Yes, and that's why you need the stocked liquor cabinet. Keeping all the configs functional and efficient is a paved road to cirrhosis of the liver.

It adds to security, but only in requiring a larger set of exploits. Basically it buys you time. If you have a chain firewall there are multiple levels of defense you need to get through. Same as a castle. Castle defense starts with the moat and drawbridge, going back to the barbican, battlements, inner walls, etc. Configured correctly with proper logging and alerts you should be able to detect any intrusion attempts before they reach the heart of what you're trying to protect.

Is that a strong enough argument to commit a big chunk of resources? Depends. The fact that ISA doesn't have any exploits out in the wild certainly is a credit to the product and to the product team, but I would not want to bank on that forever.

Don't get me wrong, I'm not in the "bash Microsoft because they're Microsoft" camp. For me this holds true for any product. I'm more of a "bash technology because it's human-designed" kinda guy. No product is perfect, you'll have a hard time convincing me otherwise. I personally have a hard time trusting any one product as my sole line of defense.

-Shawn

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, June 11, 2004 9:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA & Cisco...

http://www.ISAserver.org

Hi Shawn,

Exactly. The packet filter is used as a choke, which limits inbound access to "ports" (don't get me started :-) However, the ISA firewall with packet filtering enabled drops all connections not explicitly allowed, in the same way as the router with packet filters.

So, from my point of view, the packet filter in front of the ISA firewall (which has its own meaty packet filter implementation) doesn't add to security in any way, but can reduce the overall volume of traffic that the ISA firewall needs to evaluate, which can improve performance on the ISA firewall.

Thanks!
Tom

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Friday, June 11, 2004 8:28 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA & Cisco...

When I use choke routers it's to provide one more level of defense between me and "them" and they tend to be of a different manufacturer than whatever else is in the mix. Mainly it means that you have to employ multiple exploits in order to get through and probably have to stop at each point to determine what to do next. I'm of the "put 5 different machines in the chain and let's see if you can get through that without me noticing" camp :) 'Course it helps to have a decent budget when designing that type of system. Also helps to have a stocked liquor cabinet.......

My thought about "I would not feel comfortable putting an ISA firewall in without ..." is merely bias against Microsoft in general. I'll admit, before I grew up, that I was anti-Microsoft. Then I began working with everything else and now I'm just anti-technology :)

Seriously, everything has its strengths, everything has its weaknesses. It's just that not everything gets to be in the limelight.

-Shawn

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, June 11, 2004 3:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA & Cisco...

Hi Don,

I'm curious as to what kind of security you think the packet filter affords you?

I see this assumption a lot, but no one has ever explained to me how a simple packet filter like a Cisco device actually performs any level of security for the ISA firewall? I'm asking this not to be confrontational, but in the sincere wish for a cogent answer, because I have never got one other than "I would not feel comfortable putting an ISA firewall in without putting a [fill in the blank] firewall". Which is just a restatement of the original statement they made.

Thanks!
Tom

-----Original Message-----
From: Don McCall [mailto:DMcCall@xxxxxxxxxx]
Sent: Friday, June 11, 2004 2:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA & Cisco...

I would have to agree with that statement... at the same time I would be very reluctant to install a single device of either of these products... or for that matter any other... by the way I managed to get it working (NTP) for Cisco routers that sit behind my ISA that sits behind a PIX that faces the world....

Have a good weekend
Don

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, 11 June 2004 3:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA & Cisco...

There's really no comparison between the two. The Cisco device is simply a router, ISA is a firewall. If they have a routed subnet coming from their ISP, then they can use it between the ISA and the ISP. If they don't then they can use it internally to segregate a couple of subnets.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Thu, 10 Jun 2004 22:22:45 -0400 "Marvin Cummings" <marvc@xxxxxxxxxxxxxxx> wrote:

I've seen topics mentioned here in the past and now I have one where a client wants to know if their Cisco 2501 router can be used in any way with ISA?

I myself am not familiar enough with setting up Cisco devices or to answer that question therefore I suggested using ISA but I figured I'd try here for a 2nd opinion. Anyone have any docs on configuring this type of setup? I'm talking dummy proof with either pictures or detailed explanations of where everything would go. Any responses are appreciated.

Thanks

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist