The issue with this config is that the box itself is open to compromise, at which point even without forwarding enabled, it still can route traffic. That's what ISA does.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> Sent: Monday, November 04, 2002 11:57 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
> Makes sense!
> I would turn off IP forwarding, so it wouldn't route it.
> How do you direct the proxy to the firewall for internal traffic?
> One reason I'm trying to do this is to speed up browsing to
> the intranet, which was amazingly fast when I had the server
> dual NIC'd.
>
> -----Original Message-----
> From: Dave Kinnamon [mailto:dkinnamon@;etcconnect.com]
> Sent: Monday, November 04, 2002 10:51 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
> Yes ... just have to make sure the box isn't routing
> between the NICs. However, realize that if the box is
> compromised, so is your internal network since you've
> bypassed your firewall with the multi-NIC configuration.
> Make sure your proxy directs its internal traffic to the
> firewall to help block some of what makes it through.
>
> -----Original Message-----
> From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> Sent: Monday, November 04, 2002 10:40 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
> Curious.. I notice all the MS docs for ISA and
> proxy say to do it with 2 NICs.. And you can't do any packet
> filtering or stateful inspection with one NIC in the server.
>
> I've also found Linux proxy documentation
> showing the same thing.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> Sent: Monday, November 04, 2002 10:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT?
>
> Because the 2 NIC solution results in a box
> bridging your firewall. In other words, your firewall is no
> longer the only path between your internal and external networks.
> That's generally a bad idea.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > Sent: Monday, November 04, 2002 10:06 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT?
> >
> > Can you explain why?
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > Sent: Monday, November 04, 2002 9:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OT?
> >
> > You were told correctly.
> >
> > One NIC in the DMZ is the better choice.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> > > -----Original Message-----
> > > From: MHR(Michael Ross) [mailto:mhr@;panduit.com]
> > > Sent: Monday, November 04, 2002 9:55 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: [ActiveDir] OT?
> > >
> > > I dunno if this is off topic..
> > > but which is more secure?
> > > A proxy (or ISA server) with 1 NIC in a DMZ, or a server
> > > with 2 NICs .. one in the DMZ, one on the internal LAN..
> > > Internal NIC has no default gateway.
> > > External NIC has WINS, SERVER service, Workstation service
> > > unbound from the NIC.
> > >
> > > I'm told a dual NIC'd proxy is a hole in the firewall.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
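The thread's concern is a proxy that is dual-homed, has IP forwarding on, or still has the Server/Workstation services and NetBIOS (WINS) bound on the outside NIC. The following audit check is an added example, not code from the thread or from ISA Server; it assumes a current Windows host (Windows 8/Server 2012 or later, for the NetAdapter and NetTCPIP modules) and an elevated prompt.

```powershell
# Added audit check (not from the thread): flag a Windows host that is multi-homed,
# has IP routing enabled, or still has Server/Workstation/NetBIOS bound on an adapter.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

$findings = @()

# 1. Adapters holding a real IPv4 address (skip loopback and APIPA).
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
$homed = @($ipv4 | Select-Object -ExpandProperty InterfaceAlias -Unique)
if ($homed.Count -gt 1) {
    $findings += "Multi-homed: IPv4 configured on $($homed -join ', ')"
}

# 2. IPEnableRouter=1 is the Windows switch for forwarding between NICs
#    (the 'IP forwarding' the thread talks about turning off).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) {
    $findings += "IP routing is enabled (IPEnableRouter=1 under $tcpip)"
}

# 3. Server service (ms_server) and Workstation service (ms_msclient) bindings per adapter.
foreach ($alias in $homed) {
    $bound = Get-NetAdapterBinding -Name $alias -ErrorAction SilentlyContinue |
        Where-Object { $_.ComponentID -in 'ms_server', 'ms_msclient' -and $_.Enabled }
    foreach ($b in $bound) {
        $findings += "$alias still has $($b.DisplayName) bound ($($b.ComponentID))"
    }
}

# 4. NetBIOS over TCP/IP, which WINS depends on. TcpipNetbiosOptions: 0 = via DHCP,
#    1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
    ForEach-Object { $findings += "NetBIOS over TCP/IP not disabled on '$($_.Description)'" }

if ($findings.Count -eq 0) {
    'OK: single-homed, routing off, no Server/Workstation/NetBIOS bindings found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A "Multi-homed" finding on a proxy that sits in the DMZ is the case the thread warns about: once the box is compromised, turning forwarding off no longer matters, so the check is a reason to move to one NIC rather than a fix on its own.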
