I get asked a few times a week whether you should install anti-virus software on the ISA firewall. It's a good question and worth a few moments to consider what is actually being asked.
There are two general types of AV software that you can install on the ISA firewall:
- AV software designed to protect the host operating system (Windows) on which the ISA firewall runs
- AV software designed to scan and protect against viruses that might traverse the ISA firewall via HTTP, HTTPS, IM, P2P, FTP or other protocols that can transfer files
The first type of AV software is not required on the ISA firewall. Remember, the ISA firewall is not a workstation, so you never run Internet Explorer, Outlook Express (or any other email client), Kazaa, BitTorrent, an FTP client, or any other client software on the firewall. Because no client software runs on the ISA firewall that could download files containing viruses, worms or spyware, the ISA firewall is not at risk for infection. If you purposely violate network and firewall security principles and use the ISA firewall as a workstation, then you do put yourself at risk for infection. If, however, you operate your ISA firewall in a secure and professional fashion, then there is no reason to install host-specific AV software on the firewall.
In addition, you should never install server applications that would significantly increase the attack surface on the ISA firewall. This means never installing IIS on the ISA firewall, never making the ISA firewall a DC, never installing MS Exchange on the ISA firewall and not installing any other server software that could harbor viruses and other malcode. Exceptions to this include installing the SMTP service, installing the DHCP service and installing the DNS server on the ISA firewall.
The second type of AV software is designed to work with the ISA firewall components to protect hosts on ISA firewall Protected Networks from malware infection. I highly recommend that you install third-party applications, or configure the ISA firewall’s built-in HTTP Security Filter, to protect yourself from viruses, worms, spyware and other code that puts network computers at risk.
Examples of such software include Websense, SurfControl, Akonix, GFI WebMon3 and many others. These third-party applications can be installed on-box or off-box. The ISA firewall has an advantage over many other solutions because you can install these applications on-box, which reduces cost and administrative complexity: you don’t have to maintain a second hardware device or worry about connectivity and configuration issues with that second device.
To sum things up: no, you don’t need to install AV software to protect the ISA firewall’s host operating system, and yes, you should install AV software designed to work with the ISA firewall to protect you against downloads of malicious mobile code.
Thomas W Shinder, M.D.
MVP — ISA Firewalls