| Subject: | Re: ISA Server or Firewall Appliance? |
|---|---|
| Date: | Wed, 16 Nov 2005 09:50:48 -0800 |
Susan,
ISA is a very flexible piece of software, as mentioned previously in this conversation. In technology, flexibility usually implies complexity. In this case, that implication is very true, as both ISA and Windows are extremely complex pieces of software. Complexity is not something you want in a firewall, under any circumstances, but especially not on the perimeter (given a "buffer" which usually exists in regards to an internal firewall). Complexity means more moving parts, more things to break, more things to misconfigure, more things to manage... With an appliance (or appliance-like) solution, the vast majority of that complexity doesn't exist. This theory is a simple "best practice" which many organizations follow, or should, if they don't.
Another problem I have, personally, with ISA is the fact that it's (usually) tied into the same directory which an organization uses to manage the rest of their business systems. This functionality should be completely separate in theory (in accordance with "best practices" as well as what Microsoft has stated in numerous whitepapers), but in practice, it usually is not. Managing your perimeter firewall via the same directory you use to manage the print server which is on your internal network is NOT a good idea, for any number of reasons.
Abe