To Join the Domain or Not Join the Domain, that is The Question
It never ceases to amaze me when I get into it with "packet filter" guys about domain membership. You know, the "hardware" firewall guys who’ve hijacked your network security in the feckless game of "port control" through DMZs and the Internet. The sorry state of affairs these network security guys manqué puts our network applications (you know, the stuff we’re trying to protect) at serious risk. When I get into application protection discussions with these guys I often think that the inmates are running the asylum.
Here’s the straight dope on domain membership. It’s the preferred configuration and the more secure one. As long as your create an intelligent firewall policy and kept the principle of least privilege on the top of your list, domain membership will make your ISA firewall configuration easier and more secure. It just doesn’t get any better than that. BTW -- I’m talking about real domain membership, not the hork where you create a separate forest for the ISA firewall. When you do that, you lose key security advantages.
Advantages of Domain Membership:
Granular user/group access controls for all protocols
Don’t need to create array accounts for intra-array communications
Results in more secure deployment
Full support for user certificate authentication for publishing
Full support for the Firewall client
Full support for Microsoft Operations Manager (MOM)
Full support for Group Policy management
Array admins can log in from any Active Directory managed machine with remote admin permissions
MUCH easier to deploy and maintain
Disadvantages of Domain Membership:
If someone compromises the Active Directory they can own the firewall
However, they’ll own everything else too, with the Firewall being the least of your problems
If the Firewall is owned, the Active Directory may become accessibile
The ISA firewall has never been compromised to the extent of being owned
Attackers don’t try to own firewalls, they try to own services protected by the firewall
Domain Admins can admin the Firewall
If you can’t trust your domain admins, you have bigger problems
Advantages of workgroup membership:
If firewall is compromised, attacker might not be able to get to Active Directory
If an attacker can own the firewall, he’ll be able to access the Active Directory whether or not the firewall is a domain member
Domain admins can’t admin the array
If you don’t trust your domain admins, you have bigger problems than this
If the Active Directory is “owned” the firewall won’t be effected
ISA will be the last man standing, while the entire business has gone up in flames – does it really matter at this point?
Disadvantages of workgroup membership:
Requires server certificate on CSS
Requires CA certificates on array members
Must track certificate status
Must use RADIUS authentication (slow) or RSA SecurID (expensive)
On-box accounts required for intra-array communication and management
No centralized password policy
Could become a security or access issue
Can’t use user certificate authentication for VPN or Web Publishing
No support for VPN user mapping when users connect from non-Windows VPN clients
ONLY ONE CSS SUPPORTED IN A WORKGROUP!
Thomas W Shinder, M.D.
MVP -- ISA Firewalls