[clue-tech] Best practice network design?

David Anselmi anselmi at anselmi.us
Wed Jan 5 18:34:13 MST 2005


Chris Schock wrote:
[...]
> I haven't found any such whitepaper. The closest thing I've found is a lot
> of references to the Microsoft ISA server, but this doesn't really solve
> my problem - it just adds another layer in. Plus then I have to open
> firewall holes for every backend system that needs to be "published".

I just took the ISA 2000 test.  MS seems to think that publishing 
servers on the internal network is a good idea (that's basically DNAT 
plus whatever app layer inspection ISA supports).  I think that's stupid 
for the reasons Chris W mentioned.  Maybe when the test was written 
publishing a server was a step up from putting it directly on the 
Internet, so maybe the ISA 2005 test will be better.

I agree with you that ISA doesn't help.

[...]
> I'm the network guy, and this issue is really Microsoft specific. I may
> end up having to turn it over to someone who is more familiar. Sounds like
> a best practice will involve one way trusts between domains (or if using
> 2003 server, forests).

Even trusts require a bunch of open ports, IIRC (I had a list before I 
left my old job).  You'd think you could get by with LDAP and Kerberos 
open, but no.

> You'd be surprised (well, maybe not) at the kinds of solutions people
> propose in forums. My favorite is the guy who says to just jam another NIC
> into the box, and plug that into the internal network so it's got a leg on
> both sides of the firewall... Voila! No firewall rules necessary at all!

Well, I don't think MS servers route by default.  So that's bad from the 
"what happens when the box gets hacked" point of view but not so much 
from the "keep outsiders out" one.

BTW, on ISA 2000 if you want 3 NICs (internal, external, DMZ) you have 
to enable routing (or it won't know how to make traffic go the right 
place).  But then you also have to enable IP filtering (which defaults 
to deny) or the box is a router and not a firewall.  So much for secure 
by default.  Honestly, ISA 2000 is so backwards that I think the next 
one can't help but be a big improvement.

Dave
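The "jam another NIC into the box" design and the ISA 2000 routing remark above both come down to one question a defender can actually check: is this Windows host multi-homed, and has IP forwarding been switched on so that it behaves as a router between the two networks? The script below is an added example, not from this thread or from Microsoft; it assumes a Windows 8 / Server 2012 or later host with the NetTCPIP cmdlets available, and it treats the classic `IPEnableRouter` registry value under `Tcpip\Parameters` (plus the per-interface `Forwarding` setting) as the switches that control forwarding.

```powershell
# Added example (not from the original thread): audit a Windows host for the
# "leg on both sides of the firewall" condition the post describes, and report
# whether the box is merely multi-homed (pivot risk if compromised) or is also
# forwarding packets (an unfiltered router between the networks).
#
# Assumptions: run elevated on Windows 8 / Server 2012 or later so that
# Get-NetIPAddress and Get-NetIPInterface exist, and that IPEnableRouter under
# HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters is the system-wide
# forwarding switch (1 = forwarding on, 0 or absent = off).

function Get-DualHomedRoutingStatus {
    [CmdletBinding()]
    param()

    $tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    # 1. Is the host multi-homed? Count usable IPv4 addresses, ignoring the
    #    loopback interface and APIPA (169.254.x.x) addresses.
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object {
            $_.InterfaceAlias -notmatch 'Loopback' -and
            $_.IPAddress -notlike '169.254.*'
        }
    $multiHomed = ($addresses | Select-Object -ExpandProperty InterfaceIndex -Unique).Count -gt 1

    # 2. System-wide forwarding switch (the "enable routing" step in the post).
    $routerValue = (Get-ItemProperty -Path $tcpipParams -Name IPEnableRouter `
                        -ErrorAction SilentlyContinue).IPEnableRouter
    $systemForwarding = ($routerValue -eq 1)

    # 3. Per-interface forwarding, which newer Windows exposes separately.
    $forwardingIfaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.Forwarding -eq 'Enabled' -and $_.InterfaceAlias -notmatch 'Loopback' } |
        Select-Object -ExpandProperty InterfaceAlias

    # Classify: multi-homed alone is the "bad if the box gets hacked" case;
    # multi-homed plus forwarding is the "router, not a firewall" case.
    $finding = if (-not $multiHomed) {
        'Single-homed: no bridge between networks on this host.'
    } elseif ($systemForwarding -or $forwardingIfaces.Count -gt 0) {
        'Multi-homed AND forwarding: host routes between its networks; treat as an unfiltered router.'
    } else {
        'Multi-homed, forwarding off: no routing, but a compromised host still has a foot on both networks.'
    }

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        Interfaces           = ($addresses | ForEach-Object { "$($_.InterfaceAlias)=$($_.IPAddress)/$($_.PrefixLength)" }) -join '; '
        MultiHomed           = $multiHomed
        IPEnableRouter       = $routerValue
        ForwardingInterfaces = ($forwardingIfaces -join ', ')
        Finding              = $finding
    }
}

# Usage: run on each server in the DMZ/internal boundary and collect the results.
Get-DualHomedRoutingStatus | Format-List
```

The check deliberately reports the two conditions separately: a multi-homed server with forwarding off is the "not so much from the keep-outsiders-out" case in the post, while the same server with forwarding on has silently become the router ISA 2000 turns into when routing is enabled without IP filtering. Remediation on modern hosts is `Set-NetIPInterface -InterfaceAlias <name> -Forwarding Disabled` plus setting `IPEnableRouter` back to 0, but the better fix is the one the thread argues for: don't give the box a leg on both sides in the first place.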
