Firewall Wizards mailing list archives
RE: Strange setup
From: "Steven A. Fletcher" <sfletcher () integrityts com>
Date: Fri, 27 Feb 2004 12:40:09 -0600
I have done similar designs with a Cisco PIX and ISA server. You just configure the firewall to only a allow traffic on ports 80 and 443 from the proxy server. That way, all web traffic must go through it. However, I do not understand the purpose of the DMZ. When I have done this myself, the ISA server is on the internal network and a static NAT to the outside. Steve Fletcher Senior Network Engineer, MCSE, Master ASE, CCNA BCSC Technology Solutions Phone: (309)664-8129 Toll Free: (888) 764-8100 ext. 129 Fax: (309) 662-6421 sfletcher () bcsc com -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of mcary () badgermeter com Sent: Friday, February 27, 2004 11:17 AM To: firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Strange setup What prevents a user from changing his default route from ISA to the FW, bypassing any authentication that ISA provided? -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Bill Royds Sent: Thursday, February 26, 2004 7:02 PM To: 'Melson, Paul'; 'franco segna'; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Strange setup Actually there is a good reason for the ISA to be configured this way. The ISA server acts as an HTTP cache/authenticator. So if you have the inside boxes with default route going to internal address of ISA server, it can validate the user of that workstation with Windows authentication and either, forward the request out to the Internet and cache the reply , or return the cached value. This adds to security by ensuring that all internal workstation access is by authenticated users. The straight through branch is used for server traffic like mail that is coming towards the internal network or is being forwarded by authorized MTA style servers that use the FW as default route. ISA may not be a great firewall but it is a good proxy/authenticator for a Windows network. Its examination it does of HTTP traffic before caching it is a bonus. -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Melson, Paul Sent: February 26, 2004 2:24 PM To: franco segna; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Strange setup Franco, Without seeing the rule sets on either system, it is impossible to say. Clearly this design misses the point of a 'DMZ' network. There's no reason that I can think of for the ISA server to be dual-homed. There's no reason that outbound proxy traffic, RAS/VPN traffic, or reverse proxy traffic can't pass through two sets of firewall rules, one between the outside and DMZ, and another between the DMZ and inside. If you're tasked with redesigning this network, that should be first on your to-do list. That said, a possible explanation is that the ISA server is a reverse proxy for servers on the internal network, and the firewall only allows inbound traffic to the DMZ for NAT purposes. In this situation, the ISA server could provide extra access controls at the application layer in the form of authentication or restricting access to specific pages/services through destination lists. Workstation browsing and other inside->out traffic could pass directly through the firewall without going through ISA. That's just a theory, though. Looking at the rules on both the SonicWall and the ISA Server will give you a better idea of the intended function of this design. PaulM PS - I can't help but notice that a disproportionately large number of European, and specifically German IP networks (including my previous employer's) have been designed using internal addressing schemes that do not conform to RFC1918. Anybody have an educated guess as to why this is? It's just a personal curiosity of mine.
-----Original Message----- Hi everybody, I'm being confronted with the following existing setup: T1 -------------------------------- (Internet | LAN backbone | and VPNs) ------------+---+---+-+-+-+-+--- | | | | | | | | | +-------+ local x.x.x.254/24 | | | | | | +- | | Sonic +---------------------+ | | | | +- +--+ Wall | | | | | | Pro +------+ | | | +- SQL +-------+ dmz | | | +-- mail (?) | +--------+ | +--- etc. | | MS ISA | | +--+ 2000 +------+ | Server | x.x.x.251/24 +--------+ The public web server is hosted elsewhere. The LAN comprises 30 workstations. To complicate the matter, the LAN address family x.x.x. is NOT RFC1918-compliant (and is conflicting with existing Internet hosts). The system is up and running, but I cannot understand the bypassing of the ISA server through the direct connection firewall/LAN. And the meaning of DMZ seems to be lost. Anyone can help me to understand the matter ? Thanks in advance
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Badger Meter, Inc. will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Strange setup franco segna (Feb 26)
- Re: Strange setup Mark Tinberg (Feb 26)
- RE: Strange setup Robert L. Wanamaker (Feb 26)
- <Possible follow-ups>
- RE: Strange setup Melson, Paul (Feb 26)
- RE: Strange setup Bill Royds (Feb 27)
- RE: Strange setup mcary (Feb 27)
- RE: Strange setup Daniel Linder (Feb 27)
- RE: Strange setup Steven A. Fletcher (Feb 27)
- Multiple small switches vs. a single big one; Granularity of control Shimon Silberschlag (Feb 29)
- RE: Strange setup Sloane, David (Feb 27)