After setting up a new replacement ISA2006 server, I found that the ISA server can access shares on all internal clients after normal authentication. There are no firewall policies that permit this and the default Deny policy is still in its normal last position.
I have even disabled all policies except the Default Deny policy, and the ISA server still has SMB/CIFS access to internal clients.
The only setting that I made that supports this is DNS name resolution. The ISA server is in its own workgroup, so I added the internal domain name to the suffix search order on the ISA's internal interface.
The clients are just "secure NAT clients".
Is this a normal hidden built-in policy?
< Message edited by swbruce21 -- 16.Feb.2009 5:03:20 PM >
Right or wrong, the ISA server in our office is set up to approximate the model of an independent hardware firewall with the least possible porting of communication between the firewall and the LAN. I work as a security assessment analyst for the banking industry, which rarely uses firewalls that access internal directory services or account-based access control for inbound or outbound communication.
I was keeping it similar to what I see with the hardware firewalls where I work.
After you posted your comment saying "Far more secure in the domain", I did a search and found the Jun 20, 2006 Thomas W Shinder article on this subject.
It seems his passion for the product has colored his analysis of the ISA server's application in the real world of business. The pros and cons of having the ISA server as a domain member all look good, but as a practitioner who audits the IT practices of about 100 banks per year, I see that bank staff and bank IT contractors are completely unqualified to exploit the configuration possibilities of the ISA server. Even the vast majority of large regional IT contractors that I see don't deploy or support the ISA server.
Thomas W Shinder also classifies all hardware firewalls as simple packet filtering devices. This isn't an accurate characterization.
In the real-world environments that I audit, an advanced application-level firewall that proxies all permitted traffic, performs subscription-based inbound/outbound malware filtering, and is out of the reach of the bank's staff and their neighborhood IT contractors is a better solution than Shinder suggests.
In spite of the merits of the ISA server, the lack of IT industry support is why less than 1/2 of 1% of all financial organizations that I audit have an ISA server.
This post does not dismiss the value of the ISA server. We use it in our office for its merits.
< Message edited by swbruce21 -- 17.Feb.2009 8:49:11 AM >
There isn't a firewall out there capable of proxying all permitted traffic in a complex scenario, unless only a few protocols are permitted, by the true meaning of the word proxy. I doubt that even some of the vendors label their firewalls as proxy firewalls, but you didn't give any names...
Market shares are ambiguous. Cisco has the biggest market share for firewalls; still, the Cisco firewalls are not the best firewalls in the world. Just compare Cisco ASA with Secure Computing's Secure Firewall....
ISA itself is not a full-blown UTM out of the box, and may not be even with add-ons, depending on what you are searching for, so you can't just compare it with other solutions as it lacks certain features; thus ISA itself may not cover all the customers' needs by providing a unified solution. Microsoft has worked in this direction, and the results can be seen in the new TMG Beta 2 (which does not expose everything). The Stirling platform: http://technet.microsoft.com/en-us/forefront/stirling/default.aspx
Rather, ISA is deployed in specific scenarios to protect certain resources which certain hardware firewalls may fail to protect at the required level. Some configuration scenarios of ISA require more skills, but the protection afforded may be superior to other solutions.
If you place the wrong box in the wrong place, don't blame the box or the game; just blame the player.