ISAserver.org Monthly Newsletter of February 2012
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201202.lockoutguard>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org.
1. TMG - "When the Walls Fell"
--------------------------------------------------------------
If you're like the rest of us, you've probably been thinking a lot about cloud computing and how it's going to affect your network security architecture, design and plans in the coming decade. I thought about it even more last week when I was with Tom at TechDays 2012 Belgium <http://www.microsoft.com/belux/techdays/2012/SessionDetail.aspx?sessionId=253>, where he was giving a presentation about private cloud security architecture and principles. He talked about the things you need to consider from a security perspective when you deploy a private cloud, and one of the important considerations was how to handle perimeter defenses.
Tom said that it was difficult for him, as someone who has been an ISA and TMG guy for over a decade, to say that in the future he imagines that there will be little need for perimeter devices such as firewalls. He pointed out that with the advent of IPv6, protocol tunneling, and the increasingly popular tolerance for - and even encouragement of - the BYOD ("Bring Your Own Device") mentality in the enterprise, perimeter security in the future won't be able to provide the necessary "value add" that will justify the costs of purchasing the equipment, maintaining the equipment and paying the personnel to configure the equipment.
His point was that the firewall is something that worked well and provided a measure of security that justified its cost and effort in the 1990s and the early 21st century. But beginning in the second decade of the 21st century, firewalls are contributing decreasingly to the overall security posture of the network and security is going to need to be pushed back to the applications and to the data itself.
In fact, cloud security seems to be falling in line with what members of the Jericho Forum have been saying for years. The Jericho forum has maintained that we live in an increasingly deperimeterized world and that we need to take an approach to security that pushes it back closer to the assets that need securing, and spend relatively less time trying to protect the network edge. The group's name comes from the Biblical account of the battle of Jericho, wherein the walls around the city fell down.
What's my take on this? I remember listening to former Microsoft security evangelist Steve Riley talking about "the death of the DMZ" a few years ago and thinking that he was nuts. Of course, I didn't realize at that time that he was setting the stage for what would later become DirectAccess. What's interesting, though, is that even DirectAccess assumes to a certain extent that there is a network perimeter. In the full realization of the Jericho project's vision, there would be no perimeters (except maybe at the edge of the datacenter, and even then, perhaps not).
In ancient times, the only way to protect a city from enemies was to build walls around it. The higher and stronger and thicker those walls were, the safer the city was. But if the enemy made it over or through the walls, the city was lost. Today, except for the occasional "gated community," we generally don't rely on walls as the primary means of defending our citizens and their possessions. Our individual homes, however, are far better secured than they were in the olden days. We have guard dogs, alarm systems, deadbolt locks, and safes where we store our most important valuables. We've taken the security closer to the assets. That's what's beginning to happen now on our networks, as well.
What does this mean to you, the TMG firewall admin? Probably not much at the moment. The digital world is still highly perimeterized. However, times are changing and you'll need to think about how the walls will fall in the next five to ten years. I'll be here to help you move forward on your journey to network security in a cloudy world!
See you next month! – Deb.
dshinder@isaserver.org
=======================
Quote of the Month - Action is the real measure of intelligence. - Napoleon Hill
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
* Forefront Threat Management Gateway (TMG) 2010 Web Proxy Client Redundancy Deep Dive (Part 1) - DNS Configuration
http://www.isaserver.org/tutorials/Forefront-Threat-Management-Gateway-TMG-2010-Web-Proxy-Client-Redundancy-Deep-Dive-Part1.html
* TMG Firewall Flood Mitigation (Part 1)
http://www.isaserver.org/tutorials/TMG-Firewall-Flood-Mitigation-Part1.html
* Publishing Microsoft SharePoint 2010 with Forefront TMG and different authentication options (Part 1)
http://www.isaserver.org/tutorials/Publishing-Microsoft-SharePoint-2010-Forefront-TMG-different-authentication-options-Part1.html
* How to Publish an RDP Server on an Alternate Port using the TMG Firewall
http://www.isaserver.org/tutorials/How-Publish-RDP-Server-Alternate-Port-using-TMG-Firewall.html
* Reasons to Upgrade from IAG Server to Unified Access Gateway
http://www.isaserver.org/tutorials/Reasons-Upgrade-IAG-Server-Unified-Access-Gateway.html
* TMG Firewall Web Filtering (Part 2)
http://www.isaserver.org/tutorials/TMG-Firewall-Web-Filtering-Part2.html
* Advanced Forefront TMG debugging
http://www.isaserver.org/tutorials/Advanced-Forefront-TMG-debugging.html
* GFI WebMonitor for ISA Server Voted ISAserver.org Readers' Choice Award Winner - Content Security
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Content-Security-GFI-WebMonitor-Nov11.html
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
Remember when installing a service pack was as easy as downloading the service pack and then double-clicking on the service pack .msi file? Yeah, I remember that time too. However, for the TMG firewall, life isn't quite that easy any more. How you install a service pack depends on your deployment. Before you install a service pack or update pack, make sure to read the article Installing Forefront TMG Service Packs over at http://technet.microsoft.com/en-us/library/ff717843.aspx. You'll be glad you did!
5. Tip of the Month
--------------------------------------------------------------
You might have heard Tom argue in the past that you don't need to install antivirus software on TMG or UAG because you would never use the machine as a workstation and the TMG firewall prevents network-based attacks against the system. However, at other times Tom has noted that one of the advantages of the TMG firewall and UAG server is that you can install antivirus programs on them, and therefore have a higher level of security than you might get with non-Windows products, where you don't have the visibility into compromise that you have with Windows-based network gear. If you do install antivirus software on the TMG firewall or UAG server, then you know that you need to include the correct path exclusions. If you don't do that, you'll see performance issues and system instability. However, there is a problem with some of the recommended paths to exclude in the official article on the TechNet site. Jason Jones corrects this issue in his article Forefront TMG: Antivirus Exclusions and Process Path Correction at http://blog.msedge.org.uk/2011/12/forefront-tmg-antivirus-exclusions.html.
6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------
Have you noticed that the SQL process on your TMG firewall seems to use a lot of memory? Many people have been worried about that, but the fact is that SQL Server will take the memory it needs from the available memory and will release that memory if it's required by other services. However, if you expect other services on the TMG firewall to require memory in a "spiky" fashion, you might want to reduce the maximum amount of memory used by the SQL processes on the TMG firewall. Check out the article Configuring SQL Memory Limits on Forefront TMG 2010 at http://tmgblog.richardhicks.com/2012/01/23/configuring-sql-memory-limits-on-forefront-tmg-2010/ for more information about how to adjust the maximum amount of memory the SQL processes will use.
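As an added illustration (not from this newsletter or from the linked article), this is how a SQL Server instance's memory ceiling is capped with the standard `sp_configure` procedure. The instance name `MSFW` (the TMG logging instance) and the 1024 MB cap are assumptions for the example; check the SQL services on your own TMG box and size the cap for your hardware.

```sql
-- Connect to the TMG logging instance first, for example with sqlcmd:
--   sqlcmd -S .\MSFW -E
-- (instance name MSFW is an assumption for this example)

-- 'max server memory (MB)' is an advanced option, so expose it first
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Record the current ceiling before changing anything
EXEC sp_configure 'max server memory (MB)';

-- Cap the buffer pool at 1024 MB (assumed value; size it for your box,
-- leaving headroom for the firewall service and the OS)
EXEC sp_configure 'max server memory (MB)', 1024;
RECONFIGURE;

-- Verify: value (configured) and value_in_use (running) should both be 1024
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'max server memory (MB)';
```

The change takes effect without restarting the instance; watch the TMG logging queue after applying it to confirm the cap is not starving the logger.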
7. Blog Posts
--------------------------------------------------------------
* TMG Firewall Services Do Not Start when Installed in Workgroup Array
http://blogs.isaserver.org/shinder/2012/01/31/tmg-firewall-services-do-not-start-when-installed-in-workgroup-array/
* How to Bypass the Web Proxy Filter in TMG and ISA Firewalls
http://blogs.isaserver.org/shinder/2012/01/31/how-to-bypass-the-web-proxy-filter-in-tmg-and-isa-firewalls/
* Problems when combining UAG TMG and KMS
http://blogs.isaserver.org/shinder/2012/01/31/problems-when-combining-uag-tmg-and-kms/
* Congrats to TMG Firewall MVP Jason Jones for His Role as Virtual TSP
http://blogs.isaserver.org/shinder/2012/01/31/congrats-to-tmg-firewall-mvp-jason-jones-for-his-role-as-virtual-tsp/
* How to Customize the UAG Portal
http://blogs.isaserver.org/shinder/2012/01/31/how-to-customize-the-uag-portal/
* Publishing Lync Web Services through UAG
http://blogs.isaserver.org/shinder/2012/01/31/publishing-lync-web-services-through-uag/
* The End of ISA Server
http://blogs.isaserver.org/shinder/2012/01/31/the-end-of-isa-server/
* Migrating from ISA 2006 to TMG Firewalls
http://blogs.isaserver.org/shinder/2012/01/30/migrating-from-isa-2006-to-tmg-firewalls/
* Why You Should Upgrade your ISA Firewall to a TMG Firewall
http://blogs.isaserver.org/shinder/2012/01/30/why-you-should-upgrade-your-isa-firewall-to-a-tmg-firewall/
* Users in remote forests cannot change their passwords through ISA Server 2006 or Forefront Threat Management Gateway 2010
http://blogs.isaserver.org/shinder/2012/01/30/users-in-remote-forests-cannot-change-their-passwords-through-isa-server-2006-or-forefront-threat-management-gateway-2010/
8. Ask Sgt Deb
--------------------------------------------------------------
QUESTION:
Hi Deb,
Maybe you will give a faster response than literature.
With ISA 2006, it isn't possible to use LDAP or LDAP GC to authenticate outbound web proxy users (ISA 2006 configured on a DMZ in its own workgroup, separated from the corporate Active Directory by a firewall), as it knows how to do with reverse proxy configurations.
Question: Is that now possible with TMG 2010?
Other question: ISA 2006 couldn't filter HTTPS URLs. Is that possible with TMG 2010?
Best Regards -François
ANSWER:
Hi Francois!
Thanks for writing! While there are a number of big improvements in the TMG firewall, support for outbound LDAP authentication is not one of them. You should consider joining the TMG firewall to the domain; it's the most secure configuration and the one that we've promoted as a best practice for years, ever since the introduction of the ISA 2004 firewall.
On the other hand, I have good news for you when it comes to URL filtering. With ISA 2006, you have to use URL sets and Domain Name Sets to get something that looks like web filtering. This is a difficult and manual process and it can be hard to keep up with all the sites you need or want to block. This problem has been solved with the TMG firewall. The TMG firewall includes its own web filtering capabilities and allows you to configure "block" and "allow" web filtering rules based on out-of-the-box categories. You can also create your own categories and customize the default categories.
Do you have any questions or ideas for content? Email me at dshinder@isaserver.org.
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2012. All rights reserved.