I received this question in my mailbox the other day. It wasn't the first time. Thought I may as well post the answer too.
Amy, I've heard you on the SBS Show and read your comments in the Yahoo groups and on your own blog. I recently ran across Thomas Shinder's blog post called "Why SBS is Insecure by Design and Not Even an ISA Firewall can Fix the Problem" which can be found here:

I wanted to get your opinion on a specific statement Mr. Shinder makes in this post:
"The SBS 2003 SP1/ISA firewall box with a "hardware" firewall or NAT device in front of it is no more secure than the SBS 2003 SP1 box without the "hardware" firewall or NAT device in front of it. Putting a "hardware" firewall in front of the SBS box is psychological exercise in futility, and the money spent on the PIX 501 would be much better spent on a couple hours of psychotherapy or a few bottles of Dom P. Whether you choose the PIX, the shrink or the Dom, you'll end up with the same level of security."
Do you think a hardware firewall in front of an SBS box is no more secure than an SBS box without a hardware firewall in front of it? Do the companies you consult for usually have a hardware firewall in front of the SBS box, regardless of whether or not they are running ISA on

Your opinion on this would be greatly appreciated!
Security is not an absolute. Most people agree that it is about risk mitigation. As a small business consultant I can say with certainty that SBS does make small businesses more functional and more secure. Without exception, when I make first contact with a small business they are operating without backup, with expired anti-virus software, with a high speed Internet connection and without a firewall. After we install SBS, provide for backup, subscribe to and deploy an anti-virus solution, configure monitoring and patching and deploy a firewall, the business is more secure than before we started. Are they as secure as an enterprise that has embraced least privilege and separation of duties? No, but at least they are now on the right path.
You should always deploy a firewall. I only use SBS Premium in my practice because I believe that ISA can protect Microsoft products better than the competition, and I've got a lot of Microsoft products running on SBS. Now, is a hardware firewall necessary in front of ISA? No, this will not make you any more secure. If my clients have an ISP-supplied router with some firewall capabilities built in, then I enable that only because they already have it. I would never recommend that they go out and purchase one.
If you are using SBS standard, then you had better go out and purchase the best firewall that money can buy to protect it. You've got a lot of eggs in your basket to protect.