ISA 2004 CD still sitting on my desk so I won't count the errors at this point :) I do like, however, the reference to Acceleration. I guess he's not all that up on caching...

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx

_____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, September 28, 2004 11:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW: ISA Server 2004 is a pleasant security surprise

http://www.ISAserver.org

I'll send a free copy of our new ISA 2004 book to the person who can come up with the most errors in this review.

This is the kind of guy who thinks firewalling is about "opening ports"

Have fun,
Tom

-----Original Message-----
From: USEast News Service [mailto:USEastNewsService@xxxxxxxxxx]
Sent: Tuesday, September 28, 2004 8:27 AM
To: USEast News Service
Subject: ISA Server 2004 is a pleasant security surprise

ENTERPRISE WINDOWS: OLIVER RIST
Monday, September 27, 2004

ISA Server 2004 is a pleasant security surprise
Not known for getting security right, Microsoft seems to have done well this time

By Oliver Rist <mailto:oliver_rist@xxxxxxxxxxxxx>
September 24, 2004

I take a snip <http://newsletter.infoworld.com/t?ctl=8F4851:1F62787> here, make a snide remark <http://newsletter.infoworld.com/t?ctl=8F4850:1F62787> there, even endure a cheap shot <http://newsletter.infoworld.com/t?ctl=8F4852:1F62787> every so often, but for the most part, nothing happens. Microsoft and security are two things that simply don't want to mix. Such is the life of the Microsoft pundit.

But just when I'm ready to start writing about Gameboys, I get a chance to check out something new. A buddy installed Internet Security and Acceleration (ISA) Server 2004 <http://newsletter.infoworld.com/t?ctl=8F484F:1F62787> at one of his sites.
Knowing that I was nigh upon a depressive episode due to Redmond's rank security reputation, he invited me over to grope and fondle the thing for a while, luring me there with a series of comments on how pleasantly surprised he was. OK. I'm a practical man, and ISA has never been what I'd call a practical firewall, but what the heck. Worst case, he's buying beers afterward.

Well, worst case it wasn't, which is a pleasant surprise all by itself. I wasn't around for the install, but the bud said it went smoothly. What got me were the new configuration screens. Administering firewall rules is right up there with tax preparation on my list of favorite things to do, but once again, Microsoft does what it seems to do best: Concentrate on the user interface. There's a set of configuration wizards that are so simple, it's almost comical. Choose your basic network topology from a drop-down list, fill in the appropriate addressing information, and then you can open a really slick and highly visual rules editor that lets you very quickly define even complex rules based on specific users, groups, traffic types, or destination addresses among other variables.

InfoWorld's had me looking at a whole <http://newsletter.infoworld.com/t?ctl=8F484B:1F62787> bunch of <http://newsletter.infoworld.com/t?ctl=8F4854:1F62787> firewalls <http://newsletter.infoworld.com/t?ctl=8F484D:1F62787> this past year, and I've got to give credit where credit is due: This is one of the easiest and slickest firewall configuration wizards I've ever seen.

For remote offices, there's even a VPN wizard that lets remote users configure their own VPN connections as long as they have just a little basic information first. That's a big load off the central IT staff when it comes to VPN configuration, although woe unto you if some of that basic information gets out into the wild.

SharePoint Portal and Exchange are still fully supported, including their Web-based access modules.
Nothing really new here, other than configuration is a mite simpler. Active Directory is still ISA's preferred AAA source server, but the software does include hooks to outside RADIUS servers should something like Funk Steel-Belted RADIUS be more to your liking.

And for those that don't know what the "Acceleration" stands for, Redmond has actually placed some functionality in ISA that makes the inclusion of the word apt: The company has sped up ISA's payload inspection, which enables the solution to peek into a payload and decide whether the content is genuine. The capability is still limited, although it's more than what the average firewall offers. Lots of others will turn a blind eye to things like encrypted packets as long as they pass a header inspection.

I'd very much like to test ISA against something with real content-filtering chops, such as CheckPoint's SmartDefense <http://newsletter.infoworld.com/t?ctl=8F4853:1F62787> line, and see who has better success. Unfortunately, my beer-buying buddy wasn't keen on me infecting his production network for the sake of my column, so we'll need to wait on that until the editors here give me the go-ahead.

That's not my only point of concern, however. The price tag is another problem. We're talking $1,500 per CPU for this thing, and it doesn't even include anti-spam or anti-virus modules. That's a serious setback when compared against something dedicated, such as a ServGate EdgeForce Plus or Check Point Safe@Office. I'm using those two as examples because big chunks of their customers are SMBs and the standard edition of ISA 2004 certainly seems aimed at the SMB market.

The wizards are great, but any larger corporation will have too much network complexity to fit neatly enough into those dropdown parameters. They say that the enterprise edition has more flexibility muscle, but final word on that will have to wait for a real lab test.
I think ISA is an excellent SMB firewall provided you've already got an anti-spam and anti-virus solution. And you'll also need a fairly deep wallet because ISA is most likely to cost you about $3,000 for the software and another $2,800 to $4,000 for the hardware. Then again, for an IT admin who's harried for time, those wizards and tight AD integration may make every penny worthwhile.

Oliver Rist <mailto:oliver_rist@xxxxxxxxxxxxx;letters@xxxxxxxxxxxxx> is a senior contributing editor at InfoWorld.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=alist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=alist
Report abuse to listadmin@xxxxxxxxxxxxx