Hi Susan, I think you misunderstood what they were trying to communicate during that Webcast, and the presenters didn't do a really good job at explicating their positions.
Many people think that there is no more perimeter (or edge), or that the perimeter (or edge) somehow magically changed to the end point on the corporate network. Neither assertion is true or believable. Sure, there is a more heterogeneous set of security zones that need to be segmented from one another, but to say that there is no more "perimeter" or no more "edge" is ridiculous at best, delusional at worst (sort of like saying that SBS doesn't represent a security compromise).

Try this experiment to prove this fact: deploy an ISA firewall (not on SBS but in a real firewall configuration) on the edge of the network. Lock down the System Policy and create well designed, thoughtful and functional firewall policy that controls both inbound and outbound access through the ISA firewall. Make sure you deploy both the Web proxy and Firewall client so you get comprehensive user information in the log files that you can use for comprehensive reporting later. Let that run for a month and see what the effects are on network performance and the overall security position of all hosts on all network segments on the corporate network that require Internet access.

Now, try this: assign all your network hosts public addresses and put a router (a real router, not a NAT device) on the edge and allow everything in and everything out. Don't change anything on your clients -- don't upgrade the OSs, don't install any new software other than what you have now -- just like the ISA firewall test. (No fair cheating by installing local host firewalls, NIDS, upgrading OSs, etc. to make up for the problems that you know will result from this test.) Now compare the results of your network performance metrics and overall security situation with what you had with the ISA firewall in place.

OK. Now, tell me -- is there an "edge" or "perimeter" or whatever you want to call it, and has it disappeared? Is the DMZ dead? Are the endpoints the only things we need to "firewall"?
I'm really afraid that Microsoft's push for NAP (which is what all this stuff is about) is confusing Microsoft networking folks and making them think that NAP somehow obviates the need for network firewalls, both at the edge and at all security perimeters.

PS -- what do you mean that WSUS will support ISA?

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 15, 2005 7:52 PM
> To: James Eaton-Lee
> Cc: Marcos Marrero; [email protected]
> Subject: Re: ISA Server or Firewall Appliance?
>
> The annoying SBSer with ISA on her box is going to challenge you on that one.
>
> What exactly doesn't feel quite right? Why does it not feel right?
>
> In my network I like it because it's on a platform that I can monitor easier. Control better. Patch easier. [WSUS will soon support ISA as a matter of fact]
>
> Isn't the same true for big networks?
>
> I think we all need to let go of our OS perceptions and look at the realities of operating systems these days and what not. If we can't control it...understand it...I'm not sure it's not helping in the security fabric of my network.
>
> Our firewalls are not our perimeters any more.
>
> http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US