RE: ISA Server is not a Firewall !!! http://www.kbalertz.com/Feedback_832659.aspx

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 7 May 2004 07:00:51 -0500

Hi Idan,

This has been a known issue on the ISA Server message boards and by me
for at least three years. What I don't understand is why someone would
configure multiple external interfaces in this fashion, since it's an
unsupported configuration. You can search Usenet and this mailing list,
as well as the ISAserver.org message boards for "multiple external
interfaces" and you'll see NO NO NO NO NO. Why in the world would you
have two NICs on the same network segment and have one for inbound and
one for outbound? OK, NLB scenarios, in which case you might want to
consider a real NLB solution like RainWall :-)

However, why am I concerned about spoof detection? The spoofed packets
are blocked anyhow, so what value is there to me knowing about it? I get
hundreds, thousands, tens of thousands of exploit packets sent to my
wimpy T1 and DSL connections here at my office. For the enterprise,
they get millions of these exploits. Do you think they have time to work
up every exploit packet hitting the edge firewall? They don't have the
time, nor do they need to spend the time. 

Sure, it would be nice if the spoof detection feature didn't act this
way, but I don't see it as a significant, or even minor problem. It would
be a problem if I needed this information and if the lack of this
information had a deleterious effect, but I don't see how it does. If
you see a spoof detected on the external interface of your ISA firewall,
what are you going to do about it? Contact the ISP of the sender? ;-)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Idan Plotnik [mailto:idan@xxxxxxxxxxxxxxx] 
Sent: Friday, May 07, 2004 6:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Server is not a Firewall !!!
http://www.kbalertz.com/Feedback_832659.aspx


http://www.ISAserver.org

Hi Thomas,

Yesterday I came back from TechEd in Israel. I believe in the way
Microsoft works and I work a lot with Microsoft products; in
addition I am doing some work for Microsoft, but this issue is not
relevant to my work. I mean that this kind of bug must be discovered
before the product goes to market and not after 2 or 3
years!!! Don't you agree with me? Tell me something else, do you think
it is reasonable to disable the IP Spoof Detection option on a
FIREWALL???!!!!???!!!! To enable another function to work properly????

And by the way!!! A good firewall must include good router
functions!!! It's not a separate function. When I read your line "but
since you've confused firewalls with routers" I laughed because it's not a
good way of thinking!!! There are a lot of people who think that
a firewall just blocks ports or protocols, and it's not true.

Thanks and have a good day.


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, May 07, 2004 1:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Server is not a Firewall !!!
http://www.kbalertz.com/Feedback_832659.aspx


Hi Idan,

It's a good thing no other firewalls have any issues :-\

This is the first time I've done this on this list, but since you've
confused firewalls with routers, I have to say PLONK.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp


-----Original Message-----
From: Idan Plotnik [mailto:idan@xxxxxxxxxxxxxxx]
Sent: Friday, May 07, 2004 5:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA Server is not a Firewall !!!
http://www.kbalertz.com/Feedback_832659.aspx



Hi all,
I don't know if I need to laugh or to cry about this!!!
This issue closed my opinion about ISA 2000, and my opinion about ISA
2000 is that it's not a firewall !!!
Does anyone have something to say about this?
832659 - The IP Spoof Detection feature in ISA Server 2000 may drop
legal packets on systems that have multiple external interfaces
Thanks

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')

