Focus on Microsoft
ISA Server or Firewall Appliance? Nov 15 2005 04:58PM
Marcos Marrero (mmarrero LLOYDSTSB-USA com) (1 replies)
Re: ISA Server or Firewall Appliance? Nov 15 2005 09:28PM
James Eaton-Lee (james mailing gmail com) (2 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 01:51AM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net) (3 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 05:37PM
Abe Getchell (mailing list spooler gmail com) (1 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 05:50PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net) (1 replies)
I've seen/read the CISCO security guides on NSA... I've seen
misconfigured appliance firewalls. There's a lot of complexity out
there even in these dedicated devices.

I'm not convinced 'the vast majority of that complexity doesn't exist'
is a valid statement anymore in what we have going through our
firewalls these days and what we have installed.

I'm an SBSer so throw me out the best practices window anyway as I break
all of 'em ... but take a box [a], stick a secure.inf template on it or
run the Secure Configuration Wizard, I'm just not convinced that unless
you have folks that understand that firewall you can make such blanket
statements these days.

Cisco Router Security Recommendation Guides // National Security Agency //:
http://nsa2.www.conxion.com/cisco/

[a] and when I say ..take a box... that means Windows 2003 only, 2000
even with .inf's applied just isn't the same beast.

Abe Getchell wrote:
> Susan,
>
> ISA is a very flexible piece of software, as mentioned previously in
> this conversation. In technology, flexibility usually implies
> complexity. In this case, that implication is very true, as both ISA
> and Windows are extremely complex pieces of software. Complexity is
> not something you want in a firewall, under any circumstances, but
> especially not on the perimeter (given a "buffer" which usually exists
> in regards to an internal firewall). Complexity means more moving
> parts, more things to break, more things to misconfigure, more things
> to manage... With an appliance (or appliance-like) solution, the vast
> majority of that complexity doesn't exist. This theory is a simple
> "best practice" which many organizations follow, or should, if they
> don't.
>
> Another problem I have, personally, with ISA is the fact that it's
> (usually) tied into the same directory which an organization uses to
> manage the rest of their business systems. This functionality should
> be completely separate in theory (in accordance with "best practices"
> as well as what Microsoft has stated in numerous whitepapers), but in
> practice, it usually is not. Managing your perimeter firewall via the
> same directory you use to manage the print server which is on your
> internal network is NOT a good idea, for any number of reasons.
>
> Abe
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

Re: ISA Server or Firewall Appliance? Nov 16 2005 06:22PM
Abe Getchell (mailing list spooler gmail com)
Re: ISA Server or Firewall Appliance? Nov 16 2005 05:10PM
John Kinsella (jlk thrashyour com)
Re: ISA Server or Firewall Appliance? Nov 16 2005 01:24PM
James Eaton-Lee (james mailing gmail com)
RE: ISA Server or Firewall Appliance? Nov 15 2005 11:35PM
Nick Wells (nick clandestineresearch com) (1 replies)
Re: ISA Server or Firewall Appliance? Nov 16 2005 10:56PM
Abe Getchell (mailing list spooler gmail com) (1 replies)
RE: ISA Server or Firewall Appliance? Nov 17 2005 04:33AM
Nick Wells (nick clandestineresearch com)







 
