Bingo! Yes, I agree wholeheartedly. My wife, Debi Shinder is doing a comprehensive report (over 100 pages!) comparing ISA 2004 with so-called "hardware" firewalls and ISA 2004 is doing very well and exceeding the features and capabilities of all of them in the same price range. Really nice!
I do remember you. Hope you got the Nortel VPN client issue solved
Hi Dr. Shinder,
I am probably the newest member to this forum, but not so new to your books however. Much gratitude to you and your wife for sharing that knowledge.
Currently, I am very interested in ISA Server 2004's "deep inspection" stateful packet filtering abilities on the application layer. Can ISA Server handle the heavy stuff like Cross-Site Scripting, SQL injection, or Cryptographic Interception (forcing all traffic to be SSL encrypted) and the like?
I would be very greatful to any resource you or anyone can provide regarding ISA Server's ability to handle some of these issues...whether natively or via custom plugins.
Yes, ISA can prevent scumbags from hiding exploits within a tunnel because of its SSL to SSL bridging feature. This allows the ISA firewall's HTTP security filter to examine the contents of the SSL communication using SSL terminaion at the firewall and then initiation of a new SSL connection to the Web server. Cross site scripting is no brainer for ISA firewalls, won't happen!
SQL injection is very difficult to protect against because of the nature of the attack. I'm not aware of any firewall that can really protect against it, its more of a db design issue.
You bet! I'm seeing a ton of PIX and Sonicwall shops switching over to the ISA firewall. They realize that stateful packet inspection-only fireawlls just can't provide real security and I will fail them in my HIPAA compliance audits if they just use PIX.