Susan et all... :) I'll attempt to address from the other end...I usually work with large clients on major networks. One cavaet: While quite familiar with Windows and it's positives/negatives, I haven't personally used ISA yet...gotta get it up in my lab.
For me, I usually try to be OS-agnostic. An OS is a tool; as long as that tool meets my needs in an effective and efficient manner, I'm happy. In the environments I work in, network security is handled by network teams - firewalls usually are Checkpoint, Cisco or Juniper/Netscreen. They all have their pros and cons. As a security professional, I became ok with the concept of Windows in the infrastructure as a db/app/web server, as long as the OS is hardened and the box is firewalled at least to layer 4. Boxes that I recommend as firewalls have proven over time that they have a reliable network stack, can provide fault-tolerance, can easily handle wire-speed attacks, and use a command line which the network administrators[1] are familiar with. Windows has not demonstrated a reliable network stack to me, and while it can be fairly reliable as an OS I can't comment on high-availability designs of ISA since I haven't tested it. Microsoft still isn't providing me with the level of satisfacation I'd want from a security vendor. So, if you're a windows shop, with a small to medium size network, ISA might just treat you fine, but personally that idea is scary as all hell. I'll always recommend firewalling windows servers, even if they have firewall software on them. For a larger shop that uses managed switches, dynamic routing, multiple VLANs...They're just going to be more comfortable with the CLIs. My recommendation for a "small" firewall - check out Netscreen's 5GT - sweet little box for a few hundred bucks. Oh, last thing, regarding talking about NICs getting burned out in a PC - most PC firewalls I've seen in the last year or two have on-board NICs, so if that gets smoked, you might be seeing more than just a NIC go up in a poof. Just something to keep in mind... John 1: "Network Administrators" is being used in it's "real" definition - people who administer networks. This differs from "Windows administrators" or "UNIX administrators." On Tue, Nov 15, 2005 at 05:51:30PM -0800, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: > The annoying SBSer with ISA on her box is going to challenge you on that > one. > > What exactly doesn't feel quite right? Why does it not feel right? > > In my network I like it because it's on a platform that I can monitor > easier. Control better. Patch easier. [WSUS will soon support ISA as a > matter of fact] > > Isn't the same true for big networks? > > I think we all need to let go of our OS perceptions and look at the > realities of operating systems these days and what not. If we can't > control it...understand it...I'm not sure it's not helping in the > security fabric of my network. > > Our firewalls are not our perimeters any more. > > http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
