Re: Interesting Article Found In Linux Users & Developer

  • From: "Bakari Allen" <ballen@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 14 Oct 2003 13:52:26 -0400

Ray - I am breathless!!! Very well said . . . couldn't have done better myself.

On another note . . . I am having the exact same experience with SpamAssassin 
here. I have followed the how-to on at least three different releases of RedHat 
and still can't get it to work correctly. I am using Postfix, SpamAssassin, and 
Razor but just can't get EVERYTHING to work correctly.

Did you happen to document your successful project? If so, would you be willing 
to share those results - offline of course since it would be slightly off-topic.

TIA,

Bakari Allen
ballen@xxxxxxxxx

 -----Original Message-----
From:   Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx] 
Sent:   Tuesday, October 14, 2003 1:35 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] Re: Interesting Article Found In Linux Users & 
Developer

MS Hype vs. OS Hype

Who wins?  Depends on your point of view.  I work with both MS and OS
products in my environment.  I find ISA to have most of the "problems"
listed, but none of them have ever been acute or chronic.  My own personal
experiences with Squid have been reasonably pleasant, but I am a linux
neophyte and do not *yet* trust myself to properly run a secured linux based
PC as my border gateway.  On the other hand, I have been running dual-homed
NT boxes for years with no problems whatsoever.  You can DDOS them to death,
but you can't traverse them unless you've done something really silly which
applies to any product.  There have been plenty of attempts.  I know this
because we use Snort (open source) to detect intrusion attempts.  The email
from the ISA list was scanned by SpamAssassin, another excellent open source
spam detection product, which runs in conjunction with Postfix, an open
source MTA.

Does this mean I am Anti-MS?  Not at all.  I am certainly in NO rush to
start replacing desktops with Lindows, or any variant thereof.  ISA does
what we need it to do.  In a "typical" medium to small business that is
probably all MS desktops anyway, ISA is probably a very good fit.  But in
mixed environments, such as mine, with mixed linux, unix, Mac, and MS based
PC's, ISA's appeal starts to fade.  But I have certainly found certain
niches within my IT structure where OS is a very good fit.

Frankly I am sick-to-death of having to reboot production MS servers after
hours all the freakin time for the exploit du jour.  On my linux boxes, I
simply recompile the binary and restart the service and I'm done.  I can do
it any time and almost always do so without the users having a clue it was
done.

As far as tech support goes, I typically get better and faster response on
the OS side than I ever do with any MS product with the exception of this
group.  And I sincerely mean that.  The ISA support list is truly awesome.
Which, quite frankly, is one of the compelling reasons why I have not been
in a hurry to try anything else.

Then there is the learning curve of setting up an OS solution.  You have to
gather all the components together, and hope that somebody has written a
"how-to" that is actually legible, and without important steps missing (The
how-to's have a bad habit of assuming you know certain things and leaving
out critical tweaks to the operating system or which file permissions need
to be set, etc.).  And so now you have a working system, but you really
don't understand how or why it works because the entire project was just a
"paint by numbers" from somebody else's experience.  (This was the most
frustrating part for me when setting up SpamAssassin. But I had no budget
and we were suddenly getting over 30,000 spam a month.)

But a "dyed in the wool" unix person would probably find setting up ISA just
as frustrating.

From a security standpoint, which is what it really all boils down to, I
have never read about, or heard about, a properly configured ISA box that
has been broken into or through.  In spite of all the MS bashing and
security "Chicken Little's" out there, ISA has stood its ground just fine.

Anyway... is ISA a fit for everybody?  No.  Is an Open Source solution to
ISA a fit for everybody?  No.

----- Original Message -----
From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 14, 2003 8:34 AM
Subject: [isalist] Interesting Article Found In Linux Users & Developer


