[isalist] Re: ASA 5500 in front of ISA 2006

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 8 Sep 2007 13:20:40 -0500

http://www.ISAserver.org
-------------------------------------------------------

A true Lothario...

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Saturday, September 08, 2007 12:24 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> 
> Having a "good woman" has nothing whatsoever to do with my kind and
> gentle demeanor. I've always been a "people person" and humanitarian at
> heart, all on my own thank you.
> 
> Now if you'll excuse me, I'm going to go draw her a bubble bath, pour
> her a cup of tea, and play guitar for her while she soaks and
> contemplates man's inhumanity to man.
> 
> t
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Saturday, September 08, 2007 8:06 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > 
> > I have to disagree; if Bob hadn't come to this list for help and advice,
> > we'd never have had the opportunity to wax tiresome about our general
> > dislike for the same prejudicial responses offered by much of the ISA
> > competition.
> >
> > Bob; you should be ashamed of yourself for expecting a professional
> > response from such a group.
> > Go ahead, Amy - add your "what; you never listen to me?!?" in there -
> > you have it coming.
> > :-p
> >
> > I do agree with Tom on one point; Tim is ever so much nicer since a good
> > woman took hold.
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Saturday, September 08, 2007 7:56 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > 
> > Greg,
> > 
> > I think that misses the point. No one here advocates rip and replace. We
> > do advocate that you get an ISA Firewall and use it with your existing
> > one if you want, but I've never recommended rip and replace unless
> > you're talking about a Blue Coat, but that's another story :)
> >
> > The points here, and the ones that got lost were:
> >
> > * There was an ISA Firewall already in place
> > * An ASA was brought in
> > * Bob asked how to make the ASA work with the ISA Firewall
> > * We asked why would they need a dreaded ASA when they already had an
> > eminently secure firewall
> > * We found out that a definitely ignorant and potentially corrupt
> > auditor told them to buy unnecessary hardware
> > * We ragged on the ignorant and potentially corrupt auditor and called
> > the boss a moron (or something similar)
> > * Ray thought we were taking a rip and replace attitude because he
> > missed the part about the ignorant and potentially corrupt auditor
> > and focused on our unwillingness to help
> > * We forgot about our job to help our colleagues because we got lost in
> > the ignorance and corruption out there regarding competitors to the ISA
> > Firewall
> >
> > So, I think everyone here screwed up a bit, except for Bob, who was just
> > looking for a little help :)
> > 
> > IMHO,
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> > > Sent: Friday, September 07, 2007 4:09 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > I agree with Ray and also Thor. Whilst my loyalty is there I am currently
> > > and have been in the past involved in networks that have a significant
> > > investment in other firewall/vpn devices. The simple reality is that it's
> > > just not possible to pull up stumps and re-deploy the whole front edge of
> > > the network without considerable planning, testing and work. Ray is not
> > > necessarily a new kid on the block (NKOTB) around here so I think we should
> > > cut him some slack. A lot of people who pop up here are at times asking our
> > > advice on how they could utilise ISA in the current setup. I think that
> > > shows a smart approach and we are almost preaching to the converted there.
> > > We should be happy and proud that people who come from the "other side of
> > > the tracks" as it were are able to find a place for ISA in their network. I
> > > know people who have expressed to me that they really like the 2006 version
> > > of the product and if they had their time over would use it more extensively,
> > > but in global organisations that process doesn't happen or change overnight.
> > >
> > > Jim I'm not sure you intended it the way it came out or the way people
> > > interpreted it so I don't need to poke you in the side but this was a general
> > > statement.
> > >
> > > Greg
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> > > Behalf Of Thor (Hammer of God)
> > > Sent: Saturday, 8 September 2007 3:43 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > That's not his point... his point is the "attitude" of the conversation,
> > > not the discussion of the perception of a "hardware firewall" vs a
> > > "software firewall."  And I have to say, his points are valid as stated
> > > IMO.
> > >
> > > I don't think my loyalty to ISA can be questioned, yet I've got a
> > > Netgear FVX538 in front of everything here.  Not because I think a
> > > "hardware firewall" is "better," but because it works for my
