From: United Kingdom
Hello ISA users!
I just had a request from my upper management to determine how secure it is to publish our LAN IIS servers through the WEB Publishing feature of ISA 2004. Let's say our ISA 2004 is fully updated. What are the chances that someone could hack the WEB site(s) we publish, and then have access to our local LAN?
To me, it sounds impossible, mostly I guess because I'm no hacker / security specialist... I understand that a DMZ zone back in the old times was exactly to address this kind of problem, but today, with all ports closed, and proper anti-virus protection, is there still a "real" risk to give a hacker access to our network just by publishing an IIS web site? Is the DMZ infrastructure still very important to maintain?
Could someone give me some articles to read, advice, books, anything to tell me I have to have a DMZ zone?
It is a vague question, but I think you got the point...
The best way to measure the risk is to have someone provide a security or penetration test. It is these guys' job to test systems (they do it, day in, day out) and provide a view or "measure" of security risk.
In my experience, from pretty much all of the penetration tests I have had on our customer deployments it has always been the web application that is weak and susceptible to things like cross-site scripting (CSS) and SQL injection, not the ISA configuration.
If you employ all the features of ISA, you will mitigate a fair bit of risk, but there are limits...the following article is a good overview of what you can do:
My hit list would be:
* Pre-auth web applications with ISA (ideally increase level of auth using two-factor solutions)
* Always use web publishing for web apps, not server pubs
* SSL bridge to keep end-to-end encryption (with SSL3.0 and TLS1.0 min)
* Enforce FQDN and path restrictions to exact application need; no more
* Enforce HTTP filters to exact application need; no more
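The "exact application need; no more" idea behind the FQDN, path and HTTP filter items above can be modelled as an allow-list rule evaluated per request. The block below is an added illustration written for this thread, not ISA's own code or configuration format; the host name, paths and requests are constructed sample values.

```python
"""Allow-list model of a web publishing rule: one public FQDN, the paths the
application actually needs, permitted methods and a few HTTP-filter checks.
Anything the published application does not need is denied by default.
Stand-alone illustration only; hypothetical names, not an ISA API."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class PublishingRule:
    public_fqdn: str                                  # the only public name answered for
    allowed_paths: tuple = ("/app/",)                 # path prefixes the app needs
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    max_url_length: int = 1024                        # crude HTTP-filter style limit
    blocked_extensions: frozenset = frozenset({".exe", ".dll", ".bat", ".cmd"})


def normalise_path(raw_path: str) -> str:
    """Decode once and collapse '.' / '..' so encoded traversal cannot sidestep the prefix check."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def evaluate(rule: PublishingRule, method: str, host: str, url: str) -> tuple:
    """Return (allowed, reason) for one request checked against the rule."""
    if host.lower() != rule.public_fqdn.lower():
        return False, "host not published"
    if method.upper() not in rule.allowed_methods:
        return False, f"method {method} not allowed"
    if len(url) > rule.max_url_length:
        return False, "URL exceeds length limit"
    path = normalise_path(urlsplit(url).path)
    if not any(path == p.rstrip("/") or path.startswith(p) for p in rule.allowed_paths):
        return False, f"path {path} outside published paths"
    if any(path.lower().endswith(ext) for ext in rule.blocked_extensions):
        return False, "blocked extension"
    return True, "ok"


if __name__ == "__main__":
    rule = PublishingRule("www.example.test")      # constructed sample rule
    for req in [("GET", "www.example.test", "/app/login.aspx"),
                ("GET", "www.example.test", "/app/%2e%2e/admin/"),
                ("PUT", "www.example.test", "/app/data"),
                ("GET", "intranet.example.test", "/app/login.aspx")]:
        print(req, "->", evaluate(rule, *req))
```

Each denial carries the reason, which is the kind of detail worth logging so the tester's report and the firewall's own view of blocked traffic can be compared.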
Personally, I would consider a move to ISA2k6 (or TMG) for the very best level of protection. TMG has some great technology on the IDS/IPS front to go a fair bit further than before...
Summary: Get ISA as close to best practice as you can, then get it tested by professionals; once done, hand the report to management with mitigation recommendations. You will then have an expert view of "risk" and be able to prioritise the high risk areas (probably like CSS and SQL injection or other code problems).
Finally, IMHO the DMZ still has some value as it allows you to separate assets that are Internet facing and those that aren't. Different trust levels should be isolated. Compromise of an Internet facing host is then less likely to impact systems that are not Internet facing. The only problem is that the line between DMZ and LAN is often very blurred (and getting worse) by application connectivity to other internal services. For me, the key is to inspect and classify data rather than worry so much about how it gets from A to B.
Having said that, I still use ISA as a great way of creating a layer 7 DMZ, and much more useful than a layer 3 DMZ which is what more hardware firewalls provide. Layer 3 DMZs that provide no L7 protection are often what people mean when they use the term "DMZ". It often depends on the protocols involved; for example if the DMZ=>Intranet traffic uses protocols like HTTP, RPC and SMTP, ISA has application layer filters that can add real value here as ISA can control both Internet=>DMZ traffic *and* DMZ=>Intranet traffic both to a deep inspection level...
Anyhow, I'm starting to ramble, so I will stop now.
Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/