Re: general question on design options

"SMadaras" <SMadaras@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

> I'm running the configuration that you are considering. I have a Cisco
> series router with the K9 security package. It's configured as my edge
> and handles all of my VPN connections and is configured as my first line
> firewall defense. Behind that I have my ISA,

How do you get the VPN connections that terminate on the Cisco to get past
the ISA into the LAN? Effectively the people would only be VPNing into the
DMZ and not the LAN.

> I agree with Phillip that in many cases this could be just "burning
> electricity", but even our IT auditors approved of the extra layer of

We've had auditors like that. They base a lot of what they like or don't
like on "superstition" and not reality. Such as the superstition that a
"LAN with a DMZ is more secure than one without" when the reality is that a
LAN with a DMZ is just a LAN that has one more IP Segment and is neither
more secure nor less secure because of it. The DMZ usually gets in the way
of the admin more than the hacker. If I were going to extract information
from a LAN, the method I would use would work even if they had 15 DMZs
between them and the Internet; they just wouldn't matter at all. Currently,
in today's Internet with today's type of threats, that is exactly the case.

There are situations where they can be solidly justified, but I say that
more by "faith" than by seeing a real example of one.

> (Also like the fact that I no longer have a single point of
> failure; if one device fails I can take it out of the loop and keep on

Yes, but you still have to readdress the remaining device to eliminate the DMZ
IP Segment when one is removed, but you can't do that if there are
machines that "live" on that segment unless you quickly redesign the access
method to them, such as putting them on the Public segment or moving them
into the LAN and creating Publishing Rules (or Reverse NATs) for them.

I have the redundancy you mentioned by using ISA2006 and a Watchguard
Firebox X. But they run "side-by-side" and are completely independent of
each other, and there is no DMZ. The LAN's topology is not disturbed no
matter which one "quits" or which one is used for any particular purpose.
Some of the key functions are duplicated on each even if not used, so either
can be a fallback device. I have ISA do most of the actual work because it
is just a better product.

The WG is doing the Site-to-site VPN because it has matching devices at the
other end. The ISA handles the Remote Access VPN because the WG is not
capable of using true DHCP for the VPN Clients (and hence DHCP Options and
WPAD) and is not capable of filtering access after the connection is made.

Phillip Windell

The views expressed are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
Understanding the ISA 2004 Access Rule Processing

Troubleshooting Client Authentication on Access Rules in ISA Server 2004

Microsoft Internet Security & Acceleration Server: Partners

Microsoft ISA Server Partners: Partner Hardware Solutions