Re: FW: ISA Server 2004 is a pleasant security surprise

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 28 Sep 2004 08:58:54 -0700

He's also the sort of guy who believes that UI = functionality.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 28, 2004 08:09
Subject: [isalist] FW: ISA Server 2004 is a pleasant security surprise


I'll send a free copy of our new ISA 2004 book to the person who can
come up with the most errors in this review.
 
This is the kind of guy who thinks firewalling is about "opening ports"

Have fun,
Tom
 
 -----Original Message-----
From: USEast News Service [mailto:USEastNewsService@xxxxxxxxxx] 
Sent: Tuesday, September 28, 2004 8:27 AM
To: USEast News Service
Subject: ISA Server 2004 is a pleasant security surprise


ENTERPRISE WINDOWS: OLIVER RIST 
Monday, September 27, 2004 
ISA Server 2004 is a pleasant security surprise
Not known for getting security right, Microsoft seems to have done well
this time


By Oliver Rist <mailto:oliver_rist@xxxxxxxxxxxxx> September 24, 2004

I take a snip <http://newsletter.infoworld.com/t?ctl=8F4851:1F62787>
here, make a snide remark
<http://newsletter.infoworld.com/t?ctl=8F4850:1F62787>  there, even
endure a cheap shot
<http://newsletter.infoworld.com/t?ctl=8F4852:1F62787>  every so often,
but for the most part, nothing happens. Microsoft and security are two
things that simply don't want to mix. Such is the life of the Microsoft
pundit. But just when I'm ready to start writing about Gameboys, I get a
chance to check out something new. 

A buddy installed Internet Security and Acceleration (ISA) Server 2004
<http://newsletter.infoworld.com/t?ctl=8F484F:1F62787>  at one of his
sites. Knowing that I was nigh upon a depressive episode due to
Redmond's rank security reputation, he invited me over to grope and
fondle the thing for a while, luring me there with a series of comments
on how pleasantly surprised he was. OK. I'm a practical man, and ISA has
never been what I'd call a practical firewall, but what the heck. Worst
case, he's buying beers afterward. 

Well, worst case it wasn't, which is a pleasant surprise all by itself.
I wasn't around for the install, but the bud said it went smoothly. What
got me were the new configuration screens. Administering firewall rules
is right up there with tax preparation on my list of favorite things to
do, but once again, Microsoft does what it seems to do best: Concentrate
on the user interface. 

There's a set of configuration wizards that are so simple, it's almost
comical. Choose your basic network topology from a drop-down list, fill
in the appropriate addressing information, and then you can open a
really slick and highly visual rules editor that lets you very quickly
define even complex rules based on specific users, groups, traffic
types, or destination addresses among other variables. InfoWorld's had
me looking at a whole
<http://newsletter.infoworld.com/t?ctl=8F484B:1F62787>  bunch of
<http://newsletter.infoworld.com/t?ctl=8F4854:1F62787>  firewalls
<http://newsletter.infoworld.com/t?ctl=8F484D:1F62787>  this past year,
and I've got to give credit where credit is due: This is one of the
easiest and slickest firewall configuration wizards I've ever seen. 

For remote offices, there's even a VPN wizard that lets remote users
configure their own VPN connections as long as they have just a little
basic information first. That's a big load off the central IT staff when
it comes to VPN configuration, although woe unto you if some of that
basic information gets out into the wild. 

SharePoint Portal and Exchange are still fully supported, including
their Web-based access modules. Nothing really new here, other than
configuration is a mite simpler. Active Directory is still ISA's
preferred AAA source server, but the software does include hooks to
outside RADIUS servers should something like Funk Steel-Belted RADIUS be
more to your liking. 

And for those that don't know what the "Acceleration" stands for,
Redmond has actually placed some functionality in ISA that makes the
inclusion of the word apt: The company has sped up ISA's payload
inspection, which enables the solution to peek into a payload and decide
whether the content is genuine. The capability is still limited,
although it's more than what the average firewall offers. Lots of others
will turn a blind eye to things like encrypted packets as long as they
pass a header inspection. 

I'd very much like to test ISA against something with real
content-filtering chops, such as Check Point's SmartDefense
<http://newsletter.infoworld.com/t?ctl=8F4853:1F62787>  line, and see
who has better success. Unfortunately, my beer-buying buddy wasn't keen
on me infecting his production network for the sake of my column, so
we'll need to wait on that until the editors here give me the go-ahead. 

That's not my only point of concern, however. The price tag is another
problem. We're talking $1,500 per CPU for this thing, and it doesn't
even include anti-spam or anti-virus modules. That's a serious setback
when compared against something dedicated, such as a ServGate EdgeForce
Plus or Check Point Safe@Office. 

I'm using those two as examples because big chunks of their customers
are SMBs and the standard edition of ISA 2004 certainly seems aimed at
the SMB market. The wizards are great, but any larger corporation will
have too much network complexity to fit neatly enough into those
dropdown parameters. They say that the enterprise edition has more
flexibility muscle, but final word on that will have to wait for a real
lab test. 

I think ISA is an excellent SMB firewall provided you've already got an
anti-spam and anti-virus solution. And you'll also need a fairly deep
wallet because ISA is most likely to cost you about $3,000 for the
software and another $2,800 to $4,000 for the hardware. Then again, for
an IT admin who's harried for time, those wizards and tight AD
integration may make every penny worthwhile. 

Oliver Rist <mailto:oliver_rist@xxxxxxxxxxxxx;letters@xxxxxxxxxxxxx>  is
a senior contributing editor at InfoWorld.