> Any comments ??
>
> From a personal experience I find MS ISA brilliant, does everything I
> want and more, and I haven't had all these troubles they mention in this
> article. Apologies for quality, just quickly OCR'd it.
>
>
>
> OPEN FOR BUSINESS
> Had enough of Microsoft? Open For Business is our monthly look at how any
> business can replace proprietary software with open source alternatives
>
> Replacing ISA
>
> By adopting open source software you can slash costs, vastly improve speed
> and reliability and, perhaps even more importantly, wrest control back
> from proprietary IT suppliers.
>
> In this month's column we look at providing secure, fast and reliable
> Internet access for your business. We will be replacing a widely used, yet
> heavily criticised Microsoft product, Internet Security and Acceleration
> server (ISA). It elucidates on the case study of Aquatint Printing on page
> 44, where much the same task was undertaken.
>
> ISA LOAD OF TROUBLE
>
> ISA refers to Internet Security and Acceleration server. Replacing it with
> an open source alternative is not only simple and easy to do - it will
> also save your business a huge amount of money and save your IT staff's
> time and stress levels.
>
> Add in vastly improved business functionality, performance, speed and
> reliability, and there's no reason not to change over.
>
> Microsoft describe ISA as "an extensible, multilayer, enterprise firewall
> and Web cache that helps provide secure, fast, and manageable Internet
> connectivity".
>
> Sounds great doesn't it? Unfortunately, the reality does not match the
> marketing. Let's be kind and leave aside how expensive deploying ISA is.
> However, a simple Google search brings up a huge list of reported
> problems, problems that any honest systems administrator will instantly
> confirm. They include:
>
> * Installation problems
> * Spurious reboots needed to fix cranky behaviour
> * Traffic redirected to the wrong websites
> * Classic Microsoft reformat and reinstall needed for fixes
> * Reports not generated
> * Authentication problems
> * Poor performance and worse scalability
> * Users not being able to connect when they should
> ... and more!
>
> [Screenshot of the ISA Server setup screen ("Read Installation Guide",
> "Register ISA Server"; "These release notes contain the most up-to-date
> information about installation, documentation, support, and other known
> issues."). Caption: Microsoft's Internet Security and Acceleration server
> has been known to drive people mad - open source provides a much-needed
> alternative]
>
> ISA also locks you into a Microsoft-only infrastructure. That's fine if
> you trust their future plans for your business and are happy with the
> amount you're paying in license and compliance fees. But if you would like
> to get off that treadmill, open source is the only way to go.
>
> What's involved
>
> Providing Internet access for a network is quite different from providing
> it for a single machine. On a single machine you attach a modem. For a
> network you have to have a dedicated machine (called a proxy server) that
> goes online on behalf of any machine on the network. It grabs the
> requested content and then passes it to the machine that asked for it.
>
> Most good proxy servers will also save a local copy of the content (known
> as 'caching') so that only changes to the content need be downloaded in
> future. If your users look at some sites frequently, caching gives big
> savings on your bandwidth needs whilst also dramatically improving
> browsing speeds.
>
> Providing secure access for a network is generally done with a firewall.
> Firewall is a hugely misunderstood and ambiguous term - it can trigger
> religious wars amongst security experts. You'll be relieved to hear that
> for the sake of this article we're not going to join in and merely
> understand it to be a box you plug in to protect your network from bad
> things out there on the Internet.
>
> Open source
>
> We'll use Linux as our underlying operating system. On top of this we'll
> be layering some of the open source world's leading projects, all best of
> breed, and all included in the unbeatable purchase price (zero!) of your
> Linux system.
>
> The proxying and caching is provided by Squid. Squid is almost certainly
> what your own ISP uses (ask them!). Why? Because it's the best. It's
> hugely reliable, tunable, and faster than anything else out there. It will
> do distributed and hierarchical caching (that is, several machines running
> Squid co-operate and share cached content) both within your network and/or
> with any of the global community of Squid users.
>
> Its scalability is superb - serving a network of a thousand users will
> take four or five ISA servers. Squid needs just one, or two if you want to
> go way over the top on resilience.
>
> The firewall is provided by netfilter, Linux's next-generation packet
> filtering and stateful inspection engine. That mouthful of jargon simply
> means it inspects incoming and outgoing information and decides whether to
> pass it on or not - thus protecting your business from unauthorised
> access, illegal attacks (including well known attacks on your other
> Microsoft software), worms, trojans, etc.
>
> [Screenshot: ISA Server setup menu - "Run ISA Server Enterprise
> Initialization", "Install ISA Server"]
>
> (c)(r) LinuxUser&Developer/33
>
> In fact whatever you've read a proprietary firewall can do, netfilter
> does, and then some more. Better than this, it has an open, modular
> architecture. Modules for pretty much any security feature you can think
> of are available (such as application-layer filtering, load-balancing,
> etc), enabling you to intercept, analyse or modify any protocol over any
> port.
>
> Your Open Source Security & Internet Access server (as we're going to call
> it) is completed with the addition of SpamAssassin for email filtering,
> snort for intrusion detection, ntop for reporting, and Webmin for
> any-platform GUI administration.
>
> You now have a system that beats Microsoft ISA on every score with no
> purchase costs or extortionate licensing fees every year. And it's future
> proof. When the next version is available, you simply update the modules
> you need. You don't need to do the Microsoft thing and buy it all again
> and also buy a new, faster, bigger machine to run it on. This might be
> great business for Microsoft and Intel but expensive and disruptive for
> you. Those days are now gone!
>
> ISA vs OPEN SOURCE
>
>                                 Microsoft ISA   Linux
> Easy GUI Configuration          J               J
> Access Control                  J               J
> Content Caching                 J               r
> Email Filtering                 J               ,/
> Free Upgrades                   X               J
> Firewall Firmware Based         X               X
> Speed/Reliability/Scalability   Poor            Good
> CAL Cost/User                   **£68.64        £0
>
> * Approximate purchase price for W2K Advanced Server plus
> Microsoft Internet Security & Acceleration Server 2000
> Enterprise Edition
> ** Lowest per desktop price from Microsoft UK recommended
> online store (wwwwstore.co.uk). Based on Open Subscription
> Licence for 100
>
> Mark Taylor is a Lead Consultant with Sirius. An early and continuing
> contributor to a wide spectrum of open source development projects, Mark
> actively works on wide-scale deployments of open source technologies in a
> variety of business environments. Sirius have help and documentation
> covering ISA migration on its website -
> <http://www.siriusit.co.uk/ofb/isa-begone>.
>
> Mark is happy to reply to specific questions or queries raised by Open For
> Business. He can be contacted at <mailto:mark.taylor@xxxxxxxxxxxxxx>
>
>
> Paul Crisp
> Snr Network Support Analyst
> t: 020 7 827 5201
> f: 020 7 827 5266
>
>
>

