Wednesday, January 26, 2011

ISAserver.org - January 2011 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of January 2011
Sponsored by: Winfrasoft
<http://www.winfrasoft.com/appliance.htm>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. In a Perpetually Cloudy World, Do You Still Need a Firewall?
--------------------------------------------------------------

If you've been reading the tech news recently, you have probably noticed the increased coverage of cloud computing. While cloud computing has been mostly talk until now, it's predicted that 2011 will be The Year of the Cloud, when cloud computing begins to take over major chunks of our datacenters. And over time, these same predictors indicate that eventually almost all of your datacenter will be in the cloud and that you'll need to consider polishing up your resume and embarking on a new career, since what you used to do in your on-premises datacenter will be taken care of by some faceless minion in a faraway cloud datacenter.

Whether that vision of cloud computing ever comes to pass or not, it's clear that many companies are currently considering cloud computing options for at least some of the services they now maintain on premises. It's also clear that Microsoft is fully invested in cloud computing. The writing was on the wall when Essential Business Server (EBS) was cancelled right before it was to be released to manufacturing. And there's the possibility that you'll see other Microsoft server products disappear in the coming months, to be replaced with a cloud option. All of this is consistent with Steve Ballmer's assertion that, regarding the cloud, "we're all in"!

So with huge chunks of the datacenter going to the cloud and Microsoft servers disappearing from the on-premises datacenter, what is the future role of the firewall? Will you have any need for a firewall after your entire datacenter has moved to the cloud? Is there a place for the TMG firewall any longer?

Some might argue that if all you have on your network are client operating systems, there would be no need for a firewall, as you can manage those systems from the cloud and the host-based Windows Firewall with Advanced Security is enough to secure them. Pair the powerful host-based firewall on Windows 7 and future Windows 8 client operating systems with continuing advances in Microsoft anti-virus and anti-malware technology, and you have a situation where an edge firewall might be considered an expensive "bump on the wire" that really doesn't provide any significant level of network security.

On the other hand, you can make a good argument that a firewall will be required now, more than ever. Even though the servers and data are contained in some faraway cloud datacenter, there is still going to be data stored on those client operating systems. That means there is still a need to provide data leakage protection, and of course there is still a need to filter the web so that employees don't waste time or create a liability-inducing hostile work environment. And no matter how sophisticated the security becomes on the client operating systems, there are always going to be zero-day and other exploits that you can't protect against on the clients because of the lag time between the release of a security update and the time it takes for you to test the updates to ensure that they don't bring down your network.

It seems to me that even if the entire datacenter moves to the cloud, there is one server that can't ever be moved off premises: the firewall. For this reason I think the reports of TMG's demise have been greatly exaggerated. The TMG firewall provides essential protection for all your client operating systems and the data they contain. The TMG firewall provides key URL filtering and web anti-malware that you need, regardless of the location of your datacenter. TMG's Network Inspection System helps ensure that your client operating systems are protected against attacks during the lag time of security update release and testing.

What do you think? With almost everything moving to the cloud, is there a need for the TMG firewall? Do you think they should move the TMG firewall to the cloud too? Or will you always need an on-premises firewall to protect your client systems? Let me know your opinions! Send me a note at dshinder@isaserver.org and I'll share the results with our readers in the next newsletter.

See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "Happiness is nothing more than good health and a bad memory". - Albert Schweitzer
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Microsoft Forefront TMG - How to configure Forefront TMG as a DirectAccess Server
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-configure-Forefront-TMG-DirectAccess-Server.html>

* TMG Back to Basics - Part 3: Protocol Definitions <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part3.html>

* GFI WebMonitor Voted ISAserver.org Readers' Choice Award Winner - Content Security
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Content-Security-GFI-WebMonitor-Nov10.html>

* DNS Configuration Review for Microsoft Forefront Threat Management Gateway (TMG) 2010
<http://www.isaserver.org/tutorials/DNS-Configuration-Review-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010.html>

* TMG Back to Basics - Part 2: Using the TMG Firewall Log Viewer <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part2.html>

* Microsoft Forefront TMG - How to use SQL Server 2008 Express Reporting Services <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-to-use-SQL-Server-2008-Express-Reporting-Services.html>

* TMG Back to Basics - Part 1: Server Publishing Rules <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part1.html>

* Microsoft Forefront TMG - Explaining the Forefront TMG SDK <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Explaining-Forefront-TMG-SDK.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Something that is often problematic with the TMG firewall is Network Load Balancing (NLB). There are a number of reasons why you might have problems with NLB, ranging from issues with how your routers handle ARP table entries to problems with convergence. You can drive yourself crazy trying to figure out what the problem is if you don't have a systematic approach to solving NLB problems. But where can you find such an approach? Right here! Check out the Troubleshooting NLB article on TechNet to begin your trek to fixing your NLB problems. <http://technet.microsoft.com/en-us/library/ff849728.aspx>


5. Tip of the Month
--------------------------------------------------------------

Did you know that the TMG firewall now supports SafeSearch? That's right! After you install TMG Update 1, you have a new SafeSearch option. When SafeSearch is enabled, the TMG firewall will enforce strict filtering of adult content from search results delivered by supported search engines.

