
Update on ISA Firewall Security Design Article on TechNet Site

Yesterday I pointed out that Chris Avis, a TechNet Security Evangelist, mentioned on his blog site that the ISA Firewall was designed to not be a member of the domain. I took great umbrage with that remark because we’ve spent a lot of time over the last several years trying to debunk the myth that the ISA Firewall shouldn’t be a domain member.

That blog post can be found at http://blogs.technet.com/chrisavis/archive/2007/04...s.aspx

Chris updated his blog yesterday and I really appreciate it! Chris talks to a lot of admins in his TechNet presentations and webcasts and it really helps to get his support in this area.

Thanks Chris!

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

4 Responses to “Update on ISA Firewall Security Design Article on TechNet Site”

  1. Chris E. Avis Says:

    April 30th, 2007 at 2:39 pm

    My pleasure Tom! Keep up the great work on ISA!

    Chris

  2. Edward Ray Says:

    May 3rd, 2007 at 11:02 am

    I deploy ISA 2006 as an AD member behind a few other security devices. I would not recommend ISA 2006 be deployed at the network edge as an AD member (or at the edge at all for that matter) as it creates too much of a security risk IMHO. It would be almost like deploying a domain controller at the edge.

    It depends on what you are using ISA for. If I had to deploy ISA at the edge, I would not have it as an AD member and have it perform basic firewall functions only, leaving the application layer filtering/inspection to the next layer firewall.

    My $0.02

    Edward Ray aka hunglikethor

  3. Thomas Shinder Says:

    May 3rd, 2007 at 11:29 am

    Hi Ray,

    Not at all. The analogy that the ISA Firewall on the edge is like a DC is not quite accurate.

    I’ve done a complete analysis of the situation and you can find it by searching this site for “debunking”. Whether or not the ISA Firewall is a domain member is immaterial from a security point of view, except that the ISA Firewall provides a lower level of overall security when it’s not a domain member.

    I routinely make the ISA firewall an edge firewall and join it to the domain. In hundreds of deployments, there has never been an issue. Of course, you have to configure the machine correctly to prevent compromises, but the Myth that the ISA Firewall Should Not Be a Domain Member is mostly just that, and a favorite ploy of “hardware” firewall vendors.

    Thanks!
    Tom
