Using ISA as a firewall
  • Using ISA as a firewall

    Hi there,
    How can I make ISA Server 2006 work as a firewall without joining the ISA server to the domain? Some people told me that it's insecure to join the ISA server machine to the domain. Any extra information?
    Thanks

  • #2
    Re: Using ISA as a firewall

    Well those some people are mistaken then...
    Read this first: http://www.isaserver.org/blogs/shind...stion-228.html
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Using ISA as a firewall

      Hi Dumber,
      I think I didn't explain it properly. I have already configured the DNS and the Active Directory. My question is, will the network be safe if the ISA server is a member of the domain? The problem here, I guess, is that the domain will be connected to the internet, which decreases the security of the network.



      • #4
        Re: Using ISA as a firewall

        Originally posted by Dumber View Post
        Well those some people are mistaken then...
        Read this first:
        Some of those arguments make very little sense.

        For instance, when some security professionals point out that making an ISA server a domain member makes it possible for any Domain Admin to reconfigure the firewall, the blog author replies "if you can’t trust your domain admins, you have bigger problems". He seems oblivious to the fact that by trusting all members of the Domain Admin group, you also implicitly trust any workstation used by a member of that group, and every service running with administrative privileges on any domain controller.

        His response to the concern that an attacker gaining access to Active Directory will also be in full control of the firewall, is "they’ll own everything else too, with the Firewall being the least of your problems". So, if an attacker/insider manages to exploit a privilege escalation bug and obtain administrative privileges in AD, we might as well give him control of the firewall too, so he can send confidential data across the Internet? Really?

        There are a few more poorly thought out arguments in that blog post, but the underlying problem is that the author doesn't seem to consider well-established guidelines for network design and security as important, such as the principle of least privilege, the layered approach and diversity of defense.

        In addition, the benefits of having ISA/TMG/UAG as a domain member are extremely limited. The blog mentions the ability to filter on users and groups if you deploy the Firewall Client, but in today's heterogeneous network environments with smart phones and tablets, the Windows-only Firewall Client is of limited use. Also, you can achieve more or less the exact same functionality by setting up an AD-integrated proxy server.

        This leaves only integration with AD certificate services, but again, who says that your edge firewall also has to be the VPN concentrator?



        • #5
          Re: Using ISA as a firewall

          Well I'm not going to defend his or her blogpost, and I'm not planning to start some discussion about this with you Ser Olmy. I've no time for that....

          There are some advantages and some disadvantages. Authentication doesn't only work with the Firewall Client but also with the proxy client.

          About authentication for managing ISA, which actually doesn't work without AD membership:
          http://technet.microsoft.com/en-us/l.../bb794769.aspx

          Also have a read on this:
          http://www.isaserver.org/articles-tu...in-Member.html

          But in the end I can start a discussion about every item, every configuration setting with either Firewall.
          Marcel



          • #6
            Re: Using ISA as a firewall

            Originally posted by Dumber View Post
            There are some advantages and some disadvantaged. Authentication doesn't only work with the Firewall Client but also with the proxy client.
            Authenticating proxy clients works with RADIUS as well.

            Originally posted by Dumber View Post
            About authentication for managing ISA. Which actually doesn't work without AD membership.
            http://technet.microsoft.com/en-us/l.../bb794769.aspx
            Actually, that article contains details on managing ISA server as a workgroup member as well. There's nothing about the role-based management approach that requires domain membership. Sure, it may be (slightly) easier to configure an ISA server when the underlying OS is AD-integrated, at least initially, but as always there's a trade-off between security and functionality.

            Originally posted by Dumber View Post
            The arguments in that article are nearly a word-for-word copy of the blog post. This includes the illogical arguments regarding compromised AD accounts and trusting the Domain Admins group, and it does not address any of the concerns I raised in my other post (which I didn't come up with entirely by myself, by the way; these are concerns raised by many security professionals).

            It's interesting to note that the article emphasizes a number of perceived disadvantages of not having the ISA server as a domain member, particularly with regards to VPN certificates and the Configuration Storage Service. These may be real issues, but highlighting limitations specific to the ISA Server product when installed in a non-domain member context does not alleviate concerns about the security implications of making the server a domain member.

            So yes, there may be real advantages of having the ISA Server computer as a domain member. And yes, there are very real security issues specific to that particular configuration.



            • #7
              Re: Using ISA as a firewall

              To get back on topic a bit:

              OP - ISA works in the same manner whether it's a domain member, or not a domain member. (In relation to the way it works as a firewall, anyway)

              If you're wanting to base some of your rules on AD based groups, then no it's not going to work because it can't enumerate the groups..

              if that makes sense ?



              • #8
                Re: Using ISA as a firewall

                Well, I guess the risk of having an ISA server is that this will expose the domain to the external AD to the outside. Is it ok to have a new domain that is dedicated to ISA and make a trust relationship with the main AD?
                Any idea?



                • #9
                  Re: Using ISA as a firewall

                  I think you're over-complicating the whole thing! The idea of the firewall has virtually nothing to do with domain membership--the firewall will only route the traffic you have configured it to allow, whether it's a domain member or not. Domain membership or RADIUS authentication would be used, for example, to have each user authenticate to create a web connection thru the firewall, but the firewall itself doesn't have any reason to belong to the domain it's protecting.

                  I have knowledge of a running config with a domain sitting behind an ISA Server 2004 firewall. It's got the traditional 3-leg network config. It has domain certs imported so it can get updates from the internal WSUS server; its AV install is managed from the domain console, and the backup solution records full or incremental backups, same as the domain members. When the system was stood up, it was deemed more secure to keep the firewall out of the domain, because there was no need to define any domain-related traffic from it to the internal leg.

                  Ultimately, it's your choice which way around you want to do it, depending on how your environment is managed.
                  *RicklesP*
                  MSCA (2003/XP), Security+, CCNA

                  ** Remember: credit where credit is due, and reputation points as appropriate **



                  • #10
                    Re: Using ISA as a firewall

                    Originally posted by tiger1 View Post
                    Well, I guess the risk of having an ISA server is that this will expose the domain to the external AD to the outside. Is it ok to have a new domain that dedicated to ISA and make trust relationship with the main AD?
                    Any idea?
                    But that's not true, you don't expose AD as long as you don't allow traffic towards AD.

                    ISA is a strong but also a retired firewall. TMG is the latest release and there will be no new versions of it. That would be a much bigger concern.
                    Also there is no written article anywhere on the internet where ISA has been breached.

                    Oh well, it's up to your needs and what you want.....
                    I've other things keeping me busy right now.

                    @Ser Olmy, quick question:
                    The arguments in that article is nearly a word-for-word copy of the blog post. This includes the illogical arguments regarding compromised AD accounts and trusting the Domain Admins group, and it does not address any of the concerns I raised in my other post (which I didn't come up with entirely by myself, by the way; these are concerns raised by many security professionals).
                    Where is it stated that a well configured, hardened ISA server will be or can be compromised so that the AD might become at risk? The problem is, every device has its issues and without proper management, like patching, updating, trained users, etc. there's always a risk. From ISA 2004 it became a product which hasn't been breached. And sure it is possible to use other methods as well. It's great there are other methods when needed.

                    However, going back to what I said earlier, TMG will be discontinued and the mainstream support ends at April 14, 2015. That would be a bigger concern imho.
                    Marcel



                    • #11
                      Re: Using ISA as a firewall

                      Originally posted by Dumber View Post
                      @Ser Omly, quick question:


                      Where is stated that a well configured, hardened ISA server will be or can be compromised that the AD might become at risk?
                      I was referring to the reverse scenario, where an AD compromise also leads to an implicit ISA/TMG compromise. Infect a PC used by a Domain Admin with a trojan, and you can reprogram the firewall without having access to a single password.

                      But of course, I don't see any reason why one should offer an attacker a valid AD (computer) account in the event of an ISA/TMG compromise (which may not necessarily be the result of a defect in ISA/TMG itself, but could be caused by any number of issues, such as misconfiguration or a security vulnerability in an OS component).

                      Also, when the ISA/TMG computer is a domain member, you have to allow traffic between that system and the DCs for a number of AD/CIFS related protocols. If it's not a domain member, you can (and should) add those protocols to the IDS/IPS filter.

                      As always, one has to evaluate the pros and cons for any given scenario. And as you point out, the biggest "cons" relate to the fact that ISA and TMG are discontinued products and will soon be out of support.

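A check in the spirit of post #11, written as an added example for this thread (not code from ISA/TMG or from any poster): it scans firewall log records and flags connections from the firewall host to the domain controllers on the AD/CIFS protocol ports that only a domain-member firewall should be generating, so a workgroup ISA/TMG host can be verified to stay quiet towards the DCs. The three-field record format, the addresses and the sample records are assumptions constructed for the example.

```python
"""Flag firewall-host-to-DC connections on AD/CIFS ports (example for this
thread, not ISA/TMG code). A non-domain-member ISA/TMG host should produce
none of these; a domain member must, because it needs them to talk to AD."""
from typing import Iterable, List, Optional, Tuple

# Assumed addresses: the firewall's internal leg and the domain controllers.
FIREWALL_INTERNAL_IP = "10.0.0.1"
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}

# Well-known ports a domain member needs towards its DCs.
AD_CIFS_PORTS = {
    88: "Kerberos", 135: "RPC endpoint mapper", 137: "NetBIOS name service",
    138: "NetBIOS datagram", 139: "NetBIOS session", 389: "LDAP",
    445: "SMB/CIFS", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog over SSL",
}

def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Parse a constructed 'src dst dport' record (assumed, not the ISA log format)."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return None  # malformed records are skipped rather than reported
    return parts[0], parts[1], int(parts[2])

def find_domain_traffic(lines: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, port, protocol) for each firewall-to-DC hit, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if src == FIREWALL_INTERNAL_IP and dst in DOMAIN_CONTROLLERS and port in AD_CIFS_PORTS:
            findings.append((src, dst, port, AD_CIFS_PORTS[port]))
    return findings

# Constructed sample records: "source destination destination-port".
SAMPLE_LOG = [
    "10.0.0.1 10.0.0.10 88",    # Kerberos to a DC: only a domain member does this
    "10.0.0.1 10.0.0.10 445",   # CIFS to a DC: SYSVOL/NETLOGON access, flagged
    "10.0.0.1 10.0.0.10 53",    # DNS: expected even from a workgroup host
    "10.0.0.1 10.0.0.50 445",   # SMB to a non-DC host (e.g. WSUS): not flagged
    "10.0.0.25 10.0.0.10 389",  # a workstation doing LDAP to a DC: normal
    "not a log record",         # malformed, skipped
]
```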