RE: Anti-virus on Exchange

  • From: "William Lefkovics" <william@xxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Feb 2005 15:44:02 -0800

ISA is an excellent product.  
Not really better than all other solutions, but a good fit for lots of
enterprises.

The Fortigate appliance is also an excellent product and a better fit for
many enterprises.
Fortigate doesn't give you as much, but if you don't use it then why pay for
it?
And *most* of Tom's list can be accomplished with freeware.

Where ISA really fits is securing Microsoft-specific functionality like
Exchange RPC/HTTPS.

Hi Tom!  *smooch*


 

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: Tuesday, February 15, 2005 3:14 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Anti-virus on Exchange

http://www.MSExchange.org/

Is that all??

:)) 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, February 15, 2005 7:08 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Anti-virus on Exchange

http://www.MSExchange.org/

Hi Danny,

Where is the:

-- RADIUS based pre-authetication for OWA/OMA/ActiveSync/RPC over HTTP
access?
-- Where is the SSL to SSL bridging feature that prevents exploits from
being tunneled inside an SSL tunnel?
-- Where is the forms-based authentication that generates the form at the
firewall, so as to allow for pre-authentication, session limits and
attachment control?
-- Where is the per user/per group, per protocol, per server, per time of
day, stateful filtering and stateful application layer inspection for VPN
remote access client connections?
-- Where is the stateful application layer support for Secure Exchange RPC
publishing, so that your entire organization doesn't have to upgrade to
OL2003, and even if they did, where is the RPC scrubbing for the de-tunneled
connections?

In addition to that, ISA does have:

-Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.) as
part of its HTTP Security Filter at NO extra cost or licensing restriction

-Grayware protection
ISA does have this, as part of its built-in and add only suites of
application layer inspection filters

-Signature and custom Intrusion Prevention and Protection I can use the
built-in ISA firewall's IDS/IPS, add-on 3rd party IDS/IPS or use Snort.

-Anti-spam - RBL, content, etc.
You can add this on to the ISA firewall, and includes basic SMTP filtering
and inspection right out of the box with its SMTP Filter and SMTP Message
Screener.

-Email content and attachment blocking/filtering The ISA firewall has this
right out of the box.

-ActiveX, java, cookie, protection
Again, the ISA firewall has this right out of the box. Just configure it!

-Web URL and content filtering
The ISA firewall has this right out of the box.

-End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level
options) solution
This ISA firewall also has this right out of the box, and also has VPN
Quaratine support right out of the box.

-Client VPN software which includes firewall and anti-virus component Why
use proprietary VPN client software when *every version of Windows* has a
VPN client built-in. Best of all, no finger pointing when something goes
haywire! :)

-Traffic shaping
Not included with the ISA firewall :(

-Syslog output
ISA includes right out of the box, text logging, MDSE logging and SQL
logging. Can get it to work with MySQL and Access if you like.

-Protocol authentication
Not sure what you mean, but I'll bet its not as comprehensive as ISA's, if
you mean that you can control user/group access to ALL protocols through the
miracle of the Firewall client (the generic Winsock Proxy
client)

-VLAN support
ISA supports this right out of the box, we're using in a couple places in
product now.

-HTTPS and SSH admin access
ISA supports FIPS compliant encrypted RDP -- much more secure!

-Support & Maintenance includes virus and attack definitions Same when we
install GFI add-ons

-NAT or transparent mode
The ISA firewall supports both NAT and Route relationships. No transparent
mode though, MAC exploits are too problematic from my point of view to want
support for this.

You can also purchase the ISA firewall as a hardware appliance from Network
Engines, RimApp and Celestix. In fact, not even Microsoft PSS can break into
the Network Engines ISA hardware firewall, even when they have console
access!
 
Fortigate does cost less, but you don't get as much either.

Thanks!

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx]
Sent: Tuesday, February 15, 2005 4:28 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Anti-virus on Exchange

http://www.MSExchange.org/

On Tue, 15 Feb 2005 15:42:34 -0600, Thomas W Shinder <tshinder@xxxxxxxxxxx>
wrote:
> http://www.MSExchange.org/
> 
> Hi Danny,
> 
> I prefer to use an ISA based hardware firewall, I think I get better 
> protection and more secure remote access too! :)

I respect your preference, however, I find it difficult for ISA running on a
Windows server to provide better protection and more secure remote access
than my deployed Fortigate firewalls, which provide some of the following at
little or no impact to performance (if you match your network needs to the
right model):

-Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
-Grayware protection -Signature and custom Intrusion Prevention and
Protection -Anti-spam - RBL, content, etc.
-Email content and attachment blocking/filtering -ActiveX, java, cookie,
protection -Web URL and content filtering -End-to-end VPN (IPSec, PPTP,
L2TP, and multiple encryption level
options) solution
-Client VPN software which includes firewall and anti-virus component
-Traffic shaping -Syslog output -Protocol authentication -VLAN support
-HTTPS and SSH admin access -Support & Maintenance includes virus and attack
definitions -NAT or transparent mode ...etc.

The Fortigate 60 for example, is well under $600 USD including the hardware
and software; it's an appliance!

(We are providing personal recommendations, and so have I in this case; I
have no affiliation with Fortinet, in fact, a year ago I would not have
recommended them.)

...D

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
tshinder@xxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
ExchangeMailingList@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx

Like the T Rex - to which it is not often compared - the haggis has eyes
that react to movement. 


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
william@xxxxxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx



Other related posts: