RE: ISA Server or Firewall Appliance?

From: Jim Harrison (ISA) (Jim.Harrison_at_microsoft.com)
Date: 11/17/05

    Date: Thu, 17 Nov 2005 13:28:38 -0800
    To: "John Kinsella" <jlk@thrashyour.com>, <focus-ms@securityfocus.com>
    
    

    Your statements are fine as far as they go, but there is real (as
    opposed to anecdotal) data that directly contradicts your stated
    concerns.
    There are *lots* of Enterprise networks running ISA 2000 and/or ISA 2004
    on the edge.
    Several of these customers have also consented to public case studies
    which are (proudly) posted on the microsoft.com/isaserver pages.

    Short story - no one has offered anything more than "ancient history" to
    counter the facts offered in ISA's favor.

    I can guarantee that literally no one would be more interested in
    hearing of a properly configured ISA server breach than I would. The
    fact is - it just hasn't happened.

    Jim Harrison
    Security Platform Group (ISA SE)
    If We Can't Fix It - It Ain't Broke!

    -----Original Message-----
    From: John Kinsella [mailto:jlk@thrashyour.com]
    Sent: Wednesday, November 16, 2005 9:11 AM
    To: focus-ms@securityfocus.com
    Subject: Re: ISA Server or Firewall Appliance?

    Susan et al... :) I'll attempt to address from the other end... I
    usually work with large clients on major networks. One caveat: While
    quite familiar with Windows and its positives/negatives, I haven't
    personally used ISA yet... gotta get it up in my lab.

    For me, I usually try to be OS-agnostic. An OS is a tool; as long as
    that tool meets my needs in an effective and efficient manner, I'm
    happy.
    In the environments I work in, network security is handled by network
    teams - firewalls usually are Checkpoint, Cisco or Juniper/Netscreen.
    They all have their pros and cons.

    As a security professional, I became OK with the concept of Windows in
    the infrastructure as a db/app/web server, as long as the OS is hardened
    and the box is firewalled at least to layer 4. Boxes that I recommend as
    firewalls have proven over time that they have a reliable network stack,
    can provide fault-tolerance, can easily handle wire-speed attacks, and
    use a command line which the network administrators[1] are familiar
    with.
    Windows has not demonstrated a reliable network stack to me, and while
    it can be fairly reliable as an OS, I can't comment on high-availability
    designs of ISA since I haven't tested it. Microsoft still isn't providing
    me with the level of satisfaction I'd want from a security vendor.

    So, if you're a Windows shop with a small to medium size network,
    ISA might just treat you fine, but personally that idea is scary as
    all hell. I'll always recommend firewalling Windows servers, even
    if they have firewall software on them. For a larger shop that uses
    managed switches, dynamic routing, multiple VLANs... they're just going
    to be more comfortable with the CLIs.

    My recommendation for a "small" firewall - check out Netscreen's 5GT -
    sweet little box for a few hundred bucks.

    Oh, last thing, regarding talking about NICs getting burned out in a PC:
    most PC firewalls I've seen in the last year or two have on-board NICs,
    so if that gets smoked, you might be seeing more than just a NIC go up
    in a poof. Just something to keep in mind...

    John
    1: "Network Administrators" is being used in its "real" definition -
    people who administer networks. This differs from "Windows
    administrators" or "UNIX administrators."


