ISA is priced somewhere around $3000 per processor (Microsoft's new
licensing model). This makes any statements of "it's mostly just a personal
firewall" not just misinformed, but wholly incorrect (I don't know about
you, but *I'm* not spending that kind of money for a personal firewall - we
will discount completely that it doesn't run on Windows 2000 Professional).

The NSA docs in question might be the ones located at
http://nsa1.www.conxion.com/

I had a discussion about this topic (is ISA viable) with a person who worked
on the courseware for the product. His statement to me, which I have not
bothered to go validate as it isn't really that important to me, is that ISA
has released 1 security-related patch in the 9 months immediately following
its release. During that same time frame, all of ISA's competitors released
more patches. Now that could mean a lot of things, and taking it as "see,
there's better security" would likely be as misinformed as disregarding ISA
out of hand. Nonetheless, I think it is food for thought. He also said
that Microsoft is not aware of a single customer breach, and even the bug
they found was found internally, not in the wild.

One thing I find interesting is that the NSA has a security guide for ISA
server, but they don't have one for IPCHAINS or IPTABLES, nor do they have
one for Firewall-1. If one was interested in tossing out half thought out
comments about security and product viability, this alone might make one
wonder about the validity of those products.

No Ben, I don't think that evidence exists. Then again, I also don't happen
to think that things like facts and evidence are germane to the people who
are making those statements.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

 -----Original Message-----
From:   Ben Nagy [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, September 17, 2001 01:35
To:     [EMAIL PROTECTED]
Subject:        RE: MS ISA Server

People,

Can I make a small request - if you're going to refer to other stuff (eg
bugtraq posts or NSA documents) would you please include a solid reference
or some sort of link?

I'd be interested in dragging this discussion out a bit more. Does anyone
have evidence that's not just MS-bashing to suggest that ISA is unsuitable
as a competitor to the well-known Enterprise Firewalls? 

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
> Sent: Saturday, September 15, 2001 12:58 AM
> To: Ron DuFresne
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]
> Subject: Re: MS ISA Server
> 
> 
> Yeah, as Ron stated, check the NSA Document on the ISA Server, 
> it is more of a Proxy with some packet filtering ability, and 
> NSA only puts it in a scenario with eg FW-1 as outer 
> perimeter, the DMZ in the middle and ISA as last line of 
> defense between DMZ and LAN. DO NOT use it as 3homed FW stand alone!
> 
> > Be wary of ISA server in this role.  Consider it more of a 'personal 
> > firewall' only able to 'monitor' what comes from the outside.  You 
> > have no control over what is sent out.  M$ altered their web pages to 
> > accommodate this.  You might find an "ISA" query on the bugtraq 
> > archives to be knowledge worthy.
> > 
> > Thanks,
> > 
> > Ron DuFresne
> > 
> > On Thu, 13 Sep 2001, Chris Patterson wrote:
> > 
> > > Is anyone here familiar with the new MS ISA Server?[...]
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls