RE: Anti-virus on Exchange

  • From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Feb 2005 21:53:59 -0500


Can you confirm these 60 patches for ISA server that were released last
week because there is no mention of it on


-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx] 
Sent: Tuesday, February 15, 2005 9:12 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Anti-virus on Exchange

On Tue, 15 Feb 2005 17:08:17 -0600, Thomas W Shinder
<tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
> Where is the:
> -- RADIUS based pre-authentication for OWA/OMA/ActiveSync/RPC over HTTP
> access?

RADIUS, yes. The rest is probably possible.

> -- Where is the SSL to SSL bridging feature that prevents exploits
> being tunneled inside an SSL tunnel?

If your ISA Windows box is compromised (just last week, MS released
patches for over 60 vulnerabilities - ouch!), valid SSL sessions could
be read.

> -- Where is the forms-based authentication that generates the form at
> the firewall, so as to allow for pre-authentication, session limits
> attachment control?

Haven't looked into it.  Attachment control? We block all executables.

> -- Where is the per user/per group, per protocol, per server, per time
> of day, stateful filtering and stateful application layer inspection
> VPN remote access client connections?

Done and done.

> -- Where is the stateful application layer support for Secure Exchange
> RPC publishing, so that your entire organization doesn't have to
> to OL2003, and even if they did, where is the RPC scrubbing for the
> de-tunneled connections?

What do you expect from a $500 firewall?  My initial comparison was
the BASE model Fortigate firewall.

> In addition to that, ISA does have:
> -Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
> as part of its HTTP Security Filter at NO extra cost or licensing
> restriction

Out-of-the-box, ISA 2004 scans for brand new and old viruses?  Which
engine does it use?

> -Grayware protection
> ISA does have this, as part of its built-in and add only suites of
> application layer inspection filters

Add-on, then? Who provides updates to grayware and spyware definitions?

> -Signature and custom Intrusion Prevention and Protection
> I can use the built-in ISA firewall's IDS/IPS, add-on 3rd party
> or use Snort.

Who updates ISA's IDS/IPS signatures?

> -Anti-spam - RBL, content, etc.
> You can add this on to the ISA firewall, and includes basic SMTP
> filtering and inspection right out of the box with its SMTP Filter and
> SMTP Message Screener.

A.K.A Add-on...

> -Email content and attachment blocking/filtering
> The ISA firewall has this right out of the box.

'bout time.

> -ActiveX, java, cookie, protection
> Again, the ISA firewall has this right out of the box. Just configure
> it!


> -Web URL and content filtering
> The ISA firewall has this right out of the box.


> -End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level
> options) solution
> This ISA firewall also has this right out of the box, and also has VPN
> Quarantine support right out of the box.

Sweet. How about AES256?

> -Client VPN software which includes firewall and anti-virus component
> Why use proprietary VPN client software when *every version of
> has a VPN client built-in. Best of all, no finger pointing when
> something goes haywire! :)

Microsoft has built-in anti-virus, egress and ingress stateful
firewall, and IPSec VPN support in *every version of Windows*?

> -Traffic shaping
> Not included with the ISA firewall :(

Uh oh.

> -Syslog output
> ISA includes right out of the box, text logging, MDSE logging and SQL
> logging. Can get it to work with MySQL and Access if you like.

I output to syslog running a FreeBSD box. 

> -Protocol authentication
> Not sure what you mean, but I'll bet it's not as comprehensive as
> if you mean that you can control user/group access to ALL protocols
> through the miracle of the Firewall client (the generic Winsock Proxy
> client)

LDAP, RADIUS, etc. authentication for specific protocol-based (HTTP,
etc.) access.

> -VLAN support
> ISA supports this right out of the box, we're using in a couple places
> in product now.


> -HTTPS and SSH admin access
> ISA supports FIPS compliant encrypted RDP -- much more secure!

SSH2 works well here.

> -Support & Maintenance includes virus and attack definitions
> Same when we install GFI add-ons

No add-ons necessary here. Second year maintenance is cheap; less than
half the price of unit.

> -NAT or transparent mode
> The ISA firewall supports both NAT and Route relationships. No
> transparent mode though, MAC exploits are too problematic from my
> of view to want support for this.

Fortinet has this covered in the least with IPS.

Defense in depth: NAT firewall, then a transparent one logically
behind it. Ohhh man I love it.

> You can also purchase the ISA firewall as a hardware appliance from
> Network Engines, RimApp and Celestix. In fact, not even Microsoft PSS
> can break into the Network Engines ISA hardware firewall, even when
> have console access!

Do we have to bring up how many Microsoft software vulnerabilities
were exposed just last week?  And I want my border firewall running on
what? Microsoft software?

ISA is a great product, but for my current environments is too
expensive up-front and in the long-term from a cost point of view and
a risk point of view.

> Fortigate does cost less, but you don't get as much either.

RPC(oh boy, ask the security experts about good ol' RPC)/HTTP/OWA
integrations aside, the Fortigate is not comparable in cost.


