This is currently a complete failure as a product...

All Forums >> [ISA Server 2000 Firewall] >> General >> This is currently a complete failure as a product...
This is currently a complete failure as a product... - 4.Sep.2001 1:12:00 PM   
danielrm26

 

Posts: 7
Joined: 4.Sep.2001
From: Americus, Ga
Status: offline
Greetings,

I hope someone out there involved with the development of this product is listening because they need some help.

With the exception of ME, I have never seen a worse product than this. This is the poorest excuse for an enterprise level firewall that I have ever seen.

Before everyone gets all bent out of shape, let me just say that I love Microsoft products. They piss me off frequently enough, but they are good overall if you really get down to it. I am a security guy and I have been using Linux based firewall solutions for a while now. I am an MCSE though and I was very enthusiastic about ISA server. I WANTED this product to work. Let me be clear about that. And I tried. I tried for a long time. This product is just crap, in its current form.

First off, I scan my newly secured machine from the outside using a Linux box and nmap and come back with 139 open, among others. I already unbound file and print sharing from that adapter and ran the high security wizard, and I come back with the WORST port possible open. Not impressive. Then, I realize that the IDS didn't even notice the scan. Not impressive. So I mess with all the settings and see what I can do to tweak it to make it work. Nothing. The product is unwilling to cooperate. The configuration is very cumbersome for the firewall rules. How about an interface that says what can come in, what can go out, and to whom. A simple ruleset. How hard is this? And for the love of god, some cooperation between the IDS (which I don't believe at this point is working at all) and the firewall. How about automatic blocking of offending IPs? Nothing. You can just scan and scan and ISA won't even notice.

Let me tell you a secret. I installed a Linux based solution during the time it takes to reboot my ISA server. I am not joking. Let me tell you what it has. Full stateful inspection based on the 2.4 kernel, http proxy, smtp proxy (with av scanning), AWESOME interface via https connection, VPN support via IPSEC or pptp, automated firewall updates, and tons more. Free for home users and cheap as hell for corporate use.

I scan myself after taking like 5 minutes to install it and guess what? Fully stealthed. Why? Because the IDS detected the scan and blocked the intruder immediately. You can pass your services out very easily and it is rock solid stable. You turn it on and it keeps working until you turn it off...an interesting concept.

I am only posting this here because I want to see ISA improved. I want to use it. Hell, I am taking it as one of my electives for my MCSE upgrade (yes I am an MCSE talking like this). I can't believe that nobody in all these posts has come out and said that the product is lame. I see tons of people saying this won't work and that won't work, but they don't realize that those things DO work with other products. Don't be afraid to try other things. This will make Microsoft improve their documentation and their quality of release products when they see people using other stuff.

This is just ridiculous. Would you put this on a network with thousands of users and call yourself secure? I sure as hell wouldn't. Of course, I see the potential. That is why I installed it. But damn, get the product to that level before you give it to us. This is just hurtful when I preach how good MS is to all my buddies and then get embarrassed by it.

In the meantime I will be here running my Linux solution waiting for the service pack. As soon as you fix these problems and let us know that you have, I am going to be all over it. I eagerly await your addressing of these issues.

And to you guys here in the forums...sorry about the rant. I figured that if I was pissed at ISA and Microsoft this was a good place to talk about it.

Let me know what you guys think.

Regards,

------------------
What is wanted is not the will to believe, but the will to find out, which is the exact opposite.

Bertrand Russell

Post #: 1
RE: This is currently a complete failure as a product... - 5.Sep.2001 9:05:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel,

It can be frustrating to learn a new product. I can assure you that 139 is not open on any of our servers. Neither is any other port we do not want open on the external interface of the ISA Server.

I find that ISA Server is MUCH easier, and more intuitive than any other firewall I've seen, esp. Linux firewalls! It just seems hard because you don't know it well yet. But when you work with it, it beats the others, IMHO.

You can "stealth" your ports if you want, but what's the big difference? Turn off the ICMP packet filter that allows the responses to the probes. If a port is closed, it's closed. If it's open, it's open. If there's an open port with no services listening, then what?

There have been no security breaches reported on patched ISA Servers.

Don't give up on it! It's really good, it just takes some getting used to. And I assure you that you can learn ISA Server a lot faster than I could learn Linux!

Thanks!

Tom


------------------
http://www.isaserver.org/shinder/



[This message has been edited by tshinder (edited 05 September 2001).]


(in reply to danielrm26)
Post #: 2
RE: This is currently a complete failure as a product... - 5.Sep.2001 1:08:00 PM   
jgrabiec

 

Posts: 191
Joined: 24.Jan.2001
From: Farmingdale,NY, USA
Status: offline
Tom,

What about the fact that Bertrand "ran the high security wizard"

I know lots of people have had very strange things after running the security wizard.

Just my 2 cents...

------------------
-=john=-
MCSE,MCP+I,CCNA,CCA


(in reply to danielrm26)
Post #: 3
RE: This is currently a complete failure as a product... - 10.Sep.2001 9:26:00 PM   
MB

 

Posts: 50
Joined: 10.Sep.2001
From: Lexington, SC USA
Status: offline
After spending now over a month with a case open at Microsoft (which included NO fixes and, so far, four RMISA's with reinstalls), I've about reached the same conclusion. The product just doesn't work as advertised.

We bought this as an upgrade to Proxy with hopes of installing Websense or SurfControl so we could limit sites that are visited. Before I even dare adding more controls and policies to this product, I want to make sure that its 'out of the box' behavior is predictable. So with a fresh (re)install, and running the security wizard set to dedicated, setting up OWA and client VPN connectivity, we can't make the standard site and content rule work unless "All content groups" is selected. Anything else, for starters, blocks all https traffic. Anything Yahoo related will subsequently fail since they apparently don't return content type in their headers (not an ISA problem but a workaround would be nice). So the whole "http content' tab seems useless. Anyway, Microsoft can replicate my problems but not fix them. Our clients are all firewall, web proxy, AND securenat. I've had other unpredicted behavior along the way but these are the items I'm currently working on. I'm quite frustrated. Any help would be greatly appreciated.

[This message has been edited by MB (edited 10 September 2001).]


(in reply to danielrm26)
Post #: 4
RE: This is currently a complete failure as a product... - 11.Sep.2001 1:26:00 AM   
danielrm26

 

Posts: 7
Joined: 4.Sep.2001
From: Americus, Ga
Status: offline
This is exactly what I am saying. I am very curious as to how many people are actually running this product in a mission critical environment.

Unfortunately, I think the only people doing so have a completely overpowering (and unfounded) fear of the Linux platform. I mentioned in my original post that I installed an enterprise level firewall based on the 2.4 kernel in just about the time it took to reboot my ISA server. I was not joking. It is that easy, and the product is POWERFUL. We don't have time as admins to mess with sub-standard products like this.

I can't wait until this product is what it is supposed to be. Once it is I am going to give it another chance, but this is crazy. Just a couple of things right off the top of my head...

1. Why doesn't the IDS do anything when someone scans the machine in the default configuration? In Linux things work like they are supposed to...the FIRST time.

2. Why is my port 139 open on the external interface on an enterprise level firewall? Granted I couldn't connect to it, but damn...

3. Why is my web surfing performance MUCH worse on ISA than when I use Astaro (there, I said it), which is free for home use?

4. Why don't we have a simple "Checkpointesque" rule interface rather than having multiple places to configure your rules?

5. Why do you have to reboot when you make changes sometimes? Can't we get past that?

6. Why is there absolutely horrible documentation for the flagship security product? That is deplorable.

7. Finally, why does the 'stateful' inspection not detect scans and lock the offending machine out? I scan myself with NMAP or Nessus from one of my other machines remotely using Astaro or any other decent stateful firewall and it comes back with NOTHING. The firewall detects a scan and it doesn't allow any more information to go to that IP. I scan ISA and it lights up with open ports...not impressive.

Anyway, once again I am getting angry. The point to me is that anyone who has had experience with anything other than MS products knows that this is completely inferior. Unlike people who bash MS for no reason and hate them unconditionally I actually like MS. I simply get very upset when the company that I defend puts out a product like this.

If there is someone out there who has used other firewalls like IPtables based Linux distros or Checkpoint or something, and you think that ISA is a great product, please set me straight. You may or may not believe me when I say this, but I really want someone to say just that...and to be right. I just don't see it happening.

Daniel

------------------
What is wanted is not the will to believe, but the will to find out, which is the exact opposite.

Bertrand Russell

[This message has been edited by danielrm26 (edited 11 September 2001).]


(in reply to danielrm26)
Post #: 5
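Daniel's port 139 finding and Tom's closed-versus-stealth distinction come down to what the scanner sees for each probe: a SYN answered with SYN/ACK (open, a listener is exposed), answered with RST (closed, nothing listening but the host is visibly there), or not answered at all (filtered, the "stealth" result). As an added example, not from the thread or from any ISA tool, here is a small Python checker that parses nmap's grepable (-oG) output for a scan of a firewall's external address and reports the Windows RPC/NetBIOS/SMB TCP ports in each of those states, which is the check a practitioner would run before calling the box secured. The scan text is constructed, not real nmap output, and the address is from the RFC 5737 documentation range.

```python
import re
from typing import Dict, List, Tuple

# TCP listeners a firewall's external interface should never answer on:
# 135 (RPC endpoint mapper), 139 (NetBIOS session), 445 (SMB over TCP).
# 137/138 are UDP (NetBIOS name/datagram) and need an nmap -sU scan, not covered here.
WINDOWS_TCP_PORTS = {135, 139, 445}

# Constructed sample in nmap's grepable (-oG) format: a SYN scan of a firewall's
# external address from an outside host, as in the thread. Not real scan output.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -p 80,135,139,443,445 -oG - 192.0.2.10
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 135/closed/tcp//loc-srv///, 139/open/tcp//netbios-ssn///, 443/filtered/tcp//https///, 445/closed/tcp//microsoft-ds///
# Nmap done at ...
"""

# Each grepable port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/([a-z|]+)/(\w+)//([^/]*)///")

PortEntry = Tuple[int, str, str, str]   # (port, state, protocol, service)


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = line.partition("Ports:")[2]
        hosts[host] = [(int(p), st, proto, svc)
                       for p, st, proto, svc in PORT_ENTRY.findall(ports_field)]
    return hosts


def assess_windows_ports(entries: List[PortEntry]) -> Dict[int, str]:
    """State of each watched TCP port. 'open': a listener answered SYN/ACK, the
    service is exposed. 'closed': the host answered RST, nothing is listening but
    the host is visible. 'filtered': no answer, the probe was dropped ('stealth').
    'not scanned': the port was not in the scan."""
    seen = {port: state for port, state, proto, _ in entries if proto == "tcp"}
    return {port: seen.get(port, "not scanned") for port in sorted(WINDOWS_TCP_PORTS)}


def exposed(assessment: Dict[int, str]) -> List[int]:
    """Ports that must be fixed before the box goes on the wire."""
    return sorted(p for p, s in assessment.items() if s == "open")


def is_stealthed(assessment: Dict[int, str]) -> bool:
    """True only if every watched port was probed and none drew any reply."""
    return all(s == "filtered" for s in assessment.values())


def report(text: str) -> List[str]:
    """One verdict line per scanned host."""
    lines = []
    for host, entries in parse_grepable(text).items():
        a = assess_windows_ports(entries)
        ex = exposed(a)
        if ex:
            verdict = "EXPOSED " + ",".join(map(str, ex))
        elif is_stealthed(a):
            verdict = "stealthed"
        else:
            verdict = "closed-but-visible"
        lines.append(f"{host}: {verdict}  " + " ".join(f"{p}={s}" for p, s in a.items()))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN)))
```

On the constructed sample the checker reports 139 as exposed and 135/445 as closed, which is exactly the "not stealthed, and one listener answering" picture Daniel describes; a "closed" result still tells the scanner a Windows host is there, which is why the filtered state is the one to aim for on an external interface.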
RE: This is currently a complete failure as a product... - 12.Sep.2001 6:11:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by jgrabiec:
Tom,

What about the fact that Bertrand "ran the high security wizard"

I know lots of people have had very strange things after running the security wizard.

Just my 2 cents...



Hi John,

Excellent point! After the dreaded security wizard is run, all hell breaks loose. I admit that should have been documented somewhere, but it's not ISA Server's fault. It's the dreaded wizard.

Again, whether a port shows open or not is not an issue if there's nothing to connect to. You can close the applicable ICMP filters and have the coveted "stealth" for what little that's worth.

Yes, ISA has some issues, but so does all software. But don't judge it too harshly until you've run it on a machine that hasn't been corrupted by the Security Wizard.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/





(in reply to danielrm26)
Post #: 6
RE: This is currently a complete failure as a product... - 12.Sep.2001 8:01:00 AM   
skami

 

Posts: 54
Joined: 24.May2001
From: Australia
Status: offline
Well, I agree with Daniel; he is absolutely right about it. I have been posting that the ISA IDS system never works but never came up with any solution. I TRIED everything; it never gave me any intrusion symptoms. Secondly, when I try to open a port it just doesn't, whether I run the security wizard or I don't; it NEVER does that. Now I have been removing and installing ISA Server so many times that I can close my eyes and configure it. If it's not gonna work then I shouldn't use it; then what the heck, I can use other products. I am posting because I want these things to be solved and ISA to be the product which will beat every firewall... I wish.

(in reply to danielrm26)
Post #: 7
RE: This is currently a complete failure as a product... - 12.Sep.2001 8:45:00 PM   
danielrm26

 

Posts: 7
Joined: 4.Sep.2001
From: Americus, Ga
Status: offline
I am waiting for the same thing, my friend.

In the meantime, use Astaro. If you have any questions let me know and we can talk through email and get you going with it. Once ISA gets its shit together we can migrate to that.

Regards,

Daniel

------------------
What is wanted is not the will to believe, but the will to find out, which is the exact opposite.

Bertrand Russell


(in reply to danielrm26)
Post #: 8
RE: This is currently a complete failure as a product... - 13.Sep.2001 1:43:00 AM   
Ben

 

Posts: 65
Joined: 24.Aug.2001
From: California
Status: offline
It's difficult to respond to this kind of criticism. I recognize the criticism is pointed at the product, and not myself and so I'm not really compelled to respond, but I feel I should.

I believe a lot of the criticism is founded on ignorance, which is evident from the discussion. I don't mean that term "ignorance" as an insult. I think it's clear that danielrm26 has not put as much effort into learning and understanding the product as is really necessary to gain confidence in it. This process is necessary to understand ISA's strengths and to exploit those while avoiding its weaknesses. As such, it is like any other solution.

I read elsewhere about someone who was using an OpenBSD firewall who had been repeatedly "owned." OpenBSD is readily recognized as more "secure" than Linux -- still, nothing substitutes for a competent administrator.

This criticism seems to come from exactly that perspective -- the idea that security is a product or a checkbox. Forget it. A product will never make you secure. Not ISA, not Linux, not OpenBSD, Solaris, not Checkpoint, not PIX.

It's up to YOU to secure your network. If you can't secure your network with ISA, do it with Linux. If you can't secure your network period -- then YOU suck -- not the product, because it's not the product's job. It's yours.

Again, I don't want anyone to think I'm insulting them or this thread's originator. If the reader feels I've described them when I wrote "you" then I hope they consider my statements constructively. Otherwise, I hope they consider them hypothetically, and not as a flame directed at them personally.


(in reply to danielrm26)
Post #: 9
RE: This is currently a complete failure as a product... - 13.Sep.2001 2:02:00 AM   
Ben

 

Posts: 65
Joined: 24.Aug.2001
From: California
Status: offline
About the security wizard. Clearly this is an example of the idea that a checkbox or quick series of mouse clicks through a wizard will secure the network. Perhaps Microsoft could be criticized for not making it clear this isn't the case. Nevertheless, the security wizard is not difficult to understand if you understand Windows Security Configuration and Analysis.

The wizard simply applies security templates. Again, Microsoft could be criticized for not documenting the templates in an intuitive way. However, it is quite easy to analyze the template settings against your current configuration or another template. In other words, you can analyze the templates and see exactly what changes they will make by using the Security Configuration and Analysis snap-in.

Upon performing this analysis, it should be recognized that the ISA templates do very little in terms of OS-hardening, and virtually nothing with respect to network security. The preconfigured templates with Windows are a little more useful -- for example the hisecdc template.

You can easily combine the settings from multiple templates in Sec Config and Anal. Try combining both the hisecdc template and the "dedicated" template that comes with ISA. For me, this was just a starting point.

I also recommend looking at each policy changed by these templates to see if the change is appropriate. There may be quite a few options to secure things that these templates don't affect. It's helpful to use a security analysis tool to help harden the Windows OS. I think the Webtrends NetIQ SA is good and very easy to use.

Other helpful resources I found were the white paper from Microsoft on the configuration of NT4 that met C2 security requirements, the NSA guide to securing Windows 2000, and of course, testing things with the same hacker tools that the bad guys use.

In any case, I hope people see that although the wizards are of limited help and may foul things up if you use them without understanding the result they effect, security templates in Windows can be a very useful tool.


(in reply to danielrm26)
Post #: 10
RE: This is currently a complete failure as a product... - 13.Sep.2001 6:40:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ben,

I agree that the Security Templates are very helpful in the right hands, and we use them with modifications on other servers. But some of the things that happen on an ISA Server with a Security Template applied cannot be explained within the context of just understanding how they work.

For example, why does a security template whack the Content Download Service? I know there is a reason, but who knows what it is?

I believe that the Security Templates give a false sense of security when applied blindly. What they are really meant for is to provide a "template" security policy that you can analyze and decide which settings will fit your own environment. HOWEVER, until there's adequate documentation on how the settings interact with ISA Server, who are you to know which ones should or should not be applied?

Of course, the Security Wizard is up front on its "Welcome" page and warns that some things won't work after you apply the template. As always, the key is to test changes in a test environment first before implementing them in a production environment.

Tom

------------------
http://www.isaserver.org/shinder/





(in reply to danielrm26)
Post #: 11
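Ben's procedure (load the template into Security Configuration and Analysis, compare it against the current configuration or another template, combine hisecdc with ISA's "dedicated" template and then review each changed setting) and Tom's complaint that a template silently disables a service both come down to reading what is in the template file. As an added example, not from the thread and not one of Microsoft's tools, here is a Python parser for the .inf security template layout that the snap-in and secedit.exe consume. It diffs two templates the way the analysis view does, lists which services a template sets to disabled, and merges templates the way importing a second template into the same analysis database without clearing it does (later settings override earlier ones, everything else survives). Both templates are constructed: their values are illustrative and are not copied from hisecdc.inf or from the template ISA Server installs, and the service names are there only to show the entry format.

```python
from typing import Dict, List, Optional, Tuple

Template = Dict[str, Dict[str, str]]

# Constructed templates in the .inf layout consumed by the Security Configuration
# and Analysis snap-in and secedit.exe. Values are illustrative, not taken from
# hisecdc.inf or the template ISA Server installs.
HISEC_SAMPLE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,2
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,1
[Service General Setting]
; ServiceName,StartupType (2=automatic, 3=manual, 4=disabled),SecurityDescriptor
Schedule,4,""
"""

ISA_DEDICATED_SAMPLE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
[Service General Setting]
Schedule,2,""
W3SVC,4,""
"""

FILE_ONLY_SECTIONS = {"Unicode", "Version"}   # describe the file, not the machine


def parse_template(text: str) -> Template:
    """Parse an .inf security template into {section: {key: value}}.
    'key = value' lines are settings; comma-separated lines (service entries,
    file and registry ACL entries) are keyed by their first field."""
    sections: Template = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"setting before any section header: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(",")
        sections[current][key.strip()] = value.strip()
    return sections


def diff_templates(current: Template, proposed: Template) -> Dict[Tuple[str, str], Tuple[Optional[str], str]]:
    """Settings that applying `proposed` over `current` would change:
    {(section, key): (current_value, proposed_value)}; current_value is None
    when the setting is new. This is what the snap-in's analysis view shows."""
    changes: Dict[Tuple[str, str], Tuple[Optional[str], str]] = {}
    for section, settings in proposed.items():
        if section in FILE_ONLY_SECTIONS:
            continue
        for key, new in settings.items():
            old = current.get(section, {}).get(key)
            if old != new:
                changes[(section, key)] = (old, new)
    return changes


def merge_templates(*templates: Template) -> Template:
    """Combine templates as importing each into the same database does:
    later templates win setting by setting, unaffected settings survive."""
    merged: Template = {}
    for t in templates:
        for section, settings in t.items():
            merged.setdefault(section, {}).update(settings)
    return merged


def disabled_services(template: Template) -> List[str]:
    """Services whose entry sets startup type 4 (disabled)."""
    entries = template.get("Service General Setting", {})
    return sorted(name for name, value in entries.items()
                  if value.split(",", 1)[0].strip() == "4")


if __name__ == "__main__":
    hisec, isa = parse_template(HISEC_SAMPLE), parse_template(ISA_DEDICATED_SAMPLE)
    for (section, key), (old, new) in sorted(diff_templates(hisec, isa).items()):
        print(f"[{section}] {key}: {old!r} -> {new!r}")
    print("disabled by merge:", disabled_services(merge_templates(hisec, isa)))
```

The order you pass to merge_templates matters: with hisec first and the ISA template second, the ISA template's weaker MinimumPasswordLength wins, so review the diff of the merged result against your baseline rather than trusting the combination. A service entry with startup type 4 is the kind of change Tom's question about the Content Download Service points at, and disabled_services surfaces it before the template is applied.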
RE: This is currently a complete failure as a product... - 13.Sep.2001 10:47:00 AM   
danielrm26

 

Posts: 7
Joined: 4.Sep.2001
From: Americus, Ga
Status: offline
Greetings,

I would like to respond to Ben, one of the people who posted above.

Let me tell you what is wrong with your comments when you consider that you are referring to the ISA product.

Essentially, your argument is that I shouldn't be saying that this is a bad security product because security isn't about any particular product being good or bad. You are saying that true security people don't rely on "checkboxes" and the like and have a more comprehensive understanding of real security and don't make complaints like mine.

You went on to state that I was "ignorant", I know this was not a personal attack and I respect you for pointing that out, but allow me to retort.

Imagine for a second that someone put out a firewall based on microsoft word. When you install it it allows you to create documents and erect your firewall. You begin to configure rules and realize it doesn't work like it should. Then you realize that much of your traffic can't get out...and some traffic is getting in when it shouldn't.

In this scenario an unbiased person with an interest in the product's capabilities might conclude that the product didn't do well. Furthermore, they might be a bit bothered when someone does their best to explain to them that they simply hadn't worked with it enough to see how good it really is. Try to understand this, my friend. You shouldn't have to MAKE it work through crazy tweaks not available anywhere in documentation. You shouldn't have to form a network of people who have been victimized by the software in order to get it to do what it is supposed to do. Guess what? That is what this forum is. Take a look at the posts. They are not for the most part about advanced features and special configurations. They are instead about getting the thing to work at all.

So, I stand by my statements. I also would ask you to reconsider your calling me ignorant. I tell you that a product is not a good firewall and you tell me that I should learn about security. It's like if you were to hand me an old shoe and tell me to secure my network with it. I take a look at it and say that I can't do much with it, and you smile while telling me that I should take some security classes.

In closing let me ask you this. Why use a firewall with major problems when there are others available that work great?

Regards,

Daniel

------------------
What is wanted is not the will to believe, but the will to find out, which is the exact opposite.

Bertrand Russell


(in reply to danielrm26)
Post #: 12
RE: This is currently a complete failure as a product... - 13.Sep.2001 3:45:00 PM   
MB

 

Posts: 50
Joined: 10.Sep.2001
From: Lexington, SC USA
Status: offline
Thanks for all the continued posts on this topic. Although I have also run the security wizard (as I was instructed to during Microsoft's official "Deploying and Managing Microsoft Internet Security and Acceleration Server 2000" class), my criticism of the product is its inconsistencies in how internet access policy is managed--not my perception of its 'security' (I fully believe I have a secure firewall in place, if nothing else). And I'm not sure what constitutes a 'competent administrator', but as an NT MCSE who's quite familiar with Proxy 2.0, Win2k, and has at least taken the MS course for ISA, I hope I'm at least on my way. One thing I DO expect, however, is for the techs at Microsoft to be competent. When they can replicate my problems yet not explain them, I know it's not just me screwing up. And although they've alluded to several product 'features' (bugs), they've never mentioned the security wizard as a culprit.

Is there ANYBODY out there who is using the http content group filtering and still able to browse https sites?

[This message has been edited by MB (edited 13 September 2001).]


(in reply to danielrm26)
Post #: 13
RE: This is currently a complete failure as a product... - 14.Sep.2001 3:47:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi MB,

Getting back to the problem , what was the specific issue you had with HTTPS sites? Is it that when you Deny an HTTPS site with a path, the entire server is denied?

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/





(in reply to danielrm26)
Post #: 14
RE: This is currently a complete failure as a product... - 14.Sep.2001 7:58:00 AM   
Ben

 

Posts: 65
Joined: 24.Aug.2001
From: California
Status: offline
I read Daniel's reply and I thought about ISA some more. Some things I will concede are that Microsoft is guilty of making ISA appear as if you can just run the "getting started" and "secure your server" wizards to be on your way to a complete implementation. Clearly, for higher-level requirements (beyond securing the home or SOHO network), I agree that any secure implementation of ISA can be problematic and may require other products as part of the solution to address areas where ISA lacks strengths or proves too difficult. I am using Cisco products for security purposes on both sides of my ISA servers for example.

I'll take back calling you ignorant, although that's not what I intended in the first place. What I can't help but think is that you just haven't found creative uses for ISA. You say it's an old shoe, but I can honestly testify that I've put ISA to use in ways that go well beyond recycling a piece of junk I've been victimized by.

Also, consider the fact that the overwhelming majority of people here haven't paid Microsoft for ISA - or at least I'd be surprised if they had considering the availability of it without cost. I'm not saying there isn't an obligation to pay -- but try getting a PIX box at no cost for evaluation. Of course, you're comparing it to Linux which might only have the same server hardware costs associated with ISA.

However, does a Linux-based firewall you can recommend do the following:

web-publish with SSL-HTTP bridging
passive, active, forward, and reverse HTTP caching
H.323 gateway
Live WMT stream-splitting
"SecureNAT" (NAT with HTTP-redirector proxy making proxy possible with no client configuration)

Some of these things I could do with additional products like SSL accelerators, Cisco Content Engines, media servers, Cisco's call manager, and so on, but the combined cost of all that would be 10 times what ISA has cost me to do the same -- on a scale that's more appropriate for my network.


(in reply to danielrm26)
Post #: 15
RE: This is currently a complete failure as a product... - 14.Sep.2001 8:39:00 AM   
danielrm26

 

Posts: 7
Joined: 4.Sep.2001
From: Americus, Ga
Status: offline
Ben,

You have approached the argument in a very nice way, and I respect you for that.

I do agree that ISA has a line of features that is very stout. The problem with that line of features is they don't work under normal circumstances. I equate this to Exchange 2000, which is my absolute favorite mail server. Guess what I run for my mission critical server? Linux. I ran Exchange and took constant flack because of the machine being down. Constant restarts needed, inconsistent performance, features not working...all symptoms of running one of my favorite Microsoft products. So I download and install a FREE linux distro made for email servers and I haven't had to do anything to the box since. That was almost a year ago. I don't have to reboot. I don't have to answer phone calls or emails from my boss saying it doesn't work...it just does exactly what it is supposed to do. Recognize that this happened the very first time after a 10 minute install. I have a secure web based administration interface, I can backup and restore a complete machine with hundreds of users in minutes on a FRESH machine. It is amazing. Now, because I love the product I am putting up another Exchange machine right now. I have installed the service pack and the hotfixes but guess what? It isn't working. I am sure there is some strange string of fixes that need to be done in order to get the thing to work, let alone to get the advanced features to work.

This is the same as with ISA. It simply doesn't do what it is supposed to do out of the box. Not anywhere near it. I understand that you have gotten the product to work for you but let me compliment you by saying that you are probably something of a guru with the product perhaps both via study and experience. That should NOT be a prerequisite to making the product do what it is supposed to do.

Furthermore, try to understand that I love Microsoft. If we could get the *nix stability coupled with the MS features we would be in business.

Anyway, I enjoyed our discussion. Good luck in all that you do.

Regards,

Daniel

------------------
What is wanted is not the will to believe, but the will to find out, which is the exact opposite.

Bertrand Russell


(in reply to danielrm26)
Post #: 16
RE: This is currently a complete failure as a product... - 14.Sep.2001 8:43:00 AM   
KenRS

 

Posts: 1
Joined: 14.Sep.2001
Status: offline
Greetings,

I am not as good of a writer as some of those that have posted. But I am an MCSE and have been for a while. I can also tell you that I earned my cert and did not buy it; I am NOT a paper MCSE. Now that that is out of the way. I have tried to use ISA for a long time. We were testing it in beta. I keep having hope for a unified platform. Microsoft has let me down to this point. Now I can be the first to tell you OpenBSD is tighter than any OS out of the box. But you guys are correct in that it is up to the admin. But when I install a firewall (something I do to pay the bills) in a "mission critical environment" I DEMAND that the IDS work with the firewall. One is no good without the other. I also DEMAND that when I pass a port it is passed but shut down in the case of a scan or attack. If it cannot or does not do that it does not need to call itself a firewall. Now I am seeing a lot of FUD about Linux. The Linux firewalls that Dan is talking about are not hard to learn. You do not need to know anything about Linux at all to use them or install them. If you turn your back on them without a REAL test you are losing. How do I know this? How do I know what works and what does not? I am a member of the CdC.


(in reply to danielrm26)
Post #: 17
RE: This is currently a complete failure as a product... - 14.Sep.2001 4:23:00 PM   
MB

 

Posts: 50
Joined: 10.Sep.2001
From: Lexington, SC USA
Status: offline
Thanks, Tom.

My current issue with Microsoft (case SRX010807605006) deals (I think) with the standard Site and Content rule. It's currently wide open (any request to any site for all http content groups). It's the content groups tab that doesn't appear to work properly. For starters, if I check the 'Selected content groups' button and then check every group (or 'select all'), and bounce the services, then I get NO https browsing. The documentation explicitly states that this tab has NO effect on https traffic. Microsoft last said this is 'by design' and sent me an unpublished Q article which is pasted below:

---------------------------------------------

The information in this article applies to:

- Microsoft Internet Security and Acceleration Server 2000

-------------------------------------------------------------------------------

SYMPTOMS
========

Independent of the application protocol used, all requests from internal SecureNAT or Firewall Clients are denied by ISA Server 2000. Outgoing HTTPS (SSL) requests passing through the Web Proxy Service are also denied.

You can however connect to HTTP or FTP sites from Web Browsers that are configured to use the Web Proxy Service. You may also be able to connect to HTTP or FTP sites from SecureNAT or Firewall Clients if the HTTP Redirector Application Filter is enabled and configured to "Redirect to local Web Proxy service".

CAUSE
=====

This may happen if you create a Site and Content rule configured to only allow "Selected content groups" instead of "All content groups".

Site and Content rules that only allow "Selected Content Groups" apply only to traffic that is processed by the Web Proxy service. Because there is no Site and Content allow rule that applies to other types of requests, traffic coming from SecureNAT or Firewall Clients will be denied.

RESOLUTION
==========

If you want to restrict certain Content Groups in a Site and Content rule and at the same time allow traffic from SecureNAT or Firewall Clients, you must create a Site and Content deny rule logic that denies the Content Groups you do not want to allow through the Web Proxy Service.
---------------------------------------------

Almost all clients are NAT, Firewall, AND web proxy enabled. And the web redirector is enabled. I don't see how this should categorically deny all https traffic. Any workaround?

Secondly, no links from Yahoo (very popular home page for my users) work. They apparently don't return a content type in their headers, so it's naturally blocked. Is there a registry workaround for this?

These, to me, are real-world out-of-the-box standard configuration issues that A) Were suggested in Microsoft's class, B) Should work as they intuitively appear, C) Shouldn't have such negative ramifications, and D) Underscore my assertion that the product doesn't work as advertised.


(in reply to danielrm26)
Post #: 18
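The Q article MB pasted, together with the symptoms in his first post (HTTPS blocked and SecureNAT clients denied once the rule is set to "Selected content groups", and pages with no Content-Type header failing), describes a precedence problem rather than a bug: a rule restricted to content groups can only match traffic the Web Proxy service classifies, and a request with no allow rule is denied. As an added example, not from the thread or from ISA itself, here is a small Python model of exactly the logic the article states, run over the two configurations it contrasts: the "selected groups only" allow rule MB has, and the resolution of an allow-all rule plus a deny rule for the unwanted groups. The client types, the content group names and the request list are constructed for illustration; protocol rules and everything else ISA checks are deliberately left out of the model, so it says what the article's logic implies, not what a given ISA build does.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# The three client types the post names.
WEB_PROXY, FIREWALL_CLIENT, SECURENAT = "Web Proxy client", "Firewall Client", "SecureNAT client"


@dataclass(frozen=True)
class Request:
    client: str                           # which client type delivered the request
    protocol: str                         # "http", "https", "ftp", "telnet", ...
    content_group: Optional[str] = None   # group derived from the content; None when nothing
                                          # is visible (an HTTPS tunnel, or a server that
                                          # sends no Content-Type header)
    redirected: bool = False              # HTTP Redirector passed it to the Web Proxy service


@dataclass(frozen=True)
class SiteAndContentRule:
    name: str
    action: str                                      # "allow" or "deny"
    content_groups: Optional[FrozenSet[str]] = None  # None means "All content groups"


def handled_by_web_proxy(req: Request) -> bool:
    """Only the Web Proxy service classifies content. SecureNAT and Firewall
    Client HTTP/FTP reach it only through the HTTP Redirector filter."""
    return req.client == WEB_PROXY or (req.redirected and req.protocol in ("http", "ftp"))


def rule_matches(rule: SiteAndContentRule, req: Request) -> bool:
    if rule.content_groups is None:
        return True                      # "All content groups": matches every request
    if not handled_by_web_proxy(req):
        return False                     # selected-groups rules never see other traffic
    if req.content_group is None:
        return False                     # nothing to classify, so no group matches
    return req.content_group in rule.content_groups


def evaluate(rules: List[SiteAndContentRule], req: Request) -> str:
    """Deny rules take precedence; a request no allow rule matches is denied.
    Protocol rules and ISA's other checks are outside this model."""
    if any(r.action == "deny" and rule_matches(r, req) for r in rules):
        return "deny"
    if any(r.action == "allow" and rule_matches(r, req) for r in rules):
        return "allow"
    return "deny"


# The configuration from the post: the default allow rule switched to "Selected content groups".
SELECTED_GROUPS_ONLY = [
    SiteAndContentRule("Allow rule", "allow", frozenset({"HTML Documents", "Images", "Text"})),
]
# The article's resolution: an allow rule for all content plus a deny rule for the groups to block.
ALLOW_ALL_DENY_SELECTED = [
    SiteAndContentRule("Allow rule", "allow", None),
    SiteAndContentRule("Block streaming", "deny", frozenset({"Audio", "Video"})),
]

# Constructed requests covering the symptoms the post and the article describe.
CASES: Dict[str, Request] = {
    "browser html page":          Request(WEB_PROXY, "http", "HTML Documents"),
    "browser https site":         Request(WEB_PROXY, "https"),               # CONNECT tunnel
    "browser, no Content-Type":   Request(WEB_PROXY, "http"),                # the missing-header case
    "browser video clip":         Request(WEB_PROXY, "http", "Video"),
    "SecureNAT telnet":           Request(SECURENAT, "telnet"),
    "Firewall Client http":       Request(FIREWALL_CLIENT, "http", "HTML Documents"),
    "SecureNAT http, redirected": Request(SECURENAT, "http", "HTML Documents", redirected=True),
}


def decisions(rules: List[SiteAndContentRule]) -> Dict[str, str]:
    """Verdict for every constructed request under one rule set."""
    return {name: evaluate(rules, req) for name, req in CASES.items()}


if __name__ == "__main__":
    for label, rules in (("selected groups only", SELECTED_GROUPS_ONLY),
                         ("allow all + deny selected", ALLOW_ALL_DENY_SELECTED)):
        print(label)
        for name, verdict in decisions(rules).items():
            print(f"  {name:28} {verdict}")
```

Under "selected groups only" the model denies the HTTPS tunnel, the SecureNAT telnet session and the non-redirected Firewall Client request, which are the three symptoms the article lists, and also the response with no Content-Type, since a missing header matches no group. Under the deny-based configuration those same requests pass, because nothing about them matches the deny rule and the all-content allow rule covers them, while a video download is still blocked; whether a real ISA box treats a missing Content-Type the same way is what MB's open case would have to confirm.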
RE: This is currently a complete failure as a product... - 15.Sep.2001 3:09:00 AM   
Spikey

 

Posts: 8
Joined: 17.Jul.2001
Status: offline
You guys are just lame. Go buy a book on hardening Windows NT/2000, then install ISA with the help of the ISA Server 2000 book.

I did all this, I have a DMZ with a few boxes on it (application servers using IIOP/CORBA protocols) and a few published servers on the private network. I have an e-mail server (Exchange 5.5) running on the private network as well.

You see, I'm not a security expert. I am a software developer who wears many hats. One of them happens to be security. Perhaps you have too many preconceived notions about how it should be configured. Go buy some books and do what they recommend. The product does work! If I can do it, you, the security experts, should be able to as well.

Regards,

-Mike


(in reply to danielrm26)
Post #: 19
RE: This is currently a complete failure as a product... - 15.Sep.2001 4:44:00 AM   
jmunyan

 

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
I downloaded the firewall recommended by danielrm26. I am no Linux stud, but what he said was more or less true. Installing the product was quick (less than 10 minutes) and it was easy to configure, providing quick access to the web. Doing a port scan yielded pretty good results, though ftp and a couple of ports came up closed rather than stealth. I found the rule set definition interface to be very clear (one of my complaints with the ISA interface). The first time I tried ISA I failed after 18 hrs of trying. It was beta, but still I would think it could work correctly. Later attempts were obviously more successful. Once the ISA installation is completed it takes about a minute to get outbound access going.

It doesn't really matter which product one uses. I can't figure out people who buy any cars other than Hondas, but those crazies driving around in Pontiacs seem happy to do so. Whatever floats your boat.

In parting I will add that I think what MS is trying to sell in all their products is intuitive ease of use. Daniel raises a good point; have they done it? Is the extra $1400 or so that a basic ISA firewall costs well spent compared to the competition? You be the judge.

Either way this debate is pretty meaningless since none of us except for developer stud (above) can do anything to change ISA for the better (you go girl).

It is what it is. Not like it is going to make me a frozen yogurt or something really neat. Man now that would be a firewall.

blah

John


(in reply to danielrm26)
Post #: 20
