WHY NOT TO BUY ISA SERVER.


zuit -> WHY NOT TO BUY ISA SERVER. (30.Aug.2008 4:31:26 AM)

The products that Microsoft has been releasing lately have been fantastic. Feature-full, relatively stable, fully supported, and well documented. Exchange Server 2007 is one of those shining examples of a great Microsoft product. But for everything that Ex2k7 and Server 2003 R2 do to polish the Microsoft image, ISA makes up for it in its undocumented disappointments:
 
No. 1 COMPLETE AND UTTER LACK OF SUPPORT FOR MORE THAN ONE INTERNAL SUBNET. (good luck expanding your IP Block.)
 
No. 2. The logging feature is extremely limited. Any other packet sniffer, such as open source Ethereal, has a far more user friendly and detailed interface. The functionality of the logging feature in ISA is worthless if you have any quantity of traffic to view or categorize.  
 
No. 3. If you have more than a few rules, you better label them alphabetically. There are no searching features for your rule set. Remember the server you wanted to modify rules for? Better take a short lunch so you can browse for it in the ISA rule list.
 
No. 4. Modification of a rule priority is something your assistant has to do. Want to move it from rule number 70 to rule number 5? Better get your assistant to click "Move rule up" 60+ times unless you're a masochist for carpal tunnel.
 
No. 5. So you like the idea of publishing reports? So do I. It's a shame the reports are coded incorrectly for publishing off server, and remove all the image markup tags. If the Microsoft ISA team can't figure out a basic HTML markup tag like img src="image.gif", are you really going to trust their SSL / PKI certificate manager?
 
No. 6. THE SERVER IS LIMITED TO 100MBPS EVEN IF YOUR HARDWARE SUPPORTS A HIGHER THROUGHPUT. Or, at least that's the answer I got after spending $300 to open a Microsoft support case asking one question: "Can I achieve higher throughput than 100Mbps?" Answer: No.
 
No. 6.1. The bandwidth graph reads 0-100Mbps, so even if you do figure it out.. you've got bugs.
 
No. 7. I couldn't find any SSL based VPN or ActiveX control that comes with ISA Server. I ended up using open source VPN software because ISA doesn't provide one, but maybe I was just spoiled into expecting a nice Graphical interface.
 
No. 8 When you realize that you made a drastic mistake, you're not going to get your money back when you ebay your gently used, year 2006, low mile, ISA server licenses.
 

P.S.
In pen tests, I was able to chew through all of my multi-homed GigE ISA Server 2006's C2 Interrupts without disrupting my IP Phone or my BitTorrent download of FreeBSD when attacking from my 20Mbps home-office internet connection.




ptlinva -> RE: WHY NOT TO BUY ISA SERVER. (30.Aug.2008 12:47:50 PM)

I'm not an expert but there's something that I have to disagree with...

Your logic of creating html code and comparing it to SSL certificate features is flawed.  For example...

Moving rule 70 to rule 5 is easy. Highlight rule 5 through rule 69 and move it down. Three mouse clicks and you're done!

If we were to use your logic, then we can safely assume that you don't know what you're doing and that most of your other comments are flawed as well.
-Paul




paulo.oliveira -> RE: WHY NOT TO BUY ISA SERVER. (30.Aug.2008 10:13:26 PM)

Hi,

I do not agree with some of your points either [:D]
quote:

No. 1 COMPLETE AND UTTER LACK OF SUPPORT FOR MORE THAN ONE INTERNAL SUBNET. (good luck expanding your IP Block.)

There's no problem about creating more than one ISA Internal Network. You can also create other types of networks: VPN site-to-site, External and perimeter.
quote:

No. 2. The logging feature is extremely limited. Any other packet sniffer, such as open source Ethereal, has a far more user friendly and detailed interface. The functionality of the logging feature in ISA is worthless if you have any quantity of traffic to view or categorize.

Of course the ISA logging feature doesn't beat a sniffer tool. This feature is just to help you see the traffic passing through ISA, not to see inside the packets.
You can install Microsoft Network Monitor to do it for you. [;)]
quote:

No. 3. If you have more than a few rules, you better label them alphabetically. There are no searching features for your rule set. Remember the server you wanted to modify rules for? Better take a short lunch so you can browse for it in the ISA rule list.

Agree with you there's no search tool.
quote:

No. 7. I couldn't find any SSL based VPN or ActiveX control that comes with ISA Server. I ended up using open source VPN software because ISA doesn't provide one, but maybe I was just spoiled into expecting a nice Graphical interface.

You're right, ISA doesn't have this feature. This will come with IAG (Intelligent Application Gateway).
quote:

No. 8 When you realize that you made a drastic mistake, you're not going to get your money back when you ebay your gently used, year 2006, low mile, ISA server licenses.

ISA has a 180-day trial; from my point of view this is enough time to test the product. [;)]

ISA is for sure one of the best firewalls on the market! It has had no security vulnerability since ISA 2004 and has amazing features.
I know we all have our favorites and mine for sure is ISA. [;)]

PS: I do not work for Microsoft [:(]. Just a happy sysadmin. [:D]

Regards,
Paulo Oliveira.




zuit -> RE: WHY NOT TO BUY ISA SERVER. (8.Sep.2008 2:20:44 PM)

quote:

ORIGINAL: ptlinva

I'm not an expert but there's something that I have to disagree with...

Your logic of creating html code and comparing it to SSL certificate features is flawed.  For example...

Moving rule 70 to rule 5 is easy. Highlight rule 5 through rule 69 and move it down. Three mouse clicks and you're done!

If we were to use your logic, then we can safely assume that you don't know what you're doing and that most of your other comments are flawed as well.
-Paul



Paul,
 
I can’t test the dragging and dropping of ISA rules to modify their priority because I ripped out all the ISA servers and replaced them with a packet filter that doesn’t cripple under DoS attacks, but I believe the ability to drag and drop rules. This, however, is the only thing you’ve corrected in my reasons not to buy ISA 2006.
 
Good luck selling ISA's problems with its ability to drag and drop rule priorities.

 
-Brian
 

P.S.
Your comment acknowledging the HTML code flaw and comparing it to an SSL certificate feature, while fleeting away to describe how I must be wrong about everything because I'm wrong about highlighting, has nothing to do with ISA's piss-poor design or HTML publishing flaws. ISA is truly a bad "enterprise" product and its ability to drag and drop doesn't mean I'm wrong, or that you should buy ISA. Please keep your arguments rational.




zuit -> RE: WHY NOT TO BUY ISA SERVER. (8.Sep.2008 2:54:08 PM)

It looks like you agree with the other reasons I claim you shouldn’t buy ISA, except for two. Let’s clarify your two comments.
 

I state:
No. 1 COMPLETE AND UTTER LACK OF SUPPORT FOR MORE THAN ONE INTERNAL SUBNET. (good luck expanding your IP Block.)

 
You state: "There's no problem about creating more then one ISA Internal Network." and you don’t know what you’re talking about. Let’s say you have ISA 2006 in a load balanced configuration, you have an external block of 1.1.1.x and an internal block of 192.168.1.x, 10.10.10.x, 10.10.1.x, and 172.16.0.x

 
You can't route all blocks through ISA without separate NIC cards for each subnet! Microsoft Windows Routing and Remote Access and Microsoft Network Load Balancing both support this configuration. However, ISA 2006 does not. ISA will kick out your configuration as soon as you configure it in the Windows routing table. The true nappy headed hoe of ISA comes out when you run external IP blocks, like you would in a production environment or data center. Now you've got a set of ISA servers with a million NIC cards in them, or you end up putting a router behind ISA.
 

In which case, if a router or other single point of failure has to be in front of ISA, and another behind ISA, just as well ditch ISA and use the routers. SAGE!!
 

Your lame response to my No. 2 argument of reasons why not to buy ISA is that I should just use a third-party packet sniffer that actually categorizes traffic and makes a congested network possible to dissect, such as the features in Wireshark or Ethereal. But I don't see if you're agreeing with me or disagreeing here.. I can't put 1 instance of Ethereal on two separate instances of ISA 2006 server with Network Load Balancing.
 

I would need to put separate instances on each server, as Network Load Balancing will permit the traffic to hit either ISA host, and basically nullify any attempt at clarity provided by the packet sniffing utility. ISA should do this natively.
 

I can respect your defense of ISA Server, and appreciate your support in the user forums. You’re obviously a big help around here with your 620+ posts. But, as far as your response is concerned, you couldn’t be more wrong if your name was Mr. Wrongin Wronger. Wrongenstien.
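The multi-subnet argument above turns on two ISA behaviours that neither side spells out: a subnet that arrives through a NIC must sit inside the address ranges of the ISA network bound to that NIC, otherwise ISA's spoof detection drops it, and the ISA host's own Windows routing table needs a route to every subnet that is not directly attached to that NIC. The script below is an added Python example, not ISA code and not supplied by any poster in this thread. The subnets, the 192.168.1.254 LAN router and the network names are constructed; ISA's External network is left implicit because that is how ISA defines it (everything not in another network), and CIDR stands in for the start/end ranges the ISA console takes.

```python
"""Network-behind-network planning for one internal ISA NIC.

Added example; not ISA Server code and not from any post in this thread.
It encodes two ISA 2004/2006 facts: a subnet reachable through a NIC must lie
inside the address ranges of the ISA network bound to that NIC (otherwise
ISA's spoof detection drops the traffic), and the Windows routing table must
carry a route to every subnet that is not directly attached to the NIC.
ISA's External network is implicit (every address not in another network), so
it is never listed. All addresses below are constructed; ISA's console takes
start/end ranges, CIDR is used here for brevity.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations


def owning_network(subnet, isa_networks):
    """Name of the ISA network whose ranges contain `subnet`, or None (= External)."""
    for name, ranges in isa_networks.items():
        if any(subnet.subnet_of(ip_network(r)) for r in ranges):
            return name
    return None


def plan_internal_routes(nic_subnet, internal_router, back_end_subnets, isa_networks):
    """Return {"routes": [route.exe commands], "errors": [config problems]}.

    nic_subnet       subnet attached to the internal NIC, e.g. "192.168.1.0/24"
    internal_router  LAN router on that subnet that fronts the other subnets
    back_end_subnets subnets behind the router that must pass through ISA
    isa_networks     {"Internal": [cidr, ...], "Perimeter": [...], ...}
    """
    nic = ip_network(nic_subnet)
    router = ip_address(internal_router)
    result = {"routes": [], "errors": []}

    # ISA rejects a configuration in which two networks' address ranges overlap.
    flat = [(name, ip_network(r)) for name, ranges in isa_networks.items() for r in ranges]
    for (n1, r1), (n2, r2) in combinations(flat, 2):
        if n1 != n2 and r1.overlaps(r2):
            result["errors"].append(f"ISA networks {n1!r} and {n2!r} overlap ({r1} vs {r2})")

    if router not in nic:
        result["errors"].append(f"router {router} is not on the internal NIC subnet {nic}")
        return result
    if owning_network(nic, isa_networks) != "Internal":
        result["errors"].append(f"NIC subnet {nic} is not inside the Internal network definition")

    for s in back_end_subnets:
        subnet = ip_network(s)
        owner = owning_network(subnet, isa_networks) or "External (implicit)"
        if owner != "Internal":
            # Packets from this subnet arrive on the internal NIC but belong to a
            # different ISA network: ISA raises a spoofing alert and drops them.
            result["errors"].append(
                f"{subnet} is reached through the internal NIC but is defined in ISA "
                f"network {owner!r}, not 'Internal'; spoof detection will drop it")
            continue
        if subnet.subnet_of(nic):
            continue  # directly attached, no static route needed
        # Persistent static route so the ISA host reaches the subnet via the LAN router.
        result["routes"].append(
            f"route -p add {subnet.network_address} mask {subnet.netmask} {router}")
    return result


if __name__ == "__main__":
    plan = plan_internal_routes(
        "192.168.1.0/24", "192.168.1.254",
        ["10.10.10.0/24", "10.10.1.0/24", "172.16.0.0/24"],
        {"Internal": ["192.168.1.0/24", "10.10.0.0/16"], "Perimeter": ["172.16.0.0/24"]},
    )
    print("\n".join(plan["routes"]))
    print("\n".join(plan["errors"]))
```

Run as-is it emits the two `route -p add` lines for the 10.10.x subnets and flags 172.16.0.0/24, which has been placed in a Perimeter network but is reached through the internal NIC. That mismatch, not the number of subnets, is what produces the rejected configuration and spoofing drops the thread is arguing about; the fix is either to fold the range into the Internal network definition or to give it its own NIC, which is exactly the "router behind ISA or more NICs" trade-off both sides describe.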





pwindell -> RE: WHY NOT TO BUY ISA SERVER. (8.Sep.2008 4:22:35 PM)

First, ...this is just a Troll, plain and simple, so I don't feel I have to show this post any more due respect than it is showing the rest of us here....  No sensible idiot would write something like this here for any productive reason,...heck even a regular idiot probably wouldn't.

quote:

No. 1 COMPLETE AND UTTER LACK OF SUPPORT FOR MORE THAN ONE INTERNAL SUBNET. (good luck expanding your IP Block.)


That is nonsense. I have three subnets plus 3 remote office subnets all running perfectly behind the ISA.

quote:

You can’t route all blocks through ISA without separate NIC cards for each subnet!


Yep! That's right. By design. It is no accident. You just ain't supposed to use it that way. Go buy a LAN Router.

quote:

 
No. 2. The logging feature is extremely limited. Any other packet sniffer, such as open source Ethereal, has a far more user friendly and detailed interface. The functionality of the logging feature in ISA is worthless if you have any quantity of traffic to view or categorize.  


It logs everything.  The Reporting features are what is limited.  There are third-party companies that stay in business writing products to handle the reporting.  MS would probably be sued for "monopolistic practices" after they put those companies out of business to give you what you want.

quote:

No. 3. If you have more than a few rules, you better label them alphabetically. There are no searching features for your rule set. Remember the server you wanted to modify rules for? Better take a short lunch so you can browse for it in the ISA rule list.


Nonsense. The order of the rules in the list is not for your personal convenience. The order they appear in is the order they are processed in,...which is the same with just about every other similar product right down to the ACLs on the old Cisco Routers.

If you plan and design your Rules sensibly you won't have as many, and you can still arrange the order in certain ways without messing up the rule processing.

quote:

No. 4. Modification of a rule priority is something you're assistant has to do. Want to move it from rule number 70, to rule number 5? Better get your assistant to click "Move rule up” 60+ times unless you're a masochist for carpal tunnel.


More nonsense.
First you wouldn't do it to begin with because it would change the rule processing order.
Secondly,...if you did need to do it you would "shift-click" Rule #6 through Rule #69 and click "down" ONCE.

quote:

No. 6. THE SERVER IS LIMITED TO 100MBPS EVEN IF YOUR HARDWARE SUPPORTS A HIGHER THOUGHPUT. Or, at least that's answer I got after spending $300 to open a Microsoft support case asking one question; "Can I achieve higher throughput than 100Mbps?” Answer: No.
 
 No. 6.1. The bandwidth graph reads 0-100Mbps, so even if you do figure it out.. You've got bugs.


So you have more than a 100mbps WAN connection to the Internet??? How much are you paying for that connection? If you have that much traffic and that fast of a line you should be running the Enterprise edition with an Array (100mbps x each Array member).

100mbps slow for a LAN Router? Fine,...it is a Firewall Product,...it is not meant to be a full featured LAN Router,..never was intended to be,...doesn't do Dynamic Routing Protocols either,...get over it,...go buy a LAN Router.

quote:

No. 7. I couldn't find any SSL based VPN or ActiveX control that comes with ISA Server. I ended up using open source VPN software because ISA doesn't provide one, but maybe I was just spoiled into expecting a nice Graphical interface.


Isn't supposed to have such,..was never intended to have such. That is part of IAG. Both IAG and ISA are part of the larger more comprehensive security suite called Forefront. You want all the goodies,...then go buy all the goodies.

quote:

In pen tests, I was able to chew through all of my multi-homed GigE ISA Server 2006's C2 Interrupts without disrupting my IP Phone or my bit torrent download of FreeBSD when attacking from my 20Mbps Home-office internet connection.


That is just a load of B.S.  Plain and simple.
20mbps "home connection"?,..yea right.

Chewed through your "multi-homed GigE ISA Server 2006's C2 Interrupts"??  Well, I guess you need to find somebody that knows how to setup your "multi-homed GigE ISA Server 2006's C2 Interrupts" properly next time.

Yea, I can get a little excited in some of my posts, I know, and this one is no exception obviously. So if anyone is offended, I apologise, but putting up with a Trolling Rant like this based on the person's inability to operate and configure the ISA correctly (and blaming everyone else for it) just makes me want to "slap the snot" out of somebody. [:D]

So,..... sorry...
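Two claims in the post above, that rule position is processing order and that a block move reorders rules in one step, are easiest to check with a small first-match evaluator. The following is an added Python example, not ISA code and not anything a poster supplied; the 70-rule policy, the 10.10.10.0/24 server subnet and the port 1433 deny rule are constructed, and "Default rule" stands for ISA's built-in final deny.

```python
"""First-match policy evaluation, the way ISA (and most firewalls) process rules.

Added example; not ISA Server code and not from any post above. The 70-rule
policy is constructed. `move_rule` reproduces the console trick from the
thread: pulling rule 70 up to slot 5 is the same permutation as selecting
rules 5 to 69 and moving them down once.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dports: frozenset      # destination ports; empty set means any port


def matches(rule, pkt):
    src_ok = rule.src == "any" or ip_address(pkt["src"]) in ip_network(rule.src)
    dst_ok = rule.dst == "any" or ip_address(pkt["dst"]) in ip_network(rule.dst)
    port_ok = not rule.dports or pkt["dport"] in rule.dports
    return src_ok and dst_ok and port_ok


def evaluate(policy, pkt):
    """(action, rule name, position) of the first rule that matches.
    If nothing matches, ISA's built-in last rule ("Default rule") denies."""
    for position, rule in enumerate(policy, start=1):
        if matches(rule, pkt):
            return rule.action, rule.name, position
    return "deny", "Default rule", len(policy) + 1


def move_rule(policy, name, new_position):
    """Return a copy of `policy` with rule `name` at 1-based `new_position`."""
    target = next(r for r in policy if r.name == name)
    rest = [r for r in policy if r.name != name]
    rest.insert(new_position - 1, target)
    return rest


def verdict_changes(before, after, packets):
    """Packets whose verdict differs between the two orderings."""
    return [p for p in packets if evaluate(before, p)[0] != evaluate(after, p)[0]]


def build_policy():
    """Constructed: 69 per-subnet allow rules, then a deny that was placed
    last by mistake and now has to move to position 5."""
    rules = [
        Rule(f"Allow 10.10.{k}.0/24 to servers", "allow",
             f"10.10.{k}.0/24", "10.10.10.0/24", frozenset())
        for k in range(1, 70)
    ]
    rules.append(Rule("Deny SQL from anywhere", "deny", "any", "10.10.10.0/24", frozenset({1433})))
    return rules


if __name__ == "__main__":
    policy = build_policy()
    sql_from_40 = {"src": "10.10.40.7", "dst": "10.10.10.5", "dport": 1433}
    sql_from_3 = {"src": "10.10.3.7", "dst": "10.10.10.5", "dport": 1433}
    moved = move_rule(policy, "Deny SQL from anywhere", 5)
    for pkt in (sql_from_40, sql_from_3):
        print(pkt["src"], evaluate(policy, pkt), "->", evaluate(moved, pkt))
```

The output shows the subtlety behind "you wouldn't do it because it would change the rule processing order": after the move, SQL traffic from 10.10.40.0/24 is denied at position 5 where it used to be allowed at position 40, while traffic from 10.10.3.0/24 is still allowed at position 3, because its allow rule sits above the new position. Running `verdict_changes` over a sample of real flows before committing a reorder is the check a practitioner wants.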




Jim Harrison -> RE: WHY NOT TO BUY ISA SERVER. (8.Sep.2008 4:39:29 PM)

Zuit

First, let's examine the motivation of posting to an ISA -focused group with all the hateful things the ISA product team did just to p155 you off (it took them awhile to identify them all, but it seems they succeeded); did you used to post to the isalist as "Med" in a previous life, perhaps?

Second, let's examine your inability to read the help and the plethora of articles, blogs and general "here's how" for ISA Server across the Internet. 

Third, we'll talk about your apparent inability to express your problems with nothing more than angry dissemination. 

Here's what probably happened;
1. you dumped ISA 2006 on a server and immediately set about trying to make it do things according to how you thought they should work based on an indeterminate amount of experience as a firewall administrator. 
2. not happy with the results, you called CSS with a random set of complaints, which they tried their best to answer.
3. not happy with the "it doesn't work that way" answers to your inane complaints, you decided to post here and provide giggle-fodder for the many users which use this web site.

We all thank you for your contribution to our collective "you wouldn't believe what one guy did..." stories collection...  If you ever feel like providing another public display of your "immense skillz", please feel free to post here any time.

Thanx!




pwindell -> RE: WHY NOT TO BUY ISA SERVER. (8.Sep.2008 4:58:15 PM)

Like ol' Marlin Perkins used to say on Wild Kingdom when the critter showed up:

"Get'eem Jim!"




zuit -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 5:44:45 AM)

 
Phillip Windell,

Looks like you don't address any of the issues ISA actually has, and try to make the attacks personal, instead of addressing or retorting to my statements about ISA's production worthiness.

I'm not new to ISA, nor have I ever posted under any other handle. I thoroughly read, strategized, and designed ISA to fit our environment. It dazzles with nifty publishing features, but does not fit the bill for an "enterprise" deployment.

All of our WAN networks are 100Mbps, and most drops are at 1Gbps; this isn't an uncommon production situation. We're not talking about LANs and DSL routers, we're talking about enterprise ISA 2006, with Load Balanced arrays, distributed across multiple sites and unable to fit the bill.

As one poster commented, "buy a LAN router." and I think it deserves a retort; "THEN WHY BUY ISA SERVER?"

Face it, I've named several reasons why your product sucks, none of which you've been able to argue with the exception of the drag & drop rule priorities. The product you're defending isn't capable of hanging with an enterprise need for security, stability, or flood prevention.

And just so your smart mouth is corrected, there is, indeed, a 20 megabit drop in my home from Cogent Co. My loft happens to be Cogent-lit, and I can upgrade to a 100Mbps burstable for pennies.. So if you're a petter puffer, just ask.. I'll send some fire your way and help you learn what I had to learn about ISA, the hard way.


Swallow your pride, retort the points, and stop blindly defending this product suited for home users.

-Zuit

P.S.
Phillip, do let me know when I can assist you in testing your flood mitigation settings. I’m sure you’ll find my testing most disheartening.
 




tshinder -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 8:58:30 AM)

Hi Zuit,
In the ISAserver.org spirit of good faith, I figured I'd try to answer your questions and comment on your findings. First, I have to disagree with you regarding Exchange 2007 -- I think its user interface sucks and that it's a steaming pile of offal :)  So, now that you know that I'm not a MS shill [:D], let's tackle your concerns.

No. 1 COMPLETE AND UTTER LACK OF SUPPORT FOR MORE THAN ONE INTERNAL SUBNET. (good luck expanding your IP Block.)
TOM: You can use all the internal subnets you like. There is no limitation on the number of network IDs you can put behind any ISA firewall NIC. However, you will need a gateway behind the ISA firewall to handle this, or take advantage of 802.1q VLAN tagging if you want to do this without putting a router behind the firewall.
 
No. 2. The logging feature is extremely limited. Any other packet sniffer, such as open source Ethereal, has a far more user friendly and detailed interface. The functionality of the logging feature in ISA is worthless if you have any quantity of traffic to view or categorize.  
TOM: I think the logging and diagnostics included with ISA 2006 SP1 is probably better than any other firewall on the market today. If you need a free packet sniffer to supplement the comprehensive logging, then check out NetMon 3.2, I think you'll be impressed.
 
No. 3. If you have more than a few rules, you better label them alphabetically. There are no searching features for your rule set. Remember the server you wanted to modify rules for? Better take a short lunch so you can browse for it in the ISA rule list.
TOM: Yes, rule searching has been a DCR for some time. Hopefully this is something that will be fixed in the future. I believe there are 3rd party plug ins that will allow you to do this.
 
No. 4. Modification of a rule priority is something you're assistant has to do. Want to move it from rule number 70, to rule number 5? Better get your assistant to click "Move rule up” 60+ times unless you're a masochist for carpal tunnel.
TOM: Another poster mentioned an easy workaround for this. I agree that there should be easier ways to do this, but I haven't had too many problems managing large rulesets in spite of this.
 
No. 5. So you like the idea of publishing reports? So do I. It's a shame the reports are coded incorrectly for publishing off server, and remove all the images markup tags. If Microsoft ISA Team can't figure out a basic  HTML markup tag like img src=”image.gif” are you really going to trust their SSL / PKI certificate manager?
TOM: Not sure what the report coding format has to do with SSL and PKI. Also, I'm not aware of the problem that you're talking about. But if it is a problem, let the ISA dev team know about it so they can get it fixed.
 
No. 6. THE SERVER IS LIMITED TO 100MBPS EVEN IF YOUR HARDWARE SUPPORTS A HIGHER THOUGHPUT. Or, at least that's answer I got after spending $300 to open a Microsoft support case asking one question; "Can I achieve higher throughput than 100Mbps?” Answer: No.
TOM: I don't know why they would say that. I know that the Web Proxy filter can go around 350Mbps, and the stateful packet inspection engine supports over 2Gbps.
  
 No. 6.1. The bandwidth graph reads 0-100Mbps, so even if you do figure it out.. You've got bugs.
TOM: Ha! I haven't seen the bandwidth graph work at all since ISA 2006 was released [:)]  If I need to know my network utilization, I just use PerfMon and look at that. I save that counter to my ISA Performance console.
 
No. 7. I couldn't find any SSL based VPN or ActiveX control that comes with ISA Server. I ended up using open source VPN software because ISA doesn't provide one, but maybe I was just spoiled into expecting a nice Graphical interface.
TOM: ISA doesn't have an SSL VPN. [:(]  The next version will likely support SSTP, but if you need a SSL VPN portal type solution, then IAG is the way to go.
 
No. 8 When you realize that you made a drastic mistake, you're not going to get your money back when you ebay your gently used, year 2006, low mile, ISA server licenses.
TOM: Certainly there is a way to redeploy your ISA firewall so that you can take advantage of it. Maybe it doesn't fit your network's requirements, but there is still simple outbound or inbound Web Proxy, or SMTP publishing using Thor's country based computer sets. Those alone make a tremendous difference in the amount of spam my spam filters have to handle.
 

P.S.
In pen tests, I was able to chew through all of my multi-homed GigE ISA Server 2006's C2 Interrupts without disrupting my IP Phone or my bit torrent download of FreeBSD when attacking from my 20Mbps Home-office internet connection.
TOM: Can you describe your Pen Test scenario? I'd like to replicate it and see if I find the same results.
Thanks!
Tom
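Whether ISA's logging is "worthless" or "logs everything" depends on what is done with the rows once they are on disk. The script below is an added Python example, not ISA code and not from any poster. It reads a constructed, tab-separated subset of the W3C firewall log layout (real ISA log files carry many more columns, so match the field names to your own `#Fields` line), tallies traffic per rule and action, and flags any client whose connection attempts in a single minute exceed a caller-supplied limit, which is the idea behind ISA 2006's flood mitigation setting "TCP connect requests per minute, per IP address". The limit value, the sample addresses and the rule names are assumptions for the demo.

```python
"""Per-client summary and flood check over ISA firewall log rows.

Added example; not ISA Server code and not from any post above. ISA 2004/2006
can write the firewall log as W3C text; the rows below are a constructed,
simplified, tab-separated subset of that layout (the real file carries many
more columns), so adapt the field names to your own #Fields header. The
per-minute limit plays the role of ISA 2006's flood-mitigation "TCP connect
requests per minute, per IP address" setting; the value passed in is the
caller's choice, not the product default.
"""
from collections import Counter, defaultdict

_FIELDS = ["date", "time", "client-ip", "dest-ip", "dest-port", "protocol", "action", "rule"]
_ROWS = [  # constructed sample: three allowed web hits, then a burst of denied SMB probes
    ("2008-09-08", "14:20:01", "10.10.40.7", "10.10.10.5", "80", "TCP", "Allow", "Allow Web"),
    ("2008-09-08", "14:20:07", "10.10.40.7", "10.10.10.5", "80", "TCP", "Allow", "Allow Web"),
    ("2008-09-08", "14:20:30", "10.10.3.7", "10.10.10.5", "443", "TCP", "Allow", "Allow Web"),
] + [
    ("2008-09-08", f"14:21:0{i}", "203.0.113.9", "198.51.100.10", "445", "TCP", "Denied", "Default rule")
    for i in range(6)
] + [
    ("2008-09-08", f"14:22:0{i}", "203.0.113.9", "198.51.100.10", "445", "TCP", "Denied", "Default rule")
    for i in range(2)
]
SAMPLE_LOG = "#Fields: " + "\t".join(_FIELDS) + "\n" + "".join("\t".join(r) + "\n" for r in _ROWS)


def parse_w3c(text):
    """Rows as dicts keyed by the names in the #Fields directive; other # lines are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def summarise_by_rule(records):
    """How much traffic each rule handled, split by action."""
    return Counter((r["rule"], r["action"]) for r in records)


def flood_suspects(records, limit_per_minute):
    """Client IPs whose connection attempts in any one minute exceed the limit,
    mapped to their busiest minute's count."""
    per_minute = defaultdict(Counter)
    for r in records:
        per_minute[r["client-ip"]][f"{r['date']} {r['time'][:5]}"] += 1
    peaks = {ip: max(minutes.values()) for ip, minutes in per_minute.items()}
    return {ip: n for ip, n in peaks.items() if n > limit_per_minute}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for (rule, action), n in summarise_by_rule(recs).items():
        print(f"{rule:14} {action:7} {n}")
    print(flood_suspects(recs, 5))
```

On the sample the summary shows three rows on "Allow Web" and eight on "Default rule", and with a limit of 5 the flood check names 203.0.113.9 with six attempts in minute 14:21. The same two functions run unchanged over the log of each array member, which is the practical answer to the complaint that a sniffer cannot follow traffic split across an NLB pair: correlate the firewall logs, not the wire.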




SteveMoffat -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 12:09:52 PM)

This guy is obviously a noob without any firewall experience. I was going to expand, but Tom beat me to it.

Definitely a candidate for maroon of the year......




justmee -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 3:00:18 PM)

Hi Brian,
Although Tom answered your findings, I would like to add a few words, without directly answering anything.
You have to decide yourself if you want to start a forward thinking discussion, or just to express your anger, or maybe just to amuse yourself[;)].
I do understand that you are nervous, since you had a frustrating experience with ISA (the first impression is the one people often relate to (natural human behavior), and hence they just try to "believe" it must be so, even if it may not be quite so), but I do not see how we would get somewhere, assuming you want to get somewhere.
Maybe ISA is not perfect; personally I do not know what firewall out there is, nor who said that ISA is perfect.
ISA has a baseline price, and some default features.
Other firewalls have other features that the default ISA does not have, but at different prices.
You can add those features to ISA through third-party add-ons, and evaluate the loaded version of ISA vs firewalls made by other vendors, in terms of price or whatever you would like.

You demand that people prove you wrong, but you did not prove anything after all; have you thought about that?
An angry affirmation may trigger an angry answer or a funny one, people amusing themselves about the situation; Christopher Columbus "discovered" America. What would you expect?
Just put yourself for a moment in the shoes of someone who's reading your original statements, and think how many of them are sustainable.
Maybe ISA is not "enterprise ready", but whose enterprise, what is the definition of this enterprise, apart from the "firewall giga throughput" (which is meaningless and just an old story, as it boils down to what exactly is filtered and how it is filtered, and only after that whether ISA can be a part of the equation) and the "internal expansion" feature (meaningless as well, as it lacks context: first you need to define the "internal network", which may vary across enterprise networks, then ISA's role, if any).
You did not give us a clue how ISA or Microsoft "cheated" you into buying ISA, what document or documents state that ISA does something or that it would fit into your scenario (unclear scenario too), and you found out that it does not do so, and Microsoft simply ignored you and your findings.
You say you did some pen tests, however no one knows what you did, because you did not say, except for some fancy words, so why should someone believe you? I've got 20+ Mbps at home too. If that's relevant, place it in the right context.
Yes, a lot of people keep answering that question regarding rules, and that is something interesting I would say; maybe it proves that it was something very easy to figure out....
Keeping that in mind, someone may presume that your other observations may be flawed too. This is natural behavior, as you claim you have documented and analyzed ISA in depth. So, obviously someone may wonder how you have missed something so basic.
Maybe some answers are flawed; the users here are not paid to answer your questions, so you would have to take them the way they are, good or bad, useful or not. Since you posted here, it is you who is directly looking for something, and not the ones that answer, as they may do that indirectly.
You've got a web site; you can document your findings carefully, post the links here, forward them to Microsoft, and post Microsoft's answers. But for someone to take you seriously, you need to put up the original documentation provided to Microsoft, the original questions and the original answers.
If you are correct, then there is nothing new or extraordinary, just another bad vendor, but people may find useful that info. If you are wrong, nothing new as well...

Now let's make a journey, let's see if Microsoft cheats you:
Evaluation, 180 days:
ISA 2006 Std or EE:
http://technet.microsoft.com/en-us/bb738392.aspx
Testing:
TMG Beta 1, yes you can stay with it right from the early phases:
http://technet.microsoft.com/en-us/evalcenter/cc339029.aspx
What that means: you do not have to pay anything, you do not have to enter any club, you do not have to be a VIP, in order to evaluate ISA or TMG. Just have a machine for testing. You can do that in a virtual lab. How many enterprise firewalls out there offer you these possibilities?

Documentation, just to link a few:
ISA's team blog:
http://blogs.technet.com/isablog/
ISA's Features at a glance:
http://www.microsoft.com/isaserver/prodinfo/features.mspx
ISA 2006 overview:
http://www.microsoft.com/isaserver/prodinfo/overview.mspx
Forefront Edge Security home:
http://technet.microsoft.com/en-us/forefront/edgesecurity/default.aspx
Technet ISA 2006 home:
http://technet.microsoft.com/en-us/library/bb898433.aspx
ISA Server 2006 Firewall Core:
http://download.microsoft.com/download/e/7/6/e76fdda3-5c2c-4fbb-9c6f-3bcd0ed4b8ef/Firewall_Corewp.doc
Forefront Edge Security and Access Demonstration Toolkit (you can jump right in, as things are pre-configured):
http://www.microsoft.com/downloads/details.aspx?FamilyId=EC908733-D480-46C1-BCBA-2B75219E2A28&displaylang=en
Virtual labs:
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb499665.aspx
Hands on labs:
http://www.microsoft.com/downloads/details.aspx?FamilyID=99b06797-a502-4768-86c1-e6d52f9c2d86&displaylang=en
ISA VHD:
http://www.microsoft.com/downloads/details.aspx?FamilyID=234c9dda-5452-4946-9e2f-d4b64082814e&DisplayLang=en
ISA best performance practice:
http://technet.microsoft.com/en-us/library/cc302518.aspx
ISA Capacity planner:
http://www.microsoft.com/isaserver/capacityplanner.swf
ISA, IAG remote access VPN:
http://www.microsoft.com/forefront/edgesecurity/sra.mspx
Evaluation Guide and Walkthroughs:
http://www.microsoft.com/isaserver/prodinfo/guide.mspx
Microsoft Forefront Security products, page 7 info about ISA:
http://www.microsoft.com/forefront/prodinfo/whitepaper/default.mspx
ISA webcasts:
http://www.microsoft.com/technet/isa/community/sharpen.mspx
ISA's SSL VPN functionality, what exactly ISA offers and what not:
http://technet.microsoft.com/en-us/library/cc512659.aspx
IAG FAQs:
http://www.microsoft.com/forefront/edgesecurity/iag/en/us/faq.aspx
VLANS and ISA:
http://blogs.technet.com/isablog/archive/2006/10/04/802.1Q-and-ISA-Server.aspx

Foreign resources:
For example, Tom's ISA 2006 book clearly says that ISA 2006 does not offer SSL VPN.
http://www.amazon.com/Shinders-Server-2006-Migration-Guide/dp/1597491993/ref=pd_bbs_sr_2?ie=UTF8&s=books&qid=1199461646&sr=8-2
For a couple of dollars you will have a full review of ISA.

www.isaserver.org, no presentation needed, as you are here.
http://www.isaserver.org/tutorials/Advanced-ISA-Firewall-Configuration-Network-Behind-Network-Scenarios.html
http://www.isaserver.org/articles/2004netinnet.html
http://blogs.isaserver.org/shinder/2006/10/02/isa-firewall-deployment-scenarios/
http://blogs.isaserver.org/shinder/2006/10/04/does-the-isa-firewall-support-vlan-tagging/
http://www.isaserver.org/articles/What-is-ISA-2006-Firewall.html
http://www.isaserver.org/articles/White-Paper-Why-ISA-2006-Better-Solution-than-ISA-2000-2004.html

ISA vendors' resources:
http://www.nappliance.com/support/faq/faq-isa-or-iag-or-both.asp
http://www.nappliance.com/products/ISA-IAG-DeploymentScenarios.asp
http://www.nappliance.com/products/nGatewaymISAE.asp

http://www.celestix.com/products/msa/scenarios.html
http://www.celestix.com/products/msa/faqs.html
http://www.celestix.com/products/wsa/faqs.html

What's new in ISA Server 2006, an old presentation, for example check the DoS features, what ISA 2006 has new over ISA 2004:
http://www.mshk.com/hk/technet/teched2006/ppt/Day_2/Session_3/SEC304_Steve_Riley.ppt

Performance numbers:
http://www.celestix.com/products/msa/comparison.html
http://www.nappliance.com/pdfs/Compare/NetGateway_mISAE_Compare_Product_Datasheet.pdf

ISA's certifications:
Common Criteria Guidance Documentation Addendum for ISA 2006:
http://download.microsoft.com/download/2/9/8/2989d83b-c8fa-4012-9046-6a4dd67515f7/CC_Guidance_%20Documentation_%20Addendum_for_ISA_2006.pdf

ICSA Labs, what they tested:
http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/ISA2004.pdf
quote:

During security testing the Network Security Lab team uses commercial, in-house-created, and freely available testing tools to attack and probe the Candidate Firewall Product. The Network Security Lab team uses these tools to attempt to defeat or circumvent the security policy enforced on the Candidate
Firewall Product. Additionally, using trivial Denial-of-Service and fragmentation attacks the Network Security Lab team attempts to overwhelm or bypass the Candidate Firewall Product.
Results
The Network Security Lab team confirmed that the ISA Server 2004 SP2 permitted the services in the Required Services Security Policy properly and that the configured services functioned correctly.
Furthermore, the product was not circumvented by the attacks launched inbound and outbound to and through the ISA Server 2004 SP2. Finally, the product was not defeated by trivial Denial-Of-Service and fragmentation attacks.


http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/ISA2006.pdf
quote:

Circumstances of Spot-Check
The ISA Server 2006 was selected for spot-check testing when Microsoft Corporation released Internet Security and Acceleration Server 2006 version 5.0.5721.240.

Successful spot-check testing of the ISA 2006 indicated that the product continued to meet all the criteria elements in the Baseline and Corporate modules and therefore has retained ICSA Labs Firewall Certification.

The Internet Security and Acceleration (ISA) Server 2006 was successfully tested against the following modules from version 4.1a of The Modular Firewall Certification Criteria:
• Baseline module,
http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/4.1/baseline.pdf
• Logging Update – version 4.1a,
http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/4.1/4.1a_logging.pdf
• Required Services Security Policy – Corporate Category module,
http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/4.1/corporate.pdf


ICSA Labs Firewall Testing - An In Depth Analysis
http://www.icsalabs.com/icsa/docs/html/communities/firewalls/pdf/fwwhitepaper.pdf
quote:

Trivial DoS Attacks. Denial of Service (DoS) attacks, both distributed (DDoS) and otherwise, are essentially attacks on resources. Well-planned and executed DDoS attacks that consume all available network bandwidth or all of a firewall product's resources have caused significant problems to public organizations in the not-so-distant past. There is little a firewall can do when the bandwidth is gone. Unlike many DDoS attacks, firewalls can protect against the class of "trivial" DoS attacks. We have been surprised by how effective older, trivial DoS attacks have been against the current generation of firewall products.
Years ago ICSA Labs relied more on the DoS attacks in vulnerability scanning tools like Nessus, CyberCop, ISS, etc. Over the past several years these tools are no longer the primary source for the DoS attacks used by the firewall testing team. Though we do continue to run the vulnerability scanners to provide additional testing assurance, today, the firewall testing team performs "hands-on” DoS testing. To do this we obtain or create the DoS source code. We then compile the code with any necessary modifications. Modifications help ensure that vendors address the root of what allowed a particular DoS to be successful, rather than engineering the product to be impervious to a specific form of the attack. These DoS attacks are then separately launched in all directions to and through the firewall.
When the testing team began conducting DoS attacks by hand, questions arose as to how we would determine a failure and how we would guarantee that network bandwidth consumption wasn't the cause of the failure. To avoid a criteria violation the testing team determined that during a DoS attack the firewall had to continue passing permitted traffic through the product in both directions, while enforcing the security policy and being administered from the primary administrative interface. Rate limiting the traffic from the attacking machine to 1.54 Mbit/s (the ideal, if not the actual rate one would get with a T1 connection) ensured that bandwidth utilization was not a factor.
ICSA Labs firewall testing of DoS attacks attempts to stress the resources on the firewall under test rather than stressing the network bandwidth. And even with our modest expectations, firewall products – large and small, market-established and new-to-market – struggle to defend against DoS attacks including synflood, jolt2 and others.


The moral of the cert docs is that ISA does what it says only when properly deployed and configured, in the correct place and environment.

Now, tell me how someone who has been through some of the above (and there are more of them), *without* having to *pay anything*, and who may claim to have well documented the deployment scenario and to know what features are needed, will still buy ISA and find out that ISA does not meet their requirements?
And, icing on the cake, they blame ISA or Microsoft for that.
Personally, I can't figure that out.
What counts more is that you do not have to trust anybody, as you had access to a trial version of ISA, thus no one can truly lie to you and cheat you into buying ISA. If they still managed to cheat you, then that's interesting, I would say....
Maybe, at the time you bought ISA, some of the above documents were not available; however, we are talking at this moment, thus they do count.
There are many web sites and blogs on the Internet, where people discuss various ISA deployment scenarios. And also certain limitations of ISA.

Now, if you are kind enough to provide the needed documentation or whatever is required to back up your findings, maybe some would be kind enough to read them...
Until then, it would be "some say so and you say otherwise", which is meaningless anyway, or just amusing for everybody except you and others like you (who had frustrating experiences with ISA), as you may feel a little better.... Or not, depending on what answers you will get in return[;)]....

Take care,
J




SteveMoffat -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 3:22:58 PM)

Excellent post.

S




pwindell -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 5:46:29 PM)

quote:

SteveMoffat
Date 9.Sep.2008 3:22:58 PM

Excellent post.


Agreed.




justmee -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 5:55:23 PM)

Thanks![:)]




paulo.oliveira -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 6:22:38 PM)

Hi J,

I think you made the point of most of the people here. Every piece of software has its limitations or project design behaviours. None of them have all-in-one features.

BTW, those links are excellent!

Regards,
Paulo Oliveira.




tshinder -> RE: WHY NOT TO BUY ISA SERVER. (9.Sep.2008 8:07:45 PM)

Hi Justmee,

Fantastic post!

I appreciate the hard work you put in to put that comprehensive list of resources together.

THANKS!

Tom




justmee -> RE: WHY NOT TO BUY ISA SERVER. (10.Sep.2008 11:29:41 AM)

Thanks guys![:)]
Most of those links were put up here before anyway. And there are more of them around here too.
What I think is amazing is the fact that, although it seems an impressive list of ISA docs or ISA-related docs, the above links are just a part of the overall ISA stuff available.
This is a true sign that ISA has gone a long way and, whether some people like it or not, is here to stay as a firewall, whether they call it ISA or TMG.




Spiky -> RE: WHY NOT TO BUY ISA SERVER. (10.Sep.2008 1:51:12 PM)

Justmee

Awesome Post ! The documents provided are a great resource [:)]

I had been following this topic for a few days now and enjoyed the debate so far !
While I loved Tom's and Phillip's posts, Jim's post was a killer !!

Way to go !

Spiky




Jim Harrison -> RE: WHY NOT TO BUY ISA SERVER. (23.Sep.2008 7:50:55 PM)

wow..
..just...
wow...

I'm greatly impressed - that's an incredible amount of research you gathered to provide a world-class smackdown; and down didst thou smack! 



