Do I need an additional Firewall in front of ISA / TMG

Abid Muhammad
Dear All,

We have ISA installed on our network to provide access to the internet. We have no published servers, though we have remote users who VPN to our network through ISA. So, I would like to know if I need an additional firewall to protect my network or whether the current setup is sufficient?
For sure, adding another firewall in front of TMG will add a security layer to your network.

Please read the following:

http://searchsecurity.techtarget.com/answer/Front-end-back-end-firewalls-vs-chassis-based-firewalls

http://technet.microsoft.com/en-us/library/bb123753(v=exchg.65).aspx
Neil Russell, Technical Development Lead
Commented:
It's like asking if you need more than one lock on your front door.  One lock has it shut and deters the opportunistic burglar for sure. Put another, bigger, lock on and it keeps even more out.

A hardware firewall in addition to ISA/TMG is a very good idea yes.
DarinTCH, Senior CyberSecurity Engineer
Commented:
Software firewalls have some vulnerabilities
so do hardware FW

adding the 2 together decreases your exposure

even a low end firewall is a good idea
the hardware can handle much of the crap traffic faster and then less load on the software firewall

ALL THE SOLUTIONS I propose make use of hardware and software security

Security is best when it is layered
Top Expert 2014

Commented:
I'll come in on the other side of this.  I don't disagree that an additional firewall will provide more security.  However, ISA is a very good firewall and in many cases I believe it is sufficient on its own.  Only by evaluating your security requirements can you answer the question of whether you need another.
Abid Muhammad, IT Manager

Author

Commented:
Hi!

Thank you all for suggesting / supporting the idea of having an additional firewall, but is it necessary to have one, when you have users for internet and VPN only and no DMZ?
Neil Russell, Technical Development Lead

Commented:
Well that is entirely down to you. IF you want your network to be MORE secure then YES. If you're happy to think that ISA is the be all and end all of internet security then no.

Personally I would never and have never recommended any client install ISA directly onto the internet link with no hardware firewall.

You need to define what YOU call "necessary"
Top Expert 2014

Commented:
@Neilsr - Sorry, a bit off topic, but...
"Personally I would never and have never recommended any client install ISA directly onto the internet link with no hardware firewall."
Could you explain why that is?  Are there some particular failings of ISA that ward you off, or is it just because it resides on top of Windows?
Neil Russell, Technical Development Lead
Commented:
It's because no lock is pick proof so two locks are a far better, more secure, system.

Nothing to do with windows or ISA specifically no.
Neil Russell, Technical Development Lead
Commented:
If an exploit is found in ISA you are vulnerable if that's your Only line of defence.
Likewise if you Only have a hardware firewall.

You have both, you now need two exploits at the same time to be compromised.
IT Manager
Commented:
Thanks Guys!

Got the point.

Regards
Abid Muhammad, IT Manager

Author

Commented:
Got the message