Re: Advice asked - choosing between ISA, SSL VPN, Hardware firewall etc
From: Phillip Windell (_at_.)
Date: 01/27/05
- Next message: Phillip Windell: "Re: Proxy server 2.0 group?"
- Previous message: Guillaume Genest: "RE: Isa problem after installing Windows Updates"
- In reply to: Paul De Bie: "Advice asked - choosing between ISA, SSL VPN, Hardware firewall etc"
Date: Thu, 27 Jan 2005 08:50:15 -0600
"Paul De Bie" <paul.de.bieNO@MORESPAMhnt.be> wrote in message
news:35s8uiF4qc002U1@individual.net...
> Now management would like:
> - remote access to the mail (Outlook Web access --> IIS)
> - remote access to the AS/400 (IBM iSeries Access for Web --> Websphere
> Application Server)
> - remote access to the security cameras (digital recorder with built-in
> webserver)
> etc...
>
> OK I could accomplish this maybe with more port forwarding but I think
> this would put our internal network at a much higher risk.
>
> I talked to a security expert and he suggested that I build a DMZ. In
> the DMZ I could put an Exchange Front End server for the OWA, and other
> stuff I want to access from the Internet.
A DMZ will never make things easier,...always harder,...much harder.
Publishing OWA via Static NAT (you called port forwarding) is perfectly
fine. Think about it, if you put a Front End OWA box in the DMZ, how is it
going to communicate with the Back End Exchange?.....you publish it via
Static NAT, so you're back to the same thing as if you never had a DMZ.
> When I was arguing with the guy he suddenly proposed another magical
> solution: a Netscreen 500 Remote Access SSL-VPN box. Cost between 4000
> and 5000 USD.
I consider it a positive thing that you "argued" with the guy,..I think it
is good that you question things and not just go out and do the first thing
someone tells you to do without thinking it over yourself.
I do think VPN is the "other half" of your solution.
> When he was away I have browsed around a bit and I studied ISA-server.
> It looks to me to be the answer to all of my problems.
> I would not have to build a DMZ.
> I can use it to bring the mail to the remote users (using OWA) without
> compromising the Exchange server and without having to split it up in
> FE/BE.
> I can use it to get to the other webservers (the cameras, the AS/400)
> without compromising my internal network.
> I could even still use my packet-filtering firewall as a first layer of
> defense.
> All I need is a box + OS + ISA Server 2000.
I would agree. I am perfectly happy with ISA and am confident that it is a
solid and secure product.
-- Phillip Windell [MCP, MVP, CCNA] www.wandtv.com