> -----Original Message-----
> From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 16, 2002 17:56
> To: Noonan, Wesley
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> >
> > - It's a pretty decent caching server, reducing bandwidth needs.
> > - It integrates tightly with existing windows networks
> > - Tiered management that can be delegated at different levels to
> >   different users/groups
> 
> Yes. In a mail that has yet to reach the list (?!?), I listed these

That has happened to me a few times of late...

> On the second point: I'm not sure I want my firewall integrating
> that tightly with windows boxes driven by ordinary lusers.

Let me clarify, by that I meant things like using user security and not
needing to maintain a separate database, etc.
 
> 
> > It scales something fierce, both up and out. I've read reports of
> > it scaling out to 32 nodes and over 1Gbps in bandwidth.
> 
> I thought you were listing "pro"s here?
> I know of several firewalls that give you that performance with
> a single box. And don't even get me started on the TCO for those
> 32 boxes.

What kind of box? The numbers I saw were on PIII 700's with 512MB of RAM.
Point taken on the TCO (but then again, Solaris boxes don't always come
cheap in a server form either... and we won't even get into what I have read
about Checkpoint's incredible licensing fees... may be the only thing
worse than ISA's per proc licensing agreement...)
 
> > It is generally easier to manage for shops that already have an investment
> > in MS technologies and skillsets.
> 
> I disagree. Substitute "generally" with "sometimes", and I'll agree.

OK, consider it substituted.

> Any "OS-less" firewall will be easier to get to point A than a
> windows box, even for an experienced windows administrator. And

I dunno, I have seen more than one place boot PIX for ISA because of
specifically that. Now frankly, that perplexes me because I find the PIX to
be infinitely easier to deal with than ISA (hell, I went and bought it even
though I have the license and the hardware for ISA).

> if said firewall has a management software running under windows,
> the difference there is nil: in both cases, the admin needs to
> learn a new management interface.

Fair enough. I can see that.
 
> > Built in VPN capabilities.
> > Stateful packet inspection and application level proxying
> > Native support for multiple interfaces
> 
> While these are good points, I hardly think it is much of a
> pro for ISA server, given the number of other firewalls that
> also have these features.

No, not pro's as much as "these are the things that 'real' firewalls are
supposed to do, and it does". When people make the flawed comparison to
Proxy, I think the illumination they provide is relevant.
 
> > Going on third party info here (may be wrong), but as of today it has
> > experienced fewer vulnerabilities from the date it was shipped till now than
> > either the PIX or FW1, and no vulnerabilities have caused a security
> > compromise (when it fails, it fails closed).
> 
> You forgot to count the OS vulnerabilities.

Actually, again to my knowledge ISA's exploits haven't allowed that. If you
want to bring that point in though, it becomes true for *every* OS that is
out there, BSD, Linux, Solaris, Xenix (or whatever it is called that runs
Cisco under the covers), Windows, etc. In short, that point being
"universal", it isn't really fair to attach it strictly to an ISA scenario.

Besides, a good admin can and will kill a whole lot of those services,
processes and bindings that are responsible for many of those
vulnerabilities.
 
> > It is highly extensible with a slew of third party add-ons for
> > everything from access control to IDS to monitoring to hardening
> > to logging and reporting.
> 
> Hrm, I'm very tempted to say something acid-dripping about
> the general security quality of even "top notch" windows-
> based software. Not to mention a slew of it.

I could do the same thing about the wealth of un-usable Unix apps.
 
> I think you would have a somewhat different opinion of this
> if you just knew how many windows drivers actually protect
> their driver interfaces. (About one TOTAL in a normal install.)

You assume somehow that I don't know this?

> Not to mention the (IMHO) insane complexity of even setting
> an ACL on a shared object.
> 
> Even assuming that Microsoft got ISA server right, I'm not sure
> that I'd want to be installing all those gadgets that actually
> make it do what a firewall should do (i.e. log stuff that gets
> dropped somewhere useful).

You lose base here. Install what gadgets that actually make it do what a
firewall should do? I feel like we are right back at where we started
here...

Wes
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls