RE: [fw-wiz] Application Proxy/L7 Firewall Recommendation?

From: Noonan, Wesley
Date: Tue Sep 10 07:41:01 2002


Senior QA Rep.
BMC Software, Inc.
(713) 918-2412

> -----Original Message-----
> From: kaptain []
> Sent: Monday, September 09, 2002 14:47
> To:
> Subject: RE: [fw-wiz] Application Proxy/L7 Firewall Recommendation?
> I'd recommend Network Appliance NetCache or Blue
> Coat (formerly Cacheflow) Secure Gateways.
> I'm not ISA bashing here...I'm sure it's plenty good for some people.
> Here are the major advantages I see with the aforementioned appliances.
> [1] These appliances have sophisticated policy engines and ACL
> capabilities. They can support all the major types of streaming media.
> They can do content filtering, throttle bandwidth, be prepopulated with
> content, display real time metrics, proxy DNS, virus scan, GSLB (with
> NetCache at least for distributed content access), central multi-box
> management, etc.

I think ISA pretty much covers all of what you mentioned as well:

Policy engines and ACLs - yes
Streaming Media - yes
Content filtering - yes, including SMTP content filtering among others.
Prepopulated with content - not sure I follow what you mean
Display real time metrics - would need to know the metrics in question, but
I am pretty sure ISA does this as well.
Proxy DNS - I am honestly not sure if it can proxy DNS or not. If it can't
this is a shortcoming that should be fixed IMO.
Virus Scan - yes
GSLB - Dunno how well it performs here. I know that it does have some load
balancing functions via ISA arrays, but haven't seen a contrast of
performance (though the MS website proclaims that it trounced everyone
else... I don't put much stock in that though)
Central Multi-box management - yes

Heck, this comes from the marketing slugs, but it seems like it has plenty
of sophistication:

I guess the point I am trying to make is that folks might be surprised at
what ISA can do, if they take a fair look at it[1].
> [2] They both have proprietary OS's that aren't subject to exploits
> common to platforms that run Linux or Windows. These general purpose OS's
> require constant maintenance.

Very fair point.

> Both platforms support SmartFilter, Websense and WebWasher. I believe the
> WebWasher product is off-box and the filtration happens via request
> modification as part of the ICAP protocol. Both platforms allow ACLs
> based on filter categories and users (and groups) along with
> authentication (NTLM, RADIUS, LDAP, and user defined on box).

Websense runs on/with ISA as well. The other two (in addition to Websense)
may well be able to do most of what the original poster was looking for.
Plus, SmartFilter and WebWasher can be run off box (if I read everything
correctly), which kind of goes to prove the point that security is becoming
less and less about "the box" and more and more about "the process".

Thanks for all of the feedback. You brought up some good points and
contrasts. I think the original poster has plenty of stuff he can track down
for a solution that will work for him.

[1] Truth be told, I don't use it, I like PIXen for what I need to do 99% of
the time...
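The thread mentions that an off-box filter like WebWasher does its work through request modification in the ICAP protocol. To make that exchange concrete, here is an added example that is not part of the mailing-list thread and not code from any of the products named; it builds the proxy's ICAP REQMOD request around a client's HTTP request headers, has a toy filter answer either 204 (forward unchanged) or 200 with a replacement HTTP 403 response, and has the proxy interpret that answer, following the message layout in RFC 3507. The service URI `icap://filter.example/reqmod` and the host-to-category table are constructed for the example.

```python
"""Minimal ICAP REQMOD exchange (RFC 3507) between a proxy and an off-box URL filter.

Proxy side:  build_reqmod()  wraps the client's HTTP request headers in ICAP.
Filter side: filter_reqmod() decides, returning 204 (pass) or 200 + HTTP 403 (block).
Proxy side:  proxy_decision() turns the ICAP answer into forward/respond.
"""

# Constructed sample policy (hypothetical hosts and categories).
HOST_CATEGORY = {
    "news.example": "news",
    "games.example": "games",
    "updates.example": "software",
}
BLOCKED_CATEGORIES = {"games"}

ICAP_SERVICE = "icap://filter.example/reqmod"  # hypothetical service URI


def build_reqmod(http_request_headers: bytes, service: str = ICAP_SERVICE) -> bytes:
    """Proxy side: encapsulate the HTTP request headers in an ICAP REQMOD request.
    Only the headers are sent (null-body), which is all a URL filter needs.
    'Allow: 204' tells the filter it may answer 204 instead of echoing the request."""
    assert http_request_headers.endswith(b"\r\n\r\n"), "expects a full header block"
    icap_host = service.split("://", 1)[1].split("/", 1)[0]
    icap_headers = (
        f"REQMOD {service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        "Allow: 204\r\n"
        f"Encapsulated: req-hdr=0, null-body={len(http_request_headers)}\r\n"
        "\r\n"
    ).encode()
    return icap_headers + http_request_headers


def split_message(raw: bytes):
    """Split an ICAP or HTTP message into (start line, lower-cased header dict, remainder)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def parse_encapsulated(value: str) -> dict:
    """'req-hdr=0, null-body=123' -> {'req-hdr': 0, 'null-body': 123}."""
    return {k.strip(): int(v) for k, v in (part.split("=") for part in value.split(","))}


def filter_reqmod(icap_request: bytes) -> bytes:
    """Filter side: look up the Host header's category and answer the proxy."""
    start, headers, encapsulated = split_message(icap_request)
    if not start.startswith("REQMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\n\r\n"
    offsets = parse_encapsulated(headers["encapsulated"])
    end = offsets.get("null-body", len(encapsulated))
    req_headers = split_message(encapsulated[offsets["req-hdr"]:end])[1]
    host = req_headers.get("host", "").split(":")[0].lower()
    category = HOST_CATEGORY.get(host, "uncategorized")
    if category not in BLOCKED_CATEGORIES:
        # Nothing to change: the proxy forwards the original request as-is.
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    # Blocked: return a replacement HTTP response instead of the request.
    body = f"Blocked by policy: category '{category}'\r\n".encode()
    http_response = (
        "HTTP/1.1 403 Forbidden\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode()
    # Encapsulated bodies are always chunked in ICAP (RFC 3507 section 4.5).
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    icap_headers = (
        "ICAP/1.0 200 OK\r\n"
        f"Encapsulated: res-hdr=0, res-body={len(http_response)}\r\n"
        "\r\n"
    ).encode()
    return icap_headers + http_response + chunked


def proxy_decision(icap_response: bytes):
    """Proxy side: ('forward', None) to send the request on, or
    ('respond', status line) to hand the filter's HTTP response to the client."""
    start, headers, encapsulated = split_message(icap_response)
    code = int(start.split()[1])
    if code == 204:
        return ("forward", None)
    if code == 200:
        offsets = parse_encapsulated(headers["encapsulated"])
        status_line = split_message(encapsulated[offsets["res-hdr"]:])[0]
        return ("respond", status_line)
    return ("error", start)


# Constructed sample client requests.
ALLOWED_REQUEST = b"GET / HTTP/1.1\r\nHost: news.example\r\nUser-Agent: demo\r\n\r\n"
BLOCKED_REQUEST = b"GET /play HTTP/1.1\r\nHost: games.example\r\nUser-Agent: demo\r\n\r\n"

if __name__ == "__main__":
    for req in (ALLOWED_REQUEST, BLOCKED_REQUEST):
        print(proxy_decision(filter_reqmod(build_reqmod(req))))
```

The point the example makes about "the process" rather than "the box": the proxy never needs the category database itself. It only has to speak the ICAP exchange correctly, and the policy can live, and be updated, on a separate filtering host.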