True enough (and I do the same). What I should have said was "to the Internet".

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Mon 10/10/2005 1:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA smarter than Checkpoint

http://www.ISAserver.org

Hey Jim,

How about multiple internal networks, where you've segmented the Networks physically using ISA? Works OK for me.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, October 10, 2005 3:24 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] ISA smarter than Checkpoint

I hate to sound negative, but anyone allowing file shares or GPO access across a firewall deserves the heartache they get. There are just too many other options to this mechanism.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Mon 10/10/2005 12:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA smarter than Checkpoint

I usually try not to compare ISA and Checkpoint, because CP is a darned good firewall, and you pay the price for it. It's not like the PIX, which is about as secure as the US Social Security system.

But, thought you might want a nice ISA pat on the back on this one:

** Check Point Vulnerability Expanded
By Russ Cooper

* Hacking/Denial of Service - Check Point SecurePlatform NGX Firewall Rules Bypass Vulnerability (Intellishield ID: 9706):

This warning has been reissued to add additional impacted products. Initially reported was Check Point SecurePlatform NGX R60 Build 244 and prior. Now added to that list: VPN-1/FireWall-1 versions NG AI, 4.1 and NG; VPN-1 VSX version NG AI; and Provider-1 versions NG AI and NG.

The rule supplied with the Firewall product to handle "CIFS" traffic is equivalent to "ANY," in that it actually allows any traffic to/from the source/destination addresses added to the rule. CIFS is a file sharing protocol used by Windows systems which permits SMB over TCP. The rule permits CIFS as well as some legacy NetBIOS traffic. A proper CIFS rule should limit traffic to port 445. While no patch has yet been provided by Check Point, anyone needing this rule group can create a custom group of their own limiting what traffic is allowed.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
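
An added example, not part of the thread and not Check Point or ISA tooling: a small audit that compares a named service group against the ports it is supposed to cover, using the advisory's statement that a proper CIFS rule is limited to port 445. The `Member` model, the `EXPECTED` baseline and the sample groups are constructed assumptions, not any product's rule format.

```python
from dataclasses import dataclass

# Baseline of what a named service should cover. The advisory quoted above
# says a proper CIFS rule is limited to port 445 (SMB over TCP).
EXPECTED = {"CIFS": {("tcp", 445)}}


@dataclass(frozen=True)
class Member:
    proto: str  # "tcp", "udp" or "any"
    low: int    # first port in the range
    high: int   # last port in the range


def audit_group(name, members):
    """Return (kind, detail) findings for one service group.

    Kinds: "any-equivalent", "extra", "missing", "no-baseline".
    """
    allowed = EXPECTED.get(name.upper())
    if allowed is None:
        return [("no-baseline", name)]
    findings, covered = [], set()
    for m in members:
        label = f"{m.proto}/{m.low}-{m.high}"
        protos = ("tcp", "udp") if m.proto == "any" else (m.proto,)
        # Expected (proto, port) pairs that this member actually covers.
        hits = {(p, port) for p in protos for (q, port) in allowed
                if p == q and m.low <= port <= m.high}
        covered |= hits
        width = (m.high - m.low + 1) * len(protos)
        if m.low <= 1 and m.high >= 65535:
            findings.append(("any-equivalent", label))  # whole port space
        elif width > len(hits):
            findings.append(("extra", label))  # opens ports beyond the baseline
    for proto, port in sorted(allowed - covered):
        findings.append(("missing", f"{proto}/{port}"))
    return findings


# Constructed sample groups (hypothetical; not exported from any product).
ANY_EQUIVALENT = [Member("any", 0, 65535)]
LEGACY_MIX = [Member("tcp", 445, 445), Member("udp", 137, 138), Member("tcp", 139, 139)]
CUSTOM_STRICT = [Member("tcp", 445, 445)]

if __name__ == "__main__":
    for title, group in [("any-equivalent", ANY_EQUIVALENT),
                         ("legacy mix", LEGACY_MIX), ("custom strict", CUSTOM_STRICT)]:
        print(title, audit_group("CIFS", group))
```

Only the custom group restricted to TCP 445 comes back with no findings; the other two are reported as any-equivalent and as carrying extra NetBIOS-range members.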