Solved

ISA 2004 - Allow IP Range

Posted on 2010-01-07
Last Modified: 2012-05-08
Hi Experts

I have requested a scan to be done on our network for vulnerability to attacks to our network by the below company.
https://www.securitymetrics.com/index.adp

We did a test run with them overnight last night and it came back that we require to open an IP range and subnet mask range as they were getting blocked from our side.
--------------------------------------------------------------------------------------------------------------------
This scan is inconclusive. Though your server had open ports, we were unable to connect to any of them successfully. There is a high probability that some type of firewall or scan-detection software is blocking us from accurately scanning your server. Please configure any firewall or software that would interfere with our scans to allow all traffic from SecurityMetrics - see https://www.securitymetrics.com/scanning.adp If you feel that you have received this notice in error, please contact SecurityMetrics support.
--------------------------------------------------------------------------------------------------------------------
With that said we have an ISA 2004 proxy server.

My question is, how do I open up the below IP range and subnet mask range in ISA 2004?

IP Range
 204.238.82.16-32
Subnet Mask (Short)
 204.238.82.16/28
Subnet Mask (Long)
 204.238.82.16/255.255.255.240
 
Kind regards,
mustekkzn
Question by:mustekkzn
12 Comments
 
LVL 51

Accepted Solution

by: Keith Alabaster earned 200 total points
ID: 26200672
The obvious response is 'no, we will not'. Why would you?

The fact that you are stopping traffic from the securitymetrics.com source IP address (204.238.82.16) is not a problem for you. As a Government agency we frequently have to undergo penetration testing by more than one organisation and we are often told that they can distinguish certain ports are opened but were not able to progress further than that.

The process is generally that you will have made a matrix in a spreadsheet or similar detailing the ports that you have opened in the firewall, the direction in which the traffic can flow (in, out or both) and who can access it (fqdns, users or IP addresses).

You would normally then compare the report provided against your spreadsheet and take appropriate action.

For example, if they tell you that they can see TCP port 999 open and you haven't got it on your list then either your list is out-of-date or you have a problem.
Conversely, if you know you have TCP port 888 open but they cannot access it properly because they are not on the list of allowed users - so what, the firewall is doing what it is supposed to do.

Keith - ISA Forefront MVP
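
The comparison described in the answer above, as an added example that is not part of the original thread: a scan report is reconciled against the firewall port matrix, and each port is labelled. The matrix rows, report rows and label names are constructed for illustration; the scanner address is the one quoted in the thread.

```python
import ipaddress

# Constructed port matrix: what was opened on purpose, in which direction,
# and which sources are meant to reach it (the columns named in the answer).
INVENTORY = {
    ("tcp", 443): {"direction": "in", "allowed": ["0.0.0.0/0"]},
    ("tcp", 888): {"direction": "in", "allowed": ["198.51.100.0/24"]},
    ("tcp", 25): {"direction": "out", "allowed": []},
}

# Constructed scan report rows: ports the external scanner says it saw,
# and whether it managed to complete a connection to each.
SCAN_REPORT = [
    {"proto": "tcp", "port": 443, "connected": True},
    {"proto": "tcp", "port": 888, "connected": False},
    {"proto": "tcp", "port": 999, "connected": False},
]

def source_allowed(scanner_ip, allowed):
    """True if the scanner address falls inside any documented source range."""
    ip = ipaddress.ip_address(scanner_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed)

def reconcile(inventory, report, scanner_ip):
    """Label every port in the report or the matrix with one finding."""
    findings = {}
    for row in report:
        key = (row["proto"], row["port"])
        rule = inventory.get(key)
        if rule is None:
            # Seen open but never documented: stale matrix or a real problem.
            findings[key] = "UNLISTED"
        elif rule["direction"] in ("in", "both") and source_allowed(scanner_ip, rule["allowed"]):
            findings[key] = "EXPECTED"
        elif row["connected"]:
            # Scanner got in although the matrix says it should not.
            findings[key] = "EXPOSED"
        else:
            # Port visible, access refused: the firewall is doing its job.
            findings[key] = "BLOCKED_AS_DESIGNED"
    seen = {(r["proto"], r["port"]) for r in report}
    for key in inventory.keys() - seen:
        findings[key] = "NOT_OBSERVED"
    return findings

if __name__ == "__main__":
    # 204.238.82.16 is the scanner source address quoted in the thread.
    for key, label in sorted(reconcile(INVENTORY, SCAN_REPORT, "204.238.82.16").items()):
        print(key, label)
```

Only `UNLISTED` and `EXPOSED` call for action; `BLOCKED_AS_DESIGNED` is the port 888 case from the answer.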

 
LVL 16

Expert Comment

by:Bruno PACI
ID: 26200812
Hi,

Well well well... Let me summarize your situation:

You have been asked by a "security experts company" to OPEN ALL access from an entire public IP range so that they are able to come in freely on your network to check for vulnerability !?!?!???

Maybe I've misunderstood something, but if not... you should change for a really serious security company.

The firewall is an absolutely important part of the security plan, so nobody can seriously ask you to reduce the security to make a security audit. If they are not able to remotely come into your network to make their own test. If they want to make some tests on internal network, they send SOMEONE to visit your company and make tests directly from the internal network !


Have a good day.
 

Author Comment

by:mustekkzn
ID: 26201392
Hi Experts

Thank you for your posts.

Maybe I need to give you guys some more details on why we require this test done.
Because our company takes online payments via Barclays epdq payments, it is now a requirement from us to have these scans done every 3 months. The requirement also states that this company, Security Metrics, they also need to get onto our network to do scans from within our local network.
They don't require us to open all traffic, just enough for them to come in and do their scan, hence the given IP and subnet range given.

Your assistance in this matter is greatly appreciated.

Kind regards,
mustekkzn
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26201429
Then open up RDP access from their specific IP address (not a range) on port 3389 and let it pass to a single internal workstation. They can run their scans from there.

 

Author Comment

by:mustekkzn
ID: 26201488
Hi Keith

It is all automated off their website. We enter our external IP address and then click on SCAN.
If it was only as simple as it sounds...

Kind regards,
Arno
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26201527
Your call then. We also use Barclays - amongst others - and they have certainly NEVER been given internal access through to our internal network. As I mentioned before we have to be checked regularly for penetration testing and would not dream of allowing unfettered access to the internal areas.
 

Author Comment

by:mustekkzn
ID: 26201734
Hi Keith

Can I please ask for assistance in how to open this range for them? I would obviously not leave this open all the time.
As this is a requirement from Barclays.....I don't think we have much of a choice to "jump" through this hoop for them unfortunately.
It was good enough for me that this company, Security Metric wasn't able to get in themselves, but apparently according to them, if they are not able to get in, doesn't mean that anyone else can't. Which is probably a fair point to make.

Kind regards,
mustekkzn
 

Author Comment

by:mustekkzn
ID: 26211940
Hi Experts

I would like to just say that this issue has been resolved. Apparently Security Metric had a problem with their line while conducting this scan and the error we received was just a generic error.
In the end we didn't have to open any of our security protocols for them to conduct their scan.

I appreciate all posts/ comments made above from all the experts.  

Just to end off, we passed their scan and they were happy with our level of security on our network.

Kind regards,
mustekkzn.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26212575
Pleased to hear it. As mentioned, we work VERY closely with Barclays - and we are doing exactly what you are intending to do - and have never had to open ports for ANY reason.
We gave you the correct answer but I have no issue with refunding your points.

Keith - ISA Forefront MVP
 

Author Comment

by:mustekkzn
ID: 26281845
Hi Keith

My humble apology.
You are absolutely right. You warned me that for NO reason I should be opening up my network to anyone or anything.
Thinking now in hindsight I can't even believe I was even willing to consider this. Just because of a default notice saying that the problem could be the fact that our firewall could be the possible cause.

Kind regards,
mustekkzn
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26282647
:)
 
LVL 1

Expert Comment

by:sunnylowe
ID: 36218837
Well, they are at it again with us. Telling us that,
This scan is inconclusive. Though your server had open ports, we were unable to
connect to any of them successfully. There is a high probability that some type of
firewall or scan-detection software is blocking us from accurately scanning your
server. Please configure any firewall or software that would interfere with our
scans to allow all traffic from SecurityMetrics - see
https://www.securitymetrics.com/scanning.adp If you feel that you have received
this notice in error, please contact SecurityMetrics support.

We have a SonicWall running 5.81 and it keeps them out. The point of keeping people out is to protect our servers. Why should we let a company come into our network in a way that we would not let anyone else in? Also, this opens our network to a spoof attack, by turning off the aggressive protection in the firewall. Someone can start spoof attacking all networks by sending packets originating from that subnet. Really strange.