Network Security Firewalls

RE: ISA 2004 - professional opinion

Subject: RE: ISA 2004 - professional opinion
Date: Tue, 31 May 2005 07:34:10 -0400
Greets all,

Thought I would chime in on this.

On Thu, 2005-05-26 at 18:46, Bryan Bain wrote:

On what do you base this opinion?  As a firewall, ISA 2004 is exceptional.

Please review the Bugtraq archive and reference the dozen plus
vulnerabilities listed for the product. You'll notice two reoccurring
themes:
1) Poor bounds checking
2) Poor data scrubbing

Not exactly what I would refer to as "exceptional", especially given the
limited deployment of the product. Granted some of the exploits are
based on ISA 2000, but you are talking the same code base. I'm guessing
that if ISA ever saw the market share of a FW-1 or PIX <shudder> these
numbers would be much higher. From what I've seen it's barely a blip on
the radar.

* Multi-layer firewall protection with packet, circuit and application level 
filtering with deep content inspection.

In other words, it's a proxy. This means it has open ports exposed to the
Internet which permit people to interact with code running on the box.
There is zero sandboxing or code isolation as there is in similar
products (IMHO Sidewinder is an excellent example of how to do this
right), so the threat to the firewall itself is high. If the firewall is
compromised then all bets are off.

* High performance Web proxy and caching for fast, secure Internet access 

I'm sorry but this sounds like it was yanked from the marketing
material. Pull stats on an outbound proxy and you will see that a ton of
sites now set the no cache option due to load balancing, scrolling
banner ads, and other similar "features". This means that the
performance benefits of an outbound proxy have greatly diminished over
the years. 5 years ago you would see a performance boost; today, from
what I've seen in the field they actually slow down the "typical"
Internet link. 

* Integrated firewall/VPN that offers a higher level of security than a 
standalone RAS VPN,

So your claim is that terminating the VPN on the firewall is safer than
running a secondary termination point? I would greatly appreciate it if
you could publish the stats to back up this claim as everything I've
seen in the field indicates otherwise. 

If everything is on one box, then whacking that box compromises the
entire perimeter. If they are separate, you get some strong defense
in-depth benefits like not needing to open listening ports on the
primary firewall, monitoring traffic both in and out of the VPN gateway
from a separate box, and the list goes on.

* Firewall-level spam control with deep content inspection, along with IP, 
domain, and keyword filtering and attachment blocking

This is fine for tiny sites but probably a bad idea for the typical
organization. If you later decide to change firewall products, you are
also migrating to a new AV/spam/etc. solution as well since
implementations are not functional across multiple firewall products.
You are better off with a dedicated gateway.

* Integration with Windows® Active Directory® services also enables 
administrators to apply user-level policy and authentication

This is a bad idea when it comes to VPNs. Consider what you have just
done. Prior to installing the VPN one of your defense in-depth layers
was the physical security of your facility. Even if you have insecure
wireless APs, your physical location provides some level of security as
an attacker has to be near you to perform an attack.

If you integrate VPN authentication with your single sign-on solution,
you have just made the statement "I trust the physical security of the
entire Internet as much as I trust the physical security of my
facility". In other words, you have removed the physical security
component as a defense in-depth layer and have not replaced it with
anything. Just because a feature exists, that does not mean it's a good
idea to use it.

This ease of use makes ISA 2004 an ideal solution for helping to secure 
Windows Server(tm) 2003 networks. 

First, "ease of use" and "secure" are two entirely different things.
Also, the above statement makes it sound like you feel a single firewall
product is a good fit for any environment that meets but a single
criterion (running Win2003). It's been my experience that every
environment is different and therefore has a different set of
requirements. One size does not fit all. This is one of the reasons we
are blessed with a pretty diverse firewall market.

* Advanced inspection at the application protocol layer allows ISA to inspect 
the proprietary RPC interfaces used by Microsoft applications.

Humm, so you think passing a proprietary application across a firewall
is actually a good thing????

To illustrate the value of this unique capability, ISA 2004's ability to 
enforce RPC security policy empowers an organization to take full advantage 
of Exchange productivity features without fear of a rogue RPC exploit 
compromising the messaging infrastructure.

This assumes proper bounds checking has been performed. See my first
comment. ;-) 

Consider your logic here. You are claiming that this is secure because
the company that wrote the application also wrote the firewall. If they
had the Kung Fu to do that, then why didn't they just write RPC to be
secure in the first place? If your logic was correct there would be no
need to proxy the application because it would already be secure.

ISA 2004 is a much better product than was ISA 2000.  It is not just for 
proxy-server any longer.

ISA 2004 is still just a tool. No more, no less. Yes it has things that
it is good at (outbound authentication of a Windows environment,
internal firewall when the threat level is low, just to name a few). I'm
certainly not saying that the product does not have its merits. You need
to think long and hard however before exposing it to direct Internet
access. The architecture design is less than optimal and the product
does not exactly have the best track history.

HTH,
Chris
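Chris's point above about sites setting no-cache, as an added example that is not part of the thread: a small Python classifier that applies shared-cache rules (Cache-Control, Pragma, Expires) to constructed response headers and reports the fraction of bytes a caching web proxy could ever serve again. Treating a response with no explicit freshness information as not reusable is an assumption (a conservative one), and the sample responses and byte counts are constructed.

```python
"""Added example (not from the thread): classify proxied HTTP responses the way
a shared caching proxy must, to see how much traffic a proxy cache can really serve."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

UNCACHEABLE = {"no-store", "no-cache", "private"}  # forbid shared-cache reuse

def parse_cache_control(value):
    """'max-age=0, private' -> {'max-age': '0', 'private': None}"""
    out = {}
    for part in value.lower().split(","):
        k, _, v = part.strip().partition("=")
        if k:
            out[k] = v.strip().strip('"') if v else None
    return out

def is_cacheable(headers, now=None):
    """True if a shared cache may store and later reuse this response (assumption: no freshness info = not reusable)."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if UNCACHEABLE & cc.keys():
        return False
    if "s-maxage" in cc or "max-age" in cc:          # explicit TTL wins
        ttl = cc.get("s-maxage") or cc.get("max-age") or ""
        return ttl.isdigit() and int(ttl) > 0
    if h.get("pragma", "").lower() == "no-cache":
        return False
    if "expires" in h:                                # legacy freshness
        try:
            return parsedate_to_datetime(h["expires"]) > now
        except (TypeError, ValueError):
            return False                              # malformed = stale
    return False

def cacheable_byte_share(responses, now=None):
    """Fraction of bytes a shared cache could serve on a repeat request."""
    total = sum(r["bytes"] for r in responses)
    hit = sum(r["bytes"] for r in responses if is_cacheable(r["headers"], now))
    return hit / total if total else 0.0

# Constructed sample, as a proxy log might summarise one page load.
SAMPLE = [
    {"bytes": 40000, "headers": {"Cache-Control": "private, max-age=0, no-cache"}},
    {"bytes": 12000, "headers": {"Cache-Control": "no-store"}},        # banner ad
    {"bytes": 8000,  "headers": {"Cache-Control": "public, max-age=86400"}},
    {"bytes": 30000, "headers": {"Pragma": "no-cache"}},
    {"bytes": 10000, "headers": {"Expires": "Fri, 01 Jan 2100 00:00:00 GMT"}},
]
```

Run `cacheable_byte_share(SAMPLE)` to get the share for the constructed page load (18%); pointing the same function at headers pulled from a real outbound proxy log gives the number Chris suggests measuring.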

