[isalist] Re: ASA 5500 in front of ISA 2006
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Fri, 7 Sep 2007 21:44:37 -0500
http://www.ISAserver.org
-------------------------------------------------------
Same goes for you :)
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: Friday, September 07, 2007 4:09 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ASA 5500 in front of ISA 2006
http://www.ISAserver.org
-------------------------------------------------------
I agree with Ray and also Thor. Whilst my loyalty is there I am
currently
and have been in the past involved in networks that have a significant
investment in other firewall/vpn devices. The simple reality is that
it's
just not possible to pull up stumps and re-deploy the whole front edge
of
the network without considerable planning, testing and work. Ray is not
necessarily a new kid on the block (NKOTB) around here so I think we
should
cut him some slack. Allot of people who pop up here are at times asking
our
advice on how they could utilise ISA in the current setup. I think that
shows a smart approach and we are almost preaching to the converted
there.
We should be happy and proud that people who come from the "other side
of
the tracks" as It were are able to find a place for ISA in their
network. I
know people who have expressed to me that they really like the 2006
version
of product and if they had their time over would use it in more
extensively,
but in global organisations that process doesn't happen or change
overnight.
Jim I'm not sure you intended it the way it came out or way people
interpretted so I don't need to poke you in the side but this was a
general
statement.
Greg
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On
Behalf Of Thor (Hammer of God)
Sent: Saturday, 8 September 2007 3:43 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ASA 5500 in front of ISA 2006
http://www.ISAserver.org
-------------------------------------------------------
That's not his point... his point is the "attitude" of the conversation,
not the discussion of the perception of a "hardware firewall" vs a
"software firewall." And I have to say, his points are valid as stated
IMO.
I don't think my loyalty to ISA can be questioned, yet I've got a
Netgear FVX538 in front of everything here. Not because I think a
"hardware firewall" is "better," but because it works for my
environment, and allows me to do things I want a little differently than
what I could do otherwise, even though there are aspects of its
configuration that drive me crazy.
You're absolutely right about the security of any device in any given
configuration, but we don't have conversations like that, do we?
t
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, September 07, 2007 10:30 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> The response you get is based on having to deal with the "hardware is
> more secure", "DMZ is more secure" and "more layers is more secure"
> mentality that is espoused without regard to traffic profiles or any
> "real" security need or threat mitigation (such as you yourself
> described).
>
> The point of adding a CisPixJuniBluSquid device simply on the basis of
> "that adds security" is false on the face of it. All devices or
> software solutions are equally prone to deployment and management
> fubars
> as the rest.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx]
> On Behalf Of Ray Dzek
> Sent: Friday, September 07, 2007 9:59 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> When I see posts like this, it just proves that you all have
> degenerated
> to the same level as the "ISA sucks" crowd. I would think that you
all
> would be tired of typing the same response whenever anybody asks about
> configuring ISA in a multi-firewall environment. Maybe you all have
> just created a mail rule that auto generates the "How dare you
> integrate
> any other firewall with ISA. Nothing else is worthy. Get rid of the
> other firewall, it sucks."
>
> Everybody has the hardware and environment they have to deal with. It
> is what it is. I have to deal with ISA, ASA, and Sonicwall. I like
> features and performance aspects of each. There are also plenty of
> things I can't stand about each.
>
> When I started with this list we had MS Proxy Server. It was a
> different attitude. You all have become grumpy, jaded, and yet more
> immature than ever in your old age. Congratulations... You are now
> just like any other hardware firewall e-mail list.
>
>
>
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Thursday, September 06, 2007 4:14 PM
> > To: ISA Mailing List
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > Beat me to it...
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Thursday, September 06, 2007 6:57 PM
> > To: ISA Mailing List
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > I was wondering what the ASA bug box was doing there too. Adding a
> > level
> > of complexity to help increase the risk of misconfiguration?
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Thursday, September 06, 2007 3:40 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > http://www.ISAserver.org
> > > -------------------------------------------------------
> > >
> > > Make it easy for yourself.
> > > Lose the Cisco or sell it to some unsuspecting victim.
> > > Add another NIC to ISA and create a third-leg DMZ.
> > > This way, only ISA has access to the traffic between these
> networks.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Robert Wolff
> > > Sent: Thursday, September 06, 2007 1:27 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] ASA 5500 in front of ISA 2006
> > >
> > > All,
> > >
> > >
> > >
> > > Does anyone know any tricks or have any experience with
> > > configuration in
> > > the following scenario:
> > >
> > >
> > >
> > > Inet Router => Cisco ASA firewall => DMZ => ISA 2006 Firewall
> > > =>Internal
> > > network
> > >
> > >
> > >
> > > The current network layout is just a single ISA 2006 firewall.
I'm
> > > looking to create a new DMZ segment between the ISA and ASA for
> > future
> > > web, DNS, and email servers.
> > >
> > >
> > >
> > > Inet Router => ISA 2006 Firewall => Internal Network
> > >
> > >
> > >
> > > One of the last problems I have is getting OWA to work. I can get
> > the
> > > initial login screen to appear, but after logon I get page cannot
> be
> > > displayed after several seconds of waiting.
> > >
> > >
> > >
> > > Thanks,
> > >
> > > -Bob-
> > >
> > >
> > > All mail to and from this domain is GFI-scanned.
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
