Domain Membership of ISA Firewalls Enhances SOX Compliance
I received an email from someone yesterday who said that domain membership of the ISA Firewalls might have an adverse effect on Sarbanes-Oxley compliance. I thought this was interesting, because domain membership of the ISA Firewall confers a higher level of security than workgroup ISA Firewalls. However, having never actually read the entire Sarbanes-Oxley Act of 2002, I couldn’t say authoritatively that domain membership wasn’t an issue for ISA Firewalls and ISA Firewall arrays.
Today I decided to spend the morning reading the entire 66-page SOX Act of 2002. If you’d like to read it yourself, you can find it at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi...st.pdf
The result of my investigation is that there are no references to ISA Firewall domain membership, or to any specific IT or network security related configurations. The only references I found that relate to IT operations are that, in several places, the Act says “internal controls” must be exercised over the corporate data that falls under SOX.
These multiple references to internal controls argue for making the ISA Firewall a domain member, because when the ISA Firewall is a domain member you have enhanced security in a number of areas: user certificate-based authentication, outbound access control and enhanced reporting using both the Web Proxy and Firewall clients, and centralized security controls through highly codified Group Policy objects for ISA Firewall arrays. Perhaps most importantly, domain-joined ISA Firewalls are easier to configure and maintain, and complexity of configuration is the leading cause of firewall-related security events.
For all these reasons, to the best of my knowledge after reviewing the entirety of the SOX Act of 2002, there is no reason why the ISA Firewall or ISA Firewall array should not be domain members, and in fact, domain membership enhances the internal controls required by SOX.
NOTE: This is a review of SOX only. I will also review COBIT 4.1 to determine if there are domain-related comments in there, but a quick review shows nothing related to ISA Firewall domain membership. I plan to review this with Jim Harrison and Tim Mullen next week and provide a more detailed analysis of anything that COBIT might imply regarding domain membership.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Jim Harrison Says:
July 24th, 2007 at 1:36 pm
Nice!
One other aspect that I discovered last night - if the person performing the SOX testing is also providing consultancy services related to the client’s SOX compliance, then a conflict of interest is indicated and must be resolved.
IOW, the person who is hired to determine and satisfy any SOX requirement *CANNOT* be from the same company that was hired to provide the SOX compliance testing.
If your “consultant” offers to “validate your SOX compliance” while simultaneously “creating processes and security” to satisfy SOX requirements (they don’t have to be the same requirements), your SOX compliance is now at risk.
IOW, you can’t use the same entity to both establish and validate your SOX compliance.
Amy Babinchak Says:
July 26th, 2007 at 8:05 am
Tom -
You could have written a very similar post for any of the new regulations. Too many companies are being led down the garden path by compliance “experts”. These experts usually have cookie-cutter programs to recommend under the guise of keeping you out of potential trouble. Unfortunately it ends up costing companies big money in the short and long run, not necessarily because it’s that difficult to comply but because of the cost of implementing the experts’ recommendations.
Tom Shinder Says:
July 26th, 2007 at 8:12 am
Hi Amy,
Yes, and much of it may be related to what Jim said — the compliance “testers” are also the ones who will benefit from costs of coming into “compliance”. There’s a built in conflict of interest there.
I think we need to put these jokers on the defensive. We’ll hammer on the SOX situation first and analyze the COBIT 4.1 guidelines. I’m sure the COBIT will say NOTHING about domain membership. That will blow a hole in the compliance tester’s OPINION and then they’ll have their hands forced to prove their other recommendations. I suspect that out of laziness and greed, they’ll relent on the domain membership issue if this issue forces them to defend their other marginal or just plain WRONG OPINIONS.
We’ll tackle HIPAA next.
Tom
Nizar Shanaah Says:
August 7th, 2007 at 1:04 am
Regarding ISA membership in the domain, regulations and standards are there to provide high-level requirements. I think of them as minimum requirements; they don’t ensure security.
You will [always] have to exceed the regulations in your setup.
ISA membership in the domain is dependent on the environment; in some setups maybe it is recommended, like if you use ISA to manage users’ outbound traffic.
If you have an environment with two levels of firewalls (let’s say Level 1: Checkpoint and Level 2: PIX) and you have the Exchange F-E residing internally, the ISA server is put in the DMZ (between L1 and L2) to publish OWA.
To avoid opening domain ports for ISA, RADIUS authentication is used for OWA.
In this environment I think ISA not being a member of the domain is more secure; of course you would have another internal ISA+WebFilters+..etc managing outbound users’ traffic.
Regards,
Nizar Shanaah
Tom Shinder Says:
August 7th, 2007 at 8:55 am
Hi Nizar,
Yours is an interesting opinion, but there is no evidence to support it and there are no guidelines in either SOX or COBIT 4.1 that support it either.
For example, you mention Check Point or PIX and then ISA behind them. While this is definitely the conventional wisdom in the “hardware firewall” world trained by Cisco sales reps, there is definitely no support for this supposition in either SOX or COBIT.
In fact, if you understood the ISA Firewall, you would use it as a front end domain member server in many scenarios where the “auditors” have fantasized that it shouldn’t be done. When you confront these auditors, they can provide NO EVIDENCE regarding their opinion.
In contrast, we’ve proven that domain membership for the ISA Firewall actually enhances SOX compliance based on the actual wording in the SOX and COBIT guidelines. Now, there’s something you can take to the bank!
BTW — don’t use terminology like “opening domain ports” — it makes you sound like a “port opener” neophyte, which we know isn’t true. Check out www.tacteam.net/openport.htm
HTH,
Tom