Serious Error Regarding ISA Firewall Security Design Made at Microsoft TechNet Blog Site
I tried to post a response to this article http://blogs.technet.com/chrisavis/archive/2007/04...s.aspx on the Microsoft TechNet blog site but it wouldn’t allow me to post. So, I’ll post my response to Chris Avis’ ISA Firewall article here.
===============================================
Hi Chris,
You made a very serious error in this article. The quote:
“Since ISA is designed to be implemented on a workgroup based machine (isolated from the domain for enhanced security), there is no built in method for applying an access policy to built in Windows Groups or OUs.”
is quite wrong, since a non-domain member is LESS secure. In fact, the ISA Firewall was really designed to be a domain member so that you can take full advantage of all the security features that the ISA Firewall has to offer.
Please correct this and read the following article so that you don’t spread this superstition much further:
http://www.isaserver.org/tutorials/Debunking-Myth-...r.html
The “domain member is not secure” myth is used only by ABMers and “hardware” firewall sales guys. ISA pros know that a domain member ISA Firewall is more secure than a non-domain member ISA Firewall and any “hardware” firewall.
HTH,
Tom
===============================================
Hopefully Chris will be able to correct this error soon and, more importantly, not spread the disinformation that the ISA Firewall’s domain membership is a security risk. Instead, all of us should be promoting the ISA Firewall as a domain member when the overall security posture dictates that this is the more secure configuration.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Tarek Majdalani Says:
April 29th, 2007 at 10:07 am
Hi Tom,
There are quite a few people who believe the ISA should be in a workgroup outside the domain, or even in a SEPARATE domain with a one-way trust between the main internal network domain and ISA’s domain!!!
You can also feel this with 70-227 (the ISA 2000 exam)!!!
BUT with 70-350 (the ISA 2004 exam) you strongly notice that setting up ISA as a domain member is much preferred.
You can’t blame these people, because with ISA 2000 I have read so many articles saying that setting up ISA in a separate domain, or in a workgroup by itself, is much more secure.
These people believe that if ISA is separated from your MAIN domain and it is compromised, then you are still SAFE!!! And your domain has not been touched yet!!!
I strongly disagree with them, and ALSO recommend that they read this article: http://www.isaserver.org/tutorials/Debunking-Myth-...r.html
Best Regards,
Tarek Majdalani
Chris E. Avis Says:
April 29th, 2007 at 11:05 am
Thanks for setting me straight, Tom. Post is updated.
Chris
http://blogs.technet.com/chrisavis/archive/2007/04...s.aspx