Secure proxy
Secure proxy - 19.Jun.2007 11:45:03 AM
Jesper_Ravn
Posts: 3
Joined: 23.May2007
Status: online
Hello

First, I really like the ISA as a Firewall. But often the customers have a big/expensive firewall structure in place. What I would really like to see is ISA acting as a simple secure proxy (Single Nic).

By a secure proxy I mean features like:
- built-in malware protection (e.g. Forefront)
- built-in content filter (web updates)
- built-in P2P blocking (web updates)
- built-in antispam (e.g. IMF)

The market today has a lot of vendor-specific appliance solutions for the above. But often these solutions do not integrate very well with your infrastructure (Active Directory). Also, you don't know if these solutions will be here tomorrow.

I think the ISA focus today is all about VPN and web publishing (OWA, SharePoint). But to me these features are history. I would like to see ISA acting as a strong outbound defense layer, keeping my network nice and clean.

Thanks,
Jesper
RE: Secure proxy - 21.Jun.2007 8:47:11 AM
justmee
Posts: 481
Joined: 14.May2007
Status: online
If you follow ISA's evolution you will see that ISA is now a true firewall and not just a simple proxy. If you read this article about ISA 2006 you will find out more about ISA's architecture and also the fact that the Web Proxy Filter is an application filter and not an independent service as it was with ISA 2000. This means that ISA has a unified architecture, a critical design for modern networks.

The HTTP protocol represents a great threat. ISA acting as a proxy firewall can mitigate the risks of HTTP. Using ISA as a simple web proxy would be a major drawback in my opinion. I wonder if ISA 2008 (or however they will call it) would still support the single NIC mode.

The way I see it: ISA as a simple web proxy has for some admins the same meaning as WINS. Some did not like it at the beginning and now they are in love with it and cannot let it go. Just saying....
RE: Secure proxy - 21.Jun.2007 11:48:00 AM
Jesper_Ravn
Posts: 3
Joined: 23.May2007
Status: online
Hello justmee

Nice try, but no cigar :-)

I agree with you that ISA is a great firewall. But if you, like me, have to convince the customer to replace their current firewall setup or do the back-to-back DMZ, then it can be really hard to sell in. Because you had to turn around their current layout.

With a single NIC setup, you could be up and running within a few hours and still provide them with a strong defense layer. After that it would be so much easier to convince them about all the other features ISA provides as a true firewall.

Every time someone in this forum talks about single NIC mode they are told to nuke it and do it the right way. But the fact is that the lack of the features I listed still remains even if I choose the back-to-back DMZ.

Am I the only one feeling that the focus on ISA today is all about OWA publishing? If the customers are running Notes and have the need for a secure proxy/gateway, then I'm out of luck?

Thanks,
Jesper
RE: Secure proxy - 21.Jun.2007 1:01:00 PM
justmee
Posts: 481
Joined: 14.May2007
Status: online
Hi Jesper,

I do not smoke! Lucky me!

I would agree that buying a firewall and simply throwing it into the existing infrastructure is not something that you can do in a couple of hours. First, before actually touching anything, you must convince people to do so. The Risk Management, based on Asset Identification and Valuation and Threat Assessment, can be very helpful in some situations. For example, the Residual Risk from their current design (no ISA yet) might introduce ISA as a firewall in the game or just as a simple proxy. This (as firewall) probably might be true if their current infrastructure is a little old and the Residual Risk has grown. If the Residual Risk only recommends the use of ISA as a proxy and the costs of using it as a firewall are unjustified, then that's the way of doing it. We would not buy a 200$ device to secure our bicycle (which costs 300$).

And who knows, maybe with ISA 2008 Microsoft will introduce two ISAs: one as a full firewall and one as a stripped down edition which will do what you want (however I have doubts it would be like so).

And yes, discussing the unihomed ISA mode is a sensible subject on this forum, but this is primarily due to the "smart" comments people make (like "I do not trust Microsoft and thus I do not trust ISA" or "ISA is just a proxy, it cannot act like a firewall" and so on), comments often based on lack of education/knowledge. If you hit with such comments a person who has been using ISA as a firewall for a while to secure networks and has a good knowledge of what ISA can do, well, words might start flowing like bullets.

I guess we will have to wait and see what ISA 2008 will bring! Probably many good things (in my opinion)!

Cheers!
< Message edited by justmee -- 21.Jun.2007 1:05:59 PM >