
Should You Install Anti-virus Software on Your ISA Firewall?

I get asked a few times a week whether you should install anti-virus software on the ISA firewall. It's a good question, and it is worth taking a moment to consider exactly what is being asked.

There are two general types of AV software that you can install on the ISA firewall:

  • AV software designed to protect the host operating system (Windows) on which the ISA firewall runs
  • AV software designed to scan and protect against viruses that might traverse the ISA firewall via HTTP, HTTPS, IM, P2P, FTP or other protocols that can transfer files

The first type of AV software is not required on the ISA firewall. Remember, the ISA firewall is not a workstation, so you should never run Internet Explorer, Outlook Express (or any other email client), Kazaa, BitTorrent, an FTP client, or any other client software on the firewall. Because no client software runs on the ISA firewall that could download files carrying viruses, worms or spyware, the ISA firewall is not at risk of infection. If you deliberately violate network and firewall security principles and use the ISA firewall as a workstation, you put yourself at risk of infection; if you operate your ISA firewall in a secure and professional fashion, there is no reason to install host-specific AV software on it.

In addition, you should never install server applications that significantly increase the attack surface of the ISA firewall. This means never installing IIS on the ISA firewall, never making the ISA firewall a domain controller (DC), never installing Microsoft Exchange on the ISA firewall, and not installing any other server software that could harbor viruses and other malcode. The exceptions are the SMTP service, the DHCP service and the DNS server, which can be installed on the ISA firewall.

The second type of AV software is designed to work with the ISA firewall components to protect hosts on ISA firewall Protected Networks from malware infection. I highly recommend that you install third-party applications, or configure the ISA firewall’s built-in HTTP Security Filter, to protect yourself from viruses, worms, spyware and other code that puts network computers at risk.

Examples of such software include Websense, SurfControl, Akonix, GFI WebMon3 and many others. These third party applications can be installed on-box or off-box. The ISA firewall has an advantage over many other solutions because you can install these applications on-box, which reduces cost and administrative complexity because you don’t have to maintain a second hardware device and worry about connectivity and configuration issues with the second device.

To sum things up: no, you don’t need to install AV software to protect the ISA firewall’s host operating system, and yes, you should install AV software designed to work with the ISA firewall to protect you against downloads of malicious mobile code.

HTH,

Tom

Thomas W Shinder, M.D.

Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/

Book: http://tinyurl.com/3xqb7

MVP — ISA Firewalls

7 Responses to “Should You Install Anti-virus Software on Your ISA Firewall?”

  1. Joyce Says:

    June 9th, 2006 at 1:45 am

    We are living in an internet time where you cannot do without anti-virus software and such. Too bad, but I think it will only get worse with time.

    My place for free Anti Virus Software is:
    http://www.freespamfilter.nl/uk/anti-virus.htm

    They always have the latest and best anti-virus available and have good reviews of all available anti-virus programs.

    Viruses should be stopped and people distributing these viruses should be put in jail. They jeopardize our operating system.

    Joyce

  2. Tom Shinder Says:

    June 9th, 2006 at 8:19 am

    It should be made clear that you SHOULD NOT install a host AV on the ISA firewall. It doesn’t require it if you are a competent ISA firewall admin.

  3. Neil Scott Says:

    December 17th, 2007 at 4:41 am

    I can’t believe this to be the case… if you are running a back-to-back firewall then yes, I can see that you wouldn’t need it on your front-end ISA servers, but what about your CSS server that is on the normal LAN and open to attack?

    You are saying never to run Internet Explorer on the servers, but every admin does this when they quickly need to check something on the web while investigating issues.

  4. Gary Hawkins Says:

    March 11th, 2008 at 7:02 am

    Hi Tom,

    Another great informative article but I need a little more info…

    We’re running MS ISA 2006 STD both as a web browsing gateway and as a web publisher for internal IIS websites to the external web.

    Our outbound web browsing traffic is routed to an MSP and so that traffic does not need AV filtering on-the-box (to reduce user licence costs).

    It’s proving difficult to find a product that filters the inbound traffic to published websites and which can also be applied to specific rules/groups.

    Are you able to provide any further advice on this?

    Regards,
    G

  5. paulo.oliveira Says:

    May 6th, 2008 at 3:56 pm

    Hi Tom,

    this is a very unusual opinion, because even if no one uses ISA as a “workstation” (not browsing around, downloading e-mails…), the people on the internal network are in charge of doing that and a lot more!
    So ISA is “exposed” to the internal network, which, in my opinion, is the most untrusted network. All because of the f… users who download and run viruses, worms…

  6. tshinder Says:

    May 6th, 2008 at 5:23 pm

    Hi Paulo,

    Not true. You may be thinking of the ISA 2000 networking model. With ISA 2004/2006, internal network users have no more access to the ISA Firewall than external network users. The ISA 2004/2006 network model applies stateful packet and application layer inspection on *all* interfaces. So, unless you create a rule that allows internal users and malware access, there’s no reason to install AV software on the ISA Firewall (assuming again, that you do not bring the malware in yourself by using the ISA Firewall as a workstation).

    Note that this is NOT true for SBS installations — they broke the ISA networking model to support SBS, so in that case, you would need to use AV/AM software on the SBS machine.

    HTH,
    Tom

  7. Mike Hoerner Says:

    September 3rd, 2008 at 1:46 pm

    I have ISA 2004 Server configured in Reverse Proxy Mode (Single NIC). Would your comments above regarding a file-level anti-virus scanner on ISA apply for an ISA Server running as a Reverse Proxy?
