Re: Do I need a DMZ for the public webservers ? (ISA2004)

From: ABH (andyspamfee_at_hotmail.com)
Date: 09/10/04


Date: Fri, 10 Sep 2004 21:32:36 +0100

ObiWan wrote:
> Consider this; let's say your webservers are sitting on your
> LAN, now, one day, someone discovers some kind of bug
> or exploit or whatever ... or even a flaw in an ASP application
> leading to machine access.. now .. the folk penetrates your
> webserver and .. is on your LAN with the ability to reach each
> and every machine on the LAN; this won't happen with a web
> server sitting on a DMZ, in such a case the attacker would just
> be able to reach the other servers on the DMZ but the LAN
> would still be safe

Surely what the OP is suggesting/asking is....

With the web publishing rules of ISA, the impression given is that no one is
actually "allowed in" to access the Web Server.

All http connections are terminated by the ISA server proxy which then makes
a separate internal connection to the webserver.

In theory therefore, no matter what changes could theoretically be made to
an "open" web server, the hacker still couldn't make a connection to it?

I say in theory because I still keep our web servers in the DMZ ;-)

-- 
Andy

