Welcome to ISAserver.org
Roll up link for Blog posts up to 10-28-2005
All Forums >> [ISA Server 2004 Misc.] >> Tom's ISA Firewall Blog Discussion >> Roll up link for Blog posts up to 10-28-2005 Page: [1]
Roll up link for Blog posts up to 10-28-2005 - 24.Oct.2005 4:59:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Use this thread to talk about blog posts dated from 10/24 to 10/28/2005

Thanks!
Tom
Post #: 1
RE: Roll up link for Blog posts up to 10-28-2005 - 24.Oct.2005 3:30:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

I think that the info you provided in your blog http://spaces.msn.com/members/drisa/Blog/cns!1p9yz6owxXl-uIlyqIZXkCrg!257.entry concerning Firewall Client Whacks Active (PORT) Mode FTP Connections through the ISA Firewall is somewhat outdated. As far as I know, the fix mentioned in KB 884580 was already included in ISA 2004 SP1 ( http://download.microsoft.com/download/3/0/2/30242226-ac76-4a91-b854-6cc3c12a1d28/readme.htm ).

However, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=002693 if you want to learn about a new FTP bug I found with ISA 2004 SP1. According to my info it sounds to be a rule engine bug! There is no fix yet, but there are some possible workarounds. [Wink]

HTH,
Stefaan

[ October 24, 2005, 03:37 PM: Message edited by: spouseele ]

(in reply to tshinder)
Post #: 2
RE: Roll up link for Blog posts up to 10-28-2005 - 24.Oct.2005 11:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Ha! You are right! The KB article has a date of Sept 29 2005, so I thought this was new information.

I need to update the blog to reflect this.

Thanks for the heads up on the new FTP bug!

Tom

(in reply to tshinder)
Post #: 3
RE: Roll up link for Blog posts up to 10-28-2005 - 25.Oct.2005 12:24:00 AM   
ababinchak

 

Posts: 195
Joined: 16.Aug.2005
From: Michigan
Status: offline
Tom,

You're right on about Jesper Johansson. I was CC'd in on the flurry of messages that went back and forth about his installation of ISA on SBS. Somehow he managed to avoid lambasting me. I was the useless one, that couldn't figure out from his emails exactly what it was he was trying to do. Have a laptop in the house, not be part of the domain and then have it VPN in and edit a website using Frontpage? Oh and he wants ISA to only allow non-local admins Internet access. Huh? At one point, I just said I'm lost.

No small business in its right mind would ever attempt to configure a network like that. I hope his comments don't get far.

(in reply to tshinder)
Post #: 4
RE: Roll up link for Blog posts up to 10-28-2005 - 25.Oct.2005 12:30:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Amy,

Wow. The situation sounds even more egregious from a network security perspective than I even imagined. But I have to say that I'm not entirely surprised. I've seen his demonstrations of some sort of SQL attack, and the entire configuration was based on misconfigured, poorly configured, or absent network firewalls. I think I saw this presentation at last year's MVP security conference and mentioned it to the other ISA MVPs, and they agreed that in order to accept the demo, you had to suspend disbelief.

It was surprising, because I'm sure there are exploits that can get past a correctly configured ISA firewall -- but then the presenter would have to understand the company's own network security product in order to:

1. Demonstrate the exploit in a competently configured firewall environment

2. And more importantly, demonstrate how a MS network security firewall product can stop these exploits with proper configuration.

Thanks!
Tom

[ October 25, 2005, 12:31 AM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 5
RE: Roll up link for Blog posts up to 10-28-2005 - 25.Oct.2005 5:57:00 AM   
Guest
Tom, I am very puzzled by this rant. First, I completely agree with your not-definition of a firewall. No argument there. Second, "firewall configuration by cartoon" is (a) not a denigration but rather a compliment at reducing a very complex problem to a simple starting configuration, and (b) an attempt to add a little levity to an otherwise dry topic. If you missed the joke, sorry. I certainly did not mean to imply that was all you ever needed to do to configure your firewall was click the right picture and be done with it.

The thing that puzzles me the most though is that you think I am denigrating a Microsoft product. I am not clear why you think so. I was simply trying to point out how to address a couple of things that I found were causing me problems, and may affect others as well, in addition to providing a very useful security feature - to block local administrators from surfing the web. That is something that ISA has the ability to do, and can do really well. I am well aware of ISA's problems in the market place and I thought that pointing out something very useful that you can do with it would be helpful, not hurtful, especially if I told people how to make it work.

I fail to see how that is denigrating the products. However, your statement that ISA on SBS is a compromise by definition is a denigration of SBS Premium, which is actually what I used, but of course, you are free to make a statement like that.

As for why TechRepublic highlighted this post (which was made in my blog at MS) is a puzzle to me. I don't control them.

(in reply to tshinder)
  Post #: 6
RE: Roll up link for Blog posts up to 10-28-2005 - 25.Oct.2005 11:01:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jesper,

Good that we agree on a non-definition of a firewall. Starting from a place of agreement is the best point of departure.

I didn't get the joke. It's hard to get the joke when it seems like the product struggles for recognition not only in the marketplace, but also internally and across many different product groups. So, when what appear to be belittling statements about the product are made, in public, it makes it harder to fight against the supernaturalisms who have an almost religious fervor in their trust and belief in "hardware firewall" security.

OK, you had a somewhat unusual security requirement, since the ISA firewall doesn't really care about local admins, unless you've mirrored those user accounts on the ISA firewall. I'm not really sure what it was you were trying to accomplish, but that doesn't matter in the context of this conversation. What matters is the title of the post and how it reflects on the product "how to stop all useful traffic". Combine that with "cartoon interface" and it sounds more like a requiem for a dead product rather than "hey, here's an unusual set of network use requirements and here's what I did that did work and didn't work"

SBS is a security compromise by definition:
"Something accepted rather than wanted."
"something that somebody accepts because what was wanted is unattainable"

I wasn't trying to be funny or denigrating -- you're making a compromise by using SBS rather than a full, industry standard deployment of the services. I think you're misinterpreting the meaning of compromise and thinking of it in the context of exploit, rather than the more common usage of the word compromise.

Finally, please understand the context of my response. For the last five years I've been a very active member of the ISA firewall community and have had the opportunity to meet many people from the ISA Server PG. They are really great people and they really don't understand why folks externally and INTERNALLY don't "get it" when it comes to the ISA firewall. If they would get it, if they would recognize it as a great platform to help create application layer filters to help provide secure access to their own PGs technologies, the product could earn the moniker of MS's flagship security product.

But this isn't happening, and blog posts from MS employees, who travel the world to promote the MS security story to legions of current and potential MS sec acolytes, don't help ISA get traction internally or externally.

In addition, we've had to deal with the "open a port", "create a pinhole", "NAT devices are firewalls", "hardware firewalls are more secure" ninnies every day, for over five years. Even worse, we have to deal with the corollary belief that firewalls are "easy network access devices", when the truth is they are designed to make network access as difficult as possible for the uninitiated.

I don't know why TechRepublic did what they did either. It could be entirely automated, but I think they do give preference to MS employee posts because they're interpreted to be more oracular, regardless of the original intention of the author.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Roll up link for Blog posts up to 10-28-2005 - 25.Oct.2005 4:37:00 PM   
sbsguru

 

Posts: 1
Joined: 25.Oct.2005
Status: offline
Come on Tom - please STOP denigrating SBS yourself. Sure Security is a compromise, but do you have to go about slamming the product as if it should never have shipped? If we all subscribe to your way of thinking then Small Business Owners would NEVER have gotten out of the stone age. They would NEVER have put in place something like SBS. Rumour has it that SBS is one of the key ways ISA is getting out there into the public face...

I took Jesper's post and comments about Cartoons as a joke - surely most people got the joke.

Lay off it Tom - you're losing the respect of the SBS community en masse!

(in reply to tshinder)
Post #: 8
RE: Roll up link for Blog posts up to 10-28-2005 - 25.Oct.2005 4:59:00 PM   
Guest
It seems that as all this goes on, out here in the real world, real businesses are doing real business every day with SBS Premium.

That's how a product gets traction.

Nothing that is said or done in the confines of a narrowly focused ISA - based view of the world will change that ;-).

Les Connor [SBS MVP]

(in reply to tshinder)
  Post #: 9
RE: Roll up link for Blog posts up to 10-28-2005 - 25.Oct.2005 11:28:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by sbsguru:
Come on Tom - please STOP denigrating SBS yourself. Sure Security is a compromise, but do you have to go about slamming the product as if it should never have shipped? If we all subscribe to your way of thinking then Small Business Owners would NEVER have gotten out of the stone age. They would NEVER have put in place something like SBS. Rumour has it that SBS is one of the key ways ISA is getting out there into the public face...

I took Jesper's post and comments about Cartoons as a joke - surely most people got the joke.

Lay off it Tom - you're losing the respect of the SBS community en masse!

Hi SBSguru,

I think I'm going to return to my previous denial of the existence of SBS. Just about every time I get involved with that product, all I get is pain in return. I'll leave the current SBS articles up on the site that I've already done, but the rest of the series might end up in a book or in the round file. We'll leave the SBS forums up on the site, because they serve a larger community, but I won't get involved with them. If someone from the SBS MVP community *ever* chooses to contribute an article to the site, we'll be glad to post those too. But I'm outta this game.

I appreciate your post though, because it did put me over an edge that I'd been walking on for a while now, but wasn't sure if it was the right thing to do.

Tom

[ October 25, 2005, 11:37 PM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 10
RE: Roll up link for Blog posts up to 10-28-2005 - 26.Oct.2005 10:25:00 AM   
ababinchak

 

Posts: 195
Joined: 16.Aug.2005
From: Michigan
Status: offline
Well now, isn't this a turn of events. I really don't understand why you folks are so defensive when it comes to SBS. The days when you had to justify your existence are gone; SBS RULES THE WORLD! (almost) Isn't that validation enough? The implementation of ISA on SBS could be tighter; if you don't know that then you don't know much about ISA. Tom can be a great asset to this community if you'll just keep your tempers in check.

