Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ISA Server or Firewall Appliance?

from [Abe Getchell] Network Security [Permanent Link]
Subject: Re: ISA Server or Firewall Appliance?
Date: Wed, 16 Nov 2005 12:37:01 -0500 
Susan,

ISA is a very flexible piece of software, as mentioned previously in this conversation. In technology, flexibility usually implies complexity. In this case, that implication is very true, as both ISA and Windows are extremely complex pieces of software. Complexity is not something you want in a firewall, under any circumstances, but especially not on the perimeter (given a "buffer" which usually exists in regards to an internal firewall). Complexity means more moving parts, more things to break, more things to misconfigure, more things to manage... With an appliance (or appliance-like) solution, the vast majority of that complexity doesn't exist. This theory is a simple "best practice" which many organizations follow, or should, if they don't.

Another problem I have, personally, with ISA is the fact that it's (usually) tied into the same directory which an organization uses to manage the rest of their business systems. This functionality should be completely separate in theory (in accordance with "best practices" as well as what Microsoft has stated in numerous whitepapers), but in practice, it usually is not. Managing your perimeter firewall via the same directory you use to manage the print server which is on your internal network is NOT a good idea, for any number of reasons.

Abe

--
Abe Getchell
abegetchell@gmail.com
http://abegetchell.com/

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
The annoying SBSer with ISA on her box is going to challenge you on that one.

What exactly doesn't feel quite right?  Why does it not feel right?

In my network I like it because it's on a platform that I can monitor easier. Control better. Patch easier. [WSUS will soon support ISA as a matter of fact]

Isn't the same true for big networks?

I think we all need to let go of our OS perceptions and look at the realities of operating systems these days and what not. If we can't control it...understand it...I'm not sure it's not helping in the security fabric of my network.

Our firewalls are not our perimeters any more.

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US 

---------------------------------------------------------------------------
---------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Renaming Administrator account, Dubber, Drew B
Next by Date:  RE: ISA Server or Firewall Appliance?, James Eaton-Lee
Previous by Thread:  Re: ISA Server or Firewall Appliance?, James Eaton-Lee
Next by Thread:  Re: ISA Server or Firewall Appliance?, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Indexes:  [Date] [Thread] [Top] [All Lists]