A sizable chunk of Cisco (don't know for sure on the PIX, but I know on their routers) runs an OS behind the scenes that is called Xenix, XNS, ZNS, or something along those lines (I really don't recall the actual name). IOS runs on top of that (is my understanding, kind of like how Banyan ran on top of Unix). My point was simply, if one is going to cast the "a firewall is only as strong as the underlying OS" stone, they need to be prepared to cast that stone at virtually every firewall out there. It is hardly an ISA specific issue (heck, FW1 runs on MS doesn't it?).
Wes Noonan
[EMAIL PROTECTED]
281-208-8993

> -----Original Message-----
> From: Clifford Thurber [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 17, 2002 08:48
> To: Noonan Wesley; 'Mikael Olsson'
> Cc: '[EMAIL PROTECTED]'
> Subject: RE: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
>
> What is the connection between Xenix and Cisco here:
>
> ...Xenix (or whatever it is called that runs
> Cisco under the covers), Windows, etc. In
>
>
> At 08:17 PM 4/16/2002 -0500, Noonan, Wesley wrote:
> > > -----Original Message-----
> > > From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, April 16, 2002 17:56
> > > To: Noonan, Wesley
> > > Cc: '[EMAIL PROTECTED]'
> > > Subject: Re: Microsoft ISA server (Was: Re: Replacing my old PIX Classic)
> > >
> > > > - It's a pretty decent caching server, reducing bandwidth needs.
> > > > - It integrates tightly with existing windows networks
> > > > - Tiered management that can be delegated at different levels to
> > > >   different users/groups
> > >
> > > Yes. In a mail that has yet to reach the list (?!?), I listed these
> >
> > That has happened to me a few times of late...
> >
> > > On the second point: I'm not sure I want my firewall integrating
> > > that tightly with windows boxes driven by ordinary lusers.
> >
> > Let me clarify, by that I meant things like using user security and not
> > needing to maintain a separate database, etc.
> >
> > > > It scales something fierce, both up and out. I've read reports of
> > > > it scaling out to 32 nodes and over 1Gbps in bandwidth.
> > >
> > > I thought you were listing "pro"s here?
> > > I know of several firewalls that give you that performance with
> > > a single box. And don't even get me started on the TCO for those
> > > 32 boxes.
> >
> > What kind of box? The numbers I saw were on PIII 700's with 512MB of RAM.
> > Point taken on the TCO (but then again, Solaris boxes don't always come
> > cheap in a server form either... and we won't even get into what I have read
> > about Checkpoint's incredible licensing fees... may be the only thing
> > worse than ISA's per proc licensing agreement...)
> >
> > > > It is generally easier to manage for shops that already have an investment
> > > > in MS technologies and skillsets.
> > >
> > > I disagree. Substitute "generally" with "sometimes", and I'll agree.
> >
> > OK, consider it substituted.
> >
> > > Any "OS-less" firewall will be easier to get to point A than a
> > > windows box, even for an experienced windows administrator. And
> >
> > I dunno, I have seen more than one place boot PIX for ISA because of
> > specifically that. Now frankly, that perplexes me because I find the PIX to
> > be infinitely easier to deal with than ISA (hell, I went and bought it even
> > though I have the license and the hardware for ISA).
> >
> > > if said firewall has a management software running under windows,
> > > the difference there is nil: in both cases, the admin needs to
> > > learn a new management interface.
> >
> > Fair enough. I can see that.
> >
> > > > Built in VPN capabilities.
> > > > Stateful packet inspection and application level proxying
> > > > Native support for multiple interfaces
> > >
> > > While these are good points, I hardly think it is much of a
> > > pro for ISA server, given the number of other firewalls that
> > > also have these features.
> >
> > No, not pro's as much as "these are the things that 'real' firewalls are
> > supposed to do, and it does". When people make the flawed comparison to
> > Proxy, I think the illumination they provide is relevant.
> >
> > > > Going on third party info here (may be wrong), but as of today it has
> > > > experienced fewer vulnerabilities from the date it was shipped till now than
> > > > either the PIX or FW1, and no vulnerabilities have caused a security
> > > > compromise (when it fails, it fails closed).
> > >
> > > You forgot to count the OS vulnerabilities.
> >
> > Actually, again to my knowledge ISA's exploits haven't allowed that. If you
> > want to bring that point in though, it becomes true for *every* OS that is
> > out there, BSD, Linux, Solaris, Xenix (or whatever it is called that runs
> > Cisco under the covers), Windows, etc. In short, that point being
> > "universal", it isn't really fair to attach it strictly to an ISA scenario.
> >
> > Besides, a good admin can and will kill a whole lot of those services,
> > processes and bindings that are responsible for many of those
> > vulnerabilities.
> >
> > > > It is highly extensible with a slew of third party add-ons for
> > > > everything from access control to IDS to monitoring to hardening
> > > > to logging and reporting.
> > >
> > > Hrm, I'm very tempted to say something acid-dripping about
> > > the general security quality of even "top notch" windows-
> > > based software. Not to mention a slew of it.
> >
> > I could do the same thing about the wealth of un-usable Unix apps.
> >
> > > I think you would have a somewhat different opinion of this
> > > if you just knew how many windows drivers actually protect
> > > their driver interfaces. (About one TOTAL in a normal install.)
> >
> > You assume somehow that I don't know this?
> >
> > > Not to mention the (IMHO) insane complexity of even setting
> > > an ACL on a shared object.
> > >
> > > Even assuming that Microsoft got ISA server right, I'm not sure
> > > that I'd want to be installing all those gadgets that actually
> > > make it do what a firewall should do (i.e. log stuff that gets
> > > dropped somewhere useful).
> >
> > You lose base here. Install what gadgets that actually make it do what a
> > firewall should do? I feel like we are right back at where we started
> > here...
> >
> > Wes
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
