tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Watts,
I never run AV software on the ISA firewall because there's no mechanism for it to be attacked. I never use client applications on the firewall itself. That means, no Outlook Express, no IE, no RDP outbound, no nothing. Of course, the ISA box could be hit by something like the Sasser worm or something similar, but you would have to allow inbound access to the firewall from a network that had an infected client, and access would have to be allowed on the worm's port. In that case, you'll get hit before Norton or any other AV finds it. However, there are other's who believe that its a good idea to have an AV on the ISA box. I recommend that you do what you're most comfortable with. I'm comfortable without it, so I continue doing it that way
I would definitely NOT put SMS or comparable software on the ISA firewall because of the service that need inbound and outbound access to and from the firewall. That's getting into a scary situation, almost as bad as putting an Exchange server on the firewall!
I like putting the caching-only DNS server on the ISA firewall because it represents a forwarder that I trust and have configured to prevent issues such as cache poisoning, etc. I have control over the forwarder and I also configure the forwarder on the ISA firewall to use my ISP's DNS server as a forwarder, because I trust my ISPs and typically use only trusted ISPs (i.e., not AOL/Earthlink/Charter). However, if I have the option, I prefer to put the caching-only forwarder on a DMZ segment. The goal is to prevent any Internal network host from having a "direct" connection with Internet hosts. This is the same as the firewall philosophy that no Internal network host should be "Internet facing", although they typically mean not accepting new inbound connections when they use that term. I prefer to have my Internal network hosts never have any contact with Internet hosts. However, this is not required and you can safely use a trusted ISP's DNS server as your only forwarder.
There are NO advantages to running a DHCP server on the ISA firewall. However, I included that info in the Getting Started doc because a lot of shops expect the firewall to be a DHCP allocator/server. However, I far prefer having the DHCP server on another machine on the network, such as the same machine that is acting as the WINS/DNS/RADIUS/Certificate server. Prefer to not have it on a DC, but you can certainly do that, however there are security implications if you use dynamic DNS registrations on your network.
HTH, Tom
|