Welcome to ISAserver.org

how secure is ISA?

how secure is ISA? - 7.Mar.2007 12:27:27 PM   
mclaughlin

 

Posts: 15
Joined: 26.Feb.2007
Status: offline
We have decided to go with ISA using one nic as an external IP address. The server will sit behind our router. Basically what I want to know is, what steps can I take on my router and Windows Server 2003 box that ISA sits on to make everything as secure as possible? Thanks in advance!!
Post #: 1
RE: how secure is ISA? - 7.Mar.2007 12:45:18 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You need two NICs on the ISA Firewall to get security. It needs an internal and external interface, and there must be no physical connectivity between the external and internal networks.

ISA 2004/2006 has NO security exploits, as seen at www.secunia.com. It's an amazing feat, especially when you consider all the security exploits found in traditional "hardware" firewalls. ISA truly is an exceptional network firewall and application layer inspection security solution.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mclaughlin)
Post #: 2
RE: how secure is ISA? - 7.Mar.2007 12:52:25 PM   
mclaughlin

 

Posts: 15
Joined: 26.Feb.2007
Status: offline
Yes, sorry, forgot to mention that it will have an external and an internal NIC. So do I need to do anything on the router or Server 2003? I hear nothing but good press on ISA, just concerned about the Server 2003 it's on!! Thanks Tom....

(in reply to mclaughlin)
Post #: 3
RE: how secure is ISA? - 8.Mar.2007 12:00:47 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
That's the great thing about the ISA Firewall, it doesn't matter if there are issues on the underlying OS -- how would an attacker get access to the OS? You never use the browser or any other client app on the ISA Firewall, you never create rules that allow traffic to the ISA Firewall, the stateful packet engine performs stateful packet and application layer inspection on all traffic through the ISA Firewall. Bottom line is the underlying OS is immaterial as long as the ISA Firewall is protecting it.

However, a lot of people don't appreciate this fact, and feel (notice feelings here, not reasons) that the OS must be hardened. In that case run the SCW for ISA 2006 and maybe you'll feel better.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mclaughlin)
Post #: 4
RE: how secure is ISA? - 9.Mar.2007 10:23:47 AM   
mclaughlin

 

Posts: 15
Joined: 26.Feb.2007
Status: offline
Thanks Tom, I feel much better about it now!!

(in reply to mclaughlin)
Post #: 5
RE: how secure is ISA? - 9.Mar.2007 11:20:23 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline


_____________________________

Thomas W Shinder, M.D.

(in reply to mclaughlin)
Post #: 6
RE: how secure is ISA? - 16.Mar.2007 12:40:27 PM   
tinto

 

Posts: 247
Joined: 9.Sep.2004
From: Italy
Status: offline
quote:

ORIGINAL: mclaughlin
Basically what I want to know is, what steps can I take on my router and Windows Server 2003 box that ISA sits on to make everything as secure as possible?


My experience over the last 3 years says "nothing in particular".

_____________________________

Tinto

(in reply to mclaughlin)
Post #: 7
RE: how secure is ISA? - 20.Mar.2007 12:07:31 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tinto,

Same here. I don't even do anything to "harden" the box, as there's no need to. The only "hardening" I do is a close review of system policy to make sure it's secure for my networks, and that's about it.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tinto)
Post #: 8
RE: how secure is ISA? - 20.Mar.2007 4:29:34 PM   
JesusisLord

 

Posts: 64
Joined: 19.Aug.2006
Status: offline
Hi Guys,

While we're on the subject of security, would you advise disabling all of the system policies and configuring rules yourself? Or do you never bother doing that? Also, I'm a little confused with my ISA config as users seem to be able to do a lot of things that I haven't actually set rules for. For example, people can PING I believe, and use remote desktop, and NetBIOS seems to work. I'll probably have to check through the system rules again but I didn't notice any to say allow RDP for the internal network.

Another quick question, does the internal network have full access to the internal network by default? I was under the impression that nothing had access unless you specified it, apart from the system policies.

Last question (I think): I have two groups of users, group a & group b, and I would like group a to have full access to the internet all the time, while group b can only use the internet at scheduled times and is not allowed to download anything. Do you have any articles showing me how to do this? I know this is probably a piece of cake, but when I tried implementing it, it started prompting the other group to authenticate, which isn't what I was expecting.

Any advice or help would be great?

Ok, last last question :-) do you know if ISA can block by MAC address, or setup rules via MAC address.

Kindest Regards and thanks again

JIL

(in reply to tshinder)
Post #: 9
RE: how secure is ISA? - 21.Mar.2007 8:00:28 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
While we're on the subject of security, would you advise disabling all of the system policies and configuring rules yourself? Or do you never bother doing that? Also, I'm a little confused with my ISA config as users seem to be able to do a lot of things that I haven't actually set rules for. For example, people can PING I believe, and use remote desktop, and NetBIOS seems to work. I'll probably have to check through the system rules again but I didn't notice any to say allow RDP for the internal network.
TOM: No need to disable all the System Policy Rules, and you really don't want to do that. Instead, check each one carefully and make sure it's appropriate for your Network. If not, make a change or disable it.

Another quick question, does the internal network have full access to the internal network by default? I was under the impression that nothing had access unless you specified it, apart from the system policies.
TOM: Internal to Internal communications are not handled by the ISA Firewall, so the ISA Firewall is never involved.

Last question (I think): I have two groups of users, group a & group b, and I would like group a to have full access to the internet all the time, while group b can only use the internet at scheduled times and is not allowed to download anything. Do you have any articles showing me how to do this? I know this is probably a piece of cake, but when I tried implementing it, it started prompting the other group to authenticate, which isn't what I was expecting.
TOM: Create two rules, one for the group that always has access, and one for the group that has limited access. There is no such thing as a "download" protocol, so you will need to configure the protocols and other characteristics of the protocols to stop downloads for the specific protocol. Easy? No. That's why Websense is a rich company :)

Any advice or help would be great?

Ok, last last question :-) do you know if ISA can block by MAC address, or setup rules via MAC address.
TOM: No, MAC address control is of no use, as most ISA Firewall enterprise deployments have the internal interface on a stub segment, and remote segment MAC addresses are invalid on the stub.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JesusisLord)
Post #: 10
RE: how secure is ISA? - 21.Mar.2007 10:16:14 AM   
JesusisLord

 

Posts: 64
Joined: 19.Aug.2006
Status: offline
Dear Tom,

Thanks for clarifying things for me, well that sort of sucks :) I was wondering why my deny rules are not working, and why internal <> Internal seemed to be able to do whatever they like.

I assumed that the networks you defined in ISA, i.e. Internal LAN = subnet x, were able to have deny or allow actions assigned to them. So if I create a rule from internal to internal and say no ICMP, that ISA would block ICMP traffic.

Or does ISA only block traffic which is going through the physical interfaces? I assume so.

Sorry to waste your time, it's a good learning curve for me.

Kindest Regards

JIL

(in reply to tshinder)
Post #: 11
RE: how secure is ISA? - 21.Mar.2007 10:53:38 AM   
JesusisLord

 

Posts: 64
Joined: 19.Aug.2006
Status: offline
Dear Tom,

I have just added a route to the local routing table to force the client to go to the gateway, and all of a sudden the ISA rules are taking effect, which is great, but it causes a problem for me.

A few of the users here have their own laptops and are using Linux, MacOS & Windows - but not part of the domain, so adding a local route or trying to roll this out would only work for domain users (that's if it is at all possible to roll out changes to the local routing table via group policy or login scripts?)

Do you know if it is advised to do what I am doing? Would using routers or VLANs get around my issue?

Kindest Regards

JIL

(in reply to JesusisLord)
Post #: 12
RE: how secure is ISA? - 22.Mar.2007 3:16:31 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: JesusisLord

Dear Tom,

Thanks for clarifying things for me, well that sort of sucks :) I was wondering why my deny rules are not working, and why internal <> Internal seemed to be able to do whatever they like.

I assumed that the networks you defined in ISA, i.e. Internal LAN = subnet x, were able to have deny or allow actions assigned to them. So if I create a rule from internal to internal and say no ICMP, that ISA would block ICMP traffic.

Or does ISA only block traffic which is going through the physical interfaces? I assume so.

Sorry to waste your time, it's a good learning curve for me.

Kindest Regards

JIL


Hi JIL,

Yes, you are correct. ISA Firewall Networks are based on the interface as the "root" of the ISA Firewall Network. All networks behind that interface are part of the same ISA Firewall network. That is to say, all IP addresses behind an interface are part of the same ISA Firewall Network.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JesusisLord)
Post #: 13
RE: how secure is ISA? - 22.Mar.2007 3:18:04 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: JesusisLord

Dear Tom,

I have just added a route to the local routing table to force the client to go to the gateway, and all of a sudden the ISA rules are taking effect, which is great, but it causes a problem for me.

A few of the users here have their own laptops and are using Linux, MacOS & Windows - but not part of the domain, so adding a local route or trying to roll this out would only work for domain users (that's if it is at all possible to roll out changes to the local routing table via group policy or login scripts?)

Do you know if it is advised to do what I am doing? Would using routers or VLANs get around my issue?

Kindest Regards

JIL


Hi JIL,

Yes, using a LAN router would fix the problem. You configure the clients to use the LAN router as their default gateway and configure the router to use the ISA Firewall as its route of last resort.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JesusisLord)
Post #: 14
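The routing behaviour discussed in posts 10 to 14, as an added example that is not part of any post in this thread: it models a client's routing table with longest-prefix matching to show which destinations have the firewall as first hop, before and after the host route described in post 12. All addresses and names are constructed for illustration.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
ISA_INTERNAL_IP = ipaddress.ip_address("10.0.0.1")   # firewall's internal NIC
LAN = ipaddress.ip_network("10.0.0.0/24")            # the "Internal" network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Routing table as (destination network, gateway); gateway None means on-link.
DEFAULT_CLIENT = [(LAN, None), (DEFAULT, ISA_INTERNAL_IP)]
# Same client after adding a host route that sends one LAN peer via the firewall.
FORCED_CLIENT = DEFAULT_CLIENT + [
    (ipaddress.ip_network("10.0.0.50/32"), ISA_INTERNAL_IP),
]

def next_hop(routes, dst):
    """Longest-prefix match. Returns the first-hop IP, or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return dst if gw is None else gw

def firewall_sees(routes, dst):
    """True when the client's first hop for dst is the firewall's interface."""
    return next_hop(routes, dst) == ISA_INTERNAL_IP

def bypassing(routes, destinations):
    """Destinations whose traffic is delivered without touching the firewall."""
    return [d for d in destinations if not firewall_sees(routes, d)]

if __name__ == "__main__":
    for name, table in (("default", DEFAULT_CLIENT), ("forced", FORCED_CLIENT)):
        for dst in ("10.0.0.50", "10.0.0.77", "203.0.113.10"):
            print(f"{name:8} -> {dst:13} firewall in path: {firewall_sees(table, dst)}")
```

Only the sender's first hop is modelled; replies from the peer follow the peer's own routing table.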
RE: how secure is ISA? - 24.Mar.2007 4:42:26 PM   
remdotc

 

Posts: 42
Joined: 18.Feb.2005
From: Detroit, USA
Status: offline
Security is a double edged sword.

How secure is ISA?
Well, what does ISA run on? Windows. How secure is Windows?

While ISA has many nice features, and is a lower cost alternative to some other commercial products, ISA by inheritance of what it runs on is less secure due to the multiple security issues with its host OS. I would state this about Checkpoint Firewall running on Windows, or any other Firewall application for Windows.

Out of the box, is ISA secure? NO!!!!!!!
Neither is any other commercial appliance or solution, open source or otherwise.

Is ISA less secure than most other commercial products? YES!

Remember you are only as secure as your weakest link.

(in reply to mclaughlin)
Post #: 15
RE: how secure is ISA? - 26.Mar.2007 10:49:41 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Remdoc,

You're very WRONG in many of your assertions and you don't and will not be able to back them up, which helps prove that the ISA Firewall is more secure than any other firewall on the market today! Thanks for making these common mistakes to prove our points:

Error #1: How secure is ISA?
Well, what does ISA run on? Windows. How secure is Windows?
How would a Windows exploit be carried out when the ISA firewall is protecting the OS and the network? This is one of the most common logical errors PIX sales guys make. We always win on this one because they cannot ever demonstrate how they can reach the Windows OS when the ISA Firewall is installed on the device.

Error #2: While ISA has many nice features, and is a lower cost alternative to some other commercial products, ISA by inheritance of what it runs on is less secure due to the multiple security issues with its host OS. I would state this about Checkpoint Firewall running on Windows, or any other Firewall application for Windows.
This is a corollary of error #1. The Firewall system protects both the machine on which the Firewall is installed and the network. Only when an incompetent operator runs the configuration of the machine is the security of the underlying operating system compromised. While the PIX sales guy will go out of his way to misconfigure the ISA Firewall, the ISA Firewall admin will not, so you are incorrect that the underlying operating system is an issue in the security of the ISA Firewall product.

Error #3: Is ISA less secure than most other commercial products? YES!
This is my FAVORITE error! Why? Because there are no documented incidents of the ISA Firewall ever being compromised, and if you check Secunia.com, you'll see that all the "hardware" firewalls have numerous exploits and security flaws, while the ISA Firewall has remained clean. Why? Because Microsoft is now using the SDL+C to code software, and the competitors are just using their "business as usual" coding practices. MS is now the leader in secure computing and the "hardware" guys just can't handle this, as it's almost a violation of their religious beliefs. Nevertheless, I appreciate remdoc's input, as he sounds almost like a plant I put here to communicate the most common errors made when critiquing the ISA Firewall.
 
Thanks!
Tom

< Message edited by tshinder -- 26.Mar.2007 10:50:57 AM >


_____________________________

Thomas W Shinder, M.D.

(in reply to remdotc)
Post #: 16
