Wednesday, 18 August 2010

Should I Place Forefront TMG at the Edge of My Network?

Is Forefront TMG trustworthy?

Given that ISA is an EAL4+ certified firewall, that TMG is on the way to the same certification, and that the product has a decade-long history of never being the focus of a successful, documented attack, I'd say you're in good shape putting TMG at the network edge if that's what you want to do.

Is it all about security? 

As good as TMG is (and secure too), there are still some limitations with regard to NAT functionality that are often bettered by traditional network firewall vendors. Enhanced NAT in TMG is a good improvement, but you may be left wanting when it comes to full NAT control. Some of the changes in source IP address selection introduced in Windows Server 2008 don't help either, as covered in the following article: which may not give the results you expect or want. Consequently, there may be some advantage in placing another network device (border router or firewall) at the network edge, in front of TMG.
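To make the source-address point concrete, here is an added toy model (not code from the original post, and not Microsoft's implementation) of how a multi-homed external interface picks the address outbound traffic leaves from. It contrasts a "first configured address wins" rule with an RFC 3484-style longest-matching-prefix rule; that Windows Server 2008 applies the latter to IPv4 is my reading of the change the article refers to and is treated as an assumption here. The addresses are constructed from the RFC 5737 documentation range, and the point for a defender is that an upstream NAT or ACL written against the "primary" address can silently stop matching.

```python
"""Toy model of outbound source-address selection on a multi-homed interface.

Added illustration, not code from the original post or from Microsoft.
Assumption: the longest-matching-prefix rule below is the Windows Server 2008
IPv4 behaviour the post alludes to; the "primary address" rule models the
older behaviour. All addresses are constructed (RFC 5737 documentation range).
"""
import ipaddress

# Constructed example: three public addresses bound to the external interface,
# listed in the order they were configured, plus the upstream router's address.
EXTERNAL_ADDRESSES = ["203.0.113.10", "203.0.113.130", "203.0.113.66"]
NEXT_HOP = "203.0.113.129"


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def primary_address_rule(addresses, next_hop):
    """Older behaviour (assumed): the first configured address on the interface
    is used as the source regardless of where the next hop sits."""
    return addresses[0]


def longest_prefix_rule(addresses, next_hop):
    """RFC 3484 rule 8 style selection: prefer the candidate that shares the most
    leading bits with the next hop; ties fall back to configuration order."""
    best = addresses[0]
    best_len = common_prefix_len(best, next_hop)
    for candidate in addresses[1:]:
        length = common_prefix_len(candidate, next_hop)
        if length > best_len:  # strictly longer wins; an equal length keeps the earlier one
            best, best_len = candidate, length
    return best


def source_mismatch(addresses, next_hop, expected_source):
    """True when the longest-prefix rule would source traffic from an address
    other than the one an upstream NAT rule or ACL was written to expect."""
    return longest_prefix_rule(addresses, next_hop) != expected_source


def explain(addresses, next_hop):
    """Return (address, shared_bits) pairs so the selection can be eyeballed."""
    return [(a, common_prefix_len(a, next_hop)) for a in addresses]


if __name__ == "__main__":
    for addr, bits in explain(EXTERNAL_ADDRESSES, NEXT_HOP):
        print(f"{addr:>16}  shares {bits} leading bits with {NEXT_HOP}")
    print("primary rule picks       :", primary_address_rule(EXTERNAL_ADDRESSES, NEXT_HOP))
    print("longest-prefix rule picks:", longest_prefix_rule(EXTERNAL_ADDRESSES, NEXT_HOP))
    if source_mismatch(EXTERNAL_ADDRESSES, NEXT_HOP, EXTERNAL_ADDRESSES[0]):
        print("upstream rules keyed on the primary address would not match this traffic")
```

In the constructed case the primary rule sources from 203.0.113.10 while the longest-prefix rule sources from 203.0.113.130, because that address shares 30 leading bits with the router at 203.0.113.129 against only 24 for the other two. When a border device in front of TMG performs the NAT, that device's rules decide the public address regardless of which interface address Windows selects, which is one practical reason for the two-tier layout discussed in the post.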

I have always believed in placing ISA/TMG closest to the assets you want to protect, so its role as a back-end application firewall is often the most useful. Some folks are comfortable with a single-tier application-level firewall (e.g. TMG at the edge), but many aren't and look for at least a two-tier firewall topology. Is this better? I'm not sure, but they often feel they have "covered their arse" anyhow by following a more defence-in-depth approach.

The other element to consider is that people don't hack firewalls anymore; they hack applications. Consequently, good firewall protection is about protecting at the application level. A front-end "network" firewall can be handy for noise reduction and enhanced network functionality (like more advanced NAT, perhaps), but often the application firewall behind it is actually doing most of the heavy lifting. Many times, the front-end firewall only ever sees encrypted incoming connections (SSL/TLS) that it cannot inspect, and hence provides pretty low security value. If you add UAG or DirectAccess into the mix, the front-end firewall becomes even more clueless, as all the clever stuff happens behind it...

With the advent of UAG DirectAccess and the need for public IPv4 addresses on the UAG external interface, I think many more people will (perhaps not always knowingly) put TMG at the edge (by placing UAG at the edge), as they have limited options for meeting the DirectAccess public addressing requirements. This should consequently build confidence that Microsoft have a product which they, the customer, believe can be trusted in that role/location. More on this in a future blog post…

Is an appliance version of Forefront TMG more secure?

Finally, the use of a hardware platform (like the Celestix MSA range, perhaps) shouldn't really change the overall risk and edge-placement assessment, as this is a platform choice, not a security choice, and you should go that route for reasons other than improved security protection. Well, unless you believe that a "hardware device" is better than a "software firewall", that is ;)

I'm also not sure there is a right or wrong answer here, as people's acceptance of risk varies greatly. Assuming you are happy with the native network-level feature set of TMG (and its potential limitations), I see no reason not to place it at the network edge, but as is often the case, your mileage may vary! :)

1 comment:

  1. Great post, Jason!

    In addition I want to say that today leaving a hardware firewall as the only single-tier firewall on the edge of your company isn't the right choice. Definitely :)

    So the question is: can we use our ISA/TMG as the only edge firewall, or do we need to complete this topology with a front-end network-level firewall? IMHO