RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

  • From: Troy Radtke <TRadtke@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 29 Jul 2004 10:59:31 -0500

Just because there is no "just one right way" of doing something does not
mean that you should compromise with the "greater of two evils".  That would
be like going in to the doctor for a broken toe and leaving without both of
your legs.  Did it fix your problem? Yeah, you're not going to break your toe
ever again.  Is it worth it in the long run? No, I like to be able to walk
once in a while.

As far as "self-serving, elitist rhetoric" goes, I'm lost as to what you are
referring to.  I have seen companies spend upwards of $800,000+ in labor
going over records and audit trails with three-letter government agencies.
Were they smart about how they had their stuff set up?  Maybe.  Did it work
correctly?  No, apparently not.  Was it a Cisco device?  A few times.  Was it
an ISA box?  Yeah, a couple.  Was it the hardware/software that was breached?
I can confidently say no to both.  In each instance both of them did EXACTLY
what they were asked to do.  In fact, one of the times a service was used to
breach into the network, it was located on the ISA box and had absolutely NO
REASON to be there.  Needless to say, the ISA box behind it without that
service not only stopped them dead in their tracks, but weathered the
veritable storm of hacks that was thrown at it with great ease.

Last time I looked, a $750k+ ROI from adding a dedicated server is a good
thing.....  And that is how most of the real world runs, on money....
Secure, yes, fast, yes, cheap, yes...... 3 for 3 isn't bad at all....

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, July 27, 2004 1:44 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service from
the external network when the published service is running directly on the
ISA Server 2004 computer


http://www.ISAserver.org

Unscrew the top of your head and let some light in.
It's exactly this sort of self-serving, elitist rhetoric that causes folks
to feel like they "just can't do it".

There isn't and never will be "just one right way" to do something. There
are external factors that are not always controllable.

Security is and will always be a balancing act between requirements, money
and hardware resources. "Fast, Secure or cheap; choose two" is one of my
favorite quotes.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG  http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, July 27, 2004 06:31
Subject: [isalist] RE: 838376 - Cannot connect to a published service from
the external network when the published service is running directly on the
ISA Server 2004 computer


Which is why you'll never see anyone in their right mind running SBS who
expects the same level of protection as from a dedicated system.

I forwarded that e-mail from Tom to the guys at work, and the first thing
they did was say: Look at ISA! It's a piece of junk, since you've gotta do a
workaround just to make stuff even work on the box!  You never have that
problem with a PIX!

If your boss won't look at the cost justification of buying a low-end
desktop to run a service, all I have to say to any financial institution is:
how much is the cost of an FDIC audit in terms of your labor?  Pulling 50%
of the IT staff into meetings with the FBI/FDIC/Secret Service (yes, the
Secret Service is involved in these types of audits) for 2 months, along with
hiring a small army of people to produce all your audit trails for the past
7 years, is by FAR more expensive than any server that I can think of....

What I was getting at in my first e-mail is that since you can't even
install services on a PIX, you'd need to purchase or use another server
anyway, which is why you should leave things off of an ISA box and just not
even open yourself up to a service exploit.....

Troy