First, I really like the ISA as a firewall. But often the customers have a big/expensive firewall structure in place. What I would really like to see is ISA acting as a simple secure proxy (single NIC). By a secure proxy I mean features like:
The market today has a lot of vendor-specific appliance solutions for the above. But often these solutions do not integrate very well with your infrastructure (Active Directory). Also, you don't know if these solutions will be here tomorrow. I think the ISA focus today is all about VPN and web publishing (OWA, SharePoint). But to me these features are history.
I would like to see ISA acting as a strong outbound defense layer, keeping my network nice and clean.
If you follow ISA's evolution you will see that ISA is now a true firewall and not just a simple proxy. If you read this article about ISA 2006 you will find out more about ISA's architecture and also the fact that the Web Proxy Filter is an application filter and not an independent service as it was with ISA 2000. This means that ISA has a unified architecture, a critical design for modern networks. The HTTP protocol represents a great threat. ISA acting as a proxy firewall can mitigate the risks of HTTP. Using ISA as a simple web proxy would be a major drawback in my opinion. I wonder if ISA 2008 (or whatever they will call it) would still support the single NIC mode. The way I see it: ISA as a simple web proxy has for some admins the same meaning as WINS. Some did not like it at the beginning and now they are in love with it and cannot let it go. Just saying....
I agree with you that ISA is a great firewall. But if you, like me, have to convince the customer to replace their current firewall setup or do the back-to-back DMZ, then it can be really hard to sell. Because you have to turn around their current layout. With a single NIC setup, you could be up and running within a few hours and still provide them with a strong defense layer. After that it would be so much easier to convince them about all the other features ISA provides as a true firewall. Every time someone in this forum talks about single NIC mode they are told to nuke it and do it the right way. But the fact is that the lack of the features I listed still remains even if I choose the back-to-back DMZ. Am I the only one feeling that the focus on ISA today is all about OWA publishing? If the customers are running Notes and have the need for a secure proxy/gateway, then I'm out of luck?
Hi Jesper, I do not smoke! Lucky me! I would agree that buying a firewall and simply throwing it into the existing infrastructure is not something that you can do in a couple of hours. First, before actually touching anything, you must convince people to do so. Risk Management, based on Asset Identification and Valuation and Threat Assessment, can be very helpful in some situations. For example, the Residual Risk from their current design (no ISA yet) might introduce ISA as a firewall in the game or just as a simple proxy. This (as firewall) probably might be true if their current infrastructure is a little old and the Residual Risk has grown. If the Residual Risk only recommends the use of ISA as a proxy and the costs of using it as a firewall are unjustified, then that's the way of doing it. We would not buy a 200$ device to secure our bicycle (which cost 300$). And who knows, maybe with ISA 2008 Microsoft will introduce two ISAs: one as a full firewall and one as a stripped-down edition which will do what you want (however, I have doubts it would be like so). And yes, discussing the unihomed ISA mode is a sensitive subject on this forum, but this is primarily due to the "smart" comments people make (like "I do not trust Microsoft and thus I do not trust ISA" or "ISA is just a proxy, it cannot act like a firewall" and so on), comments often based on lack of education/knowledge. If you hit with such comments a person who has been using ISA as a firewall for a while to secure networks and has a good knowledge of what ISA can do, well, words might start flowing like bullets. I guess we will have to wait and see what ISA 2008 will bring! Probably many good things (in my opinion)! Cheers!
< Message edited by justmee -- 21.Jun.2007 1:05:59 PM >
Hi ITEngineer, Actually I do not drink either! And regarding those features, yes, cool stuff, but I do not think Microsoft will offer them for free (if they are going to offer them). A subscription will be needed (in my opinion). Also we can have them on ISA with third-party add-ons for extra $. And if they are going to be offered, it remains to be seen how good they really are! Best regards! (not Cheers)