MCSEGURU
Mon Sep 19 19:23:16 CDT 2005
I disagree... While the implementation may be poorly thoughout, and more of
a bandaid to satisfy compliance with some directive, I assume network
segmentation may be only one goal of the implementation. Logging and
intrusion detection may be the driving force for his restrictive
architecture, which is becoming more and more sought after by IT auditors.
The benefit of a passive firewall device logging all activity, is it's alot
harder to spoof at the passive interface, because we don't realize it's
there, additionally, should a server be compramised, it's local logging
could be totally lost.
After all in todays' computer threats, our internal employees present a much
higher risk than the internet hacker. Reason being, is we fail to enforce
all the security we could on our internal servers we leave many
vulnerabilities subject to accidental, or inentional misuse. This includes
patches, policies, and account management.
Architecture and Infrastructure Security teams can't easily force and manage
these patches, configuration lockdowns, and other common oversights our
applications teams, business units, and systems teams are implementing, , so
the direction to segment all internal PC's from the server segments, and
provide restricted port access based on implementation design scopes, allows
security manager the control to manage, document and control exposed
vulnerabilities much better.
It's what I would do. Now would I use ISA 2004, probably not. There are
Firewall technologies that manage the actual header conversations, and
payload data in addition to the standard port/protocol access, which allows
the security managers to really control what's going on with systems to the
application layer we all wish we could monitor and log at.
My 2 cents.
"Keith I" <kirby at top dot com> wrote in message
news:OUyfnbXvFHA.1988@TK2MSFTNGP10.phx.gbl...
> Marlon,
>
> What is the purpose of the network segmentation? Would the Front-End
> Exchange and Share Point Services (SPS) now exposed directly to the
> Internet? If so, you are negating the value of ISA 2004. ISA 2004 has
> the hardened External interface, the other server roles do not by default.
> Do you trust ISA, if not dump it and use another device for your network
> segmentation control. However, I believe ISA 2004 provides a hardened
> service for Exchange and SPS. That is the objective of using ISA.
>
> Second, would that DMZ-Domain be trusted by the corporate domain for
> authentication? If you are trusting, what should be non-trusted, then you
> are again devising a less secure solution than existed prior. The domain
> is not the not the Windows 200x security boundy, the forest is the
> boundry. So, you'd have to create a new forest with a minimum of two
> domain controllers for redundancy.
>
> The other solution might be the DMZ-Domain trusting the corporate domain
> for management. While this makes it easier to manage this domain, and is
> recommended by some persons for systems of 25 or greater in DMZ, it seems
> like this is not your case.
>
> This IT guru is imposing solutions that are just bad ideas, based on ideas
> 5-10 years ago. Your solution seems right on track. I like Microsoft's
> solution provided at
>
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/workgroup_ee.mspx
> the best.
>
>
>
>
>