RE: Anti-virus on Exchange

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Feb 2005 21:12:28 -0500

On Tue, 15 Feb 2005 17:08:17 -0600, Thomas W Shinder
<tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
> 
> Where is the:
> 
> -- RADIUS based pre-authentication for OWA/OMA/ActiveSync/RPC over HTTP
> access?

RADIUS, yes. The rest is probably possible.

> -- Where is the SSL to SSL bridging feature that prevents exploits from
> being tunneled inside an SSL tunnel?

If your ISA Windows box is compromised (just last week, MS released
patches for over 60 vulnerabilities - ouch!), valid SSL sessions could
be read.

> -- Where is the forms-based authentication that generates the form at
> the firewall, so as to allow for pre-authentication, session limits and
> attachment control?

Haven't looked into it.  Attachment control? We block all executables.

> -- Where is the per user/per group, per protocol, per server, per time
> of day, stateful filtering and stateful application layer inspection for
> VPN remote access client connections?

Done and done.

> -- Where is the stateful application layer support for Secure Exchange
> RPC publishing, so that your entire organization doesn't have to upgrade
> to OL2003, and even if they did, where is the RPC scrubbing for the
> de-tunneled connections?

What do you expect from a $500 firewall?  My initial comparison was
the BASE model Fortigate firewall.

> In addition to that, ISA does have:
> 
> -Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
> as part of its HTTP Security Filter at NO extra cost or licensing
> restriction

Out-of-the-box, ISA 2004 scans for brand new and old viruses?  Which
engine does it use?

> -Grayware protection
> ISA does have this, as part of its built-in and add-on suites of
> application layer inspection filters

Add-on, then? Who provides updates to grayware and spyware definitions?

> -Signature and custom Intrusion Prevention and Protection
> I can use the built-in ISA firewall's IDS/IPS, add-on 3rd party IDS/IPS
> or use Snort.

Who updates ISA's IDS/IPS signatures?

> -Anti-spam - RBL, content, etc.
> You can add this on to the ISA firewall, and includes basic SMTP
> filtering and inspection right out of the box with its SMTP Filter and
> SMTP Message Screener.

A.K.A Add-on...

> -Email content and attachment blocking/filtering
> The ISA firewall has this right out of the box.

'bout time.


> -ActiveX, java, cookie, protection
> Again, the ISA firewall has this right out of the box. Just configure
> it!

Cool.

> -Web URL and content filtering
> The ISA firewall has this right out of the box.

Cool.

> -End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level
> options) solution
> This ISA firewall also has this right out of the box, and also has VPN
> Quarantine support right out of the box.

Sweet. How about AES256?

> -Client VPN software which includes firewall and anti-virus component
> Why use proprietary VPN client software when *every version of Windows*
> has a VPN client built-in. Best of all, no finger pointing when
> something goes haywire! :)

Microsoft has built-in anti-virus, egress and ingress stateful
firewall, and IPSec VPN support in *every version of Windows*?

> -Traffic shaping
> Not included with the ISA firewall :(

Uh oh.

> -Syslog output
> ISA includes right out of the box, text logging, MSDE logging and SQL
> logging. Can get it to work with MySQL and Access if you like.

I output to syslog running a FreeBSD box. 

> -Protocol authentication
> Not sure what you mean, but I'll bet it's not as comprehensive as ISA's,
> if you mean that you can control user/group access to ALL protocols
> through the miracle of the Firewall client (the generic Winsock Proxy
> client)

LDAP, RADIUS, etc. authentication for specific protocol-based (HTTP,
etc.) access.

> -VLAN support
> ISA supports this right out of the box, we're using in a couple places
> in product now.

Awesome.

> -HTTPS and SSH admin access
> ISA supports FIPS compliant encrypted RDP -- much more secure!

SSH2 works well here.

> -Support & Maintenance includes virus and attack definitions
> Same when we install GFI add-ons

No add-ons necessary here. Second year maintenance is cheap; less than
half the price of unit.

> -NAT or transparent mode
> The ISA firewall supports both NAT and Route relationships. No
> transparent mode though, MAC exploits are too problematic from my point
> of view to want support for this.

Fortinet has this covered in the least with IPS.

Defense in depth: NAT firewall, then a transparent one logically
behind it. Ohhh man I love it.

> You can also purchase the ISA firewall as a hardware appliance from
> Network Engines, RimApp and Celestix. In fact, not even Microsoft PSS
> can break into the Network Engines ISA hardware firewall, even when they
> have console access!

Do we have to bring up how many Microsoft software vulnerabilities
were exposed just last week?  And I want my border firewall running on
what? Microsoft software?

ISA is a great product, but for my current environments is too
expensive up-front and in the long-term from a cost point of view and
a risk point of view.


> Fortigate does cost less, but you don't get as much either.

RPC(oh boy, ask the security experts about good ol' RPC)/HTTP/OWA
integrations aside, the Fortigate is not comparable in cost.

Respectfully,

...D

