So I’m reading Dana’s blog and he’s ranting that SBS doesn’t allow ISA server to “work” unless there are two network cards on the server. If you only have one server, as you run the wizard it won’t set up ISA [or RRAS on the Standard SBS] to be a firewall and you must be dependent on an external hardware firewall. I’ll be the first to admit that I run at the office with two firewalls, my outside little non beefy, no where near like ISA Server, hardware firewall and THEN I run ISA server. Why? For one thing I like to have two walls, one to thin out the log files and then I want ISA server. A firewall integrated with active directory, so much logging that it gives my auditor background happy, and on a platform that with a push button I can patch. I can’t do that with my hardware firewall. And these days with the Secunia web site throwing out as many firewall vulnerabilities as operating system, the idea that the software on a hardware box is more secure is silly unless it’s like as someone said the base of OpenBSD right after boot up when you have a command line prompt and nothing else. We add on the cutesy wutsey GUI to make people like me happy and you start introducing vulnerabilities.
The knowledge base article that talks about two network cards is here:
825763 – How to configure Internet access in Windows Small Business Server 2003: A two-network-adapter configuration connects one adapter to the local area network and connects the other to the Internet. A one-network adapter configuration connects a single network adapter to the local area network.
Then in this KB it clearly states
323387 – How To Connect Your Company to the Internet by Using an ISA Firewall with Windows Server 2003:
Install the ISA Server
To install an ISA firewall, you need a computer with two network adapters. You must connect one of these adapters to your internal network and the other adapter to your Internet service provider (ISP). Your ISP can help you make this connection. A firewall acts as a security barrier between your internal network (or intranet) and the Internet by preventing outside users on the Internet from gaining access to the confidential information on your intranet or your computer.
Thus you need two network cards to enable the ISA firewall. Dana responds to my comments that any firm that is doing a virtual firm would want this setup. He may have a point, but I’ll refer back to the first time Dana posted into the community newsgroup and was like “Dana Epp, THE security blogger Dana Epp? You aren’t the normal “SBS“ customer“. And beleive me, I mean that in the MOST complementary way. Dana is not the normal SBSer and the wizards are built for the rest of the 99.99999999% of the marketplace. SBS is flexible, but this is where the Enterprise folks say they don’t like the wizards… because they force the “best“ practice or the “best“ balance. As I’ve blogged before, the wizards leave behind an audit trail. They do the heavy lifting for you. They want to help you make the best choices…. like…. two network cards.
Hmmmm… a virtual organization SBS network. Interesting…. we are certainly doing more and more things “virtually“ rather than physically these days. I know I’ve been collaborating with other folks from around the world and we certainly get a lot done without physically being in the same room. I think I’ll email Dana’s blog post to some folks that just might be interested in that.