It is 60 vulnerabilities and not 60 patches.

---- Original message ----
>Date: Tue, 15 Feb 2005 21:53:59 -0500
>From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
>Subject: [exchangelist] RE: Anti-virus on Exchange
>To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>
>http://www.MSExchange.org/
>
>Danny,
>
>Can you confirm these 60 patches for ISA server that were released last
>week because there is no mention of it on www.microsoft.com/isaserver
>
>Thanks
>Andrew
>
>
>-----Original Message-----
>From: Danny [mailto:nocmonkey@xxxxxxxxx]
>Sent: Tuesday, February 15, 2005 9:12 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Anti-virus on Exchange
>
>http://www.MSExchange.org/
>
>On Tue, 15 Feb 2005 17:08:17 -0600, Thomas W Shinder
><tshinder@xxxxxxxxxxx> wrote:
>> http://www.MSExchange.org/
>>
>> Hi Danny,
>>
>> Where is the:
>>
>> -- RADIUS based pre-authentication for OWA/OMA/ActiveSync/RPC over HTTP
>> access?
>
>RADIUS, yes. The rest is probably possible.
>
>> -- Where is the SSL to SSL bridging feature that prevents exploits from
>> being tunneled inside an SSL tunnel?
>
>If your ISA Windows box is compromised (just last week, MS released
>patches for over 60 vulnerabilities - ouch!), valid SSL sessions could
>be read.
>
>> -- Where is the forms-based authentication that generates the form at
>> the firewall, so as to allow for pre-authentication, session limits and
>> attachment control?
>
>Haven't looked into it. Attachment control? We block all executables.
>
>> -- Where is the per user/per group, per protocol, per server, per time
>> of day, stateful filtering and stateful application layer inspection for
>> VPN remote access client connections?
>
>Done and done.
>
>> -- Where is the stateful application layer support for Secure Exchange
>> RPC publishing, so that your entire organization doesn't have to upgrade
>> to OL2003, and even if they did, where is the RPC scrubbing for the
>> de-tunneled connections?
>
>What do you expect from a $500 firewall? My initial comparison was
>the BASE model Fortigate firewall.
>
>> In addition to that, ISA does have:
>>
>> -Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
>> as part of its HTTP Security Filter at NO extra cost or licensing
>> restriction
>
>Out-of-the-box, ISA 2004 scans for brand new and old viruses? Which
>engine does it use?
>
>> -Grayware protection
>> ISA does have this, as part of its built-in and add only suites of
>> application layer inspection filters
>
>Add-on, then? Who provides updates to grayware and spyware definitions?
>
>> -Signature and custom Intrusion Prevention and Protection
>> I can use the built-in ISA firewall's IDS/IPS, add-on 3rd party IDS/IPS
>> or use Snort.
>
>Who updates ISA's IDS/IPS signatures?
>
>> -Anti-spam - RBL, content, etc.
>> You can add this on to the ISA firewall, and includes basic SMTP
>> filtering and inspection right out of the box with its SMTP Filter and
>> SMTP Message Screener.
>
>A.K.A Add-on...
>
>> -Email content and attachment blocking/filtering
>> The ISA firewall has this right out of the box.
>
>'bout time.
>
>
>> -ActiveX, java, cookie, protection
>> Again, the ISA firewall has this right out of the box. Just configure
>> it!
>
>Cool.
>
>> -Web URL and content filtering
>> The ISA firewall has this right out of the box.
>
>Cool.
>
>> -End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level
>> options) solution
>> This ISA firewall also has this right out of the box, and also has VPN
>> Quarantine support right out of the box.
>
>Sweet. How about AES256?
>
>> -Client VPN software which includes firewall and anti-virus component
>> Why use proprietary VPN client software when *every version of Windows*
>> has a VPN client built-in. Best of all, no finger pointing when
>> something goes haywire! :)
>
>Microsoft has built-in anti-virus, egress and ingress stateful
>firewall, and IPSec VPN support in *every version of Windows*?
>
>> -Traffic shaping
>> Not included with the ISA firewall :(
>
>Uh oh.
>
>> -Syslog output
>> ISA includes right out of the box, text logging, MDSE logging and SQL
>> logging. Can get it to work with MySQL and Access if you like.
>
>I output to syslog running a FreeBSD box.
>
>> -Protocol authentication
>> Not sure what you mean, but I'll bet it's not as comprehensive as ISA's,
>> if you mean that you can control user/group access to ALL protocols
>> through the miracle of the Firewall client (the generic Winsock Proxy
>> client)
>
>LDAP, RADIUS, etc. authentication for specific protocol-based (HTTP,
>etc.) access.
>
>> -VLAN support
>> ISA supports this right out of the box, we're using in a couple places
>> in product now.
>
>Awesome.
>
>> -HTTPS and SSH admin access
>> ISA supports FIPS compliant encrypted RDP -- much more secure!
>
>SSH2 works well here.
>
>> -Support & Maintenance includes virus and attack definitions
>> Same when we install GFI add-ons
>
>No add-ons necessary here. Second year maintenance is cheap; less than
>half the price of unit.
>
>> -NAT or transparent mode
>> The ISA firewall supports both NAT and Route relationships. No
>> transparent mode though, MAC exploits are too problematic from my point
>> of view to want support for this.
>
>Fortinet has this covered in the least with IPS.
>
>Defense in depth: NAT firewall, then a transparent one logically
>behind it. Ohhh man I love it.
>
>> You can also purchase the ISA firewall as a hardware appliance from
>> Network Engines, RimApp and Celestix. In fact, not even Microsoft PSS
>> can break into the Network Engines ISA hardware firewall, even when they
>> have console access!
>
>Do we have to bring up how many Microsoft software vulnerabilities
>were exposed just last week? And I want my border firewall running on
>what? Microsoft software?
>
>ISA is a great product, but for my current environments is too
>expensive up-front and in the long-term from a cost point of view and
>a risk point of view.
>
>
>> Fortigate does cost less, but you don't get as much either.
>
>RPC(oh boy, ask the security experts about good ol' RPC)/HTTP/OWA
>integrations aside, the Fortigate is not comparable in cost.
>
>Respectfully,
>
>...D
>
>------------------------------------------------------
>List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
>Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
>Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
>------------------------------------------------------
>Other Internet Software Marketing Sites:
>World of Windows Networking: http://www.windowsnetworking.com
>Leading Network Software Directory: http://www.serverfiles.com
>No.1 ISA Server Resource Site: http://www.isaserver.org
>Windows Security Resource Site: http://www.windowsecurity.com/
>Network Security Library: http://www.secinf.net/
>Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>------------------------------------------------------
>You are currently subscribed to this MSEXchange.org Discussion List as:
>andrew@xxxxxxxxxxxxxxxxxxxxxx
>To unsubscribe visit
>http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
>Report abuse to listadmin@xxxxxxxxxxxxxx

Sarbjit Singh Gill
ssgill@xxxxxxxxxxxxxxxxxxxx