From a security perspective, how secure is an IFD deployment of MS CRM 2013 or CRM 2015? I know it's the recommended way to expose MS CRM to the net, but what are the vulnerabilties? Is it recommended to also use a kind of Web Application Firewall or is this already included in the software or the deployment itself? What are the best practices?
I already searched the internet for this but I couldn't get a satisfying answer...
That's quite a broad question, so I'll answer in broad terms if that's okay.
For an IFD deployment typically you are only exposing the front end web servers to the internet. Users have to authenticate with the front end web server using ADFS to get access to any data. Typically the IFD is only exposed over HTTPS. So in some ways you are asking how secure ADFS and HTTPS is. Which in general terms is probably as secure as any other modern web application.
In the background the platform and database servers are not normally exposed to the internet. So in terms of how secure those things largely depends on your infrastructure setup.
In terms of a 'product' firewall as far as I know there isn't one. Typically you will throw up a firewall somewhere, where that is again depends on your infrastructure.
You will probably want to have a read of, Deploying and administering Microsoft Dynamics CRM Online and Microsoft Dynamics CRM 2015. The MSDN has a whole host of information around these areas which should help guide you with your infrastructure decisions. Additionally the sub topic Security considerations for Microsoft Dynamics CRM and its sub topics seems to have information relevant to this question. In particular Known risks and vulnerabilities.
If you are looking for some confidence, I suppose if setup correctly, IFD is secure as CRM Online which seems to work for everyone else.
