Re: ISA Server or Firewall Appliance?

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 11/16/05

  • Next message: Abe Getchell: "Re: ISA Server or Firewall Appliance?"
    Date: Wed, 16 Nov 2005 09:50:48 -0800
    To: mailing.list.spooler@gmail.com
    
    

    I've seen/read the CISCO security guides on NSA... I've seen
    misconfigured appliance firewalls. There's a lot of complexity out
    there even in these dedicated devices.

    I'm not convinced 'the vast majority of that complexity doesn't exist'
    is a valid statement anymore in what we have going through our
    firewalls these days and what we have installed.

    I'm a SBSer so throw me out the best practices window anyway as I break
    all of 'em ... but take a box [a], stick a secure.inf template on it or
    run the Secure Configuration Wizard, I'm just not convinced that unless
    you have folks that understand that firewall you can make such blanket
    statements these days.

    Cisco Router Security Recommendation Guides // National Security Agency //:
    http://nsa2.www.conxion.com/cisco/

    [a] and when I say ..take a box... that means Windows 2003 only, 2000
    even with .inf's applied just isn't the same beast.

    Abe Getchell wrote:
    > Susan,
    >
    > ISA is a very flexible piece of software, as mentioned previously in
    > this conversation. In technology, flexibility usually implies
    > complexity. In this case, that implication is very true, as both ISA
    > and Windows are extremely complex pieces of software. Complexity is
    > not something you want in a firewall, under any circumstances, but
    > especially not on the perimeter (given a "buffer" which usually exists
    > in regards to an internal firewall). Complexity means more moving
    > parts, more things to break, more things to misconfigure, more things
    > to manage... With an appliance (or appliance-like) solution, the vast
    > majority of that complexity doesn't exist. This theory is a simple
    > "best practice" which many organizations follow, or should, if they
    > don't.
    >
    > Another problem I have, personally, with ISA is the fact that it's
    > (usually) tied into the same directory which an organization uses to
    > manage the rest of their business systems. This functionality should
    > be completely separate in theory (in accordance with "best practices"
    > as well as what Microsoft has stated in numerous whitepapers), but in
    > practice, it usually is not. Managing your perimeter firewall via the
    > same directory you use to manage the print server which is on your
    > internal network is NOT a good idea, for any number of reasons.
    >
    > Abe
    >

    -- 
    Letting your vendors set your risk analysis these days?
    http://www.threatcode.com
