To Join the Domain or Not Join the Domain, that is The Question

It never ceases to amaze me when I get into it with "packet filter" guys about domain membership. You know, the "hardware" firewall guys who have hijacked your network security in the feckless game of "port control" through DMZs and the Internet. The sorry state of affairs these network security guys manqué have created puts our network applications (you know, the stuff we're actually trying to protect) at serious risk. When I get into application protection discussions with these guys I often think that the inmates are running the asylum.

Here's the straight dope on domain membership. It is the preferred configuration and the more secure one. As long as you create an intelligent firewall policy and keep the principle of least privilege at the top of your list, domain membership will make your ISA firewall configuration both easier and more secure. It just doesn't get any better than that. BTW, I'm talking about real domain membership, not the hork where you create a separate forest just for the ISA firewall. When you do that, you lose key security advantages (the firewall still trusts a directory, but not the one that holds the users and groups you actually want to write policy for).


Advantages of Domain Membership:

Granular user/group access controls for all protocols

Don’t need to create array accounts for intra-array communications

Results in a more secure deployment

Full support for user certificate authentication for publishing

Full support for the Firewall client

Full support for Microsoft Operations Manager (MOM)

Full support for Group Policy management

Array admins can log in from any Active Directory managed machine with remote admin permissions

MUCH easier to deploy and maintain


Disadvantages of Domain Membership (each followed by my take on it):

If someone compromises the Active Directory, they can own the firewall.
    However, they'll own everything else too, and the firewall will be the least of your problems.

If the firewall is owned, the Active Directory may become accessible.
    The ISA firewall has never been compromised to the extent of being owned.
    Attackers don't try to own firewalls; they try to own the services protected by the firewall.

Domain Admins can administer the firewall.
    If you can't trust your domain admins, you have bigger problems.

Advantages of Workgroup Membership (each followed by my take on it):

If the firewall is compromised, the attacker might not be able to get to the Active Directory.
    If an attacker can own the firewall, he'll be able to reach the Active Directory whether or not the firewall is a domain member; the firewall sits on the path to the internal network either way.

Domain Admins can't administer the array.
    If you don't trust your domain admins, you have bigger problems than this.

If the Active Directory is "owned", the firewall won't be affected.
    ISA will be the last man standing while the entire business has gone up in flames. Does it really matter at this point?

Disadvantages of Workgroup Membership:

Requires a server certificate on the Configuration Storage Server (CSS), because array members can no longer authenticate to it with Kerberos.

Requires the issuing CA's certificate on each array member so that the CSS certificate chain validates.

Must track certificate status yourself (expiry and renewal), since nothing in the directory does it for you.

Must use RADIUS authentication (slow) or RSA SecurID (expensive) for user authentication.

On-box (local) accounts are required for intra-array communication and management.

No centralized password policy; every array member enforces whatever its own local policy says.
    This could become a security or access issue.

Can't use user certificate authentication for VPN or Web Publishing.

No support for VPN user mapping when users connect from non-Windows VPN clients.

ONLY ONE CSS IS SUPPORTED IN A WORKGROUP, so you lose configuration storage redundancy.
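Several of the workgroup-mode disadvantages above (local accounts, a purely local password policy, a server certificate on the CSS, CA certificates on the members, and the need to track certificate status by hand) are things you can audit on the box itself. The script below is an added example, not code from the original post or from ISA Server; it uses only standard Windows PowerShell features (Get-CimInstance, Get-LocalUser, the Cert: drive and net accounts) and assumes a modern Windows PowerShell 5.1 or later host. The 30-day expiry threshold is an assumption, not something the post specifies.

```powershell
# Added example (not from the original post): audit a firewall host for the
# workgroup-mode dependencies listed above.  Assumes Windows PowerShell 5.1+
# (Get-LocalUser, Get-CimInstance, the Cert: drive).  ISA 2006-era hosts
# would need the older net user / certutil equivalents.

$ExpiryWarningDays = 30   # assumed threshold, not from the post

function Test-ServerAuthCert {
    # True when the certificate carries the Server Authentication EKU
    # (1.3.6.1.5.5.7.3.1), i.e. it could serve as the CSS server certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { return $true }
            }
        }
    }
    return $false
}

$report = [ordered]@{}

# 1. Domain vs workgroup: the root of every item in the list above.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report['ComputerName']      = $cs.Name
$report['PartOfDomain']      = $cs.PartOfDomain
$report['DomainOrWorkgroup'] = $cs.Domain

# 2. "On-box accounts required" / "No centralized password policy":
#    in a workgroup every enabled local account is a standalone credential,
#    governed only by what 'net accounts' reports on this box.
$localUsers = Get-LocalUser | Where-Object { $_.Enabled }
$report['EnabledLocalAccounts'] = ($localUsers | ForEach-Object { $_.Name }) -join ', '
$report['LocalAccountsPasswordNeverExpires'] =
    ($localUsers | Where-Object { -not $_.PasswordExpires } | ForEach-Object { $_.Name }) -join ', '

foreach ($line in (net accounts 2>$null)) {
    if ($line -match '^(Minimum password length|Maximum password age \(days\)|Lockout threshold):\s*(.+)$') {
        $report["LocalPolicy: $($matches[1])"] = $matches[2].Trim()
    }
}

# 3. "Requires server certificate on CSS" / "Must track certificate status":
#    list machine certificates usable for server authentication, flag those
#    expiring soon, and check that the chain builds on this box, which is
#    what "Requires CA certificates on array members" means in practice.
$serverCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ServerAuthCert -Cert $_) }

$now = Get-Date
$certSummary = foreach ($c in $serverCerts) {
    [pscustomobject]@{
        Subject      = $c.Subject
        Thumbprint   = $c.Thumbprint
        NotAfter     = $c.NotAfter
        DaysLeft     = [int]($c.NotAfter - $now).TotalDays
        ExpiringSoon = ($c.NotAfter - $now).TotalDays -lt $ExpiryWarningDays
        ChainValid   = $c.Verify()   # false if the issuing CA cert is missing
    }
}
$report['ServerAuthCertificates'] = $serverCerts.Count
$report['RootCACertificates']     = (Get-ChildItem -Path Cert:\LocalMachine\Root).Count

[pscustomobject]$report | Format-List
if ($certSummary) { $certSummary | Format-Table -AutoSize }

# Anything with ExpiringSoon = True or ChainValid = False is exactly the
# "must track certificate status" chore that domain membership removes.
```

Run it elevated on each array member and on the CSS. On a domain-joined host the local account and policy sections are almost empty and the certificate section is irrelevant, which is the point the post is making: the workgroup configuration adds things you now have to watch.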

HTH,

Tom

Thomas W Shinder, M.D.

Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/

Book: http://tinyurl.com/3xqb7

MVP — ISA Firewalls


8 Responses to “To Join the Domain or Not Join the Domain, that is The Question”

  1. ISA - ISA 2006 - Rein in die Domain oder nicht? - MCSEboard.de MCSE Forum Says:

    January 27th, 2009 at 12:43 pm

    […] Quote from Landschaftsgest: Hello everyone. I have a few basic questions about ISA Server 2006. Is it better to put an ISA server in a workgroup rather than make it a domain member? For OWA authentication you can then configure an LDAP server (e.g. a DC with GC for a stand-alone ISA). Does the same apply to publishing SharePoint? Many thanks. There are differing opinions on whether an ISA server should be a domain member or not. Have a read on ISAserver.org: Debunking the Myth that the ISA Firewall Should Not be a Domain Member; Thomas Shinder Blog, Blog Archive: To Join the Domain or Not Join the Domain, that is The Question. In my opinion it also makes no difference whether you protect OWA or SharePoint with LDAP pre-authentication; both should work. How that can look for OWA you can also read at Shinder's: LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access (Part 1), (Part 2), (Part 3), (Part 4). Christoph […]

  2. Chris Says:

    April 7th, 2009 at 9:05 pm

    Great article. Nice comparison. I have a couple of questions. I am using ISA Server as my only firewall and I have multiple network interfaces connected to different network segments off of my firewall (public, production network, lab network, DMZ network). The production and lab networks each have their own Active Directory forest, and the forests do not trust each other. I want to be able to VPN into both networks as well as publish resources from each network through my ISA server. Would I still be better off placing the ISA 2006 server in one of the domains or leaving it in a workgroup? If I place the ISA server in the production domain, will I be able to authenticate VPN and implement user-based access for users in the non-trusted lab domain?
