[isalist] Re: ASA 5500 in front of ISA 2006

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 8 Sep 2007 10:23:52 -0700

http://www.ISAserver.org
-------------------------------------------------------

Having a "good woman" has nothing whatsoever to do with my kind and
gentle demeanor. I've always been a "people person" and humanitarian at
heart, all on my own thank you. 

Now if you'll excuse me, I'm going to go draw her a bubble bath, pour
her a cup of tea, and play guitar for her while she soaks and
contemplates man's inhumanity to man.

t

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Saturday, September 08, 2007 8:06 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> 
> I have to disagree; if Bob hadn't come to this list for help and advice,
> we'd never have had the opportunity to wax tiresome about our general
> dislike for the same prejudicial responses offered by much of the ISA
> competition.
> 
> Bob; you should be ashamed of yourself for expecting a professional
> response from such a group.
> Go ahead, Amy - add your "what; you never listen to me?!?" in there -
> you have it coming.
> :-p
> 
> I do agree with Tom on one point; Tim is ever so much nicer since a good
> woman took hold.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Saturday, September 08, 2007 7:56 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> 
> Greg,
> 
> I think that misses the point. No one here advocates rip and replace. We
> do advocate that you get an ISA Firewall and use it with your existing
> one if you want, but I've never recommended rip and replace unless
> you're talking about a Blue Coat, but that's another story :)
> 
> The points here, and the ones that got lost were:
> 
> * There was an ISA Firewall already in place
> * An ASA was brought in
> * Bob asked how to make the ASA work with the ISA Firewall
> * We asked why would they need a dreaded ASA when they already had an
> imminently secure firewall
> * We found out that a definitely ignorant and potentially corrupt
> auditor told them to buy unnecessary hardware
> * We ragged on the ignorant and potentially corrupt auditor and called
> the boss a moron (or something similar)
> * Ray thought we were taking a rip and replace attitude because he
> missed the part about the ignorant and potentially corrupt auditor
> and focused on our unwillingness to help
> * We forgot about our job to help our colleagues because we got lost in
> the ignorance and corruption out there regarding competitors to the ISA
> Firewall
> 
> So, I think everyone here screwed up a bit, except for Bob, who was just
> looking for a little help :)
> 
> IMHO,
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> > Sent: Friday, September 07, 2007 4:09 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> >
> > I agree with Ray and also Thor. Whilst my loyalty is there I am currently
> > and have been in the past involved in networks that have a significant
> > investment in other firewall/vpn devices. The simple reality is that it's
> > just not possible to pull up stumps and re-deploy the whole front edge of
> > the network without considerable planning, testing and work. Ray is not
> > necessarily a new kid on the block (NKOTB) around here so I think we should
> > cut him some slack. A lot of people who pop up here are at times asking our
> > advice on how they could utilise ISA in the current setup. I think that
> > shows a smart approach and we are almost preaching to the converted there.
> > We should be happy and proud that people who come from the "other side of
> > the tracks" as it were are able to find a place for ISA in their network. I
> > know people who have expressed to me that they really like the 2006 version
> > of product and if they had their time over would use it more extensively,
> > but in global organisations that process doesn't happen or change overnight.
> >
> > Jim I'm not sure you intended it the way it came out or way people
> > interpreted so I don't need to poke you in the side but this was a general
> > statement.
> >
> > Greg
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> > Behalf Of Thor (Hammer of God)
> > Sent: Saturday, 8 September 2007 3:43 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> >
> > That's not his point... his point is the "attitude" of the conversation,
> > not the discussion of the perception of a "hardware firewall" vs a
> > "software firewall."  And I have to say, his points are valid as stated
> > IMO.
> >
> > I don't think my loyalty to ISA can be questioned, yet I've got a
> > Netgear FVX538 in front of everything here.  Not because I think a
> > "hardware firewall" is "better," but because it works for my
> > environment, and allows me to do things I want a little differently than
