[isalist] Re: ASA 5500 in front of ISA 2006

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 8 Sep 2007 09:48:59 -0500

http://www.ISAserver.org
-------------------------------------------------------

Tim,

In general you're right. We used to be a lot more tolerant of a wide
variety of questions and I know personally that I've gotten a lot more
short fused on a number of subjects, so I'll keep that in mind in the
future.

However, it was interesting in this *specific* circumstance what was
going on here. Ray tried to hose us for being ISA only and "rip and
replace" which isn't any of our objectives. In fact, I'm on record in
many many places stating that rip and replace isn't the best way to go
-- if you have something that works, why not use it until it stops
working?

However, when we asked *why* the ASA was even there, we learned that an
ignorant (we know he's ignorant because we know now that NO regulations
require or suggest that a "hardware" FW be in front of the ISA Firewall)
or potentially corrupt auditor (we don't know if he's corrupt yet, just
a lot of circumstantial evidence) was the reason for bringing the
dreaded ASA into the ISA Firewall environment where no ASA was required
or even needed. So now I can argue two things:

* Why should I help line the pockets of an ignorant and possibly corrupt
auditor just so that he can further terrorize other customers so that
they waste money on hardware they don't require
* Bob came to us with an honest question about a problem that he's
actually having to deal with -- it wasn't Bob who was hapless and it
wasn't Bob who fell prey to the ignorant and possibly corrupt auditor,
so we should give him all the help we can and hope the ASA motherboard
dies ASAP before something bad happens.

Given the two choices, the second is best, since that's the charter of
the list.

Dude, your new girlfriend is making you kinder and gentler all the
time. Better marry her before she gets away :)

NW,
GMT

> Dude, you KNOW *I* understand, but the other side of the context is that
> even if it is a police forum, and even if we're all packing DE's, that
> doesn't mean that a Derringer won't kill you dead on the spot - it's not
> if the tombstone says "Killed by DE" or "Killed by Derringer," it's that
> you've got a tombstone at all...
> 
> What I walked away with from Ray's comment is that we could all be a bit
> more tolerant of others coming to this forum where mixed vendors and
> mixed technologies are concerned, and where our replies are "you're an
> idiot for doing that" as opposed to "here's how you would go about doing
> that, however, bear in mind that the basis for your goals (in our view)
> may be flawed because of X,Y, and Z."
> 
> That's all.  But, let me get some brown liquor in me and I'll probably
> be right on board with the rest of you crusty bastards ;)
> 
> t
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, September 07, 2007 12:37 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > 
> > But consider the context, OK?
> > 
> > It's like someone coming into a police forum and saying:
> > 
> > "I have a derringer at the front door (ASA) and I wonder how to use it
> > with my Desert Eagle .50 (ISA Firewall) in my bedroom"
> > 
> > What do you think the response is going to be?
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Friday, September 07, 2007 2:06 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > 
> > That's why you can't communicate!!! ;)
> > 
> > t
> > 
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Friday, September 07, 2007 10:55 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > Well, that was how I tried to respond, but I guess interpretation ==
> > > reality.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thor (Hammer of God)
> > > Sent: Friday, September 07, 2007 10:43 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > That's not his point... his point is the "attitude" of the
> > > conversation, not the discussion of the perception of a "hardware
> > > firewall" vs a "software firewall."  And I have to say, his points
> > > are valid as stated IMO.
> > >
> > > I don't think my loyalty to ISA can be questioned, yet I've got a
> > > Netgear FVX538 in front of everything here.  Not because I think a
> > > "hardware firewall" is "better," but because it works for my
> > > environment, and allows me to do things I want a little differently
> > > than what I could do otherwise, even though there are aspects of its
> > > configuration that drive me crazy.
> > >
> > > You're absolutely right about the security of any device in any given
> > > configuration, but we don't have conversations like that, do we?
> > > t
> > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Friday, September 07, 2007 10:30 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > >
> > > > The response you get is based on having to deal with the "hardware
> > > > is more secure", "DMZ is more secure" and "more layers is more
> > > > secure" mentality that is espoused without regard to traffic
> > > > profiles or any "real" security need or threat mitigation (such as
> > > > you yourself described).
> > > >
> > > > The point of adding a CisPixJuniBluSquid device simply on the basis
> > > > of "that adds security" is false on the face of it.  All devices or
> > > > software solutions are equally prone to deployment and management
> > > > fubars as the rest.
> > > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > > bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Ray Dzek
> > > > Sent: Friday, September 07, 2007 9:59 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > >
> > > > When I see posts like this, it just proves that you all have
> > > > degenerated to the same level as the "ISA sucks" crowd.  I would
> > > > think that you all would be tired of typing the same response
> > > > whenever anybody asks about configuring ISA in a multi-firewall
> > > > environment.  Maybe you all have just created a mail rule that auto
> > > > generates the "How dare you integrate any other firewall with ISA.
> > > > Nothing else is worthy.  Get rid of the other firewall, it sucks."
> > > >
> > > > Everybody has the hardware and environment they have to deal with.
> > > > It is what it is.  I have to deal with ISA, ASA, and Sonicwall.  I
> > > > like features and performance aspects of each.  There are also
> > > > plenty of things I can't stand about each.
> > > >
> > > > When I started with this list we had MS Proxy Server.  It was a
> > > > different attitude.  You all have become grumpy, jaded, and yet more
> > > > immature than ever in your old age.  Congratulations...  You are now
> > > > just like any other hardware firewall e-mail list.
> > > >
> > > > > -----Original Message-----
> > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > > > Sent: Thursday, September 06, 2007 4:14 PM
> > > > > To: ISA Mailing List
> > > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > > >
> > > > > Beat me to it...
> > > > >
> > > > > -----Original Message-----
> > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > > > bounce@xxxxxxxxxxxxx]
> > > > > On Behalf Of Thomas W Shinder
> > > > > Sent: Thursday, September 06, 2007 6:57 PM
> > > > > To: ISA Mailing List
> > > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > > >
> > > > > I was wondering what the ASA bug box was doing there too. Adding a
> > > > > level of complexity to help increase the risk of misconfiguration?
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > Sent: Thursday, September 06, 2007 3:40 PM
> > > > > > To: isalist@xxxxxxxxxxxxx
> > > > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > > > >
> > > > > > Make it easy for yourself.
> > > > > > Lose the Cisco or sell it to some unsuspecting victim.
> > > > > > Add another NIC to ISA and create a third-leg DMZ.
> > > > > > This way, only ISA has access to the traffic between these
> > > > > > networks.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Robert Wolff
> > > > > > Sent: Thursday, September 06, 2007 1:27 PM
> > > > > > To: isalist@xxxxxxxxxxxxx
> > > > > > Subject: [isalist] ASA 5500 in front of ISA 2006
> > > > > >
> > > > > > All,
> > > > > >
> > > > > > Does anyone know any tricks or have any experience with
> > > > > > configuration in the following scenario:
> > > > > >
> > > > > > Inet Router => Cisco ASA firewall => DMZ => ISA 2006 Firewall
> > > > > > => Internal network
> > > > > >
> > > > > > The current network layout is just a single ISA 2006 firewall.
> > > > > > I'm looking to create a new DMZ segment between the ISA and ASA
> > > > > > for future web, DNS, and email servers.
> > > > > >
> > > > > > Inet Router => ISA 2006 Firewall => Internal Network
> > > > > >
> > > > > > One of the last problems I have is getting OWA to work.  I can
> > > > > > get the initial login screen to appear, but after logon I get
> > > > > > page cannot be displayed after several seconds of waiting.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > -Bob-
> > > > > >
> > > > > > All mail to and from this domain is GFI-scanned.
> > > > ------------------------------------------------------
> > > > List Archives: //www.freelists.org/archives/isalist/
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server Articles and Tutorials:
> > > > http://www.isaserver.org/articles_tutorials/
> > > > ISA Server Blogs: http://blogs.isaserver.org/
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > > Report abuse to listadmin@xxxxxxxxxxxxx