Welcome to ISAserver.org


Trihomed DMZ Config

Trihomed DMZ Config - 15.Jun.2004 9:06:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I can remember the thread on the DMZ config that I was discussing the other day, but I tested the config using both a NAT and a route relationship to the DMZ, and it works fine. You can create access rules (instead of publishing rules) that allow access from External to DMZ just fine, and you do not need to create any rules that allow outbound access from the DMZ to the External network.

If you use a route relationship and public addresses on the DMZ, make sure your upstream router knows the route to the DMZ segment.

HTH,
Tom
Post #: 1
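The two points in Tom's post (no DMZ-to-External rule is needed because replies are matched statefully, and a route relationship with public DMZ addresses needs the upstream router to carry the DMZ prefix) as an added model, not code from the thread or from ISA Server; the zones, prefixes and rule table are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample layout for a three-interface (trihomed) firewall; addresses are made up.
DMZ = ip_network("203.0.113.0/24")   # public DMZ addresses, as in the route-relationship case
INTERNAL = ip_network("10.0.0.0/8")

def zone(addr):
    """Map an address to the firewall network it belongs to; anything unmatched is External."""
    a = ip_address(addr)
    if a in DMZ:
        return "DMZ"
    if a in INTERNAL:
        return "Internal"
    return "External"

# Access rules (action, source zone, destination zone, destination port). Default is deny.
# Deliberately no rule from DMZ to External, mirroring the thread's configuration.
RULES = [("allow", "External", "DMZ", 80)]

def evaluate(flow, state, rules=RULES):
    """Stateful decision for one packet given as (src_ip, src_port, dst_ip, dst_port).

    A packet whose reverse tuple is in the state table is a reply to a permitted
    connection and is allowed without any DMZ->External rule; otherwise the rule
    table decides and a permitted new connection is recorded in the state table."""
    src, sport, dst, dport = flow
    if (dst, dport, src, sport) in state:
        return "allow (reply)"
    for action, from_zone, to_zone, port in rules:
        if (from_zone, to_zone, port) == (zone(src), zone(dst), dport):
            if action == "allow":
                state.add(flow)
            return action
    return "deny"

def upstream_route_ok(relationship, router_routes):
    """With a route relationship the upstream router must have a route covering the DMZ
    prefix; with NAT the DMZ sits behind the external address and needs no extra route."""
    if relationship == "nat":
        return True
    return any(DMZ.subnet_of(ip_network(r)) for r in router_routes)
```

Running `evaluate` on an External-to-DMZ request followed by its reply shows the reply passing on state alone, while an unsolicited DMZ-to-External connection is denied.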
RE: Trihomed DMZ Config - 16.Jun.2004 9:41:00 PM   
senad

 

Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
Hi Tom,

Wouldn't you agree that ISA 2004 has in a way changed the concept of a DMZ? You could say that each ISA-separated network (depending on the access rules) acts or can act as a DMZ. Pretty much the only distinction left is the use of public or private IP addresses.

IMO, this is one of the strongest (and unique) points of the new ISA server. As you argued many times, protecting the network edge is just one aspect of network security. Having the ability to partition the network and control traffic between each pair of segments to such an extent as provided by ISA 2004 is a huge improvement over traditional firewalls. I hope with time the market will recognize this. Along with all those clueless call-it analysts. [Smile]

Senad

(in reply to tshinder)
Post #: 2
RE: Trihomed DMZ Config - 18.Jun.2004 1:31:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Senad,

Good points. The DMZ concept meant to me a different security zone that segregated public access traffic and limited it to that segment. So, if exploits from external users were going to take place, they would happen there first and we could focus our intrusion detection efforts on that segment.

In contrast, the Internal or asset networks would not be accessible to external network hosts, or access from non-Internal networks would be significantly constrained.

I think the DMZ concept applies more when you have firewalls in line, rather than a multihomed box. I cringe every time I walk into a datacenter and see 17 NICs hanging on the box and think about the potential effects of this single point of failure model. With all those networks connected to a single box, what happens when that box is compromised? (All firewalls, hardware and software, have the potential to be compromised.) In this scenario, you now have 17 or more networks compromised, versus a firewall that has just a few interfaces.

That said, I know that people like to have lots of interfaces on a single firewall, and I don't know a firewall that handles firewalls and access control better than an ISA box to protect each connected network.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
