Re: ISA Server or Firewall Appliance?

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 11/17/05

    Date: Thu, 17 Nov 2005 12:28:52 -0800
    To: Thomas W Shinder <tshinder@tacteam.net>
    
    

    My 'edge' of my network is my Windows Mobile cell phone that has a
    username/password that uses ActiveSync to my domain. I have firm
    information on that device and must assign resources for it as it's
    outside 'my wall'. I'm not talking about the traditional edge but
    rather the informational edge of my network.

    http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx

    Will Microsoft Internet Security and Acceleration (ISA) Server updates
    be handled by WSUS?

            
    A.

    Over time, WSUS will support all Microsoft updates, including ISA
    Server. However, at release, the plan is for WSUS to support Windows,
    Office XP, Office 2003, SQL Server 2000, MSDE 2000, and Exchange Server
    2003.

    Thomas W Shinder wrote:
    > Hi Susan,
    >
    > I think you misunderstood what they were trying to communicate during
    > that Webcast, and the presenters didn't do a really good job at
    > explicating their positions.
    >
    > Many people think that there is no more perimeter (or edge), or that the
    > perimeter (or edge) somehow magically changed to the end point on the
    > corporate network. Neither assertion is true or believable. Sure, there
    > is a more heterogeneous set of security zones that need to be segmented
    > from one another, but to say that there is no more "perimeter" or no
    > more "edge" is ridiculous at best, delusional at worst (sort of like
    > saying that SBS doesn't represent a security compromise).
    >
    > Try this experiment to prove this fact: deploy an ISA firewall (not on
    > SBS but in a real firewall configuration) on the edge of the network.
    > Lock down the System Policy and create well designed, thoughtful and
    > functional firewall policy that controls both inbound and outbound
    > access through the ISA firewall. Make sure you deploy both the Web proxy
    > and Firewall client so you get comprehensive user information in the log
    > files that you can use for comprehensive reporting later.
    >
    > Let that run for a month and see what the effects are on network
    > performance and the overall security position of all hosts on all
    > network segments on the corporate network that require Internet access.
    >
    > Now, try this: Assign all your network hosts public addresses and put a
    > router (a real router, not a NAT device) on the edge and allow
    > everything in and everything out. Don't change anything on your clients
    > -- don't upgrade the OSs, don't install any new software other than what
    > you have now -- just like the ISA firewall test. (No fair cheating by
    > installing local host firewalls, NIDS, upgrading OSs, etc. to make up
    > for the problems that you know will result from this test.)
    >
    > Now compare the results of your network performance metrics and overall
    > security situation with that you had with the ISA firewall in place.
    >
    > OK. Now, tell me -- is there an "edge" or "perimeter" or whatever you
    > want to call it and has it disappeared? Is the DMZ dead? Are the
    > endpoints the only things we need to "firewall"? I'm really afraid that
    > Microsoft's push for NAP (which is what all this stuff is about) is
    > confusing Microsoft networking folks and making them think that NAP
    > somehow obviates the need for network firewalls, both at the edge and
    > at all security perimeters.
    >
    > PS -- what do you mean that WSUS will support ISA?
    >
    > HTH,
    > Tom
    >
    > Thomas W Shinder, M.D.
    > Site: www.isaserver.org
    > Blog: http://spaces.msn.com/members/drisa/
    > Book: http://tinyurl.com/3xqb7
    > MVP -- ISA Firewalls
    > **Who is John Galt?**
    >
    >
    >
    >
    >> -----Original Message-----
    >> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    >> [mailto:sbradcpa@pacbell.net]
    >> Sent: Tuesday, November 15, 2005 7:52 PM
    >> To: James Eaton-Lee
    >> Cc: Marcos Marrero; focus-ms@securityfocus.com
    >> Subject: Re: ISA Server or Firewall Appliance?
    >>
    >> The annoying SBSer with ISA on her box is going to challenge you on
    >> that one.
    >>
    >> What exactly doesn't feel quite right? Why does it not feel right?
    >>
    >> In my network I like it because it's on a platform that I can monitor
    >> easier. Control better. Patch easier. [WSUS will soon support ISA as a
    >> matter of fact]
    >>
    >> Isn't the same true for big networks?
    >>
    >> I think we all need to let go of our OS perceptions and look at the
    >> realities of operating systems these days and what not. If we can't
    >> control it...understand it...I'm not sure it's not helping in the
    >> security fabric of my network.
    >>
    >> Our firewalls are not our perimeters any more.
    >>
    >> http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US

    -- 
    Letting your vendors set your risk analysis these days?  
    http://www.threatcode.com