<http://www.isaserver.org/img/ISA-MWN-January-11-1.jpg>

For more information on the SafeSearch feature, check out the TMG firewall Team Blog over at <http://blogs.technet.com/b/isablog/archive/2010/09/21/new-in-forefront-tmg-update-1-safesearch-enforcement.aspx>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Speaking of new stuff - did you know that there is a lot of new functionality included in TMG Service Pack 1? Together with the usual bug fixes comes a bevy of new fun features and tools. You can find out what you get with TMG Service Pack 1 over at <http://technet.microsoft.com/en-us/library/ff686709.aspx>


7. Blog Posts
--------------------------------------------------------------

* Winfrasoft Gateway Appliance 9500-DE Gets Five Star Review <http://blogs.isaserver.org/shinder/2011/01/14/winfrasoft-gateway-appliance-9500-de-gets-five-star-review/>

* Hey Edge Man - How is that Multi-Site Test Lab Guide and Document Coming Along? <http://blogs.isaserver.org/shinder/2011/01/14/hey-edge-manhow-is-that-multi-site-test-lab-guide-and-document-coming-along/>

* UAG SP1 DirectAccess Contest 1–Round 2/Quiz 2 and Contest 2 Round 1/Quiz 2 <http://blogs.isaserver.org/shinder/2011/01/14/uag-sp1-directaccess-contest-1round-2quiz-2-and-contest-2-round-1quiz-2/>

* Random authentication prompts while accessing internet through ISA Server followed by ISA Server becoming unresponsive <http://blogs.isaserver.org/shinder/2011/01/14/random-authentication-prompts-while-accessing-internet-through-isa-server-followed-by-isa-server-becoming-unresponsive/>

* Tom Shinder Wins Society of Technical Communications (STC) Award <http://blogs.isaserver.org/shinder/2011/01/10/tom-shinder-wins-society-of-technical-communications-stc-award/>

* Details on TMG and ISA Firewall Rollups <http://blogs.isaserver.org/shinder/2011/01/10/details-on-tmg-and-isa-firewall-rollups/>

* New rollups released for TMG 2010 and ISA 2006 <http://blogs.isaserver.org/shinder/2011/01/10/new-rollups-released-for-tmg-2010-and-isa-2006/>

* Why Upgrading from the ISA to the TMG Firewall is a Good Thing <http://blogs.isaserver.org/shinder/2011/01/04/why-upgrading-from-the-isa-to-the-tmg-firewall-is-a-good-thing/>

* Searching the Firewall Rule Base on TMG Firewalls <http://blogs.isaserver.org/shinder/2010/12/31/searching-the-firewall-rule-base-on-tmg-firewalls/>

* UAG Service Pack 1 Upgrade and Integrated Packs <http://blogs.isaserver.org/shinder/2010/12/22/uag-service-pack-1-upgrade-and-integrated-packs/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

Hi Deb,
Let me introduce myself. My name is Alejandro (Alexander, if you prefer) and I work as an IT assistant.

In these days I've been given a task to search for a new application for the company because we want to change the proxy server that we are using right now. We are interested in applying an ISA Server for this new instance but I have some doubts about it.

Right now we are using a Windows Server 2003 with Winproxy as the proxy server and firewall, and we feel that it's not completely secure and that it's not at its full potential. We want to implement ISA Server 2006 for better security, but neither my boss nor I have had any contact with any ISA Server.

I would like to know if the ISA Server is what we really need or if it is too much for us. Can we use some characteristics of the ISA Server and activate others if needed?

Any additional information you would like to know, or anything else, I'll be glad to help you.

Thanks! - Alejandro

* ANSWER

Hi Alejandro -

Good question. First, you should know that ISA 2006 is not the most current version of the Microsoft firewall, which had a name change. I recommend that you take a look at the Threat Management Gateway 2010 (TMG) firewall, which is the current version of what used to be the ISA firewall.

TMG would be an ideal solution for you. Designed from the ground up to be a network firewall, the TMG firewall is also a web proxy server, remote access VPN server, site to site VPN gateway, and Winsock proxy server. You can also use it to publish web sites and other servers, and it supports very robust user/group based access controls and reporting.

If you only need a web proxy server, you can configure the TMG firewall with a single NIC and use it for only forward and reverse proxy. But you might find that the other security features (for example, the Network Inspection System) are something that you want to take advantage of and therefore utilize all the web proxy and firewall features included with the TMG firewall.


Do you have any questions or ideas for content? Email me at dshinder@isaserver.org.

TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2011. All rights reserved.