From: Taylorville, IL
I would like everyone's opinion on the future of the DMZ. When I was at the CIO summit at Microsoft, I asked a question about Microsoft's stance on the DMZ and the speaker replied, "What DMZ?". This leads me to believe Microsoft feels comfortable putting an array of dual-homed ISA firewalls that separates the Internet from the internal network.
Feels comfortable??? That is what it was designed for!
One of the largest IT Systems in the world belongs to MS,...the System with the biggest brightest Bullseye painted on it is MS,...the largest Firewall Array in the world is the one at MS,...they protect their own network with their own product. I don't know if they used a DMZ or not,...but if they say they didn't,...I believe them
Is that the future though? Fewer and fewer MSFT products are being supported within the DMZ (Exchange 2007 CAS servers are one) so I am not sure if the model I list below is going the way of
The future?? Try the Past, Present, and Future. I've been in the business for 10 years and never ran a DMZ,...don't believe in them,....not "sold" on them,...never have been. When I started it was MS Proxy Server v2,....like the product or not, think what you want of the old product,... but it was never broken into.
a) Are DMZ's really needed anymore now that we have advanced application firewalls like ISA/TMG?
No they aren't needed,...and never were. The need for them was superstition and "I.T. religion" more than anything else as far as I am concerned.
b) Are the risks any more terrifying with a pair of ISA servers vs. the expensive alternative of multiple firewalls, a separate IP subnet and multiple sets of firewall rules?
Expensive alternative? ISA costs just as much for the additional purchase. Factor in the hardware cost for a good quality server and you'll spend over $10,000.00 for an ISA installation. Then look at the prices of the ISA Appliances,...they ain't cheap either.
IP Subnets and multiple sets of rules? Complexity does not equal security,...it may even mean the opposite,...more complex = more opportunity for mistakes.
It is also important to note that when the Secunia Reports came out, the ISA2006 had 2 vulnerabilities,...while the Cisco ASA had 6. Both companies of course have them patched by now and both products sit at 0.
Microsoft ISA Server 2006 Supportability Update
Will everyone agree with me?? No way,...in fact just watch,...it will probably start a big argument already. But you asked for a professional opinion,...well I'm a professional,...and that was my opinion.
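The thread's core disagreement is whether a separate DMZ subnet with its own rule set buys anything, or whether the extra rules are just more opportunity for mistakes. A defender can settle that for a concrete policy by testing it rather than arguing about it. The block below is an added example, not code from the thread or from any Microsoft product: it models a first-match firewall policy, checks a handful of representative flows against what a segmented design is supposed to guarantee, and reports the flows that are wrongly permitted. The address plan (RFC 5737 and RFC 1918 ranges), the host roles, the probe flows and both rule sets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

# Constructed address plan (documentation and private ranges); not from the thread.
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"

    def matches(self, src_ip, dst_ip, port: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.port is None or self.port == port))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; an unmatched flow falls through to the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action
    return "deny"


# Representative flows and the verdict a segmented (DMZ) design is meant to give.
# Hosts are constructed: 198.51.100.7 = Internet client, 192.0.2.10 = DMZ web server,
# 10.1.1.20 = internal database, 10.1.1.5 / 10.1.1.50 = internal file server / workstation.
PROBES: List[Tuple[str, str, str, int, str]] = [
    ("Internet client to DMZ web server on HTTPS", "198.51.100.7", "192.0.2.10", 443, "allow"),
    ("Internet client to internal file server on SMB", "198.51.100.7", "10.1.1.5", 445, "deny"),
    ("DMZ web server to internal DB on its service port", "192.0.2.10", "10.1.1.20", 1433, "allow"),
    ("DMZ web server to internal workstation on SMB", "192.0.2.10", "10.1.1.50", 445, "deny"),
]


def audit(rules: List[Rule]) -> List[str]:
    """Return the names of probe flows whose verdict differs from the intended one."""
    return [name for name, src, dst, port, expected in PROBES
            if evaluate(rules, src, dst, port) != expected]


# Segmented policy: the DMZ tier may reach exactly the back-end host and port it needs.
SEGMENTED_POLICY = [
    Rule(INTERNET, DMZ, 443, "allow"),
    Rule(DMZ, ip_network("10.1.1.20/32"), 1433, "allow"),
    Rule(INTERNAL, INTERNET, None, "allow"),  # ordinary outbound browsing
]

# Same design, but with the shortcut rule "let the web tier talk to the back end":
# one over-broad line turns a compromised DMZ host into a foothold on every internal port.
FLAT_POLICY = [
    Rule(INTERNET, DMZ, 443, "allow"),
    Rule(DMZ, INTERNAL, None, "allow"),
    Rule(INTERNAL, INTERNET, None, "allow"),
]

if __name__ == "__main__":
    for label, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        print(label, "policy violations:", audit(policy) or "none")
```

The point the check makes is the one raised above about complexity: the segmented policy is not safer because it has more rules, it is safer because each rule names the one source, destination and port a flow needs, and the probe list makes that intent testable whenever someone edits the rule base.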