Re: Interesting Article Found In Linux Users & Developer

  • From: "shane mullins" <tsmullins@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 14 Oct 2003 17:40:12 -0400

well said kenny.  i like to think "use what works for you".  i try not to
bash others' work, and i don't worry about what everybody else is doing.



shane

----- Original Message ----- 
From: "Kenny Mann" <Kennymann@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 14, 2003 2:36 PM
Subject: [isalist] Re: Interesting Article Found In Linux Users & Developer


> >Anyway... is ISA a fit for everybody?  No.  Is an Open Source
> >solution to ISA a fit for everybody?  No.
>
> Well said. We have trucks for all those off-road people and
> fast cars for people that want to burn some rubber.
> Is one better than the other? Only in perception.
>
>
> >spite of all the MS bashing and security "Chicken Little's"
> >out there, ISA has stood its ground just fine.
>
> I started as an admin a year and a half ago (roughly).
> I would have to say that ISA server is somewhat easy to understand
> (assuming you apply some common sense, or at least research before you
> implement on a production server). I would have to say that my Microsoft
> software hasn't failed me yet; OTOH neither has my Linux software at home
> (I'm too poor to afford MS Win2K3 Server for personal use).
> For a noob admin, I would have to say that I am very impressed with ISA
> Server. (I was very skeptical at first, but I'll give anything a fair
> chance).
>
> >response on the OS side than I ever do with any MS product
> >with the exception of this group.  And I sincerely mean that.
> >The ISA support list is truly awesome.
>
> Indeed. This list (and especially Tom and Jim) is probably one of the
> few lists I am on that seems to be very effective, without being rude.
> I, for one, appreciate all your work and knowledge you have spread.
>
> Sincerely,
>   Kenny Mann
>
>
> >-----Original Message-----
> >From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
> >Sent: Tuesday, October 14, 2003 12:35 PM
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] Re: Interesting Article Found In Linux Users & Developer
> >
> >
> >MS Hype vs. OS Hype
> >
> >Who wins?  Depends on your point of view.  I work with both MS
> >and OS products in my environment.  I find ISA to have most of
> >the "problems" listed, but none of them have ever been acute
> >or chronic.  My own personal experiences with Squid have been
> >reasonably pleasant, but I am a linux neophyte and do not
> >*yet* trust myself to properly run a secured linux based PC as
> >my border gateway.  On the other hand, I have been running
> >dual-homed NT boxes for years with no problems whatsoever.
> >You can DDOS them to death, but you can't traverse them unless
> >you've done something really silly which applies to any
> >product.  There have been plenty of attempts.  I know this
> >because we use Snort (open source) to detect intrusion
> >attempts.  The email from the ISA list was scanned by
> >SpamAssassin, another excellent open source spam detection
> >product, which runs in conjunction with Postfix, an open source MTA.
> >
> >Does this mean I am Anti-MS?  Not at all.  I am certainly in
> >NO rush to start replacing desktops with Lindows, or any
> >variant thereof.  ISA does what we need it to do.  In a
> >"typical" medium to small business that is probably all MS
> >desktops anyway, ISA is probably a very good fit.  But in
> >mixed environments, such as mine, with mixed linux, unix, Mac,
> >and MS based PC's, ISA's appeal starts to fade.  But I have
> >certainly found certain niches within my IT structure where OS
> >is a very good fit.
> >
> >Frankly I am sick-to-death of having to reboot production MS
> >servers after hours all the freakin time for the exploit du
> >jour.  On my linux boxes, I simply recompile the binary and
> >restart the service and I'm done.  I can do it any time and
> >almost always do so without the users having a clue it was done.
> >
> >As far as tech support goes, I typically get better and faster
> >response on the OS side than I ever do with any MS product
> >with the exception of this group.  And I sincerely mean that.
> >The ISA support list is truly awesome. Which, quite frankly,
> >is one of the compelling reasons why I have not been in a
> >hurry to try anything else.
> >
> >Then there is the learning curve of setting up an OS solution.
> >You have to gather all the components together, and hope that
> >somebody has written a "how-to" that is actually legible, and
> >without important steps missing (The how-to's have a bad habit
> >of assuming you know certain things and leaving out critical
> >tweaks to the operating system or which file permissions need
> >to be set, etc.).  And so now you have a working system, but
> >you really don't understand how or why it works because the
> >entire project was just a "paint by numbers" from somebody
> >else's experience.  (This was the most frustrating part for me
> >when setting up SpamAssassin. But I had no budget and we were
> >suddenly getting over 30,000 spam a month.)
> >
> >But a "dyed in the wool" unix person would probably find
> >setting up ISA just as frustrating.
> >
> >From a security standpoint, which is what it really all boils
> >down to, I have never read about, or heard about, a properly
> >configured ISA box that has been broken into or through.  In
> >spite of all the MS bashing and security "Chicken Little's"
> >out there, ISA has stood its ground just fine.
> >
> >Anyway... is ISA a fit for everybody?  No.  Is an Open Source
> >solution to ISA a fit for everybody?  No.
> >
> >----- Original Message -----
> >From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
> >To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >Sent: Tuesday, October 14, 2003 8:34 AM
> >Subject: [isalist] Interesting Article Found In Linux Users & Developer
> >
> >
> >> Any comments ??
> >>
> >> From a personal experience I find MS ISA brilliant, does everything I
> >> want and more, and I haven't had all these troubles they mention in
> >> this article.
> >> Apologies for quality, just quickly OCR'd it.
> >>
> >>
> >>
> >> OPEN FOR BUSINESS
> >> Had enough of Microsoft? Open For Business is our monthly look at how
> >> any business can replace proprietary software with open source
> >> alternatives
> >>
> >> Replacing ISA
> >> By adopting open source software you can slash costs, vastly improve
> >> speed and reliability and, perhaps even more importantly, wrest
> >> control back from proprietary IT suppliers.
> >> In this month's column we look at providing secure, fast and reliable
> >> Internet access for your business. We will be replacing a widely used,
> >> yet heavily criticised Microsoft product, Internet Security and
> >> Acceleration server (ISA). It elucidates on the case study of Aquatint
> >> Printing on page 44, where much the same task was undertaken.
> >>
> >> ISA LOAD OF TROUBLE
> >> ISA refers to Internet Security and Acceleration server. Replacing it
> >> with an open source alternative is not only simple and easy to do - it
> >> will also save your business a huge amount of money and save your IT
> >> staff's time and stress levels.
> >> Add in vastly improved business functionality, performance, speed and
> >> reliability, and there's no reason not to change over. Microsoft
> >> describe ISA as "an extensible, multilayer, enterprise firewall and
> >> Web cache that helps provide secure, fast, and manageable Internet
> >> connectivity". Sounds great doesn't it? Unfortunately, the reality
> >> does not match the marketing. Let's be kind and leave aside how
> >> expensive deploying ISA is. However, a simple Google search brings up
> >> a huge list of reported problems, problems that any honest systems
> >> administrator will instantly confirm. They include:
> >> * Installation problems
> >> * Spurious reboots needed to fix cranky behaviour
> >> * Traffic redirected to the wrong websites
> >> * Classic Microsoft reformat and reinstall needed for fixes
> >> * Reports not generated
> >> * Authentication problems
> >> * Poor performance and worse scalability
> >> * Users not being able to connect when they should
> >> ... and more!
> >> [Figure caption: Microsoft's Internet Security and Acceleration server
> >> has been known to drive people mad - open source provides a
> >> much-needed alternative]
> >> ISA also locks you into a Microsoft-only infrastructure. That's fine
> >> if you trust their future plans for your business and are happy with
> >> the amount you're paying in license and compliance fees. But if you
> >> would like to get off that treadmill, open source is the only way to
> >> go.
> >>
> >> What's involved
> >> Providing Internet access for a network is quite different from
> >> providing it for a single machine. On a single machine you attach a
> >> modem. For a network you have to have a dedicated machine (called a
> >> proxy server) that goes online on behalf of any machine on the
> >> network. It grabs the requested content and then passes it to the
> >> machine that asked for it. Most good proxy servers will also save a
> >> local copy of the content (known as 'caching') so that only changes to
> >> the content need be downloaded in future. If your users look at some
