  • Status: Solved
  • Priority: Medium
  • Security: Public

Do I need an additional Firewall in front of ISA / TMG

Dear All,

We have ISA installed on our network to provide access to the internet. We have no published servers, though we do have remote users who VPN to our network through ISA. So, I would like to know if I need an additional firewall to protect my network, or is the current setup sufficient?
0
Asked:
Abid Muhammad
5 Solutions
 
Suliman Abu Kharroub, IT Consultant, Commented:
For sure, adding another firewall in front of TMG will add a security layer to your network.

Please read the following:

http://searchsecurity.techtarget.com/answer/Front-end-back-end-firewalls-vs-chassis-based-firewalls

http://technet.microsoft.com/en-us/library/bb123753(v=exchg.65).aspx
0
 
Neil Russell, Technical Development Lead, Commented:
It's like asking if you need more than one lock on your front door. One lock has it shut and deters the opportunistic burglar for sure. Put another, bigger, lock on and it keeps even more out.

A hardware firewall in addition to ISA/TMG is a very good idea, yes.
0
 
DarinTCH, Senior CyberSecurity Engineer, Commented:
Software firewalls have some vulnerabilities
so do hardware FW

adding the 2 together decreases your exposure

even a low end firewall is a good idea
the hardware can handle much of the crap traffic faster and then less load on the software firewall

ALL THE SOLUTIONS I propose make use of hardware and software security

Security is best when it is layered
0
 
footech Commented:
I'll come in on the other side of this. I don't disagree that an additional firewall will provide more security. However, ISA is a very good firewall and in many cases I believe it is sufficient on its own. Only by evaluating your security requirements can you answer the question of whether you need another.
0
 
Abid Muhammad, IT Manager, Author Commented:
Hi!

Thank you all for suggesting / supporting the idea of having an additional firewall, but is it necessary to have one, when you have users for internet and VPN only and no DMZ?
0
 
Neil Russell, Technical Development Lead, Commented:
Well, that is entirely down to you. IF you want your network to be MORE secure then YES. If you're happy to think that ISA is the be all and end all of internet security then no.

Personally I would never and have never recommended any client install ISA directly onto the internet link with no hardware firewall.

You need to define what YOU call "necessary".
0
 
footech Commented:
@Neilsr - Sorry, a bit off topic, but...
"Personally I would never and have never recommended any client install ISA directly onto the internet link with no hardware firewall."
Could you explain why that is? Are there some particular failings of ISA that ward you off, or is it just because it resides on top of Windows?
0
 
Neil Russell, Technical Development Lead, Commented:
It's because no lock is pick proof, so two locks are a far better, more secure, system.

Nothing to do with Windows or ISA specifically, no.
0
 
Neil Russell, Technical Development Lead, Commented:
If an exploit is found in ISA you are vulnerable if that's your Only line of defence.
Likewise if you Only have a hardware firewall.

If you have both, you now need two exploits at the same time to be compromised.
0
 
Abid Muhammad, IT Manager, Author Commented:
Thanks Guys!

Got the point.

Regards
0
 
Abid Muhammad, IT Manager, Author Commented:
Got the message
0
