[isalist] Re: ASA 5500 in front of ISA 2006

From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Date: Fri, 7 Sep 2007 10:54:49 -0700
http://www.ISAserver.org
-------------------------------------------------------
  
Well, that was how I tried to respond, but I guess interpretation ==
reality.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Friday, September 07, 2007 10:43 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ASA 5500 in front of ISA 2006

http://www.ISAserver.org
-------------------------------------------------------
  
That's not his point... his point is the "attitude" of the conversation,
not the discussion of the perception of a "hardware firewall" vs a
"software firewall."  And I have to say, his points are valid as stated
IMO.

I don't think my loyalty to ISA can be questioned, yet I've got a
Netgear FVX538 in front of everything here.  Not because I think a
"hardware firewall" is "better," but because it works for my
environment, and allows me to do things I want a little differently than
what I could do otherwise, even though there are aspects of its
configuration that drive me crazy. 

You're absolutely right about the security of any device in any given
configuration, but we don't have conversations like that, do we?
t



> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, September 07, 2007 10:30 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> The response you get is based on having to deal with the "hardware is
> more secure", "DMZ is more secure" and "more layers is more secure"
> mentality that is espoused without regard to traffic profiles or any
> "real" security need or threat mitigation (such as you yourself
> described).
> 
> The point of adding a CisPixJuniBluSquid device simply on the basis of
> "that adds security" is false on the face of it.  All devices or
> software solutions are equally prone to deployment and management
> fubars
> as the rest.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx]
> On Behalf Of Ray Dzek
> Sent: Friday, September 07, 2007 9:59 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> 
> http://www.ISAserver.org
> -------------------------------------------------------
> 
> When I see posts like this, it just proves that you all have
> degenerated
> to the same level as the "ISA sucks" crowd.  I would think that you
all
> would be tired of typing the same response whenever anybody asks about
> configuring ISA in a multi-firewall environment.  Maybe you all have
> just created a mail rule that auto generates the "How dare you
> integrate
> any other firewall with ISA.  Nothing else is worthy.  Get rid of the
> other firewall, it sucks."
> 
> Everybody has the hardware and environment they have to deal with.  It
> is what it is.  I have to deal with ISA, ASA, and Sonicwall.  I like
> features and performance aspects of each.  There are also plenty of
> things I can't stand about each.
> 
> When I started with this list we had MS Proxy Server.  It was a
> different attitude.  You all have become grumpy, jaded, and yet more
> immature than ever in your old age.  Congratulations...  You are now
> just like any other hardware firewall e-mail list.
> 
> 
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Thursday, September 06, 2007 4:14 PM
> > To: ISA Mailing List
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > Beat me to it...
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Thursday, September 06, 2007 6:57 PM
> > To: ISA Mailing List
> > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > I was wondering what the ASA bug box was doing there too. Adding a
> > level
> > of complexity to help increase the risk of misconfiguration?
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Thursday, September 06, 2007 3:40 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: ASA 5500 in front of ISA 2006
> > >
> > > http://www.ISAserver.org
> > > -------------------------------------------------------
> > >
> > > Make it easy for yourself.
> > > Lose the Cisco or sell it to some unsuspecting victim.
> > > Add another NIC to ISA and create a third-leg DMZ.
> > > This way, only ISA has access to the traffic between these
> networks.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Robert Wolff
> > > Sent: Thursday, September 06, 2007 1:27 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] ASA 5500 in front of ISA 2006
> > >
> > > All,
> > >
> > >
> > >
> > > Does anyone know any tricks or have any experience with
> > > configuration in
> > > the following scenario:
> > >
> > >
> > >
> > > Inet Router => Cisco ASA firewall => DMZ => ISA 2006 Firewall
> > > =>Internal
> > > network
> > >
> > >
> > >
> > > The current network layout is just a single ISA 2006 firewall.
I'm
> > > looking to create a new DMZ segment between the ISA and ASA for
> > future
> > > web, DNS, and email servers.
> > >
> > >
> > >
> > > Inet Router => ISA 2006 Firewall => Internal Network
> > >
> > >
> > >
> > > One of the last problems I have is getting OWA to work.  I can get
> > the
> > > initial login screen to appear, but after logon I get page cannot
> be
> > > displayed after several seconds of waiting.
> > >
> > >
> > >
> > > Thanks,
> > >
> > > -Bob-
> > >
> > >
> > > All mail to and from this domain is GFI-scanned.
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 


All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx
Follow-Ups:
- [isalist] Re: ASA 5500 in front of ISA 2006
  - From: Thor (Hammer of God)
References:
- [isalist] Re: ASA 5500 in front of ISA 2006
  - From: Thomas W Shinder
- [isalist] Re: ASA 5500 in front of ISA 2006
  - From: Steve Moffat
- [isalist] Re: ASA 5500 in front of ISA 2006
  - From: Ray Dzek
- [isalist] Re: ASA 5500 in front of ISA 2006
  - From: Jim Harrison
- [isalist] Re: ASA 5500 in front of ISA 2006
  - From: Thor (Hammer of God)
[isalist] Re: ASA 5500 in front of ISA 2006

Other related posts:
