"... intimate with all of them." Precisely my point in the discussion of resources. The best security design includes multiple levels of defence, but that's where the folks at the top come in and have the opportunity to say "That's just way too costly for what we have". It all falls into checks and balances, weighing the risks against the gains, <insert business buzzphrase here>.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Friday, August 29, 2003 1:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Connection Issue

http://www.ISAserver.org

Hi Shawn,

Good points, but from what I understand, the overwhelming majority of firewall-related security fubars are related to misconfiguration. It's a lot easier to fubar different systems because it takes a lot more effort to get intimate with all of them. If you have a single platform, you can focus your learning efforts on it.

However, I do see the need for "hardware" devices at the Internet edge that can do fast filtering. If I have a fat pipe on the Internet edge, I don't want ISA there, because it's not fast enough. It's a much more efficient design to put a Cisco something at the edge, because it's so effective at passing exploits at lightning speed :-)

Put the ISAs on the edge of the divisional LANs and use the gateway-to-gateway VPN configs to join these LANs. This division of labor allows the Internet gateway to do basic packet filtering (FWIW) and distributes the responsibility for the intelligent firewalling to the LAN edges. Centralization is efficient, but that efficiency becomes an Achilles' heel. Distributed systems are hard to bring down completely. Centralized systems can be brought down with a single blow. :-)

IMHO,
Tom

Thomas W Shinder
<http://www.isaserver.org/shinder>
ISA Server and Beyond: <http://tinyurl.com/1jq1>
Configuring ISA Server: <http://tinyurl.com/1llp>

-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Friday, August 29, 2003 12:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Connection Issue

Due to obvious security issues I won't discuss the configuration of our corporate firewalls. However, there is quite an advantage to having a multiple-system firewall. A vulnerability of one system is typically not going to be a vulnerability in another system, so your protection against attack is greatly increased with mixed systems. ISA can handle itself, I agree. But if/when something does get through ISA, another wall behind it would give admins more time to react to the breach before the internal network is compromised. Same reason they built castles with an outer wall.

The biggest question then is how willing is your company to throw the required resources at a multiple-system firewall? More systems require more money and they add a great deal of complexity to the solution. From a pure security standpoint it is the best solution. You just have to weigh it against your purse and your corporate culture.
-Shawn

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------