RE: ISA Server or Firewall Appliance?

From: Jim Harrison (ISA) (Jim.Harrison_at_microsoft.com)
Date: 11/18/05

  • Next message: matthew patton: "RE: ISA Server or Firewall Appliance?"
    Date: Fri, 18 Nov 2005 11:39:10 -0800
    To: <focus-ms@securityfocus.com>
    
    

    To tell the truth, I'm surprised at the lack of ISA / MS bashing in this
    thread. Is it an indication of MS' place in the general security
    community, a general lack of interest in ISA or the holiday season
    approaching? The world may never know...

    Actually, I was trying to be just that specific.
    As was agreed to earlier in this thread, all modern firewalls can be
    accurately oversimplified as "applications running on operating
    systems".
    All of those OS's have been compromised to some degree, and so obviates
    this contextual "joining of church & state".

    Following this context, we then examine the exploits and compromises
    each firewall product *itself* has experienced; i.e., that attack that
    succeeded in the context of the firewall code itself.
    It's in this context where I state that ISA has experienced no reported
    compromises.

    Also, ISA (and to be fair; the aforementioned competitors) is far more
    than a simple "firewalling stack". What separates ISA from the others
    is the fact that ISA has and continues to "lead the pack" in L4+
    inspection.

    Hope that clarifies things a bit...

    Jim Harrison
    Security Platform Group (ISA SE)
    If We Can't Fix It - It Ain't Broke!

    -----Original Message-----
    From: James Eaton-Lee [mailto:james.mailing@gmail.com]
    Sent: Friday, November 18, 2005 9:23 AM
    To: Jim Harrison (ISA)
    Cc: John Kinsella; focus-ms@securityfocus.com
    Subject: RE: ISA Server or Firewall Appliance?

    Jim,

    On Thu, 2005-11-17 at 13:28 -0800, Jim Harrison (ISA) wrote:
    > Your statements are fine as far as they go, but there is real (as
    > opposed to anecdotal) data that directly contradicts your stated
    > concerns.
    > There are *lots* of Enterprise networks running ISA 2000 and/or ISA 2004
    > on the edge.
    > Several of these customers have also consented to public case studies
    > which are (proudly) posted on the microsoft.com/isaserver pages.
    >
    > Short story - no one has offered anything more than "ancient history" to
    > counter the facts offered in ISA's favor.

    Not to be flippant, but I tried - I wasn't really trying to ISA bash,
    but I disagreed with you when you said on Tuesday that:

    > I know it sounds like marketing spew, but the simple fact is; in 5+
    > years of service on anything from an SBS server, OEM appliance to HUGE
    > enterprise deployments, ISA server has the distinction of not having
    > been the recipient of one single exploit in the wild.
    >
    and then that...

    > I know it sounds like marketing spew, but the simple fact is; in 5+
    > years of service on anything from an SBS server, OEM appliance to HUGE
    > enterprise deployments, ISA server has the distinction of not having
    > been the recipient of one single exploit in the wild.

    ..more specifically, the bulk of my point was that you weren't comparing
    like with like, you were comparing a whole firewall platform
    (IOS/Juniper) with something (ISA) which is just a firewalling stack
    which necessarily has pre-requisite software which it's combined with to
    make up the whole firewall, and ignoring the platform (windows) which it
    was running on top of.

    So far I haven't had a reply.. ;)

    If you want to discuss this, I'd be more than happy to re-send my
    original post on this topic to the list, as this is really a
    bastardisation of what I was originally trying to say!
     - James.
