RE: ISA Server or Firewall Appliance?

From: Nick Wells (nick_at_clandestineresearch.com)
Date: 11/16/05

    To: <focus-ms@securityfocus.com>
    Date: Tue, 15 Nov 2005 18:35:35 -0500

    I've been using ISA 2004 on a box that's been facing the internet since it
    was released as a public beta. I've run other firewall "appliances" as well
    as both m0n0wall and pfSense (pfSense is a variant of m0n0wall optimized for
    use on standard PC hardware) and I've really found it to have the best
    feature set. I also read an article in Network Computing or Windows Magazine
    that put ISA 2004 as one of the fastest firewalls, almost achieving "full"
    1000Base-TX speeds.

    I think ISA's real redemption comes from the hardware that it runs on,
    standard (sometimes cheap) PC components. If you get a power surge on an
    Ethernet card (because only in the engineer's dreamworld does the Ethernet
    cable get its own surge arrestor) and blow the card, there's a $20
    replacement at the local computer store. On the other hand, you have the
    sleek, integrated units that you have to throw away or RMA if something gets
    zapped, and you won't be able to troubleshoot them to the same degree you'd
    be able to troubleshoot an ISA server.

    Personally, I was able to configure the ISA 2004 box to do just about
    everything, once I understood how the rules worked. I've got it set up to
    demand-dial a PPPoE connection; it also handles the site-to-site VPN, which
    was a PPTP connection at first, but then IPsec after the remote site got a
    SonicWall Pro 330 (which is nowhere near as configurable, IMO). The only
    real issues I've had with it are more related to Windows, rather than ISA
    (compared to a Cisco 2600, Windows' routing table leaves something to be
    desired).

    m0n0wall is a nice package if you're planning to use something like a PC
    Engines WRAP or a Soekris single-board computer (WRAPs are limited to about
    45Mbps throughput; Soekris is substantially more powerful). pfSense was
    forked from the m0n0wall source and developed specifically to run on
    standard PC hardware; it's SMP aware, so there's a benefit if you need a
    really fast firewall. pfSense has a lot of features, but I don't think
    they'll all ever be as mature as the features that ISA has, which has more
    features than I have explored.

    I don't know how helpful I've been, but I figured I'd speak up since I've
    worked with a few different types of firewalls (I work for an ISP).

    -----Original Message-----
    From: James Eaton-Lee [mailto:james.mailing@gmail.com]
    Sent: Tuesday, November 15, 2005 16:28
    To: Marcos Marrero
    Cc: focus-ms@securityfocus.com
    Subject: Re: ISA Server or Firewall Appliance?

    On Tue, 2005-11-15 at 11:58 -0500, Marcos Marrero wrote:
    > Hello to all,
    >
    > I have a question to see what everyone out there thinks. Here it goes...
    >
    > Is it better to have a firewall appliance (Checkpoint, Juniper, etc) or
    > is ISA server enough to use as a firewall (along with all of the other
    > options it provides)?
    >
    > Of course the ISA server would sit facing the internet, like a firewall
    > would and it would have to sit on a hardened machine.
    >
    > Just want to know what everyone out there thinks about this
    > configuration or idea?

    What you have to bear in mind here is that an appliance is, generally, a
    hardware platform fairly similar to that which you might deploy ISA on
    top of, with a proprietary operating system (typically based on FreeBSD,
    or some other BSD-derived OS). Oftentimes these firewalls will run from
    flash memory rather than hard disks, but that aside there can be very
    few differences - I've seen more than one appliance (Checkpoint being
    just one) based around a fairly standard ATX motherboard with an
    Athlon XP chip!

    Appliances have advantages in some instances and not in others.

    Specifically, due to the overhead of running ISA (which is harder to
    chop down to provide a subset of the capabilities of a simpler package)
    and a large, general purpose operating system, you'll almost find that
    an appliance will handle a greater load than ISA on a similar box,
    particularly if you're doing anything remotely intensive (although with
    modern hardware you'll frequently hit hardware limitations first).

    Arguably, due to the dedicated nature of an appliance, it's also more
    secure, as there are fewer running services, and there's more operating
    system hardening and more functionality gutted out of the operating
    system - less to go wrong, and less to exploit when something does.

    There are also disadvantages to appliances - they're, generally
    speaking, not designed to be administered in as comprehensive a manner
    as their 'software' counterparts - meaning that when you do need to
    remove or add something it can be harder. This argument applies equally
    to adding NICs and, for instance, adding proxying capability.

    Specific to ISA, ISA is extremely flexible, and you'll probably find it
    far more capable of being deployed in different roles than, for
    instance, Checkpoint. This is also a mixed blessing (as you don't
    necessarily want ISA providing routing for your internet backbone, even
    if you can use it for this). It also benefits from domain integration,
    and (in my opinion) this is one of the most compelling arguments in its
    favour.

    You could also argue that if you want separation between different
    segments of your security strategy, this is a bad thing when compared to
    a set of checkpoint firewalls.

    You'll get a different argument on this from everyone (everyone has
    their favourite firewall), but hopefully that's outlined some of the
    broader arguments in favour of appliances vs. software firewalls.

    It's also worth looking (shudder the thought) at 'free' alternatives, if
    you're doing a comparison - and there are just as many different options
    here as there are in the commercial world, from the use of an operating
    system which provides routing/firewalling capability through
    kernel & userspace tools generally bundled with the OS (such as OpenBSD
    with pf, FreeBSD with ipfw, or Linux with iproute2/netfilter) to an
    'appliance' based on BSD or Linux.

    The latter choice starts to become more appealing when you bear in mind
    that plenty of vendors (Checkpoint, Juniper and Borderware being just a
    few) base their network devices on BSD (and some on Linux, like
    Linksys). It's another debate entirely what they add to bog-standard
    BSD, but the comparison is worth making.

    m0n0wall, IPCop, SmoothWall and Redwall are all worth looking at in
    these situations - m0n0wall being perhaps the most appropriate for
    deployments you may be looking at. They are worth at least looking at
    when, in the commercial world, license fees are such a large
    consideration!

    The only last point I'd make is that I'd be hesitant in deploying ISA in
    an internet facing role (although I do and have done that before) - but
    I don't really have a justification for this aside from "it just doesn't
    feel quite right".

    Hope that helps! :)

     - James.

    > Regards
    > Marcos Marrero * Banking Officer * Data Security
    > Lloyds TSB Bank * US Information Technology
    > _________________________________
    > Tel: (305) 347-6421 * Fax (305) 371-8607
    >
    >
    >
    > **********************************************************************
    > This Email is intended for the exclusive use of the addressee only.
    > If you are not the intended recipient, you should not use the
    > contents nor disclose them to any other person and you should
    > immediately notify the sender and delete the Email.
    >
    > Lloyds TSB Bank plc is registered in England and Wales Number: 2065.
    > Registered office: 25 Gresham Street, London EC2V 7HN.
    >
    > **********************************************************************
    >
    >
    > This email has been scanned for all viruses by the MessageLabs SkyScan
    > service.
    >
    >
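James's point about an OS-provided firewall (OpenBSD with pf) and Marcos's requirement that the edge box be "hardened" both come down to the same thing: a default-deny ruleset with very little exposed. The following pf.conf is an added example written for this page; it is not from the thread or from any of the products discussed. The interface names, the internal network and the abbreviated bogon list are assumed placeholders, and the `match ... nat-to` form is modern OpenBSD syntax rather than the 2005-era `nat on` syntax.

```pf
# Added example: minimal default-deny edge ruleset for OpenBSD pf.
# em0 / em1 and 192.168.1.0/24 are assumed placeholders.
ext_if  = "em0"               # internet-facing interface (assumed)
int_if  = "em1"               # LAN-facing interface (assumed)
lan_net = "192.168.1.0/24"    # internal network (placeholder)

set skip on lo0               # never filter loopback
set block-policy drop         # drop silently instead of answering with RST/ICMP

# Default state is "closed": everything not explicitly passed is blocked and
# logged, so a rule mistake shows up in pflog rather than as an open port.
block log all

# Abbreviated list of addresses that must never arrive from the internet.
table <martians> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                   172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 }
block in quick on $ext_if from <martians> to any
antispoof quick for { $int_if $ext_if }

# Masquerade LAN traffic behind the external address.
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# LAN hosts may reach the firewall itself only over SSH; everything else
# from the LAN is forwarded outbound. State is kept by default in pf.
pass in on $int_if proto tcp from $lan_net to ($int_if) port 22
pass in on $int_if from $lan_net to ! $lan_net
pass out on $ext_if from ($ext_if) to any

# Nothing is passed inbound on $ext_if, so no service on the box is exposed.
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded) before `pfctl -f /etc/pf.conf`, list the active rules with `pfctl -sr`, and watch what the default block is catching with `tcpdump -n -e -ttt -i pflog0`. That log is the cheapest form of the "less to go wrong, and less to exploit" argument above: with a default-deny policy, anything unexpected appears there first.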

