I mainly install and administer SBS networks for various organisations. In the past I have used an adsl modem to connect the external network card to the internet, rather than a router with a firewall. Since Server 2000 came along, I've always trusted ISA and had no problems.
A couple of weeks ago I started a thread to discuss a problem. During this discussion I mentioned the above philosophy and got severely criticised for taking unnecessary risks by allowing ISA to be the only firewall.
This week I have installed a new SBS system for a customer. Taking on board what I had been told, I used a Netgear DG834 router instead of the usual modem, and set up the necessary port forwarding to the web and mail servers which reside behind ISA.
As an experiment, from the server console, I visited grc.com. They have a port scanning utility called ShieldsUP. This correctly identified that I had ports 80 and 443 open. I then created a firewall rule in the router to forward ALL traffic to the ISA firewall. I ran ShieldsUP again. It now showed that ALL ports were operating in Stealth Mode.
I would have thought that the best philosophy would be to open just the required ports on the router. But with the router forwarding everything to ISA, I have SMTP, HTTP, HTTPS, IMAP and RDP functionality and the server appears invisible to the port scanner!
So why is this? I repeated the experiment on a server that was connected using just an ADSL modem and the open ports are correctly identified as being open.
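For readers following the experiment above, here is an added example (not code from the original poster or from GRC) showing the three outcomes a TCP connect scanner such as ShieldsUP distinguishes: "open" when the handshake completes, "closed" when the host answers the SYN with a RST, and "stealth" (nmap calls it "filtered") when nothing answers at all. It assumes only the loopback interface: the open and closed cases are real connects against 127.0.0.1, and the stealth case is a constructed stand-in that raises a timeout, since a dropped SYN cannot be produced on loopback without a firewall. Hostnames and port numbers below are chosen for the demo and are not the poster's.

```python
import socket
from typing import Callable, Dict, Iterable

# Port states in the vocabulary ShieldsUP uses. "Stealth" is what nmap
# reports as "filtered": the probe received no reply of any kind.
OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def classify(attempt: Callable[[], None]) -> str:
    """Run one connect attempt and map its outcome to a port state.

    - handshake completes      -> open    (something answered the SYN with SYN-ACK)
    - ConnectionRefusedError   -> closed  (the host sent a RST, so it is visible)
    - socket.timeout           -> stealth (the SYN was dropped; nothing answered)
    """
    try:
        attempt()
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return STEALTH
    return OPEN


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Full TCP connect() probe of one port (the unprivileged scan type)."""
    def attempt() -> None:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # handshake done; we only care that it completed
    return classify(attempt)


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {p: tcp_probe(host, p, timeout) for p in ports}


def all_stealth(results: Dict[int, str]) -> bool:
    """True when no probe got any reply: the host looks 'invisible' to the scanner."""
    return all(state == STEALTH for state in results.values())


def run_demo() -> Dict[str, str]:
    """Constructed loopback demonstration of the three states."""
    # A listening socket completes handshakes in the kernel backlog even
    # though we never call accept(), so a connect() to it succeeds.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Reserve a port and release it again so nothing listens there:
    # the kernel answers the SYN with a RST -> "closed".
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    def dropped() -> None:
        # Constructed stand-in for a firewall that silently discards the SYN.
        raise socket.timeout("simulated: firewall dropped the SYN")

    try:
        return {
            "listening": tcp_probe("127.0.0.1", open_port),
            "closed": tcp_probe("127.0.0.1", closed_port),
            "dropped": classify(dropped),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for case, state in run_demo().items():
        print(f"{case:>9}: {state}")
```

The point of the separation between "closed" and "stealth" is that a RST is itself an answer: it tells the scanner a host exists at that address. A device that forwards or drops every probe without ever sending a RST is what ShieldsUP reports as fully stealthed, which is why `all_stealth()` only looks for the absence of replies rather than for the absence of listening services.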