I received an email from someone yesterday who said that domain membership of the ISA Firewalls might have an adverse effect on Sarbanes-Oxley compliance. I thought this was interesting, because domain membership of the ISA Firewall confers a higher level of security than workgroup ISA Firewalls. However, having never actually read the entire Sarbanes-Oxley Act of 2002, I couldn’t say authoritatively that domain membership wasn’t an issue for ISA Firewalls and ISA Firewall arrays.
Today I decided to spend the morning reading the entire 66 page SOX Act of 2002. If you’d like to read it yourself, you can find it http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf
The result of my investigation is that there are no references to ISA Firewall domain membership, or to any specific IT or network security related configurations. The only references I found that were related to IT operations is that in several areas it is mentioned that “internal controls” must be exercised over corporate data that apply to SOX.
Because of these multiple references to internal controls, this argues for making the ISA Firewall a domain member because when the ISA Firewall is a domain member, you have enhanced security in a number of areas, including User Certificate based authentication, outbound access control and enhanced reporting using both the Web Proxy and Firewall clients, and centralized security controls by using highly codified Group Policy objects for ISA Firewall arrays. Perhaps most importantly, domain joined ISA Firewalls are easier to configure and maintain, and complexity of configuration is the leading cause of firewall related security events.
For all these reasons, to the best of my knowledge after reviewing the entirety of the SOX Act of 2002, there is no reason why the ISA Firewall or ISA Firewall array should not be domain members, and in fact, domain membership enhances the internal controls required by SOX.
NOTE: This is a review of SOX only. I will also review COBIT 4.1 to determine if there are domain related comments in there, but a quick review shows nothing related to ISA Firewall domain membership. I plan to review this with Jim Harrison and Tim Mullen next week and provide a more detailed analysis of anything that COBIT might infer related to domain membership.