That is a good point
We have a good perimeter setup and ISA has nice intrusion detection software built in. I may opt to put more IDS software on the proxy as well.
-----Original Message-----
From: Andy Grafton [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 11:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT?
Michael, the major problem is not really preventing forwarding between the NICs, but rather, as Dave says, the (big) issues if the box is compromised... basically, your trusted network would be completely exposed to the new "owner" of the box.
All the best,
Andy
----- Original Message -----
From: MHR(Michael Ross)
To: '[EMAIL PROTECTED]'
Sent: Monday, November 04, 2002 5:56 PM
Subject: RE: [ActiveDir] OT?
Makes sense!
I would turn off IP forwarding, so it wouldn't route it.
How do you direct the proxy to the firewall for internal traffic? One reason I'm trying to do this is to speed up browsing to the intranet, which was amazingly fast when I had the server dual NIC'd.
-----Original Message-----
From: Dave Kinnamon [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT?
Yes ... just have to make sure the box isn't routing between the NICs. However, realize that if the box is compromised, so is your internal network since you've bypassed your firewall with the multi-NIC configuration. Make sure your proxy directs its internal traffic to the firewall to help block some of what makes it through.
-----Original Message-----
From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 10:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT?
Curious.. I notice all the MS docs for ISA and proxy say to do it with 2 NICs. And you can't do any packet filtering or stateful inspection with one NIC in the server. I've also found Linux proxy documentation showing the same thing.
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 10:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT?
Because the 2 NIC solution results in a box bridging your firewall. In other words, your firewall is no longer the only path between your internal and external networks. That's generally a bad idea.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
> -----Original Message-----
> From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 04, 2002 10:06 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
>
> Can you explain why?
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 04, 2002 9:04 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT?
>
>
> You were told correctly.
>
> One NIC in the DMZ is the better choice.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, November 04, 2002 9:55 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] OT?
> >
> >
> > I dunno if this is off topic..
> > but which is more secure?
> > a proxy (or isa server), with 1 NIC in a DMZ, or a server
> > with 2 NICs .. one in the DMZ, one on the internal LAN.. internal
> > NIC has no default gateway. External NIC has WINS, SERVER service,
> > Workstation service unbound from the NIC.
> >
> > I'm told a dual-NIC'd proxy is a hole in the firewall.
> >
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
