
Group Policy Processing Errors on ISA Server and Fun with Large ICMP Packets

Jason Jones presents an interesting problem that stems from what those of us who understand the ISA firewall would consider a patently ridiculous deployment – that is to say, putting the firewall array between a front-end and back-end firewall. In essence, this is a three-firewall solution that introduces:

  • Unneeded complexity
  • Increased risk of security misconfiguration
  • Needless increases in hardware and software costs
  • Reduced performance
  • Increased costs in IT overhead due to troubleshooting issues
  • Buy-in to a proven misconception that the ISA firewall is less secure than other firewalls

(Image: guy who puts an ISA firewall array between two “hardware firewalls”)

There are many other issues with this deployment model, but needless to say, there are a lot of organizations out there that still work in 1990s mode, where the belief is that magic is somehow imbued in “hardware” firewalls and that there is some mystical back door to ISA firewalls. We all know that neither of these ideas is true, but that doesn’t keep many IT departments from capitalizing on the ignorance of their employers, causing needless waste of money and time.

You’d think with the current economic climate, these wise guys might try to rein in some costs by whacking the extraneous back-end firewalls.

Anyhow, check out Jason’s article. I think you’ll find it enlightening:

http://blog.msfirewall.org.uk/2009/09/group-policy...a.html

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

One Response to “Group Policy Processing Errors on ISA Server and Fun with Large ICMP Packets”

  1. ClintD Says:

    September 11th, 2009 at 2:40 pm

    I have to admit that I’m a hork-mode ISA admin Tom. Don’t hold it against me - I’m a victim of circumstance! Sniffle…

    If you’re interested in the network infrastructure that I work at, shoot me a private message at my isaserver.org login and I’ll give you my amazingly complicated network environment. It’ll make you laugh, or cry - probably both.
