Although Tom answered your findings, I would like to add a few words, without directly answer anything.
You have to decide yourself if you want to start a forward thinking discussion, or just to express your anger, or maybe just to amuse yourself.
I do understand that you are nervous, since you had a frustrating experience with ISA(the first impression is the one people often relate to(natural human behavior), and hence they just try to "believe" it must be so, even if it may not be quite so), but I do not see how would we get somewhere, assuming you want to get somewhere.
Maybe ISA is not perfect, personal I do not know what firewall out there is, nor who said that ISA is perfect.
ISA has a baseline price, and some default features.
Other firewalls have other features, that the default ISA does not have, but different prices.
You can add those features to ISA through third part add-ons, and evaluate the loaded version of ISA vs firewalls made by other vendors, in terms of price or whatever you would like.
You demand people to prove that you are wrong, but you did not prove anything after all, have you thought about that ?
An angry affirmation may trigger an angry answer or a funny one, people amusing about the situation, Christopher Columbus "discovered" America. What would you expect ?
Just put yourself for a moment in someone's shoes who's reading your original statements, and think how many of them are sustainable.
Maybe ISA is not "enterprise ready", but whose enterprise, what is the definition of this enterprise, apart of the "firewall giga throughput"(which is meaningless and just an old story, as it boils down to what exactly is filtered and how is filtered, and only after that if ISA can be a part of the equation) and the "internal expansion" feature(meaningless as well, as it lacks context, first you need to define the "internal network", which may vary during enterprise networks, then ISA's role, if any).
You did not gave us a clue, how ISA or Microsoft "cheated" you making you to buy ISA, what document or documents state that ISA does something or that would fit into your scenario(unclear scenario too), and you found out that it does not do so, and Microsoft simply ignored you and your findings.
You say you did some pen tests, however no one knows what you did, because you did not say, except of some fancy words, so why someone may believe you. I've got a 20+ Mps at home too. If that's relevant, place it in the right context.
Yes, a lot of people keep answering that question regarding rules, an that is something interesting I would say, maybe it proves that was something very easy to figure....
Keeping in mind that, someone may presume that your other observations may be flawed too. This is natural behavior, as you claim you have documented and analyze in depth ISA. So, obviously someone may wonder how have you missed something so basic.
Maybe some answers are flawed, the users here are not payed to answer your questions, so you would have to take them the way they are, good or bad, useful or not. Since you posted here, is you the one directly looking for something, and not the ones that answer, as they may do that indirectly.
You've got a web site, you can document carefully your findings, and post the links here, forward them to Microsoft, and post Microsoft's answers. But, for someone to take you into serious, you need to put the original documentation provided to Microsoft, original questions and original answers.
If you are correct, then there is nothing new or extraordinary, just another bad vendor, but people may find useful that info. If you are wrong, nothing new as well...
Now let's make a journey, let's see if Microsoft cheats you:
Evaluation, 180 days:
ISA 2006 Std or EE:
TMG Beta 1, yes you can stay with it right from the early phases:
What that means: you do not have to pay anything, you do not have to enter any club, you do not have to be a VIP, in order to evaluate ISA or TMG. Just to have a machine for testing. You can do that in a virtual lab. How many enterprise firewalls out there offer you these possibilities ?
Documentation, just to link a few:
ISA's team blog:
ISA's Features at a glance:
ISA 2006 overview:
Forefront Edge Security home:
Technet ISA 2006 home:
ISA Server 2006 Firewall Core:
Forefront Edge Security and Access Demonstration Toolkit(you can jump right in, as things are pre-configured)
Hands on labs:
ISA best performance practice:
ISA Capacity planner:
ISA, IAG remote access VPN:
Evaluation Guide and Walkthroughs:
Microsoft Forefront Security products, page 7 info about ISA:
ISA's SSL VPN functionality, what exactly ISA offers and what not:
VLANS and ISA:
For example, Tom's ISA 2006 book clearly says that ISA 2006 does not offer SSL VPN.
For a couple of dollars you will have a full review of ISA.
www.isaserver.org, no presentation needed, as you are here.
ISA vendors' resources:
What's new in ISA Server 2006, an old presentation, for example check the DoS features, what ISA 2006 has new over ISA 2004:
Common Criteria Guidance Documentation Addendum forISA2006:
ICSA Labs, what they tested:
During security testing the Network Security Lab team uses commercial, in-house-created, and freely available testing tools to attack and probe the Candidate Firewall Product. The Network Security Lab team uses these tools to attempt to defeat or circumvent the security policy enforced on the Candidate
Firewall Product. Additionally, using trivial Denial-of-Service and fragmentation attacks the Network Security Lab team attempts to overwhelm or bypass the Candidate Firewall Product.
The Network Security Lab team confirmed that the ISA Server 2004 SP2 permitted the services in the Required Services Security Policy properly and that the configured services functioned correctly.
Furthermore, the product was not circumvented by the attacks launched inbound and outbound to and through the ISA Server 2004 SP2. Finally, the product was not defeated by trivial Denial-Of-Service and fragmentation attacks.
Circumstances of Spot-Check
The ISA Server 2006 was selected for spot-check testing when Microsoft Corporation released Internet Security and Acceleration Server 2006 version 5.0.5721.240.
Successful spot-check testing of the ISA 2006 indicated that the product continued to meet all the criteria elements in the Baseline and Corporate modules and therefore has retained ICSA Labs Firewall Certification.
The Internet Security and Acceleration (ISA) Server 2006 was successfully tested against the following modules from version 4.1a of The Modular Firewall Certification Criteria:
• Baseline module,
• Logging Update – version 4.1a,
Copyright © 2008 Cybertrust, Inc. All Rights Reserved. 2
• Required Services Security Policy – Corporate Category module,
ICSA Labs Firewall Testing - An In Depth Analysis
Trivial DoS Attacks Denial of Service (DoS) attacks – both distributed (DDoS) and otherwise – are essentially attacks on resources. Well-planned and executed DDoS attacks that consume all available network bandwidth or all of a firewall product's resources have caused significant problems to public organizations in the not-so-distant past. There is little a firewall can do when the bandwidth is gone. Unlike many DDoS attacks, firewalls can protect against the class of "trivial”
DoS attacks. We have been surprised by how effective older, trivial DoS attacks have been against the current generation of firewall products.
Years ago ICSA Labs relied more on the DoS attacks in vulnerability scanning tools like Nessus, CyberCop, ISS, etc. Over the past several years these tools are no longer the primary source for the DoS attacks used by the firewall testing team. Though we do continue to run the vulnerability scanners to provide additional testing assurance, today, the firewall testing team performs "hands-on” DoS testing. To do this we obtain or create the DoS source code. We then compile the code with any necessary modifications. Modifications help ensure that vendors address the root of what allowed a particular DoS to be successful, rather than engineering the product to be impervious to a specific form of the attack. These DoS attacks are then separately launched in all directions to and through the firewall.
When the testing team began conducting DoS attacks by hand, questions arose as to how we would determine a failure and how we would guarantee that network bandwidth consumption wasn't the cause of the failure. To avoid a criteria violation the testing team determined that during a DoS attack the firewall had to continue passing permitted traffic through the product in both directions, while enforcing the security policy and being administered from the primary administrative interface. Rate limiting the traffic from the attacking machine to 1.54 Mbit/s – the
ideal, if not the actual rate one would get with a T1 connection – ensured that bandwidth utilization was not a factor.
ICSA Labs firewall testing of DoS attacks attempts to stress the resources on the firewall under test rather than stressing the network bandwidth. And even with our modest expectations, firewall products – large and small, market-established and new-to-market – struggle to defend against DoS attacks including synflood, jolt2 and others.
The moral of the cert docs, is that ISA does what it says only when properly deployed and configured, in the correct place and environment.
Now, tell me how, assuming that someone would have been through some of the above(and there are more of them), *without* having to *pay anything*, and, although it may claim it has well documented the deployment scenario and knows what features it needs, will still buy ISA and find out that ISA does not meet its requirements ?
And icing on the cake, it blaims ISA or Microsoft for that.
Personal I can't figure that.
What counts more, is that you do not have to trust nobody, as you had access to a trial version of ISA, thus no one can trully lie to you, thus cheat you to buy ISA. If they still managed to cheat you, then, that's interesting I would say....
Maybe, at the time you bought ISA, some of the above documents were not available, however, we are talking at this moment, thus they do count.
There are many web sites and blogs on the Internet, where people discuss various ISA deployment scenarios. And also certain limitations of ISA.
Now, if you are kind enough to provide the needed documentation or whatever is required to argument your findings, maybe some would be kind enough to read them...
Until then, it would be "some say so and you say otherwise", which is meaningless anyway or just amusing for everybody except you and others like you(who had frustrating experiences with ISA), as you may feel a little better.... Or not, depending on what answers you will get in return....
< Message edited by justmee -- 9.Sep.2008 3:04:07 PM >