Sponsored by: GFI Software Ltd
ISAserver.org Newsletter
October 2005
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
GFI WebMonitor for ISA Server v3 released! Your favorite real time ISA monitor just got better
The latest version of GFI WebMonitor for ISA Server, a utility for ISA server that allows for real time monitoring of web sites being browsed by network users and the files they are downloading, has just been launched! Version 3 now includes a real-time online adult content filter, virus scanning and file type blocking capabilities and byte transfer stats per user/per site.
Click here to download the new and improved GFI WebMonitor for ISA Server!
1. Top Ten Clues Indicating a Consultant Shouldn't Be Within Ten Parsecs of your ISA Firewall
By Thomas W Shinder MD, MVP
I'm seeing a lot of requests on the ISAserver.org mailing list and Web boards for expert consultant help in setting up ISA firewalls for organizations of all sizes. This is great news, because it shows the word is getting out that the ISA firewall is indeed ready for prime time and is an enterprise grade firewall that works for any company, regardless of size.
As with all consultant situations, caveat emptor should be the working phrase. There are some darned good ISA firewall consultants out there, and there are some who figure that since they're the best Xbox guys on the block, they might as well be highly paid firewall consultants. Seek the former and run from the latter.
To help you folks currently in the market for an ISA firewall consultant, I present my list of the top ten warning signs that your firewall consultant might be off the reservation. If you hear the potential consultant utter any of these phrases or ideas, run, don't walk, away.
Consultant recommends that you "open a port"
You can't "open a port" on a firewall, because ports are not bidirectional "holes" in some sort of digital pegboard. Even the least powerful of real firewalls control traffic based on source and destination IP address and source and destination port, and that's just for TCP and UDP protocols. Implicit in the concept of "open a port" is that the device allows all traffic to and from a particular host or network by default. The basic firewall fact is that "open a port" means nothing to a firewall administrator and if the consultant utters this phrase, you need to put your guard up. Accept use of this phrase only if the firewall consultant says it only to condemn it.
Consultant recommends a "hardware firewall"
All firewalls run software. Hardware is dumb and only does what software tells it to do. A "hardware firewall", in terms of common usage, means a dedicated firewall device that doesn't run on Windows. There are other definitions of hardware firewalls, such as those having no fans, no hard disks, or in general "no moving parts". The misconception is that "hardware firewalls" are more secure than a firewall that runs on a hardened operating system. Objective data and experience show that this is an illusion, one strongly promulgated by "hardware" firewall manufacturers. I don't blame the vendors for spewing out this information; they're just trying to gain a competitive advantage. But I do blame someone who claims to be a firewall expert if he chooses to believe this canard. The fact is no correctly configured ISA firewall has been successfully attacked to the extent that there was data loss. So-called "hardware" firewall vendors cannot make this claim. If your consultant recommends a "hardware" firewall for security reasons, you had better look at the guy with a jaundiced eye and check the phonebook for another consultant.
Consultant calls a host-based or personal firewall a "software firewall"
As mentioned earlier, all firewalls run on software. That's a fact and there's no way around it. Even "hardware" firewalls with no moving parts have software included in memory. One of the most useful measures for assessing consultant cluelessness is whether they refer to host-based or personal firewalls as "software firewalls" and low-cost NAT devices as "hardware firewalls". This is a common error made in the consumer radio personality space, and it creates no end of confusion in that space. However, professional firewall consultants never refer to host-based or personal firewalls as "software firewalls", because they know that all firewalls require software instructions to carry out their firewall duties.
Consultant says you need to "poke a hole" or "create a pinhole" in the firewall
In the same way that you can't "open a port" on a firewall, you can't "poke a hole" or "create a pinhole" in the firewall. Again, a network firewall is not an electronic pegboard, where you can poke a hole in one of the punch-outs and allow "stuff" to flow in both directions. There is no "stuff" that flows through such "hole pokes". Again, if someone thinks in terms of poking holes in firewalls, it indicates that he doesn't understand how firewalls work, and that reflects on the consultant's lack of understanding and skill set.
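To make the "open a port" and "poke a hole" points above concrete, here is an added example (not from the newsletter and not ISA Server code) that models access rules the way a real firewall evaluates them: protocol plus destination port, source network and destination network, a default deny, and a state table that replies are matched against. The network names and addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed network objects, in the spirit of the ISA firewall's Internal
# and External networks (addresses are private/documentation ranges).
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/8")],
    "External": [ip_network("0.0.0.0/0")],   # anything not more specifically named
}

# A rule names protocol, destination port, source network and destination
# network. Note there is no rule that simply says "port 80 is open".
RULES = [
    {"name": "Allow HTTP out", "proto": "tcp", "dport": 80,
     "from": "Internal", "to": "External", "action": "allow"},
]

STATE = set()   # connections already allowed; replies are matched against it

def network_of(ip):
    """Map an address to the most specific named network it belongs to."""
    addr, best = ip_address(ip), None
    for name, nets in NETWORKS.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else "Unknown"

def evaluate(proto, src_ip, src_port, dst_ip, dst_port):
    """Decide a new connection attempt: first matching rule wins, else deny."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    for rule in RULES:
        if (rule["proto"] == proto and rule["dport"] == dst_port
                and rule["from"] == src_net and rule["to"] == dst_net):
            if rule["action"] == "allow":
                STATE.add((proto, src_ip, src_port, dst_ip, dst_port))
            return rule["action"]
    return "deny"   # default deny: a port is never "open" on its own

def is_return_traffic(proto, src_ip, src_port, dst_ip, dst_port):
    """A reply passes only if it belongs to a connection the firewall allowed."""
    return (proto, dst_ip, dst_port, src_ip, src_port) in STATE

if __name__ == "__main__":
    # Internal client to an Internet Web server: matches the rule.
    print(evaluate("tcp", "10.0.0.5", 51000, "203.0.113.10", 80))          # allow
    # Same port, opposite direction: no rule matches, so port 80 is not "open".
    print(evaluate("tcp", "203.0.113.10", 51000, "10.0.0.5", 80))          # deny
    # The server's reply to the first connection is return traffic.
    print(is_return_traffic("tcp", "203.0.113.10", 80, "10.0.0.5", 51000))  # True
```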
Consultant refers to a NAT device as a "firewall"
There are a number of low-cost devices on the market today providing simple NAT services for SOHO and very small businesses and branch offices. These unsophisticated devices are able to NAT outbound connections and sometimes reverse NAT inbound connections. However, these devices do not perform stateful packet and application layer inspection, do not enable strong user/group based access control for protocols, sites, content and time of day, and do not maintain comprehensive logging information about all connections moving through and to the alleged firewall device. Firewall experts will call a spade a spade, and a NAT device is neither a spade nor a firewall. Consultants who refer to them as firewalls are showing that they have a bad hand.
Consultant recommends putting a Web or FTP server on the firewall
The network or perimeter firewall is a highly specialized piece of security gear and everything possible should be done to reduce the attack surface on the firewall. Any time you allow connections to services on the firewall, you exponentially increase the risk related to an increased attack surface, and if you enable connections from the Internet to services on the firewall, then you've increased the attack surface by many orders of magnitude. Any firewall consultant who recommends running Web or FTP services on the firewall should be run out of town on a rail or hoisted by his own petard, or both.
Consultant refers to the ISA firewall as a "proxy server" and recommends a single-NIC configuration
The ISA firewall is a firewall, first, second and last. Even if you try to harpoon the ISA firewall's network security model by installing it in unihomed Web proxy only mode, it's still a firewall (albeit providing firewall protection only for itself). The ISA firewall does include a Web proxy filter that works with the ISA firewall's firewall services, but it's a filter like any other filter. The ISA firewall also supports the Winsock proxy client (Firewall client), which can remote Winsock connections directly to the ISA firewall, but the ISA firewall is a firewall that supports these proxy components, not a proxy server with firewall components. Therefore, be suspicious of those who refer to the ISA firewall as a proxy server, since it may indicate that they think the ISA firewall is something like Proxy Server 4.0, which is definitely not the case and indicates that the consultant may not understand the ISA firewall's firewall architecture.
Consultant creates "all open" Access Rules to the ISA firewall's Local Host Network
The ISA firewall's Local Host Network includes all IP addresses bound to all interfaces on the ISA firewall. System Policy is the primary method you should use when controlling traffic to and from the ISA firewall itself. You should be very careful about allowing any traffic to and from the ISA firewall itself, since any such traffic could have potentially disastrous effects. If you ever see a consultant create or recommend a rule allowing all traffic to or from the ISA firewall, you need to steer clear of this consultant. There are no valid scenarios where all traffic should be allowed to or from the ISA firewall. Any consultant who would create such a rule shows that he doesn't appreciate the profound effects that such rules could have not only on the ISA firewall, but on your entire network infrastructure.
Consultant says that ISA firewall should not be on the Edge of the Network
I've spent a lot of time teaching ISA firewall admins that the ISA firewall can and should be used as an edge firewall, and that it is designed to be an edge firewall. After installation is complete, the ISA firewall is a network brick and no one is going to get past that brick until you create rules making it possible. No one is going to break through the ISA firewall. For this reason, you should be completely at ease with putting the ISA firewall at the edge of the network. Give a wide berth to the consultant who recommends putting a "hardware" firewall in front of the ISA firewall, if the recommendation is made because "he doesn't trust" the ISA firewall on the edge. In fact, you should not trust the consultant. Stop him before he harms your network security.
Consultant recommends against using the Firewall and Web proxy client configuration
You can significantly increase the overall level of security the ISA firewall can provide your network if you deploy both the Firewall and Web proxy client configurations throughout your network, as appropriate. Any ISA firewall consultant who doesn't push for such configurations demonstrates an impressive lack of knowledge about the outrageous security advantages these client configurations represent. If the consultant says "I prefer the SecureNAT client because it provides all the security you need", then you need to lock your checkbook away in a safe place, call security, and have the consultant escorted swiftly, but considerately, out the door.
=======================
Quote of the Month - "I've never thought of the IRS and network security together before. I don't think I want to, makes my brain panic" - Amy Babinchak responding to Tom Shinder's observations on dealing with painful issues
=======================
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
5. Post of the Month
I see a lot of requests for backing up the ISA firewall configuration. At first I thought this was a marginal idea, because I've made it a habit of backing up my configuration each time I make a change, so I always have delta backups available. However, I do understand how the underpaid, overworked, and multitasking firewall administrator can forget to make a backup, and that could leave him in the lurch.
The good news is that an ISAserver.org member has stepped up to the plate with a configuration backup script! You'll need to schedule it, but the script does the rest.
Check it out at:
http://www.rmbt.co.uk/isahowto.php
HTH -Tom.
6. ISA Firewall Links of the Month
ISA Server 2004 Enterprise Edition Quick Start Guide
http://download.microsoft.com/download/3/e/2/3e2ae4a2-67a0-4431-88aa-dda29e592e3c/isaeequickstart.doc
ISA Server 2004 Enterprise Edition Configuration Guide
http://download.microsoft.com/download/6/9/0/690d2ee7-a4e0-4c0a-80d4-1e30ebcac1de/isa_2004_ee_configuration_guide.doc
Monitoring and Troubleshooting ISA Firewall Performance
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/isa_2004_perftroubleshooting.mspx
ISA Firewalls Receive Common Criteria EAL 4+ Certification
http://www.microsoft.com/isaserver/techinfo/deployment/commoncrit.mspx
TechNet Webcast: SurfControl Web Filter for ISA Server 2004: Helping You STOP Unwanted Content Risks (Level 200)
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032282030&EventCategory=4&culture=en-US&CountryCode=US
ISA Server 2000 Security Hardening Guide
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
Learn about ISA Hardware Firewalls
http://www.microsoft.com/isaserver/hardware/default.mspx
7. Ask Dr. Tom
QUESTION: We want to allow VPN clients access only to our Microsoft Exchange Server via Secure Exchange RPC. Is this possible? Thanks! --Davide
ANSWER: You can use the Mail Server Publishing Wizard to create a Secure Exchange RPC Server Publishing Rule with a listener on the VPN Clients Network. Then create a DNS Server Publishing Rule with a listener on the VPN Clients Network. Using the combination of these two Server Publishing Rules, you publish your corporate network DNS and Exchange servers to members of the VPN Clients Network, so that they can connect to your Exchange Server using only secure Exchange RPC and have access only to the Exchange and DNS servers, and to no other servers on the network.
QUESTION: SSL to HTTP bridging is configured for our published Web site but it's not working. How can I fix the Web Publishing Rule so that SSL to HTTP bridging works correctly? --Danny
ANSWER: The problem with SSL to HTTP bridging is that Web servers often dynamically generate links based on the protocol used for the connection. Since the link between the ISA firewall and the published Web server uses HTTP, the link generated by the Web server is an HTTP link, and this is returned to the Web client on the Internet. Since the connection between the Web client and the ISA firewall requires SSL, the connection fails. You may be able to solve this problem using the ISA firewall's Link Translation feature, but a better solution is to implement SSL to SSL bridging. Not only does SSL to SSL bridging solve the link problem, it also increases the overall level of security of your Web Publishing solution.
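An added illustration of the bridging problem and the Link Translation fix described in this answer (example code, not from the newsletter or from ISA Server's implementation). The host names are constructed, and `link_translation` stands in for the ISA firewall's Link Translation dictionary.

```python
import re

# Constructed names: the public SSL listener and the published internal server.
PUBLIC_HOST = "www.example.com"
INTERNAL_HOST = "webserver.internal"

def origin_server(scheme, host, path):
    """Web server that builds an absolute link from the scheme and Host
    header of the request it received, as many servers do."""
    return f'<a href="{scheme}://{host}{path}">Catalog</a>'

def ssl_to_http_bridge(path, forward_original_host=False):
    """ISA terminates SSL from the client and forwards plain HTTP to the
    published server, so the server sees scheme 'http' either way."""
    host = PUBLIC_HOST if forward_original_host else INTERNAL_HOST
    return origin_server("http", host, path)

def link_translation(body):
    """Rewrite the internal name and the plain-HTTP form of the public name
    to the public https URL, as a Link Translation dictionary would."""
    mapping = {
        f"http://{INTERNAL_HOST}": f"https://{PUBLIC_HOST}",
        f"http://{PUBLIC_HOST}":   f"https://{PUBLIC_HOST}",
    }
    for internal, public in mapping.items():
        body = body.replace(internal, public)
    return body

def links_ok_for_ssl_client(body):
    """The browser is on an https session with the public listener; every
    link must point back at that scheme and host or the next click fails."""
    hrefs = re.findall(r'href="([^"]+)"', body)
    return bool(hrefs) and all(h.startswith(f"https://{PUBLIC_HOST}") for h in hrefs)

if __name__ == "__main__":
    raw = ssl_to_http_bridge("/catalog")
    print(raw, links_ok_for_ssl_client(raw))                        # ... False
    fixed = link_translation(raw)
    print(fixed, links_ok_for_ssl_client(fixed))                    # ... True
```

With SSL to SSL bridging the server would see scheme 'https' and generate https links itself, which is why the answer prefers it.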
Got a question for Dr. Tom? Send it to tshinder@isaserver.org