Welcome to ISAserver.org
SMB/CIFS Connections Permitted without Firewall Policy
SMB/CIFS Connections Permitted without Firewall Policy - 16.Feb.2009 5:02:06 PM
swbruce21

Posts: 10
Joined: 10.Jan.2008
Status: offline
After setting up a new replacement ISA 2006 server, I found that the ISA server can access shares on all internal clients after normal authentication. There are no firewall policies that permit this, and the default Deny policy is still in its normal last position.

I have even disabled all policies except the Default Deny policy, and the ISA server still has SMB/CIFS access to internal clients.

The only setting I made that supports this is DNS name resolution. The ISA server is in its own workgroup, so I added the internal domain name to the suffix search order on the ISA's internal interface.

The clients are just "secure NAT clients".

Is this a normal hidden built-in policy?

< Message edited by swbruce21 -- 16.Feb.2009 5:03:20 PM >
Post #: 1
RE: SMB/CIFS Connections Permitted without Firewall Policy - 16.Feb.2009 6:19:35 PM
Dumber

Posts: 278
Joined: 21.Mar.2008
Status: offline
Check out the system policy and the logging tab.
The logging tab should give you an answer which rule has been used for access.

Also is there a specific reason why you haven't joined the ISA server to the domain?

_____________________________

Marcel
Netherlands

MCTS, MCITP (SA,EA) MCP, MCSA:Security, MCSE:Security, CCNA, CCSA, CCSE, CCSE+
No matter how secure, there is always the human factor.
http://www.phetios.com/

(in reply to swbruce21)
Post #: 2
RE: SMB/CIFS Connections Permitted without Firewall Policy - 16.Feb.2009 8:49:07 PM
swbruce21

Posts: 10
Joined: 10.Jan.2008
Status: offline
Re: ISA as Domain Member.

Right or wrong, the ISA server in our office is set up to approximate the model of an independent hardware firewall with the least possible porting of communication between the firewall and the LAN. I work as a security assessment analyst for the banking industry, which rarely uses firewalls that access internal directory services or account-based access control for inbound or outbound communication.

I was keeping it similar to what I see with the hardware firewalls where I work.

Thank you, I will check the logs.

(in reply to swbruce21)
Post #: 3
RE: SMB/CIFS Connections Permitted without Firewall Policy - 16.Feb.2009 9:04:22 PM
SteveMoffat

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Far more secure in the domain.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to swbruce21)
Post #: 4
RE: SMB/CIFS Connections Permitted without Firewall Policy - 17.Feb.2009 8:45:45 AM
swbruce21

Posts: 10
Joined: 10.Jan.2008
Status: offline
After you posted your comment saying "Far more secure in the domain", I did a search and found the Jun 20, 2006 Thomas W Shinder article on this subject.

It seems his passion for the product has colored his analysis of the ISA server's application in the real world of business. The pros and cons of having the ISA server as a domain member all look good, but as a practitioner who audits the IT practices of about 100 banks per year, I see that bank staffs and bank IT contractors are completely unqualified to exploit the configuration possibilities of the ISA server. Even the vast majority of large regional IT contractors that I see don't deploy or support the ISA server.

Thomas W Shinder also classifies all hardware firewalls as simple packet filtering devices. This isn't an accurate characterization.

In the real-world environments that I audit, an advanced application-level firewall that proxies all permitted traffic, performs subscription-based inbound/outbound malware filtering and is out of the reach of the bank's staff and their neighborhood IT contractors is a better solution than Shinder suggests.

In spite of the merits of the ISA server, the lack of IT industry support is why less than 1/2 of 1% of all financial organizations that I audit have an ISA server.

This post does not dismiss the value of the ISA server. We use it in our office for its merits.

< Message edited by swbruce21 -- 17.Feb.2009 8:49:11 AM >

(in reply to swbruce21)
Post #: 5
RE: SMB/CIFS Connections Permitted without Firewall Policy - 17.Feb.2009 9:43:39 AM
adimcev

Posts: 380
Joined: 19.Oct.2008
Status: offline
System Policy:
http://blogs.technet.com/isablog/archive/2006/01/15/417478.aspx
Audit closer:
"Allow Microsoft CIFS from ISA Server to trusted servers"
http://technet.microsoft.com/en-us/library/cc302534.aspx
http://blogs.technet.com/isablog/archive/2008/05/23/isa-server-2006-service-pack-1-features.aspx
And closer:
http://technet.microsoft.com/en-us/library/cc302501.aspx

There isn't a firewall out there capable of proxying all permitted traffic in a complex scenario, in the true meaning of the word proxy, unless only a few protocols are permitted. I doubt that even some of the vendors label their firewalls as proxy firewalls, but you didn't give any names...

Market shares are ambiguous. Cisco has the biggest market share for firewalls, yet the Cisco firewalls are not the best firewalls in the world. Just compare Cisco ASA with Secure Computing's Secure Firewall....

ISA itself is not a full-blown UTM out of the box, and may not be even with add-ons, depending on what you are searching for, so you can't just compare it with other solutions, as it lacks certain features; thus ISA itself may not cover all the customers' needs by providing a unified solution.
Microsoft has worked in this direction, and the results can be seen in the new TMG Beta 2 (which does not expose everything).
The Stirling platform:
http://technet.microsoft.com/en-us/forefront/stirling/default.aspx

Rather, ISA is deployed in specific scenarios to protect certain resources which certain hardware firewalls may fail to protect at the required level.
Some configuration scenarios of ISA require more skills, but the protection afforded may be superior to other solutions.

If you place the wrong box in the wrong place, don't blame the box or the game, just blame the player.

For example, Jason's blog covers some key and widely used scenarios or configs for ISA:
http://blog.msfirewall.org.uk/

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to swbruce21)
Post #: 6
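As an added example (not code from this thread, from Microsoft or from the linked articles): the check Dumber suggests, run over constructed ISA-style W3C log lines. It reports which rule permitted each allowed SMB connection and flags any hit, such as the system policy rule Adrian names, whose rule is not one the administrator created in firewall policy. The field layout and every rule name other than the quoted one are assumptions made for the example.

```python
"""Report allowed SMB/CIFS connections in ISA firewall log lines and the rule that
permitted each.  Added example for this thread, not code from the forum or from
Microsoft; the field layout is a constructed W3C-style sample, not ISA's schema."""
from typing import Dict, List, Set

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed sample, tab-separated like a W3C log export.  The rule on the first
# data line is the system policy rule quoted in this thread; the others are made up.
SAMPLE_LOG = "\n".join([
    "#Fields: date time IP_protocol source destination action rule destination_port",
    "\t".join(["2009-02-16", "17:01:02", "TCP", "192.168.1.1", "192.168.1.50",
               "Initiated Connection",
               "Allow Microsoft CIFS from ISA Server to trusted servers", "445"]),
    "\t".join(["2009-02-16", "17:01:05", "TCP", "192.168.1.50", "192.168.1.1",
               "Denied Connection", "Default rule", "445"]),
    "\t".join(["2009-02-16", "17:01:09", "TCP", "192.168.1.60", "10.0.0.5",
               "Initiated Connection", "Allow SMB to file server", "445"]),
])

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """'#Fields:' names the columns; other '#' lines are directives and are skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split("\t")
            if len(values) == len(fields):  # skip malformed rows, never mis-assign columns
                rows.append(dict(zip(fields, values)))
    return rows

def allowed_smb(rows: List[Dict[str, str]], firewall_rules: Set[str]) -> List[Dict[str, object]]:
    """Allowed TCP 139/445 connections; a hit whose rule is not one the administrator
    created in firewall policy was matched by system policy, which is evaluated first."""
    findings: List[Dict[str, object]] = []
    for r in rows:
        if r["IP_protocol"] != "TCP" or int(r["destination_port"]) not in SMB_PORTS:
            continue
        if r["action"].startswith("Denied"):
            continue
        findings.append({"source": r["source"], "destination": r["destination"], "rule": r["rule"],
                         "outside_firewall_policy": r["rule"] not in firewall_rules})
    return findings

if __name__ == "__main__":
    for hit in allowed_smb(parse_w3c(SAMPLE_LOG), {"Allow SMB to file server"}):
        print(hit)
```

Against a real export, replace SAMPLE_LOG with the file contents and pass the names of your own firewall policy rules; anything flagged came from system policy and can then be reviewed on the System Policy tab.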
RE: SMB/CIFS Connections Permitted without Firewall Policy - 17.Feb.2009 9:53:55 AM
adimcev

Posts: 380
Joined: 19.Oct.2008
Status: offline
And don't forget to watch this video:
http://edge.technet.com/Media/Forefront-Threat-Management-Gateway-TMG-PM-video/
It may touch on some of your questions...

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to adimcev)
Post #: 7