RE: ISA Server or Firewall Appliance?

From: Derick Anderson (danderson_at_vikus.com)
Date: 11/16/05

  • Next message: Laura A. Robinson: "RE: Renaming Administrator account"
    Date: Wed, 16 Nov 2005 12:03:51 -0500
    To: <focus-ms@securityfocus.com>
    
    

     

    > -----Original Message-----
    > From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    > [mailto:sbradcpa@pacbell.net]
    > Sent: Tuesday, November 15, 2005 8:52 PM
    > To: James Eaton-Lee
    > Cc: Marcos Marrero; focus-ms@securityfocus.com
    > Subject: Re: ISA Server or Firewall Appliance?
    >
    > The annoying SBSer with ISA on her box is going to challenge
    > you on that one.
    >
    > What exactly doesn't feel quite right? Why does it not feel right?
    >
    > In my network I like it because it's on a platform that I can
    > monitor easier. Control better. Patch easier. [WSUS will
    > soon support ISA as a matter of fact]
    >
    > Isn't the same true for big networks?
    >
    > I think we all need to let go of our OS perceptions and look
    > at the realities of operating systems these days and what
    > not. If we can't control it...understand it...I'm not sure
    > it's not helping in the security fabric of my network.
    >
    > Our firewalls are not our perimeters any more.
    >
    > http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?Eve
    > ntID=1032286231&EventCategory=3&culture=en-US&CountryCode=US
    >

    I'll add my two cents - I've never used ISA (or Cisco, Juniper,
    WatchGuard, etc.), in fact I've only ever used netfilter on Debian
    Linux, with no GUI and as few packages installed as necessary. I believe
    in deploying servers with the minimum number of services required for it
    to function as intended.

    I don't need a GUI to configure my firewall, nor do I need Remote
    Desktop or IIS or a JVM or DCOM or wallpaper or Windows startup sounds
    or a certification from Cisco. However, I did need to spend a lot of
    time learning how network protocols, NAT, connection tracking and
    netfilter work. I think it was well worth the investment.
    Performance-wise, I believe Netfilter is adequate: 200,000 pps/20,000
    new requests per second, with filtering, connection tracking, and NAT on
    an Opteron-based system (Intel was significantly slower).

    I think it depends on whether you need something to work now, securely,
    or whether you can trade off time for a minimal installation, which is
    theoretically more secure than one which brings the trappings of a
    user-oriented operating system, like Windows or Red Had/SUSE.

    Derick Anderson

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Laura A. Robinson: "RE: Renaming Administrator account"

    Relevant Pages

    • Re: Internet Intermittent Connection
      ... Here are my IPs for the network: ... ISA Internal NIC: 192.168.100.1 ... Modem External: Public IP Address ... I have an intermittent Internet connection that has been going on for ...
      (microsoft.public.isa)
    • Re: ISA 2006 configuration question - multiple VLANs and domains
      ... very familiar with network segments vs. domains et. al. ... multihomed ISA 2006 server forward a DHCP request to the proper VLAN ... ISA is a Firewall Product designed to protect a network from the Internet. ...
      (microsoft.public.isa.configuration)
    • Re: Disable dynamic route entries in Windows 2003?
      ... and how they're configured/managed by the network folks. ... My ISA servers have two NIC's: one in a VLAN that is an "internal" DMZ, ... So, from the standpoint of ISA Server, there are two separate interfaces ... the "Internal VLAN can NOT route to the Internet VLAN, ...
      (microsoft.public.windows.server.networking)
    • RE: SBS 2003, ISA 2004
      ... ISA and IIS try listening on these two ports. ... by default the Web Proxy is listening on port 8080 ... of the local network adapter. ... Microsoft CSS Online Newsgroup Support ...
      (microsoft.public.windows.server.sbs)
    • Re: VPN not working when i connect through SBS 2003 server running ISA 2004
      ... appears in the Application log in ISA Server 2006 or in ISA Server 2004 ... do not correlate with the network element to which this adapter belongs. ... VPN to another network where there is a Draytek router as ... Telnetting to port 1723 on network 1 seems to elicit a connection. ...
      (microsoft.public.windows.server.sbs)