The issue with this config is that the box itself is open to compromise, at
which point, even without forwarding enabled, it can still route traffic.
That's what ISA does.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: MHR (Michael Ross) [mailto:mhr@panduit.com]
> Sent: Monday, November 04, 2002 11:57 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
> 
> 
> Makes sense!
> I would turn off IP forwarding, so it wouldn't route it.
> How do you direct the proxy to the firewall for internal traffic?
> One reason I'm trying to do this is to speed up browsing to
> the intranet, which was amazingly fast when I had the server
> dual-NIC'd.
> 
>       -----Original Message-----
>       From: Dave Kinnamon [mailto:dkinnamon@etcconnect.com]
>       Sent: Monday, November 04, 2002 10:51 AM
>       To: '[EMAIL PROTECTED]'
>       Subject: RE: [ActiveDir] OT?
>       
>       
>       Yes ... just have to make sure the box isn't routing
>       between the NICs.  However, realize that if the box is
>       compromised, so is your internal network since you've
>       bypassed your firewall with the multi-NIC configuration.
>       Make sure your proxy directs its internal traffic to the
>       firewall to help block some of what makes it through.
> 
>               -----Original Message-----
>               From: MHR (Michael Ross) [mailto:mhr@panduit.com]
>               Sent: Monday, November 04, 2002 10:40 AM
>               To: '[EMAIL PROTECTED]'
>               Subject: RE: [ActiveDir] OT?
>               
>               
> 
>               Curious.. I notice all the MS docs for ISA and
>               Proxy say to do it with 2 NICs.. And you can't do any packet
>               filtering or stateful inspection with one NIC in the server.
>
>               I've also found Linux proxy documentation
>               showing the same thing.
> 
>               -----Original Message----- 
>               From: Roger Seielstad [mailto:roger.seielstad@inovis.com]
>               Sent: Monday, November 04, 2002 10:34 AM 
>               To: [EMAIL PROTECTED] 
>               Subject: RE: [ActiveDir] OT? 
> 
> 
>               Because the 2 NIC solution results in a box
>               bridging your firewall. In other words, your firewall is no
>               longer the only path between your internal and external networks.
> 
>               That's generally a bad idea. 
> 
>               ------------------------------------------------------ 
>               Roger D. Seielstad - MCSE 
>               Sr. Systems Administrator 
>               Inovis - Formerly Harbinger and Extricity 
>               Atlanta, GA 
> 
> 
>               > -----Original Message----- 
>               > From: MHR (Michael Ross) [mailto:mhr@panduit.com]
>               > Sent: Monday, November 04, 2002 10:06 AM 
>               > To: '[EMAIL PROTECTED]' 
>               > Subject: RE: [ActiveDir] OT? 
>               > 
>               > 
>               > Can you explain why? 
>               > 
>               > -----Original Message----- 
>               > From: Roger Seielstad [mailto:roger.seielstad@inovis.com]
>               > Sent: Monday, November 04, 2002 9:04 AM 
>               > To: [EMAIL PROTECTED] 
>               > Subject: RE: [ActiveDir] OT? 
>               > 
>               > 
>               > You were told correctly. 
>               > 
>               > One NIC in the DMZ is the better choice. 
>               > 
>               > ------------------------------------------------------
>               > Roger D. Seielstad - MCSE 
>               > Sr. Systems Administrator 
>               > Inovis - Formerly Harbinger and Extricity 
>               > Atlanta, GA 
>               > 
>               > 
>               > > -----Original Message----- 
>               > > From: MHR (Michael Ross) [mailto:mhr@panduit.com]
>               > > Sent: Monday, November 04, 2002 9:55 AM 
>               > > To: '[EMAIL PROTECTED]' 
>               > > Subject: [ActiveDir] OT? 
>               > > 
>               > > 
>               > > I dunno if this is off topic..
>               > > but which is more secure?
>               > > a proxy (or ISA server) with 1 NIC in a DMZ, or a server
>               > > with 2 NICs .. one in the DMZ, one on the
>               > > internal LAN..
>               > > Internal NIC has no default gateway.
>               > > External NIC has WINS, Server service, Workstation service
>               > > unbound from the NIC.
>               > >
>               > > I'm told a dual-NIC'd proxy is a hole in the
>               > > firewall.
>               > > 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
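Added example, not taken from any message in this thread: a small POSIX shell
audit for the two settings the thread keeps coming back to on a dual-homed
proxy, namely kernel IP forwarding switched off and no default gateway on the
internal NIC. It is written for a Linux host (the thread mentions Linux proxy
docs alongside ISA); the interface names, addresses and route-table text are
constructed sample input, and on a live box the same functions would be
pointed at /proc/sys/net/ipv4/ip_forward and the output of "ip -4 route show".
The Windows equivalent of the forwarding switch is the IPEnableRouter value
under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Note that this
only verifies the configuration Michael describes; it does nothing about
Roger's point that once the box is compromised the attacker can turn
forwarding back on, or simply proxy traffic in userland, regardless.

```shell
#!/bin/sh
# Added example (not from the thread): audit a dual-homed proxy host for
# the two settings discussed above. Interface names and route text below
# are constructed sample input for a hypothetical host.

# ip_forward_status FILE
#   Prints "off" or "on" for the forwarding sysctl stored in FILE
#   (on a live host: /proc/sys/net/ipv4/ip_forward).
ip_forward_status() {
    case "$(cat "$1")" in
        0) echo off ;;
        *) echo on ;;
    esac
}

# default_route_ifaces ROUTETEXT
#   Prints the interface behind each default route in ROUTETEXT, one per
#   line. ROUTETEXT is in the format printed by "ip -4 route show".
default_route_ifaces() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)
    }'
}

# audit_dual_homed FWD_FILE ROUTETEXT INTERNAL_IFACE
#   Returns 0 and prints PASS when forwarding is off and INTERNAL_IFACE
#   carries no default route; otherwise prints the reason and returns 1.
audit_dual_homed() {
    if [ "$(ip_forward_status "$1")" = on ]; then
        echo "FAIL: ip_forward=1, the box routes between its NICs"
        return 1
    fi
    for dev in $(default_route_ifaces "$2"); do
        if [ "$dev" = "$3" ]; then
            echo "FAIL: default route points out the internal NIC $3"
            return 1
        fi
    done
    echo "PASS: forwarding off, no default route via $3"
}

# ---- constructed sample input (hypothetical host, not from the thread) ----
FWD_OFF=$(mktemp); printf '0\n' > "$FWD_OFF"
FWD_ON=$(mktemp);  printf '1\n' > "$FWD_ON"

# eth0 = DMZ side, eth1 = internal LAN; only the DMZ side has a gateway.
ROUTES_GOOD='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.5'

# Same host, but someone also gave the internal NIC a default gateway.
ROUTES_BAD='default via 192.0.2.1 dev eth0 proto static
default via 10.0.0.1 dev eth1 proto static metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.5'

audit_dual_homed "$FWD_OFF" "$ROUTES_GOOD" eth1   # PASS: forwarding off, no default route via eth1
audit_dual_homed "$FWD_ON"  "$ROUTES_GOOD" eth1   # FAIL: ip_forward=1, ...
audit_dual_homed "$FWD_OFF" "$ROUTES_BAD"  eth1   # FAIL: default route points out the internal NIC eth1
```

To run it against a real host, replace the two mktemp files with
/proc/sys/net/ipv4/ip_forward and feed "$(ip -4 route show)" as the route
text. The default-route check is deliberately separate from the forwarding
check because they fail independently: a gateway on the internal NIC lets the
box reach (and be reached from) the LAN even when it is not forwarding.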
