RE: Kind of OT: Software-based vs. Hardware-based Firewall

  • From: "Han Valk" <Han.Valk@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Oct 2004 16:19:24 +0200

Hi Thomas,
 
Since you seem to possess the ultimate wisdom on the subject, please educate
me.
 
What do you mean with:
 
"Note that I put publish in quotes. ISA Server 2004 firewall policy provides
two methods you can use to control traffic moving through the firewall:
Access Rules and Publishing Rules. Access Rules can participate in a route or
NAT relationship. Publishing Rules always NAT the connection, even if you're
using a public address segment and have a route relationship between the
source and destination host."
 
"Even though we are using public IP addresses, NAT is performed because we're
using a publishing rule. This allows the Internet host to connect to the IP
address on the external interface of the ISA Server 2004 firewall and
effectively hides the IP address of the DMZ host. This NAT hiding is a common
security measure for publicly available servers."
 
"Before finishing out this discussion, I should mention that you do lose an
amount of security for certain scenarios when you decide to use Access Rules
instead of publishing rules to allow access to your DMZ hosts, to the extent
where the ISA Server 2004 provides little more security than a PIX or
Netscreen device."
 
"Server publishing rules expose incoming connections to the application layer
filters dedicated to protecting specific services. Examples include the SMTP
filter that blocks buffer overflow attacks, the DNS filter which blocks a
number of DNS exploits, and the POP3 filter which blocks POP3 buffer
overflows. If you use Access Rules to publish the public address DMZ hosts,
the application layer filters will not protect you against these exploits."
 
I think it says that unless I want to NAT, important application layer
filters are _not_ available (except HTTP).
I'm sorry that I have a few points of criticism on ISA2004. I didn't know
that was forbidden. And for your information no I'm not an employee of Cisco
or any other firewall manufacturer. I've been working with and certified on
Proxy 2.0 and ISA2000.
On the other hand being a list member for quite long I must say I'm not
impressed with your social skills.
 
Han.
 
 
 


________________________________

        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
        Sent: Tuesday, October 19, 2004 12:12
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Kind of OT: Software-based vs. Hardware-based Firewall
        
        
        Hi Han,
         
        If you'll pardon my French, what the f**k are you talking about?
         
        You on the Cristo or Netscream payroll or something? Are you confusing
        firewalls with routers?
         
        You can choose a Route or NAT relationship between any two networks. If
        you want a dumb, low level, overpriced device, you're welcome to spend
        the $36K for the Netscream -- I guess you're willing to pay that premium
        for NetBEUI support? You'd think for that price they would have
        completed MS's work to get JetBEUI in the box too.
         
        Tom

________________________________

        From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
        Sent: Tue 10/19/2004 2:15 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Kind of OT: Software-based vs. Hardware-based Firewall
        
        

        http://www.ISAserver.org
        
        I'm very disappointed at ISA2004. I thought Microsoft would have built in
        the possibility to disable the #%$&$ NAT, which they didn't, at least not
        at the cost of losing filtering at the higher levels. Therefore in my
        opinion it makes ISA2004 less suitable as an edge firewall in a scenario
        that uses a DMZ between 2 firewalls. That so-called routed is still NAT.
        I don't like the argument that in the 'routed' scenario the ip-addresses
        are 'hidden' from the internet, that is security by obscurity which is
        poor man's security.
        
        Han.
        
        > -----Original Message-----
        > From: Ara.A [mailto:ara@xxxxxxxxxx]
        > Sent: Tuesday, October 19, 2004 00:17
        > To: [ISAserver.org Discussion List]
        > Subject: [isalist] RE: Kind of OT: Software-based vs.
        > Hardware-based Firewall
        >
        >  Wow. Nice article Tom
        >
        > -----Original Message-----
        > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
        > Sent: October 18, 2004 11:30 AM
        > To: [ISAserver.org Discussion List]
        > Subject: [isalist] RE: Kind of OT: Software-based vs. Hardware-based Firewall
        >
        > Hi Nef,
        >
        > Tell your boss to read it and weep :-)
        >
        > http://isaserver.org/articles/2004tales.html
        >
        > HTH,
        >
        >
        > Tom
        > www.isaserver.org/shinder
        > Tom and Deb Shinder's Configuring ISA Server 2004
        > http://tinyurl.com/3xqb7
        > MVP -- ISA Firewalls
        >
        >
        > -----Original Message-----
        > From: nperez@xxxxxxxxxxxxxxx [mailto:nperez@xxxxxxxxxxxxxxx]
        > Sent: Monday, October 18, 2004 11:20 AM
        > To: [ISAserver.org Discussion List]
        > Subject: [isalist] Kind of OT: Software-based vs. Hardware-based
        > Firewall
        >
        > I'm trying to answer my boss' argument that hardware based firewalls
        > (such as Cisco and Watchguard) have no real advantage over a software
        > based firewall, such as ISA. My opinion (and this is just my opinion!)
        > is that hardware based firewalls do have an advantage in terms of
        > security and speed. It is more scalable, better throughput, faster than
        > most software solutions, and no OS (Windows) which can have holes &
        > bugs! We have a remote site that we connect to and I think implementing
        > a hardware based firewall will enhance our security and throughput. We
        > currently have it set up ISA to ISA on both ends.
        >
        > I know there will be some bias here - after all this is an ISA forum!
        > But can anyone shed some light on this? Or direct me to some good
        > resources? I didn't find much on isaserver.org.
        >
        > Thanks!
        >
        > ------------------------------------------------------
        > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
        > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
        > ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
        > ------------------------------------------------------
        > Other Internet Software Marketing Sites:
        > World of Windows Networking: http://www.windowsnetworking.com
        > Leading Network Software Directory: http://www.serverfiles.com
        > No.1 Exchange Server Resource Site: http://www.msexchange.org
        > Windows Security Resource Site: http://www.windowsecurity.com/
        > Network Security Library: http://www.secinf.net/
        > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        > ------------------------------------------------------
        > You are currently subscribed to this ISAserver.org Discussion List
as:
        > tshinder@xxxxxxxxxxxxxxxxxx
        > To unsubscribe visit
        > http://www.webelists.com/cgi/lyris.pl?enter=isalist
        > Report abuse to listadmin@xxxxxxxxxxxxx
        >