Re: Firewall recommendations?

From: Chris Travers (chris@travelamericas.com)
Date: 03/09/03

    Date: Sat, 08 Mar 2003 19:35:23 -0800
    From: Chris Travers <chris@travelamericas.com>
    To: rdusek@myway.com
    
    

    ISA's not a bad product.

    That being said, it is not the end-all-and-be-all of security solutions
    either. If security is important, you can run a filtering router
    behind your ISA server (on a non-MS OS for added defence in depth) and
    this is what I would do. You could use a Cisco solution, a Linux router
    with IPTables, or other options. Also if your defence is all on the
    same OS that your internal servers are, you lose an opportunity for
    defence in depth.

    The point is that security is a process not a product. No product you
    purchase can give you security, and implementation is more important
    than products.

    Anyway, best of luck,
    Chris

    rdusek@myway.com wrote:

    >I am in charge of researching a firewall to replace what we currently
    >have. At my previous job I had used Microsoft ISA in a low-security
    >environment, and was happy with its features, and its integration with
    >the Windows environment there. However, at my current job, security is a
    >much greater concern, and I have to admit, I am somewhat uneasy running a
    >Microsoft firewall product on top of a Microsoft OS. We also had
    >investigated Checkpoint as well as Cisco Pix, and found that for our
    >needs, the Pix at least seemed to need _many_ separate components for the
    >same functionality. My question is what are your experiences with using
    >ISA from a security standpoint? Usability issues? From the Mac end? Or
    >would we be better off pursuing the Checkpoint or the Pix solution? We
    >also plan on implementing VPN over whatever we choose, so if you
    >recommend something other than these, it should support at least PPTP and
    >perhaps eventually IPSec/L2TP. We have also considered placing ISA
    >behind a Linux (or BSD) IP Chains firewall and our perimeter network to
    >block some of the traffic from getting to ISA. Any comments here? Thanks
    >to everybody in advance!
    >
    >
    >
    >

