Hm, um, yeah..... A PIX has never been an touted to do that kind of work. Just like ISA isn't touted to run mass quantity of packets. Let's review once again: Use the correct tool for the job! Hardware based in front of software based. First for speed, second for control and powerful higher layer filtering. You don't drag race with a dump truck, you don't haul dirt with a race car...... I'd love to discuss how we do home banking but unfortunately little pieces of legal paper stop me from doing that... =?P -----Original Message----- From: Ara Avvali [mailto:ara@xxxxxxxxxx] Sent: Wednesday, October 06, 2004 8:40 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: FW: Microsoft: Many Firewalls are leaking http://www.ISAserver.org So this follows my concern on forums that you can't just trust a single Microsoft solution and has to be mixed with other protections _____ From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: October 6, 2004 9:34 AM To: [ISAserver.org Discussion List] Subject: [isalist] FW: Microsoft: Many Firewalls are leaking http://www.ISAserver.org _____ From: USEast News Service [mailto:USEastNewsService@xxxxxxxxxx] Sent: Wednesday, October 06, 2004 7:54 AM To: USEast News Service Subject: Microsoft: Many Firewalls are leaking Microsoft: Many Firewalls are leaking By Dan Ilett <mailto:> ZDNet <http://news.zdnet.com/redir?destUrl=http%3A%2F%2Fwww.zdnet.co.uk&edId=2&sit eId=22&oId=2102-1009-5397525&ontId=1009> (UK) October 5, 2004, 11:18 AM PT URL: http://news.zdnet.com/2100-1009-5397525.html <http://news.zdnet.com/2100-1009-5397525.html> Speaking in London on Monday at a technical briefing on the need for next generation firewalls, Microsoft security technology architect Fred Baumhardt outlined some of the gaps that traditional firewalls are leaving open. "We are all bloody lucky that something hasn't obliterated IT on earth," said Baumhardt. "Firewalls are like retarded routers. They just look at the ports, sources and destinations they like. If a train comes from Gare du Nord [Paris] to Waterloo [London] via Eurostar you allow it to enter the country because you trust it. That's what firewalls currently do. They don't check to see if al-Quaeda is riding inside." Ports allow certain types of Internet traffic to travel if they correspond with the correct port number. For example, HTTP runs on port 80 and is often regarded as a trusted port, and left open. In the past firewalls have often worked on this basis, without checking the content of traffic. But Baumhardt called for IT professionals to ensure they had better equipment. "I don't care which vendor you get it from," he said. "I just want to see [next generation firewall] technology in front of your network." Baumhardt was demonstrating Microsoft's Internet Security and Acceleration (ISA) Server 2004. He said that traditional firewalls were failing to scan Internet traffic deeply enough to detect malicious traffic. "We trust traffic on ports that we think it should be on," said Baumhardt. "But when you do that you relay control to the security vendor. You need to understand the traffic you are trying to block." Baumhardt gave the example of how many hackers use port 80 to enter a network because it is treated as trusted traffic. He added that it was also important to protect the network internally, not just at the perimeter. "We don't place devices to protect from within the internal network. But if you don't put firewalls on chokepoints [critical areas in the network] you won't defend your internal network." The latest version of ISA Server has the ability to run 1.9-gigabit throughput, said Baumhardt, and to scan port traffic at the application layer, which could lead to better transparency. He said it also offers VPN and port scanning technology. But Baumhardt added that it was unwise to use firewalls without the support of other security technology: "Believe it or not, Microsoft is not the be-all and end-all of everything. We could be a platform for other things to run on. You buy ISA so that you can complement it with SurfControl or McAfee." ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: ara@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tradtke@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx