RE: Connection Issue

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 29 Aug 2003 12:45:36 -0500

Hi Shawn,
 
Good points, but from what I understand, the overwhelming majority of
firewall-related security fubars are related to misconfiguration. It's a
lot easier to fubar different systems because it takes a lot more effort
to get intimate with all of them. If you have a single platform, you can
focus your learning efforts on it.
 
However, I do see the need for "hardware" devices at the Internet edge that
can do fast filtering. If I have a fat pipe on the Internet edge, I
don't want ISA there, because it's not fast enough. It's a much more
efficient design to put a Cisco something at the edge, because it's so
effective at passing exploits at lightning speed :-)
 
Put the ISAs on the edge of the divisional LANs and use the gateway-to-
gateway VPN configs to join these LANs. This division of labor
allows the Internet gateway to do basic packet filtering (FWIW) and
distributes the responsibility for the intelligent firewalling to the LAN
edges.
 
Centralization is efficient, but that efficiency becomes an Achilles'
heel. Distributed systems are hard to bring down completely. Centralized
systems can be brought down with a single blow.
 
:-)
 
IMHO,
Tom
 
 
Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

        -----Original Message-----
        From: Quillman Shawn (RBNA/CIT1.1) [mailto:Shawn.Quillman@xxxxxxxxxxxx]
        Sent: Friday, August 29, 2003 12:14 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Connection Issue
        
        
        Due to obvious security issues I won't discuss the configuration
of our corporate firewalls.  However, there is quite an advantage to
having a multiple-system firewall.  A vulnerability of one system is
typically not going to be a vulnerability in another system so your
protection against attack is greatly increased with mixed systems.  ISA
can handle itself, I agree.  But if/when something does get through ISA
another wall behind it would give admins more time to react to the
breach before the internal network is compromised.  Same reason they
built castles with an outer wall.  The biggest question then is how
willing is your company to throw the required resources at a
multiple-system firewall?  More systems require more money and they add
a great deal of complexity to the solution.  From a pure security
standpoint it is the best solution.  You just have to weigh it against
your purse and your corporate culture.
         
        -Shawn
         