well said kenny. i like to think "use what works for you". i try not to bash others' work, and i don't worry about what everybody else is doing.

shane

----- Original Message -----
From: "Kenny Mann" <Kennymann@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 14, 2003 2:36 PM
Subject: [isalist] Re: Interesting Article Found In Linux Users & Developer

> AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS:
> http://www.isaserver.org/thawte/
>
> >Anyway... is ISA a fit for everybody? No. Is an Open Source solution to ISA a fit for everybody? No.
>
> Well said. We have trucks for all those off-road people and fast cars for people that want to burn some rubber.
> Is one better than the other? Only in perception.
>
> >spite of all the MS bashing and security "Chicken Little's" out there, ISA has stood its ground just fine.
>
> I started an admin as of a year and a half ago (roughly).
> I would have to say that ISA server, is somewhat easy to understand (assuming you apply some common sense, or at least research before you implement on a production server). I would have to say that my Microsoft software hasn't failed me yet, OTOH neither has my Linux software at home (I'm too poor to afford MS Win2K3 Server for personal use).
> For a noob admin, I would have to say that I am very impressed with ISA Server. (I was very skeptical at first, but I'll give anything a fair chance).
>
> >response on the OS side than I ever do with any MS product with the exception of this group. And I sincerely mean that. The ISA support list is truly awesome.
>
> Indeed. This list (and especially Tom and Jim) is probably one of the few lists I am on that seems to be very effective, without being rude.
> I, for one, appreciate all your work and knowledge you have spread.
>
> Sincerely,
> Kenny Mann
>
>
> >-----Original Message-----
> >From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
> >Sent: Tuesday, October 14, 2003 12:35 PM
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] Re: Interesting Article Found In Linux Users & Developer
> >
> >MS Hype vs. OS Hype
> >
> >Who wins? Depends on your point of view. I work with both MS and OS products in my environment. I find ISA to have most of the "problems" listed, but none of them have ever been acute or chronic. My own personal experiences with Squid have been reasonably pleasant, but I am a linux neophyte and do not *yet* trust myself to properly run a secured linux based PC as my border gateway. On the other hand, I have been running dual-homed NT boxes for years with no problems whatsoever. You can DDOS them to death, but you can't traverse them unless you've done something really silly which applies to any product. There have been plenty of attempts. I know this because we use Snort (open source) to detect intrusion attempts. The email from the ISA list was scanned by SpamAssassin, another excellent open source spam detection product, which runs in conjunction with Postfix, an open source MTA.
> >
> >Does this mean I am Anti-MS? Not at all. I am certainly in NO rush to start replacing desktops with Lindows, or any variant thereof. ISA does what we need it to do. In a "typical" medium to small business that is probably all MS desktops anyway, ISA is probably a very good fit. But in mixed environments, such as mine, with mixed linux, unix, Mac, and MS based PC's, ISA's appeal starts to fade. But I have certainly found certain niches within my IT structure where OS is a very good fit.
> >
> >Frankly I am sick-to-death of having to reboot production MS servers after hours all the freakin time for the exploit du jour. On my linux boxes, I simply recompile the binary and restart the service and I'm done. I can do it any time and almost always do so without the users having a clue it was done.
> >
> >As far as tech support goes, I typically get better and faster response on the OS side than I ever do with any MS product with the exception of this group. And I sincerely mean that. The ISA support list is truly awesome. Which, quite frankly, is one of the compelling reasons why I have not been in a hurry to try anything else.
> >
> >Then there is the learning curve of setting up an OS solution. You have to gather all the components together, and hope that somebody has written a "how-to" that is actually legible, and without important steps missing (The how-to's have a bad habit of assuming you know certain things and leaving out critical tweaks to the operating system or which file permissions need to be set, etc.). And so now you have a working system, but you really don't understand how or why it works because the entire project was just a "paint by numbers" from somebody else's experience. (This was the most frustrating part for me when setting up SpamAssassin. But I had no budget and we were suddenly getting over 30,000 spam a month.)
