RE: Connection Issue

  • From: "Quillman Shawn (RBNA/CIT1.1) *" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 29 Aug 2003 12:51:37 -0500

"... intimate with all of them."
 
Precisely my point in the discussion of resources.  The best security design
includes multiple levels of defence, but that's where the folks at the top
come in and have the opportunity to say "That's just way too costly for what we
have".  All falls into checks and balances, weighing the risks against the
gains, <insert business buzzphrase here>.
 
-Shawn
 

----- 
Shawn R. Quillman 
Robert Bosch Corporation RBNA/CIT1.1 
38000 Hills Tech Drive 
Farmington Hills, MI  48331 
(248) 553-1164 (P)     (248) 848-2855 (F) 
shawn.quillman@xxxxxxxxxxxx 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, August 29, 2003 1:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Connection Issue




Hi Shawn,
 
Good points, but from what I understand, the overwhelming majority of
firewall-related security fubars are related to misconfiguration. It's a lot
easier to fubar different systems because it takes a lot more effort to get
intimate with all of them. If you have a single platform, you can focus your
learning efforts on it.
 
However, I do see the need for "hardware" devices at the Internet edge that can
do fast filtering. If I have a fat pipe on the Internet edge, I don't want
ISA there, because it's not fast enough. It's a much more efficient design to
put a Cisco something at the edge, because it's so effective at passing
exploits at lightning speed :-)
 
Put the ISAs on the edge of the divisional LANs and use the gateway to
gateway VPN configs to join these LANs. This division of labor allows
the Internet gateway to do basic packet filtering (FWIW) and distribute the
responsibility for the intelligent firewalling at the LAN edges.
 
Centralization is efficient, but that efficiency becomes an Achilles' heel.
Distributed systems are hard to bring down completely. Centralized systems
can be brought down with a single blow.
 
:-)
 
IMHO,
Tom
 
 
Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: Friday, August 29, 2003 12:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Connection Issue


Due to obvious security issues I won't discuss the configuration of our
corporate firewalls.  However, there is quite an advantage to having a
multiple-system firewall.  A vulnerability of one system is typically not
going to be a vulnerability in another system so your protection against
attack is greatly increased with mixed systems.  ISA can handle itself, I
agree.  But if/when something does get through ISA another wall behind it
would give admins more time to react to the breach before the internal
network is compromised.  Same reason they built castles with an outer wall.
The biggest question then is how willing is your company to throw the
required resources at a multiple-system firewall?  More systems require more
money and they add a great deal of complexity to the solution.  From a pure
security standpoint it is the best solution.  You just have to weigh it
against your purse and your corporate culture.
 
-Shawn
 