> >> sites frequently, caching gives big savings on your bandwidth needs
> >> whilst also dramatically improving browsing speeds.
> >> Providing secure access for a network is generally done with a
> >> firewall. Firewall is a hugely misunderstood and ambiguous term - it
> >> can trigger religious wars amongst security experts. You'll be
> >> relieved to hear that for the sake of this article we're not going to
> >> join in and merely understand it to be a box you plug in to protect
> >> your network from bad things out there on the Internet.
> >>
> >> Open source
> >> We'll use Linux as our underlying operating system. On top of this
> >> we'll be layering some of the open source world's leading projects,
> >> all best of breed, and all included in the unbeatable purchase price
> >> (zero!) of your Linux system. The proxying and caching is provided by
> >> Squid. Squid is almost certainly what your own ISP uses (ask them!).
> >> Why? Because it's the best. It's hugely reliable, tunable, and faster
> >> than anything else out there. It will do distributed and hierarchical
> >> caching (that is, several machines running Squid co-operate and share
> >> cached content) both within your network and/or with any of the
> >> global community of Squid users. Its scalability is superb - serving a
> >> network of a thousand users will take four or five ISA servers. Squid
> >> needs just one, or two if you want to go way over the top on
> >> resilience.
> >> The firewall is provided by netfilter, Linux's next-generation packet
> >> filtering and stateful inspection engine. That mouthful of jargon
> >> simply means it inspects incoming and outgoing information and decides
> >> whether to pass it on or not - thus protecting your business from
> >> unauthorised access, illegal attacks (including well known attacks on
> >> your other Microsoft software), worms, trojans, etc.
> >> In fact whatever you've read a proprietary firewall can do, netfilter
> >> does, and then some more. Better than this, it has an open, modular
> >> architecture. Modules for pretty much any security feature you can
> >> think of are available (such as application-layer filtering,
> >> load-balancing, etc), enabling you to intercept, analyse or modify any
> >> protocol over any port.
> >> Your Open Source Security & Internet Access server (as we're going to
> >> call it) is completed with the addition of SpamAssassin for email
> >> filtering, snort for intrusion detection, ntop for reporting, and
> >> Webmin for any-platform GUI administration.
> >> You now have a system that beats Microsoft ISA on every score with no
> >> purchase costs or extortionate licensing fees every year. And it's
> >> future proof. When the next version is available, you simply update
> >> the modules you need. You don't need to do the Microsoft thing and buy
> >> it all again and also buy a new, faster, bigger machine to run it on.
> >> This might be great business for Microsoft and Intel but expensive and
> >> disruptive for you. Those days are now gone!
> >>
> >> LinuxUser&Developer/33
> >>
> >> ISA vs OPEN SOURCE
> >>                                  Microsoft ISA   Linux
> >> Easy GUI Configuration           J               J
> >> Access Control                   J               J
> >> Content Caching                  J               r
> >> Email Filtering                  J               ,/
> >> Free Upgrades                    X               J
> >> Firewall Firmware Based          X               X
> >> Speed/Reliability/Scalability    Poor            Good
> >> CAL Cost/User                    **£68.64        £0
> >> * Approximate purchase price for W2K Advanced Server plus Microsoft
> >> Internet Security & Acceleration Server 2000 Enterprise Edition
> >> ** Lowest per desktop price from Microsoft UK recommended online
> >> store (wwwwstore.co.uk). Based on Open Subscription Licence for 100
> >> Mark Taylor is a Lead Consultant with Sirius. An early and continuing
> >> contributor to a wide spectrum of open source development projects,
> >> Mark actively works on wide-scale deployments of open source
> >> technologies in a variety of business environments. Sirius have help
> >> and documentation covering ISA migration on its website -
> >> www.siriusit.co.uk/ofb/isa-begone
> >> <http://www.siriusit.co.uk/ofb/isa-begone>.
> >> Mark is happy to reply to specific questions or queries raised by
> >> Open For Business. He can be contacted at mark.taylor@xxxxxxxxxxxxxx
> >> <mailto:mark.taylor@xxxxxxxxxxxxxx>
> >>
> >>
> >> Paul Crisp
> >> Snr Network Support Analyst
> >> t: 020 7 827 5201
> >> f: 020 7 827 5266
> >>


