For years I said that you don’t need to install a host-based AV on the ISA or TMG firewall. The putative reason for this was that if you managed the firewall as you should, there is no reason why AV needs to be installed on the firewall. The thinking was that if you don’t need to install AV on a “hardware” firewall, there’s no reason to install it on an ISA or TMG firewall.
However, I think that a major motivation on my part was that if you gave in to the idea that you needed to install AV on the ISA or TMG firewall, you’ve sort of admitted that the ISA or TMG firewall isn’t quite as secure as its “hardware” counterpart.
But recently I’ve been thinking that perhaps I’ve been wrong about this. Defense in depth is a good thing, and the fact that you can install AV and other anti-malware software on the ISA or TMG firewall actually represents a security advantage compared to “hardware” firewalls. Why? We take it for granted that “hardware” firewalls can’t be tampered with, and that malicious software can’t be stored in memory. Of course, that’s not true – and since there are no mechanisms in place to detect this malware on the “hardware” firewall, they suffer from a security hole that an ISA or TMG firewall doesn’t when AV and other host-based anti-malware software is installed on it.
However, you have to configure the software so that certain files and directories aren’t scanned – because if they are scanned, you’re going to see some significant performance issues.
For more information in this area, check out:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer