RE: ISA Server or Firewall Appliance?
From: Derick Anderson (danderson_at_vikus.com)
Date: 11/16/05
- Previous message: enine: "Re: More... On the topic of Windows Hardening, MS05-018?"
- Maybe in reply to: Marcos Marrero: "ISA Server or Firewall Appliance?"
- Next in thread: James Eaton-Lee: "RE: ISA Server or Firewall Appliance?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Nov 2005 12:03:51 -0500
To: <focus-ms@securityfocus.com>
> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:sbradcpa@pacbell.net]
> Sent: Tuesday, November 15, 2005 8:52 PM
> To: James Eaton-Lee
> Cc: Marcos Marrero; focus-ms@securityfocus.com
> Subject: Re: ISA Server or Firewall Appliance?
>
> The annoying SBSer with ISA on her box is going to challenge
> you on that one.
>
> What exactly doesn't feel quite right? Why does it not feel right?
>
> In my network I like it because it's on a platform that I can
> monitor easier. Control better. Patch easier. [WSUS will
> soon support ISA as a matter of fact]
>
> Isn't the same true for big networks?
>
> I think we all need to let go of our OS perceptions and look
> at the realities of operating systems these days and what
> not. If we can't control it...understand it...I'm not sure
> it's not helping in the security fabric of my network.
>
> Our firewalls are not our perimeters any more.
>
> http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US
>
I'll add my two cents - I've never used ISA (or Cisco, Juniper,
WatchGuard, etc.), in fact I've only ever used netfilter on Debian
Linux, with no GUI and as few packages installed as necessary. I believe
in deploying servers with the minimum number of services required for it
to function as intended.
I don't need a GUI to configure my firewall, nor do I need Remote
Desktop or IIS or a JVM or DCOM or wallpaper or Windows startup sounds
or a certification from Cisco. However, I did need to spend a lot of
time learning how network protocols, NAT, connection tracking and
netfilter work. I think it was well worth the investment.
Performance-wise, I believe Netfilter is adequate: 200,000 pps/20,000
new requests per second, with filtering, connection tracking, and NAT on
an Opteron-based system (Intel was significantly slower).
I think it depends on whether you need something to work now, securely,
or whether you can trade off time for a minimal installation, which is
theoretically more secure than one which brings the trappings of a
user-oriented operating system, like Windows or Red Hat/SUSE.
Derick Anderson
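As an added example for readers of this thread (not Derick's configuration and not anything posted in the original messages), here is what the "minimal netfilter, no GUI" approach he describes looks like in practice: a small stateful ruleset in iptables-restore format with a default-deny policy, connection tracking, SNAT for the LAN and a DNAT port-forward. The interface names (eth0/eth1), the LAN range, the forwarded host and the `--apply`/`--check` flags are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: minimal stateful netfilter ruleset (iptables-restore format).
# Interface names, addresses and the CLI flags below are assumptions, not
# taken from the original thread.

WAN_IF="${WAN_IF:-eth0}"            # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"            # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed internal network
DMZ_WEB="${DMZ_WEB:-192.168.1.10}"   # assumed internal host reached via DNAT

# Emit the complete ruleset to stdout. Nothing is applied here; load it with
#   gen_ruleset | iptables-restore
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine
-A INPUT -i lo -j ACCEPT
# Drop what conntrack cannot classify (bogus TCP flags, out-of-window data)
# before the ESTABLISHED rule gets a chance to let it through
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Stateful core: replies to connections we already track are accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management: new SSH connections only from the LAN
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may open new connections to the Internet
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Inbound web traffic: PREROUTING has already rewritten the destination,
# so the FORWARD rule matches the internal address
-A FORWARD -i $WAN_IF -o $LAN_IF -d $DMZ_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited logging of whatever the chain policy is about to drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port-forward WAN:80 to the internal web server
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# Hide the LAN behind the WAN address on the way out
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity-check the generated text before it is ever loaded: default-deny
# policies present, INVALID dropped, NAT in place.
check_ruleset() {
    rules=$(gen_ruleset)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    echo "$rules" | grep -q 'ctstate INVALID -j DROP' || return 1
    echo "$rules" | grep -q -- '-j MASQUERADE' || return 1
    echo "$rules" | grep -q -- '-j DNAT --to-destination' || return 1
    return 0
}

case "${1:-}" in
  --apply)
    # Needs root and the nf_conntrack/NAT modules; routing must be enabled
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
    ;;
  --check)
    check_ruleset && echo "ruleset ok"
    ;;
  *)
    gen_ruleset
    ;;
esac
```

Two details are worth noting. The INVALID drop comes before the ESTABLISHED,RELATED accept on purpose: conntrack marks stray packets that belong to no tracked flow as INVALID, and dropping them first keeps them from being mistaken for part of an existing session. The FORWARD rule for the port-forward matches the post-DNAT internal address, because nat/PREROUTING runs before filter/FORWARD sees the packet.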