Hi Ray,

Nice analysis, and I especially appreciate the kind words about the list. The ISAServer.org Web site and boards are the same way. Lots of people there helping other people, and flames are almost non-existent.

I think if you have a primarily MS shop, and if you need to allow remote access to MS network services (Exchange, SharePoint, VPN, etc.), then ISA is the ideal firewall, whether it's at the edge of the departmental LAN or the edge of the entire network. If there is one thing that limits its overall general appeal, it is its LAT-based architecture. However, if you practice good defense in depth, this is almost a non-issue.

You're right about mixed environments. The firewall client is one of the most compelling reasons to use ISA because it gives you the greatest flexibility and control. The firewall client is also completely transparent and has never broken a single app I know of. However, DNS resolution issues are a real problem for those who don't understand them, and the firewall client is dependent on name resolution.

All in all, I like ISA and I like the people who work with it :-)

Thanks!
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Tuesday, October 14, 2003 12:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Interesting Article Found In Linux Users & Developer

AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS: http://www.isaserver.org/thawte/

MS Hype vs. OS Hype. Who wins? Depends on your point of view.

I work with both MS and OS products in my environment. I find ISA to have most of the "problems" listed, but none of them have ever been acute or chronic. My own personal experiences with Squid have been reasonably pleasant, but I am a Linux neophyte and do not *yet* trust myself to properly run a secured Linux-based PC as my border gateway. On the other hand, I have been running dual-homed NT boxes for years with no problems whatsoever.
You can DDoS them to death, but you can't traverse them unless you've done something really silly, which applies to any product. There have been plenty of attempts. I know this because we use Snort (open source) to detect intrusion attempts. The email from the ISA list was scanned by SpamAssassin, another excellent open source spam detection product, which runs in conjunction with Postfix, an open source MTA.

Does this mean I am anti-MS? Not at all. I am certainly in NO rush to start replacing desktops with Lindows, or any variant thereof. ISA does what we need it to do. In a "typical" medium to small business that is probably all MS desktops anyway, ISA is probably a very good fit. But in mixed environments, such as mine, with mixed Linux, Unix, Mac, and MS-based PCs, ISA's appeal starts to fade. But I have certainly found certain niches within my IT structure where OS is a very good fit.

Frankly, I am sick to death of having to reboot production MS servers after hours all the freakin' time for the exploit du jour. On my Linux boxes, I simply recompile the binary and restart the service and I'm done. I can do it any time and almost always do so without the users having a clue it was done.

As far as tech support goes, I typically get better and faster response on the OS side than I ever do with any MS product, with the exception of this group. And I sincerely mean that. The ISA support list is truly awesome. Which, quite frankly, is one of the compelling reasons why I have not been in a hurry to try anything else.

Then there is the learning curve of setting up an OS solution. You have to gather all the components together and hope that somebody has written a "how-to" that is actually legible and without important steps missing (the how-tos have a bad habit of assuming you know certain things and leaving out critical tweaks to the operating system, or which file permissions need to be set, etc.).
And so now you have a working system, but you really don't understand how or why it works, because the entire project was just "paint by numbers" from somebody else's experience. (This was the most frustrating part for me when setting up SpamAssassin. But I had no budget and we were suddenly getting over 30,000 spam a month.) But a dyed-in-the-wool Unix person would probably find setting up ISA just as frustrating.

From a security standpoint, which is what it really all boils down to, I have never read about, or heard about, a properly configured ISA box that has been broken into or through. In spite of all the MS bashing and security Chicken Littles out there, ISA has stood its ground just fine.

Anyway... is ISA a fit for everybody? No. Is an Open Source solution to ISA a fit for everybody? No.

----- Original Message -----
From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 14, 2003 8:34 AM
Subject: [isalist] Interesting Article Found In Linux Users & Developer

> Any comments??
>
> From a personal experience I find MS ISA brilliant, does everything I want
> and more, and I haven't had all these troubles they mention in this article.
> Apologies for quality, just quickly OCR'd it.
>
> OPEN FOR BUSINESS
>
> Had enough of Microsoft? Open For Business is our monthly look at how
> any business can replace proprietary software with open source
> alternatives.
>
> Replacing ISA
>
> By adopting open source software you can slash costs, vastly improve
> speed and reliability and, perhaps even more importantly, wrest control
> back from proprietary IT suppliers.
>
> In this month's column we look at providing secure, fast and reliable
> Internet access for your business. We will be replacing a widely used,
> yet heavily criticised Microsoft product, Internet Security and
> Acceleration server (ISA).
> It elucidates on the case study of Aquatint Printing on page 44, where
> much the same task was undertaken.
>
> ISA LOAD OF TROUBLE
>
> ISA refers to Internet Security and Acceleration server. Replacing it
> with an open source alternative is not only simple and easy to do - it
> will also save your business a huge amount of money and save your IT
> staff's time and stress levels.
>
> Add in vastly improved business functionality, performance, speed and
> reliability, and there's no reason not to change over.
>
> Microsoft describe ISA as "an extensible, multilayer, enterprise
> firewall and Web cache that helps provide secure, fast, and manageable
> Internet connectivity".
>
> Sounds great, doesn't it? Unfortunately, the reality does not match the
> marketing. Let's be kind and leave aside how expensive deploying ISA is.
> However, a simple Google search brings up a huge list of reported
> problems, problems that any honest systems administrator will instantly
> confirm. They include:
>
> [Screenshot of the ISA Server setup menu; caption: Microsoft's Internet
> Security and Acceleration server has been known to drive people mad -
> open source provides a much-needed alternative]
>
> * Installation problems
> * Spurious reboots needed to fix cranky behaviour
> * Traffic redirected to the wrong websites
> * Classic Microsoft reformat and reinstall needed for fixes
> * Reports not generated
> * Authentication problems
> * Poor performance and worse scalability
> * Users not being able to connect when they should
> ... and more!
>
> ISA also locks you into a Microsoft-only infrastructure. That's fine if
> you trust their future plans for your business and are happy with the
> amount you're paying in license and compliance fees. But if you would
> like to get off that treadmill, open source is the only way to go.
> What's involved
>
> Providing Internet access for a network is quite different from
> providing it for a single machine. On a single machine you attach a
> modem. For a network you have to have a dedicated machine (called a
> proxy server) that goes online on behalf of any machine on the network.
> It grabs the requested content and then passes it to the machine that
> asked for it.
>
> Most good proxy servers will also save a local copy of the content
> (known as 'caching') so that only changes to the content need be
> downloaded in future. If your users look at some sites frequently,
> caching gives big savings on your bandwidth needs whilst also
> dramatically improving browsing speeds.
>
> Providing secure access for a network is generally done with a firewall.
> Firewall is a hugely misunderstood and ambiguous term - it can trigger
> religious wars amongst security experts. You'll be relieved to hear
> that for the sake of this article we're not going to join in and merely
> understand it to be a box you plug in to protect your network from bad
> things out there on the Internet.
>
> Open source
>
> We'll use Linux as our underlying operating system. On top of this
> we'll be layering some of the open source world's leading projects, all
> best of breed, and all included in the unbeatable purchase price (zero!)
> of your Linux system.
>
> The proxying and caching is provided by Squid. Squid is almost
> certainly what your own ISP uses (ask them!). Why? Because it's the
> best. It's hugely reliable, tunable, and faster than anything else out
> there. It will do distributed and hierarchical caching (that is, several
> machines running Squid co-operate and share cached content) both within
> your network and/or with any of the global community of Squid users.
> Its scalability is superb - serving a network of a thousand users will
> take four or five ISA servers. Squid needs just one, or two if you want
> to go way over the top on resilience.
>
> The firewall is provided by netfilter, Linux's next-generation packet
> filtering and stateful inspection engine. That mouthful of jargon
> simply means it inspects incoming and outgoing information and decides
> whether to pass it on or not - thus protecting your business from
> unauthorised access, illegal attacks (including well known attacks on
> your other Microsoft software), worms, trojans, etc.
>
> In fact whatever you've read a proprietary firewall can do, netfilter
> does, and then some more. Better than this, it has an open, modular
> architecture. Modules for pretty much any security feature you can think
> of are available (such as application-layer filtering, load-balancing,
> etc.), enabling you to intercept, analyse or modify any protocol over
> any port.
>
> Your Open Source Security & Internet Access server (as we're going to
> call it) is completed with the addition of SpamAssassin for email
> filtering, Snort for intrusion detection, ntop for reporting, and
> Webmin for any-platform GUI administration.
>
> You now have a system that beats Microsoft ISA on every score with no
> purchase costs or extortionate licensing fees every year. And it's
> future proof. When the next version is available, you simply update the
> modules you need. You don't need to do the Microsoft thing and buy it
> all again and also buy a new, faster, bigger machine to run it on. This
> might be great business for Microsoft and Intel but expensive and
> disruptive for you. Those days are now gone!
> ISA vs OPEN SOURCE
>
>   Feature                        Microsoft ISA   Linux
>   -----------------------------  --------------  ------
>   Easy GUI Configuration         ✓               ✓
>   Access Control                 ✓               ✓
>   Content Caching                ✓               ✓
>   Email Filtering                ✓               ✓
>   Free Upgrades                  ✗               ✓
>   Firewall Firmware Based        ✗               ✗
>   Speed/Reliability/Scalability  Poor            Good
>   CAL Cost/User                  **£68.64        £0
>
> * Approximate purchase price for W2K Advanced Server plus Microsoft
> Internet Security & Acceleration Server 2000 Enterprise Edition
> ** Lowest per desktop price from Microsoft UK recommended online store
> (wwwwstore.co.uk). Based on Open Subscription Licence for 100
>
> Mark Taylor is a Lead Consultant with Sirius. An early and continuing
> contributor to a wide spectrum of open source development projects,
> Mark actively works on wide-scale deployments of open source
> technologies in a variety of business environments. Sirius have help
> and documentation covering ISA migration on its website -
> http://www.siriusit.co.uk/ofb/isa-begone
>
> Mark is happy to reply to specific questions or queries raised by Open
> For Business.
> He can be contacted at mark.taylor@xxxxxxxxxxxxxx
>
> Paul Crisp
> Snr Network Support Analyst
> t: 020 7 827 5201
> f: 020 7 827 5266
>
> Get Thawte's New Step-by-Step SSL Guide for MSIIS
> Find out how to test, purchase, and install a Thawte Digital Certificate
> on your MSIIS web server: http://www.isaserver.org/thawte/
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: rdzek@xxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
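The quoted article describes the netfilter part of its "Open Source Security & Internet Access server" only in outline: a dual-homed Linux box that filters statefully in front of the LAN while Squid does the proxying and caching. The script below is an added example of what that ruleset actually looks like; it is not from the article, from Sirius, or from anyone on the list. The interface names (eth0 outside, eth1 inside), the 192.168.1.0/24 LAN range and Squid listening on 3128 are assumptions for illustration. It is deliberately default-deny: the gateway exposes nothing to the Internet, the LAN can reach only Squid and DNS on the gateway itself, plain HTTP is transparently redirected into Squid, and only HTTPS, SMTP and DNS are forwarded directly.

```shell
#!/bin/sh
# Added example (not from the article or Sirius): default-deny netfilter
# ruleset for a dual-homed Linux gateway running Squid locally.
# Set IPT=echo to print the rules instead of loading them (no root needed).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the office LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: LAN address range
SQUID_PORT="${SQUID_PORT:-3128}"      # Squid's default listening port

build_rules() {
    # Clean slate, then default-deny on the chains that face the network.
    # Anything not explicitly allowed below is dropped.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: packets claiming to come from our own LAN range must
    # never arrive on the Internet-facing interface.
    $IPT -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Stateful inspection: replies to connections the gateway or the LAN
    # opened are let back in; new inbound connections from outside are not.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may reach Squid and the gateway's DNS forwarder, nothing else
    # on the gateway itself.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Transparent proxying: catch port 80 from the LAN before routing and hand
    # it to Squid, so browsers need no proxy settings. Squid must be configured
    # to accept intercepted traffic; HTTPS cannot be intercepted this way.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Forward only the protocols the LAN is allowed to use directly
    # (HTTPS, SMTP, DNS). Everything else goes via Squid or is dropped.
    for port in 443 25; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Hide the LAN behind the gateway's public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log whatever falls through before the default policy drops it; this is
    # what Snort or a log watcher gets to look at.
    $IPT -A INPUT   -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A FORWARD -j LOG --log-prefix "FW-FWD-DROP: "
}

# Only touch the kernel when explicitly asked (FW_APPLY=1, as root).
if [ "${FW_APPLY:-0}" = "1" ]; then
    [ "$IPT" = "echo" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
fi
```

`IPT=echo FW_APPLY=1 sh fw.sh` prints the rules for review; `FW_APPLY=1 sh fw.sh` as root loads them. The REDIRECT rule only handles plain HTTP, and Squid has to be told to accept intercepted requests (on Squid 2.5 the httpd_accel_host virtual, httpd_accel_port 80, httpd_accel_with_proxy on and httpd_accel_uses_host_header on directives; on 2.6 and later `http_port 3128 transparent`). Because HTTPS cannot be redirected this way, port 443 is forwarded directly, which also means Squid's access logs will not see it.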