> >
> >But a "dyed in the wool" unix person would probably find setting up ISA just as frustrating.
> >
> >From a security standpoint, which is what it really all boils down to, I have never read about, or heard about, a properly configured ISA box that has been broken into or through. In spite of all the MS bashing and security "Chicken Little's" out there, ISA has stood its ground just fine.
> >
> >Anyway... is ISA a fit for everybody? No.
> >Is an Open Source solution to ISA a fit for everybody? No.
> >
> >----- Original Message -----
> >From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
> >To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >Sent: Tuesday, October 14, 2003 8:34 AM
> >Subject: [isalist] Interesting Article Found In Linux Users & Developer
> >
> >> Any comments ??
> >>
> >> From a personal experience I find MS ISA brilliant, does everything I want and more, and I haven't had all these troubles they mention in this article
> >> Apologies for quality, just quickly OCR'd it.
> >>
> >> OPEN FOR BUSINESS
> >> Had enough of Microsoft? Open For Business is our monthly look at how any business can replace proprietary software with open source alternatives
> >>
> >> Replacing ISA
> >>
> >> By adopting open source software you can slash costs, vastly improve speed and reliability and, perhaps even more importantly, wrest control back from proprietary IT suppliers.
> >> In this month's column we look at providing secure, fast and reliable Internet access for your business. We will be replacing a widely used, yet heavily criticised Microsoft product, Internet Security and Acceleration server (ISA). It elucidates on the case study of Aquatint Printing on page 44, where much the same task was undertaken.
> >>
> >> ISA LOAD OF TROUBLE
> >> ISA refers to Internet Security and Acceleration server. Replacing it with an open source alternative is not only simple and easy to do - it will also save your business a huge amount of money and save your IT staff's time and stress levels.
> >> Add in vastly improved business functionality, performance, speed and reliability, and there's no reason not to change over.
> >> Microsoft describe ISA as "an extensible, multilayer, enterprise firewall and Web cache that helps provide secure, fast, and manageable Internet connectivity". Sounds great doesn't it? Unfortunately, the reality does not match the marketing. Let's be kind and leave aside how expensive deploying ISA is. However, a simple Google search brings up a huge list of reported problems, problems that any honest systems administrator will instantly confirm. They include:
> >>
> >> [Figure caption: Microsoft's Internet Security and Acceleration server has been known to drive people mad - open source provides a much-needed alternative]
> >>
> >> * Installation problems
> >> * Spurious reboots needed to fix cranky behaviour
> >> * Traffic redirected to the wrong websites
> >> * Classic Microsoft reformat and reinstall needed for fixes
> >> * Reports not generated
> >> * Authentication problems
> >> * Poor performance and worse scalability
> >> * Users not being able to connect when they should
> >> ... and more!
> >>
> >> ISA also locks you into a Microsoft-only infrastructure. That's fine if you trust their future plans for your business and are happy with the amount you're paying in license and compliance fees. But if you would like to get off that treadmill, open source is the only way to go.
> >>
> >> What's involved
> >> Providing Internet access for a network is quite different from providing it for a single machine. On a single machine you attach a modem. For a network you have to have a dedicated machine (called a proxy server) that goes online on behalf of any machine on the network.
> >> It grabs the requested content and then passes it to the machine that asked for it. Most good proxy servers will also save a local copy of the content (known as 'caching') so that only changes to the content need be downloaded in future. If your users look at some sites frequently, caching gives big savings on your bandwidth needs whilst also dramatically improving browsing speeds.
> >> Providing secure access for a network is generally done with a firewall. Firewall is a hugely misunderstood and ambiguous term - it can trigger religious wars amongst security experts. You'll be relieved to hear that for the sake of this article we're not going to join in and merely understand it to be a box you plug in to protect your network from bad things out there on the Internet.
> >>
> >> THIS MIGHT BE GREAT BUSINESS FOR MICROSOFT AND INTEL BUT EXPENSIVE FOR YOU. THOSE DAYS ARE NOW GONE!
