Questions and Answers About Microsoft's ISA Firewall Deployment
John Wolfort from MSIT spent a couple of hours with the ISA Firewall MVPs talking about how Microsoft uses the ISA Firewall to protect their corporate network. John's talk was similar to the one that you can view on the microsoft.com Web site, but this time we had the unique opportunity to ask John questions about his presentation and ask about other configuration options that Microsoft uses as part of their ISA Firewall deployment all over the world.
Here are some of John's answers to our questions:
Q: Do you use any firewalls other than the ISA Firewall on the Microsoft corporate network?
A: No. The only corporate firewall in use throughout the Microsoft organization is the ISA Firewall.
Q: Do you use autodiscovery on the network? If so, do you use DNS or DHCP WPAD?
A: We do use autodiscovery on the Microsoft corporate network. All clients are configured as Firewall and Web proxy clients using autodiscovery. We use DHCP based autodiscovery.
Q: Do you find that increasing the Web cache size had any significant impact on performance? Did a larger cache speed up return rates for the users?
A: We found that there was almost no difference between a 250GB cache in our main array, and a 50GB cache. Larger cache sizes do not necessarily mean better performance. Use your counters to determine your optimal cache size and go with that.
Q: Do you see your processors pegged often?
A: No. Our processor utilization on our inbound and outbound arrays are typically way below 50% utilization. We've not found processors to be bottlenecks in either our inbound or outbound arrays
Q: Do you do any special "hardening" of the ISA Firewalls in your arrays? Many people think they have to go nuts "hardening" the OS so that the ISA Firewall will not be attacked.
A: There are no documented instances of an ISA Firewall ever being successfully attacked due to an underlying OS issue. The ISA Firewall software protects the underlying OS, so even if there are OS issues, the ISA Firewall, which has no publicly reported exploits, protects the OS from being attacked due to these issues. We do very little to "harden" the OS either before or after the ISA Firewall is installed.
Q: What type of logging do you use on your ISA Firewall arrays?
A: In the past we've used text and on-box SQL logging. Now we use the built-in MSDE logging and export our log files on a regular basis to a SQL based data warehouse.
Q: Some "security guys" say that on-box logging isn't secure. What's your take on this?
A: If someone "owns" your ISA Firewall to the extent where on-box logging is an issue, then you have much bigger problems to worry about. As it stands right now, we trust that our ISA Firewalls are so secure that it's unrealistic to think that they could ever be compromised in this fashion, so that the issue of on-box logging is moot. We have used off-box SQL logging, but the risk of losing log information for off-box logging is much, much higher than the risk of an ISA Firewall being compromised, so we decided not to use off-box logging, since the logs are all important to us and our security team.
Q: Who determines security policy in your organization? You're the "firewall guy", so do you tell Microsoft how firewall policy and access controls should be set?
A: No, I'm not the "Internet Police" for Microsoft. My job is to keep the ISA Firewall's up and running, with over four nines of reliably and tip top performance. The Microsoft security team determines firewall policy and I take my directions from them. Microsoft security teams are also responsible for following up security issues related to user activity, either on the corpnet or external users. I do what I can to facilitate this, but the job of planning, implementing and maintaining corporate security policy is the job of the security staff, not mine as the "firewall guy".
Q: That's interesting, because we often hear of companies that will not use the ISA Firewall because the "firewall" or "network" guy says the ISA Firewall is not secure. They also think it's their job to determine networks security policy. Do you think Microsoft should let you determine policy?
A: Like I said, my job is to maintain and optimize the ISA Firewall arrays and implement security policy, not make it. It's not my job to develop policy, although I'll give my input where I think it will enhance security -- bottom line -- security guys are the security experts.
Well, that was just a handful of questions and answers. I found the session really illuminating and hope you'll be able to use this information to come back to your bosses and check writers and let them know that there's more to the "hardware firewall" debates than facts -- if the "hardware" guy can't provides facts to back up his opinions, them he's lost credibility, and the organization needs to take that into account when evaluating his opinion.