Firewall Wizards mailing list archives

RE: Strange setup

From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 26 Feb 2004 14:24:02 -0500

Franco,

Without seeing the rule sets on either system, it is impossible to say.


Clearly this design misses the point of a 'DMZ' network.  There's no
reason that I can think of for the ISA server to be dual-homed.  There's
no reason that outbound proxy traffic, RAS/VPN traffic, or reverse proxy
traffic can't pass through two sets of firewall rules, one between the
outside and DMZ, and another between the DMZ and inside.  If you're
tasked with redesigning this network, that should be first on your to-do
list.

That said, a possible explanation is that the ISA server is a reverse
proxy for servers on the internal network, and the firewall only allows
inbound traffic to the DMZ for NAT purposes.  In this situation, the ISA
server could provide extra access controls at the application layer in
the form of authentication or restricting access to specific
pages/services through destination lists.   Workstation browsing and
other inside->out traffic could pass directly through the firewall
without going through ISA.

That's just a theory, though.  Looking at the rules on both the
SonicWall and the ISA Server will give you a better idea of the intended
function of this design.

PaulM

PS - I can't help but notice that a disproportionately large number of
European, and specifically German IP networks (including my previous
employer's) have been designed using internal addressing schemes that do
not conform to RFC1918.  Anybody have an educated guess as to why this
is?  It's just a personal curiosity of mine.

-----Original Message-----
Hi everybody,
I'm being confronted with the following existing setup:


    T1                    --------------------------------
(Internet                 |        LAN backbone          |
 and VPNs)                ------------+---+---+-+-+-+-+---
     |                                |   |   | | | | |
     |  +-------+ local x.x.x.254/24  |   |   | | | | +-
     |  | Sonic +---------------------+   |   | | | +-
     +--+  Wall |                         |   | | |
        |  Pro  +------+                  |   | | +- SQL
        +-------+ dmz  |                  |   | +-- mail
                  (?)  |  +--------+      |   +--- etc.
                       |  | MS ISA |      |
                       +--+  2000  +------+
                          | Server | x.x.x.251/24
                          +--------+

The public web server is hosted elsewhere. The LAN comprises 
30 workstations.
To complicate the matter, the LAN address family x.x.x. is 
NOT RFC1918-compliant (and is conflicting with existing 
Internet hosts).
The system is up and running, but I cannot understand the 
bypassing of the ISA server through the direct connection 
firewall/LAN. And the meaning of DMZ seems to be lost.
Anyone can help me to understand the matter ? Thanks in advance

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Strange setup franco segna (Feb 26)
- Re: Strange setup Mark Tinberg (Feb 26)
- RE: Strange setup Robert L. Wanamaker (Feb 26)
- <Possible follow-ups>
- RE: Strange setup Melson, Paul (Feb 26)
  - RE: Strange setup Bill Royds (Feb 27)
- RE: Strange setup mcary (Feb 27)
  - RE: Strange setup Daniel Linder (Feb 27)
- RE: Strange setup Steven A. Fletcher (Feb 27)
  - Multiple small switches vs. a single big one; Granularity of control Shimon Silberschlag (Feb 29)
- RE: Strange setup Sloane, David (Feb 27)