RE: [fw-wiz] Application Proxy/L7 Firewall Recommendation?

From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: 09/10/02


From: "Noonan, Wesley" <Wesley_Noonan@bmc.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Sep 10 07:41:01 2002

inline

Wes Noonan, MCSE/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com

> -----Original Message-----
> From: kaptain [mailto:kaptain@kaptain.com]
> Sent: Monday, September 09, 2002 14:47
> To: firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] Application Proxy/L7 Firewall Recommendation?
>
> I'd recommend Network Appliance NetCache or Blue
> Coat (formerly Cacheflow) Secure Gateways.
>
> I'm not ISA bashing here...I'm sure it's plenty good for some people.
> Here are the major advantages I see with the aforementioned appliances.
>
> [1] These appliances have sophisticated policy engines and ACL
> capabilities. They can support all the major types of streaming media.
> They can do content filtering, throttle bandwidth, be prepopulated with
> content, display real time metrics, proxy DNS, virus scan, GSLB (with
> NetCache at least for distributed content access), central multi-box
> management, etc.

I think ISA pretty much covers all of what you mentioned as well:

Policy engines and ACLs - yes
Streaming Media - yes
Content filtering - yes, including SMTP content filtering among others.
Prepopulated with content - not sure I follow what you mean
Display real time metrics - would need to know the metrics in question, but
I am pretty sure ISA does this as well.
Proxy DNS - I am honestly not sure if it can proxy DNS or not. If it can't,
this is a shortcoming that should be fixed IMO.
Virus Scan - yes
GSLB - Dunno how well it performs here. I know that it does have some load
balancing functions via ISA arrays, but haven't seen a contrast of
performance (though the MS website proclaims that it trounced everyone
else... I don't put much stock in that though)
Central Multi-box management - yes

Heck, this comes from the marketing slugs, but it seems like it has plenty
of sophistication:

http://www.microsoft.com/isaserver/evaluation/features/default.asp

I guess the point I am trying to make is that folks might be surprised at
what ISA can do, if they take a fair look at it[1].
 
> [2] They both have proprietary OS's that aren't subject to exploits
> common to platforms that run Linux or Windows. These general purpose OS's
> require constant maintenance.

Very fair point.

> Both platforms support SmartFilter, Websense and WebWasher. I believe the
> WebWasher product is off-box and the filtration happens via request
> modification as part of the ICAP protocol. Both platforms allow ACLs
> based on filter categories and users (and groups) along with
> authentication (NTLM, RADIUS, LDAP, and user defined on box).

Websense runs on/with ISA as well. The other two (in addition to Websense)
may well be able to do most of what the original poster was looking for.
Plus, SmartFilter and WebWasher can be run off box (if I read everything
correctly), which kind of goes to prove the point that security is becoming
less and less about "the box" and more and more about "the process".

Thanks for all of the feedback. You brought up some good points and
contrasts. I think the original poster has plenty of stuff he can track down
for a solution that will work for him.

[1] Truth be told, I don't use it, I like PIXen for what I need to do 99% of
the time...


