Welcome to ISAserver.org

Discussion about article on making the ISA firewall a domain member

Discussion about article on making the ISA firewall a d... - 20.Jun.2006 4:23:59 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on making the ISA firewall a domain member over at http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article on making the ISA firewall... - 20.Jun.2006 10:22:19 PM   
adidell

 

Posts: 7
Joined: 5.Aug.2003
Status: offline
So,

What were Steve's arguments against domain membership?  To be fair, let's hear the other side :).

Thanks,

~Andrew

(in reply to tshinder)
Post #: 2
RE: Discussion about article on making the ISA firewall... - 20.Jun.2006 10:59:25 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

Indeed! However, the problem was he didn't provide any arguments for his side.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adidell)
Post #: 3
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 2:32:53 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Congrats on your 40,000 on this board...:))

very good article, I have added it to my good article ammunition list.

Steve 

(in reply to tshinder)
Post #: 4
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 2:44:02 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Steve,

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SteveMoffat)
Post #: 5
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 6:46:01 AM   
drixie

 

Posts: 21
Joined: 15.Mar.2006
Status: offline
How about one-way trusts? Wouldn't that work well while still avoiding full domain membership for the ISA machine?

(in reply to tshinder)
Post #: 6
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 9:35:38 AM   
wbplomp

 

Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi Tom,

This is a very good article. I was also very surprised (and a bit disappointed) by Steve's argument. I thought that we finally left the basics of a resource domain in Windows NT 4.0 with Proxy Server 2.0 behind. I always say ISA Server should be a member of the domain to have full function. But you do have to harden your ISA Server to take persuasion. At this moment I even use a third-party front-end firewall; I do trust ISA, but just to be sure.

I thereby hope Microsoft will comment on this article...

Boudewijn

< Message edited by wbplomp -- 21.Jun.2006 9:40:01 AM >

(in reply to drixie)
Post #: 7
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 3:37:01 PM   
amm1270

 

Posts: 11
Joined: 6.Nov.2002
Status: offline
Hi Tom.  I agree with the article and have had my ISA firewall a domain member since ISA 2000.  I need the granular access control for both inbound and outbound traffic and having ISA in the domain makes that possible.  Also I enjoyed your talk at Tech Ed.

(in reply to tshinder)
Post #: 8
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 3:41:17 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: drixie

How about one-way trusts? Wouldn't that work well while still avoiding full domain membership for the ISA machine?


Hi Drixie,

Read the article! One-way trusts are a psychiatric salve! They provide no real security and only add complexity, while reducing your overall security posture.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to drixie)
Post #: 9
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 3:45:34 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: wbplomp

Hi Tom,

This is a very good article. I was also very surprised (and a bit disappointed) by Steve's argument. I thought that we finally left the basics of a resource domain in Windows NT 4.0 with Proxy Server 2.0 behind. I always say ISA Server should be a member of the domain to have full function. But you do have to harden your ISA Server to take persuasion. At this moment I even use a third-party front-end firewall; I do trust ISA, but just to be sure.

I thereby hope Microsoft will comment on this article...

Boudewijn


Hi Boudewijn,

I'll even argue that you don't need to "harden" the ISA firewall other than configuring a secure firewall policy and running the Security Configuration Wizard. And I never put a "hardware" firewall in front of the ISA firewall unless it's convenient or the customer is hypnotized by the hardware firewall vendor and can't get out of his trance. Remember, the ISA firewall is more secure than the "hardware" firewall, which really doesn't provide much if any security to your applications.

You're absolutely right that the ISA firewall should in most cases be a domain member and that it's a shared delusion by most folks that there is a security issue with domain membership. Indeed there is a security issue -- not joining the ISA firewall to the domain weakens the ISA firewall to the extent that it becomes as useless as a "hardware" firewall!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wbplomp)
Post #: 10
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 3:46:52 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: amm1270

Hi Tom.  I agree with the article and have had my ISA firewall a domain member since ISA 2000.  I need the granular access control for both inbound and outbound traffic and having ISA in the domain makes that possible.  Also I enjoyed your talk at Tech Ed.



