> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
> [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, November 15, 2005 8:52 PM
> To: James Eaton-Lee
> Cc: Marcos Marrero; focus-ms@securityfocus.com
> Subject: Re: ISA Server or Firewall Appliance?
> 
> The annoying SBSer with ISA on her box is going to challenge 
> you on that one.
> 
> What exactly doesn't feel quite right?  Why does it not feel right?
> 
> In my network I like it because it's on a platform that I can 
> monitor easier. Control better.  Patch easier.  [WSUS will 
> soon support ISA as a matter of fact]
> 
> Isn't the same true for big networks?
> 
> I think we all need to let go of our OS perceptions and look 
> at the realities of operating systems these days and what 
> not.  If we can't control it...understand it...I'm not sure 
> it's not helping in the security fabric of my network.
> 
> Our firewalls are not our perimeters any more.
> 
> http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US
> 

I'll add my two cents - I've never used ISA (or Cisco, Juniper,
WatchGuard, etc.), in fact I've only ever used netfilter on Debian
Linux, with no GUI and as few packages installed as necessary. I believe
in deploying servers with the minimum number of services required for it
to function as intended.

I don't need a GUI to configure my firewall, nor do I need Remote
Desktop or IIS or a JVM or DCOM or wallpaper or Windows startup sounds
or a certification from Cisco. However, I did need to spend a lot of
time learning how network protocols, NAT, connection tracking and
netfilter work. I think it was well worth the investment.
Performance-wise, I believe Netfilter is adequate: 200,000 pps/20,000
new requests per second, with filtering, connection tracking, and NAT on
an Opteron-based system (Intel was significantly slower). 

I think it depends on whether you need something to work now, securely,
or whether you can trade off time for a minimal installation, which is
theoretically more secure than one which brings the trappings of a
user-oriented operating system, like Windows or Red Hat/SUSE.

Derick Anderson
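The kind of minimal netfilter setup the reply above describes (default-deny filtering, connection tracking, and source NAT for an inside subnet), written out as an added example that is not code from the original message or from the Debian project. It emits an iptables-restore ruleset and only applies it when run as root with --apply. The interface names, the inside subnet, the admin host, and the SSH/ICMP allowances are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a minimal stateful netfilter ruleset for a Debian box acting
# as a NAT gateway, in iptables-restore format. Everything below marked
# "assumed" is an illustrative choice, not something from the original post.
WAN_IF="${WAN_IF:-eth0}"                  # assumed upstream interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed inside subnet
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"  # assumed host allowed to SSH in

# gen_ruleset prints the complete iptables-restore file to stdout.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always trusted.
-A INPUT -i lo -j ACCEPT
# Drop what conntrack cannot classify (out-of-state TCP, bogus fragments).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Stateful core: replies to connections the box or the LAN opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management: new SSH sessions only from the admin host on the inside.
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Let the firewall be pinged from the LAN, rate-limited.
-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# LAN hosts may open new connections outbound; nothing enters unsolicited.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Log (rate-limited) what the DROP policy is about to discard.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT for the inside subnet leaving via the WAN interface.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# count_rules_matching PATTERN: number of lines in the generated ruleset
# that match PATTERN (handy for sanity checks before applying).
count_rules_matching() {
    gen_ruleset | grep -c -- "$1"
}

# Apply only when explicitly asked and running as root; otherwise print.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; exit 1; }
    gen_ruleset | iptables-restore
    # Forwarding between LAN and WAN also needs the kernel knob enabled.
    sysctl -w net.ipv4.ip_forward=1
else
    gen_ruleset
fi
```

Run without arguments to review the ruleset; run as root with --apply to load it atomically via iptables-restore. The two INVALID drops and the ESTABLISHED,RELATED accepts are what make the ruleset stateful; everything else is explicit allow, with the chain policies doing the denying.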
