RE: Discussion on firewall fairy tales article
RE: Discussion on firewall fairy tales article - 29.Jun.2004 1:57:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by rickday: I have found this to be a good article, and it has helped provide ammunition to change an internal project from just "how do we update our old Check Point firewall to a new one" to "let's consider other options".
We have a 100Mb/s Internet connection, currently protected with an old Nokia/Check Point FW. I have suggested that we look at "rings of ISA2004 Firewalls" as per the Firewall Fairy Tales document, instead of a new Nokia/Check Point solution. A question has come up that I need help to answer.
"ISA2004 is in beta - why would we trust it"
I would appreciate any help you can provide. Thanks Rick Day
Hi Rick,
I agree, I would *not* put the beta product in production; I never put any beta product in production. But I know of several large companies, one with over 50,000 employees, that are using ISA 2004 firewalls as their edge firewalls, and they've had zero problems with Internet-based or internal attacks on their firewalls.
HTH, Tom
RE: Discussion on firewall fairy tales article - 30.Jun.2004 11:56:00 PM
Weskendall
Posts: 5
Joined: 18.Jun.2004
From: Charlotte, NC
Status: offline
Tom, how do you feel about the firewall appliances like the Watchguard Firebox or the Fortinet Fortigate that perform what they call "deep packet inspection"? Would you say that an appliance doing application-level inspection has the potential to be as secure as ISA?
- Wes
RE: Discussion on firewall fairy tales article - 1.Jul.2004 4:59:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Wes,
Definitely not. When they say "deep packet inspection" they're talking layer 3 and stateful filtering, NOT stateful application layer inspection. You're getting a full dose of marketing speak from them, and that's about it.
HTH, Tom
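An added illustration of the distinction Tom draws above, written for this thread and not taken from the discussion or from any firewall vendor's code: a toy layer 3/4 "stateful" check that looks only at protocol and destination port, beside an application-layer check that validates the payload as an HTTP request before letting it through. The port policy, the permitted methods, the URI limit and the sample payloads are all assumed or constructed for the example.

```python
"""Port/state filtering versus application-layer inspection.

Added illustration for the ISAserver.org thread; not code from the discussion
or from any firewall product.  Sample payloads are constructed, not captured.
"""
import re
from typing import Tuple

# Assumed policy: only inbound TCP to port 80 is allowed, and on that port
# only ordinary HTTP/1.x requests using a small set of methods.
ALLOWED_TCP_PORTS = {80}
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
MAX_URI_LEN = 2048

# HTTP/1.x request line: METHOD SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"^host:[ \t]*\S", re.IGNORECASE | re.MULTILINE)


def stateful_filter(proto: str, dst_port: int) -> bool:
    """Layer 3/4 decision: protocol and destination port only.
    The payload is never examined, so anything sent to port 80 passes."""
    return proto == "tcp" and dst_port in ALLOWED_TCP_PORTS


def http_inspect(payload: bytes) -> Tuple[bool, str]:
    """Application-layer decision: is this really an HTTP request that
    matches policy?  Returns (permit, reason)."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return False, "payload is not a well-formed HTTP/1.x request line"
    method, uri = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, "method %s not permitted" % method.decode("ascii")
    if len(uri) > MAX_URI_LEN:
        return False, "request-URI longer than policy maximum"
    if not uri.startswith(b"/"):
        return False, "request-URI is not an absolute path"
    headers = payload[m.end():]
    if HOST_HEADER.search(headers) is None:
        return False, "missing Host header"
    return True, "ok"


def firewall_verdict(proto: str, dst_port: int, payload: bytes) -> str:
    """What a blended firewall does: the stateful check gates the connection,
    the application filter gates what may be sent over it."""
    if not stateful_filter(proto, dst_port):
        return "DROP (stateful: protocol/port not permitted)"
    ok, reason = http_inspect(payload)
    return "ALLOW" if ok else "DROP (application layer: %s)" % reason


# Constructed sample traffic: (protocol, destination port, first payload bytes).
SAMPLES = [
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("tcp", 80, b"SSH-2.0-OpenSSH_3.9p1\r\n"),  # SSH tunnelled over port 80
    ("tcp", 80, b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"),
    ("tcp", 80, b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\nHost: h\r\n\r\n"),  # oversized URI
    ("tcp", 23, b"\xff\xfb\x01"),  # telnet negotiation, port not in policy
]

if __name__ == "__main__":
    for proto, port, payload in SAMPLES:
        print("%s/%d %-30r stateful=%-5s blended=%s" % (
            proto, port, payload[:24], stateful_filter(proto, port),
            firewall_verdict(proto, port, payload)))
```

The second and third samples are the point: a pure port/state filter accepts both because they arrive on TCP/80, while the application-layer check rejects them because the bytes are not HTTP, or are an HTTP method the policy does not allow.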
RE: Discussion on firewall fairy tales article - 2.Jul.2004 11:13:00 AM
MarkPL
Posts: 1
Joined: 2.Jul.2004
Status: offline
Excellent article! In my previous job ISA 2000 was our main firewall product, and I never had a problem in trusting it.
In my current job, our main product is an INTY EX0server.
Your article mainly concentrates on ISA's place in a large, enterprise network. The company I work for is an IT support company mainly supporting smaller companies of an average size of between 10 to 25 users, with some clients going up to around 100 users. So, not a huge amount of traffic typically.
Typically then there is only one network segment, connected to the Internet. What role would you see for an ISA deployment in this, smaller scenario? Would you still recommend putting the ISA behind a simple packet filtering device?
RE: Discussion on firewall fairy tales article - 2.Jul.2004 3:58:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,
In the smaller network scenario, I see no reason at all to put the ISA firewall behind a packet filter, unless you need to create a back-to-back DMZ. Because the lines to these small offices are likely cable or DSL, or T1, the packet filter is completely superfluous. However, in many cases the DSL or cable line will use a NAT device to connect to the ISP network. In that case, you can take advantage of any packet filtering that comes with the NAT device. For T1 and similar lines, you almost always have an integrated router/CSU/DSU in front of the ISA firewall, so you can use the packet filtering feature of these if you want to. However, I always just open the routers wide open and forward everything to the ISA firewall.
Packet filters don't provide any level of real security, so why bother with them? Stick with a blended, stateful filter and stateful application layer inspection firewall like ISA.
HTH, Tom
RE: Discussion on firewall fairy tales article - 9.Jul.2004 12:22:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Coen,
Thanks! ISA 2004 is in process to be certified. I have no doubt it will be.
Thanks! Tom
RE: Discussion on firewall fairy tales article - 12.Jul.2004 3:38:00 AM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
First, I have been using ISA for a relatively long time (I'm member # 5653...what are we up to now?) and have been very happy with it.
Second I owe my job/house/car etc. to Microsoft and their products.
One point that no one has made is that ISA is an MS product. Not that I am implying that it is a bad/sloppy firewall.
Rather, I am concerned that Microsoft is getting into too many markets. Eventually they will/may be stopped by the legal system which could leave us all in a bad way.
I am SERIOUSLY looking forward to working with ISA 2004 as I enjoy this stuff, but from a political standpoint I find it to be a shame it is not a competitor's product.
Bob
BTW I don't see myself switching firewalls anytime soon!
RE: Discussion on firewall fairy tales article - 12.Jul.2004 3:41:00 AM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
Being a single-person IT dept in a small office, one of the strong points of ISA that I use to argue for a budget is the ability to rebuild it with basic components from a shop down the block (or a spare workstation!).
The folks I work for don't care about packet filtering, application filtering, etc. and leave that fun stuff up to me...
Bob [ July 12, 2004, 05:29 PM: Message edited by: BobW ]
RE: Discussion on firewall fairy tales article - 18.Jul.2004 8:37:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by BobW: First, I have been using ISA for a relatively long time (I'm member # 5653...what are we up to now?) and have been very happy with it.
Second I owe my job/house/car etc. to Microsoft and their products.
One point that no one has made is that ISA is an MS product. Not that I am implying that it is a bad/sloppy firewall.
Rather, I am concerned that Microsoft is getting into too many markets. Eventually they will/may be stopped by the legal system which could leave us all in a bad way.
I am SERIOUSLY looking forward to working with ISA 2004 as I enjoy this stuff, but from a political standpoint I find it to be a shame it is not a competitor's product.
Bob
BTW I don't see myself switching firewalls anytime soon!
Hi Bob,
I don't think this is going to be a problem for MS. The major influence the ISA 2004 firewall will have will be in the appliance market, so they are providing a strong firewall platform for these vendors. The ISA firewall has a long way to go before MS can have any kind of "monopoly" in the firewall market!
Thanks! Tom
RE: Discussion on firewall fairy tales article - 18.Jul.2004 8:38:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by BobW: Being a single-person IT dept in a small office, one of the strong points of ISA that I use to argue for a budget is the ability to rebuild it with basic components from a shop down the block (or a spare workstation!).
The folks I work for don't care about packet filtering, application filtering, etc. and leave that fun stuff up to me...
Bob
Hi Bob,
Absolutely right! You don't have to beg the hardware vendor for a new stick of RAM, a new hard disk, or a fix to their bugged-up flash module. You can take care of all of that yourself when using the ISA firewall, and you won't have to pay an arm and a leg for the fixes.
Thanks! Tom
RE: Discussion on firewall fairy tales article - 19.Jul.2004 10:03:00 PM
stormin
Posts: 6
Joined: 19.Jul.2004
Status: offline
Great article, Tom! You have solidified my feelings about ISA Server 2004.
Please pardon my ignorance, but I have a dilemma. I already have a Cisco PIX 515 "protecting" my network. For several reasons, I am going to deploy ISA Server 2004. However, I doubt that I will be allowed to just get rid of our PIX since it's less than a year old. Can anyone share their thoughts on using the PIX to provide me with a DMZ or maybe leaving the PIX as an additional line of defense (and deploying ISA behind the PIX)?
Thanks, Norman
RE: Discussion on firewall fairy tales article - 20.Jul.2004 2:43:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Norman,
Thanks! You can still leave the PIX packet filter in front of the ISA firewall. Like the article said, you put your strongest defenses closest to the protected resources, so the ISA firewall goes in the back of a back-to-back DMZ config. Then configure the ISA firewall to use the internal interface of the PIX as its default gateway.
HTH, Tom [ July 20, 2004, 02:43 AM: Message edited by: tshinder ]
RE: Discussion on firewall fairy tales article - 15.Dec.2004 4:06:00 PM
ilya_f
Posts: 19
Joined: 22.Feb.2002
Status: offline
Can anyone recommend appropriate software for host-based security? I am going to install something like a "personal firewall" on unihomed servers inside my network. I don't want to make a fake network loopback card and install ISA on internal servers, especially on servers carrying network infrastructure, like DC or WINS/DNS.
My knowledge of the personal firewall market is poor. It seems all of them are pretty good, but I need the most usable and approved one... Something like Trend Micro in the antivirus market...
BTW, all my servers are W2K servers.
Thank you,
Ilya.
RE: Discussion on firewall fairy tales article - 16.Dec.2004 2:15:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ilya,
For servers, IPSec policy might be a better choice than personal firewalls. Depending on your setup.
HTH, Tom
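An added example of what Tom is suggesting, written for this thread and not taken from the discussion or from Microsoft's documentation: a host-based IPsec policy whose rules only permit or block (no encryption), so the server's own IPsec driver acts as a packet filter for the services it listens on. It uses the netsh ipsec static syntax of Windows XP/Server 2003; Windows 2000, which Ilya runs, has no netsh ipsec context, so the same filter lists, filter actions and rules would be built with the Resource Kit's ipsecpol.exe or the IP Security Policy MMC snap-in. The management subnet 10.0.1.0/24, the ports and the policy names are assumed values.

```batch
@echo off
rem Added example: host-based packet filtering with an IPsec policy.
rem Syntax: netsh ipsec static (Windows XP / Server 2003).  Assumed values:
rem management subnet 10.0.1.0/24, services RDP (3389) and SMB (445).

rem Policy container; nothing is enforced until it is assigned at the end.
netsh ipsec static add policy name="ServerLockdown" description="Block listening ports except from management subnet"

rem Filter list 1: inbound packets from anywhere to the listening ports.
rem mirrored=no keeps the filter one-directional (inbound only), so the
rem server's own outbound connections are not affected.
netsh ipsec static add filterlist name="ServicesFromAny"
netsh ipsec static add filter filterlist="ServicesFromAny" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=no
netsh ipsec static add filter filterlist="ServicesFromAny" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=no

rem Filter list 2: the same ports, but only from the management subnet.
netsh ipsec static add filterlist name="ServicesFromMgmt"
netsh ipsec static add filter filterlist="ServicesFromMgmt" srcaddr=10.0.1.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=no
netsh ipsec static add filter filterlist="ServicesFromMgmt" srcaddr=10.0.1.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=no

rem Filter actions: plain permit and block, no negotiation of security.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem Rules.  IPsec evaluates the most specific matching filter first, so the
rem subnet-scoped permit wins over the any-source block for management hosts.
netsh ipsec static add rule name="BlockServices" policy="ServerLockdown" filterlist="ServicesFromAny" filteraction="Block"
netsh ipsec static add rule name="PermitMgmt" policy="ServerLockdown" filterlist="ServicesFromMgmt" filteraction="Permit"

rem Assign (activate) the policy on this machine and display it for review.
netsh ipsec static set policy name="ServerLockdown" assign=y
netsh ipsec static show policy name="ServerLockdown"
```

Two caveats a practitioner should check before relying on this. First, Windows IPsec filtering is stateless, which is why the example blocks specific listening ports rather than "all inbound": a block-everything-inbound filter would also drop the replies to the server's own outbound connections (DNS lookups, replication, updates). Second, on Windows 2000 and XP the IPsec driver exempts some traffic from filtering by default (IKE, Kerberos, RSVP, broadcast and multicast); the NoDefaultExempt registry value under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC controls this, and Windows Server 2003 tightened the default, so test what is actually exempt on your build before treating the policy as a complete host firewall.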
RE: Discussion on firewall fairy tales article - 16.Dec.2004 9:31:00 PM
aqib khan
Posts: 231
Joined: 12.Aug.2004
From: pakistan
Status: offline
simply the best work.