> > what I could do otherwise, even though there are aspects of its
> > configuration that drive me crazy.
> >
> > You're absolutely right about the security of any device in any given
> > configuration, but we don't have conversations like that, do we?
> > t
> >
> >
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Friday, September 07, 2007 10:30 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > The response you get is based on having to deal with the "hardware is
> > > more secure", "DMZ is more secure" and "more layers is more secure"
> > > mentality that is espoused without regard to traffic profiles or any
> > > "real" security need or threat mitigation (such as you yourself
> > > described).
> > >
> > > The point of adding a CisPixJuniBluSquid device simply on the basis of
> > > "that adds security" is false on the face of it.  All devices or
> > > software solutions are equally prone to deployment and management
> > > fubars as the rest.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Ray Dzek
> > > Sent: Friday, September 07, 2007 9:59 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > When I see posts like this, it just proves that you all have degenerated
> > > to the same level as the "ISA sucks" crowd.  I would think that you all
> > > would be tired of typing the same response whenever anybody asks about
> > > configuring ISA in a multi-firewall environment.  Maybe you all have
> > > just created a mail rule that auto generates the "How dare you integrate
> > > any other firewall with ISA.  Nothing else is worthy.  Get rid of the
> > > other firewall, it sucks."
> > >
> > > Everybody has the hardware and environment they have to deal with.  It
> > > is what it is.  I have to deal with ISA, ASA, and Sonicwall.  I like
> > > features and performance aspects of each.  There are also plenty of
> > > things I can't stand about each.
> > >
> > > When I started with this list we had MS Proxy Server.  It was a
> > > different attitude.  You all have become grumpy, jaded, and yet more
> > > immature than ever in your old age.  Congratulations...  You are now
> > > just like any other hardware firewall e-mail list.
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > > bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > > Sent: Thursday, September 06, 2007 4:14 PM
> > > > To: ISA Mailing List
> > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > >
> > > > Beat me to it...
> > > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > > > bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thomas W Shinder
> > > > Sent: Thursday, September 06, 2007 6:57 PM
> > > > To: ISA Mailing List
> > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > >
> > > > I was wondering what the ASA bug box was doing there too. Adding a level
> > > > of complexity to help increase the risk of misconfiguration?
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > Sent: Thursday, September 06, 2007 3:40 PM
> > > > > To: isalist@xxxxxxxxxxxxx
> > > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > > >
> > > > > Make it easy for yourself.
> > > > > Lose the Cisco or sell it to some unsuspecting victim.
> > > > > Add another NIC to ISA and create a third-leg DMZ.
> > > > > > This way, only ISA has access to the traffic between these networks.
> > > > >
> > > > > -----Original Message-----
> > > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > > > On Behalf Of Robert Wolff
> > > > > Sent: Thursday, September 06, 2007 1:27 PM
> > > > > To: isalist@xxxxxxxxxxxxx
> > > > > Subject: [isalist] ASA 5500 in front of ISA 2006
> > > > >
> > > > > > All,
> > > > > >
> > > > > > Does anyone know any tricks or have any experience with configuration in
> > > > > > the following scenario:
> > > > > >
> > > > > > Inet Router => Cisco ASA firewall => DMZ => ISA 2006 Firewall => Internal network
> > > > > >
> > > > > > The current network layout is just a single ISA 2006 firewall. I'm
> > > > > > looking to create a new DMZ segment between the ISA and ASA for future
> > > > > > web, DNS, and email servers.
> > > > > >
> > > > > > Inet Router => ISA 2006 Firewall => Internal Network
> > > > > >
> > > > > > One of the last problems I have is getting OWA to work. I can get the
> > > > > > initial login screen to appear, but after logon I get page cannot be
> > > > > > displayed after several seconds of waiting.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > -Bob-
> > > > >
> > > > >
> > > > > All mail to and from this domain is GFI-scanned.
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> > > All mail to and from this domain is GFI-scanned.
> > >
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> >
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts: