Network Security Focus-Microsoft

RE: ISA Server or Firewall Appliance?

Subject: RE: ISA Server or Firewall Appliance?
Date: Thu, 17 Nov 2005 13:28:38 -0800
Your statements are fine as far as they go, but there is real (as
opposed to anecdotal) data that directly contradicts your stated
concerns.
There are *lots* of Enterprise networks running ISA 2000 and/or ISA 2004
on the edge.
Several of these customers have also consented to public case studies
which are (proudly) posted on the microsoft.com/isaserver pages.

Short story - no one has offered anything more than "ancient history" to
counter the facts offered in ISA's favor.

I can guarantee that literally no one would be more interested in
hearing of a properly configured ISA server breach than I would.  The
fact is - it just hasn't happened.

Jim Harrison
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!


-----Original Message-----
From: John Kinsella [mailto:jlk@thrashyour.com] 
Sent: Wednesday, November 16, 2005 9:11 AM
To: focus-ms@securityfocus.com
Subject: Re: ISA Server or Firewall Appliance?

Susan et al... :)  I'll attempt to address from the other end...I
usually work with large clients on major networks.  One caveat: While
quite familiar with Windows and its positives/negatives, I haven't
personally used ISA yet...gotta get it up in my lab.

For me, I usually try to be OS-agnostic.  An OS is a tool; as long as
that tool meets my needs in an effective and efficient manner, I'm
happy.
In the environments I work in, network security is handled by network
teams - firewalls usually are Checkpoint, Cisco or Juniper/Netscreen.
They all have their pros and cons.

As a security professional, I became ok with the concept of Windows in
the infrastructure as a db/app/web server, as long as the OS is hardened
and the box is firewalled at least to layer 4.  Boxes that I recommend as
firewalls have proven over time that they have a reliable network stack,
can provide fault-tolerance, can easily handle wire-speed attacks, and
use a command line which the network administrators[1] are familiar
with.
Windows has not demonstrated a reliable network stack to me, and while
it can be fairly reliable as an OS I can't comment on high-availability
designs of ISA since I haven't tested it.  Microsoft still isn't providing
me with the level of satisfaction I'd want from a security vendor.

So, if you're a windows shop, with a small to medium size network,
ISA might just treat you fine, but personally that idea is scary as
all hell.  I'll always recommend firewalling windows servers, even
if they have firewall software on them.  For a larger shop that uses
managed switches, dynamic routing, multiple VLANs...They're just going
to be more comfortable with the CLIs.

My recommendation for a "small" firewall - check out Netscreen's 5GT -
sweet little box for a few hundred bucks.

Oh, last thing, regarding talking about NICs getting burned out in a PC -
most PC firewalls I've seen in the last year or two have on-board NICs,
so if that gets smoked, you might be seeing more than just a NIC go up
in a poof.  Just something to keep in mind...

John
1: "Network Administrators" is being used in its "real" definition -
people who administer networks.  This differs from "Windows
administrators" or "UNIX administrators."