What are you guys going to do about it? Where are your articles? Les, where are your posts to the SBS ISA board? I get emails almost every day from SBSers on Tom's mailing list looking for ISA SBS help. If you want to do something productive then this is the place. If you want to do something destructive, keep it on Yahoo.

(in reply to tshinder)
Post #: 11
RE: Roll up link for Blog posts up to 10-28-2005 - 26.Oct.2005 12:04:00 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
Nice going, folks.

You've just managed to shitcan the single best ISA-knowledgeable, non-MS wordsmith from the SBS field.

First, let's drop the denigration garbage; opinions are like a$$holes; everyone has one and they all stink. 'nuff said...

Second, anyone who believes that SBS is anything *but* a compromise in security for the benefit of functionality is simply ignoring basic facts.

Third, The fact that SBS PE combines the firewall with the core domain services *in no way* justifies Joe User attempting the same feat. The SBS team literally spends years defining their own Windows build and tweaking the whole package (not to mention wizarding it to ^death^) to produce the best **compromise** between functionality and security.

In short (too late), get off it. SBS is great for the target it serves and *that's all*.

..and now we return you to your regularly scheduled denial.

(in reply to tshinder)
Post #: 12
RE: Roll up link for Blog posts up to 10-28-2005 - 27.Oct.2005 11:40:00 PM   
Guest
It's really a matter of perspective, I guess.

I've been an end user of SBS in a non-IT related business for a while. I like what it provides, and it's very good for my business.

I've also been managing SBS networks in other peoples' businesses for a few years. They too like what SBS provides, and it's good for their businesses.

I don't focus on ISA. If it's there, I make use of it in the SBS context. If it's not there, that's fine too.

The networks aren't crashing or burning, with or without ISA.

I guess the point I'm trying to make is that I view ISA through the eyes of SBS. If you're an ISA guru, perhaps you view SBS through the eyes of ISA. The ISA folks don't seem to like their view - the SBS folks don't mind theirs. But when the ISA folks say SBS is trash because ISA can't be implemented in *such and such a way*, then that's a case of the tail wagging the dog so far as some SBS persons are concerned. So some kind of reaction might be expected.

I don't dislike ISA. I don't denigrate the folks or the product. I see no reason why ISA folks feel they should denigrate SBS, or those of us who use and support it. And it really doesn't bother me much, as SBS is still good for my business :-).

Les Connor [SBS MVP]

(in reply to tshinder)
  Post #: 13
RE: Roll up link for Blog posts up to 10-28-2005 - 28.Oct.2005 8:19:00 AM   
Guest
quote:
Les, where are your posts to the SBS ISA board?
Les is too modest to say this, but I will-> You can tell them to go over the MS newsgroups where he has more than 1500+ on ISA alone...

Google Search for Les + ISA on MS NGs

(in reply to tshinder)
  Post #: 14
RE: Roll up link for Blog posts up to 10-28-2005 - 28.Oct.2005 10:19:00 AM   
Guest
Unfortunately, there are only so many forums one can reasonably get to. My choice is to focus on the MS public SBS2k3 newsgroup. Others elect to focus elsewhere, and that's great - there are lots of great forums, this one included.

As I mentioned, I don't focus on ISA at all. I focus on SBS, and sometimes ISA is part of that environment. So I think it's best I just stick to my knitting.

I hope after everyone chills out a bit, we can put things back in perspective.

SBS is a compromise. What isn't? SBS is better with ISA than it is without. ISA is better off the SBS box. I think we can all accept this.

But given that ISA is on the SBS box, let's work within the design constraints that are handed to us all, and do the best we can.

Les Connor [SBS MVP]

(in reply to tshinder)
  Post #: 15
RE: Roll up link for Blog posts up to 10-28-2005 - 1.Nov.2005 11:18:00 PM   
TDanner3

 

Posts: 5
Joined: 30.Jun.2005
Status: offline
Hello To All
I have been waiting for the rest of Dr. Tom's trek through SBS 2003 SP1. And now you people have turned him off of it! You know my grandmother had a saying that if you could not say anything good about someone then shut up! Well, if you can not say something good about Dr. Tom's way of doing things then just shut up and go away! There are some of us out here that want to hear what he has to say!

please Dr. Tom finish your trek through SBS 2003 SP1 we will be waiting with open minds!

Thank you
Thomas

(in reply to tshinder)
Post #: 16
RE: Roll up link for Blog posts up to 10-28-2005 - 4.Nov.2005 1:27:00 AM   
Guest
If you want real world SBS and ISA guidance I'd recommend Amy Babinchek's blog and her upcoming chapters on ISA in SBS Unleashed.

She supports ISA on SBS in the real world with real clients.

Your grandmother could also say that people who buy SBS choose it and are quite safe and secure on it.

(in reply to tshinder)
  Post #: 17
RE: Roll up link for Blog posts up to 10-28-2005 - 4.Nov.2005 1:34:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, I highly recommend Amy's work. She comes from an enterprise networking and admin background and her perspective closely mirrors mine. You'll get a lot of insight from her work.

I'm looking forward to reading her chapters!

Tom

(in reply to tshinder)
Post #: 18