I am looking for a solution to define the rule sets for our new ISA servers. Normally I would block everything and open only those ports which are really needed. This is secure, but not efficient - and my phone never stands still.
So the question is: what is the best practice to define a new rule set?
What do you think about that: 1. "allow all" for a while and log all traffic through the ISA server; 2. then make an analysis of the log file; and then 3. define the rule set. But this is insecure for a short time ... days? weeks?...
From: Southern California
Allowing all traffic is never a good idea, IMO. You'd be surprised at how few open ports you can actually get away with on your edge firewall. My suggestion would be to assess your current application needs as best you can and create a rule set based on that information. When you implement the changes, watch the TMG logs for denied traffic and create access rules for anything you believe to be legitimate. If/when customers complain, you can implement changes pretty quickly after that.
Yes, basically I agree with you. I will make a basic rule set, based on the customers' information regarding the applications used and communication partners. It depends on the quality of the customers' information whether this rule set is more or less usable. So I think that we will have some starting problems! Do you know a (freeware) tool for analysing the log files from the ISA server?
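A small log-analysis script of the kind asked about here, added as an example and not code from the thread or from ISA/TMG itself. It follows the workflow from the reply above (watch the log for denied traffic, then turn recurring legitimate flows into access rules): it parses a W3C-style log with a `#Fields:` header and whitespace-separated rows (the field names are an assumption modelled on the ISA firewall log, and the sample rows are constructed), tallies denied connections by protocol and destination port, and lists flows seen repeatedly from more than one client as candidate allow rules for a human to review. Malformed rows are dropped and counted rather than silently ignored.

```python
"""Summarise denied connections from a W3C-style firewall log (added example).

Assumptions: the log has a '#Fields:' header naming the columns, other '#'
lines are directives, and data rows are whitespace-delimited. The field names
and all rows below are constructed for this example, not a real capture.
"""
from collections import Counter, defaultdict

# Constructed sample log; row 7 is deliberately malformed (missing 'rule').
SAMPLE_LOG = """#Software: constructed sample (not a real ISA capture)
#Fields: date time c-ip DestHost DestHostIP DestPort protocol action rule
2010-03-01 08:00:01 10.0.0.15 - 192.0.2.10 443 HTTPS Allowed Web-Out
2010-03-01 08:00:02 10.0.0.22 - 192.0.2.20 25 SMTP Denied Default-Deny
2010-03-01 08:00:05 10.0.0.22 - 192.0.2.20 25 SMTP Denied Default-Deny
2010-03-01 08:00:07 10.0.0.31 - 192.0.2.20 25 SMTP Denied Default-Deny
2010-03-01 08:00:09 10.0.0.15 - 192.0.2.30 3389 RDP Denied Default-Deny
2010-03-01 08:00:11 10.0.0.40 - 192.0.2.10 80 HTTP Allowed Web-Out
2010-03-01 08:00:12 10.0.0.15 - 192.0.2.53 53 DNS Denied
2010-03-01 08:00:13 10.0.0.15 - 192.0.2.53 53 DNS Denied Default-Deny
2010-03-01 08:00:14 10.0.0.22 - 192.0.2.53 53 DNS Denied Default-Deny
"""


def parse_w3c(text):
    """Return (records, dropped): one dict per well-formed data row, plus the
    number of rows whose field count did not match the '#Fields:' header."""
    fields = None
    records = []
    dropped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other W3C directives (#Software, #Date, ...)
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            dropped += 1                  # no header yet, or truncated/garbled row
            continue
        records.append(dict(zip(fields, parts)))
    return records, dropped


def denied_summary(records):
    """Group denied entries by (protocol, destination port): hit count and the
    set of internal client addresses that generated them."""
    hits = Counter()
    sources = defaultdict(set)
    for rec in records:
        if rec.get("action", "").lower() != "denied":
            continue
        key = (rec["protocol"], rec["DestPort"])
        hits[key] += 1
        sources[key].add(rec["c-ip"])
    return hits, sources


def candidate_rules(hits, sources, min_hits=2, min_sources=2):
    """Candidate allow rules for review, most frequent first. Single hits and
    single-client flows are left out so one-off noise is not turned into a rule."""
    out = []
    for key, n in hits.most_common():
        if n >= min_hits and len(sources[key]) >= min_sources:
            proto, port = key
            out.append({"protocol": proto, "port": int(port), "hits": n,
                        "clients": sorted(sources[key])})
    return out


def analyse(text=SAMPLE_LOG, min_hits=2, min_sources=2):
    """Run the whole pipeline and return a summary dict."""
    records, dropped = parse_w3c(text)
    hits, sources = denied_summary(records)
    return {"records": len(records), "dropped": dropped,
            "candidates": candidate_rules(hits, sources, min_hits, min_sources)}


if __name__ == "__main__":
    result = analyse()
    print(f"{result['records']} rows parsed, {result['dropped']} malformed rows dropped")
    for c in result["candidates"]:
        print(f"{c['protocol']:6} port {c['port']:<5} {c['hits']} denied hits "
              f"from {len(c['clients'])} clients: {', '.join(c['clients'])}")
```

Point the script at a real export by passing the file contents to `analyse()`; the thresholds are deliberately conservative so that the output is a short review list, not a rule set to apply unread.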