> > > environment, and allows me to do things I want a little differently than
> > > what I could do otherwise, even though there are aspects of its
> > > configuration that drive me crazy.
> > >
> > > You're absolutely right about the security of any device in any given
> > > configuration, but we don't have conversations like that, do we?
> > > t
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Friday, September 07, 2007 10:30 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > >
> > > > The response you get is based on having to deal with the "hardware is
> > > > more secure", "DMZ is more secure" and "more layers is more secure"
> > > > mentality that is espoused without regard to traffic profiles or any
> > > > "real" security need or threat mitigation (such as you yourself
> > > > described).
> > > >
> > > > The point of adding a CisPixJuniBluSquid device simply on the basis of
> > > > "that adds security" is false on the face of it.  All devices or
> > > > software solutions are equally prone to deployment and management
> > > > fubars as the rest.
> > > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Dzek
> > > > Sent: Friday, September 07, 2007 9:59 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > >
> > > > When I see posts like this, it just proves that you all have degenerated
> > > > to the same level as the "ISA sucks" crowd.  I would think that you all
> > > > would be tired of typing the same response whenever anybody asks about
> > > > configuring ISA in a multi-firewall environment.  Maybe you all have
> > > > just created a mail rule that auto generates the "How dare you integrate
> > > > any other firewall with ISA.  Nothing else is worthy.  Get rid of the
> > > > other firewall, it sucks."
> > > >
> > > > Everybody has the hardware and environment they have to deal with.  It
> > > > is what it is.  I have to deal with ISA, ASA, and Sonicwall.  I like
> > > > features and performance aspects of each.  There are also plenty of
> > > > things I can't stand about each.
> > > >
> > > > When I started with this list we had MS Proxy Server.  It was a
> > > > different attitude.  You all have become grumpy, jaded, and yet more
> > > > immature than ever in your old age.  Congratulations...  You are now
> > > > just like any other hardware firewall e-mail list.
> > > >
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > > > Sent: Thursday, September 06, 2007 4:14 PM
> > > > > To: ISA Mailing List
> > > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > > >
> > > > > Beat me to it...
> > > > >
> > > > > -----Original Message-----
> > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > Sent: Thursday, September 06, 2007 6:57 PM
> > > > > To: ISA Mailing List
> > > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > > >
> > > > > I was wondering what the ASA bug box was doing there too. Adding a level
> > > > > of complexity to help increase the risk of misconfiguration?
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > Sent: Thursday, September 06, 2007 3:40 PM
> > > > > > To: isalist@xxxxxxxxxxxxx
> > > > > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > > > > >
> > > > > > Make it easy for yourself.
> > > > > > Lose the Cisco or sell it to some unsuspecting victim.
> > > > > > Add another NIC to ISA and create a third-leg DMZ.
> > > > > > This way, only ISA has access to the traffic between these networks.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isalist-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Robert Wolff
> > > > > > Sent: Thursday, September 06, 2007 1:27 PM
> > > > > > To: isalist@xxxxxxxxxxxxx
> > > > > > Subject: [isalist] ASA 5500 in front of ISA 2006
> > > > > >
> > > > > > All,
> > > > > >
> > > > > > Does anyone know any tricks or have any experience with configuration in
> > > > > > the following scenario:
> > > > > >
> > > > > > Inet Router => Cisco ASA firewall => DMZ => ISA 2006 Firewall => Internal network
> > > > > >
> > > > > > The current network layout is just a single ISA 2006 firewall. I'm
> > > > > > looking to create a new DMZ segment between the ISA and ASA for future
> > > > > > web, DNS, and email servers.
> > > > > >
> > > > > > Inet Router => ISA 2006 Firewall => Internal Network
> > > > > >
> > > > > > One of the last problems I have is getting OWA to work. I can get the
> > > > > > initial login screen to appear, but after logon I get page cannot be
> > > > > > displayed after several seconds of waiting.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > -Bob-
> > > > > >
> > > > > >
> > > > > > All mail to and from this domain is GFI-scanned.
> > > > ------------------------------------------------------
> > > > List Archives: //www.freelists.org/archives/isalist/
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server Articles and Tutorials:
> > > > http://www.isaserver.org/articles_tutorials/
> > > > ISA Server Blogs: http://blogs.isaserver.org/
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > > Report abuse to listadmin@xxxxxxxxxxxxx