISA server is to provide proxy access to the
: > : corporate web mail server that is on the high security interface (100) of
: > : the PIX. I am fairly certain that there is no configuration that will permit
: > : me to proxy the web mail on the outside interface of the ISA server, but am
: > : open to any suggestions anyone has on this matter.
: > :
: > : My Solution (as much as I disapprove of how it breaks the philosophy of a
: > : good firewall configuration) is to place the internal interface of the ISA
: > : server on the high security corporate network and leave the public interface
: > : in the PIX DMZ. I would ordinarily never do this but I see no way to proxy
: > : using ISA without 2 physical interfaces, and since ISA IS a firewall (MS
: > : would have me believe--rather convincingly too judging by its capabilities
: > : and documentation which are rather impressive, even to a skeptic like me), I
: > : have little reservation in allowing the DMZ network and the corporate high
: > : security network to meet, physically, through 2 firewalls.
: > :
: > : My Question is, how do you configure the Win2k3 server to serve a website
: > : through its own IIS server, but also to proxy to another website using ISA?
: > : I have duplicated my sandbox configuration in the production environment
: > : using the Step-by-step guides provided by MS and while my sandbox
: > : configuration continues to function properly, my production environment is
: > : not functioning in a proxy capacity (DNS and local IIS serving work, but
: > : proxy web mail does not). I have determined that the only difference (that I
: > : can recognize as possibly causing a problem) is that my production
: > : environment Win2k3 server is running IIS, while my sandbox environment is
: > : not. Anyone running IIS and ISA together to both serve and proxy websites?
: > : If so, what deviations from the MS Step-by-step guides are there? Any
: > : assistance would be greatly appreciated!!
: > :
: > : The Step-by-step guides I refer to are (in the order in which I used them
: > : are):
: > :
: > : http://support.microsoft.com/default.aspx?scid=kb;en-us;323387
: > : http://support.microsoft.com/default.aspx?scid=kb;en-us;290113
: > : http://support.microsoft.com/default.aspx?kbid=238131
: > :
: > : Thanks in advance!
: > :
: > : -Gary
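Tom's point above, that a packet filter decides on addresses and ports while an application-layer firewall actually reads the HTTP request, as an added example that is not part of this thread and not ISA or PIX code. The policy (Internet to a DMZ web server on TCP/80 is permitted), the addresses, the blocked ISAPI extensions and the sample requests are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes

# Assumed packet-filter policy (constructed): anything from the Internet
# to the DMZ web server on TCP/80 is allowed. Nothing else is.
WEB_SERVER = "192.0.2.10"

def packet_filter_allows(pkt: Packet) -> bool:
    """A packet filter decides on addresses and ports only; the payload is never read."""
    return pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80

# Assumed application-layer rules a Web publishing filter might enforce.
MAX_URL_LEN = 1024
BLOCKED_EXTENSIONS = (".ida", ".idq")  # IIS ISAPI extensions abused by Code Red
ALLOWED_METHODS = ("GET", "HEAD", "POST")

def http_filter_allows(pkt: Packet) -> tuple:
    """Parse the HTTP request line and apply application-layer rules.
    Returns (allowed, reason)."""
    try:
        line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request line"
    if not version.startswith("HTTP/"):
        return False, "not HTTP"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_URL_LEN:
        return False, "URL too long"
    path = target.split("?", 1)[0].lower()
    if path.endswith(BLOCKED_EXTENSIONS):
        return False, f"blocked extension in {path}"
    return True, "ok"

# Constructed sample traffic: a normal page fetch and a Code Red-style probe
# (an oversized query string aimed at the .ida extension, the request shape
# described in public advisories on the worm). Both arrive on TCP/80.
NORMAL = Packet("203.0.113.5", WEB_SERVER, 80,
                b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
PROBE = Packet("203.0.113.9", WEB_SERVER, 80,
               b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n")

def compare(pkt: Packet) -> tuple:
    """(packet filter verdict, application-layer verdict) for one packet."""
    return packet_filter_allows(pkt), http_filter_allows(pkt)[0]
```

Both packets pass the port-based check; only the application-layer filter tells the probe apart from the page fetch, which is the gap the thread is arguing about.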

