[isapros] Re: TMG - Separate Forest?

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "'isapros@xxxxxxxxxxxxx'" <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 17 May 2008 11:47:47 -0700

Wow; this *finally* showed up in my mailbox...
This list worked so much better before we moved to freelists...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Monday, May 12, 2008 12:43 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: TMG - Separate Forest?

See, that's why you make the big bucks ;)  You get right to the heart of
it...

"Practical" is obviously a sliding scale.  Server Win2k8 actually brings
tangible value-add to the table here in regard to securing the forest.
If the deployment model supports multiple forests, then by all means
take advantage of that.  And of course I would never put the DC on the
ISA/TMG box as you well know ;)

But here's the deal-- you and I have both been waging war on the
nay-sayers when it comes to representing ISA as a true enterprise
product.  With all respect, I can't help but feel when you use "DC on
ISA" or "DC in VM" as an argument for not deploying defense-in-depth
configurations, that you just keep ISA in the diminutive.  There are
*many* deployment models that we have to consider here; many of which
can gain a leg up in the event of a compromise.  You log on to your TMG
box as admin.  Those credentials can be retrieved, obviously.  Would you
have the rest of your network immediately rooted?  What if you were an
ISP supporting multiple clients with write access to dir structures?
What if you were a company with subsidiaries? What if you had to "trust"
users that you had no control over?

"Least privilege" rules. Arguing against it is like arguing for McCain
(LOL - OK, private joke, and wholly inappropriate, but I LOL anyway ;)

-----------

Gave in and bought a Barackberry
t


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Monday, May 12, 2008 12:06 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: TMG - Separate Forest?
>
> It's not really a hornet's nest per se. Instead, it's a deployment issue
> problem and additional complexity that really adds no practical security
> advantages, or at least none that I've heard of or considered viable.
>
> Would you recommend making the ISA Firewall the DC in this trust
> relationship? Or will you have a dedicated DC for the trusting domain?
> Where will you put that DC if not on the ISA Firewall? On the same
> network as the user accounts? In a DMZ network in a multi-homed ISA
> Firewall? In a VM co-located on the ISA Firewall? In a VM in a DMZ or on
> the default Internal Network, or somewhere else not mentioned here :)
>
> GMT
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Monday, May 12, 2008 1:12 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: TMG - Separate Forest?
> >
> > Well, not to stir up the hornet's nest, but it actually *is* a good idea
> > if you don't have need for cross-forest cert auth or such.  I'm not
> > really worried about "official docs" posturing on this one, as anyone
> > who not only *can* go out of their way to set up an isolated forest with
> > a one-way trust, but who actually DOES it is way ahead of the curve
> > anyway.  It's not like they are recommending a "workgroup" ;)
> >
> > t
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Monday, May 12, 2008 9:58 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Those who want a reason will find one.
> > > Nothing we can do will change this fact of life.
> > > How many times have you banged your head on the "hardware firewall"
> > > stack of bricks?
> > >
> > > I agree that this could have been better phrased, and the docs aren't
> > > fully baked yet, so there's still time to fix them.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > Sent: Monday, May 12, 2008 9:55 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > Companies that hire consultants are a totally different breed. I was
> > > speaking more toward those that have internal staff that is just looking
> > > for a reason to keep the TMG out.
> > >
> > > thanks,
> > >
> > > Amy Babinchak
> > >
> > >
> > > Harbor Computer Services |(248) 850-8616
> > >
> > > Tech Blog http://securesmb.harborcomputerservices.net
> > > Client Blog http://smalltechnotes.blogspot.com
> > > Website http://www.harborcomputerservices.net
> > >
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Monday, May 12, 2008 12:48 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: TMG - Separate Forest?
> > >
> > > True, but that's why you need to choose good customers. They hired you
> > > to shore up issues with documentation and provide clarification.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > Sent: Monday, May 12, 2008 11:45 AM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > Yes, but the words are there and that's really all it takes for the
> > > > uninformed masses. They have something to point to. Again.
> > > >
> > > > thanks,
> > > >
> > > > Amy Babinchak
> > > >
> > > >
> > > > Harbor Computer Services |(248) 850-8616
> > > >
> > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > Client Blog http://smalltechnotes.blogspot.com
> > > > Website http://www.harborcomputerservices.net
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > Sent: Monday, May 12, 2008 12:02 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > >
> > > > The documentation offers suggestions, and points out limitations. So,
> > > > those suggestions aren't considered by thoughtful security admins as
> > > > commandments. If Active Directory security best practices are used, the
> > > > chance of compromise is minute, and as I've demonstrated numerous times,
> > > > compromise of the ISA firewall will be the least of your problems :)
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > Sent: Monday, May 12, 2008 10:12 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > >
> > > > > As long as the official documentation says otherwise, you're tilting at
> > > > > windmills. If we know better and MSIT knows better, then why doesn't the
> > > > > documentation get fixed? DOD won't buy if it says otherwise?
> > > > >
> > > > > thanks,
> > > > >
> > > > > Amy Babinchak
> > > > >
> > > > >
> > > > > Harbor Computer Services |(248) 850-8616
> > > > >
> > > > > Tech Blog http://securesmb.harborcomputerservices.net
> > > > > Client Blog http://smalltechnotes.blogspot.com
> > > > > Website http://www.harborcomputerservices.net
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > Sent: Monday, May 12, 2008 10:30 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > >
> > > > > Exactly. The guidance as is applies to people who wear hard hats when
> > > > > they go outside out of fear that a falling piece from a passing airplane
> > > > > will hit them on their heads. :)
> > > > >
> > > > > MSIT does it right, and I follow MSIT's model in my deployments. Why
> > > > > lose Kerberos Constrained Delegation and other security features out of
> > > > > fear of Comet strikes in the Gulf of Mexico? :))
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > Sent: Monday, May 12, 2008 8:21 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: TMG - Separate Forest?
> > > > > >
> > > > > > Actually, that "old-school approach" does limit the threat of exposure
> > > > > > for your internal forest.  It's not about "if ISA gets compromised" as
> > > > > > much as "if an account is compromised".
> > > > > > If you have the skill and means to build that and can tolerate the
> > > > > > limits it imposes (no KCD from the edge), then this is a good
> > > > > > recommendation.
> > > > > > What isn't stated is that this can be one part of a layered ISA
> > > > > > deployment.
> > > > > > FWIW, MSIT deploys ISA / TMG at the edge in the same forest as the
> > > > > > user accounts.
> > > > > >
> > > > > > Jim
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > > > > Sent: Monday, May 12, 2008 1:13 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] TMG - Separate Forest?
> > > > > >
> > > > > > Just noticed this in the current TMG documentation...disappointed this
> > > > > > old school approach is still recommended :-(
> > > > > >
> > > > > > "At the edge, you can install Forefront TMG as a domain member or in
> > > > > > workgroup mode. As a domain member, we recommend that you install
> > > > > > Forefront TMG in a separate forest (rather than in the internal forest
> > > > > > of your corporate network), with a one-way trust to the corporate
> > > > > > forest. This may help the internal forest from being compromised, even
> > > > > > if an attack is mounted on the forest of the Forefront TMG computer.
> > > > > > There are some limitations with this deployment. For example, you can
> > > > > > configure client certificate authentication only for users defined in
> > > > > > the Forefront TMG domain, and not for users in the corporate internal
> > > > > > domain or forest."
> > > > > >
> > > > > > You guys spent much time looking at TMG yet?
> > > > > >
> > > > > > JJ
> > > > > >
> > > > > >
> > > > > >
> > > > > >
>
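The thread argues over whether the separate-forest, one-way-trust layout the TMG documentation recommends is worth its cost. Whichever side you land on, the layout only limits an edge compromise if the trust really is one-way and points the way you think it does. The script below is an added example (not from this list or any of its posters, nor from the TMG documentation) that checks this from the edge forest. It assumes the RSAT ActiveDirectory module is available, that it runs on a member of the edge (TMG) forest, and that the intended direction is an outbound trust from the edge forest to the corporate forest (the edge forest trusts corporate accounts, corporate grants nothing to edge accounts); the forest name is a placeholder.

```powershell
# Added example, not code from the isapros thread or from the TMG docs.
# Checks, from the edge (TMG) forest, that the trust to the corporate forest is
# one-way, in the expected direction, and uses selective authentication, and
# that no other trusts have crept in. Assumes the RSAT ActiveDirectory module.
# Assumption on direction: seen from the edge forest, "Outbound" means the edge
# forest trusts the corporate forest, so corporate users can authenticate at
# TMG while edge-forest accounts are trusted nowhere in the corporate forest.
Import-Module ActiveDirectory

$CorporateForest = 'corp.example'   # placeholder: DNS name of the corporate forest

function Test-EdgeForestTrust {
    param(
        [Parameter(Mandatory)][string]$CorporateForest
    )
    $findings = @()
    $trusts    = @(Get-ADTrust -Filter *)
    $corpTrust = @($trusts | Where-Object { $_.Target -eq $CorporateForest })

    if ($corpTrust.Count -eq 0) {
        $findings += "No trust to $CorporateForest found from this forest."
        return $findings
    }

    foreach ($t in $corpTrust) {
        # One-way: anything other than Outbound means the corporate forest
        # also trusts edge accounts, which defeats the point of the split.
        if ($t.Direction -ne 'Outbound') {
            $findings += "Trust to $($t.Target) is $($t.Direction); expected Outbound (edge forest trusts corporate forest only)."
        }
        # A forest trust is what lets corporate users from any domain be used at TMG.
        if (-not $t.ForestTransitive) {
            $findings += "Trust to $($t.Target) is not a forest trust (ForestTransitive=False)."
        }
        # Selective authentication restricts corporate users to explicitly
        # permitted edge-forest resources instead of "Authenticated Users".
        if (-not $t.SelectiveAuthentication) {
            $findings += "Trust to $($t.Target) does not use selective authentication."
        }
    }

    # Every additional trust widens what an edge compromise can reach.
    foreach ($t in ($trusts | Where-Object { $_.Target -ne $CorporateForest })) {
        $findings += "Unexpected additional trust to $($t.Target) ($($t.Direction))."
    }
    return $findings
}

$result = @(Test-EdgeForestTrust -CorporateForest $CorporateForest)
if ($result.Count -eq 0) {
    Write-Output "OK: single one-way outbound trust to $CorporateForest with selective authentication."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it from the edge forest after the trust is created and again whenever the trust is modified; a BiDirectional result, or a second trust you did not plan, is exactly the "rest of your network immediately rooted" case Thor raises above. The selective-authentication check is a tightening beyond what the quoted documentation asks for; drop it if your design deliberately uses domain-wide authentication.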




