Hi Shawn,

Good points, but from what I understand, the overwhelming majority of firewall-related security fubars are related to misconfiguration. It's a lot easier to fubar different systems because it takes a lot more effort to get intimate with all of them. If you have a single platform, you can focus your learning efforts on it.

However, I do see the need for "hardware" devices at the Internet edge that can do fast filtering. If I have a fat pipe on the Internet edge, I don't want ISA there, because it's not fast enough. It's a much more efficient design to put a Cisco something at the edge, because it's so effective at passing exploits at lightning speed :-)

Put the ISAs on the edge of the divisional LANs and use the gateway-to-gateway VPN configs to join these LANs. This division of labor allows the Internet gateway to do basic packet filtering (FWIW) and distributes the responsibility for the intelligent firewalling to the LAN edges. Centralization is efficient, but that efficiency becomes an Achilles' heel. Distributed systems are hard to bring down completely. Centralized systems can be brought down with a single blow. :-)

IMHO,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Friday, August 29, 2003 12:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Connection Issue

Due to obvious security issues I won't discuss the configuration of our corporate firewalls. However, there is quite an advantage to having a multiple-system firewall. A vulnerability of one system is typically not going to be a vulnerability in another system, so your protection against attack is greatly increased with mixed systems. ISA can handle itself, I agree. But if/when something does get through ISA, another wall behind it would give admins more time to react to the breach before the internal network is compromised. Same reason they built castles with an outer wall.

The biggest question then is how willing is your company to throw the required resources at a multiple-system firewall? More systems require more money, and they add a great deal of complexity to the solution. From a pure security standpoint it is the best solution. You just have to weigh it against your purse and your corporate culture.

-Shawn
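For readers who want to see what the "basic packet filtering at the edge" layer from Tom's design looks like in practice, here is an added example that is not from either poster: a Cisco IOS extended ACL applied inbound on the Internet-facing interface of the edge router. It drops spoofed sources, lets through only the gateway-to-gateway tunnel traffic between two divisional ISA gateways (assumed here to be L2TP/IPsec, so IKE on UDP 500 plus ESP), and passes the handful of services the ISA gateway publishes, leaving all application-layer inspection to ISA. The addresses 203.0.113.10 and 198.51.100.20, the interface name Serial0/0, the published ports and the choice of L2TP/IPsec over PPTP are all assumptions made for the example.

```cisco
! Added example, not from the thread. Addresses, interface and VPN type are assumed.
! 203.0.113.10  = public side of the divisional ISA gateway behind this edge router
! 198.51.100.20 = ISA gateway at the remote division, its VPN peer
!
! Anti-spoofing: our own block and private/loopback space must never arrive from the Internet.
access-list 101 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
!
! Gateway-to-gateway L2TP/IPsec between the two ISA boxes: IKE (UDP 500) and ESP only.
! L2TP (UDP 1701) travels inside ESP, so it needs no separate entry.
access-list 101 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list 101 permit esp host 198.51.100.20 host 203.0.113.10
!
! Whatever the ISA gateway publishes to the Internet (assumed: a web server behind it).
! The router checks only address and port; ISA does the application-layer inspection.
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit tcp any host 203.0.113.10 eq 443
!
! Return traffic for TCP sessions initiated from inside our block.
access-list 101 permit tcp any 203.0.113.0 0.0.0.255 established
!
! Everything else stops here, logged, so the fast edge is not also a silent one.
access-list 101 deny   ip any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group 101 in
```

If the divisional gateways use PPTP instead of L2TP/IPsec, replace the two tunnel entries with a permit for TCP 1723 and for protocol GRE between the same two hosts. Note that this ACL is stateless apart from the `established` keyword, which only inspects TCP flags; that is exactly the "basic" filtering the message describes, and it is why the intelligent, stateful inspection still has to live on the ISA gateways behind it.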