RE: Domain on Edge

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 28 Oct 2005 17:29:41 -0700

Yeh; dammit; it's Jenyus...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Friday, October 28, 2005 17:29
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Domain on Edge

http://www.ISAserver.org

You spelled "genius" wrong....   bwaahahaha!  Sorry man, I had to. ;)

----- Original Message ----- 
From: "Joseph Danielsen" <JDanielsen@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 27, 2005 10:09 PM
Subject: [isalist] RE: Domain on Edge



Brother - you can say that again! At 11:30pm, I get a second wind and
can't fall asleep (especially after a bad (network) day).  At the
firehouse, we call this GENIOUS hour. Later it gets, smarter we become.

Also, you see, I've learned EVERYTHING from fudging through, trial and
error, screwing up network services and blaming defenseless people not
present to argue...... and I get it all done in the end without reading
any books, articles, lists or even HELP. Expert I tell you. I've gotten
so good - I want to teach other people how to do it just like me..... so
I'm writing the book now. :) (I kill myself)

Seriously, thank you very much for the excellent material below. My
standing ISA 2004 is in Workgroup - is it painful to change it to Domain
mode?

Also please forward a mailing address for the cigars.

Joseph F. Danielsen, MCSA-Messaging, MCP
Network Blade Inc.
49 Marcy Street
Somerset, NJ 08873
(732) 213-0600
www.NetworkBlade.Com


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, October 28, 2005 12:43 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Domain on Edge


Hi Joseph,

LOL! Man, you are a late night guy, aren't you? You're an hour ahead of
me, so it's after midnight. Must be all that crank, eh? :)  Thanks for
getting the book!

Funny you should ask such a question. I had planned such an article, but
other things came up and it never got done.

Can I trade the Beer of the Month Club for Cigar of the Month? My wife
won't let me bring beer into the house. Jim can even confirm that!

Here was an outline I drew on a cocktail party napkin after waiting
until 2AM for the girls to think that men looked better at that time.
Always makes me think girls look better at that time.

So here you go -- take it for what it's worth:

Increasing ISA Firewall Security by Joining the domain



Advantages of domain membership:

*        Transparent authentication for Web proxy and Firewall clients

*        Integrated authentication for Web proxy and Firewall clients

*        User name, application and machine name logging in the ISA
firewall's log files

*        Full support for user certificate authentication at the ISA
firewall

*        Pre-authenticate users at the ISA firewall and avoid dual
authentication prompts

*        Use the certificates MMC to obtain machine certificate and CA
certificate

*        Avoid the use of RADIUS authentication

*        Avoid the use of basic authentication

*        Avoid the use of SecureNAT client configuration

*        Support for all protocols, including those requiring secondary
connections

*        Support for all protocols, without requiring them to be defined
as an ISA firewall Protocol Definition

*        Improved management from using ISA firewall OUs

*        Greatly simplified management of ISA EE arrays

*        Enable ISA firewall Enterprise configurations

*        Deploy Enterprise Policies to multiple arrays

*        ISA EE multiple CSS locations



Disadvantages of non-domain membership:

*        Must mirror user accounts on the ISA firewall

*        Must use RADIUS

*        Encourages the use of basic authentication

*        May require IPSec for client/server communications

*        Limited support for user names in log files

*        Limited support for computer name in log file

*        Limited support for application name in log file

*        Unable to use the Certificates MMC to obtain cert

*        CA certificate not automatically added to the Trusted Root
machine store

*        Unable to authenticate with user certificate authentication

*        Unable to authenticate users at the ISA firewall without
generating dual authentication prompts

*        No support for ISA firewall Enterprise configurations

*        Unable to support Enterprise policies for multiple arrays

*        Limited to a single CSS - no CSS replication or fault tolerance



What are the imagined risks of domain membership?

*        No one has said

*        LSADump? Try it on a Windows Server 2003 ISA firewall and see
what happens

*        Rainbow tables? Require passphrases. But Rainbow tables do not
allow access to the Active Directory database from the ISA firewall.

*        Enable LDAP connections to the DCs? How would the intruder do
it? They would need to "own" the ISA firewall, install their tools, and
then control the tool from a remote location. What if the ISA firewall
weren't a domain member? They have control of the firewall, so they
sniff traffic, find the DCs, configure the firewall to allow LDAP
connections, and away you go.

*        Key concept is that if the firewall is "owned" to that extent,
the attacker can install whatever tools he likes. Network sniffers
gather password hashes, clear text passwords, machine names, NetBIOS
broadcasts, DNS queries, etc. Attacker can also install sniffer or IDS
software, and replay sessions. It doesn't matter if the machine is a
domain member or workgroup member - same tools work on both types of
deployment.

*        No proof of concept demonstrated at this time

*        Can't leverage permissions of logged on user, since the
firewall doesn't have logged on users.

*        Misconfigured firewalls of any type are the primary cause of
firewall related compromises. The more difficult it is to configure the
firewall, the more likely that there will be a misconfiguration.

*        Is the difference that an attacker will be able to compromise
domain accounts more quickly? What is the delta?



Conclusions:

*        Domain membership increases the firewall's overall security
posture

*        Workgroup membership reduces the firewall's overall security
posture

*        If you're superstitious or afraid of falling pieces from
passing airplanes, then put on a psychotronic reflector beanie and
deploy domain member firewalls only when there is obvious benefit

*        Examples of ISA firewalls that benefit from domain membership
are those that have interfaces directly on user networks

*        Examples of ISA firewalls that don't benefit from domain
membership are those that don't abut user networks, such as front-end
ISA firewalls in back to back configs, or those that won't authenticate
domain users at any time.

*        This is not meant to be definitive or the last word on the
subject. I'd be happy to publish any papers describing proof of concept
attacks that work only on domain member ISA firewalls but fail on
workgroup member ISA firewalls.




Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
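
One practical consequence of the "user name, application and machine name logging" point in the outline above is that the log files are where a domain-joined ISA firewall pays off for the defender. The script below is an added example, not code from the thread or from ISA Server: it parses a W3C extended-format proxy log (the format ISA 2004 can write, where a `#Fields:` directive names the columns) and measures how many requests can be attributed to a real account versus left as anonymous or empty. The field subset and the sample log lines are constructed for illustration and are not copied from a real ISA log.

```python
"""Measure user attribution in a W3C extended-format proxy log (added example)."""
from collections import Counter

# Constructed sample log: a W3C header plus four request lines. The field
# subset is an assumption chosen for the example, not ISA's full schema.
SAMPLE_LOG = """#Software: constructed sample, not a real ISA log
#Version: 1.0
#Fields: c-ip cs-username s-computername cs-uri sc-status
10.0.1.15 CORP\\alice ISA1 http://www.isaserver.org/ 200
10.0.1.15 CORP\\alice ISA1 http://www.isatools.org/ 200
10.0.1.22 anonymous ISA1 http://www.techgenix.com/ 200
10.0.1.31 - ISA1 http://www.webelists.com/ 407
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield dict(zip(fields, values))


def attribution_report(text):
    """Return (attributed_count, unattributed_count, unattributed_by_ip).

    W3C writes '-' for an empty field; an 'anonymous' user name is treated
    here as unauthenticated. Both leave only the client IP to go on, which is
    the situation the outline describes for a workgroup-mode firewall."""
    attributed = 0
    unattributed = Counter()
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        if user in ("-", "anonymous"):
            unattributed[rec["c-ip"]] += 1
        else:
            attributed += 1
    return attributed, sum(unattributed.values()), dict(unattributed)


if __name__ == "__main__":
    print(attribution_report(SAMPLE_LOG))
```

Run against a real export, the unattributed-by-IP map is the list of client addresses you would have to chase down by hand because the firewall never learned who was behind them.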




________________________________

From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
Sent: Thursday, October 27, 2005 11:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Domain on Edge




Is there any way you can provide me (via email or article) key
points of putting ISA in Domain mode vs. Workgroup mode?

(Tom - if an article doesn't exist for this topic, please
schedule your weekend around completing this for Monday. Thank you sir
J).



***There is a Beer of the Month Club membership with your name
on it ***



P.S. Coincidentally, I purchased your book this past Monday. Not
that this would sway your decision or anything.





Joseph F. Danielsen, MCSA-Messaging, MCP

Network Blade Inc.

49 Marcy Street

Somerset, NJ 08873

(732) 213-0600



------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion
List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx






