Discussion about article on making the ISA firewall a domain member (Full Version)






tshinder -> Discussion about article on making the ISA firewall a domain member (20.Jun.2006 4:23:59 PM)

This thread is for discussing the article on making the ISA firewall a domain member over at http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

Thanks!
Tom




adidell -> RE: Discussion about article on making the ISA firewall a domain member (20.Jun.2006 10:22:19 PM)

So,

What were Steve's arguments against domain membership?  To be fair, let's hear the other side :).

Thanks,

~Andrew




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (20.Jun.2006 10:59:25 PM)

Hi Andrew,

Indeed! However, the problem was he didn't provide any arguments for his side. [:'(]

Tom




SteveMoffat -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 2:32:53 AM)

Congrats on your 40,000 on this board...:))

Very good article, I have added it to my good article ammunition list.

Steve




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 2:44:02 AM)

Hi Steve,

Thanks!
Tom




drixie -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 6:46:01 AM)

How about one-way trusts? Wouldn't that work well, but still avoiding full domain membership for the ISA machine?




wbplomp -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 9:35:38 AM)

Hi Tom,

This is a very good article. I was also very surprised (and a bit disappointed) by Steve's argument. I thought that we finally left the basics of a resource domain in Windows NT 4.0 with Proxy Server 2.0. I always say ISA Server should be a member of the domain to have full function. But you do have to harden your ISA Server to take precaution. At this moment I even use a third-party front-end firewall; I trust ISA, but just to be sure.

I thereby hope Microsoft will comment on this article...

Boudewijn




amm1270 -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 3:37:01 PM)

Hi Tom.  I agree with the article and have had my ISA firewall a domain member since ISA 2000.  I need the granular access control for both inbound and outbound traffic and having ISA in the domain makes that possible.  Also I enjoyed your talk at Tech Ed.




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 3:41:17 PM)

quote:

ORIGINAL: drixie

How about one-way trusts? Wouldn't that work well, but still avoiding full domain membership for the ISA machine?


Hi Drixie,

Read the article! One-way trusts are a psychiatric salve! They provide no real security and only add complexity, while reducing your overall security posture.

Thanks!
Tom




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 3:45:34 PM)

quote:

ORIGINAL: wbplomp

Hi Tom,

This is a very good article. I was also very surprised (and a bit disappointed) by Steve's argument. I thought that we finally left the basics of a resource domain in Windows NT 4.0 with Proxy Server 2.0. I always say ISA Server should be a member of the domain to have full function. But you do have to harden your ISA Server to take precaution. At this moment I even use a third-party front-end firewall; I trust ISA, but just to be sure.

I thereby hope Microsoft will comment on this article...

Boudewijn


Hi Boudewijn,

I'll even argue that you don't need to "harden" the ISA firewall other than configuring a secure firewall policy and running the Security Configuration Wizard. And I never put a "hardware" firewall in front of the ISA firewall unless it's convenient or the customer is hypnotized by the hardware firewall vendor and can't get out of his trance. Remember, the ISA firewall is more secure than the "hardware" firewall, which really doesn't provide much if any security to your applications.

You're absolutely right that the ISA firewall should in most cases be a domain member and that it's a shared delusion by most folks that there is a security issue with domain membership. Indeed there is a security issue -- not joining the ISA firewall to the domain weakens the ISA firewall to the extent that it becomes as useless as a "hardware" firewall! [:)]

Thanks!
Tom




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 3:46:52 PM)

quote:

ORIGINAL: amm1270

Hi Tom.  I agree with the article and have had my ISA firewall a domain member since ISA 2000.  I need the granular access control for both inbound and outbound traffic and having ISA in the domain makes that possible.  Also I enjoyed your talk at Tech Ed.



Hi Ammm,
Thanks for the kind words about my talk :)
You get it! That's great!

Thanks!
Tom




drixie -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 7:39:59 PM)

OK, OK, almost converted... we've been having issues with FW client authentication, could it be because our ISA is in a one-way trust relationship with the main domain? Also, if we're planning to use Radius OTP authentication, wouldn't a one-way trust be "enough"? Why would we need client certificates?

PS: Many thanks for the site and the book - it has saved us a lot of work!




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 7:43:55 PM)

Hi Drixie,

For RADIUS OTP, you don't even need a trust relationship or a domain, as certificates aren't even required. But RADIUS OTP is limited to Web Publishing only.

Thanks for the kind words about the site and the books! [:D]

Tom




drixie -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 9:45:12 PM)

OK, I'm convinced... we'd like some people to have VPN access beyond web publishing, so I guess we really have no choice. Thanks again!




agentsmith -> RE: Discussion about article on making the ISA firewall a domain member (21.Jun.2006 11:18:00 PM)

quote:

ORIGINAL: SteveMoffat

Congrats on your 40,000 on this board...:))

Very good article, I have added it to my good article ammunition list.

Steve


Hi Steve,

Would you mind sharing your "ammunition list" of Tom's best with the community?

@Tom - Great Article - exactly the same discussions with our "die-hard-security-ends-@-layer3-fw-gurus" here ....

wbr
Agent




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (22.Jun.2006 12:28:35 AM)

quote:

ORIGINAL: drixie

OK, I'm convinced... we'd like some people to have VPN access beyond web publishing, so I guess we really have no choice. Thanks again!


Hi Drixie,

You bet!
Thanks!!!
Tom




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (22.Jun.2006 12:32:45 AM)

quote:

ORIGINAL: agentsmith

quote:

ORIGINAL: SteveMoffat

Congrats on your 40,000 on this board...:))

Very good article, I have added it to my good article ammunition list.

Steve


Hi Steve,

Would you mind sharing your "ammunition list" of Tom's best with the community?

@Tom - Great Article - exactly the same discussions with our "die-hard-security-ends-@-layer3-fw-gurus" here ....

wbr
Agent


Hi Agent,

This is one I love to throw at heads in the sand "network guys" who are clueless about network security:

http://www.isaserver.org/articles/2004tales.html

They usually blanch or drag their withering carcasses away mumbling something about "but it runs on Windows, but it runs..on..Windows.....but......it........runs...........on..............Windows........but..............but............but.......................................but................................

[8D]

HTH,
Tom 




SteveRiley -> RE: Discussion about article on making the ISA firewall a domain member (22.Jun.2006 3:01:18 AM)

Friends! Either I misstated my point at TechEd (more likely) or Tom misunderstood (less likely), but that doesn't really matter. Fact is, Tom and I are in violent agreement about domain membership; I'm simply approaching a particular intractable problem from my experience dealing with certain customers. There's no debate here, because Tom is correct: domain membership is better.

I wrote a bit more in my blog: http://blogs.technet.com/steriley/archive/2006/06/21/438111.aspx

Steve Riley
steve.riley@microsoft.com




tshinder -> RE: Discussion about article on making the ISA firewall a domain member (22.Jun.2006 4:23:03 AM)

Hi Steve,

Hey, welcome to the Web boards! [:D]

I'll go check out your blog now.

Thanks!!!

Tom




ChrisP -> RE: Discussion about article on making the ISA firewall a domain member (23.Jun.2006 9:02:55 PM)

Just wanted to say great article on this.  I get this question sometimes and now have a resource to send to people for review. :)

-cp



