I'd appreciate a show of hands from the experts here - Do you recommend
installing a separate firewall device in between a dual-homed SBS2000
machine running ISA and the Internet? I am very impressed with ISA, and
support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
that if somehow ISA is compromised, the entire network will be open for the
world to see.

Thanks in advance for your input!

Mike

Re: Additional firewall in front of ISA? by Kevin

Kevin
Mon Jan 12 14:15:19 CST 2004

If by dual-homed you mean a two NIC card setup, yes I still put a firewall
in front of the 2nd nic that's attached to the Internet.
-kw

"Mike Dewdney" <mike@animate.com> wrote in message
news:zlCMb.6421$881.853567@news20.bellglobal.com...
> I'd appreciate a show of hands from the experts here - Do you recommend
> installing a separate firewall device in between a dual-homed SBS2000
> machine running ISA and the Internet? I am very impressed with ISA, and
> support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
> that if somehow ISA is compromised, the entire network will be open for the
> world to see.
>
> Thanks in advance for your input!
>
> Mike
>
>



Re: Additional firewall in front of ISA? by IBC

IBC
Mon Jan 12 14:45:16 CST 2004

If you're supporting 8 sites, you MUST know more about these things than me,
but here's my take:

I have run the Firewall/2nd Nic/ISA/Local Network setup since SBS2000 was
released. Nothing wrong with MORE security, right?

Well, if you aren't super familiar with all the intricacies of firewalls it
can get fun. I've always had to know 2 different ways of doing the exact
same thing since it happens one way in ISA, and then I have to go to the
firewall and do it again another way. Sometimes troubleshooting can start to
be a pain if you can't figure out which firewall is jamming you up. To me
though, it's worth losing my mind for a little peace of mind.

JM2C

"Kevin Weilbacher" <kweilbac@NO_SPAM_gte.net> wrote in message
news:uCQROjU2DHA.2360@TK2MSFTNGP10.phx.gbl...
> If by dual-homed you mean a two NIC card setup, yes I still put a firewall
> in front of the 2nd nic that's attached to the Internet.
> -kw
>
> "Mike Dewdney" <mike@animate.com> wrote in message
> news:zlCMb.6421$881.853567@news20.bellglobal.com...
> > I'd appreciate a show of hands from the experts here - Do you recommend
> > installing a separate firewall device in between a dual-homed SBS2000
> > machine running ISA and the Internet? I am very impressed with ISA, and
> > support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
> > that if somehow ISA is compromised, the entire network will be open for the
> > world to see.
> >
> > Thanks in advance for your input!
> >
> > Mike
> >
> >
>
>



Re: Additional firewall in front of ISA? by Chris

Chris
Mon Jan 12 14:38:24 CST 2004

I have put a Pix firewall in front of the SBS/ISA server.


"Mike Dewdney" <mike@animate.com> wrote in message
news:zlCMb.6421$881.853567@news20.bellglobal.com...
> I'd appreciate a show of hands from the experts here - Do you recommend
> installing a separate firewall device in between a dual-homed SBS2000
> machine running ISA and the Internet? I am very impressed with ISA, and
> support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
> that if somehow ISA is compromised, the entire network will be open for the
> world to see.
>
> Thanks in advance for your input!
>
> Mike
>
>



Additional firewall in front of ISA? by dilltech

dilltech
Mon Jan 12 15:44:01 CST 2004

I am far from an expert on this subject, but, I have a
gateway router doing NAT and passing to my external NIC,
with the internal network on a completely different
private IP range. In effect NATTING an already NATTED IP
address. external IP 192.168.xxx.xxx becomes 10.10.xxx.xxx

I am running ISA, and (knock wood) not had a problem yet.

I have also done some port scanning and determined that my
domain is entirely "stealth" and all ports are closed
until needed. (for this I used Foundstone's SuperScan).

RickD
>-----Original Message-----
>I'd appreciate a show of hands from the experts here - Do you recommend
>installing a separate firewall device in between a dual-homed SBS2000
>machine running ISA and the Internet? I am very impressed with ISA, and
>support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
>that if somehow ISA is compromised, the entire network will be open for the
>world to see.
>
>Thanks in advance for your input!
>
>Mike
>
>
>.
>

Re: Additional firewall in front of ISA? by Dave

Dave
Mon Jan 12 16:10:14 CST 2004

How do you like the Pix? Do you use inbound VPN?

I'm on the edge of getting a Sonicwall, but I'm not 100% decided. (I'm
getting ready to replace my Linksys with a more robust device. For one
thing, the Linksys only supports one inbound VPN connection at a time, and
we expect to have 2-4 connections fairly frequently).


"Chris Gumm" <xxx@xxx.xxx> wrote in message
news:ektNJwU2DHA.2580@TK2MSFTNGP09.phx.gbl...
> I have put a Pix firewall in front of the SBS/ISA server.
>
>
> "Mike Dewdney" <mike@animate.com> wrote in message
> news:zlCMb.6421$881.853567@news20.bellglobal.com...
> > I'd appreciate a show of hands from the experts here - Do you recommend
> > installing a separate firewall device in between a dual-homed SBS2000
> > machine running ISA and the Internet? I am very impressed with ISA, and
> > support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
> > that if somehow ISA is compromised, the entire network will be open for the
> > world to see.
> >
> > Thanks in advance for your input!
> >
> > Mike
> >
> >
>
>



Re: Additional firewall in front of ISA? by Mike

Mike
Mon Jan 12 16:30:53 CST 2004

Thanks for the feedback - So far everyone runs a firewall in addition to the
standard SBS setup. I am considering offering this to my clients as an
"enhanced security" option. Can you guys provide me with some compelling
reasons that the additional security is necessary? How vulnerable is the
standard SBS ISA configuration when exposed directly to the Internet?

BTW - All my clients do use OWA and host their own email on Exchange, so the
appropriate ports do need to be open. SSL'ing OWA would be part of the
"enhanced security" package. Does this throw a wrench into the works for
the 2nd firewall?

Thanks again for all the help!!

Mike


"dilltech" <support@dilltech.com> wrote in message
news:067a01c3d955$30e0eb00$a101280a@phx.gbl...
> I am far from an expert on this subject, but, I have a
> gateway router doing NAT and passing to my external NIC,
> with the internal network on a completely different
> private IP range. In effect NATTING an already NATTED IP
> address. external IP 192.168.xxx.xxx becomes 10.10.xxx.xxx
>
> I am running ISA, and (knock wood) not had a problem yet.
>
> I have also done some port scanning and determined that my
> domain is entirely "stealth" and all ports are closed
> until needed. (for this I used Foundstone's SuperScan).
>
> RickD
> >-----Original Message-----
> >I'd appreciate a show of hands from the experts here - Do you recommend
> >installing a separate firewall device in between a dual-homed SBS2000
> >machine running ISA and the Internet? I am very impressed with ISA, and
> >support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
> >that if somehow ISA is compromised, the entire network will be open for the
> >world to see.
> >
> >Thanks in advance for your input!
> >
> >Mike
> >
> >
> >.
> >



Re: Additional firewall in front of ISA? by IBC

IBC
Mon Jan 12 17:22:22 CST 2004

It seems like an extortion technique, but simply inform them that if
somebody finds a hole in the Microsoft products (never happens, right?) it
will cost them far more to have you repair/rebuild the server in the long
term than a firewall for under $1000. Pay me now or pay me later. My
'second' firewall is never anything incredibly fancy, usually a programmable
one inside my router. This means you have to know how to speak firewall and
don't get pretty interfaces, but if you know what you are doing, it's just as
strong as the rest of them. I'm just learning how to use my Netopia and it
seems like a fine product. We went with it based on the recommendations of
some here. We needed a router anyhow, so getting one with the built-in
firewall and VPN is a logical choice.


"Mike Dewdney" <mike@animate.com> wrote in message
news:e7XPjwV2DHA.2620@TK2MSFTNGP09.phx.gbl...
> Thanks for the feedback - So far everyone runs a firewall in addition to the
> standard SBS setup. I am considering offering this to my clients as an
> "enhanced security" option. Can you guys provide me with some compelling
> reasons that the additional security is necessary? How vulnerable is the
> standard SBS ISA configuration when exposed directly to the Internet?
>
> BTW - All my clients do use OWA and host their own email on Exchange, so the
> appropriate ports do need to be open. SSL'ing OWA would be part of the
> "enhanced security" package. Does this throw a wrench into the works for
> the 2nd firewall?
>
> Thanks again for all the help!!
>
> Mike
>
>
> "dilltech" <support@dilltech.com> wrote in message
> news:067a01c3d955$30e0eb00$a101280a@phx.gbl...
> > I am far from an expert on this subject, but, I have a
> > gateway router doing NAT and passing to my external NIC,
> > with the internal network on a completely different
> > private IP range. In effect NATTING an already NATTED IP
> > address. external IP 192.168.xxx.xxx becomes 10.10.xxx.xxx
> >
> > I am running ISA, and (knock wood) not had a problem yet.
> >
> > I have also done some port scanning and determined that my
> > domain is entirely "stealth" and all ports are closed
> > until needed. (for this I used Foundstone's SuperScan).
> >
> > RickD
> > >-----Original Message-----
> > >I'd appreciate a show of hands from the experts here - Do you recommend
> > >installing a separate firewall device in between a dual-homed SBS2000
> > >machine running ISA and the Internet? I am very impressed with ISA, and
> > >support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
> > >that if somehow ISA is compromised, the entire network will be open for the
> > >world to see.
> > >
> > >Thanks in advance for your input!
> > >
> > >Mike
> > >
> > >
> > >.
> > >
>
>



Re: Additional firewall in front of ISA? by Andrew

Andrew
Mon Jan 12 20:40:34 CST 2004

If you do this, be sure that both firewalls are properly configured;
otherwise, the two-firewall arrangement may in reality be just a
one-firewall arrangement in disguise. Configure ISA first without the second
firewall and do a port scan to be sure. Then make sure ISA is set to send
alerts if it detects a compromise or an attack that it should never even be
seeing if the other firewall is working properly. Lately, I've been more
inclined to use ISA by itself; simplicity is easier to manage than
complexity, and things are hard enough to get working when they are simple.

"Mike Dewdney" <mike@animate.com> wrote in message
news:zlCMb.6421$881.853567@news20.bellglobal.com...
> I'd appreciate a show of hands from the experts here - Do you recommend
> installing a separate firewall device in between a dual-homed SBS2000
> machine running ISA and the Internet? I am very impressed with ISA, and
> support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
> that if somehow ISA is compromised, the entire network will be open for the
> world to see.
>
> Thanks in advance for your input!
>
> Mike
>
>
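
The check described in the post above (alert when the inner firewall sees traffic the outer firewall should already have stopped), as an added example that is not part of the original thread. The log layout, the forwarded-port list and the internal address range are all assumptions made for illustration; this is not ISA's own log format.

```python
import ipaddress

# Assumption: the only ports the outer firewall forwards inward
# (SMTP for Exchange, HTTPS for SSL'd OWA).
OUTER_ALLOWED = {("tcp", 25), ("tcp", 443)}
# Assumption: internal LAN range; traffic sourced here is not inbound.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample lines: timestamp src_ip proto dst_port action
SAMPLE_LOG = """\
2004-01-12T20:41:03 203.0.113.7 tcp 25 allow
2004-01-12T20:41:09 203.0.113.9 tcp 445 deny
2004-01-12T20:41:15 10.10.1.20 tcp 80 allow
2004-01-12T20:41:22 198.51.100.4 udp 1434 deny
2004-01-12T20:41:30 198.51.100.4 tcp 443 allow
not a log line
"""

def parse_line(line):
    """Return a record dict, or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, proto, port, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "proto": proto.lower(), "port": int(port),
                "action": action.lower()}
    except ValueError:
        return None

def outer_bypass_alerts(log_text):
    """List inbound packets the inner firewall saw on ports the outer
    firewall does not forward. The inner action is irrelevant: even a
    'deny' here means the outer layer let the packet through."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in INTERNAL_NET:
            continue
        if (rec["proto"], rec["port"]) not in OUTER_ALLOWED:
            alerts.append((rec["ts"], str(rec["src"]),
                           rec["proto"], rec["port"]))
    return alerts

if __name__ == "__main__":
    for alert in outer_bypass_alerts(SAMPLE_LOG):
        print("outer firewall bypass suspected:", alert)
```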



Re: Additional firewall in front of ISA? by Susan

Susan
Mon Jan 12 20:53:04 CST 2004

One firewall properly maintained and patched is better than two
unmaintained firewalls.

Patch.

My desktops are more insecure than a firewall on my domain controller.

Andrew M. Saucci, Jr. wrote:
> If you do this, be sure that both firewalls are properly configured;
> otherwise, the two-firewall arrangement may in reality be just a
> one-firewall arrangement in disguise. Configure ISA first without the second
> firewall and do a port scan to be sure. Then make sure ISA is set to send
> alerts if it detects a compromise or an attack that it should never even be
> seeing if the other firewall is working properly. Lately, I've been more
> inclined to use ISA by itself; simplicity is easier to manage than
> complexity, and things are hard enough to get working when they are simple.
>
> "Mike Dewdney" <mike@animate.com> wrote in message
> news:zlCMb.6421$881.853567@news20.bellglobal.com...
>
>>I'd appreciate a show of hands from the experts here - Do you recommend
>>installing a separate firewall device in between a dual-homed SBS2000
>>machine running ISA and the Internet? I am very impressed with ISA, and
>>support 8 SBS sites without the 2nd firewall, but I am becoming paranoid
>>that if somehow ISA is compromised, the entire network will be open for the
>>world to see.
>>
>>Thanks in advance for your input!
>>
>>Mike
>>
>>
>
>
>

--
http://www.sbslinks.com/really.htm


Re: Additional firewall in front of ISA? by Chris

Chris
Tue Jan 13 13:11:53 CST 2004

Well I used these arguments to get the cost of a firewall approved.


#1. Your LAN is not directly connected to the internet. This is probably
poor wordage, I consider the zone between ISA and the firewall as a "DMZ"
zone.

#2. You have multiple vendors in the setup.

#3. Redundancy, If ISA or the SBS box totally fail, I can still receive/send
email and surf the web by simply redirecting ports in the firewall to a
standby box.

#4. The firewall has features that ISA doesn't.

I have not had any issues with OWA and SSL with our firewall setup.

"Mike Dewdney" <mike@animate.com> wrote in message
news:e7XPjwV2DHA.2620@TK2MSFTNGP09.phx.gbl...
> Thanks for the feedback - So far everyone runs a firewall in addition to the
> standard SBS setup. I am considering offering this to my clients as an
> "enhanced security" option. Can you guys provide me with some compelling
> reasons that the additional security is necessary? How vulnerable is the
> standard SBS ISA configuration when exposed directly to the Internet?
>
> BTW - All my clients do use OWA and host their own email on Exchange, so the
> appropriate ports do need to be open. SSL'ing OWA would be part of the
> "enhanced security" package. Does this throw a wrench into the works for
> the 2nd firewall?
>
> Thanks again for all the help!!
>
> Mike