Re: ISA2004 - No need for DMZ anymore ?
- From: "ZVR" <nospamever@xxxxxx>
- Date: Wed, 14 Sep 2005 10:14:06 -0400
> I've been looking at our LAN layout and I'm beginning to ask myself some
> questions on its validity.
>
> Until recently we were using checkpoint and the ISA box has been put in as
> a direct replacement. The more I use ISA2004 though the more I realise
> that it is not a like for like replacement.
No it's not. I worked with both and ISA is more featured as an
application-level firewall.
> Traditionally we have had machines in our DMZ for a variety of purposes.
>
> We have our webserver in the DMZ
> Our webserver acts as our Exchange Front End and provides OWA
> functionality.
> We have our AntiVirus server in the DMZ, to allow our roaming clients to
> collect updates and report in problems.
>
> The above are all published using server publishing rules.
>
> To enable OWA and to allow copying of files to/from DMZ machines,
> monitoring/RDP from inside the LAN etc we've punched big holes between the
> LAN and the DMZ.
Yeah... AD traffic and Exchange directory synchronization traffic from DMZ to
LAN... big holes indeed.
> Makes me wonder how much "more secure" these machines are in the DMZ
> and/or how much more secure our LAN machines are being hidden from them.
>
> Many of the Exchange diagrams suggest that the Front End Server should be
> on the LAN, not the DMZ. We want to develop the main website to be more
> database orientated, sucking content from our SQL server on the LAN.
>
> I can't see, given the publishing/proxying way that ISA2004 works, that
> there is any good reason for us to have a DMZ at all.
I share the same view. The Exchange FE should sit on the LAN, considering
the type of interactions with your AD, etc. Then you would use OWA
publishing through ISA, which is very powerful when it comes to that.
>
> Can anyone give me some pointers ? Is it fair to say that in a small
> business network using ISA2004 there is no need to have a DMZ anymore ?
I agree, especially for a small business network environment.
> If not, and we must keep the DMZ, where can I find guidance on which
> servers can safely sit on the LAN and which need to outside in the DMZ ?
The rule of thumb with a DMZ is that you place there servers that you want to
"isolate" from your LAN but still make available to external clients. It is
pretty clear an Exchange OWA server does not fit this criterion. Standalone
(i.e. not joined to a domain) web servers, application servers etc. are the best
bets for DMZ placement.
>
> For those that think that "back to back" firewalls would be a suitable
> solution, we don't really have the budget for another firewall unless it's
> truly unavoidable.
>
> Any advice greatly appreciated.
>
>
> Thanks,
>
>
> Andy
>
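The reply's rule of thumb (a DMZ host should be reachable from outside yet stay isolated from the LAN) can be checked mechanically against a rule table. The following is an added example, not code from this thread or from ISA Server; it uses a constructed, simplified rule table modelled on the layout Andy describes (OWA front end, web server, antivirus server) and an illustrative, non-exhaustive list of domain-trust protocols. Host names, zones and the `Rule` record are assumptions for the example.

```python
"""Audit LAN/DMZ firewall rules against the DMZ rule of thumb.

Constructed example: the rule table below is a simplified model, not an
export of any real firewall configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "EXT", "DMZ" or "LAN"
    src_host: str   # host name, or "*" for any host in the zone
    dst_zone: str
    dst_host: str
    protocol: str   # "proto/port", e.g. "tcp/443"


# Protocols that carry domain trust (directory, Kerberos, RPC, SMB).
# Allowing them from a DMZ host into the LAN ties that host to the internal
# domain, so the DMZ no longer isolates it.  Assumption: illustrative list.
DOMAIN_PROTOCOLS = {
    "tcp/88": "kerberos",
    "tcp/135": "rpc endpoint mapper",
    "tcp/389": "ldap",
    "tcp/445": "smb",
    "tcp/3268": "global catalog",
}

# Constructed rule table modelled on the thread's layout (hypothetical hosts).
RULES = [
    Rule("EXT", "*", "DMZ", "owa-fe", "tcp/443"),        # OWA published outside
    Rule("DMZ", "owa-fe", "LAN", "dc1", "tcp/389"),      # AD lookups
    Rule("DMZ", "owa-fe", "LAN", "dc1", "tcp/88"),       # Kerberos
    Rule("DMZ", "owa-fe", "LAN", "dc1", "tcp/135"),      # RPC to the DC
    Rule("DMZ", "owa-fe", "LAN", "exch-be", "tcp/135"),  # RPC to Exchange back end
    Rule("LAN", "*", "DMZ", "owa-fe", "tcp/3389"),       # RDP management
    Rule("EXT", "*", "DMZ", "www", "tcp/80"),
    Rule("EXT", "*", "DMZ", "www", "tcp/443"),
    Rule("LAN", "*", "DMZ", "www", "tcp/3389"),
    Rule("EXT", "*", "DMZ", "av-srv", "tcp/80"),         # roaming clients fetch updates
    Rule("LAN", "*", "DMZ", "av-srv", "tcp/3389"),
]


def dmz_hosts(rules):
    """Every named host that appears in the DMZ zone."""
    hosts = {r.dst_host for r in rules if r.dst_zone == "DMZ" and r.dst_host != "*"}
    hosts |= {r.src_host for r in rules if r.src_zone == "DMZ" and r.src_host != "*"}
    return sorted(hosts)


def lan_bound_flows(rules, host):
    """Protocols a DMZ host may initiate into the LAN (wildcard rules count too)."""
    return sorted({r.protocol for r in rules
                   if r.src_zone == "DMZ" and r.src_host in ("*", host)
                   and r.dst_zone == "LAN"})


def placement_verdict(rules, host):
    """Apply the rule of thumb to one DMZ host.

    Returns (verdict, reasons): "LAN" when the host needs domain-trust
    protocols into the LAN (it belongs inside, published through the
    firewall), "REVIEW" for other LAN-bound flows, "DMZ" when none exist.
    """
    flows = lan_bound_flows(rules, host)
    domain = [p for p in flows if p in DOMAIN_PROTOCOLS]
    if domain:
        return "LAN", [f"{p} ({DOMAIN_PROTOCOLS[p]}) allowed into LAN" for p in domain]
    if flows:
        return "REVIEW", [f"{p} allowed into LAN" for p in flows]
    return "DMZ", ["no DMZ->LAN flows; isolation holds"]


def audit(rules):
    """Verdict for every DMZ host in the rule table."""
    return {h: placement_verdict(rules, h)[0] for h in dmz_hosts(rules)}


if __name__ == "__main__":
    for host in dmz_hosts(RULES):
        verdict, reasons = placement_verdict(RULES, host)
        print(f"{host:8} -> {verdict:6} " + "; ".join(reasons))
```

Run against the constructed table, the OWA front end is flagged for LAN placement because it needs LDAP, Kerberos and RPC into the LAN, while the standalone web and antivirus servers pass as DMZ candidates: exactly the split the reply argues for. Feeding it a real rule export would mean writing a small adapter from that export to `Rule` records.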