Focus on Microsoft
ISA Server or Firewall Appliance? Nov 15 2005 04:58PM
Marcos Marrero (mmarrero LLOYDSTSB-USA com) (1 replies)
Re: ISA Server or Firewall Appliance? Nov 15 2005 09:28PM
James Eaton-Lee (james mailing gmail com) (2 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 01:51AM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net) (3 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 05:37PM
Abe Getchell (mailing list spooler gmail com) (1 replies)
Susan,

ISA is a very flexible piece of software, as mentioned previously in
this conversation. In technology, flexibility usually implies
complexity. In this case, that implication is very true, as both ISA and
Windows are extremely complex pieces of software. Complexity is not
something you want in a firewall, under any circumstances, but
especially not on the perimeter (given a "buffer" which usually exists
in regards to an internal firewall). Complexity means more moving parts,
more things to break, more things to misconfigure, more things to
manage... With an appliance (or appliance-like) solution, the vast
majority of that complexity doesn't exist. This theory is a simple "best
practice" which many organizations follow, or should, if they don't.

Another problem I have, personally, with ISA is the fact that it's
(usually) tied into the same directory which an organization uses to
manage the rest of their business systems. This functionality should be
completely separate in theory (in accordance with "best practices" as
well as what Microsoft has stated in numerous whitepapers), but in
practice, it usually is not. Managing your perimeter firewall via the
same directory you use to manage the print server which is on your
internal network is NOT a good idea, for any number of reasons.

Abe

--
Abe Getchell
abegetchell (at) gmail (dot) com
http://abegetchell.com/

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> The annoying SBSer with ISA on her box is going to challenge you on that
> one.
>
> What exactly doesn't feel quite right? Why does it not feel right?
>
> In my network I like it because it's on a platform that I can monitor
> easier. Control better. Patch easier. [WSUS will soon support ISA as a
> matter of fact]
>
> Isn't the same true for big networks?
>
> I think we all need to let go of our OS perceptions and look at the
> realities of operating systems these days and what not. If we can't
> control it...understand it...I'm not sure it's not helping in the
> security fabric of my network.
>
> Our firewalls are not our perimeters any more.
>
> http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US

Re: ISA Server or Firewall Appliance? Nov 16 2005 05:50PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net) (1 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 06:22PM
Abe Getchell (mailing list spooler gmail com)
Re: ISA Server or Firewall Appliance? Nov 16 2005 05:10PM
John Kinsella (jlk thrashyour com)
Re: ISA Server or Firewall Appliance? Nov 16 2005 01:24PM
James Eaton-Lee (james mailing gmail com)
RE: ISA Server or Firewall Appliance? Nov 15 2005 11:35PM
Nick Wells (nick clandestineresearch com) (1 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 10:56PM
Abe Getchell (mailing list spooler gmail com) (1 replies)
RE: ISA Server or Firewall Appliance? Nov 17 2005 04:33AM
Nick Wells (nick clandestineresearch com)







 

Copyright 2009, SecurityFocus