Firewall Wizards mailing list archives
RE: Microsoft ISA
From: "Symon Thurlow" <sthurlow () webvein com>
Date: Mon, 10 Mar 2003 07:52:20 -0000
Why put two NICs in the ISA box with one Internal? That negates putting the ISA box in the DMZ; you may as well just leave it internal with one NIC. If it were to get compromised, it would have full unrestricted access to the Internal LAN. Unless I'm missing something?

Cheers,

Symon

-----Original Message-----
From: Claussen, Ken [mailto:Ken () kccweb com]
Sent: 09 March 2003 15:54
To: Rob Beyman; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Microsoft ISA

Bob,

Believe it or not, ISA is one of the first software packages from Microsoft which seems to be written from the ground up with Security in mind. They allow you to choose the failure mode, To Pass or To Not Pass traffic when the firewall service fails. Depending on your security policy you can choose appropriately. There have been two critical patches, but neither one allowed System or Admin access.

I highly recommend a screening router with basic ACLs and NAT; this will allow you to limit what reaches the ISA server and provide some defense in depth. You may even want to talk them into a 515U Pix. ISA provides good control and access restrictions from the LAN/Source side, but its ability to limit the destinations is surprisingly weak. It seems to only have taken one half of the connection into account. The Pix provides an easy way to limit the destinations based on a given source (the ISA Server off the DMZ interface).

I like to Dual Home my ISA servers with the private on the Internal and the Public in the DMZ. This allows different outbound policies to easily be applied to the Pix. All Traffic through the internal interface can be restricted to force it through the proxy server, unless explicitly allowed. This way you have the option to bypass the proxy if you need to for a documented business reason.

Mind you, I am describing Utopia; there are always people who override security decisions in the name of business, but document the Risks and make them sign it if they refuse to implement your full suggestions. At least that way they are aware of the risk they are accepting.

PS Be sure you harden the ISA Server according to the IIS Checklist and other Microsoft Documentation. Tighten NTFS permissions, and use Windows Update or the Automatic Update service to bring the server up to current prior to deployment. Also disable all unnecessary services. Treat this as a Bastion Host and unbind all services from the DMZ interface, except TCP/IP (Disable NetBIOS Here Though). Read Zwicky et al., Building Internet Firewalls, 2nd Edition, for a fuller description of Bastion Hardening techniques.

Ken Claussen MCSE(NT42K) CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive"

-----Original Message-----
From: Rob Beyman [mailto:robbeyman () yahoo com]
Sent: Friday, March 07, 2003 11:36 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Microsoft ISA

Hello all,

I have been contracted to manage the security for a site that is being built entirely on W2K servers. The development and infrastructure team that is working on the site have convinced the owners of the site that the only security they need is the services that come built into the ISA suite offered up by our friends at Microsoft.

I'm not going to rant about how they should have brought a security person in at the beginning of the project, we all know that, but now that I'm here, I want to learn everything I can about this product before I make a recommendation. Obviously I'm checking bugtraq and CERT, etc., and I've gotten my hands on the MS Security Resource Kit... But what I'd really like is some real world input.

Has anyone used this, and if so, is it as bad as I think it's going to be, or is it just my prejudice from too much time spent plugging the holes that the worm of the month exploits showing through?

Thanks, and sorry for the length of the mail.

Bob

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
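As an added illustration of the Pix-side policy Ken describes (a constructed example, not from any poster in the thread; every address, interface name and the single SMTP exception are assumptions), a PIX 6.x fragment that lets only the ISA server's DMZ address reach a short list of destination ports and denies direct outbound from the internal interface except for one documented exception:

```cisco
! Constructed example: three-interface PIX with a dual-homed ISA server.
! Assumed addressing: inside 10.0.0.0/24 (ISA internal NIC 10.0.0.10),
! dmz 192.168.1.0/24 (ISA DMZ NIC 192.168.1.10), outside 203.0.113.0/24.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! Only the ISA DMZ address gets an outbound translation. A DMZ host without a
! translation cannot reach the Internet even if an ACL line is later loosened.
global (outside) 1 interface
nat (dmz) 1 192.168.1.10 255.255.255.255

! Destination-side control ISA lacks: the proxy may only originate web and DNS
! traffic, and only from its own DMZ address. Everything else from the DMZ is dropped.
access-list dmz_out permit tcp host 192.168.1.10 any eq www
access-list dmz_out permit tcp host 192.168.1.10 any eq https
access-list dmz_out permit udp host 192.168.1.10 host 203.0.113.53 eq domain
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz

! Internal interface: LAN clients reach the proxy on the LAN itself, so nothing
! from inside needs to cross the Pix. The one bypass (a mail relay sending SMTP)
! is the "documented business reason" and is listed explicitly; all else is denied.
nat (inside) 1 10.0.0.50 255.255.255.255
access-list inside_out permit tcp host 10.0.0.50 any eq smtp
access-list inside_out deny ip any any
access-group inside_out in interface inside
```

With this in place, a compromised DMZ host other than the ISA server has no translation and no permitted destination, and any new bypass from the LAN requires a visible ACL change rather than a proxy setting.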