RE: isa 2004 authnticated

  • From: "David Farinic" <davidf@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 21 Dec 2004 12:46:25 +0100

Well, the ISA 2004 firewall service now runs under the limited "nt
authority\NetworkService" account, as opposed to Local System in ISA 2000.

So there are/have been concerns ...

Sometimes security planning is about imagining the unimaginable... visualizing
things for which you don't yet have a proof of concept, as hacking is about
laying things out in ways they were never thought of.



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 12:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: isa 2004 authnticated

http://www.ISAserver.org

Hi Yossi,

I hear this type of reasoning from security "wonks" all the time. 

"For security reasons" means nothing. That's why I ask for specific,
exact, reproducible and replicable reasons for not making the ISA
firewall a member of the domain. 

If someone breaks into the firewall to the extent where they can
leverage the ISA firewall's domain membership to launch an attack, then
what advantage will they have if the firewall is not a member of the
domain? If your firewall is "owned" to that extent, then whether the
machine is a domain member is immaterial. That's how I see it.

However, if there are specific, reproducible reasons, that I can
demonstrate in my own lab (and the scenarios can't be based on gross
misconfiguration, which again, is a security issue regardless of whether the ISA
firewall is a member of the domain), then I'll change my position on
this.

To this point in time, and I've button-holed a lot of security wankers
on this, no one has been able to demonstrate why the ISA firewall as a
domain member is a security issue, other than saying "it's a security
issue". I was one of those wanks myself at one time, but someone asked
me to demonstrate the security issue. I couldn't demonstrate it, which
made me rethink the issue and realize the security benefits of making
the ISA firewall a member of the domain far outweigh the theoretical
and perhaps fantastical reasons for not making the ISA firewall a domain
member.

HTH, 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls