Danny,

Can you confirm these 60 patches for ISA server that were released last week because there is no mention of it on www.microsoft.com/isaserver

Thanks
Andrew

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx]
Sent: Tuesday, February 15, 2005 9:12 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Anti-virus on Exchange

http://www.MSExchange.org/

On Tue, 15 Feb 2005 17:08:17 -0600, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
>
> Where is the:
>
> -- RADIUS based pre-authentication for OWA/OMA/ActiveSync/RPC over HTTP
> access?

RADIUS, yes. The rest is probably possible.

> -- Where is the SSL to SSL bridging feature that prevents exploits from
> being tunneled inside an SSL tunnel?

If your ISA Windows box is compromised (just last week, MS released patches for over 60 vulnerabilities - ouch!), valid SSL sessions could be read.

> -- Where is the forms-based authentication that generates the form at
> the firewall, so as to allow for pre-authentication, session limits and
> attachment control?

Haven't looked into it. Attachment control? We block all executables.

> -- Where is the per user/per group, per protocol, per server, per time
> of day, stateful filtering and stateful application layer inspection for
> VPN remote access client connections?

Done and done.

> -- Where is the stateful application layer support for Secure Exchange
> RPC publishing, so that your entire organization doesn't have to upgrade
> to OL2003, and even if they did, where is the RPC scrubbing for the
> de-tunneled connections?

What do you expect from a $500 firewall? My initial comparison was the BASE model Fortigate firewall.

> In addition to that, ISA does have:
>
> -Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
> as part of its HTTP Security Filter at NO extra cost or licensing
> restriction

Out-of-the-box, ISA 2004 scans for brand new and old viruses? Which engine does it use?

> -Grayware protection
> ISA does have this, as part of its built-in and add only suites of
> application layer inspection filters

Add-on, then? Who provides updates to grayware and spyware definitions?

> -Signature and custom Intrusion Prevention and Protection
> I can use the built-in ISA firewall's IDS/IPS, add-on 3rd party IDS/IPS
> or use Snort.

Who updates ISA's IDS/IPS signatures?

> -Anti-spam - RBL, content, etc.
> You can add this on to the ISA firewall, and includes basic SMTP
> filtering and inspection right out of the box with its SMTP Filter and
> SMTP Message Screener.

A.K.A Add-on...

> -Email content and attachment blocking/filtering
> The ISA firewall has this right out of the box.

'bout time.

> -ActiveX, java, cookie, protection
> Again, the ISA firewall has this right out of the box. Just configure
> it!

Cool.

> -Web URL and content filtering
> The ISA firewall has this right out of the box.

Cool.

> -End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level
> options) solution
> This ISA firewall also has this right out of the box, and also has VPN
> Quarantine support right out of the box.

Sweet. How about AES256?

> -Client VPN software which includes firewall and anti-virus component
> Why use proprietary VPN client software when *every version of Windows*
> has a VPN client built-in. Best of all, no finger pointing when
> something goes haywire! :)

Microsoft has built-in anti-virus, egress and ingress stateful firewall, and IPSec VPN support in *every version of Windows*?

> -Traffic shaping
> Not included with the ISA firewall :(

Uh oh.

> -Syslog output
> ISA includes right out of the box, text logging, MSDE logging and SQL
> logging. Can get it to work with MySQL and Access if you like.

I output to syslog running a FreeBSD box.

> -Protocol authentication
> Not sure what you mean, but I'll bet it's not as comprehensive as ISA's,
> if you mean that you can control user/group access to ALL protocols
> through the miracle of the Firewall client (the generic Winsock Proxy
> client)

LDAP, RADIUS, etc. authentication for specific protocol-based (HTTP, etc.) access.

> -VLAN support
> ISA supports this right out of the box, we're using in a couple places
> in product now.

Awesome.

> -HTTPS and SSH admin access
> ISA supports FIPS compliant encrypted RDP -- much more secure!

SSH2 works well here.

> -Support & Maintenance includes virus and attack definitions
> Same when we install GFI add-ons

No add-ons necessary here. Second year maintenance is cheap; less than half the price of unit.

> -NAT or transparent mode
> The ISA firewall supports both NAT and Route relationships. No
> transparent mode though, MAC exploits are too problematic from my point
> of view to want support for this.

Fortinet has this covered in the least with IPS. Defense in depth: NAT firewall, then a transparent one logically behind it. Ohhh man I love it.

> You can also purchase the ISA firewall as a hardware appliance from
> Network Engines, RimApp and Celestix. In fact, not even Microsoft PSS
> can break into the Network Engines ISA hardware firewall, even when they
> have console access!

Do we have to bring up how many Microsoft software vulnerabilities were exposed just last week? And I want my border firewall running on what? Microsoft software? ISA is a great product, but for my current environments is too expensive up-front and in the long-term from a cost point of view and a risk point of view.

> Fortigate does cost less, but you don't get as much either.

RPC(oh boy, ask the security experts about good ol' RPC)/HTTP/OWA integrations aside, the Fortigate is not comparable in cost.

Respectfully,
...D