Dr. Tom Shinder's ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks

Most "in the know" ISA Server administrators consider the trihomed DMZ configuration a bit of a kludge because it represents a single point of failure. If someone is able to compromise the single ISA server hosting both the DMZ segment and the internal network, he will be able to access resources on both the DMZ and the internal network. While we should expect the resources on the DMZ to be compromised, we should not accept compromise of internal network resources.
This might be overstating the case. There have been no reported incidents where someone has compromised a correctly configured ISA server. Therefore, it's not entirely accurate to say that it would be easy to compromise the ISA server and access both the internal network and DMZ resources.
However, mistakes do happen, and sometimes an Internet criminal gets lucky. That's why we need firewall fault tolerance. The ideal firewall fault tolerance scheme is the back-to-back firewall configuration.
It's not the end of the world if the external firewall is compromised when using a back-to-back firewall configuration; the attacker will only be able to access resources on the DMZ. The intruder will have to compromise the internal firewall to access resources on the internal network. You'll already be on the alert because you'll know about the compromise of the external firewall and take countermeasures to prevent the attacker from taking down the internal firewall.
You can use ISA Server to create two types of...