Welcome to ISAserver.org


RE: Discussion on firewall fairy tales article

RE: Discussion on firewall fairy tales article - 20.Jun.2004 7:59:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi George,

Excellent analysis! Indeed, I am convinced that people who have bought into the so-called "hardware" firewall myth are so vehement in their defense of their firewalls because they have spent so much money. It would be very difficult for them to defend their purchases if they admitted that an ISA firewall could provide superior protection for a fraction of the price.

Thanks!
Tom

(in reply to tshinder)
Post #: 21
RE: Discussion on firewall fairy tales article - 20.Jun.2004 9:17:00 PM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
It's quite normal that perception lags behind reality. A lot of people simply don't ever do the research and don't know what they're talking about whenever they start talking about "hardware" devices. I personally like to keep my options open and I've worked with just about every Enterprise firewall platform there is from CheckPoint to PIX to Firewall IOS to NetScreen. I think that gives me an objective look on all of the platforms. I think a bigger factor in justifying existing platforms is not just the money that they spent, but the time that they spent getting their certifications for their specific platform.

I think that ISA 2004 is the first ISA version that can be used in an Enterprise configuration as a standalone firewall. As you have said, ISA 2000 was a good product but was a little lacking in some features that would keep me from using it in a standalone configuration.

(in reply to tshinder)
Post #: 22
RE: Discussion on firewall fairy tales article - 21.Jun.2004 1:01:00 AM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
Hi Tom,

One configuration that I am using now is a Load Balancer behind a PIX. The Load Balancer serves as a reverse proxy when it's doing load balancing and failover duties. Although it's not meant or marketed as an Application Firewall and probably doesn't have anywhere near the application filtering capabilities of an ISA 2004, it is at least doing reverse proxy. Another benefit of doing this type of a configuration is that the load balancer is also leveraged as an HSM for all of the servers behind it. This means if you're using a FIPS 140 Level 3 crypto card in your 2 redundant load balancers, it beats the hell out of trying to shove a $7000 HSM into each of your 100 servers. All of your sites that are being proxied and load balanced will become Level 3 by proxy.

Now obviously, you can leverage the same HSMs in your ISA 2004 boxes, but I don't think it has load distribution capabilities like an F5 box (correct me if I'm wrong). If such a thing were possible with ISA 2004, and there is no reason it can't be built with F5 BigIP capabilities, then that would truly be an awesome device. Right now, I'd have to put the ISA2004 box in front of the F5 box.

(in reply to tshinder)
Post #: 23
RE: Discussion on firewall fairy tales article - 21.Jun.2004 2:07:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by George Ou:
It's quite normal that perception lags behind reality. A lot of people simply don't ever do the research and don't know what they're talking about whenever they start talking about "hardware" devices. I personally like to keep my options open and I've worked with just about every Enterprise firewall platform there is from CheckPoint to PIX to Firewall IOS to NetScreen. I think that gives me an objective look on all of the platforms. I think a bigger factor in justifying existing platforms is not just the money that they spent, but the time that they spent getting their certifications for their specific platform.

I think that ISA 2004 is the first ISA version that can be used in an Enterprise configuration as a standalone firewall. As you have said, ISA 2000 was a good product but was a little lacking in some features that would keep me from using it in a standalone configuration.

Hi George,

That's why I really appreciate your observations on the ISA v. "hardware" firewall debate. You've got tons of experience with just about every platform and you know the pros and cons first hand. I'm sure when you get deep into your ISA setups, you'll really appreciate the flexibility of access control it brings to the table.

BTW -- if you're interested in writing for ISAserver.org, let me know. I'll get you set up as a site author and take care of the formatting stuff for you. We don't pay as much as TechRepublic, but you don't have to wait very long before your stuff goes up on the site. [Big Grin]

Thanks!
Tom

(in reply to tshinder)
Post #: 24
RE: Discussion on firewall fairy tales article - 21.Jun.2004 2:09:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by George Ou:
Hi Tom,

One configuration that I am using now is a Load Balancer behind a PIX. The Load Balancer serves as a reverse proxy when it's doing load balancing and failover duties. Although it's not meant or marketed as an Application Firewall and probably doesn't have anywhere near the application filtering capabilities of an ISA 2004, it is at least doing reverse proxy. Another benefit of doing this type of a configuration is that the load balancer is also leveraged as an HSM for all of the servers behind it. This means if you're using a FIPS 140 Level 3 crypto card in your 2 redundant load balancers, it beats the hell out of trying to shove a $7000 HSM into each of your 100 servers. All of your sites that are being proxied and load balanced will become Level 3 by proxy.

Now obviously, you can leverage the same HSMs in your ISA 2004 boxes, but I don't think it has load distribution capabilities like an F5 box (correct me if I'm wrong). If such a thing were possible with ISA 2004, and there is no reason it can't be built with F5 BigIP capabilities, then that would truly be an awesome device. Right now, I'd have to put the ISA2004 box in front of the F5 box.

Hi George,

This is one area where the ISA 2004 firewall needs some help. You can get comparable features with ISA 2004 if you have the RainWall/RainConnect combo on the box. I figure you'll be able to get something like this in an appliance form factor (rack mount, etc) and Web interface for about $5-6K per box.

How would that compare with your F5 solution you're using now?

Thanks!
Tom

(in reply to tshinder)
Post #: 25
RE: Discussion on firewall fairy tales article - 21.Jun.2004 3:09:00 AM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
Tell me if I'm interpreting this right: Rainwall for ISA will allow you to have a pool of, say, 8 HTTP/HTTPS application servers behind ISA/Rainwall appear as one HTTP/HTTPS server URL?

If this is correct, you would be able to put some nCipher FIPS Level 3 HSM PCI cards into your 2 ISA/Rainwall boxes to make all of your sites comply with FIPS Level 3, so no one can ever harvest any of your RSA private keys.

If one of the 8 servers fails, the load will be evenly distributed among the remaining 7 servers seamlessly. I assume sticky sessions would have to be supported. Also, the ability to run scripts against each of the servers that check to see if the application is functioning correctly would also be essential.

Of course, ISP load balancing would be supported for outbound at Layer 3, and inbound ISP redundancy would only be supported with Dynamic DNS. Note that for large enterprise shops, you would do BGP with your edge routers so that load balancing and redundancy would be true layer 3 for inbound and outbound.

Is this a correct assessment of Rainwall for ISA? If it is, I think a pair of ISA2004/Rainwall boxes should do as good or better than a PIX and F5 combo.

(in reply to tshinder)
Post #: 26
RE: Discussion on firewall fairy tales article - 21.Jun.2004 3:43:00 AM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
quote:
BTW -- if you're interested in writing for ISAserver.org, let me know. I'll get you set up as a site author and take care of the formatting stuff for you. We don't pay as much as TechRepublic, but you don't have to wait very long before your stuff goes up on the site.
Hey Tom,

Sure thing, I'd love to write for ISAServer.org.

Actually, I have an idea for an article already, more along the lines of building optimum hardware for an ISA 2004 1U box for a little over $1000.

The system would include dual Intel Gigabit capability so that you can 802.1q trunk the internal LAN interface for maximum throughput. The 3.2 GHz CPU on an 800 MHz FSB would deliver optimum price/performance ratio. Dual hotswap SATA hard drives would give you storage peace of mind.

I think this would be something different, but I think a lot of readers would be interested in building something like that. Actually, you wouldn't really need to build that much since the whole thing comes in a kit anyways. You just need to insert disks, RAM and CPU.

Of course, I could include some performance benchmarks to demonstrate just how it stacks up against some of the "hardware" based solutions out there. Most people have a hard time believing me when I tell them that such a box would outperform a $30,000 VPN concentrator. This should put all doubts aside.

(in reply to tshinder)
Post #: 27
RE: Discussion on firewall fairy tales article - 21.Jun.2004 3:43:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi George,
Can't say about the nCipher devices. I haven't worked with that product yet on an ISA 2004 box, so you'll know before I do [Smile]

RainWall is an NLB app that vastly improves on the Windows NLB. Check it out at http://www.rainfinity.com/products/ds_rainwall_platform.html

So, you can install an array of RainWall enabled ISA firewalls and have realtime transparent failover in the event that one of them goes down. I've worked with the ISA 2000 version of the product and it's very nice and performance is impressive.

The RainConnect feature is of value for those orgs that don't want to deal with the complexities or politics of BGP. If you can get BGP working for your organization, then that's definitely the way to go, so RainConnect isn't required, although RainConnect does bandwidth aggregation and prioritization too, so that you can direct certain protocols preferentially to one link versus another.

Thanks!
Tom

(in reply to tshinder)
Post #: 28
RE: Discussion on firewall fairy tales article - 21.Jun.2004 4:00:00 AM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
I'm looking at Rainwall and I see a good add-on product for ISA server to achieve load-balancing and redundancy for the ISA box itself, but I don't think it's a content switcher like a Cisco CSS or an F5 BigIP. I'm interested in having a pool of, say, 32 application servers behind a content switcher to make those 32 application servers appear as one server for load balancing and failover of the published HTTP/HTTPS service. I'm not really talking about load balancing and failover of the ISA+Rainwall box itself. Is there any way to make ISA 2004 do content switching?

(in reply to tshinder)
Post #: 29
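The content switch George describes in posts 26 and 29 (one published URL in front of a server pool, per-server application health scripts, sticky sessions, and even redistribution of load when one of the 8 servers fails), modelled as an added example. This is not RainWall, F5 or ISA code; the server names, the probe interface and the status table are constructed.

```python
"""Model of a content switch: one published URL in front of a pool of HTTP servers,
with per-server application health checks, sticky sessions and failover.
Added example; server names and the probe interface are constructed and do not
come from RainWall, F5 or any product discussed in the thread."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# A health "script": given a server name, returns True only if the application
# (not merely the TCP port) answered correctly. Constructed interface.
Probe = Callable[[str], bool]


@dataclass
class ContentSwitch:
    pool: List[str]                 # backend servers published as one URL
    probe: Probe
    healthy: Dict[str, bool] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> server
    rr: int = 0                     # round-robin cursor

    def run_health_checks(self) -> List[str]:
        """Probe every server. Failed servers leave the rotation and any sticky
        sessions pinned to them are released so they re-home on the next request."""
        self.healthy = {s: self.probe(s) for s in self.pool}
        for sid, srv in list(self.sessions.items()):
            if not self.healthy[srv]:
                del self.sessions[sid]
        return [s for s in self.pool if self.healthy[s]]

    def pick(self, session_id: Optional[str] = None) -> str:
        """Select a backend for one request: a known session stays on its server,
        anything else is round-robined over the healthy servers only."""
        if session_id in self.sessions:
            return self.sessions[session_id]
        live = [s for s in self.pool if self.healthy.get(s)]
        if not live:
            raise RuntimeError("no healthy servers behind the published URL")
        srv = live[self.rr % len(live)]
        self.rr += 1
        if session_id is not None:
            self.sessions[session_id] = srv
        return srv


def distribution(switch: ContentSwitch, session_ids: Iterable[str]) -> Counter:
    """Route one request per new session and count where each landed."""
    return Counter(switch.pick(sid) for sid in session_ids)


if __name__ == "__main__":
    # Constructed pool of 8 servers and a status table standing in for real probes.
    status = {f"app{i:02d}": True for i in range(1, 9)}
    cs = ContentSwitch(pool=sorted(status), probe=lambda s: status[s])
    cs.run_health_checks()
    print(distribution(cs, (f"s{i}" for i in range(80))))   # 10 requests each
    status["app03"] = False                                 # one server fails
    print(cs.run_health_checks())                           # 7 remain
    print(distribution(cs, (f"t{i}" for i in range(70))))   # 10 each on the 7
```

The probe is where the "scripts that check the application" plug in; a check that only confirms the port is open would keep a broken application in rotation.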
RE: Discussion on firewall fairy tales article - 21.Jun.2004 5:55:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi George,

If I'm understanding you correctly, you're looking for NLB for the back end servers, is that right? So that you expose a single address for the entire server farm behind the firewall?

Thanks!
Tom

[ June 21, 2004, 05:55 AM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 30
RE: Discussion on firewall fairy tales article - 21.Jun.2004 9:44:00 AM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
Hi Tom,

Bingo! You got it. That is exactly what I'm looking for. Load balancing and failover is fine for the ISA+Rainwall box itself, but I want that for the server farm that is being reverse proxied to the public Internet, and running NLB for all of those servers is not an option because many of them are not even Windows.

(in reply to tshinder)
Post #: 31
RE: Discussion on firewall fairy tales article - 21.Jun.2004 5:54:00 PM   
BrianB

 

Posts: 1
Joined: 21.Jun.2004
From: Michigan
Status: offline
Thomas,

Nice article, but it would have better impact if it weren't for the grammatical, punctuation, and usage errors.

First sentence: "…material they've received in 1997…" They received something in 1997; they've received something since 1997.

First bullet:
"It is a good clean up update, but I won't say it is major. It doesn't all of a sudden make them a competitor to CheckPoint (http://www.infoworld.com/article/04/05/03/HNisaserver_1.html) [BTW -- this quote is our leader for 'clueless analyst comment of the year')

Two errors. There is no closing quote, and the name of the product is "Check Point," not "CheckPoint."

Third bullet: Ditto. Check Point, not Checkpoint.

Fifth bullet: This is the only bullet with a period. It should be consistent in punctuation with all your other bullets.

Sentence following bullets: "…material they've received in 1997…" They received something in 1997; they've received something since 1997.

Next paragraph: "pabulum" is "a substance that gives nourishment; food"; "pablum" is "trite, insipid, or simplistic writing, speech, or conceptualization." Here you need the word "pablum."

Defense in Depth section, 4th paragraph: the word Rings is written in quotes and capitalized. There is no need for it to be in upper case.

Defense in Depth section, 10th paragraph: "If the robber flies past the Fed…" In all other instances you wrote "Feds." Should be consistent. "Fed" usually refers to the Federal Reserve Board.

"State" should not be upper case.

"Bank" should not be upper case.

Defense in Depth section, 11th paragraph, first sentence: Comma required after the word "protected."

Defense in Depth section, 14th paragraph, first sentence: "…put it's most hardened…" The contraction "it's" stands for "it is." It's not the possessive of the pronoun "it."

Defense in Depth section, 17th paragraph, you first use the abbreviation "ASIC" without definition. Even though you define it later in the article, you should define it on first use.

Same paragraph: You write "X, Y, and Z". Standard American English rules of punctuation require the period inside the quote, so it should be written as "X, Y, and Z."

Next paragraph: same error as above.

Defense in Depth section, 23rd paragraph: you write, '"I wouldn't be comfortable without having a PIX or Checkpoint in front of the ISA firewall",' Same error as above. Should be written "I wouldn't be comfortable without having a PIX or Checkpoint in front of the ISA firewall,"

Also, "Check Point," not "CheckPoint."

OK, I'm tired of typing, and I see over 20 additional errors past this point. Let me know if you'd like me to reply with more.

(in reply to tshinder)
Post #: 32
RE: Discussion on firewall fairy tales article - 21.Jun.2004 8:49:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Brian,

Want a job as a copy editor? [Big Grin]

Thanks!
Tom

(in reply to tshinder)
Post #: 33
RE: Discussion on firewall fairy tales article - 22.Jun.2004 6:11:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by George Ou:
quote:
BTW -- if you're interested in writing for ISAserver.org, let me know. I'll get you set up as a site author and take care of the formatting stuff for you. We don't pay as much as TechRepublic, but you don't have to wait very long before your stuff goes up on the site.
Hey Tom,

Sure thing, I'd love to write for ISAServer.org.

Actually, I have an idea for an article already, more along the lines of building optimum hardware for an ISA 2004 1U box for a little over $1000.

The system would include dual Intel Gigabit capability so that you can 802.1q trunk the internal LAN interface for maximum throughput. The 3.2 GHz CPU on an 800 MHz FSB would deliver optimum price/performance ratio. Dual hotswap SATA hard drives would give you storage peace of mind.

I think this would be something different, but I think a lot of readers would be interested in building something like that. Actually, you wouldn't really need to build that much since the whole thing comes in a kit anyways. You just need to insert disks, RAM and CPU.

Of course, I could include some performance benchmarks to demonstrate just how it stacks up against some of the "hardware" based solutions out there. Most people have a hard time believing me when I tell them that such a box would outperform a $30,000 VPN concentrator. This should put all doubts aside.

Hi George,

That would be a fantastic article! I'll send a note to Stephen Chetcuti and we'll get you set up. You would be a tremendous asset to the ISAserver.org site!

Thanks!
Tom

(in reply to tshinder)
Post #: 34
RE: Discussion on firewall fairy tales article - 28.Jun.2004 12:30:00 PM   
Guest
I was most interested in your article. However, at my org we are replacing an ISA server firewall arrangement I designed with a hardware firewall because the new boss says we need a proper secure certified firewall.

All the technical arguments in the world can't get past that one, or can they?

(in reply to tshinder)
  Post #: 35
RE: Discussion on firewall fairy tales article - 28.Jun.2004 1:32:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi F,

The best thing you can do is document the conversation and when (not if) your organization is hacked or breached by an Internet worm, you can point out the methods that you could have put in place if you had an ISA firewall. I had a lot of fun with that one when all those PIX networks got whacked by Blaster and *none* of my ISA protected networks were touched.

It's happened before and it will happen again.

HTH,
Tom

(in reply to tshinder)
Post #: 36
RE: Discussion on firewall fairy tales article - 28.Jun.2004 9:31:00 PM   
tony8gj

 

Posts: 9
Joined: 13.Jun.2003
From: USA
Status: offline
To help answer your question, I would ask your boss:

1. what hardware firewall is going to replace ISA
2. what applications the hardware firewall is going to protect: Web server, Exchange server, Sharepoint server?
3. what certifications the hardware firewall will have

Many thanks,

Tony.

(in reply to tshinder)
Post #: 37
RE: Discussion on firewall fairy tales article - 29.Jun.2004 8:40:00 AM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
quote:
Originally posted by <FSimon>:
I was most interested in your article. However, at my org we are replacing an ISA server firewall arrangement I designed with a hardware firewall because the new boss says we need a proper secure certified firewall.

All the technical arguments in the world can't get past that one, or can they?

The question is "certified by who"? Certified based on some obscure organization's standard that some salesman has shown you on a PowerPoint slide? The fact of the matter is, ISA server has some certifications of its own. I probably would never use ISA 2000 as a standalone firewall, but I would probably feel very comfortable in using an ISA2004 box in standalone configuration depending on the organization's needs.

As far as security is concerned, you're probably better off using an Application Layer firewall such as ISA2004. A hardware firewall such as a Cisco PIX definitely has its benefits, but it will not do a reverse proxy to your web servers. Opening a raw TCP 80 session to your Web Server will not be as secure as doing a reverse proxy to that server.

Using a hardware box in front of an ISA2004 box is probably ideal in terms of performance and flexibility. That hardware stateful filter box in front of your ISA2004 box does not have to be a PIX; it can be your edge router running Cisco Firewall IOS with integrated IDS. This combo configuration can be cheaper and more effective than a mid-range PIX.

(in reply to tshinder)
Post #: 38
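George's contrast between "opening a raw TCP 80 session" and publishing through a reverse proxy, as an added example (not ISA or PIX code): a stateful packet filter decides on the port alone, while a reverse proxy parses the request and can enforce a publishing rule (method, published host name, path, URL and header size) before anything reaches the web server. The rule fields, host names and sample requests are constructed.

```python
"""Added example: what a reverse proxy can decide that a packet filter cannot.
Both decision functions, the PublishingRule fields and the sample requests are
constructed for illustration; they are not ISA Server or PIX behaviour."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass
class PublishingRule:
    public_host: str                         # name the site is published under
    allowed_methods: FrozenSet[str] = frozenset({"GET", "HEAD", "POST"})
    allowed_paths: Tuple[str, ...] = ("/",)  # path prefixes actually published
    max_url_length: int = 2048
    max_header_bytes: int = 8192


# RFC 7230 token characters for header field names
TOKEN = re.compile(rb"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")
# Control characters never legitimate in a header value (tab 0x09 is allowed)
CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def packet_filter_decision(dst_port: int) -> bool:
    """A stateful packet filter 'publishing' a web server: everything to TCP/80
    passes; the filter never sees the HTTP request itself."""
    return dst_port == 80


def proxy_decision(raw: bytes, rule: PublishingRule) -> Tuple[bool, str]:
    """Parse the request like a reverse proxy and apply the publishing rule.
    Returns (forward?, reason); a False result is what the proxy logs and drops."""
    if len(raw) > rule.max_header_bytes:
        return False, "header block too large"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return False, "malformed request line"
    method, target, _version = parts
    if method.decode("ascii", "replace") not in rule.allowed_methods:
        return False, f"method {method.decode('ascii', 'replace')} not allowed"
    if len(target) > rule.max_url_length:
        return False, "URL too long"
    # A published site only receives origin-form targets; reject dot segments.
    if not target.startswith(b"/") or b".." in target:
        return False, "invalid request target"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name) or CTL.search(value):
            return False, "malformed header"
        headers[name.lower()] = value.strip()
    host = headers.get(b"host", b"").split(b":")[0].lower()
    if host != rule.public_host.encode("ascii"):
        return False, "host does not match published name"
    path = target.split(b"?")[0].decode("ascii", "replace")
    if not any(path.startswith(p) for p in rule.allowed_paths):
        return False, "path not published"
    return True, "forwarded to published server"


# Constructed publishing rule and sample requests for a hypothetical OWA site.
RULE = PublishingRule(public_host="mail.example.com", allowed_paths=("/owa/",))
GOOD = b"GET /owa/?cmd=contents HTTP/1.1\r\nHost: mail.example.com\r\nUser-Agent: x\r\n\r\n"
LONG_URL = b"GET /owa/" + b"a" * 3000 + b" HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
TRACE = b"TRACE /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
WRONG_HOST = b"GET /owa/ HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD, LONG_URL, TRACE, WRONG_HOST):
        print(packet_filter_decision(80), proxy_decision(req, RULE))
```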
RE: Discussion on firewall fairy tales article - 29.Jun.2004 10:33:00 AM   
rickday

 

Posts: 10
Joined: 21.Jun.2004
From: Sydney, Australia
Status: offline
I have found this to be a good article, and it has helped provide ammunition to change an internal project from just "how do we update our old Check Point firewall to a new one" to "let's consider other options".

We have a 100Mb/s Internet connection, currently protected with an old Nokia/Check Point FW. I have suggested that we look at "rings of ISA2004 Firewalls" as per the Firewall Fairy Tales document, instead of a new Nokia/Check Point solution. A question has come up that I need help to answer.

"ISA2004 is in beta - why would we trust it"

I would appreciate any help you can provide.
Thanks
Rick Day

(in reply to tshinder)
Post #: 39
RE: Discussion on firewall fairy tales article - 29.Jun.2004 1:55:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by George Ou:
quote:
Originally posted by <FSimon>:
I was most interested in your article. However, at my org we are replacing an ISA server firewall arrangement I designed with a hardware firewall because the new boss says we need a proper secure certified firewall.

All the technical arguments in the world can't get past that one, or can they?

The question is "certified by who"? Certified based on some obscure organization's standard that some salesman has shown you on a PowerPoint slide? The fact of the matter is, ISA server has some certifications of its own. I probably would never use ISA 2000 as a standalone firewall, but I would probably feel very comfortable in using an ISA2004 box in standalone configuration depending on the organization's needs.

As far as security is concerned, you're probably better off using an Application Layer firewall such as ISA2004. A hardware firewall such as a Cisco PIX definitely has its benefits, but it will not do a reverse proxy to your web servers. Opening a raw TCP 80 session to your Web Server will not be as secure as doing a reverse proxy to that server.

Using a hardware box in front of an ISA2004 box is probably ideal in terms of performance and flexibility. That hardware stateful filter box in front of your ISA2004 box does not have to be a PIX; it can be your edge router running Cisco Firewall IOS with integrated IDS. This combo configuration can be cheaper and more effective than a mid-range PIX.

Hi George,

Ha! You bet! Maybe I should put together a "hardware firewall cert" program. I'd require that it perform static packet filtering so that all filters must be explicitly created. That should be plenty secure [Wink]

Right on regarding stateful application layer filtering. To quote the grand-daddy of Internet firewalls, Marcus Ranum:

"With the increasing focus on application layer attacks, the day of packet-filters even being termed "firewalls" is pretty much over. Packet filters were barely firewalls to begin with, but today, the fight's mostly up in Layer 7 where they have no value.

Of course "we told you so" applies. [Wink]

mjr."

Thanks!
Tom

(in reply to tshinder)
Post #: 40
