Re: Security model for back to back ISA server solution?

From: x y, mvp (levinson_k@despammed.com)
Date: 03/09/03


From: "x y, mvp" <levinson_k@despammed.com>
Date: Sun, 9 Mar 2003 08:17:19 -0500


IMHO joining either firewall to the domain potentially lessens security.
The reason why you would join the firewall to the domain would be if you
need to authenticate users either inbound to, say, VPN or a company web
site, or outbound to, say, limit and log what they're doing with their web
browser. Joining a firewall to a domain like this would be to implement
single sign-on to reduce the number of passwords the user has... but
generally single sign-on tends to increase convenience by decreasing
security. I think Microsoft has a different opinion about all this, since
they seem to encourage joining ISA to a domain in order to get additional
features... however, generally you don't join firewalls from other vendors
to a domain.

If you wanted to do this, I would probably be more inclined to permit the
internal firewall to be joined to your domain, the one in between your
company and the DMZ, unless you feel for some reason that it doesn't make
sense to use this firewall as the proxy server / VPN server.

NetBIOS and Windows domain authentication are chatty and require anonymous
null session enumeration and dynamic RPC port numbers, all of which make it
difficult to successfully monitor and tell the attacks from the normal
traffic. It's good to try to block or at least reduce this traffic in your
DMZ if you can.

I'm confused as to why you'd join the external firewall to the domain.
First, unless I'm mistaken, the internal firewall would be the one in
between your internal administrators and the DMZ. Second, your
administrators wouldn't necessarily need to authenticate with the firewall.

If you wanted your DMZ administrators to authenticate with the firewall and
then again with the DMZ server, I would think this would be done as an
additional layer of protection, but arguably you lose that extra layer of
protection if everything is joined to the same domain with single sign-on
[e.g. you again have just one password protecting the whole connection]. I
personally would feel safer with those accounts and passwords not being in
the domain or otherwise synchronized with the domain, because you wouldn't
want a password discovered on one vulnerable device to also permit access to
other devices.

Last, I would consider NOT using ISA server for both your firewalls.
Personally I find ISA server to be expensive and needlessly complex to
administer. Plus, if you had a vulnerability on one ISA server, you'd
probably have it on both, and that could permit hacking. And, Microsoft's
VPN solution is not the fastest or highest rated one out there. You might
consider the www.netscreen.com 5XP starting around $500 or $600 US; it has a
lot of nice features that you may or may not get for free with ISA, such as
content filtering, bandwidth monitoring, award-winning VPN, easy GUI, etc.
There are a number of free but respected Linux firewalls that will run on an
old 486 or 586, some of them run from a boot CD. The advantage there is
lots of free add-on utilities, you can afford to have a spare machine
waiting in the corner, you can purchase 24x7 on-site tech support at a more
reasonable price, etc.

http://securityadmin.info/faq.htm#firewall

More info on ISA is at www.isaserver.org and in the ISA server newsgroups
[this group is really for Windows 2000]

These links might also be useful if you need to permit Windows networking
through your firewall:

How to configure a firewall to allow Windows domain networking [or consider
using PPTP or VPN instead]:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q179442
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154596
http://securityadmin.info/faq.htm#ipsec

"Ade Morgan" <ademo@msn.com> wrote in message
news:00ae01c2e554$ba58f1c0$a001280a@phx.gbl...
> It is not totally clear to me or my colleagues when using
> 2 ISA servers to protect a DMZ and corporate network
> whether the outside ISA server(and DMZ servers) should be
> part of the active directory for the domain, or whether
> the DMZ and outside ISA server should be in a separate
> domain.
>
> My gut feeling is that the external ISA and DMZ servers
> should be part of the domain so that users in the
> corporate environment can access and update servers in the
> DMZ. (Obviously none should be domain controllers as the
> security information for the domain is then available to
> anyone who has managed to break into DMZ.)
>
> Has anybody any comments as to which method offers the
> best security model for this back2back scenario?
