RE: RES: RE: ISA 2004 - professional opinion

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Jun 2005 11:46:54 +1000

I'm not the skirt wearin' nancy boy :p

How's the big apple?


Greg Mulholland
Clear IT
Level 10, 530 Little Collins Street
Melbourne, VIC 3000
Ph: (03) 99097411 Fax: (03) 99097091

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Wednesday, 1 June 2005 11:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Have you forwarded it on to him yet wimpo??

-----Original Message-----
From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx]
Sent: Tuesday, May 31, 2005 8:56 PM
To: ISA Mailing List
Subject: [isalist] RE: RES: RE: ISA 2004 - professional opinion

http://www.ISAserver.org


Revenge of the shind!!


Tom, I showed you the personal email describing his reasons, didn't I? Basically 
stating arguments which I can come up with myself and providing no actual 
proof, merely an opinion. What's funny is these types of people don't state that 
in their email. They try to get everyone to believe that for some magical 
reason they must be right. If people want my opinion I give it to them straight, 
whether it's good or bad. But like Jim said, you can't fight bias!! Too true


Greg Mulholland
Clear IT
Level 10, 530 Little Collins Street
Melbourne, VIC 3000
Ph: (03) 99097411 Fax: (03) 99097091

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]

Sent: Wednesday, 1 June 2005 9:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Tech Wars!!!!

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br

This message, including its attachments, is confidential and its content is 
restricted to the addressee. If you have received this message in error, please 
return it to the sender and delete it from your files. Any unauthorized use, 
copying or distribution of this message or any part of it is expressly 
prohibited. SoftSell is not responsible for the content or accuracy of this 
information.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, 31 May 2005 20:20
To: [ISAserver.org Discussion List]
Cc: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Inline...


-----Original Message-----
From: Chris Brenton [mailto:cbrenton@xxxxxxxxxxxxxxxx]
Sent: Tuesday, May 31, 2005 6:34 AM
To: firewalls@xxxxxxxxxxxxxxxxx
Subject: RE: ISA 2004 - professional opinion

Greets all,

Thought I would chime in on this.

On Thu, 2005-05-26 at 18:46, Bryan Bain wrote:
>
> On what do you base this opinion?  As a firewall, ISA 2004 is exceptional.

Please review the Bugtraq archive and reference the dozen plus vulnerabilities 
listed for the product. You'll notice two recurring themes:
1) Poor bounds checking
2) Poor data scrubbing

Not exactly what I would refer to as "exceptional", especially given the 
limited deployment of the product. Granted some of the exploits are based on 
ISA 2000, but you are talking the same code base. I'm guessing that if ISA ever 
saw the market share of a FW-1 or PIX <shudder> these numbers would be much 
higher. From what I've seen it's barely a blip on the radar.
TOM>>You are referring to ISA 2000 issues, which was a rewrite of the
Proxy 2.0 Proxy, although much closer to a firewall than Proxy 2.0, which was 
only a Web and Winsock proxy. When you say "some", that implies a minority -- 
which clearly isn't the case when discussing the ISA firewall (2004). Also, why 
do you assume the "same codebase"? Do you know the difference between the 
Firewall service and the firewall engine? What parts are loaded in user mode v. 
kernel mode? At what point the firewall engine is loaded versus the firewall 
service? Do you know if the Windows TCP/IP stack is loaded before the ISA 
firewall components? Market share is related to a misunderstanding of what the 
ISA firewall is, which most "open a port" firewall admins assume is a proxy 
server, which clearly isn't the whole story and is a canard at best. Sort of 
"flat earth" thinking. Also, are you aware of a single case where an ISA 
firewall, properly configured, has been "owned"?


> * Multi-layer firewall protection with packet, circuit and application level filtering with deep content inspection.

In other words, it's a proxy. This means it has open ports exposed to the 
Internet which permit people to interact with code running on the box.
There is zero sand boxing or code isolation as there is in similar products 
(IMHO Sidewinder is an excellent example of how to do this right), so the 
threat to the firewall itself is high. If the firewall is compromised then all 
bets are off.
TOM>>Uh, NO. It's a stateful packet inspection and application layer
inspection firewall, so it fits into the blended proxy/packet filter firewall 
class. No matter how many times people who don't understand the ISA firewall 
say it, they're never going to make the ISA firewall "just a proxy". Just like 
muttering "but it runs on Windows" doesn't make it inherently insecure.




> * High performance Web proxy and caching for fast, secure Internet access

I'm sorry but this sounds like it was yanked from the marketing material. Pull 
stats on an outbound proxy and you will see that a ton of sites now set the no 
cache option due to load balancing, scrolling banner ads, and other similar 
"features". This means that the performance benefits of an outbound proxy have 
greatly diminished over the years. 5 years ago you would see a performance 
boost, today from what I've seen in the field they actually slow down the 
"typical" Internet link.
TOM:>> That's interesting, because I find bandwidth savings of 5-10% across all 
the ISA firewall deployments, which is really impressive given the number of 
sites that do not support caching proxies. But there are many many more 
deployment options for caching firewalls than just Internet caching. One 
example is branch office deployments.




> * Integrated firewall/VPN that offers a higher level of security than a standalone RAS VPN,

So your claim is that terminating the VPN on the firewall is safer than running 
a secondary termination point? I would greatly appreciate it if you could 
publish the stats to back up this claim as everything I've seen in the field 
indicates otherwise.
TOM>>What have you *exactly* seen in the field regarding the ISA
firewall's VPN? Can you give an example of how this subverted your security 
posture *in practice*? Or, is this just another "I'm not going to get out of 
bed this AM because a piece from a falling airplane might fall on my head"? 
What is your experience with the ISA firewall's VPN service and its 
capabilities?




If everything is on one box, then whacking that box compromises the entire 
perimeter. If they are separate, you get some strong defense in-depth benefits 
like not needing to open listening ports on the primary firewall, monitoring 
traffic both in and out of the VPN gateway from a separate box, and the list 
goes on.
TOM>>I would hope there is defense in depth, and also fail over and
fault tolerance, all of which the ISA firewall supports. This "open port" 
approach to firewalls is like the application of mercurials and arsenicals in 
medicine of yesteryear. What is the real advantage of putting a stateful 
inspection-only firewall in front of the ISA firewall, which performs stateful 
inspection itself? I hear this over and over again, but ISA firewalls can 
perform the same packet inspection as other popular firewalls. However, speed 
may be an issue, so using a packet inspection only firewall in front of multiple 
perimeter firewalls is a good choke point option.



> * Firewall-level spam control with deep content inspection, along with IP, domain, and keyword filtering and attachment blocking

This is fine for tiny sites but probably a bad idea for the typical 
organization. If you later decide to change firewall products, you are also 
migrating to a new AV/spam/etc. solution as well since implementations are not 
functional across multiple firewall products.
You are better off with a dedicated gateway.
TOM:>>Why would you need only one ISA firewall? For what you'd pay for "big 
iron" "hardware" firewalls, I can deploy a fault tolerant, load balanced array 
of 5-6 ISA firewalls and beat any uptime the 50K box would give you.



> * Integration with Windows(r) Active Directory(r) services also enables administrators to apply user-level policy and authentication

This is a bad idea when it comes to VPN's. Consider what you have just done. 
Prior to installing the VPN one of your defense in-depth layers was the 
physical security of your facility. Even if you have insecure wireless AP's, 
your physical location provides some level of security as an attacker has to be 
near you to perform an attack.
TOM:>>Do you have real life examples, or even a proof of concept on how to do 
this? I hear this said often, but when challenged to show me how to do it, they 
can't. Even a proof of concept of such an attack against a properly configured 
ISA firewall would get me to change my mind on this. So, terminate the VPN on 
an ISA firewall located behind another ISA firewall, and now you "fixed" 
something that really wasn't broken in the first place.



If you integrate VPN authentication with your single sign-on solution, you have 
just made the statement "I trust the physical security of the entire Internet 
as much as I trust the physical security of my facility". In other words, you 
have removed the physical security component as a defense in-depth layer and 
have not replaced it with anything. Just because a feature exists, that does not 
mean it's a good idea to use it.
TOM>>Defense in depth is good. No arguments there. But you have to ask
yourself what real security are you adding if you just "open a port" to the 
back end ISA firewall VPN server/gateway? None. You just put a bank vault door 
in front of the ISA firewall, but it still will terminate at the ISA 
firewall/VPN server. And since there's no demonstrated attack that you can 
leverage against the ISA firewall by terminating VPN connections to it, then I 
don't see where the *real* issues are. Again, this is all "what if" stuff, 
which is a game we can play with any firewall.



> This ease of use makes ISA 2004 an ideal solution for helping to secure Windows Server(tm) 2003 networks.


First, "ease of use" and "secure" are two entirely different things.
Also, the above statement makes it sound like you feel a single firewall 
product is a good fit for any environment that meets but a single criterion 
(running Win2003). It's been my experience that every environment is different 
and therefore has a different set of requirements. One size does not fit all. 
This is one of the reasons we are blessed with a pretty diverse firewall market.
TOM>>The ISA firewall isn't the best firewall in the world, and it's not
the worst, and whether it is best or worst is related to the requirements of 
the business, not the FUD and misconceptions people have about it. I think it's 
the ideal solution for Microsoft shops, and adds virtually nothing for 
non-Microsoft shops.



> * Advanced inspection at the application protocol layer allows ISA to inspect the proprietary RPC interfaces used by Microsoft applications.

Hmm, so you think passing a proprietary application across a firewall is 
actually a good thing????
TOM>>It's impossible to secure any service against all attacks. Even *ix
services can be and are attacked. So, adding defense in depth at the firewall 
for these protocols is a good thing, including the Exchange RPC and other RPC 
services.




> To illustrate the value of this unique capability, ISA 2004's ability to enforce RPC security policy empowers an organization to take full advantage of Exchange productivity features without fear of a rogue RPC exploit compromising the messaging infrastructure.

This assumes proper bounds checking has been performed. See my first comment. 
;-)
TOM:>>I haven't seen the KB on the ISA 2004 firewall's RPC filter not 
performing proper bounds checking. Checking 
http://www.google.com/search?hl=en&lr=&q=%22Bounds+checking%22+%22ISA+server+2004%22 
shows plenty of Linux bounds checking issues, and the ISA Server 2000 H.323 
issue, but I don't see anything related to the 2004 ISA firewall.



Consider your logic here. You are claiming that this is secure because the 
company that wrote the application also wrote the firewall. If they had the 
Kung Fu to do that, then why didn't they just write RPC to be secure in the 
first place? If your logic was correct there would be no need to proxy the 
application because it would already be secure.
TOM:>>Again, the ISA firewall provides defense in depth and allows you to 
control what RPC communications move through the ISA firewall. RPC filtering 
does have value, but it does take time to understand how it's used on Microsoft 
networks and how different servers and services utilize RPCs. When and if you 
take time to learn about the ISA firewall, check out the RPC filter and how you 
can customize what RPC communications move through the ISA firewall. Very good 
feature that you can use on the edge, or on any of the perimeters demarcating 
corporate security zones.




> ISA 2004 is a much better product than was ISA 2000.  It is not just for proxy-server any longer.

ISA 2004 is still just a tool. No more, no less. Yes it has things that it is 
good at (outbound authentication of a Windows environment, internal firewall 
when the threat level is low, just to name a few). I'm certainly not saying 
that the product does not have its merits. You need to think long and hard 
however before exposing it to direct Internet access. The architecture design 
is less than optimal and the product does not exactly have the best track 
history.
TOM>>All firewalls are just tools, and the 2004 ISA firewall is a much
better tool than the ISA Server 2000 firewall. It's good to hear that you think 
the product has its merits. I can tell you that none of the over 100 
deployments of ISA firewalls I've managed as edge firewalls ever suffered from 
"edge-itis". Maybe because the ISA firewall is just a machine so it isn't 
hampered by misconceptions about itself :-)) Also, I think you're misjudging 
the ISA firewall based on what you know about ISA Server 2000. They are not the 
same, or even similar. It has a rock solid firewall architecture and there 
isn't yet a report that I'm aware of an ISA firewall that has been compromised 
when properly configured.
The point of all this isn't to say that it's the best firewall in the 
world, but it's a pretty good one, esp. for Microsoft shops, and that it fits 
on the perimeter as well as just about any firewall, depending on bandwidth 
requirements and what hardware the ISA firewall is installed on. Are there 
other great firewalls? You bet. But I never cease to be amazed by the FUD, 
misinformation, and downright wrong thinking people have about the ISA 
firewall. I guess that's why it's fun to work with it. Sort of like 
demonstrating to people that the Earth isn't flat, and that if someone is 
already bleeding, they probably don't need leeches :-)) HTH, Tom


HTH,
Chris
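The two technical threads above, the RPC filter Tom describes (deciding which RPC interfaces may cross the firewall) and the bounds-checking concern Chris raises, meet in the following added Python example. It is not ISA Server code and is not from any poster in this thread. It parses a DCE/RPC connection-oriented BIND PDU, pulls out the abstract-syntax (interface) UUIDs the client asks for, and applies a default-deny allowlist, dropping any PDU whose declared lengths and counts do not match the bytes actually present. The endpoint-mapper and NDR transfer-syntax UUIDs are the standard DCE/RPC ones; APP_IFACE, the "unknown" interface UUID and the sample PDUs are constructed for the example.

```python
"""Toy DCE/RPC BIND filter: allowlist interface UUIDs, default deny,
bounds-check every read. Added example; not ISA Server code."""
import struct
import uuid

RPC_VERS = 5
PTYPE_BIND = 11
HDR_LEN = 16        # common connection-oriented PDU header
SYNTAX_LEN = 20     # uuid (16) + version major/minor (2 + 2)
MAX_CTX = 64        # refuse absurd context counts before looping on them

# Standard DCE/RPC UUIDs.
EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")   # endpoint mapper
NDR_XFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # NDR transfer syntax
# Constructed placeholder for a line-of-business interface you choose to permit.
APP_IFACE = uuid.UUID("0f1e2d3c-4b5a-4697-8877-665544332211")

ALLOWED_IFACES = frozenset({EPM_IFACE, APP_IFACE})


class BindError(ValueError):
    """Any PDU that is not a well-formed little-endian BIND."""


def _take(buf, off, n):
    """Return buf[off:off+n] and the new offset, or raise if it would overrun."""
    if off + n > len(buf):
        raise BindError(f"truncated PDU: need {n} bytes at offset {off}, have {len(buf) - off}")
    return buf[off:off + n], off + n


def parse_bind(pdu):
    """Return (call_id, [(ctx_id, iface_uuid, (major, minor), [xfer_uuids]), ...])."""
    hdr, off = _take(pdu, 0, HDR_LEN)
    vers, _minor, ptype, _flags, drep, frag_len, auth_len, call_id = struct.unpack("<BBBB4sHHI", hdr)
    if vers != RPC_VERS:
        raise BindError(f"unsupported rpc_vers {vers}")
    if ptype != PTYPE_BIND:
        raise BindError(f"not a BIND (ptype {ptype})")
    if (drep[0] >> 4) != 1:
        raise BindError("only little-endian data representation handled here")
    if frag_len != len(pdu):
        raise BindError(f"frag_length {frag_len} does not match PDU length {len(pdu)}")
    _body, off = _take(pdu, off, 8)        # max_xmit_frag, max_recv_frag, assoc_group_id
    ctx_hdr, off = _take(pdu, off, 4)      # n_context_elem, reserved, reserved2
    n_ctx = ctx_hdr[0]
    if n_ctx == 0 or n_ctx > MAX_CTX:
        raise BindError(f"bad n_context_elem {n_ctx}")
    contexts = []
    for _ in range(n_ctx):
        elem, off = _take(pdu, off, 4)
        ctx_id, n_xfer, _res = struct.unpack("<HBB", elem)
        abs_syn, off = _take(pdu, off, SYNTAX_LEN)
        iface = uuid.UUID(bytes_le=abs_syn[:16])   # DCE UUIDs are little-endian on the wire
        version = struct.unpack("<HH", abs_syn[16:])
        xfers = []
        for _ in range(n_xfer):
            xs, off = _take(pdu, off, SYNTAX_LEN)
            xfers.append(uuid.UUID(bytes_le=xs[:16]))
        contexts.append((ctx_id, iface, version, xfers))
    trailer = 8 + auth_len if auth_len else 0  # sec_trailer + auth verifier when present
    if off + trailer != len(pdu):
        raise BindError("PDU length inconsistent with its contents")
    return call_id, contexts


def filter_bind(pdu, allowed=ALLOWED_IFACES):
    """Decide ('allow' | 'deny' | 'drop', reason) for one BIND PDU; default deny."""
    try:
        _call_id, contexts = parse_bind(pdu)
    except BindError as exc:
        return "drop", str(exc)
    denied = [str(iface) for _, iface, _, _ in contexts if iface not in allowed]
    if denied:
        return "deny", "interface not in allowlist: " + ", ".join(denied)
    return "allow", ", ".join(str(iface) for _, iface, _, _ in contexts)


def build_bind(ifaces, call_id=1):
    """Construct a BIND PDU asking for [(uuid, major, minor)] over NDR."""
    ctx = struct.pack("<BBH", len(ifaces), 0, 0)
    for ctx_id, (iface, major, minor) in enumerate(ifaces):
        ctx += struct.pack("<HBB", ctx_id, 1, 0)
        ctx += iface.bytes_le + struct.pack("<HH", major, minor)
        ctx += NDR_XFER.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHI", 5840, 5840, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", RPC_VERS, 0, PTYPE_BIND, 0x03,
                      b"\x10\x00\x00\x00", HDR_LEN + len(body), 0, call_id)
    return hdr + body


def make_samples():
    """Constructed traffic: a clean bind, a bind to an unlisted interface, two malformed PDUs."""
    good = build_bind([(EPM_IFACE, 3, 0)])
    unknown = uuid.UUID("deadbeef-0000-4000-8000-000000000001")  # constructed, not a real interface
    lying = bytearray(good)
    lying[HDR_LEN + 8] = 2          # header claims two contexts; the bytes hold only one
    return {"good": good,
            "unknown_iface": build_bind([(EPM_IFACE, 3, 0), (unknown, 1, 0)]),
            "truncated": good[:-5],
            "lying_count": bytes(lying)}


SAMPLES = make_samples()

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(f"{name:14s} -> {filter_bind(pdu)}")
```

The "lying_count" sample is the case Chris's "poor bounds checking" theme is about: the PDU's own length field is consistent, but an inner count promises more elements than the buffer holds, and a parser that trusts the count reads past the end. Here every read goes through `_take`, so the PDU is dropped with a reason rather than parsed.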





------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading Network 
Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security 
Resource Site: http://www.windowsecurity.com/ Network Security Library: 
http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tiago@xxxxxxxxxxxxxxx To unsubscribe visit 
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx



The correct technical term for haggis stalking is "havering".

