Wednesday, March 30, 2011

ISAserver.org - March 2011 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of March 2011
Sponsored by: Winfrasoft
<http://www.winfrasoft.com/appliance>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. The Tragic End of the Hardware Firewall Myth
--------------------------------------------------------------

Several years ago, Tom wrote a blog post (and maybe a newsletter article) about what he called the "hardware firewall scam". In those posts, he made the point that all hardware runs software, and that the distinction between a hardware and software firewall was indeed an artificial one - one that was created by "hardware firewall" vendors to give the impression that their equipment was inherently better and more secure because it ran on "hardware".

At the time a lot of people "poo-poo'd" Tom's assertion. They went on to say that hardware and firmware were inherently more secure and that everyone knew that and that Tom had gone off the deep end or swallowed some kind of Microsoft Kool Aid that prevented him from understanding that "software" could never be as secure as "hardware", in spite of the fact that the statistics on security issues related to ISA and the subsequent TMG firewall were far superior to those found with common so-called "hardware" firewalls.

Now let's fast forward to the year 2011. Virtual datacenters based on VMware vSphere or Microsoft Hyper-V are taking over, as organizations realize the cost savings and administrative benefits. In today's enterprise networks, when an old piece of hardware needs to be decommissioned, the workload hosted by that server will almost invariably be assigned to a virtual machine. What's important within the context of this discussion is that this is happening for firewall workloads too.

That's right - the old "hardware" firewalls are being decommissioned and their workloads moved to virtual machines within the virtual datacenter. VMware already has integrated firewall-like functionality that you can use to create network security and segmentation within the vSphere cloud environment, and you can certainly do similar things using the TMG firewall within your virtual datacenter, regardless of whether you're using vSphere or Hyper-V. The private cloud not only supports your applications and application security, it's now the nexus of your networking and network security, and that includes network firewalls.

What's particularly remarkable is how easily the changeover is taking place. In the past, you got the impression that "hardware firewalls" were handed down from on high by the Gods of Networking, and that because they were hardware, their security reputation and behavior was inviolate. But now that we're moving our firewall and network security infrastructure to a virtual datacenter and a private cloud, all of a sudden the magic and the mystery and the might of hardware has melted away - because the myth of hardware firewall security couldn't stand up to the advantages of virtualizing the network firewall role, with higher availability, increased security, better performance, and dynamic network security resource allocation that you can get when instantiating your firewall infrastructure in a virtual datacenter or private cloud.

A major side effect of this realization that the "hardware" firewall can be virtualized is that deploying so-called "software" firewalls like the ISA or TMG firewall can no longer be argued to be less secure than "hardware" firewalls. Since the virtualized firewalls are by definition "software only" and are considered as secure as or more secure than their "hardware" counterparts, perhaps the ISA and TMG "software" firewall will now be recognized as being as secure as or more secure than their "hardware" firewall counterparts.

Over time, I expect all the TMG firewall implementations to be virtualized. Performance is excellent, and if you pay attention to basic security considerations for deploying virtual firewalls, you lose nothing in the area of network security and can end up with a more secure configuration.

Let's fast forward again, to the year 2014. I can imagine that the TMG firewall will no longer need to be installed in a Hyper-V environment. Instead, in my vision all of the TMG firewall functionality will be baked into the Hyper-V networking configuration – so that you can apply the strong network and application layer security controls as you currently do in the TMG firewall, but as part of the network configuration right there in the Hyper-V console. VMware currently has something similar to this, and there's no reason that Microsoft can't leverage the power of the ISA/TMG line of products and bake them into a powerful and secure private cloud option for Hyper-V.

What do you think? Has virtualization of network firewalls proven that the emperor of "hardware" firewalls indeed had no clothes? Or do you think that virtualization of network firewalls has no influence over the relative security of hardware versus software firewalls, and that the Gods of Hardware Firewalls are alive and well and continue to imbue "hardware" with some immutable level of security that mere mortals (and software firewalls) will never understand? Send me your thoughts at dshinder@isaserver.org.

And if you want to learn about how TMG can protect your Exchange servers and you can make it out to Tempe, AZ on March 30th, be sure to attend the Phoenix Unified Communications User Group meeting, where Richard Hicks will be presenting on that very topic. Find out more, including how to register, here:
<http://tmgblog.richardhicks.com/2011/03/14/phoenix-unified-communications-user-group/>

See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "I have noticed even people who claim everything is predestined, and that we can do nothing to change it, look before they cross the road." - Stephen Hawking
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you, ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Optimizing Performance on the Forefront Threat Management Gateway (Part 2) <http://www.isaserver.org/tutorials/Optimizing-Performance-Forefront-Threat-Management-Gateway-Part2.html>

* Customizing error messages and forms based authentication in Forefront TMG <http://www.isaserver.org/tutorials/Customizing-error-messages-forms-based-authentication-Forefront-TMG.html>

* TMG Back to Basics - Part 6: Reports
<http://www.isaserver.org/tutorials/TMG-Back-Basics-Part6.html>

* Celestix MSA Threat Management Gateway Series Voted ISAserver.org Readers' Choice Award Winner - Hardware Appliances
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Hardware-Appliances-Celestix-MSA-Threat-Management-Gateway-Series-Jan11.html>

* Optimizing Performance on the Forefront Threat Management Gateway (Part 1) <http://www.isaserver.org/tutorials/Optimizing-Performance-Forefront-Threat-Management-Gateway-Part1.html>

* TMG Back to Basics - Part 5: Network Objects (Cont.) <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part5.html>

* Forefront TMG - Scripting with VBScript and Powershell <http://www.isaserver.org/tutorials/Forefront-TMG-Scripting-with-VBScript-Powershell.html>

* TMG Back to Basics - Part 4: Network Objects <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part4.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

This is an oldie but goodie: Unsupported Configurations. The Unsupported Configurations document provides detailed information on what you can't do with the TMG firewall. While many of these configurations might seem possible, and if you tried, you might even be able to get them to work, for one reason or another the product team and customer support services will not be able to support you if you deploy the TMG firewall in one of these unsupported configurations. For this reason, I highly recommend that you review the Unsupported Configurations document before you deploy your TMG firewall. After all, you don't want to get stuck with something that seems to work but then have to undo everything because it's not supported.

Find the Unsupported Configurations document at <http://technet.microsoft.com/en-us/library/ee796231.aspx>


5. Tip of the Month
--------------------------------------------------------------

This month's tip of the month is to never use a USB Ethernet connection on the TMG firewall when the TMG firewall is configured on a Hyper-V server as a virtual machine.

Now that I have your attention, you might wonder why I would even think about this scenario. I actually ran into this on a real-world TMG firewall and found that the USB Ethernet connection can create some very odd behavior on the TMG firewall.

The symptoms I experienced were that download speeds were mildly affected, but upload speeds slowed to a crawl. Even though the connection at the time was rated at 5Mbps, the best we could do through the TMG firewall was in the range of 256Kbps. Ouch!

The virtual TMG firewall had three interfaces: an external interface, which was bound to the physical external NIC on the Hyper-V server, an internal interface, which was bound to the internal interface on the Hyper-V server, and a DMZ interface, which was bound to the USB Ethernet NIC. What happened was that occasionally, the USB Ethernet NIC would not initialize after restarting the Hyper-V server. When the USB NIC didn't start, the upload speed through the TMG slowed to almost zero.

Why does this happen? I don't know. I figure that using USB NICs on a TMG firewall is rare enough that I wasn't going to harass CSS with this problem, and only in a makeshift environment would you install a USB NIC on a TMG firewall. Nevertheless, who knows? You might find yourself in the same predicament someday and if you do, you'll have my experience as proof that you're not crazy.


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Given the number of new TMG admins coming on board from the ISA 2004 and ISA 2006 spaces, I thought it might be helpful for you folks to get a "quick start" overview of what's new with the TMG firewall, compared to earlier versions. This article by Richard Hicks here on ISAserver.org will give you the info you need to know to begin getting familiar with TMG 2010 with Service Pack 1:
<http://www.isaserver.org/tutorials/Whats-New-Forefront-Threat-Management-Gateway-TMG-2010-Service-Pack1.html>


7. Blog Posts
--------------------------------------------------------------

* Another Cause for the DirectAccess Client 'No Usable Certificates' Error <http://blogs.isaserver.org/shinder/2011/03/18/another-cause-for-the-directaccess-client-no-usable-certificates-error/>

