RE: Need help with a small problem

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 18 Feb 2006 14:23:53 -0600

Hi Dave,

Thanks for the kind words about my contributions. :)

But I hope I've never given the impression that the "rip and replace"
methodology is the only one. I don't think I've ever written that it is the
way to go, and have often written, like in my articles about PIX+ISA and
Netscreen+ISA, that using the ISA firewall in concert with these other
firewalls is a viable solution.

What chaps my hide is the unihomed ISA firewall situations. They are
almost always due to Cisco dolts/bigots who are over their heads when it
comes to network security. I would never represent myself as having a
CCIE's understanding of networking and routing and their understanding of
the underlying protocols, but that understanding often stops at layer 4,
and the security problems we're encountering now are at layers 5 and
above.

Tom 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Dave May [mailto:dave.may@xxxxxxxxxxx] 
Sent: Saturday, February 18, 2006 1:11 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

http://www.ISAserver.org

First off I must agree with Ara that your contributions to the ISA community could never be overstated. I have learned much over the years lurking on this list and digesting the vast amount of information on isaserver.org. But I must disagree with the notion that having PIX'en as an edge firewall and an ISA server in outbound firewall client/cache-only mode relegates the admin to a "moron" and a "pirate".

Consider this scenario.

2 PIX 515E's in a redundant configuration were set up a few years ago as a firewall solution to replace what was originally an early rev IOS ACL based Cisco 1605R router solution. Definite improvement in every sense, but logging is still IP based and is not able to track usernames.

Add an ISA2000SE server to the mix as an outbound proxy solution behind the PIX'en and you gain an enormous amount of control over where specific users can go, and logging as to where they actually went. After spending $15K-$20K upfront plus SmartNET each year on the PIX config though, you can understand why we were unwilling to spend an additional $5K per processor to switch over to a redundant ISA EE configuration when a single SE server would suffice.

ISA dies, internal users can't surf. PIX'en die, customers can't get in. I can count on 0 fingers how many times either of the PIX'en has died (let alone both), but I don't have enough fingers to count how many times over the past 4 years I've needed to reboot the ISA server during business hours (24x7 with a 4am - 6am downwindow) because something went belly up (ISA or Windows, doesn't matter, services are down).

On the other hand, I have had it up to here with trying to deal with RPC on the PIX. Seems to me that an ideal scenario for us would be to let the PIX'en continue to be a front-end firewall to take care of the majority of the scanning/etc type attacks (and not lose the value of the investment), and create an ISA2004EE pair as a back-end firewall. We would then have a solution for DMZ->Inside traffic which understands RPC and eliminates the need for registry hacks and allowing large ranges of ports to be wide open just to get a COM+ component in the DMZ to be able to talk to the inside network (no, we're not using .NET Remoting or Web Services yet, which would make this much easier - believe me I'm trying). Not to mention it would be the perfect way to publish an upcoming Exchange 2003 OWA site. But it would also require purchasing at least an additional $10K of licensing (depending on the # of procs), plus either additional hardware or a firm commitment to virtual machines.

I very much value your knowledge and opinions, Tom, but sometimes I think you get a bit too zealous about ISA only configurations. In any case I don't believe it is fair to dismiss other products outright (either as part of an ISA solution or independent) as being inferior without taking into account individual situations. A fully redundant ISA configuration as your sole means of protection is neither a cheap nor simple investment, especially when considering the infrastructure that may already be in place. Not to mention that you aren't doing anything to increase your "defense in depth" when you have a homogeneous firewall solution...

Dave.

-----Original Message-----
From: Ara Avvali [mailto:ara.avvali@xxxxxxxxxxxxx] 
Sent: Saturday, February 18, 2006 12:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

Hi Tom,
You have done a lot for people around here so no apology is required,
especially me :). Peace :)

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, February 17, 2006 9:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

Hi Ara,

You're right, and I was over the top there. I just hit my limit
regarding the Web proxy only issue. I hear so many morons consider a
PIX or Netscreen as a network security solution and relegate the ISA
firewall to Web proxy.

Please accept my sincere apology.

Tom 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Ara Avvali [mailto:ara.avvali@xxxxxxxxxxxxx] 
Sent: Friday, February 17, 2006 6:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

Tom,
I think your statement about stealing is offensive. Not everyone who
needs a cache only server is a pirate. It is what they have on hand so
it's up to them if they use it or not.
Thanks

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, February 17, 2006 12:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

Please deploy the firewall correctly.
Only those who steal the software do web proxy only.

Sent via ISA firewall protected Exchange 2003 Windows Mobile


-----Original Message-----
From: "MJ"<mjtech@xxxxxxxxx>
Sent: 2/17/06 2:17:56 PM
To: "[ISAserver.org Discussion List]"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] Need help with a small problem

Hi all,

We are running ISA Server 2004 Standard Edition as a proxy. I understand
that if you try to play media online with Windows Media Player 9 you
could get a prompt for a user name and a password, but I thought that had
nothing to do with version 10.

I am working on it and googling it, but please, if someone has had this
issue before and got it fixed, let me know the fix.

Thanks a lot

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx