RE: ISA best practice
From: Kit (kit@smallfoxx.com) Date: 06/11/02
- Previous message: Greene, Michael: "RE: Help me and my ISA server => ISA best practice"
- In reply to: Greene, Michael: "RE: Help me and my ISA server => ISA best practice"
From: "Kit" <kit@smallfoxx.com> To: "Greene, Michael" <MGreene@lrs.com>, <focus-ms@securityfocus.com> Date: Tue, 11 Jun 2002 12:27:56 -0500
Well, let me start at the end and work backwards. Very few, if any, software/host-based firewalls will ever outperform a hardware firewall such as a PIX. There are just too many performance enhancements you get from it all being in chips.
Secondly, it's always better to diversify and deepen your defenses. By that I mean, if you can have multiple interfaces/nodes/tiers to get through to go into or out of a network, and the more diverse the vendors, the less likely it will be to penetrate all the way through them by exploiting a vendor vulnerability. However, in order to properly configure this diverse and complex area, the more diverse and thorough your understanding needs to be. Otherwise you increase your chances of opening up a hole by administrative error.
That being said, if I had unlimited resources and bandwidth wasn't an issue, I'd consider putting a PIX array at the perimeter of my company network, a *NIX based firewall between my DMZ and my internal network, an ISA proxy array behind the *NIX firewall, a firewall between my backoffice & users (probably ISA), probably a *NIX or hardware based firewall between my accounting/billing/HR systems & my other backoffice, and host based firewalls on all my clients.
  Internet
     ^
    PIX
     ^
    DMZ
     ^
   *NIX
     ^
  ISA Proxy
     ^
  Internal -> ISA FW -> Backoffice -> *NIX/Hardware FW -> port filtering -> Acct/Bill/HR
     ^                      └-------> port filtering -> servers
     └------- host-based FW <- clients
That's just my personal opinion. However, one of the often deciding factors for a company or enterprise is cost vs. benefit. For a large complex organization, this is nothing and could often be scaled up even further. For a mid-size company, this should be okay. For a small company, this is probably overkill. And that environment (small company) is where it could come in useful. If you're not a major high target on a hitlist, an ISA Proxy/FW would be very cost efficient and relatively easy for an NT Admin to set up properly without having to put them through a year's worth of diverse training. Now, it'd be best for that NT Admin to get all the knowledge, and for the good ones it would be much, but unfortunately, most small companies want to go with the safest/cheapest options. Unfortunately, those two factors do not usually coincide with one another.
Therefore, if you've got a small company and the only thing your admins know is NT/2000, then ISA is a nice option. However, after you install ISA, tell the admins they need to learn more options or they're outta there.
$.02
-K
> -----Original Message-----
> From: Greene, Michael [mailto:MGreene@lrs.com]
> Sent: Tuesday, June 11, 2002 10:38 AM
> To: focus-ms@securityfocus.com
> Subject: RE: Help me and my ISA server => ISA best practice
>
> There are, of course, many ways for an ISA server to fit into the network
> perimeter. I do not mean to distract attention from the intent of this
> thread, which is to help determine where it will fit best into a particular
> network, especially if doing so might prolong a colleague from receiving
> needed support. Therefore, with that in mind, I would like to spawn a
> separate thread.
>
> What is the consensus of using ISA as a firewall in an enterprise network
> design? What is the most effective and best practice method of
> implementation? I don't think we necessarily need specifics here, but from
> a bird's eye view what are the most effective placement and installation?
>
> I personally would rather see an ISA array functioning as a method of
> monitoring traffic and restricting access with Active Directory integration
> and a hardware-based firewall with a proprietary platform on a separate
> device(s). To explain a bit more without getting off-topic, the servers
> would only need one NIC because they are only connected to the internal (RFC
> 1918 compliant) network, but I believe most of the outbound access control
> will still function.
>
> I am very excited to hear other professionals' opinions on this topic. Do
> you trust ISA as a firewall? Does the fact that it is operating on a
> Windows platform make it inherently less secure? Is it as robust and
> effective as a PIX or a Firewall 1? (only suggestions, I am not trying to be
> vendor specific) If so, or if not, why and what would be the best practice
> method of implementation?
>
> Michael
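As an added illustration (not code from either message in this thread) of Kit's tiered design above: a flow must be permitted by every firewall tier it crosses, each tier is a first-match ACL with an implicit deny, and a fault in one vendor's product only opens the tiers built on that product. The addresses, ports, vendor labels and tier names in the model are hypothetical.

```python
"""Added illustration of the tiered design in the thread (not code from the
thread itself). A flow is checked against each tier it crosses, in order;
every tier is a first-match ACL with an implicit deny, so a flow gets
through only if every tier permits it. All addresses, ports and vendor
labels below are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source host address
    dst: str      # destination host address
    dport: int    # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: str                          # source CIDR
    dst: str                          # destination CIDR
    dports: Tuple[int, ...] = ()      # empty tuple means any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (not self.dports or f.dport in self.dports))


ANY = "0.0.0.0/0"
PERMIT_ALL = [Rule("permit", ANY, ANY)]   # what a tier that has failed open looks like

Tier = Tuple[str, str, List[Rule]]        # (tier name, vendor, ACL)


def evaluate(acl: List[Rule], f: Flow) -> bool:
    """First matching rule wins; no match means deny."""
    for r in acl:
        if r.matches(f):
            return r.action == "permit"
    return False


def first_block(tiers: List[Tier], f: Flow) -> Optional[str]:
    """Name of the first tier that drops the flow, or None if every tier permits it."""
    for name, _vendor, acl in tiers:
        if not evaluate(acl, f):
            return name
    return None


def with_vendor_hole(tiers: List[Tier], vendor: str) -> List[Tier]:
    """Model a vendor vulnerability: every tier from that vendor fails open."""
    return [(n, v, PERMIT_ALL if v == vendor else acl) for n, v, acl in tiers]


# Hypothetical addressing for the example (constructed, not from the thread)
DMZ, PROXY_HOST, DB_HOST = "192.0.2.0/24", "10.0.1.10", "10.0.5.20"
PIX_ACL = [Rule("permit", ANY, DMZ, (80, 443))]                            # Internet -> DMZ web only
NIX_ACL = [Rule("permit", DMZ, PROXY_HOST + "/32", (8080,))]               # DMZ -> ISA proxy only
ISA_ACL = [Rule("permit", PROXY_HOST + "/32", DB_HOST + "/32", (1433,))]   # proxy -> DB only

DIVERSE = [("PIX", "cisco", PIX_ACL), ("*NIX", "unix", NIX_ACL), ("ISA", "microsoft", ISA_ACL)]
MONOCULTURE = [("fw1", "vendorX", PIX_ACL), ("fw2", "vendorX", NIX_ACL), ("fw3", "vendorX", ISA_ACL)]

ATTACK = Flow("198.51.100.7", DB_HOST, 1433)   # Internet host aimed straight at the database


if __name__ == "__main__":
    print("intact chain blocks at:", first_block(DIVERSE, ATTACK))
    print("PIX fails open, blocked at:", first_block(with_vendor_hole(DIVERSE, "cisco"), ATTACK))
    print("single vendor fails open, blocked at:",
          first_block(with_vendor_hole(MONOCULTURE, "vendorX"), ATTACK))
    # Legitimate path: the DMZ web server reaches only the proxy (crossing the *NIX tier),
    # and the proxy's own connection to the DB crosses only the ISA tier.
    print("web -> proxy:", first_block([DIVERSE[1]], Flow("192.0.2.10", PROXY_HOST, 8080)))
    print("proxy -> db:", first_block([DIVERSE[2]], Flow(PROXY_HOST, DB_HOST, 1433)))
```

With the mixed-vendor chain, a hole in the PIX tier still leaves the attack stopped at the *NIX tier; with three tiers from one vendor, the same hole opens all three and the flow reaches the database. The legitimate traffic works only because each tier permits exactly one next hop (web tier to proxy, proxy to database), which is the positive-security model the layered diagram implies.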