RE: [fw-wiz] PIX -> ISA -> OWA Configuration
From: Chris Blask (chris_at_blask.org)
Date: 05/16/05
- Previous message: FirewallAdmin: "RE: [fw-wiz] A fun smackdown..."
- Maybe in reply to: Jason Gomes: "[fw-wiz] PIX -> ISA -> OWA Configuration"
- Next in thread: Paul Melson: "RE: [fw-wiz] PIX -> ISA -> OWA Configuration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Thomas W Shinder" <tshinder@tacteam.net>, <firewall-wizards@honor.icsalabs.com>
Date: Mon, 16 May 2005 01:59:35 -0400
Hey Tom!
At 02:16 PM 5/13/2005, Thomas W Shinder wrote:
>Since the ISA firewall was designed to protect OWA, what would be the
>rationale for not using an ISA firewall?
It isn't inherently a bad idea, as long as you can make that ISA server as
secure as any other option. Making that server secure means configuring
the OS and all assorted paraphernalia correctly (much of which is there for
reasons having nothing to do with - and in many cases in contravention of -
the intended purpose), keeping up on patches (and making sure they don't
stomp on existing desired function) and otherwise ongoing care and fiddling.
Pros of ISA:
o You have a single vendor solution with integrated management and function.
o Some of what you learn working on other MS solutions may apply to the
ISA server (but you may pick up bad habits, as well).
o There could be proprietary functions with the single-vendor solution
that you cannot achieve via other means, and you could want to use these
features (don't know of any, but they could be there in theory).
Cons:
o With all due respect to the folks at Microsoft, they do not have a
stellar track record on security. They do other things for a living.
o Running ISA on a Win OS means you will have lots of great capabilities
installed on that ISA server and, hopefully, for now, those capabilities
are turned off. The hackers' mission, should they choose to accept it, is
to turn some of those capabilities back on and use your security device to
eviscerate your network.
o You have a chain of implementations with similar
characteristics. Should someone find an exploit that works on one link in
the chain, it is quite possible it will work on all links in the chain.
An appliance built and maintained by folks who focus on nothing else for a
living is a coherent specific answer to a question, as opposed to a one-off
implementation of a collection of components, some intended for the purpose
and some not. Like all emerging technologies, at some point front-ending
mail securely into a network precipitates out of solution into the
infrastructure and becomes a standard feature of something already there,
but that time does not seem to be now.
For a topic in as much flux as email security, I think it is still the
right time to go with the specialists. For my vote, a physical box that
demarks the edge of trusted mailspace is a reliable solution that won't
consume undue resource to implement or maintain and will more likely
provide the function and security you require.
-cheers!
-chris
PS - I have no involvement with BorderWare at the moment, so no axe to
grind here. They and their competitors had good workable solutions last I
looked.
Chris Blask
chris@blask.org
blaskworks.blogspot.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards