Mailbag: To Firewall or not?
I received this question in my mailbox the other day. It wasn't the first time. Thought I may as well post the answer too.
Amy, I've heard you on the SBS Show and read your comments in the Yahoo
groups and on your own blog. I recently ran across Thomas Shinder's
blog post called "Why SBS is Insecure by Design and Not Even an ISA
Firewall can Fix the Problem" which can be found here:
http://blogs.isaserver.org/shinder/2006/09/03/why-sbs-is-insecure-by-design-and-not-even-an-isa-firewall-can-fix-the-problem/
I wanted to get your opinion on a specific statement Mr. Shinder makes
in this post:
"The SBS 2003 SP1/ISA firewall box with a "hardware" firewall or NAT
device in front of it is no more secure than the SBS 2003 SP1 box
without the "hardware" firewall or NAT device in front of it. Putting a
"hardware" firewall in front of the SBS box is psychological exercise in
futility, and the money spent on the PIX 501 would be much better spent
on a couple hours of psychotherapy or a few bottles of Dom P. Whether
you choose the PIX, the shrink or the Dom, you'll end up with the same
level of security."
Do you think a hardware firewall in front of an SBS box is no more
secure than an SBS box without a hardware firewall in front of it? Do
the companies you consult for usually have a hardware firewall in front
of the SBS box, regardless of whether or not they are running ISA on
SBS?
Your opinion on this would be greatly appreciated!
______________________________________________________________________
Dear Reader,
Security is not an absolute. Most people agree that it is about risk mitigation. As a small business consultant I can say with certainty that SBS does make small business more functional and more secure. Without exception, when I make first contact with a small business they are operating without backup, with expired anti-virus software, with a high speed Internet connection and without a firewall. After we install SBS, provide for backup, subscribe to and deploy an anti-virus solution, configure monitoring and patching, and deploy a firewall, the business is more secure than before we started. Are they as secure as an enterprise that has embraced least privilege and separation of duties? No, but at least they are now on the right path.
You should always deploy a firewall. I only use SBS Premium in my practice because I believe that ISA can protect Microsoft products better than the competition, and I've got a lot of Microsoft products running on SBS. Now, is a hardware firewall necessary in front of ISA? No, this will not make you any more secure. If my clients have an ISP-supplied router with some firewall capabilities built in, then I enable that only because they already have it. I would never recommend that they go out and purchase one.
If you are using SBS standard, then you had better go out and purchase the best firewall that money can buy to protect it. You've got a lot of eggs in your basket to protect.
Amy Babinchak
2 Comments:
These myths, largely based on ignorance, fear, uncertainty and doubt, or just plain aloofness, have to stop.
The crux of it is ISA 2000 or 2004 on SBS is as secure as you make it and that goes for a non-SBS/ISA installation as well.
The difference is that there is more chance of misconfiguring something with ISA/SBS and then paying a higher price, since you have key systems on a single box.
However, my long experience with single-box ISA/Exchange/Web/etc. solutions, whether SBS or not, is that ISA 2K (in particular) is a rock-solid product. I have no reason to doubt that ISA 2K4 is the same and probably more so, although I certainly have had many more years with ISA 2000.
Hardware firewalls in front of ISA do not protect you from mis-configuring the ISA box, where all the incoming connections actually end (leaving aside routed non TCP/UDP protocols). Hence they might as well not be there. The point to note here is that they neither contribute, nor detract, from a rock-solid firewall product that is a well-configured ISA server. Why do you need a wet-suit if you already have one on?
Now, don't get me wrong, the level of complexity in configuring multiple network services to work together in a secure and proper manner cannot be underestimated, and as soon as an inexperienced person starts to fiddle, your security will probably go west.
At that stage, a second wet-suit may still keep you warm, but it's far from guaranteed.
A hardware firewall in front of your ISA server can also serve to off-load a lot of activity that you are not interested in and would, if presented to the ISA server, add an unnecessary load to it. On the downside, it's another thing to configure and maintain. Also, as noted above, it does nothing for any of the services that you may be publishing on the ISA server and if those have vulnerabilities, then that's that.
Well, for what it is worth, having run many multi-service+ISA one-box solutions over the years and monitored them closely over extended periods - I can confidently say that when properly configured, these solutions offer an outstanding level of protection (as good as any other that you can put together today) and compared to what many small businesses have (as noted in this blog) it is light years ahead.
Nonetheless, this is software and software can be susceptible to new vulnerabilities, particularly when new features are released.
Whatever your decision, you should have sound reasons behind it.
To Dr Shinder,
Referring to the article http://blogs.isaserver.org/shinder/2006/09/03/why-sbs-is-insecure-by-design-and-not-even-an-isa-firewall-can-fix-the-problem/#comment-13816 .
May I strongly suggest that you NOT sleep well at night, and that you DO donate the proceeds of your royalties received from security chapters written in SBS books to a well deserved charity?
What happened? Did you have an argument with an SBS consultant thus prompting you to write this article? Or did you simply not know what you were talking about when you wrote chapters upon chapters advocating SBS and ISA co-existing on a same box?
Either way, the damage is done. As a non-IT consultant in a foreign country who DOES take his IT infrastructure very seriously, my decision to go with an SBS2K3 platform had very much to do with your name giving the stamp of "security" approval on the product.
You've completely lost credibility. I've followed and read your articles since the days of SBS2K where all you've done is flip flop from one point of view to another. I now have to look at the date of release of an article to find out what Tom Shinder's latest view is. Literally! I originally thought that this article was an old one from the days where you used to slam the SBS platform.
I've also got some news for you, Tom. There are people out there who are half way across the globe, who are non-IT consultants, who read your articles and take your word at face value, and they DON'T have the expertise to dissect your security opinions with a fine-tooth comb.
You've already sold your soul, Tom. Instead of writing articles like this, your time would be much better spent in reviewing and recommending solutions in making SBS2K3 more secure at various price points, rather than confusing the non-technical SME community at large.
Very much less enlightened,
Thomas Tam
Dated: Forever.