Welcome to ISAserver.org


has ISA or TMG ever been compromised?

has ISA or TMG ever been compromised? - 5.May2011 5:44:33 PM   
paul_psmith

 

Posts: 79
Joined: 2.Nov.2006
Status: offline
I would like to argue the point when our company moves from ISA 2006 to TMG that we should put the TMG servers on the internet and not behind another firewall. I don't have a lot of hope of this happening, but it's worth a shot.

I'd like to know if there are any documented, reliable reports of a properly configured ISA or TMG server being compromised. And if so, what was the result? Was it a big thing or was it small potatoes?

I know many here have argued that it is perfectly safe and have stated it has not happened since ISA 2000, but I'd really like to see if there is anything out there that anyone knows. I don't want to know how it was done, or who did it, or what was taken. Just some simple answers.

If you want to go off record, you can send me some info at my addy.

mr dot
paul dot psmith @ gmail dot com

Thanks!!
PS
Post #: 1
RE: has ISA or TMG ever been compromised? - 6.May2011 11:10:43 AM   
dvizzle

 

Posts: 236
Joined: 20.Apr.2009
Status: offline
I had to fight the same battle. Most of the security people in many places are either straight up anti-Microsoft, or they have hesitations on trusting an MS product as an edge firewall.

I at least won the battle to have TMG as a dual NIC setup (single NIC is a nightmare), but we still have a different 3rd party hardware FW between TMG and the internet.

If you can win that battle, you should be good.

(in reply to paul_psmith)
Post #: 2
RE: has ISA or TMG ever been compromised? - 6.May2011 11:17:23 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
No.  It has never been compromised,...ever. 

Neither has the predecessor MS Proxy2.  MS Proxy2 was DoS'ed by Nimda,...but the product was never penetrated.

_____________________________

Phillip Windell

(in reply to paul_psmith)
Post #: 3
RE: has ISA or TMG ever been compromised? - 6.May2011 11:24:56 AM   
paul_psmith

 

Posts: 79
Joined: 2.Nov.2006
Status: offline
Thanks for the replies. I had "heard" that ISA 2000 could be compromised, but never found anything saying it actually had been. This was all just doing googles for this sort of thing.

But we are a long way from 2000....

I currently have our ISA 2006 boxen with one foot in the DMZ and one in the inside. They are behind various vendors' hardware FWs right now. But setting them up requires the extra steps of NAT'ing the outside IP to the DMZ IP and setting those access rules, etc. I think that just putting them outside is just one less step and one less bit of complication.

And I am one of the admins for those outside FWs, but I am not the decision maker on how to set this up. At least the ISA/TMG servers are under my control too.

Thanks again! Wish me luck.
PS

(in reply to pwindell)
Post #: 4
RE: has ISA or TMG ever been compromised? - 6.May2011 11:30:53 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If the things you read were written by an "Anti-MS'er" then they will also fail to distinguish the difference between an Admin who misconfigured an ISA and created a security problem,...which is not the same thing as there being a flaw in the product that allowed it to be compromised,...but their goal is to bash the MS product in any way they can.

In the Secunia Reports I read, Cisco had double the security flaws of ISA at one point.  Since then, both companies have patched the products and both come out as "0",...at least at the time the report was made.

Secunia Reports
Microsoft ISA Server 2006 Supportability Update
http://secunia.com/advisories/product/26019/?task=advisories_2009
Cisco ASA/PIX
http://secunia.com/advisories/product/16163/?task=advisories

< Message edited by pwindell -- 6.May2011 11:32:51 AM >


_____________________________

Phillip Windell

(in reply to paul_psmith)
Post #: 5
RE: has ISA or TMG ever been compromised? - 6.May2011 11:44:20 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Seems those reports have been updated since last I looked.  It seems ASA has some lingering problems while ISA has been completely covered by the security patches.

The summary of ISA says:

Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

The summary of ASA says:

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Cisco Adaptive Security Appliance (ASA) 8.x, with all vendor patches applied, is rated Moderately critical.

_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 6
RE: has ISA or TMG ever been compromised? - 10.May2011 7:14:45 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

just adding more info:

TMG 2010 has none!!

And it is Common Criteria EAL 4+ certified!

Regards,
Paulo Oliveira.

< Message edited by paulo.oliveira -- 10.May2011 7:16:15 AM >


_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to pwindell)
Post #: 7
RE: has ISA or TMG ever been compromised? - 10.May2011 9:18:59 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Over time I was called to assist with a few "compromised" ISA server machines.
It always turned out to be silly cases of ISA misuse.
In most of the cases the "admin" somehow thought ISA was his workstation and browsed the web from it, thus the ISA machine became infected with malware.
In other cases, an admin, to "solve" connectivity "issues", simply allowed all from everywhere to everywhere, for several months, without even bothering to apply patches (any of them).
In other ones, a server running IIS (FTP and web) became rooted. The "admin" "cleaned" the machine and had the bright idea to install ISA on it to "protect" the IIS server. A few days later he discovered the machine was still rooted (he did not get the "cleaning" phase right), and wondered how ISA itself was compromised. :)

Might be worth reading:
http://www.carbonwind.net/blog/post/ISA-ServerForefront-TMG-on-the-edge-done-fine-and-doing-fine-real-world-attacks.aspx

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to paulo.oliveira)
Post #: 8
RE: has ISA or TMG ever been compromised? - 10.May2011 9:33:01 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

Might be worth reading:
http://www.carbonwind.net/blog/post/ISA-ServerForefront-TMG-on-the-edge-done-fine-and-doing-fine-real-world-attacks.aspx


Very good!
Thanks Adrian!

Thanks for the "backup" on this one guys!

_____________________________

Phillip Windell

(in reply to adimcev)
Post #: 9
