RE: FW: Microsoft: Many Firewalls are leaking

  • From: Troy Radtke <TRadtke@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Oct 2004 08:55:13 -0500

Hm, um, yeah..... A PIX has never been touted to do that kind of work.
Just like ISA isn't touted to run mass quantity of packets.
 
Let's review once again:
 
Use the correct tool for the job!
 
Hardware based in front of software based.  First for speed, second for
control and powerful higher layer filtering.  You don't drag race with a
dump truck, you don't haul dirt with a race car......  I'd love to discuss
how we do home banking but unfortunately little pieces of legal paper stop
me from doing that... =?P

-----Original Message-----
From: Ara Avvali [mailto:ara@xxxxxxxxxx] 
Sent: Wednesday, October 06, 2004 8:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: Microsoft: Many Firewalls are leaking


http://www.ISAserver.org


So this follows my concern on forums that you can't just trust a single
Microsoft solution and it has to be mixed with other protections.

 

 


  _____  


From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: October 6, 2004 9:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW: Microsoft: Many Firewalls are leaking

 



  _____  


From: USEast News Service [mailto:USEastNewsService@xxxxxxxxxx] 
Sent: Wednesday, October 06, 2004 7:54 AM
To: USEast News Service
Subject: Microsoft: Many Firewalls are leaking

Microsoft: Many Firewalls are leaking
By Dan Ilett, ZDNet (UK), October 5, 2004, 11:18 AM PT
URL: http://news.zdnet.com/2100-1009-5397525.html

Speaking in London on Monday at a technical briefing on the need for next
generation firewalls, Microsoft security technology architect Fred Baumhardt
outlined some of the gaps that traditional firewalls are leaving open. 

"We are all bloody lucky that something hasn't obliterated IT on earth,"
said Baumhardt. "Firewalls are like retarded routers. They just look at the
ports, sources and destinations they like. If a train comes from Gare du
Nord [Paris] to Waterloo [London] via Eurostar you allow it to enter the
country because you trust it. That's what firewalls currently do. They don't
check to see if al-Quaeda is riding inside." 

Ports allow certain types of Internet traffic to travel if they correspond
with the correct port number. For example, HTTP runs on port 80 and is often
regarded as a trusted port, and left open. In the past firewalls have often
worked on this basis, without checking the content of traffic. But Baumhardt
called for IT professionals to ensure they had better equipment. "I don't
care which vendor you get it from," he said. "I just want to see [next
generation firewall] technology in front of your network." 

Baumhardt was demonstrating Microsoft's Internet Security and Acceleration
(ISA) Server 2004. He said that traditional firewalls were failing to scan
Internet traffic deeply enough to detect malicious traffic. 

"We trust traffic on ports that we think it should be on," said Baumhardt.
"But when you do that you relay control to the security vendor. You need to
understand the traffic you are trying to block." 

Baumhardt gave the example of how many hackers use port 80 to enter a
network because it is treated as trusted traffic. He added that it was also
important to protect the network internally, not just at the perimeter. 

"We don't place devices to protect from within the internal network. But if
you don't put firewalls on chokepoints [critical areas in the network] you
won't defend your internal network." 

The latest version of ISA Server has the ability to run 1.9-gigabit
throughput, said Baumhardt, and to scan port traffic at the application
layer, which could lead to better transparency. He said it also offers VPN
and port scanning technology. 

But Baumhardt added that it was unwise to use firewalls without the support
of other security technology: "Believe it or not, Microsoft is not the
be-all and end-all of everything. We could be a platform for other things to
run on. You buy ISA so that you can complement it with SurfControl or
McAfee." 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ara@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 
