What is the connection between Xenix and Cisco here: ...Xenix (or whatever it is called that runs Cisco under the covers), Windows, etc. In

At 08:17 PM 4/16/2002 -0500, Noonan, Wesley wrote:
> > -----Original Message-----
> > From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, April 16, 2002 17:56
> > To: Noonan, Wesley
> > Cc: '[EMAIL PROTECTED]'
> > Subject: Re: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> >
> > > - It's a pretty decent caching server, reducing bandwidth needs.
> > > - It integrates tightly with existing windows networks
> > > - Tiered management that can be delegated at different levels to
> > >   different users/groups
> >
> > Yes. In a mail that has yet to reach the list (?!?), I listed these
>
>That has happened to me a few times of late...
>
> > On the second point: I'm not sure I want my firewall integrating
> > that tightly with windows boxes driven by ordinary lusers.
>
>Let me clarify, by that I meant things like using user security and not
>needing to maintain a separate database, etc.
>
> > > It scales something fierce, both up and out. I've read reports of
> > > it scaling out to 32 nodes and over 1Gbps in bandwidth.
> >
> > I thought you were listing "pro"s here?
> > I know of several firewalls that give you that performance with
> > a single box. And don't even get me started on the TCO for those
> > 32 boxes.
>
>What kind of box? The numbers I saw were on PIII 700's with 512MB of RAM.
>Point taken on the TCO (but then again, Solaris boxes don't always come
>cheap in a server form either... and we won't even get into what I have read
>about Checkpoint's incredible licensing fees... may be the only thing
>worse than ISA's per proc licensing agreement...)
>
> > > It is generally easier to manage for shops that already have an investment
> > > in MS technologies and skillsets.
> >
> > I disagree. Substitute "generally" with "sometimes", and I'll agree.
>
>OK, consider it substituted.
>
> > Any "OS-less" firewall will be easier to get to point A than a
> > windows box, even for an experienced windows administrator. And
>
>I dunno, I have seen more than one place boot PIX for ISA because of
>specifically that. Now frankly, that perplexes me because I find the PIX to
>be infinitely easier to deal with than ISA (hell, I went and bought it even
>though I have the license and the hardware for ISA).
>
> > if said firewall has a management software running under windows,
> > the difference there is nil: in both cases, the admin needs to
> > learn a new management interface.
>
>Fair enough. I can see that.
>
> > > Built in VPN capabilities.
> > > Stateful packet inspection and application level proxying
> > > Native support for multiple interfaces
> >
> > While these are good points, I hardly think it is much of a
> > pro for ISA server, given the number of other firewalls that
> > also have these features.
>
>No, not pro's as much as "these are the things that 'real' firewalls are
>supposed to do, and it does". When people make the flawed comparison to
>Proxy, I think the illumination they provide is relevant.
>
> > > Going on third party info here (may be wrong), but as of today it has
> > > experienced fewer vulnerabilities from the date it was shipped till now than
> > > either the PIX or FW1, and no vulnerabilities have caused a security
> > > compromise (when it fails, it fails closed).
> >
> > You forgot to count the OS vulnerabilities.
>
>Actually, again to my knowledge ISA's exploits haven't allowed that. If you
>want to bring that point in though, it becomes true for *every* OS that is
>out there, BSD, Linux, Solaris, Xenix (or whatever it is called that runs
>Cisco under the covers), Windows, etc. In short, that point being
>"universal", it isn't really fair to attach it strictly to an ISA scenario.
>
>Besides, a good admin can and will kill a whole lot of those services,
>processes and bindings that are responsible for many of those
>vulnerabilities.
>
> > > It is highly extensible with a slew of third party add-ons for
> > > everything from access control to IDS to monitoring to hardening
> > > to logging and reporting.
> >
> > Hrm, I'm very tempted to say something acid-dripping about
> > the general security quality of even "top notch" windows-
> > based software. Not to mention a slew of it.
>
>I could do the same thing about the wealth of un-usable Unix apps.
>
> > I think you would have a somewhat different opinion of this
> > if you just knew how many windows drivers actually protect
> > their driver interfaces. (About one TOTAL in a normal install.)
>
>You assume somehow that I don't know this?
>
> > Not to mention the (IMHO) insane complexity of even setting
> > an ACL on a shared object.
> >
> > Even assuming that Microsoft got ISA server right, I'm not sure
> > that I'd want to be installing all those gadgets that actually
> > make it do what a firewall should do (i.e. log stuff that gets
> > dropped somewhere useful).
>
>You lose base here. Install what gadgets that actually make it do what a
>firewall should do? I feel like we are right back at where we started
>here...
>
>Wes
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
