[isapros] Re: TMG - Separate Forest?

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 12 May 2008 23:27:59 +0100

Thanks for all the feedback on this, looks like I kinda hit on an emotive area ;-)

I don't totally disagree with the separate forest approach and I have actually 
used this topology for quite a few SharePoint extranets where the external 
forest provides a completely separate credential directory from the internal 
forest. In this topology I can see the value of a separate forest and ISA can 
be deployed in this forest to primarily protect SharePoint from the outside 
world...it also does a pretty good job of defining the least privilege boundary 
for the forest trust as how many other firewalls can secure RPC properly? ;)

However, for most ISA deployments I think the added complexity of the extra 
forest may actually lower the overall security, and customers only then want to 
"poke holes" in ISA to allow for all the promiscuous management tools like 
UniCenter that use thousands of ports (usually bi-directional!) just to monitor 
boxes in the external forest.

Amy hit upon my key reason for disappointment: if it's in the docs, customers 
assume that by not doing it, we/me (as consultants) are doing something wrong and 
not providing the "best practice" solution...this just means a lot more work to 
convince people we do know what we are doing (sometimes :-P)

JJ

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 12 May 2008 21:32
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: TMG - Separate Forest?

That's exactly the point.
How you go about deploying it is entirely "an exercise for the student".
I love the continuing "cert auth doesn't work" silliness, though.
It does work; it's auth delegation to the trusted forest that's broken, since 
cert auth can only delegate to KCD and KCD is Windows-limited to same-domain 
hosts.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Monday, May 12, 2008 12:06 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: TMG - Separate Forest?

It's not really a hornet's nest per se. Instead, it's a deployment issue
and additional complexity that really adds no practical security
advantages, or at least none that I've heard of or considered viable.

Would you recommend making the ISA Firewall the DC in this trust
relationship? Or will you have a dedicated DC for the trusting domain?
Where will you put that DC if not on the ISA Firewall? On the same
network as the user accounts? In a DMZ network in a multi-homed ISA
Firewall? In a VM co-located on the ISA Firewall? In a VM in a DMZ or on
the default Internal Network, or somewhere else not mentioned here :)

GMT

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> Of Thor (Hammer of God)
> Sent: Monday, May 12, 2008 1:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> Well, not to stir up the hornet's nest, but it actually *is* a good idea
> if you don't have need for cross-forest cert auth or such.  I'm not
> really worried about "official docs" posturing on this one, as anyone
> who not only *can* go out of their way to set up an isolated forest with
> a one-way trust, but who actually DOES it is way ahead of the curve
> anyway.  It's not like they are recommending a "workgroup" ;)
>
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Monday, May 12, 2008 9:58 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Those who want a reason will find one.
> > Nothing we can do will change this fact of life.
> > How many times have you banged your head on the "hardware firewall"
> > stack of bricks?
> >
> > I agree that this could have been better phrased, and the docs aren't
> > fully baked yet, so there's still time to fix them.
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Monday, May 12, 2008 9:55 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Companies that hire consultants are a totally different breed. I was
> > speaking more toward those that have internal staff that is just looking
> > for a reason to keep the TMG out.
> >
> > thanks,
> >
> > Amy Babinchak
> >
> >
> > Harbor Computer Services |(248) 850-8616
> >
> > Tech Blog http://securesmb.harborcomputerservices.net
> > Client Blog http://smalltechnotes.blogspot.com
> > Website http://www.harborcomputerservices.net
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Monday, May 12, 2008 12:48 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > True, but that's why you need to choose good customers. They hired you
> > to shore up issues with documentation and provide clarification.
> >
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > Of Amy Babinchak
> > > Sent: Monday, May 12, 2008 11:45 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Yes, but the words are there and that's really all it takes for the
> > > uninformed masses. They have something to point to. Again.
> > >
> > > thanks,
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thomas W Shinder
> > > Sent: Monday, May 12, 2008 12:02 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > The documentation offers suggestions, and points out limitations. So,
> > > those suggestions aren't considered by thoughtful security admins as
> > > commandments. If Active Directory security best practices are used, the
> > > chance of compromise is minute, and as I've demonstrated numerous times,
> > > compromise of the ISA firewall will be the least of your problems :)
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > Of Amy Babinchak
> > > > Sent: Monday, May 12, 2008 10:12 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > As long as the official documentation says otherwise, you're tilting at
> > > > windmills. If we know better and MSIT knows better, then why doesn't the
> > > > documentation get fixed? DOD won't buy if it says otherwise?
> > > >
> > > > thanks,
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thomas W Shinder
> > > > Sent: Monday, May 12, 2008 10:30 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > Exactly. The guidance as is applies to people who wear hard hats when
> > > > they go outside out of fear that a falling piece from a passing airplane
> > > > will hit them on their heads. :)
> > > >
> > > > MSIT does it right, and I follow MSIT's model in my deployments. Why
> > > > lose Kerberos Constrained Delegation and other security features out of
> > > > fear of Comet strikes in the Gulf of Mexico? :))
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > Of Jim Harrison
> > > > > Sent: Monday, May 12, 2008 8:21 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > >
> > > > > Actually, that "old-school approach" does limit the threat of exposure
> > > > > for your internal forest.  It's not about "if ISA gets compromised" as
> > > > > much as "if an account is compromised".
> > > > > If you have the skill and means to build that and can tolerate the
> > > > > limits it imposes (no KCD from the edge), then this is a good
> > > > > recommendation.
> > > > > What isn't stated is that this can be one part of a layered ISA
> > > > > deployment.
> > > > > FWIW, MSIT deploys ISA / TMG at the edge in the same forest as the
> > > > > user accounts.
> > > > >
> > > > > Jim
> > > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > Of Jason Jones
> > > > > Sent: Monday, May 12, 2008 1:13 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] TMG - Separate Forest?
> > > > >
> > > > > Just noticed this in the current TMG documentation...disappointed
> > > > > this old school approach is still recommended :-(
> > > > >
> > > > > "At the edge, you can install Forefront TMG as a domain member or in
> > > > > workgroup mode. As a domain member, we recommend that you install
> > > > > Forefront TMG in a separate forest (rather than in the internal forest
> > > > > of your corporate network), with a one-way trust to the corporate
> > > > > forest. This may help the internal forest from being compromised, even
> > > > > if an attack is mounted on the forest of the Forefront TMG computer.
> > > > > There are some limitations with this deployment. For example, you can
> > > > > configure client certificate authentication only for users defined in
> > > > > the Forefront TMG domain, and not for users in the corporate internal
> > > > > domain or forest."
> > > > >
> > > > > You guys spent much time looking at TMG yet?
> > > > >
> > > > > JJ
> > > > >
> > > > >
> > > > >
> > > > >
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual to whom it is addressed.  If you have 
received this email in error, or if you believe this email is unsolicited and 
wish to be removed from any future mailings, please contact our Support Desk 
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid for 
7 days and offered subject to Silversands Professional Services Terms and 
Conditions, a copy of which is available on request. Any pricing information, 
design information or information concerning specific Silversands' staff 
contained in this email is considered confidential or of commercial interest 
and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not 
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.