Hi Danny,

Where is the:

-- RADIUS based pre-authentication for OWA/OMA/ActiveSync/RPC over HTTP access?
-- Where is the SSL to SSL bridging feature that prevents exploits from being tunneled inside an SSL tunnel?
-- Where is the forms-based authentication that generates the form at the firewall, so as to allow for pre-authentication, session limits and attachment control?
-- Where is the per user/per group, per protocol, per server, per time of day, stateful filtering and stateful application layer inspection for VPN remote access client connections?
-- Where is the stateful application layer support for Secure Exchange RPC publishing, so that your entire organization doesn't have to upgrade to OL2003, and even if they did, where is the RPC scrubbing for the de-tunneled connections?

In addition to that, ISA does have:

-Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
as part of its HTTP Security Filter at NO extra cost or licensing restriction

-Grayware protection
ISA does have this, as part of its built-in and add only suites of application layer inspection filters

-Signature and custom Intrusion Prevention and Protection
I can use the built-in ISA firewall's IDS/IPS, add-on 3rd party IDS/IPS or use Snort.

-Anti-spam - RBL, content, etc.
You can add this on to the ISA firewall, and includes basic SMTP filtering and inspection right out of the box with its SMTP Filter and SMTP Message Screener.

-Email content and attachment blocking/filtering
The ISA firewall has this right out of the box.

-ActiveX, java, cookie, protection
Again, the ISA firewall has this right out of the box. Just configure it!

-Web URL and content filtering
The ISA firewall has this right out of the box.

-End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level options) solution
This ISA firewall also has this right out of the box, and also has VPN Quarantine support right out of the box.

-Client VPN software which includes firewall and anti-virus component
Why use proprietary VPN client software when *every version of Windows* has a VPN client built-in? Best of all, no finger pointing when something goes haywire! :)

-Traffic shaping
Not included with the ISA firewall :(

-Syslog output
ISA includes right out of the box, text logging, MSDE logging and SQL logging. Can get it to work with MySQL and Access if you like.

-Protocol authentication
Not sure what you mean, but I'll bet it's not as comprehensive as ISA's, if you mean that you can control user/group access to ALL protocols through the miracle of the Firewall client (the generic Winsock Proxy client)

-VLAN support
ISA supports this right out of the box, we're using in a couple places in product now.

-HTTPS and SSH admin access
ISA supports FIPS compliant encrypted RDP -- much more secure!

-Support & Maintenance includes virus and attack definitions
Same when we install GFI add-ons

-NAT or transparent mode
The ISA firewall supports both NAT and Route relationships. No transparent mode though, MAC exploits are too problematic from my point of view to want support for this.

You can also purchase the ISA firewall as a hardware appliance from Network Engines, RimApp and Celestix. In fact, not even Microsoft PSS can break into the Network Engines ISA hardware firewall, even when they have console access!

Fortigate does cost less, but you don't get as much either.

Thanks!
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx]
Sent: Tuesday, February 15, 2005 4:28 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Anti-virus on Exchange

http://www.MSExchange.org/

On Tue, 15 Feb 2005 15:42:34 -0600, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> http://www.MSExchange.org/
>
> Hi Danny,
>
> I prefer to use an ISA based hardware firewall, I think I get better
> protection and more secure remote access too! :)

I respect your preference, however, I find it difficult for ISA running on a Windows server to provide better protection and more secure remote access than my deployed Fortigate firewalls, which provide some of the following at little or no impact to performance (if you match your network needs to the right model):

-Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
-Grayware protection
-Signature and custom Intrusion Prevention and Protection
-Anti-spam - RBL, content, etc.
-Email content and attachment blocking/filtering
-ActiveX, java, cookie, protection
-Web URL and content filtering
-End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level options) solution
-Client VPN software which includes firewall and anti-virus component
-Traffic shaping
-Syslog output
-Protocol authentication
-VLAN support
-HTTPS and SSH admin access
-Support & Maintenance includes virus and attack definitions
-NAT or transparent mode
...etc.

The Fortigate 60 for example, is well under $600 USD including the hardware and software; it's an appliance!

(We are providing personal recommendations, and so have I in this case; I have no affiliation with Fortinet, in fact, a year ago I would not have recommended them.)
...D