:)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> Of Thor (Hammer of God)
> Sent: Monday, May 12, 2008 2:43 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> See, that's why you make the big bucks ;) You get right to the heart of
> it...
>
> "Practical" is obviously a sliding scale. Server Win2k8 actually brings
> tangible value-add to the table here in regard to securing the forest.
> If the deployment model supports multiple forests, then by all means
> take advantage of that. And of course I would never put the DC on the
> ISA/TMG box as you well know ;)
>
> But here's the deal-- you and I have both been waging war on the
> nay-sayers when it comes to representing ISA as a true enterprise
> product. With all respect, I can't help but feel when you use "DC on
> ISA" or "DC in VM" as an argument for not deploying defense-in-depth
> configurations, that you just keep ISA in the diminutive. There are
> *many* deployment models that we have to consider here; many of which
> can gain a leg up in the event of a compromise. You log on to your TMG
> box as admin. Those credentials can be retrieved, obviously. Would you
> have the rest of your network immediately rooted? What if you were an
> ISP supporting multiple clients with write access to dir structures?
> What if you were a company with subsidiaries? What if you had to "trust"
> users that you had no control over?
>
> "Least privilege" rules. Arguing against it is like arguing for McCain
> (LOL - OK, private joke, and wholly inappropriate, but I LOL anyway ;)
>
> -----------
>
> Gave in and bought a Barackberry
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Monday, May 12, 2008 12:06 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > It's not really a hornet's nest per se. Instead, it's a deployment
> > issue problem and additional complexity that really adds no practical
> > security advantages, or at least none that I've heard of or considered
> > viable.
> >
> > Would you recommend making the ISA Firewall the DC in this trust
> > relationship? Or will you have a dedicated DC for the trusting domain?
> > Where will you put that DC if not on the ISA Firewall? On the same
> > network as the user accounts? In a DMZ network in a multi-homed ISA
> > Firewall? In a VM co-located on the ISA Firewall? In a VM in a DMZ or
> > on the default Internal Network, or somewhere else not mentioned here :)
> >
> > GMT
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > Of Thor (Hammer of God)
> > > Sent: Monday, May 12, 2008 1:12 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Well, not to stir up the hornet's nest, but it actually *is* a good
> > > idea if you don't have need for cross-forest cert auth or such. I'm not
> > > really worried about "official docs" posturing on this one, as anyone
> > > who not only *can* go out of their way to set up an isolated forest
> > > with a one-way trust, but who actually DOES it is way ahead of the
> > > curve anyway. It's not like they are recommending a "workgroup" ;)
> > >
> > > t
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Jim Harrison
> > > > Sent: Monday, May 12, 2008 9:58 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > Those who want a reason will find one.
> > > > Nothing we can do will change this fact of life.
> > > > How many times have you banged your head on the "hardware firewall"
> > > > stack of bricks?
> > > >
> > > > I agree that this could have been better phrased, and the docs aren't
> > > > fully baked yet, so there's still time to fix them.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Amy Babinchak
> > > > Sent: Monday, May 12, 2008 9:55 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > Companies that hire consultants are a totally different breed. I was
> > > > speaking more toward those that have internal staff that is just
> > > > looking for a reason to keep the TMG out.
> > > >
> > > > thanks,
> > > >
> > > > Amy Babinchak
> > > >
> > > > Harbor Computer Services |(248) 850-8616
> > > >
> > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > Client Blog http://smalltechnotes.blogspot.com
> > > > Website http://www.harborcomputerservices.net
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thomas W Shinder
> > > > Sent: Monday, May 12, 2008 12:48 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > True, but that's why you need to choose good customers. They hired you
> > > > to shore up issues with documentation and provide clarification.
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > Of Amy Babinchak
> > > > > Sent: Monday, May 12, 2008 11:45 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > >
> > > > > Yes, but the words are there and that's really all it takes for the
> > > > > uninformed masses. They have something to point to. Again.
> > > > >
> > > > > thanks,
> > > > >
> > > > > Amy Babinchak
> > > > >
> > > > > Harbor Computer Services |(248) 850-8616
> > > > >
> > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > Website http://www.harborcomputerservices.net
> > > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > On Behalf Of Thomas W Shinder
> > > > > Sent: Monday, May 12, 2008 12:02 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > >
> > > > > The documentation offers suggestions, and points out limitations. So,
> > > > > those suggestions aren't considered by thoughtful security admins as
> > > > > commandments. If Active Directory security best practices are used,
> > > > > the chance of compromise is minute, and as I've demonstrated numerous
> > > > > times, compromise of the ISA firewall will be the least of your
> > > > > problems :)
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > Of Amy Babinchak
> > > > > > Sent: Monday, May 12, 2008 10:12 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > > >
> > > > > > As long as the official documentation says otherwise, you're
> > > > > > tilting at windmills. If we know better and MSIT knows better, then
> > > > > > why doesn't the documentation get fixed? DOD won't buy if it says
> > > > > > otherwise?
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > Amy Babinchak
> > > > > >
> > > > > > Harbor Computer Services |(248) 850-8616
> > > > > >
> > > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > > Website http://www.harborcomputerservices.net
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Thomas W Shinder
> > > > > > Sent: Monday, May 12, 2008 10:30 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > > >
> > > > > > Exactly. The guidance as is applies to people who wear hard hats
> > > > > > when they go outside out of fear that a falling piece from a
> > > > > > passing airplane will hit them on their heads. :)
> > > > > >
> > > > > > MSIT does it right, and I follow MSIT's model in my deployments.
> > > > > > Why lose Kerberos Constrained Delegation and other security
> > > > > > features out of fear of Comet strikes in the Gulf of Mexico? :))
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > Of Jim Harrison
> > > > > > > Sent: Monday, May 12, 2008 8:21 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > > > >
> > > > > > > Actually, that "old-school approach" does limit the threat of
> > > > > > > exposure for your internal forest. It's not about "if ISA gets
> > > > > > > compromised" as much as "if an account is compromised".
> > > > > > > If you have the skill and means to build that and can tolerate
> > > > > > > the limits it imposes (no KCD from the edge), then this is a good
> > > > > > > recommendation.
> > > > > > > What isn't stated is that this can be one part of a layered ISA
> > > > > > > deployment.
> > > > > > > FWIW, MSIT deploys ISA / TMG at the edge in the same forest as
> > > > > > > the user accounts.
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf
> > > > > > > Of Jason Jones
> > > > > > > Sent: Monday, May 12, 2008 1:13 AM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] TMG - Separate Forest?
> > > > > > >
> > > > > > > Just noticed this in the current TMG documentation...disappointed
> > > > > > > this old school approach is still recommended :-(
> > > > > > >
> > > > > > > "At the edge, you can install Forefront TMG as a domain member or
> > > > > > > in workgroup mode. As a domain member, we recommend that you
> > > > > > > install Forefront TMG in a separate forest (rather than in the
> > > > > > > internal forest of your corporate network), with a one-way trust
> > > > > > > to the corporate forest. This may help the internal forest from
> > > > > > > being compromised, even if an attack is mounted on the forest of
> > > > > > > the Forefront TMG computer. There are some limitations with this
> > > > > > > deployment. For example, you can configure client certificate
> > > > > > > authentication only for users defined in the Forefront TMG
> > > > > > > domain, and not for users in the corporate internal domain or
> > > > > > > forest."
> > > > > > >
> > > > > > > You guys spent much time looking at TMG yet?
> > > > > > >
> > > > > > > JJ
> > > > > > >
> > > > > > > ________________________________
> > > > > > > This email and any files transmitted with it are confidential and
> > > > > > > intended solely for the use of the individual to whom it is
> > > > > > > addressed. If you have received this email in error, or if you
> > > > > > > believe this email is unsolicited and wish to be removed from any
> > > > > > > future mailings, please contact our Support Desk immediately on
> > > > > > > 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
> > > > > > >
> > > > > > > If this email contains a quotation then unless otherwise stated it
> > > > > > > is valid for 7 days and offered subject to Silversands Professional
> > > > > > > Services Terms and Conditions, a copy of which is available on
> > > > > > > request. Any pricing information, design information or
> > > > > > > information concerning specific Silversands' staff contained in
> > > > > > > this email is considered confidential or of commercial interest
> > > > > > > and exempt from the Freedom of Information Act 2000.
> > > > > > >
> > > > > > > Any view or opinions presented are solely those of the author and
> > > > > > > do not necessarily represent those of Silversands
> > > > > > >
> > > > > > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > > > > > Company Registration Number : 2141393.
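A defender-side check for the design the quoted TMG documentation describes (separate edge forest, one-way trust to the corporate forest) and for Jim's point that the exposure is "if an account is compromised", added here as an example; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory PowerShell module on a DC in the edge (TMG) forest and uses a placeholder name for the corporate forest.

```powershell
# Added example (not from the isapros thread). Run on a domain controller in
# the separate edge forest where Forefront TMG is a member. Assumes the
# ActiveDirectory module is available and that the corporate forest is named
# corp.example (placeholder).
Import-Module ActiveDirectory

function Test-EdgeTrustToCorporateForest {
    param([string]$CorporateForest = 'corp.example')

    $findings = @()
    $trust = Get-ADTrust -Filter * |
        Where-Object { $_.Target -eq $CorporateForest } |
        Select-Object -First 1

    if (-not $trust) {
        return @("No trust object for $CorporateForest exists in this forest.")
    }

    # Seen from the edge forest, "we trust the corporate forest" is an Outbound
    # trust. BiDirectional (or Inbound) means the corporate forest also trusts
    # the edge forest, so an account compromised at the edge could be used
    # against internal resources, which is exactly what the one-way design
    # is meant to prevent.
    if ("$($trust.Direction)" -ne 'Outbound') {
        $findings += "Trust direction is $($trust.Direction); expected Outbound only."
    }

    # Selective authentication limits which corporate users may authenticate
    # to computers in this (trusting) forest to those explicitly granted the
    # 'Allowed to Authenticate' right, i.e. a least-privilege default.
    if (-not $trust.SelectiveAuthentication) {
        $findings += "Selective authentication is off; every $CorporateForest user can authenticate here."
    }

    if ($findings.Count -eq 0) {
        $findings += "OK: one-way outbound trust to $CorporateForest with selective authentication."
    }
    return $findings
}

Test-EdgeTrustToCorporateForest | ForEach-Object { Write-Output $_ }
```

The direction check is the one that matters for the isolation argument in the thread; selective authentication is an additional least-privilege setting on the same trust, not something the quoted documentation requires.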