[isapros] Re: TMG - Separate Forest?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 12 May 2008 19:09:09 -0500

:)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Monday, May 12, 2008 2:43 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
> 
> See, that's why you make the big bucks ;)  You get right to the heart
> of it...
> 
> "Practical" is obviously a sliding scale.  Server Win2k8 actually
> brings tangible value-add to the table here in regard to securing the
> forest.
> If the deployment model supports multiple forests, then by all means
> take advantage of that.  And of course I would never put the DC on the
> ISA/TMG box as you well know ;)
> 
> But here's the deal-- you and I have both been waging war on the
> nay-sayers when it comes to representing ISA as a true enterprise
> product.  With all respect, I can't help but feel when you use "DC on
> ISA" or "DC in VM" as an argument for not deploying defense-in-depth
> configurations, that you just keep ISA in the diminutive.  There are
> *many* deployment models that we have to consider here; many of which
> can gain a leg up in the event of a compromise.  You log on to your TMG
> box as admin.  Those credentials can be retrieved, obviously.  Would you
> have the rest of your network immediately rooted?  What if you were an
> ISP supporting multiple clients with write access to dir structures?
> What if you were a company with subsidiaries? What if you had to "trust"
> users that you had no control over?
> 
> "Least privilege" rules. Arguing against it is like arguing for McCain
> (LOL - OK, private joke, and wholly inappropriate, but I LOL anyway ;)
> 
> -----------
> 
> Gave in and bought a Barackberry
> t
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Monday, May 12, 2008 12:06 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > It's not really a hornet's nest per se. Instead, it's a deployment
> > issue problem and additional complexity that really adds no practical
> > security advantages, or at least none that I've heard of or considered
> > viable.
> >
> > Would you recommend making the ISA Firewall the DC in this trust
> > relationship? Or will you have a dedicated DC for the trusting domain?
> > Where will you put that DC if not on the ISA Firewall? On the same
> > network as the user accounts? In a DMZ network in a multi-homed ISA
> > Firewall? In a VM co-located on the ISA Firewall? In a VM in a DMZ or
> > on the default Internal Network, or somewhere else not mentioned here
> > :)
> >
> > GMT
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: Monday, May 12, 2008 1:12 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Well, not to stir up the hornet's nest, but it actually *is* a good
> > > idea if you don't have need for cross-forest cert auth or such.  I'm
> > > not really worried about "official docs" posturing on this one, as
> > > anyone who not only *can* go out of their way to set up an isolated
> > > forest with a one-way trust, but who actually DOES it is way ahead of
> > > the curve anyway.  It's not like they are recommending a "workgroup" ;)
> > >
> > > t
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Monday, May 12, 2008 9:58 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > Those who want a reason will find one.
> > > > Nothing we can do will change this fact of life.
> > > > How many times have you banged your head on the "hardware firewall"
> > > > stack of bricks?
> > > >
> > > > I agree that this could have been better phrased, and the docs
> > > > aren't fully baked yet, so there's still time to fix them.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > Sent: Monday, May 12, 2008 9:55 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > Companies that hire consultants are a totally different breed. I
> > > > was speaking more toward those that have internal staff that is
> > > > just looking for a reason to keep the TMG out.
> > > >
> > > > thanks,
> > > >
> > > > Amy Babinchak
> > > >
> > > >
> > > > Harbor Computer Services |(248) 850-8616
> > > >
> > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > Client Blog http://smalltechnotes.blogspot.com
> > > > Website http://www.harborcomputerservices.net
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thomas W Shinder
> > > > Sent: Monday, May 12, 2008 12:48 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > True, but that's why you need to choose good customers. They hired
> > > > you to shore up issues with documentation and provide clarification.
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > Sent: Monday, May 12, 2008 11:45 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > >
> > > > > Yes, but the words are there and that's really all it takes for
> > > > > the uninformed masses. They have something to point to. Again.
> > > > >
> > > > > thanks,
> > > > >
> > > > > Amy Babinchak
> > > > >
> > > > >
> > > > > Harbor Computer Services |(248) 850-8616
> > > > >
> > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > Website http://www.harborcomputerservices.net
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > Sent: Monday, May 12, 2008 12:02 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > >
> > > > > The documentation offers suggestions, and points out limitations.
> > > > > So, those suggestions aren't considered by thoughtful security
> > > > > admins as commandments. If Active Directory security best practices
> > > > > are used, the chance of compromise is minute, and as I've
> > > > > demonstrated numerous times, compromise of the ISA firewall will be
> > > > > the least of your problems :)
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > > Sent: Monday, May 12, 2008 10:12 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > > >
> > > > > > As long as the official documentation says otherwise, you're
> > > > > > tilting at windmills. If we know better and MSIT knows better,
> > > > > > then why doesn't the documentation get fixed? DOD won't buy if it
> > > > > > says otherwise?
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > Amy Babinchak
> > > > > >
> > > > > >
> > > > > > Harbor Computer Services |(248) 850-8616
> > > > > >
> > > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > > Website http://www.harborcomputerservices.net
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > Sent: Monday, May 12, 2008 10:30 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > > >
> > > > > > Exactly. The guidance as is applies to people who wear hard hats
> > > > > > when they go outside out of fear that a falling piece from a
> > > > > > passing airplane will hit them on their heads. :)
> > > > > >
> > > > > > MSIT does it right, and I follow MSIT's model in my deployments.
> > > > > > Why lose Kerberos Constrained Delegation and other security
> > > > > > features out of fear of Comet strikes in the Gulf of Mexico? :))
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > Sent: Monday, May 12, 2008 8:21 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > > > >
> > > > > > > Actually, that "old-school approach" does limit the threat of
> > > > > > > exposure for your internal forest.  It's not about "if ISA gets
> > > > > > > compromised" as much as "if an account is compromised".
> > > > > > > If you have the skill and means to build that and can tolerate
> > > > > > > the limits it imposes (no KCD from the edge), then this is a
> > > > > > > good recommendation.
> > > > > > > What isn't stated is that this can be one part of a layered ISA
> > > > > > > deployment.
> > > > > > > FWIW, MSIT deploys ISA / TMG at the edge in the same forest as
> > > > > > > the user accounts.
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > > Sent: Monday, May 12, 2008 1:13 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] TMG - Separate Forest?
> > > > > > >
> > > > > > > Just noticed this in the current TMG documentation...
> > > > > > > disappointed this old school approach is still recommended :-(
> > > > > > >
> > > > > > > "At the edge, you can install Forefront TMG as a domain member
> > > > > > > or in workgroup mode. As a domain member, we recommend that you
> > > > > > > install Forefront TMG in a separate forest (rather than in the
> > > > > > > internal forest of your corporate network), with a one-way trust
> > > > > > > to the corporate forest. This may help the internal forest from
> > > > > > > being compromised, even if an attack is mounted on the forest of
> > > > > > > the Forefront TMG computer. There are some limitations with this
> > > > > > > deployment. For example, you can configure client certificate
> > > > > > > authentication only for users defined in the Forefront TMG
> > > > > > > domain, and not for users in the corporate internal domain or
> > > > > > > forest."
> > > > > > >
> > > > > > > You guys spent much time looking at TMG yet?
> > > > > > >
> > > > > > > JJ
> > > > > > >