Re: ISA Server or Firewall Appliance?

From: John Kinsella (jlk_at_thrashyour.com)
Date: 11/16/05

    Date: Wed, 16 Nov 2005 09:10:56 -0800
    To: focus-ms@securityfocus.com
    
    

    Susan et al... :) I'll attempt to address from the other end...I
    usually work with large clients on major networks. One caveat: While
    quite familiar with Windows and its positives/negatives, I haven't
    personally used ISA yet...gotta get it up in my lab.

    For me, I usually try to be OS-agnostic. An OS is a tool; as long as
    that tool meets my needs in an effective and efficient manner, I'm happy.
    In the environments I work in, network security is handled by network
    teams - firewalls usually are Checkpoint, Cisco or Juniper/Netscreen.
    They all have their pros and cons.

    As a security professional, I became ok with the concept of Windows in
    the infrastructure as a db/app/web server, as long as the OS is hardened
    and the box is firewalled at least to layer 4. Boxes that I recommend as
    firewalls have proven over time that they have a reliable network stack,
    can provide fault-tolerance, can easily handle wire-speed attacks, and
    use a command line which the network administrators[1] are familiar with.
    Windows has not demonstrated a reliable network stack to me, and while
    it can be fairly reliable as an OS I can't comment on high-availability
    designs of ISA since I haven't tested it. Microsoft still isn't providing
    me with the level of satisfaction I'd want from a security vendor.

    So, if you're a Windows shop, with a small to medium size network,
    ISA might just treat you fine, but personally that idea is scary as
    all hell. I'll always recommend firewalling Windows servers, even
    if they have firewall software on them. For a larger shop that uses
    managed switches, dynamic routing, multiple VLANs...They're just going
    to be more comfortable with the CLIs.

    My recommendation for a "small" firewall - check out Netscreen's 5GT -
    sweet little box for a few hundred bucks.

    Oh, last thing, regarding talking about NICs getting burned out in a PC -
    most PC firewalls I've seen in the last year or two have on-board NICs,
    so if that gets smoked, you might be seeing more than just a NIC go up
    in a poof. Just something to keep in mind...

    John
    1: "Network Administrators" is being used in its "real" definition -
    people who administer networks. This differs from "Windows
    administrators" or "UNIX administrators."

    On Tue, Nov 15, 2005 at 05:51:30PM -0800, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
    > The annoying SBSer with ISA on her box is going to challenge you on that
    > one.
    >
    > What exactly doesn't feel quite right? Why does it not feel right?
    >
    > In my network I like it because it's on a platform that I can monitor
    > easier. Control better. Patch easier. [WSUS will soon support ISA as a
    > matter of fact]
    >
    > Isn't the same true for big networks?
    >
    > I think we all need to let go of our OS perceptions and look at the
    > realities of operating systems these days and what not. If we can't
    > control it...understand it...I'm not sure it's not helping in the
    > security fabric of my network.
    >
    > Our firewalls are not our perimeters any more.
    >
    > http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US
    >
    >
