Why SBS is Insecure by Design and Not Even an ISA Firewall can Fix the Problem
Susan Bradley recently shared an incident with some ISA firewall and general security MVPs regarding some comments an outside consultant made about SBS and its security situation. The general consensus among security professionals is that SBS is not, and cannot be made, secure using generally accepted principles of network security. Now I realize that this will upset more than a few people, so I had better have something other than CO2 spewing out of my mouth to back up this claim.
It's usually thought that the SBSers' problem is that the ISA firewall is co-located on the SBS box and thus ISA can't fully do its job as a network stateful packet inspection and application layer inspection firewall. In the co-located configuration, the ISA firewall is a blend between a network firewall performing inbound and outbound access control to and from the corporate network and a host-based firewall protecting the Microsoft server services running on the SBS 2003 SP1 computer. Because of this, there has been a lot of discussion about whether a "hardware" firewall or a NAT device should be placed in front of the SBS box.
The major security problem with SBS isn't that the ISA firewall is co-located on the box, although that is a big one. Conventional wisdom dictates that each non-firewall service loaded onto a firewall device significantly reduces the overall security provided by the firewall because of the increased "attack surface" exposed by the non-firewall components. This is all correct, but anyone who considers placing a simple "hardware" firewall in front of the SBS device with the goal of increasing security is accomplishing nothing other than putting money into some opportunistic security "expert's" pocket.
The security issue with SBS is not so much that the ISA firewall is co-located with the directory server, Exchange Server, SQL Server and multifunction Web server (as well as whatever line-of-business applications the company might require) as it is the position of the SBS box itself in the network topology. The ISA firewall is a top-of-the-line and, in many ways, cutting-edge stateful packet and application layer inspection firewall. When properly configured, no one is going to "break through" the ISA firewall's stateful packet and application layer inspection components to own your SBS box.
Note that the operative term here is properly configured. The ISA firewall's feature set enables it to be a network brick or a fully porous sponge, depending on how you configure it. The default configuration created by the CEICW (the Configure E-mail and Internet Connection Wizard) makes attacks coming from the outside somewhat difficult, but leaves the internal interface almost entirely unsecured, using a security model similar to that employed in the ISA Server 2000 firewall. Note that I say similar, because the situation is not exactly the same as that found in ISA Server 2000: the stateful packet inspection feature set cannot be turned off on any interface. Unfortunately, stateful packet inspection provides only rudimentary protection, and almost none against the application-specific attacks seen on modern networks.
No, the primary security problem with SBS, which can't be fixed, is a topological one. The actual security issue as it relates to SBS 2003 SP1 is that the SBS 2003 SP1 box with the ISA firewall installed is an Internet-facing device. Internet-facing devices are by definition part of a security zone separate and distinct from the security zones where a company's core assets are located. While it can be argued that most network-based compromises take place from within the corporate network, the attack surface presented to the Internet by an Internet-facing host is nevertheless many orders of magnitude greater than that presented by corporate network hosts.
Even in the internal network scenario, core infrastructure servers should be segregated from the end-user network, and least privilege should be enforced so that end-user computers have access only to required servers using only required protocols. Although the attack surface presented to the Internet is much larger, the attack surface on the internal network is much like a Fifth Column and thus even more dangerous and insidious.
A well-designed network infrastructure never allows direct incoming connections to core infrastructure servers. There should always be a gateway and application proxy to terminate the connections and forward them to the back-end infrastructure servers. This is why we always use inbound SMTP relays instead of allowing email directly to our back-end Exchange Servers. This is why we use a front-end Exchange Server located on an authenticated-access DMZ instead of allowing OWA, OMA, ActiveSync and RPC/HTTP directly to the back-end Exchange Server (the ISA firewall provides a Web proxy, but that doesn't change the fact that the front-end Exchange Server is an Internet-facing host). And this is why publicly accessible Web servers are placed in an anonymous-access DMZ.
SBS doesn't allow you to separate the components of the solution into the appropriate security zones. Multiple applications and services that belong to completely separate security zones are loaded on the same box, and end-users have access to virtually any protocol or service on that box, regardless of whether they need that service. A single weakness in any of the services or in the core operating system can and does put the entire set of core infrastructure services at risk. In contrast, if these services were segmented from one another, and from the Internet and the corporate network, the risk of a "domino effect" taking down the entire services infrastructure would be non-existent at best and minimal at worst.
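As an added illustration (not part of the original post), here is a small Python policy check that applies the zoning principles just described to two constructed rule sets: the co-located SBS layout, where the core host is published directly to the Internet and clients can reach it on any protocol, and a segmented layout with a DMZ SMTP relay and front-end Exchange Server. Zone names, host names and protocol labels are assumptions made for the example.

```python
from dataclasses import dataclass

# Security zones used by the model (constructed for this example).
INTERNET, DMZ, CLIENTS, CORE = "internet", "dmz", "clients", "core"

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone the connection originates from
    dst_host: str   # host the connection terminates on
    dst_zone: str   # zone that host lives in
    proto: str      # protocol/service being allowed

def audit(rules, required):
    """Return (rule, reason) pairs that violate the zoning principles.

    1. No connection from the Internet may terminate on a CORE host; it must
       terminate on a DMZ gateway/proxy which then forwards to the back end.
    2. CLIENTS may reach a CORE host only on the protocols `required` lists
       for that host (least privilege); anything else is flagged.
    """
    findings = []
    for r in rules:
        if r.dst_zone != CORE:
            continue                      # DMZ and client hosts are out of scope here
        if r.src_zone == INTERNET:
            findings.append((r, "core host is Internet-facing"))
        elif r.src_zone == CLIENTS and r.proto not in required.get(r.dst_host, set()):
            findings.append((r, "client access beyond least privilege"))
    return findings

# Protocols end-user machines legitimately need on each core host (assumed).
REQUIRED = {"exchange": {"mapi"}, "dc": {"ldap", "kerberos", "dns"}}

# Co-located SBS: one CORE host runs AD, Exchange, SQL and Web and is published directly.
SBS_RULES = [
    Rule(INTERNET, "sbs", CORE, "smtp"),
    Rule(INTERNET, "sbs", CORE, "https"),     # OWA/OMA/ActiveSync
    Rule(INTERNET, "sbs", CORE, "rpc-http"),
    Rule(CLIENTS, "sbs", CORE, "any"),
]

# Segmented layout: Internet traffic terminates on DMZ hosts that forward to the back end.
SEGMENTED_RULES = [
    Rule(INTERNET, "smtp-relay", DMZ, "smtp"),
    Rule(INTERNET, "fe-exchange", DMZ, "https"),
    Rule(DMZ, "exchange", CORE, "smtp"),
    Rule(DMZ, "exchange", CORE, "https"),
    Rule(CLIENTS, "dc", CORE, "ldap"),
    Rule(CLIENTS, "exchange", CORE, "mapi"),
]

if __name__ == "__main__":
    for name, rules in (("SBS co-located", SBS_RULES), ("Segmented", SEGMENTED_RULES)):
        print(name, [(r.dst_host, r.proto, why) for r, why in audit(rules, REQUIRED)])
```

The co-located rule set produces four findings (three Internet-terminated services plus the unrestricted client rule), while the segmented rule set produces none, because every Internet connection ends on a DMZ host.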
With the fact that the SBS box is an Internet-facing host in mind, it should be clear that it doesn't matter whether there is a "hardware" firewall in front of the SBS 2003 SP1/ISA firewall device, since the connections are still terminated at the SBS box. The SBS 2003 SP1/ISA firewall box with a "hardware" firewall or NAT device in front of it is no more secure than the same box without one. Putting a "hardware" firewall in front of the SBS box is a psychological exercise in futility, and the money spent on the PIX 501 would be much better spent on a couple of hours of psychotherapy or a few bottles of Dom P. Whether you choose the PIX, the shrink or the Dom, you'll end up with the same level of security.
Now, with all this said, does that mean I think that SBS is a bad solution for small business? It depends. Most small businesses really don't take their information resources seriously and are unwilling to pay what it takes to create a secure infrastructure. They are willing to take on more risk than larger businesses. They often don't have health insurance plans, even for the owners of the business. They are comfortable allowing employees unfettered access to the Internet. They're comfortable allowing end-users RDP access to their network (in my opinion, one of the worst security moves anyone could ever make). They are more concerned with "making it work" than "making it safe". Small business computers are typically unmanaged, and their networks usually look like something that "grew that way". They claim that IT isn't their business, at least until they lose everything, then suddenly IT appears to be a big part of their business.
If the small business fits the above profile, then SBS is good enough for them. Not because it's a secure solution, but because it's a great deal with tons of useful software that they're getting at loss-leader pricing.
However, SBS can be more than good enough. I've worked with small businesses that plan to become big businesses some day and want to know how big businesses do IT, because that's where they're going. I'll recommend that they begin with SBS, but we'll also use a dedicated ISA firewall to segment their network into security zones and bring in other servers to create a secure network segmentation solution. Although you won't find the SBS community providing any guidance in this area, I can assure you that it can be done if the customer is willing to pay for it. And I'll tell you something: it's a great feeling to see these small businesses take their information security seriously, as they're the ones who are ready to get into the big boys' game.
Unfortunately, the latter customer is a very rare exception, and most SBS customers seem to fit the former profile. Perhaps it's for this reason that a friend of mine, Tim Mullen (Thor from www.hammerofgod.com), an extremely well-respected security expert and one of the smartest people I've ever had a chance to get to know, said the following about SBS:
"...I can say now that I would sooner sandpaper a bobcat's ass in a telephone booth than flay my infrastructure with the product..."