> >>
> >> Open source
> >> We'll use Linux as our underlying operating system. On top of this we'll be layering some of the open source world's leading projects, all best of breed, and all included in the unbeatable purchase price (zero!) of your Linux system. The proxying and caching is provided by Squid. Squid is almost certainly what your own ISP uses (ask them!). Why? Because it's the best. It's hugely reliable, tunable, and faster than anything else out there. It will do distributed and hierarchical caching (that is, several machines running Squid co-operate and share cached content) both within your network and/or with any of the global community of Squid users. Its scalability is superb - serving a network of a thousand users will take four or five ISA servers.
> >> Squid needs just one, or two if you want to go way over the top on resilience.
> >> The firewall is provided by netfilter, Linux's next-generation packet filtering and stateful inspection engine. That mouthful of jargon simply means it inspects incoming and outgoing information and decides whether to pass it on or not - thus protecting your business from unauthorised access, illegal attacks (including well known attacks on your other Microsoft software), worms, trojans, etc.
> >>
> >> ©® LinuxUser&Developer/33
> >>
> >> FIREWALL IS A HUGELY MISUNDERSTOOD AND AMBIGUOUS TERM - IT CAN TRIGGER RELIGIOUS WARS AMONGST SECURITY EXPERTS
> >>
> >> In fact whatever you've read a proprietary firewall can do, netfilter does, and then some more. Better than this, it has an open, modular architecture. Modules for pretty much any security feature you can think of are available (such as application-layer filtering, load-balancing, etc), enabling you to intercept, analyse or modify any protocol over any port.
> >> Your Open Source Security & Internet Access server (as we're going to call it) is completed with the addition of SpamAssassin for email filtering, snort for intrusion detection, ntop for reporting, and Webmin for any-platform GUI administration.
> >> You now have a system that beats Microsoft ISA on every score with no purchase costs or extortionate licensing fees every year. And it's future proof. When the next version is available, you simply update the modules you need. You don't need to do the Microsoft thing and buy it all again and also buy a new, faster, bigger machine to run it on.
> >> This might be great business for Microsoft and Intel but expensive and disruptive for you. Those days are now gone!
> >>
> >> ISA vs OPEN SOURCE
> >>                                 Microsoft ISA   Linux
> >> Easy GUI Configuration          J               J
> >> Access Control                  J               J
> >> Content Caching                 J               r
> >> Email Filtering                 J               ,/
> >> Free Upgrades                   X               J
> >> Firewall Firmware Based         X               X
> >> Speed/Reliability/Scalability   Poor            Good
> >> CAL Cost/User                   **£68.64        £0
> >>
> >> * Approximate purchase price for W2K Advanced Server plus Microsoft Internet Security & Acceleration Server 2000 Enterprise Edition
> >> ** Lowest per desktop price from Microsoft UK recommended online store (wwwwstore.co.uk). Based on Open Subscription Licence for 100
> >>
> >> Mark Taylor is a Lead Consultant with Sirius. An early and continuing contributor to a wide spectrum of open source development projects, Mark actively works on wide-scale deployments of open source technologies in a variety of business environments. Sirius have help and documentation covering ISA migration on its website - www.siriusit.co.uk/ofb/isa-begone <http://www.siriusit.co.uk/ofb/isa-begone>.
> >> Mark is happy to reply to specific questions or queries raised by Open For Business.
> >> He can be contacted at mark.taylor@xxxxxxxxxxxxxx <mailto:mark.taylor@xxxxxxxxxxxxxx>
> >>
> >>
> >> Paul Crisp
> >> Snr Network Support Analyst
> >> t: 020 7 827 5201
> >> f: 020 7 827 5266
> >>
> >> Get Thawte's New Step-by-Step SSL Guide for MSIIS
> >> Find out how to test, purchase, and install a Thawte Digital Certificate on your MSIIS web server:
> >> http://www.isaserver.org/thawte/
> >>
> >> ------------------------------------------------------
> >> You are currently subscribed to this ISAserver.org Discussion List as: rdzek@xxxxxxxxxxxxxxx
> >> To unsubscribe send a blank email to $subst('Email.Unsub')