RE: ISA Server is not a Firewall !!! http://www.kbalertz.com/Feedback_832659.aspx

  • From: "Quillman Shawn (RBNA/CSA1)" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 7 May 2004 11:33:33 -0400

I wish you guys wouldn't hold back so much.  It'd be so much better if
you'd just speak your mind.
(hah)

I love this list!

-Shawn 

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Friday, May 07, 2004 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Server is not a Firewall !!!
http://www.kbalertz.com/Feedback_832659.aspx

http://www.ISAserver.org


No, that is not what he is saying. He is saying that if one has enabled IP
spoof detection, then it really does not do you any good to be notified of
it as the traffic is being blocked and finding out that IP 192.168.1.1
spoofed you does not do you any good.

Further, he is saying that the possibility of dropped packets is only an
issue when you have multiple ext inf's, which is not supported.

Lastly, even with spoof detection disabled, the packets would most likely be
blocked anyway if they were actual attacks due to the nature of the attack
(spoofed or not) unless you have selected the "Turn off ISA functions and
convert this box into a router because I think it should be like that la,
la, la" checkbox.

The bottom line here is "get over it."

t


----- Original Message ----- 
From: "Jay" <jschwarzkopf@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, May 07, 2004 5:34 AM
Subject: [isalist] RE: ISA Server is not a Firewall !!!
http://www.kbalertz.com/Feedback_832659.aspx


> Do you mean that ISA blocks spoofed IP traffic, even if IP Spoof Detection
> is disabled?
>
>
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, May 07, 2004 8:00 AM
> Subject: [isalist] RE: ISA Server is not a Firewall !!!
> http://www.kbalertz.com/Feedback_832659.aspx
>
>
> Hi Idan,
>
> This has been a known issue on the ISA Server message boards and by me
> for at least three years. What I don't understand is why someone would
> configure multiple external interfaces in this fashion, since it's an
> unsupported configuration. You can search Usenet and this mailing list,
> as well as the ISAserver.org message boards for "multiple external
> interfaces" and you'll see NO NO NO NO NO. Why in the world would you
> have two NICs on the same network segment and have one for inbound and
> one for outbound? OK, NLB scenarios, in which case you might want to
> consider a real NLB solution like RainWall :-)
>
> However, why am I concerned about spoof detection? The spoofed packets
> are blocked anyhow, so what value is there to me knowing about it? I get
> hundreds, thousands, tens of thousands of exploit packets sent to my
> wimpy T1 and DSL connections here at my office. For the enterprise,
> they get millions of these exploits. Do you think they have time to work
> up every exploit packet hitting the edge firewall? They don't have the
> time, nor do they need to spend the time.
>
> Sure, it would be nice if the spoof detection feature didn't act this
> way, but I don't see it as a significant, or even minor problem. It would
> be a problem if I needed this information and if the lack of this
> information had a deleterious effect, but I don't see how it does. If
> you see a spoof detected on the external interface of your ISA firewall,
> what are you going to do about it? Contact the ISP of the sender? ;-)
>
> Thanks!
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA 2004 Beta - Get it now!
> http://www.microsoft.com/isaserver/beta/default.asp
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
>
>
>
> -----Original Message-----
> From: Idan Plotnik [mailto:idan@xxxxxxxxxxxxxxx]
> Sent: Friday, May 07, 2004 6:46 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Server is not a Firewall !!!
> http://www.kbalertz.com/Feedback_832659.aspx
>
>
> Hi Thomas,
>
> Yesterday I came back from TechEd in Israel. I believe in the way
> Microsoft works and I am working a lot with Microsoft products; in
> addition I am doing some work for Microsoft, but this issue is not
> relevant to my work. I mean that this kind of bug must be discovered
> before the product goes to market and not after 2 or 3
> years!!! Don't you agree with me? Tell me something else, do you think
> it is reasonable to disable the IP Spoof Detection option on a
> FIREWALL???!!!!???!!!! To enable another function to work properly????
>
> And by the way!!! A good Firewall must include good router
> functions!!! It's not a separate function. When I read your line "but
> since you've confused firewalls with routers" I laugh because it's not a
> good way of thinking!!! There are a lot of people who think that a
> Firewall just blocks ports or protocols, and it's not true.
>
> Thanks and have a good day.
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Friday, May 07, 2004 1:00 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Server is not a Firewall !!!
> http://www.kbalertz.com/Feedback_832659.aspx
>
> Hi Idan,
>
> It's a good thing no other firewalls have any issues :-\
>
> This is the first time I've done this on this list, but since you've
> confused firewalls with routers, I have to say PLONK.
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA 2004 Beta - Get it now!
> http://www.microsoft.com/isaserver/beta/default.asp
> ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server:
> http://tinyurl.com/1llp
>
>
> -----Original Message-----
> From: Idan Plotnik [mailto:idan@xxxxxxxxxxxxxxx]
> Sent: Friday, May 07, 2004 5:57 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] ISA Server is not a Firewall !!!
> http://www.kbalertz.com/Feedback_832659.aspx
>
>
> Hi all,
> I don't know if I need to laugh or to cry about this!!!
> This issue closed my opinion about ISA 2000, and my opinion about ISA
> 2000 is that it's not a firewall !!!
> Does someone have something to say about this?
> 832659 - The IP Spoof Detection feature in ISA Server 2000 may drop
> legal packets on systems that have multiple external interfaces
> Thanx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
thor@xxxxxxxxxxxxxxx
> To unsubscribe send a blank email to
$subst('Email.Unsub')
>

