Looking for opinions, but do you think with ISA 2004, MS will actually be considered a "player" in the firewall market? Will ISA certification mean anything? From my experience, most FW consulting firms still shy away from ISA because of the obvious security flaws in the base OS.
I think ISA 2004 will make a big difference, esp. with some upcoming system hardening features that you'll learn about in the near future.
Personally, I think wasting money on Checkpoint will be seen as a bad move in the future, and hardware firewalls with off-box application layer filtering are at a real disadvantage because of the additional cost overhead. ISA 2004 will end up as secure as any hardware or software firewall at the same price point. Businesses that have existing MS networks will really benefit from ISA 2004 and do themselves a disservice by ignoring it!
Just wanted to add this: in 2002-2003 there were almost 50% fewer security fixes for Windows XP (not Windows 2003 of course :) that's even less) than for any other software (SuSE, Red Hat, Unix...).
And another thing: as a former Checkpoint fan I still think their software is no. 1, but overall, according to estimates, ISA 2004 will "catch" 20% or more market share as a firewall in the next 2 years (that's a lot); with ISA 2000 it was 10%. And by the way, Checkpoint products run on Windows NT 4.0/2000/2003 and according to them need no more configuration to make it secure, I mean besides installing the software (what most security experts do to the OS is not needed). One more thing :) more than 50% of all firewalls installed (no matter what product they are) suffer from a lack of security caused by misconfiguration.
I get a little perturbed when I hear people use the term "hardware firewall" when describing devices like the Cisco PIX line etc. These devices are running an OS (IOS) on a box with multiple interfaces just like ISA does. I realize that they use more proprietary hardware that allows some of the functions to be done at lower levels, but they are hardly hardware firewalls. I don't mean to correct anybody here, I'm just venting in a general direction.
Thanks for listening.
By the way, I've been reading this site for ages just don't post much. Tom, I met you in Dallas at TechEd 2003. I was the Engineer running the CommNet network.
Bingo! Yes, I agree wholeheartedly. My wife, Debi Shinder is doing a comprehensive report (over 100 pages!) comparing ISA 2004 with so-called "hardware" firewalls and ISA 2004 is doing very well and exceeding the features and capabilities of all of them in the same price range. Really nice!
I do remember you. Hope you got the Nortel VPN client issue solved.
RE: Certification ISA 2004 - 9.Mar.2004 1:38:00 AM
I've just got to disagree with what RandyM said about people comparing ISA to "hardware firewalls" like the Cisco PIX. The Cisco PIX IS a hardware firewall. Yes, it may have an OS (how else would you configure it?), but how does that stop it from being a hardware firewall? ISA is a software firewall because it's installed... on a host OS. The PIX is a computer that's a firewall. I guess by your definition, anything that has a UI must be software based?
(Not picking a fight, just curious as to what you mean...)
This is a good discussion. I think the problem is that people consider any ASIC based firewall to be somehow inherently more secure than non-ASIC firewalls. The fact is that this is not true. In the past, the ASIC firewalls were faster than the non-ASIC firewalls, but with Pentium processors moving at 3+GHz, and multiprocessor systems with 3+GHz processors in them with encryption offload cards, the architectural limitations of ASIC (hardware) firewalls are now even more significant. That's why the flexibility and performance you see in a non-ASIC firewall like ISA is so important today for those of us who need to respond quickly to modern attacks. PIX just doesn't cut it anymore because it's locked into an aging and increasingly rigid architecture.
I believe many people like "hardware" based firewalls because the software is embedded into firmware, allowing for greater speed. I disagree with that. ISA offers great performance and scalability, and its cost per MB leaves all other firewalls in the dust. A firewall is only as good as it is configured.
Yes, and they think this makes it more secure or stable. Both of those assumptions are being strongly challenged these days. Even embedding relatively simple functions such as encryption algorithms into the ASIC is losing its value as Intel builds the same into their own core processors. I suspect "hardware" firewalls and the ASIC fans are going to find themselves in hard times in the next few years, as the development cost for creating new ASICs is prohibitive and ALF "blades" are a limited kludge at best.