Auditors — You Do Not Need to Put a Firewall in Front of the ISA Firewall
From time to time I hear an ISA firewall admin talk about how an auditor told him that he needs to put a “firewall” in front of the firewall (the ISA firewall). Most of the time the ISA firewall admin is too busy to deal with it and just goes ahead and puts some cheap NAT device in front of the ISA firewall, which placates the auditor.
However, for those ISA firewall admins who are concerned about cost containment and security, I recommend that you confront the auditor with the following fact:
You do not need to put a firewall in front of your ISA firewall in order to be compliant with any industry regulations. The ISA firewall meets all requirements for an edge firewall, and no other firewall is ever required to meet regulatory requirements.
The above paragraph is a fact. It’s incontrovertible and cannot be denied.
So, if you run into an auditor who says you must put another firewall in front of the firewall, you should confront the auditor and find out why. Ask him to point to the specific regulation that states that a non-ISA firewall has to be put in front of the ISA firewall. Then ask how introducing increased complexity and adding costs to the solution leads to meeting regulatory requirements.
The auditor should back down. If the auditor does not back down, you should have them sign off on a statement that they agree to take responsibility for any security events that take place because of the non-ISA firewall. In addition, they should sign off on the costs of the non-ISA firewall: since it is not required, and since it was their opinion, not based on fact, that led to the recommendation, they should be willing to pay for it.
Usually the auditor will back down and admit that he didn’t know what he was talking about. At that point you should thank him for his efforts and commend him for his ability to learn about new technologies, and finally give him props for realizing that “hardware” isn’t magic.
HTH,
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)


Paulo Oliveira Says:
July 7th, 2008 at 8:28 am
Hi Tom,
this is great advice. I have already read many of your articles beating on this! Maybe after the auditor backs down, we should also advise them to read the articles at isaserver.org
Regards,
Paulo Oliveira.
Giannopoulos Antonis Says:
July 7th, 2008 at 9:48 am
I agree with “some cheap NAT device in front of the ISA firewall”, but what if it is not a cheap NAT device?
Oystein Says:
July 9th, 2008 at 5:41 am
Actually I don’t think there is a way around a Cisco in front of ISA in the setup I’m currently doing.
Running one Hyper-V server with ISA 2006 as one of the virtual servers, I need either another ISA in front or a router in front. This is due to the host server running the virtual servers not being protected by the ISA running as a guest OS, and as seen with VMware, attacks can be done across the images via the network adapter.
Running a second ISA in front doubles the cost, compared to running a Cisco.
If workarounds exist, please let me know
Oystein
Glenn Barnas Says:
July 13th, 2008 at 6:47 am
I think the auditor’s recommendation can be based on two words - “Microsoft” and “Server” - we all know the beating MS has taken in the past on server security. That’s why I make a point of referring to the “ISA Firewall” and not the “ISA Server” when I have any discussions about it, including posts here.
“Threat Management Gateway” is more than a name change or product enhancement, it’s about a change in perspective. The negative connotation of “server” has been dropped, and rightly so.
Finally, who coined the term “hardware” firewall? Doesn’t that imply that the logic is entirely in the hardware? Sure, there are ASICs that improve network routing and packet processing, but there is still a CPU and software to get the job done. By the same definition, does a pre-packaged “box” that runs Linux and a software firewall constitute a “hardware” firewall because when you bought the box, it was already a firewall? Just rhetorical questions that illustrate how false perspectives can influence one’s understanding.
Glenn
tshinder Says:
July 13th, 2008 at 7:57 am
Hi Glenn,
Exactly. The auditors are not paying attention to any facts, just “homemade” and “homestyle” wisdom and folklore.
You are right about the term “server”. You’ll notice that I almost never use the term ISA “server” and almost always use the term ISA firewall or Firewall. It’s a matter of perception, as you note.
The TMG firewall should put an end to all of this, I hope.
Thanks!
Tom