Hi Ammm,
Thanks for the kind words about my talk :)
You get it! That's great!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to amm1270)
Post #: 11
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 7:39:59 PM   
drixie

 

Posts: 21
Joined: 15.Mar.2006
Status: offline
OK, OK, almost converted... we've been having issues with FW client authentication, could it be because our ISA is in a one-way trust relationship with the main domain? Also, if we're planning to use Radius OTP authentication, wouldn't a one-way trust be "enough"? Why would we need client certificates?

PS: Many thanks for the site and the book - it has saved us a lot of work!

(in reply to tshinder)
Post #: 12
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 7:43:55 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Drixie,

For RADIUS OTP, you don't even need a trust relationship or a domain, as certificates aren't even required. But RADIUS OTP is limited to Web Publishing only.

Thanks for the kind words about the site and the books!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to drixie)
Post #: 13
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 9:45:12 PM   
drixie

 

Posts: 21
Joined: 15.Mar.2006
Status: offline
OK, I'm convinced... we'd like some people to have VPN access beyond web publishing, so I guess we really have no choice. Thanks again!

(in reply to tshinder)
Post #: 14
RE: Discussion about article on making the ISA firewall... - 21.Jun.2006 11:18:00 PM   
agentsmith

 

Posts: 5
Joined: 18.Jan.2005
From: Austria
Status: offline
quote:

ORIGINAL: SteveMoffat

Congrats on your 40,000 on this board...:))

very good article, I have added it to my good article ammunition list.

Steve 


Hi Steve,

would you mind sharing your "ammunition list" of Tom's Best with the community?

@Tom - Great Article - exactly the same discussions with our "die-hard-security-ends-@-layer3-fw-gurus" here ....

wbr
Agent

(in reply to SteveMoffat)
Post #: 15
RE: Discussion about article on making the ISA firewall... - 22.Jun.2006 12:28:35 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: drixie

OK, I'm convinced... we'd like some people to have VPN access beyond web publishing, so I guess we really have no choice. Thanks again!


Hi Drixie,

You bet!
Thanks!!!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to drixie)
Post #: 16
RE: Discussion about article on making the ISA firewall... - 22.Jun.2006 12:32:45 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: agentsmith

quote:

ORIGINAL: SteveMoffat

Congrats on your 40,000 on this board...:))

very good article, I have added it to my good article ammunition list.

Steve 


Hi Steve,

would you mind sharing your "ammunition list" of Tom's Best with the community?

@Tom - Great Article - exactly the same discussions with our "die-hard-security-ends-@-layer3-fw-gurus" here ....

wbr
Agent


Hi Agent,

This is one I love to throw at heads in the sand "network guys" who are clueless about network security:

http://www.isaserver.org/articles/2004tales.html

They usually blanch or drag their withering carcasses away mumbling something about "but it runs on Windows, but it runs..on..Windows.....but......it........runs...........on..............Windows........but..............but............but.......................................but................................

HTH,
Tom 

_____________________________

Thomas W Shinder, M.D.

(in reply to agentsmith)
Post #: 17
RE: Discussion about article on making the ISA firewall... - 22.Jun.2006 3:01:18 AM   
SteveRiley

 

Posts: 2
Joined: 7.Apr.2006
From: Seattle, WA, USA
Status: offline
Friends! Either I misstated my point at TechEd (more likely) or Tom misunderstood (less likely), but that doesn't really matter. Fact is, Tom and I are in violent agreement about domain membership; I'm simply approaching a particular intractable problem from my experience dealing with certain customers. There's no debate here, because Tom is correct: domain membership is better.

I wrote a bit more in my blog: http://blogs.technet.com/steriley/archive/2006/06/21/438111.aspx

Steve Riley
steve.riley@microsoft.com

(in reply to tshinder)
Post #: 18
RE: Discussion about article on making the ISA firewall... - 22.Jun.2006 4:23:03 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Steve,

Hey, welcome to the Web boards!

I'll go check out your blog now.

Thanks!!!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SteveRiley)
Post #: 19
RE: Discussion about article on making the ISA firewall... - 23.Jun.2006 9:02:55 PM   
ChrisP

 

Posts: 7
Joined: 23.Jun.2006
Status: offline
Just wanted to say great article on this.  I get this question sometimes and now have a resource to send to people for review. :)

-cp

(in reply to tshinder)
Post #: 20