Re: general question on design options



David,

I'm running the configuration that you are considering. I have a Cisco 2800
series router with the K9 security package. It's configured as my edge router
and handles all of my VPN connections and is configured as my first line of
firewall defense. Behind that I have my ISA, which allows me greater control
over publishing, policies, and bandwidth throttling. For the most part, the
firewall configuration on the ISA mimics that on the Cisco, however if I put
other public devices on the network between the Cisco and ISA (i.e. in the
DMZ), I can poke holes for them specifically without affecting the security
of my internal network.

I agree with Phillip that in many cases this could be just "burning
electricity", but even our IT auditors approved of the extra layer of
security. (Also, I like the fact that I no longer have a single point of
failure; if one device fails I can take it out of the loop and keep on trucking.)

Hope this helps!
-Steve
"David" wrote:

thanks again.

"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:ubAZvySBIHA.1168@xxxxxxxxxxxxxxxxxxxxxxx
"David" <nospam@xxxxxxxxxx> wrote in message
news:e3G66eSBIHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
I was assuming it was going to be CSU/DSU -> cisco -> ISA, and that I
would have control of that cisco device. I have not dealt with T1 service
before (or any WAN technologies for that matter). We currently use a
fixed wireless provider and that antenna goes directly to my ISA server.
So if I understand correctly, when I select a T1 provider it will come
with the CSU/DSU *and* the router (likely Cisco) which will likely only
be a router (no NAT, SPI firewall, etc.)

Correct.

that I would not have administrative access to.

That depends on the arrangement with the ISP. I have access to ours. We own
ours.

So if I wanted to implement a dmz for example, one with 2 firewalls
rather than one tri-homed firewall, the router that would likely come
with the service would not be an option and I would need to purchase
another one.

The router would have nothing to do with the DMZ. The router config would
not be touched. You would have to buy a second Firewall device and place
the two firewalls end-to-end with a "new" RFC Private Addressed Network
between the two Firewalls. Personally I think DMZs are most of the time
just pointless and do nothing other than make things more complicated for
the Admin (Hackers usually don't notice and aren't slowed by them) and they
just add more pieces to the puzzle that can fail and cause you to have to
troubleshoot something and have more down-time.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
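As an added example (not configuration from Steve, Phillip or the ISA product), here is how the edge router side of the layout both of them describe could look on a Cisco 2800 in IOS: one inbound hole for a DMZ host, the ISA's outer interface left unreachable from outside, and the LAN never addressed by the router at all. Interface names and all addresses are assumed, with RFC 5737 documentation ranges standing in for real public space.

```cisco
! Edge router (Cisco 2800): T1 on Serial0/0/0, DMZ segment to the ISA on FastEthernet0/0.
! All addresses and interface names are assumed for this example; the ISP is assumed to
! route the public block 203.0.113.0/24 (RFC 5737) to the T1 link address 198.51.100.2.
hostname edge-rtr
!
! An inbound ACL on the outside interface is evaluated before NAT, so it must
! match the public (pre-translation) address of the DMZ host.
ip access-list extended OUTSIDE-IN
 remark The only hole opened from the Internet: HTTPS to the public web server in the DMZ
 permit tcp any host 203.0.113.10 eq 443
 remark VPN tunnels terminate on the router itself (IKE, NAT-T, ESP)
 permit udp any host 198.51.100.2 eq isakmp
 permit udp any host 198.51.100.2 eq non500-isakmp
 permit esp any host 198.51.100.2
 remark Replies to sessions opened from the DMZ or, through the ISA, from the LAN
 permit tcp any any established
 remark Everything else, including anything aimed at the ISA's outer NIC, is dropped and logged
 deny ip any any log
!
ip access-list standard NAT-OUT
 permit 192.168.100.0 0.0.0.255
!
interface Serial0/0/0
 description T1 to ISP (CSU/DSU on the WIC)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip nat outside
!
interface FastEthernet0/0
 description DMZ: RFC 1918 network between the router and the ISA outer NIC (192.168.100.2)
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Static NAT exposes only the DMZ web server. The ISA's outer address gets no static
! mapping, so the LAN behind it is reachable from outside only as return traffic;
! the ISA applies its own rule set on top, which this hole does not touch.
ip nat inside source static 192.168.100.10 203.0.113.10
ip nat inside source list NAT-OUT interface Serial0/0/0 overload
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Because the ISA keeps its own independent policy, opening a port here for a DMZ host changes nothing about what the internal network accepts, which is the point both posters make for the two-firewall layout.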