"Noonan, Wesley" wrote:
>
> [on ISA server advantages]
>
> - It's a pretty decent caching server, reducing bandwidth needs.
> - It integrates tightly with existing windows networks
> - Tiered management that can be delegated at different levels to
> different users/groups
Yes. In a mail that has yet to reach the list (?!?), I listed these
as reasons as to why ISA server could be good for restricting
outbound connections in a microsoft-centric shop, and as a web
cache.
On the second point: I'm not sure I want my firewall integrating
that tightly with windows boxes driven by ordinary lusers.
> It scales something fierce, both up and out. I've read reports of
> it scaling out to 32 nodes and over 1Gbps in bandwidth.
I thought you were listing "pro"s here?
I know of several firewalls that give you that performance with
a single box. And don't even get me started on the TCO for those
32 boxes.
> It is generally easier to manage for shops that already have an investment
> in MS technologies and skillsets.
I disagree. Substitute "generally" with "sometimes", and I'll agree.
Any "OS-less" firewall will be easier to get to point A than a
windows box, even for an experienced windows administrator. And
if said firewall has a management software running under windows,
the difference there is nil: in both cases, the admin needs to
learn a new management interface.
(No, the ISA admin interface popping up out of MMC isn't a valid
counterpoint. I can start devstudio out of MMC; that doesn't mean
that every windows admin can code.)
> Built in VPN capabilities.
> Stateful packet inspection and application level proxying
> Native support for multiple interfaces
While these are good points, I hardly think it is much of a
pro for ISA server, given the number of other firewalls that
also have these features.
> Going on third party info here (may be wrong), but as of today it has
> experienced fewer vulnerabilities from the date it was shipped till now than
> either the PIX or FW1, and no vulnerabilities have caused a security
> compromise (when it fails, it fails closed).
You forgot to count the OS vulnerabilities.
> It is highly extensible with a slew of third party add-ons for
> everything from access control to IDS to monitoring to hardening
> to logging and reporting.
Hrm, I'm very tempted to say something acid-dripping about
the general security quality of even "top notch" windows-
based software. Not to mention a slew of it.
I think you would have a somewhat different opinion of this
if you just knew how many windows drivers actually protect
their driver interfaces. (About one TOTAL in a normal install.)
Not to mention the (IMHO) insane complexity of even setting
an ACL on a shared object.
Even assuming that Microsoft got ISA server right, I'm not sure
that I'd want to be installing all those gadgets that actually
make it do what a firewall should do (i.e. log stuff that gets
dropped somewhere useful).
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls