Re: Interesting Article Found In Linux Users & Developer
- From: "jlyon" <jlyon@xxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Tue, 14 Oct 2003 17:45:34 -0400
Well, It's like the old saying....trust someone till they give you a reason
not to. It just depends on you decide to trust to begin with and stick with
them till you have reason not to.
John
http://www.aquesthosting.com
Premium .Net Hosting Services
----- Original Message -----
From: "shane mullins" <tsmullins@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 14, 2003 5:40 PM
Subject: [isalist] Re: Interesting Article Found In Linux Users & Developer
> AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS:
> http://www.isaserver.org/thawte/
> well said kenny. i like to think "use what works for you". i try not to
> bash others work, and i don't worry about what everybody else is doing.
>
>
>
> shane
>
> ----- Original Message -----
> From: "Kenny Mann" <Kennymann@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, October 14, 2003 2:36 PM
> Subject: [isalist] Re: Interesting Article Found In Linux Users &
Developer
>
>
> > AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS:
> > http://www.isaserver.org/thawte/
> > >Anyway... is ISA a fit for everybody? No. Is an Open Source=20
> > >solution to ISA a fit for everybody? No.
> >
> > Well said. We have trucks for all those off-road people and
> > fast cars for people that want to burn some rubber.
> > Is one better than the other? Only in perception.
> >
> >
> > >spite of all the MS bashing and security "Chicken Little's"=20
> > >out there, ISA has stood its ground just fine.
> >
> > I started an admin as of a year and a half ago (roughly).
> > I would have to say that ISA server, is somewhat easy to understand =
> > (assuming you apply some common sense, or at least research before you =
> > implement on a production server). I would have to say that my Microsoft
=
> > software hasn't fail me yet, OTOH neither has my Linux software at home
=
> > (I'm too poor to afford MS Win2K3 Server for personal use).
> > For a noob admin, I would have to say that I am very impressed with ISA
=
> > Server. (I was very skeptical at first, but I'll give anything a fair =
> > chance).
> >
> > >response on the OS side than I ever do with any MS product=20
> > >with the exception of this group. And I sincerely mean that. =20
> > >The ISA support list is truly awesome.
> >
> > Indeed. This list (and especially Tom and Jim) is probably one of the =
> > few lists I am on that seems to be very effective, without being rude.
> > I, for one, appreciate all your work and knowledge you have spread.
> >
> > Sincerely,
> > Kenny Mann
> >
> >
> > >-----Original Message-----
> > >From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]=20
> > >Sent: Tuesday, October 14, 2003 12:35 PM
> > >To: [ISAserver.org Discussion List]
> > >Subject: [isalist] Re: Interesting Article Found In Linux=20
> > >Users & Developer
> > >
> > >
> > >AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS:=20
> > >http://www.isaserver.org/thawte/
> > >MS Hype vs. OS Hype
> > >
> > >Who wins? Depends on your point of view. I work with both MS=20
> > >and OS products in my environment. I find ISA to have most of=20
> > >the "problems" listed, but none of them have ever been acute=20
> > >or chronic. My own personal experiences with Squid have been=20
> > >reasonably pleasant, but I am a linux neophyte and do not=20
> > >*yet* trust myself to properly run a secured linux based PC as=20
> > >my border gateway. On the other hand, I have been running=20
> > >dual-homed NT boxes for years with no problems whatsoever. =20
> > >You can DDOS them to death, but you can't traverse them unless=20
> > >you've done something really silly which applies to any=20
> > >product. There have been plenty of attempts. I know this=20
> > >because we use Snort (open source) to detect intrusion=20
> > >attempts. The email from the ISA list was scanned by=20
> > >SpamAssassin, another excellent open source spam detection=20
> > >product, which runs in conjunction with Postfix, an open source MTA.
> > >
> > >Does this mean I am Anti-MS? Not at all. I am certainly in=20
> > >NO rush to start replacing desktops with Lindows, or any=20
> > >variant thereof. ISA does what we need to to do. In a=20
> > >"typical" medium to small business that is probably all MS=20
> > >desktops anyway, ISA is probably a very good fit. But in=20
> > >mixed environments, such as mine, with mixed linux, unix, Mac,=20
> > >and MS based PC's, ISA's appeal starts to fade. But I have=20
> > >certainly found certain niches within my IT structure where OS=20
> > >is a very good fit.
> > >
> > >Frankly I am sick-to-death of having to reboot production MS=20
> > >servers after hours all the freakin time for the exploit de'=20
> > >jour. On my linux boxes, I simply recompile the binary and=20
> > >restart the service and I'm done. I can do it any time and=20
> > >almost always do so without the users having a clue it was done.
> > >
> > >As far as tech support goes, I typically get better and faster=20
> > >response on the OS side than I ever do with any MS product=20
> > >with the exception of this group. And I sincerely mean that. =20
> > >The ISA support list is truly awesome. Which, quite frankly,=20
> > >is one of the compelling reasons why I have not been in a=20
> > >hurry to try anything else.
> > >
> > >Then there is the learning curve of setting up an OS solution.=20
> > > You have to gather all the components together, and hope that=20
> > >somebody has written a "how-to" that is actually legible, and=20
> > >without important steps missing (The how-to's have a bad habit=20
> > >of assuming you know certain things and leaving out critical=20
> > >tweaks to the operating system or which file permissions need=20
> > >to be set, etc.). And so now you have a working system, but=20
> > >you really don't understand how or why it works because the=20
> > >entire project was just a "paint by numbers" from somebody=20
> > >else's experience. (This was the most frustrating part for me=20
> > >when setting up SpamAssassin. But I had no budget and we were=20
> > >suddenly getting over 30,000 spam a month.)
> > >
> > >But a "dyed in the wool" unix person would probably find=20
> > >setting up ISA just as frustrating.
> > >
> > >From a security standpoint, which is what it really all boils=20
> > >down to, I have never read about, or heard about, a properly=20
> > >configured ISA box that has been broken into or through. In=20
> > >spite of all the MS bashing and security "Chicken Little's"=20
> > >out there, ISA has stood its ground just fine.
> > >
> > >Anyway... is ISA a fit for everybody? No. Is an Open Source=20
> > >solution to ISA a fit for everybody? No.
> > >
> > >----- Original Message -----
> > >From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
> > >To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > >Sent: Tuesday, October 14, 2003 8:34 AM
> > >Subject: [isalist] Interesting Article Found In Linux Users & Developer
> > >
> > >
> > >> AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS:=20
> > >> http://www.isaserver.org/thawte/ Any comments ??
> > >>
> > >> >From a personal experience I find MS ISA brilliant, does=20
> > >everything I
> > >want
> > >> and more, and I haven't had all these troubles they mention in this
> > >article
> > >> Apologies for quality, just quickly OCR'd it.
> > >>
> > >>
> > >>
> > >> OPEN FOR BUSINESS
> > >> Had enough of Microsoft? Open For Business is our monthly=20
> > >look at how=20
> > >> any business can replace proprietary software with open source=20
> > >> alternatives Replacing ISA B
> > >> y adopting open source software you can slash costs, vastly=20
> > >improve speed
> > >> and reliability and, perhaps even more importantly, wrest=20
> > >control back
> > >from
> > >> proprietary IT suppliers.
> > >> In this month's column we look at providing secure, fast and=20
> > >reliable=20
> > >> Internet access for your business. We will be replacing a=20
> > >widely used,=20
> > >> yet heavily criticised Microsoft product, Internet Security and=20
> > >> Acceleration server (ISA). It elucidates on the case study=20
> > >of Aquatint=20
> > >> Printing on page 44, where much the same task was=20
> > >undertaken. ISA LOAD=20
> > >> OF TROUBLE ISA refers to Internet Security and Acceleration
server.=20
> > >> Replacing it with an open source alternative is not only simple
and=20
> > >> easy to do - it will
> > >also
> > >> save your business a huge amount of money and save your IT staff's=20
> > >> time
> > >and
> > >> stress levels.
> > >> Add in vastly improved business functionality, performance,=20
> > >speed and=20
> > >> reliability, and there's no reason not to change over. Microsoft=20
> > >> describe ISA as "an extensible, multilayer, enterprise firewall
and=20
> > >> Web cache that helps provide secure, fast, and manageable Internet=20
> > >> connectivity". Sounds great doesn't it? Unfortunately, the reality=20
> > >> does not match the marketing. Let's be kind and leave aside how=20
> > >> expensive deploying ISA is. However, a simple Google search=20
> > >brings up=20
> > >> a huge list of reported
> > >problems,
> > >> problems that any honest systems administrator will=20
> > >instantly confirm.
> > >They
> > >> include:
> > >> These release notes contain the most up-to-date information about=20
> > >> installation, documentation, support, and other known issues.=20
> > >> Microsoft's Internet Security and Acceleration server has been
known=20
> > >> to drive people mad - open source provides a much-needed
alternative=20
> > >> Read Installation Guide
> > >>
> > >> Register I A Server
> > >> * Installation problems
> > >> * Spurious reboots needed to fix cranky behaviour
> > >> * Traffic redirected to the wrong websites
> > >> * Classic Microsoft reformat and reinstall needed for fixes
> > >> * Reports not generated
> > >> * Authentication problems
> > >> * Poor performance and worse scalability * Users not being able to=20
> > >> connect when they should ... and more!
> > >> ISA also locks you into a Microsoft-only infrastructure.=20
> > >That's fine if
> > >you
> > >> trust their future plans for your business and are happy with the=20
> > >> amount you're paying in license and compliance fees. But if=20
> > >you would=20
> > >> like to get off that treadmill, open source is the only way to go.=20
> > >> What's involved Providing Internet access for a network is quite=20
> > >> different from providing
> > >it
> > >> for a single machine. On a single machine you attach a modem. For a
> > >network
> > >> you have to have a dedicated machine (called a proxy server)=20
> > >that goes=20
> > >> online on behalf of any machine on the network. It grabs the=20
> > >requested=20
> > >> content and then passes it to the machine that asked for it.=20
> > >Most good=20
> > >> proxy servers will also save a local copy of the content (known
> > >> as'caching') so that only changes to the content need be=20
> > >downloaded in=20
> > >> future. If your users look at some sites frequently, caching=20
> > >gives big=20
> > >> savings on your bandwidth needs whilst also dramatically improving
> > >browsing
> > >> speeds.
> > >> Providing secure access for a network is generally done with a=20
> > >> firewall. Firewall is a hugely misunderstood and ambiguous term -
it=20
> > >> can trigger religious wars amongst security experts. You'll be=20
> > >> relieved to hear that
> > >for
> > >> the sake of this article we're not going to join in and merely=20
> > >> understand
> > >it
> > >> to be a box you plug in to protect your network from bad things
out=20
> > >> there
> > >on
> > >> the Internet.
> > >> THIS MIGHT BE GREAT BUSINESS FOR MICROSOFT AND INTEL BUT=20
> > >EXPENSIVE FOR
> > >YOU.
> > >> THOSE DAYS ARE NOW GONE!
> > >> Open source
> > >> We'll use Linux as our underlying operating system. On top of this=20
> > >> we'll
> > >be
> > >> layering some of the open source world's leading projects,=20
> > >all best of=20
> > >> breed, and all included in the unbeatable purchase price (zero!)
of=20
> > >> your Linux system. The proxying and caching is provided by Squid.=20
> > >> Squid is almost certainly what your own ISP uses (ask them!). Why?=20
> > >> Because it's the best. It's
> > >hugely
> > >> reliable, tunable, and faster than anything else out there.=20
> > >It will do=20
> > >> distributed and hierarchical caching (that is, several machines=20
> > >> running Squid co-operate and share cached content) both within
your=20
> > >> network and/or with any of the global community of Squid users.
Its=20
> > >> scalability is superb-serving a network of a thousand users=20
> > >will take=20
> > >> four or five ISA servers. Squid needs just one, or two if=20
> > >you want to=20
> > >> go
> > >way
> > >> over the top on resilience.
> > >> The firewall is provided by netfilter, Linux's=20
> > >next-generation packet=20
> > >> filtering and stateful inspection engine. That mouthful of jargon=20
> > >> simply means it inspects incoming and outgoing information=20
> > >and decides=20
> > >> whether to pass it on or not- thus protecting your business from=20
> > >> unauthorised access, illegal attacks (including well known=20
> > >attacks on=20
> > >> Run ISA Server Enterprise Initialization Install ISA Server
> > >> ad About igrat!nq to ISA er
> > >>
> > >>
> > >>
> > >> =A9=AE LinuxUser&Developer/33
> > >> FIREWALL IS A HUGELY MISUNDERSTOOD AND AMBIGUOUS TERM - IT=20
> > >CAN TRIGGER=20
> > >> RELIGIOUS WARS AMONGST SECURITY EXPERTS
> > >>
> > >> your other Microsoft software), worms, trojans, etc.
> > >> In fact whatever you've read a proprietary firewall can do, netfilter
> > >does,
> > >> and then some more. Better than this, it has an open, modular
> > >architecture.
