
| Subject: | RE: ISA Server or Firewall Appliance? |
|---|---|
| Date: | Sat, 19 Nov 2005 00:12:50 +0000 |

On Fri, 2005-11-18 at 11:39 -0800, Jim Harrison (ISA) wrote:

> To tell the truth, I'm surprised at the lack of ISA / MS bashing in this thread. Is it an indication of MS' place in the general security community, a general lack of interest in ISA or the holiday season approaching? The world may never know...

Well, we are on a Microsoft-specific mailing list - in my experience, those who have no productive points to make about Microsoft products (and still think that recent iterations of Windows suffer from all of the same problems as Windows 95) tend to be those who don't actually work with them, and therefore have little interest in taking part in mailing lists targeted specifically at Microsoft products - I'm sure that if you're looking for some completely unfounded criticism, some of the inhabitants of some of the more generally-focused mailing lists would be happy to oblige! :D

> Actually, I was trying to be just that specific. As was agreed to earlier in this thread, all modern firewalls can be accurately oversimplified as "applications running on operating systems". All of those OS's have been compromised to some degree, and so obviates this contextual "joining of church & state".

Good points.

> Following this context, we then examine the exploits and compromises each firewall product *itself* has experienced; i.e., that attack that succeeded in the context of the firewall code itself. It's in this context where I state that ISA has experienced no reported compromises.

Again, a worthwhile comparison - my point is really that in pursuing this it's important to distinguish between 'firewalling' and 'platform' exploits for other firewalling solutions, which I didn't see any direct evidence of. I brought up netfilter as an example of this - although Linux has had plenty of advisories and exploits released for it, practically none of these have been netfilter related. I've actually found one advisory targeting a very specific configuration of netfilter/iptables which allowed a malicious attacker to add a firewalling rule to allow them to access certain hosts on a network, but I don't see any evidence of any 'exploit' or actual targeting of this, because it is quite specific.

> Also, ISA (and to be fair; the aforementioned competitors) is far more than a simple "firewalling stack". What separates ISA from the others is the fact that ISA has and continues to "lead the pack" in L4+ inspection.

Indeed - it's hard to summarise what ISA does in two pages, let alone two words! As I've said before, I work with and deploy ISA in a variety of configurations, and I really do think it's a great product - it's just worthwhile discussing and clarifying these issues!

On another note, I think the misunderstanding which ISA enjoys is possibly to some extent responsible for the low profile it has, security-wise - very few wintel guys I meet who haven't directly and specifically worked with ISA have a particularly good understanding of what it does, and (as mentioned above) non-wintel people particularly don't understand, and have misconceptions about, ISA. I'd hazard a guess that one large factor responsible for the (admittedly) good security track record ISA has is simply the small number of guys out there looking for holes in it - even the best code suffers from bugs, and one would expect a firewall such as ISA to have such holes found. I could be wrong, though - this is just speculation!

Thanks for your reply!

- James.

> Hope that clarifies things a bit...
>
> Jim Harrison
> Security Platform Group (ISA SE)
> If We Can't Fix It - It Ain't Broke!
>
> -----Original Message-----
> From: James Eaton-Lee [mailto:james.mailing@gmail.com]
> Sent: Friday, November 18, 2005 9:23 AM
> To: Jim Harrison (ISA)
> Cc: John Kinsella; focus-ms@securityfocus.com
> Subject: RE: ISA Server or Firewall Appliance?
>
> Jim,
>
> On Thu, 2005-11-17 at 13:28 -0800, Jim Harrison (ISA) wrote:
>
> > Your statements are fine as far as they go, but there is real (as opposed to anecdotal) data that directly contradicts your stated concerns. There are *lots* of Enterprise networks running ISA 2000 and/or ISA2004 on the edge. Several of these customers have also consented to public case studies which are (proudly) posted on the microosft.com/isaserver pages. Short story - no one has offered anything more than "ancient history" to counter the facts offered in ISA's favor.
>
> Not to be flippant, but I tried - I wasn't really trying to ISA bash, but I disagreed with you when you said on Tuesday that:
>
> > I know it sounds like marketing spew, but the simple fact is; in 5+ years of service on anything from an SBS server, OEM appliance to HUGE enterprise deployments, ISA server has the distinction of not having been the recipient of one single exploit in the wild.
>
> and then that...
>
> > I know it sounds like marketing spew, but the simple fact is; in 5+ years of service on anything from an SBS server, OEM appliance to HUGE enterprise deployments, ISA server has the distinction of not having been the recipient of one single exploit in the wild.
>
> ...more specifically, the bulk of my point was that you weren't comparing like with like, you were comparing a whole firewall platform (IOS/Juniper) with something (ISA) which is just a firewalling stack which necessarily has pre-requisite software which it's combined with to make up the whole firewall, and ignoring the platform (Windows) which it was running on top of. So far I haven't had a reply.. ;)
>
> If you want to discuss this, I'd be more than happy to re-send my original post on this topic to the list, as this is really a bastardisation of what I was originally trying to say!
>
> - James.