[clue-tech] Best practice network design?
David Anselmi
anselmi at anselmi.us
Wed Jan 5 18:34:13 MST 2005
Chris Schock wrote:
[...]
> I haven't found any such whitepaper. The closest thing I've found is a lot
> of references to the Microsoft ISA server, but this doesn't really solve
> my problem - it just adds another layer in. Plus then I have to open
> firewall holes for every backend system that needs to be "published".
I just took the ISA 2000 test. MS seems to think that publishing
servers on the internal network is a good idea (that's basically DNAT
plus whatever app layer inspection ISA supports). I think that's stupid
for the reasons Chris W mentioned. Maybe when the test was written
publishing a server was a step up from putting it directly on the
Internet, so maybe the ISA 2005 test will be better.
I agree with you that ISA doesn't help.
[...]
> I'm the network guy, and this issue is really Microsoft specific. I may
> end up having to turn it over to someone who is more familiar. Sounds like
> a best practice will involve one way trusts between domains (or if using
> 2003 server, forests).
Even trusts require a bunch of open ports, IIRC (I had a list before I
left my old job). You'd think you could get by with LDAP and Kerberos
open, but no.
> You'd be surprised (well, maybe not) at the kinds of solutions people
> propose in forums. My favorite is the guy who says to just jam another NIC
> into the box, and plug that into the internal network so it's got a leg on
> both sides of the firewall... Voila! No firewall rules necessary at all!
Well, I don't think MS servers route by default. So that's bad from the
"what happens when the box gets hacked" point of view but not so much
from the "keep outsiders out" one.
BTW, on ISA 2000 if you want 3 NICs (internal, external, DMZ) you have
to enable routing (or it won't know how to make traffic go the right
place). But then you also have to enable IP filtering (which defaults
to deny) or the box is a router and not a firewall. So much for secure
by default. Honestly, ISA 2000 is so backwards that I think the next
one can't help but be a big improvement.
Dave
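An added check, not from Dave's or Chris's messages, for the two conditions the thread turns on: a box with "a leg on both sides of the firewall" (more than one connected IPv4 interface) and whether Windows will actually forward packets between those legs. It reads the machine-wide IPEnableRouter registry value (0 by default, which is why Dave says MS servers don't route out of the box) and the per-interface Forwarding flag, and warns on either. It assumes a current Windows build with the NetTCPIP cmdlets (Get-NetIPInterface, Get-NetIPAddress); everything else is standard PowerShell.

```powershell
# Added example (not from the original thread): audit a Windows host for the
# dual-homed "bypass the firewall" setup and for IP forwarding being turned on.
# Assumes the NetTCPIP module is present (Windows 8 / Server 2012 and later).

# Machine-wide IPv4 forwarding switch; absent or 0 means the host does not route.
$tcpipParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ipEnableRouter = (Get-ItemProperty -Path $tcpipParams -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($null -eq $ipEnableRouter) { $ipEnableRouter = 0 }

# Connected IPv4 interfaces, skipping loopback, with their per-interface Forwarding flag.
$ifaces = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Where-Object { $_.InterfaceAlias -notmatch '^Loopback' }

# One row per (interface, address) so multi-homing is visible at a glance.
$report = foreach ($iface in $ifaces) {
    $addrs = Get-NetIPAddress -InterfaceIndex $iface.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    foreach ($addr in $addrs) {
        [pscustomobject]@{
            Interface  = $iface.InterfaceAlias
            Address    = "$($addr.IPAddress)/$($addr.PrefixLength)"
            Forwarding = $iface.Forwarding   # Enabled or Disabled, per interface
        }
    }
}

$report | Format-Table -AutoSize

# Dual-homed = addresses live on more than one interface.
# Routing    = the global registry value or any per-interface Forwarding flag is on.
$nicCount   = ($report | Select-Object -ExpandProperty Interface -Unique).Count
$fwdEnabled = ($report | Where-Object { $_.Forwarding -eq 'Enabled' }).Count -gt 0

if ($nicCount -gt 1) {
    Write-Warning "Host is multi-homed on $nicCount interfaces: if this box is compromised, the intruder is already on every attached segment, firewall rules or not."
}

if ($ipEnableRouter -eq 1 -or $fwdEnabled) {
    Write-Warning "IP forwarding is on (IPEnableRouter=$ipEnableRouter, per-interface=$fwdEnabled): traffic can transit this host between segments. Unless it is a deliberate firewall with a deny-by-default filter policy, turn forwarding off."
} else {
    Write-Output "IP forwarding is off: the host will not route between its interfaces. Any multi-homing exposure reported above still applies."
}
```

Run it in an elevated shell on each server that sits in the DMZ; the interesting output is a host that shows two interfaces in different subnets, regardless of whether forwarding is on, since that is exactly the configuration the forum advice above produces.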