Solved

Do I need an additional Firewall in front of ISA / TMG

Posted on 2013-01-01
11
522 Views
Last Modified: 2013-01-08
Dear All,

We have ISA installed on our network to provide access to internet. We have no published servers, we though have remote users to VPN to our network through ISA. So, I would like to know if I need an additional Firewall to protect my network or the current setup is sufficient?
0
Comment
Question by:AbXd
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 38734440
For sure, adding another firewall on front of TMG will add a security layer to your network.

Please reed the following :

http://searchsecurity.techtarget.com/answer/Front-end-back-end-firewalls-vs-chassis-based-firewalls

http://technet.microsoft.com/en-us/library/bb123753(v=exchg.65).aspx
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 175 total points
ID: 38734459
Its like asking if you need more than one Lock on your front door.  One lock has it shut and deters the opportunistic burgler for sure. Put another, bigger, lock on and it keeps even more out.

A hardware firewall in addition to ISA/TMG is a very good idea yes.
0
 
LVL 12

Assisted Solution

by:DarinTCH
DarinTCH earned 25 total points
ID: 38734864
Software firewalls have some vulnerabilities
so do hardware FW

adding the 2 together decreases your exposure

even a low end firewall is a good idea
the hardware can handle much of the crap traffic faster and then less load on the software firewall

ALL THE SOLUTIONS I propose make use of hardware and software security

Security is best when it is layered
0
Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

 
LVL 39

Expert Comment

by:footech
ID: 38734990
I'll come in on the other side of this.  I don't disagree that an additional firewall will provide more security.  However, ISA is a very good firewall and in many cases I believe it is sufficient on it's own.  Only by evaluating your security requirements can you answer the question of whether you need another.
0
 

Author Comment

by:AbXd
ID: 38735549
Hi!

Thank you all for suggesting / supporting the idea of having an additional firewall, but is it necessary to have one, when you have users for internet and VPN only and no DMZ?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 38735833
Well that is entirely down to you. IF you want your network to be MORE secure then YES. If your happy to think that ISA is the be all and end all of internet security then no.

Personally I would never and have never recomended any client install ISA directly onto the internet link with no hardware firewall.

You need to define what YOU call "necessary "
0
 
LVL 39

Expert Comment

by:footech
ID: 38736115
@Neilsr - Sorry, a bit off topic, but...
Personally I would never and have never recomended any client install ISA directly onto the internet link with no hardware firewall.
Could you explain why that is?  Are there some particular failings of ISA that ward you off, or is it just because it resides on top of Windows?
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 175 total points
ID: 38737988
Its because no lock is pick proof so two locks are a far better, more secure, system.

Nothing to do with windows or ISA specifically no.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 175 total points
ID: 38738002
If an exploit is found in ISA you are vulnerable if thats your Only line of defence.
Likewise if you Only have a hardware firewall.

You have both, you now need two exploits at the same time to be compromised.
0
 

Accepted Solution

by:
AbXd earned 0 total points
ID: 38739490
Thanks Guys!

Got the point.

Regards
0
 

Author Closing Comment

by:AbXd
ID: 38754015
Got the message
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question