Title: Message
As I read through this thread, the one point that I noted NOT made that could help to clear up the entire thought process is that a firewall and a proxy work and act differently.
 
A proxy, by and large, is designed to speak FOR another server so that the external request is not allowed to go directly to the server.  It's not possible to tell who the true server is - the proxy is configured to mask its identity - hence providing a 'hidden destination'.
 
A firewall, OTOH, needs to have two (or more) NICs because of the fact that a rules engine passes data (packets) to the appropriate interface based on rules or packet filters (or both) that have been put in place to either allow or deny a particular traffic pattern, packet type, port, source or destination.
 
In a nutshell, that's about it.  MS Proxy Server was not really a firewall, though marketing tried to sell it as one.  The packet filtering was rudimentary, the stateful inspection non-existent and rules-based filtering was painful to the nth degree.
 
However, ISA is all of these and more.  Proxy, though, makes (made) a great cache engine - that is its contribution to ISA.  If you only want to proxy, a single NIC is all that you need because there is no filtering to speak of taking place.  A packet comes in, is modified to now have a source of the proxy and a destination of the intended.  The proxy knows which packets are going to which servers, and modifies them appropriately, and they are sent back to the proxy for the out-going trip for the reverse process to get to the originator.
 
Hope this helps to some degree....
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MHR(Michael Ross)
Sent: Monday, November 04, 2002 12:00 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT?

You may be right about MS' design of ISA.. But I've even seen their documentation show firewalls and a dual NIC'd server.
You cannot do packet filtering in ISA or Proxy2.0 with one NIC.. A pop-up comes up and confirms that.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 04, 2002 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT?


I believe you can - it might be harder, but I'd bet you can.

I'd leave packet filtering up to the firewall, since that's what you spent the money on it for.

Keep in mind that Microsoft built ISA to be used in place of a firewall in some setups - that's why the 2 NIC options are described.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
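
The "bridging" argument made further down in this thread (a proxy with one NIC in the DMZ and one on the LAN creates a second path around the firewall's DMZ-to-LAN policy) can be checked mechanically. The following is an added example, not code from anyone on this list; host and segment names are hypothetical, and the model treats any dual-homed host as a potential bridge regardless of its routing configuration.

```python
# Added example: model the two topologies from the original question and
# report which network segments can reach each other without traversing
# the firewall. Segment and host names are constructed for illustration.
from collections import deque

def build_graph(nics):
    """nics: {host: [segments]} -> undirected adjacency over hosts and segments.
    A host with NICs on two segments links those segments through itself."""
    graph = {}
    for host, segments in nics.items():
        for seg in segments:
            graph.setdefault(host, set()).add(seg)
            graph.setdefault(seg, set()).add(host)
    return graph

def reachable_without(graph, src, dst, blocked):
    """Breadth-first search from src to dst that refuses to enter `blocked`."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt != blocked and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def bypass_paths(nics, segments=("internet", "dmz", "lan"), firewall="firewall"):
    """Segment pairs connected by some path that avoids the firewall.
    An empty list means the firewall is the only path between all segments."""
    graph = build_graph(nics)
    return [(a, b) for i, a in enumerate(segments) for b in segments[i + 1:]
            if reachable_without(graph, a, b, firewall)]

# Topology from the question: proxy with one NIC in the DMZ, one on the LAN.
DUAL_NIC = {
    "firewall": ["internet", "dmz", "lan"],
    "proxy": ["dmz", "lan"],
    "client": ["lan"],
}
# The alternative: the same proxy with a single NIC in the DMZ.
SINGLE_NIC = {
    "firewall": ["internet", "dmz", "lan"],
    "proxy": ["dmz"],
    "client": ["lan"],
}

if __name__ == "__main__":
    print("dual-NIC proxy, bypasses:  ", bypass_paths(DUAL_NIC))    # [('dmz', 'lan')]
    print("single-NIC proxy, bypasses:", bypass_paths(SINGLE_NIC))  # []
```

The dual-NIC layout reports a DMZ-to-LAN path through the proxy, which is exactly the "hole in the firewall" the original poster was warned about: anything the firewall admits into the DMZ toward the proxy can continue to the LAN without the firewall's DMZ-to-LAN rules ever being consulted.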


> -----Original Message-----
> From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 04, 2002 12:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT?
>
>
> Downside to that is that you can't do packet filtering or
> domain filtering with one NIC.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 04, 2002 11:25 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OT?
>
>
> You are correct, sort of.
>
> You can still do packet filtering and inspection on traffic
> not destined back through your firewall - you just need to
> write the ruleset correctly.
>
> Personally, were I to add a proxy box to my network, I'd put
> it inside the firewall, with a single NIC, and set the
> firewall to only allow outbound HTTP to/from that box.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, November 04, 2002 11:40 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OT?
> >
> >
> > Curious.. I notice all the MS docs for ISA and proxy say to
> > do it with 2 NICs.. And you can't do any packet filtering or
> > stateful inspection with one NIC in the server.
> >
> > I've also found Linux proxy documentation showing the same thing.
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, November 04, 2002 10:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OT?
> >
> >
> > Because the 2 NIC solution results in a box bridging your
> > firewall. In other words, your firewall is no longer the only
> > path between your internal and external networks.
> >
> > That's generally a bad idea.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> >
> > > -----Original Message-----
> > > From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, November 04, 2002 10:06 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ActiveDir] OT?
> > >
> > >
> > > Can you explain why?
> > >
> > > -----Original Message-----
> > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, November 04, 2002 9:04 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] OT?
> > >
> > >
> > > You were told correctly.
> > >
> > > One NIC in the DMZ is the better choice.
> > >
> > > ------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Inovis - Formerly Harbinger and Extricity
> > > Atlanta, GA
> > >
> > >
> > > > -----Original Message-----
> > > > From: MHR(Michael Ross) [mailto:[EMAIL PROTECTED]]
> > > > Sent: Monday, November 04, 2002 9:55 AM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: [ActiveDir] OT?
> > > >
> > > >
> > > > I dunno if this is off topic..
> > > > but which is more secure?
> > > > a proxy (or isa server), with 1 NIC in a DMZ,   or a server
> > > > with 2 NICs .. one in the DMZ, one on the internal LAN..
> > > > internal NIC has no default gateway.
> > > > External NIC has WINS, SERVER service, Workstation service
> > > > unbound from the NIC.
> > > > 
> > > > I'm told a dual NIC'd proxy is a hole in the firewall.
> > > >
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
