Network Security Focus-Microsoft

Re: ISA Server or Firewall Appliance?

Subject: Re: ISA Server or Firewall Appliance?
Date: Wed, 16 Nov 2005 13:22:26 -0500
Hi Susan,

You bring up a good point concerning misconfiguration (of course it's possible to misconfigure an appliance firewall), but with an appliance solution there's simply less to misconfigure in the first place; either the component simply doesn't exist or the administrator isn't given (direct) access to screw it up.

However, that being said, having people who understand firewalls and can manage them appropriately isn't at question here; that's an HR issue. What is at question here is which piece of technology, of the ones the original poster described, is better suited to be a perimeter firewall. We're talking pure technology here, as is usually implied when asking a "which is better" question on a technology mailing list. We just assume that regardless of the solution it will be managed competently (though we shouldn't... we really, really, shouldn't).

Simply going through the basic build/configuration/management process and comparing the steps/processes involved will give you a clear picture as to why appliance solutions (such as Check Point's SPLAT or Cisco's PIX) are much less complex than a "general purpose" solution (such as Windows/ISA or Linux/IPTables). I'll spare you (and everyone else) the lengthy e-mail (unless you really, really, want it) and let you go through that exercise on your own, if you choose.

Abe

--
Abe Getchell
abegetchell@gmail.com
http://abegetchell.com/

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
I've seen/read the CISCO security guides on NSA... I've seen misconfigured appliance firewalls. There's a lot of complexity out there even in these dedicated devices.

I'm not convinced 'the vast majority of that complexity doesn't exist' is a valid statement anymore in what we have going through our firewalls these days and what we have installed.

I'm a SBSer so throw me out the best practices window anyway as I break all of 'em ... but take a box [a], stick a secure.inf template on it or run the Secure Configuration Wizard, I'm just not convinced that unless you have folks that understand that firewall you can make such blanket statements these days.



Cisco Router Security Recommendation Guides // National Security Agency //:
http://nsa2.www.conxion.com/cisco/

[a] and when I say ..take a box... that means Windows 2003 only, 2000 even with .inf's applied just isn't the same beast.
