Re: ISA Server or Firewall Appliance?

From: Abe Getchell (mailing.list.spooler_at_gmail.com)
Date: 11/16/05

    Date: Wed, 16 Nov 2005 12:37:01 -0500
    To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
    
    

    Susan,

    ISA is a very flexible piece of software, as mentioned previously in
    this conversation. In technology, flexibility usually implies
    complexity. In this case, that implication is very true, as both ISA and
    Windows are extremely complex pieces of software. Complexity is not
    something you want in a firewall, under any circumstances, but
    especially not on the perimeter (given a "buffer" which usually exists
    in regards to an internal firewall). Complexity means more moving parts,
    more things to break, more things to misconfigure, more things to
    manage... With an appliance (or appliance-like) solution, the vast
    majority of that complexity doesn't exist. This theory is a simple "best
    practice" which many organizations follow, or should, if they don't.

    Another problem I have, personally, with ISA is the fact that it's
    (usually) tied into the same directory which an organization uses to
    manage the rest of their business systems. This functionality should be
    completely separate in theory (in accordance with "best practices" as
    well as what Microsoft has stated in numerous whitepapers), but in
    practice, it usually is not. Managing your perimeter firewall via the
    same directory you use to manage the print server which is on your
    internal network is NOT a good idea, for any number of reasons.

    Abe

    -- 
    Abe Getchell
    abegetchell@gmail.com
    http://abegetchell.com/

    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
    > The annoying SBSer with ISA on her box is going to challenge you on that 
    > one.
    > 
    > What exactly doesn't feel quite right?  Why does it not feel right?
    > 
    > In my network I like it because it's on a platform that I can monitor 
    > easier. Control better.  Patch easier.  [WSUS will soon support ISA as a 
    > matter of fact]
    > 
    > Isn't the same true for big networks?
    > 
    > I think we all need to let go of our OS perceptions and look at the 
    > realities of operating systems these days and what not.  If we can't 
    > control it...understand it...I'm not sure it's not helping in the 
    > security fabric of my network.
    > 
    > Our firewalls are not our perimeters any more.
    > 
    > http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US 