
Welcome to ISAserver.org


RE: WHY NOT TO BUY ISA SERVER.

RE: WHY NOT TO BUY ISA SERVER. - 24.Oct.2008 7:26:34 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Speaking about DoS, there is a nice aspect regarding ISA's application filters and TCP connections. For example, when you publish a server behind ISA, and an application filter exists for that protocol (assuming the correct server publishing rule was used), even if this server "has" a "sensible" backlog, and a crafted SYN flood is used "to fill" this backlog, the server will be protected.
When the application filter is bound to the server publishing rule, ISA "proxies" the TCP SYNs (either for a NAT or route network relationship), if we only focus on this aspect. Thus no SYNs will reach the back server if the "clients" are not able to complete the TCP three-way handshake. Too bad there aren't more application filters...
Others have implemented a form of TCP SYN-proxy (Cisco, Juniper or OpenBSD, to name a few).
The fun stuff is that with ISA, the "SYN-proxy" is on by default if the correct server publishing rule is used. Their advantage is that they can apply "SYN-proxy" for TCP connections to any destination ports.
"Enabling" application layer filtering on other devices may not translate into "SYN-proxy operations", an extra touch being required on those devices to compensate for the hybrid model.
Interesting, scrolling through those docs (various platforms), we can notice a lot of "firewall things" that ISA does by default, without requiring any user "input".
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jim Harrison)
Post #: 21
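
A small model of the SYN-proxy behaviour described in the post above, added as an example (not part of the original post and not ISA Server code). The backlog size, the addresses and the HMAC-derived sequence number are assumptions made for the simulation; the post does not say how ISA tracks half-open connections.

```python
import hashlib, hmac

SECRET = b"constructed-demo-key"  # constructed value, used only by this model

class Backend:
    """Published server with a small half-open (SYN) backlog."""
    def __init__(self, backlog):
        self.backlog, self.half_open, self.refused = backlog, set(), 0
    def syn(self, client):
        if len(self.half_open) >= self.backlog:
            self.refused += 1           # backlog full: this SYN is dropped
            return False
        self.half_open.add(client)
        return True
    def ack(self, client):
        self.half_open.discard(client)  # handshake done, slot is released

def isn_for(client):
    # Assumption: sequence number derived from the client address, no per-SYN state.
    mac = hmac.new(SECRET, client.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

class SynProxy:
    """Answers SYNs itself; contacts the backend only after a valid final ACK."""
    def __init__(self, backend):
        self.backend = backend

    def syn(self, client):
        return isn_for(client)          # SYN/ACK goes to the claimed source

    def ack(self, client, ack_no):
        if ack_no != (isn_for(client) + 1) % 2**32 or not self.backend.syn(client):
            return False                # handshake not completed: nothing forwarded
        self.backend.ack(client)
        return True

def run(use_proxy, flood=1000, backlog=128):
    backend = Backend(backlog)
    proxy = SynProxy(backend)
    for i in range(flood):              # constructed sources that never send the ACK
        src = f"198.51.100.{i % 250}:{1024 + i}"
        proxy.syn(src) if use_proxy else backend.syn(src)
    legit = "203.0.113.10:50000"        # constructed client that completes the handshake
    if use_proxy:
        ok = proxy.ack(legit, (proxy.syn(legit) + 1) % 2**32)
    else:
        ok = backend.syn(legit) and (backend.ack(legit) is None)
    return ok, len(backend.half_open), backend.refused
```

`run()` returns whether the legitimate client connected, how many half-open entries the backend holds, and how many SYNs it refused; comparing `run(False)` with `run(True)` shows the backend backlog staying empty when the handshake is proxied.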
RE: WHY NOT TO BUY ISA SERVER. - 28.Oct.2008 7:25:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adrian,

Great info!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 22
