Firewall Wizards mailing list archives

RE: Microsoft ISA


From: "Symon Thurlow" <sthurlow () webvein com>
Date: Mon, 10 Mar 2003 07:52:20 -0000

Why put two NICs in the ISA box with one internal? That negates putting
the ISA box in the DMZ; you may as well just leave it internal with one
NIC.

If it were to get compromised, it would have full unrestricted access to
the internal LAN.

Unless I'm missing something?

Cheers,

Symon

-----Original Message-----
From: Claussen, Ken [mailto:Ken () kccweb com] 
Sent: 09 March 2003 15:54
To: Rob Beyman; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Microsoft ISA


Bob,
Believe it or not, ISA is one of the first software packages from
Microsoft which seems to be written from the ground up with security in
mind. They allow you to choose the failure mode, to pass or to not pass
traffic, when the firewall service fails. Depending on your security
policy you can choose appropriately. There have been two critical
patches, but neither one allowed System or Admin access.

I highly recommend a screening router with basic ACLs and NAT; this will
allow you to limit what reaches the ISA server and provide some defense
in depth. You may even want to talk them into a 515U PIX. ISA provides
good control and access restrictions from the LAN/source side, but its
ability to limit the destinations is surprisingly weak. It seems to only
have taken one half of the connection into account. The PIX provides an
easy way to limit the destinations based on a given source (the ISA
server off the DMZ interface).

I like to dual-home my ISA servers with the private on the internal and
the public in the DMZ. This allows different outbound policies to easily
be applied to the PIX. All traffic through the internal interface can be
restricted to force it through the proxy server, unless explicitly
allowed. This way you have the option to bypass the proxy if you need to
for a documented business reason. Mind you, I am describing Utopia;
there are always people who override security decisions in the name of
business, but document the risks and make them sign it if they refuse to
implement your full suggestions. At least that way they are aware of the
risk they are accepting.

PS Be sure you harden the ISA server according to the IIS checklist and
other Microsoft documentation. Tighten NTFS permissions, and use Windows
Update or the Automatic Update service to bring the server up to current
prior to deployment. Also disable all unnecessary services. Treat this
as a bastion host and unbind all services from the DMZ interface, except
TCP/IP (disable NetBIOS here, though). Read Zwicky et al., Building
Internet Firewalls, 2nd edition, for a fuller description of bastion
hardening techniques.

Ken Claussen MCSE(NT42K) CCNA CCA
"In Theory it should work as you describe, but the difference between
theory and reality is the truth! For this we all strive"



-----Original Message-----
From: Rob Beyman [mailto:robbeyman () yahoo com] 
Sent: Friday, March 07, 2003 11:36 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Microsoft ISA


Hello all,

I have been contracted to manage the security for a
site that is being built entirely on W2K servers. The development and
infrastructure team that is working on the site have convinced the
owners of the site that the only security they need is the services that
come built into the ISA suite offered up by our friends at Microsoft.

I'm not going to rant about how they should have
brought a security person in on the beginning of the
project, we all know that, but now that I'm here, I
want to learn everything I can about this product
before I make a recommendation. Obviously I'm checking
bugtraq and CERT, etc, and I've gotten my hands on the
MS Security Resource Kit... But what I'd really like
is some real world input.  Has anyone used this, and
if so, is it as bad as I think it's going to be or is
it just my prejudice from too much time spent plugging
the holes that the worm of the month exploits showing
through?

Thanks, and sorry for the length of the mail.
Bob
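To make the layout Ken describes above concrete (screening router in front, PIX limiting where the ISA server may go, inside segment forced through the proxy), here is an added configuration sketch. It is not from any poster in this thread and not from Microsoft or Cisco documentation. Every address, interface name, the proxy port 8080, the DNS server address and the "patch server" exception are assumed for illustration; the syntax is the PIX 6.x and IOS extended-ACL syntax of the period.

```cisco
! ===== Screening router (IOS), assumed WAN interface Serial0 =====
! Only what the firewall publishes or replies to reaches the PIX outside
! address (assumed 203.0.113.2); everything else dies at the edge.
ip access-list extended FROM_INTERNET
 permit tcp any host 203.0.113.2 eq 80
 permit tcp any host 203.0.113.2 eq 443
 permit tcp any host 203.0.113.2 established
 permit udp host 198.51.100.53 eq 53 host 203.0.113.2
 deny   ip any any log
!
interface Serial0
 ip access-group FROM_INTERNET in

! ===== PIX 515 (6.x syntax), assumed interfaces and addressing =====
!   outside 203.0.113.2/29   router is 203.0.113.1
!   inside  192.168.1.1/24   ISA internal NIC 192.168.1.10, proxy TCP 8080
!   dmz     172.16.1.1/24    ISA public NIC   172.16.1.10
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! PAT whatever is allowed out behind the outside address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 172.16.1.0 255.255.255.0 0 0

! --- Weak policy (commented out): trust whatever ISA lets through ---
! access-list dmz_out permit ip host 172.16.1.10 any
! This is the gap Ken describes: ISA decides who may talk, but a single
! permit-any on the PIX decides nothing about where they may go.

! --- Tighter policy: the ISA host is the only DMZ source, and it may
!     only reach web ports and one assumed DNS server ---
access-list dmz_out permit tcp host 172.16.1.10 any eq www
access-list dmz_out permit tcp host 172.16.1.10 any eq https
access-list dmz_out permit udp host 172.16.1.10 host 198.51.100.53 eq domain
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz

! --- Inside: no direct outbound. Clients reach the proxy on the ISA
!     internal NIC without crossing the PIX, so the PIX only has to stop
!     anything that tries to go around it. A documented exception
!     (assumed patch server 192.168.1.20) is listed explicitly so the
!     accepted risk is visible in the config, not hidden in a broad rule.
access-list inside_out permit tcp host 192.168.1.20 any eq www
access-list inside_out deny ip any any
access-group inside_out in interface inside
```

Two things to check after loading this: `show access-list` hit counts on the two `deny ip any any` lines will tell you quickly whether something on the inside is trying to bypass the proxy, and `show xlate` confirms that only the ISA DMZ address and the listed exception ever get a translation. Note that nothing in this PIX policy constrains the ISA box's internal NIC, which sits directly on the inside segment; the PIX only sees the DMZ side of the dual-homed host.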

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
