It is always good to listen, step back and let someone else look at the big picture to see if they can see what you can't. A friend of mine (Jim Harrison) once told me: review that for me, I'm too close to the forest to see the monkeys throwing poop at me. I'm saying that now because I just posted the previous article on my blog and got feedback from Tom Shinder about it. He brought the following fact to my attention:
You can’t force authentication and security to DCs in domain isolation. If you try to force authentication, domain members are not able to receive Group Policy and thus are not able to log into the domain.
When Tom says that, he is referring to a known fact that we can exemplify with the following excerpt from the Network Team Blog:
Exceptions are needed for unprotected communication with network infrastructure servers such as DHCP, DNS, and Domain Controllers. For example: When a computer is starting, it must be able to obtain an IP address, use DNS to find a domain controller, and then log in to its domain before it can begin to use Kerberos authentication to authenticate itself as an IPSec peer.

From: http://blogs.technet.com/networking/archive/2008/05/30/ipsec-domain-isolation-a-test-study.aspx
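To make the exemption point concrete, here is an added example (not code from the original post, from Tom, or from the Network Team Blog) using the Windows Firewall with Advanced Security IPsec cmdlets (assumed: the NetSecurity PowerShell module on Windows 8 / Server 2012 or later). It shows the setting that breaks domain logon beside the corrected design, in which traffic to the DCs, DNS and DHCP servers is exempted from IPsec negotiation. All addresses are constructed placeholders, not values from the page.

```powershell
# Added example, not part of the original post. Assumes the NetSecurity module
# (New-NetIPsecRule, New-NetIPsecAuthProposal, Set-NetFirewallSetting).
# Addresses below are constructed sample values for this illustration.

$DomainControllers = @('10.0.0.10', '10.0.0.11')   # constructed: DCs, which also serve DNS here
$DhcpServers       = @('10.0.0.20')                # constructed: DHCP server

# Kerberos machine authentication for IPsec peers, the basis of domain isolation.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation Kerberos' -Proposal $kerbProposal

# The setting the quoted text warns about: require authenticated traffic in
# BOTH directions to every address. A booting member has no Kerberos ticket
# yet, so it cannot reach DHCP, DNS or a DC, never receives Group Policy and
# never logs on. Left commented out on purpose; do not apply it as-is.
# New-NetIPsecRule -DisplayName 'Require auth to everyone (breaks logon)' `
#     -InboundSecurity Require -OutboundSecurity Require `
#     -Phase1AuthSet $phase1.Name

# Corrected design, part 1: exemption rules. Traffic to the infrastructure
# servers is never negotiated with IPsec, so the DHCP -> DNS -> DC bootstrap
# chain works before the machine can authenticate.
New-NetIPsecRule -DisplayName 'Exempt domain controllers and DNS' `
    -RemoteAddress $DomainControllers `
    -InboundSecurity None -OutboundSecurity None

New-NetIPsecRule -DisplayName 'Exempt DHCP servers' `
    -RemoteAddress $DhcpServers -Protocol UDP -RemotePort 67 `
    -InboundSecurity None -OutboundSecurity None

# Global exemptions for DHCP, ICMP and neighbor discovery, which the firewall
# can exempt without per-address rules.
Set-NetFirewallSetting -Exemptions Dhcp, Icmp, NeighborDiscovery

# Corrected design, part 2: the isolation rule for everything else. Require
# authentication inbound but only request it outbound, so members still talk
# to non-domain hosts while refusing unauthenticated inbound connections.
New-NetIPsecRule -DisplayName 'Domain isolation (require in, request out)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# Check the result: the exemption rules must show None for both directions.
Get-NetIPsecRule | Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
```

The exemption rules are scoped to specific remote addresses, and the firewall applies the more specific connection security rule first, so they win over the broad isolation rule for DC, DNS and DHCP traffic. The test is the one the quoted study implies: reboot a freshly joined member with the policy applied and confirm it still obtains an address, resolves a DC and processes Group Policy before any IPsec security association exists.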
So, does this statement already justify placing a firewall between the DCs and the clients? Yes. But it will always depend on how deeply you want to secure your environment. This is part of an old discussion about whether to reduce, transfer or accept the risk. Security is always a balance, and you have to go through all the risk analysis calculations to see whether it is worth investing in multiple firewalls for that. Wait a minute, did you say multiple firewalls? Why? The reason is that you don't want to concentrate all the traffic in one single point of failure. If you do, then you are throwing away all your investment because you are not considering a key requirement called "availability".
Your Edge Firewall is your Edge device, and that should be pretty much it. If, after doing all the risk analysis calculations, you come to the point that this kind of device is required as part of your internal network protection, then add the cost of acquiring multiple firewalls (ISA Server in this case), where one will be your Edge firewall and the other can be used to secure your DCs/App Servers.
That being said, it is important to carefully plan your deployment and analyze all the facts, costs and scenarios. The network design is something that can positively or negatively impact your business; therefore it is a key element that needs to be correctly addressed.