Welcome to ISAserver.org
your thoughts on IPSEC vs Internal ISA2004
your thoughts on IPSEC vs Internal ISA2004 - 27.Aug.2005 8:07:00 PM
Tom Decaluwe
Posts: 135
Joined: 23.Jul.2003
Status: offline
Hi all,
I'm in the process of studying for exam 70-298 and was doing some reading and testing of IPSEC policies, and it's all working like it should.
I had always thought a very secure setup for a company would be internet <=FIRST FIREWALL=> client network <=ISA 2004=> servers (maybe even set up a 3-homed ISA 2004 and have the first firewall come in on the second and then have two segments for clients and servers). My thoughts are that a setup like this would clearly shield the servers from the clients (something I firmly believe in), plus give me the benefit of the flexibility of ISA and all the logging + application filtering we have all come to love. (The downside, of course, is that FTP, POP3, ... are still plainly sniffable on the network.)
But now I'm playing with IPSEC. This would clearly solve the problem of sniffing POP3 or whatever from the network, but on the other hand my above setup with the ISA 2004 to shield clients and server would then be pretty useless, as all traffic would be encrypted and running over mini encrypted tunnels freely to whatever port on the server they want => hence circumventing any protocol/application lockdown on the server site unless I set up a very extensive IPSEC policy system, losing a lot of the flexibility and logging from ISA 2004.
I know every security setting is a trade-off, but I'm wondering what your thoughts are on building an environment as secure as possible.
Would you go for the ISA between clients and servers, leaving IP traffic as is?
Would you go for IPSEC on all protocols and leave out an ISA between clients and servers?
Or would you go for a combination and only use IPSEC for those protocols you know are unsafe and use ISA for all others, making it tougher to administer the whole setup?
Has anyone done any of these 3 scenarios? I know this might all be a bit far-fetched, but hey, it's study time, so it's a perfect opportunity to think about this kind of stuff.
Thanks for any vision you give me,
Tom Decaluwe
RE: your thoughts on IPSEC vs Internal ISA2004 - 28.Aug.2005 2:59:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,
Did you already do a search on microsoft.com for the terms 'ipsec' and 'domain isolation'? If I remember well, there are some very good papers and webcasts on this item, even how Microsoft implemented it internally.
HTH, Stefaan
RE: your thoughts on IPSEC vs Internal ISA2004 - 29.Aug.2005 9:00:00 AM
isawader
Posts: 420
Joined: 27.Apr.2005
Status: offline
I wouldn't go this far with the IPSEC, unless I am dealing with HIPAA compliance.