* TechNet Webcast: Talk TechNet with Keith Combs and Matt Hester - Episode 12: Dr. Tom Shinder on DirectAccess
<http://blogs.isaserver.org/shinder/2011/03/18/technet-webcast-talk-technet-with-keith-combs-and-matt-hester-episode-12-dr-tom-shinder-on-directaccess-2/>

* Tom Shinder Hits 50K Posts on the ISAserver.org Web Boards <http://blogs.isaserver.org/shinder/2011/03/18/tom-shinder-hits-50k-posts-on-the-isaserverorg-web-boards/>

* Tom Shinder Clears the Air on ISATAP <http://blogs.isaserver.org/shinder/2011/03/18/tom-shinder-clears-the-air-on-isatap/>

* Your TMG Firewall has a New PAL <http://blogs.isaserver.org/shinder/2011/03/18/your-tmg-firewall-has-a-new-pal/>

* Free TMG Firewall Seminar in Tempe Arizona <http://blogs.isaserver.org/shinder/2011/03/18/free-tmg-firewall-seminar-in-tempe-arizona/>

* Preparing Forefront TMG 2010 for Enterprise Workgroup Deployment <http://blogs.isaserver.org/shinder/2011/03/18/preparing-forefront-tmg-2010-for-enterprise-workgroup-deployment/>

* Win a Signed Copy of Forefront TMG 2010 Administrator's Companion <http://blogs.isaserver.org/shinder/2011/03/18/win-a-signed-copy-of-forefront-tmg-2010-administrators-companion/>

* CSS Forefront Edge Team is Hiring in the United States <http://blogs.isaserver.org/shinder/2011/02/21/css-forefront-edge-team-is-hiring-in-the-united-states/>

* TechNet Webcast: Talk TechNet with Keith Combs and Matt Hester - Episode 12: Dr. Tom Shinder on DirectAccess <http://blogs.isaserver.org/shinder/2011/02/21/technet-webcast-talk-technet-with-keith-combs-and-matt-hester-episode-12-dr-tom-shinder-on-directaccess/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

Hi Deb!

It seems you are the person with all the answers these days. :)

We are novice users, in a real bind and desperate for a solution. If you could help or direct us to someone for help with making our issues go away, we would be ready to spend whatever it takes to make it happen.

We have 2 domains with a two-way trust from the primary to a secondary domain. The primary domain uses the 192.168.254.0 subnet while the secondary domain uses a 192.168.252.0 subnet.

We now have a need to get traffic from the secondary domain routed to the primary domain to a Cisco PIX that is maintaining a site-to-site tunnel from our primary domain to an external site (with a target endpoint of 10.1.1.1).

The tunnel is working, but how do I configure the TMG on the secondary domain to route requests to the 10.1.1.1 target to the PIX on the primary domain?

Additionally, the secondary domain users are inbound from the internet, if that makes any difference.

Please advise asap.
Burt

* ANSWER

While it would help to know the details of your network infrastructure, it sounds as if you have a site-to-site VPN connecting two offices, with each office hosting an Active Directory forest, and you have a TMG firewall at each of the offices to provide Internet access.

There are many ways you can handle this, but if you don't have a routing expert on board, the easiest way is to remove routing considerations from the way your client systems connect to the ISA firewalls on each side of the connection. What you would do is configure the clients at Office A to be web proxy and firewall clients of the Office A TMG firewall. Then you would configure the client systems at Office B to be web proxy and firewall clients of the TMG firewall at Office B.

Since the web proxy and firewall client configurations only depend on the clients being able to reach the internal IP address of the TMG firewall, you don't have to worry about configuring the clients to use the TMG firewall as your "gateway of last resort". Instead, you can configure the clients to use the PIX as their gateway of last resort, or better, remove the default gateway setting on the client systems and enter routing table entries on the hosts so that they will know the route to the remote office.

Finally, remember to add all of your internal domains to the exceptions list for the Firewall client and the web proxy client. You do this in the Properties dialog box for the TMG Network from which those clients are connecting. When clients try to connect to domains included in the exception list (sometimes called the "Direct Access list" - which is not related to DirectAccess), they will bypass their web proxy and firewall client configurations and use their routing table information (including the default gateway) to reach the destination resource.


Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.

TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
See <http://www.techgenix.com/advert/index.htm> for sponsorship
information or contact us at advertising@isaserver.org
Copyright (c) ISAserver.org 2011. All rights reserved.
