Re: Forest/Domain in the "DMZ" to accommodate web, front-end servers

From: Steve Clark [MSFT] (bogus_at_microsoft.com)
Date: 09/20/05


Date: Tue, 20 Sep 2005 12:24:02 -0700

Um, I don't know where you came up with the idea that ISA Server doesn't
perform application layer inspection and filtering, but you are dead wrong
as it's been doing that since ISA 2000 debuted a number of years ago now.

As to your point about the "internal" threat, this has always been the case.
In addition to that, the network "edge" is essentially dead as a concept and
the DMZ is deader than Julius Caesar as a security mechanism. Secure the
transports, and the conversations to/from hosts. Provide isolation of
trusted hosts from untrusted hosts. Who cares if untrusted hosts compromise
other untrusted hosts? Who cares about what "normal" looks like on the
Internet (or on my large corporate WAN for that matter)? I care about the
hosts, and the data that resides on them. That is what attackers are after:
the network is simply an end to a means.

Authenticate users *and* machines. Clearly articulate and document policies
in companies and provide for enforcement mechanisms for non-compliance.
Provide enough detail in logging to be useful forensically. Have admins
work as users unless they are performing administrative functions. Don't
give admin privileges to non-admins.

Many many more mantras can be placed here.

My point is the network edge is not the place to have all your security.
Rather, provide defense in depth and let ISA do what it is designed to do,
and leverage the remaining layer 1-4 hardware to augment that.

"MCSEGURU" <mcseguruhere@aol.com> wrote in message
news:%23vhi$lXvFHA.3000@TK2MSFTNGP12.phx.gbl...
>I disagree... While the implementation may be poorly thought out, and more
>of a band-aid to satisfy compliance with some directive, I assume network
>segmentation may be only one goal of the implementation. Logging and
>intrusion detection may be the driving force for his restrictive
>architecture, which is becoming more and more sought after by IT auditors.
>
> The benefit of a passive firewall device logging all activity is that it's
> a lot harder to spoof at the passive interface, because we don't realize
> it's there; additionally, should a server be compromised, its local
> logging could be totally lost.
>
> After all, in today's computer threats, our internal employees present a
> much higher risk than the internet hacker. The reason being, if we fail to
> enforce all the security we could on our internal servers, we leave many
> vulnerabilities subject to accidental or intentional misuse. This
> includes patches, policies, and account management.
>
> Architecture and Infrastructure Security teams can't easily force and
> manage these patches, configuration lockdowns, and other common oversights
> our applications teams, business units, and systems teams are
> implementing, so the direction to segment all internal PCs from the
> server segments, and provide restricted port access based on
> implementation design scopes, allows the security manager the control to
> manage, document and control exposed vulnerabilities much better.
>
> It's what I would do. Now would I use ISA 2004, probably not. There are
> Firewall technologies that manage the actual header conversations, and
> payload data in addition to the standard port/protocol access, which
> allows the security managers to really control what's going on with
> systems to the application layer we all wish we could monitor and log at.
>
> My 2 cents.
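Worked example, added by the editor and not taken from either post above: the "secure the conversations to/from hosts, isolate trusted hosts from untrusted hosts, authenticate users *and* machines" approach Steve describes is what Windows domain isolation with IPsec implements. The script below uses the NetSecurity PowerShell module (Windows 8 / Server 2012 and later, so it post-dates ISA 2004 and is not ISA configuration), and must run elevated on a domain-joined host. The rule display names, the TCP port 1433, the address scope and the group SID in the SDDL string are placeholders, not values from the thread.

```powershell
# Added example, not from the original thread. Host-based isolation with IPsec:
# inbound connections must come from a Kerberos-authenticated domain machine,
# and the sensitive port is additionally restricted to one authorised group.
# Run in an elevated PowerShell on a domain-joined Windows host.

# 1. Phase 1 (main mode) authentication: the *machine* proves domain membership
#    with Kerberos. Phase 2 adds *user* Kerberos, so both are authenticated.
$machineKerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Domain Isolation - Machine Kerberos" `
    -Proposal $machineKerberos

$userKerberos = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName "Domain Isolation - User Kerberos" `
    -Proposal $userKerberos

# 2. Connection security rule: *require* authentication for inbound traffic,
#    only *request* it outbound so the host can still talk to unmanaged devices
#    (printers, appliances) that cannot do IPsec. Untrusted hosts cannot open
#    connections to this host at all, whatever network they sit on.
New-NetIPsecRule -DisplayName "Domain Isolation - Require inbound auth" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain

# 3. Firewall rule layered on top: even among authenticated domain machines,
#    only members of one group (placeholder SID below) may reach TCP/1433.
#    The SDDL grants CC (connect) to that group SID; replace with the real
#    "web tier servers" group SID in your forest.
$allowedMachines = "O:LSD:(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1234)"
New-NetFirewallRule -DisplayName "Web tier -> SQL (authenticated machines only)" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 `
    -Authentication Required -RemoteMachine $allowedMachines `
    -Profile Domain

# 4. Verification: confirm the rules are in place, then, after a peer connects,
#    confirm a main-mode security association actually exists for it.
Get-NetIPsecRule -DisplayName "Domain Isolation*" |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA |
    Format-Table LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

The check a practitioner wants before rolling this out fleet-wide: deploy step 2 first with -InboundSecurity Request on a pilot group and watch which peers never negotiate an SA (those are the unmanaged or untrusted hosts the isolation will cut off), then switch to Require. Note that the firewall rule in step 3 only does anything useful in combination with the connection security rule; without IPsec authentication there is no verified machine identity for -RemoteMachine to match against.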


