Re: New 2k3 infrastructure advice



I could see arguments both directions. The differentiator would be the
business requirements.
I've heard of people that put everything on a public network and others who
put nothing on a public network. A lot in between.

The difference between a private and public network would be the
implementation but ISA really doesn't know what the purpose of two different
networks is until you tell it. In other words, you could deploy ISA between
two public networks and it would be able to monitor and protect traffic
traveling between the two. However, does that make sense if the two are
both publicly accessible? I wouldn't think much value could be had.

Do you get greater security if you move to a private address space?
Depends. You can control the traffic to/from the private network with more
granular control, but like I said, there really is no difference between a
public and private network other than the address space you use. They both
route, right?

Private addressing is often used to allow you to have non-routable addresses
which can make things more difficult from a security intruder's perspective;
not much though. It's also used to allow for larger IP networks. You can
read some more about this type of concept in RFC 1918 and so on.

In my mind and opinion, it would be best to understand what your
requirements are from a business perspective. I wouldn't consider the
addressing to be a big contributor to your security stance, but rather
figure out if you need to use public or private addresses. Either can be
secured without much security advantage difference between them. It's just
an address.

There are some operational advantages to keeping private addresses vs.
public addresses. But that's another matter and you would have been living
with public long enough that it may not matter unless your business
requirements indicate it.

Does that help?



"davidn" <davidn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:80A0210C-A832-416A-A3A7-C33D83A8528A@xxxxxxxxxxxxxxxx
> sorry - should have been a bit clearer...all of our network is located
> publicly (and has done so for years) as I am about to upgrade all of our
> DCs/exchange etc so I am trying to see if it is worthwhile moving everything
> over to a private lan for greater security. I plan on introducing ISA 2004 so
> I can carry out multi-layer filtering (currently using a PIX) but can ISA
> 2004 still operate public --> public OR must it be public --> private. I
> guess what I am trying to work out in my design of AD is if I should move
> everything over to a private LAN or just leave it as is - I would just like
> to hear people's comments on the above bearing in mind that I plan to
> introduce ISA 2004 - thanks
>
>
> "Al Mulnick" wrote:
>
>> After reading those documents, what is it that gives trouble exactly?
>> I'm also not clear on why the requirements for change and what the
>> requirements are once you've made the change in terms of services
>> available?
>> Can you expand on that?
>>
>> "davidn" <davidn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:6E312CC8-06A5-4B5B-82DE-6D7D6B789840@xxxxxxxxxxxxxxxx
>> > All - sorry if this is in the wrong area but briefly, we own a swag of public
>> > IP addresses and currently all our services (inc workstations) use public
>> > addressing which is the reason for the need to change. We host everything
>> > DNS/Exchange etc and I feel it is time to move all of these into private
>> > address land (correct me if I am wrong) but I am designing a new 2K3
>> > infrastructure and I would like to hear some views after putting the above
>> > into consideration i.e. sit everything behind an ISA box in private land
>> > including all services DNS/Exchange etc. I have read all the docos in Technet
>> > (SMBIZ) and found them very useful but our scenario is probably a little
>> > different considering all the public IP addressing we own - any
>> > thoughts/pointers will be appreciated :)
>>
>>
>>