> > >> Modules for pretty much any security feature you can think of are
> > >available
> > >> (such as application-layer filtering, load-balancing,.etc),
enabling=20
> > >> you
> > >to
> > >> intercept, analyse or modify any protocol over any port.
> > >> Your Open Source Security & Internet Access server (as we're=20
> > >going to=20
> > >> call
> > >> it) is completed with the addition of SpamAssassin for email=20
> > >filtering,
> > >> snort for intrusion detection, ntop for reporting, and Webmin for
> > >> any-platform GUI administration.
> > >> You now have a system that beats Microsoft ISA on every score with no
> > >> purchase costs or extortionate licensing fees every year.=20
> > >And it's future
> > >> proof. When the next version is available, you simply update=20
> > >the modules
> > >you
> > >> need. You don't need to do the Microsoft thing and buy it all
again=20
> > >> and
> > >also
> > >> buy a new, faster, bigger machine to run it on. This might be great
> > >business
> > >> for Microsoft and Intel
> > >> but expensive and disruptive for you. Those days are now gone!
> > >>
> > >> ISA vs OPEN SOURCE
> > >> Microsoft ISA Linux
> > >> Easy GUI Configuration J J
> > >> .
> > >> J J
> > >> Access Control
> > >> *..
> > >> Content Caching J r
> > >> Email Filtering J ,/
> > >> .-.- .
> > >> X J
> > >> Free Upgrades
> > >> Firewall Firmware Based X X
> > >> Speed/Reliability/Scalability Poor Good
> > >> -.0.
> > >> CAL Cost/User **=A368.64 =A30
> > >> * Approximate purchase price for W2K Advanced Server plus
Microsoft=20
> > >> Internet Security & Acceleration Server 2000 Enterprise Edition
> > >> ** Lowest per desktop price from Microsoft UK recommended
> > >> online store (wwwwstore.co.uk). Based on Open Subscription
> > >> Licence for 100
> > >> Mark Taylor is a Lead Consultant with Sirius. An early and continuing
> > >> contributor to a wide spectrum of open source development=20
> > >projects, Mark
> > >> actively works on wide-scale deployments of open source=20
> > >technologies in a
> > >> variety of business environments. Sirius have help and documentation
> > >> covering ISA migration on its website - www.siriusit.co.uk/=20
> > >ofb/isa-begone
> > >> <http://www.siriusit.co.uk/ofb/isa-begone> .
> > >> Mark is happy to reply to specific questions or queries=20
> > >raised by Open For
> > >> Business. He can be contacted at mark.taylor@xxxxxxxxxxxxxx
> > >> <mailto:mark.taylor@xxxxxxxxxxxxxx>
> > >>
> > >>
> > >> Paul Crisp
> > >> Snr Network Support Analyst
> > >> t: 020 7 827 5201
> > >> f: 020 7 827 5266
> > >>
> > >>
> > >>
> > >> Get Thawte's New Step-by-Step SSL Guide for MSIIS
> > >> Find out how to test, purchase, and install a Thawte Digital=20
> > >> Certificate
> > >on your MSIIS web server:
> > >> http://www.isaserver.org/thawte/
> > >>
> > >> ------------------------------------------------------
> > >> You are currently subscribed to this ISAserver.org=20
> > >Discussion List as:
> > >rdzek@xxxxxxxxxxxxxxx
> > >> To unsubscribe send a blank email to=20
> > >> $subst('Email.Unsub')
> > >
> > >
> > >Get Thawte's New Step-by-Step SSL Guide for MSIIS
> > >Find out how to test, purchase, and install a Thawte Digital=20
> > >Certificate on your MSIIS web server:=20
> > >http://www.isaserver.org/thawte/
> > >
> > >------------------------------------------------------
> > >You are currently subscribed to this ISAserver.org Discussion=20
> > >List as: kennymann@xxxxxxxxxxx To unsubscribe send a blank=20
> > >email to $subst('Email.Unsub')
> > >
> >
> > Get Thawte's New Step-by-Step SSL Guide for MSIIS
> > Find out how to test, purchase, and install a Thawte Digital Certificate
> on your MSIIS web server:
> > http://www.isaserver.org/thawte/
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> tsmullins@xxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
$subst('Email.Unsub')
> >
> >
> >
>
>
> Get Thawte's New Step-by-Step SSL Guide for MSIIS
> Find out how to test, purchase, and install a Thawte Digital Certificate
on your MSIIS web server:
> http://www.isaserver.org/thawte/
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
jlyon@xxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
Other related posts:
