> The thing is, "hardware" firewalls are pretty weak when it comes to true
> firewalling. The hardware firewall fans are still thinking of "opening
> ports" when the port based approach is no longer valid when it comes to
> protecting the network. You need stateful application layer inspection,
> strong user/group based authentication for all inbound and outbound
> connections, and the ability to adapt to threats based on more than the
> dumb*ss approach of "closing a port" (like the moron ISP's are using to
> DoS legitimate secure Exchange RPC connections by blocking TCP 135).

Absolutely true. However, for a business that for whatever reason cannot afford the costs associated with the top-o-the-line best firewall that ISA is, a dedicated hardware firewall is 2nd best, especially depending on what the usage will be.

Example: I just replaced an aging SonicWall Pro at a client with a new SonicWall Pro 2040. For around $1.7K, they get an easy to administer solid firewall with VPNs and easy logging without 3rd party software. For another $1K, they can get failover ISP and VPN support. This is a new feature: if the primary line goes down, the remote units will automatically fail over the active VPN tunnel to the secondary connection and the remote users never knew that a problem occurred. To equip an ISA server with similar features will be closer to $4.5K or better, and with a higher administration cost.

Now, I think everyone here knows where I stand on ISA. It is simply the top-o-the-line firewall there is. However, you do not buy a Jaguar to pull a horse trailer around a cattle ranch in the winter time. Yes, I know a while back we were able to come up with an ISA box at a penny under $2K, but that was a basic model.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You