RE: ISA Server or Firewall Appliance?

From: Jim Harrison (ISA) (Jim.Harrison_at_microsoft.com)
Date: 11/17/05

    Date: Wed, 16 Nov 2005 15:32:50 -0800
    To: "M W" <l1sts@yahoo.com>, "Marcos Marrero" <mmarrero@LLOYDSTSB-USA.com>, "James Eaton-Lee" <james.mailing@gmail.com>
    
    

    (resending; got rejected)

    If you've run into this, it was because whoever deployed ISA did so very poorly.
    From the tone of your concerns, it sounds as if you've not really reviewed the MS firewall offerings since Proxy 2.

    Jim Harrison
    Security Platform Group (ISA SE)

    If We Can't Fix It - It Ain't Broke!
    ________________________________________
    From: M W [mailto:l1sts@yahoo.com]
    Sent: Wednesday, November 16, 2005 1:24 PM
    To: Marcos Marrero; Jim Harrison (ISA); James Eaton-Lee
    Cc: focus-ms@securityfocus.com
    Subject: RE: ISA Server or Firewall Appliance?

    I would argue that the firewall appliance might be the better option from a functional point of view. Most companies block all outbound ports on their firewall, except for port 80 / 443. I believe Microsoft ISA requires port 80, leaving the actual HTTP website on port 81 (or any other port of their choosing). I've seen a handful of instances where internal users can't browse to another company's web application because the ISA firewall used port 80 and the web app is on port 81. Then it requires a firewall rule allowing that specific traffic or the user can't browse to the app from inside a corporate network.

    Not a big deal, but something I've run into.  Of course, I'm relying on the factualness of the other IT administrators I've talked to, who tell me that Microsoft ISA requires port 80, which required them to move their web app to another port.

    Marcos Marrero <mmarrero@LLOYDSTSB-USA.com> wrote:

    I think that the main argument for not deploying ISA in an internet
    facing environment is because of the underlying OS; Windows.

    Windows has been under attack for how many years now? I believe that if
    Windows is locked down appropriately it can be used as described above.

    Regards
    Marcos Marrero

    -----Original Message-----

    From: Jim Harrison (ISA) [mailto:Jim.Harrison@microsoft.com]
    Sent: Tuesday, November 15, 2005 5:49 PM
    To: James Eaton-Lee; Marcos Marrero
    Cc: focus-ms@securityfocus.com
    Subject: RE: ISA Server or Firewall Appliance?

    This:
    "The only last point I'd make is that I'd be hesitant in deploying ISA
    in an internet facing role (although I do and have done that before) -
    but I don't really have a justification for this aside from "it just
    doesn't feel quite right"."

    ...statement is something that is expressed fairly often, but fortunately
    has not a single grain of substance to it. To James' credit, he does
    qualify his hesitation...
    I know it sounds like marketing spew, but the simple fact is; in 5+
    years of service on anything from an SBS server, OEM appliance to HUGE
    enterprise deployments, ISA server has the distinction of not having
    been the recipient of one single exploit in the wild.

    Yes; we've shipped patches for it and the odds are (realistically
    speaking), we may well do so again. So do Cisco, Juniper, et al and we
    don't hear the "just doesn't feel right" when they need patching.

    Contrast this with literally *no other* firewall maker (truthfully)
    making this claim and you have quite a piece of information at your
    disposal when you present your options in CxO-land.

    Jim Harrison
    Security Platform Group (ISA SE)
    If We Can't Fix It - It Ain't Broke!
