As usual, you delivered a decisive "beat down" on a "hardware" firewall devotee who clearly hasn't learned about which end eats. However, he does receive generous doses of high-margin BS from his hardware firewall sales reps and a 20th century approach to network security.
From: United Kingdom
Hunasthore...if you are a CCIE Security you are probably the most incompetent of them all...that being said....
Stating that "One thing to remember about Cisco, THEY ARE A ROUTER AND SWITCH COMPANY, first and foremost."...is as good as stating that Microsoft is a PC software development company (and a crappy one too).
Please get your facts straight:
- The ASA VPN services are not ported from the VPN3000...it's a totally new design (sure, ISA is Proxy 2.0..???) - Cisco rarely improves anything...well, can you tell me in which domains Juniper improved the NetScreen line..?...check out the ASA and get your facts straight
And please don't compare the ISA with a firewall...it does little justice to great firewall products...Checkpoint, Juniper, Fortinet...and yes Cisco ASA...
But hey...it might just be that you didn't pay attention during your CCIE course and are crap at configuring the ASA...or you're one of those blind adepts of Mr Shinder..aka...the most biased independent security expert
just my 2 cents..
What I don't understand is that the last post to this thread was nearly two years ago...did you specifically try and find something that old to reply to?
The way I look at it is this...Is McDonald's the best quality food restaurant to eat at in the world? No, probably not. Is it one of the most popular/widespread restaurants in the world? Yes, probably.
Continuing that analogy, just because Cisco PIX/ASA devices are widely deployed, this doesn't mean they are necessarily the best. If you are a food connoisseur you will probably try to find a specialised fine-dining restaurant to serve a meal that you will most enjoy. If that meal happens to be "application-layer protection of Microsoft solutions" then a Cisco PIX/ASA restaurant is gonna always leave you very hungry and disappointed with the service!
If you think about the big picture, many people combine security solutions to provide defense in depth. This approach often includes tiered firewall solutions, where each tier has its own niche functionality and strengths. As adrian says, it is very common in these designs to see an advanced application-layer firewall close to the application servers they protect...more and more, this role is provided by ISA Server.
Comparing firewall X to firewall Y, in my opinion, shows a lack of "big picture" security understanding and a somewhat narrow-minded view...aka...the wannabe security expert.
Stefan, if you hate MS so much, why are you posting on a Microsoft ISA Server forum? Surely there are many Cisco forums upon which you could put your ASA knowledge to good use for the community?
I think that by posting "Cisco is better than ISA", without providing any form of evidence or argument to back your claim - aren't you just appearing as a Cisco blind adept yourself?
< Message edited by Jason Jones -- 30.Jan.2009 11:09:40 AM >
First off, I would like to say I am impressed with the performance and capabilities in ISA 2006. I haven't touched Forefront yet, but that is next on my agenda. At the same time, I am Cisco CCNA certified, and I find it very interesting that someone can go all the way through and actually get the CCIE certification, which takes not only a qualification exam but an 8 hour $1400.00 (US) practical in very limited locations in the world, would go through all of that and not even know what CCIE stands for (Cisco Certified Internetwork Expert, not Engineer). I doubt an actual CCIE would make that mistake.
If you want to badmouth a company, that's one thing, but let's not pretend to be something we're not; we are looking for real information on this site. I may be wrong, but personally I would never put study time and money into a certification and not even know what it stands for.
As someone who has successfully penetrated PIX and ASA appliances as part of my job, I must say that they are extremely poor both in protection as well as throughput. My Linksys home firewall does a better job. Cisco's routers actually do a better job IMO.
As to ISA Server 2006, I have used it for several years and found it to be a very robust firewall. The only drawback is throughput, and that is really due more to implementation errors than ISA itself. If you put ISA on an old single-processor machine with 1GB of RAM and expect it to handle your 100 Mb/s symmetric connection, you will most likely be disappointed. Look at the TMG 2010 requirements as the top end for what you would need in an enterprise deployment.
Our network engineer wants to replace ISA VPN with a Cisco 5500 for the main reason that it can handle more VPN connections (I think the 750 connection model). How does this compare with 2006, or better yet, how does it compare with UAG? I really need as much hard evidence as I can get to get the UAG software in here, as it's newer and not fully tested like the 5500 is.
Please, all critics and opinions welcome, just back it up with some links or experience.
From: United Kingdom
You are comparing scale vs. security.
The application layer security abilities of ISA/TMG VPN are much better than the network layer security provided by Cisco. Scale can be accommodated using an Enterprise edition array and NLB (or a hardware load balancer). If you are using Windows SE below ISA you are limited to 1000 VPN connections I believe, but I think Windows Ent removes this limit. Not sure if this limit still exists with Windows 2008 and TMG, but doubt it...
UAG offers some great SSL VPN features and also DirectAccess which is a different technology approach. This is easily scalable to support a large number of connections by creating a UAG array of several servers and NLB; it can also be used with an advanced load balancer like the F5 BigIPs for maximum performance.
Well, the Cisco ASA can also perform application layer security as well. Cisco has plugins for both app and IDS. If I post this on the Cisco forum they will say their product is better, you know how that goes. I am an ISA guru so I would rather manage what I know. I also use Citrix NetScalers as my LB choice...
From: United Kingdom
So, the ASA can provide granular reverse proxy functionality then? Including SSL bridging, pre-authentication, link translation, URL and path validation/redirection, forms-based authentication, Kerberos Constrained Delegation, single sign-on.....?
So, the ASA can provide granular user-based access control for VPN which is directly based upon AD username or groups?
Just because a firewall claims to be "application aware" doesn't mean it has the same level of application depth as something specifically designed to secure specific application servers.