Re: Use or Not to use ISA

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 05/21/05


Date: Sat, 21 May 2005 01:07:05 -0400


"Ron" <Ron@discussions.microsoft.com> wrote in message
news:64746411-FC78-477D-BDD7-CA87B6501960@microsoft.com...

> Would it be logical to run ISA on the IIS box for more security?
> And what benefits would it give me?
> Since I don't have the funds to place another firewall between the IIS box
> and the rest of my internal network to create a DMZ.

ISA is very expensive, compared to, say, a www.netscreen.com low-end
appliance starting at around $600 US, or even a low end www.netgear.com
appliance starting around $100 US. If you prefer, there are also a number
of absolutely free *nix based firewalls that will run on any old 486 or
Pentium computer, such as www.openbsd.org, or a variety of free boot CDs
that include firewalls. You could also look into adding an additional
firewalled network interface port on your firewall appliance to create a DMZ
that way; many firewall appliances come with a "DMZ port" already.

Running ISA on your web server itself is not the ideal configuration for a
firewall IMHO for reasons of performance and security. If you wanted to run
a host-based software firewall on a web server, you could probably get
almost as much security with something like www.sygate.com or
www.blackice.com for under $100 US.


