[isalist] Re: ASA 5500 in front of ISA 2006

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 8 Sep 2007 09:56:11 -0500

http://www.ISAserver.org
-------------------------------------------------------

Greg,

I think that misses the point. No one here advocates rip and replace. We
do advocate that you get an ISA Firewall and use it with your existing
one if you want, but I've never recommended rip and replace unless
you're talking about a Blue Coat, but that's another story :)

The points here, and the ones that got lost were:

* There was an ISA Firewall already in place
* An ASA was brought in
* Bob asked how to make the ASA work with the ISA Firewall
* We asked why would they need a dreaded ASA when they already had an
eminently secure firewall
* We found out that a definitely ignorant and potentially corrupt
auditor told them to buy unnecessary hardware
* We ragged on the ignorant and potentially corrupt auditor and called
the boss a moron (or something similar)
* Ray thought we were taking a rip and replace attitude because he
missed the part about the ignorant and potentially corrupt auditor
and focused on our unwillingness to help
* We forgot about our job to help our colleagues because we got lost in
the ignorance and corruption out there regarding competitors to the ISA
Firewall

So, I think everyone here screwed up a bit, except for Bob, who was just
looking for a little help :)

IMHO,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: Friday, September 07, 2007 4:09 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> 
> I agree with Ray and also Thor. Whilst my loyalty is there I am currently
> and have been in the past involved in networks that have a significant
> investment in other firewall/vpn devices. The simple reality is that it's
> just not possible to pull up stumps and re-deploy the whole front edge of
> the network without considerable planning, testing and work. Ray is not
> necessarily a new kid on the block (NKOTB) around here so I think we should
> cut him some slack. A lot of people who pop up here are at times asking our
> advice on how they could utilise ISA in the current setup. I think that
> shows a smart approach and we are almost preaching to the converted there.
> We should be happy and proud that people who come from the "other side of
> the tracks" as it were are able to find a place for ISA in their network. I
> know people who have expressed to me that they really like the 2006 version
> of product and if they had their time over would use it more extensively,
> but in global organisations that process doesn't happen or change overnight.
> 
> Jim I'm not sure you intended it the way it came out or way people
> interpreted so I don't need to poke you in the side but this was a general
> statement.
> 
> Greg
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Saturday, 8 September 2007 3:43 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> 
> That's not his point... his point is the "attitude" of the conversation,
> not the discussion of the perception of a "hardware firewall" vs a
> "software firewall."  And I have to say, his points are valid as stated
> IMO.
> 
> I don't think my loyalty to ISA can be questioned, yet I've got a
> Netgear FVX538 in front of everything here.  Not because I think a
> "hardware firewall" is "better," but because it works for my
> environment, and allows me to do things I want a little differently than
> what I could do otherwise, even though there are aspects of its
> configuration that drive me crazy. 
> 
> You're absolutely right about the security of any device in any given
> configuration, but we don't have conversations like that, do we?
> t
> 
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, September 07, 2007 10:30 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > 
> > The response you get is based on having to deal with the "hardware is
> > more secure", "DMZ is more secure" and "more layers is more secure"
> > mentality that is espoused without regard to traffic profiles or any
> > "real" security need or threat mitigation (such as you yourself
> > described).
> > 
> > The point of adding a CisPixJuniBluSquid device simply on the basis of
> > "that adds security" is false on the face of it.  All devices or
> > software solutions are equally prone to deployment and management
> > fubars as the rest.
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx]
> > On Behalf Of Ray Dzek
> > Sent: Friday, September 07, 2007 9:59 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > 
> > When I see posts like this, it just proves that you all have
> > degenerated to the same level as the "ISA sucks" crowd.  I would think
> > that you all would be tired of typing the same response whenever anybody
> > asks about configuring ISA in a multi-firewall environment.  Maybe you
> > all have just created a mail rule that auto generates the "How dare you
> > integrate any other firewall with ISA.  Nothing else is worthy.  Get rid
> > of the other firewall, it sucks."
> > 
> > Everybody has the hardware and environment they have to deal with.  It
> > is what it is.  I have to deal with ISA, ASA, and Sonicwall.  I like
> > features and performance aspects of each.  There are also plenty of
> > things I can't stand about each.
> > 
> > When I started with this list we had MS Proxy Server.  It was a
> > different attitude.  You all have become grumpy, jaded, and yet more
> > immature than ever in your old age.  Congratulations...  You are now
> > just like any other hardware firewall e-mail list.
> > 
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > Sent: Thursday, September 06, 2007 4:14 PM
> > > To: ISA Mailing List
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > Beat me to it...
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thomas W Shinder
> > > Sent: Thursday, September 06, 2007 6:57 PM
> > > To: ISA Mailing List
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > I was wondering what the ASA bug box was doing there too. Adding a
> > > level of complexity to help increase the risk of misconfiguration?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Thursday, September 06, 2007 3:40 PM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > >
> > > > Make it easy for yourself.
> > > > Lose the Cisco or sell it to some unsuspecting victim.
> > > > Add another NIC to ISA and create a third-leg DMZ.
> > > > This way, only ISA has access to the traffic between these networks.
> > > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Robert Wolff
> > > > Sent: Thursday, September 06, 2007 1:27 PM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] ASA 5500 in front of ISA 2006
> > > >
> > > > All,
> > > >
> > > >
> > > >
> > > > Does anyone know any tricks or have any experience with
> > > > configuration in
> > > > the following scenario:
> > > >
> > > >
> > > >
> > > > Inet Router => Cisco ASA firewall => DMZ => ISA 2006 Firewall => Internal network
> > > >
> > > >
> > > >
> > > > The current network layout is just a single ISA 2006 firewall. I'm
> > > > looking to create a new DMZ segment between the ISA and ASA for future
> > > > web, DNS, and email servers.
> > > >
> > > >
> > > >
> > > > Inet Router => ISA 2006 Firewall => Internal Network
> > > >
> > > >
> > > >
> > > > One of the last problems I have is getting OWA to work. I can get the
> > > > initial login screen to appear, but after logon I get page cannot be
> > > > displayed after several seconds of waiting.
> > > >
> > > >
> > > >
> > > > Thanks,
> > > >
> > > > -Bob-
> > > >
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx