RE: New to the list and new to ISA - comparison

  • From: "Accioly, Daniel" <daniel.accioly@xxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 30 Jul 2003 14:06:06 -0500

Great!

That's the kind of info I was wanting to gather...

Just let me correct a few things I wrote:

1) I think I have to read more about the ISA clients. I was confusing
SecureNAT clients with Firewall clients. As I'm aiming toward ISA
certification, I hope I can get the concept properly and understand the
limitations and advantages of the solution.

2) From what I read, ISA is able to detect only 6 types of attacks. Somebody
also said to me that MS licensed technology from ISS to work with intrusion
detection in ISA. Compared to what FW1 AI can do this is very limited... I
don't know if there is something else with the product, but I could not find
very detailed documentation on ISA's intrusion detection features... maybe
somebody can say something else about it...

3) I understand performance as something that the software and the hardware
can do together for a reasonable price. Of course you can use an ES7000
(hey, let me sell Unisys here! ;)) with 32 processors and a W2K Datacenter
to support your firewall, but that will cost you loads of dollars. I think
in this case a benchmark and a list price is the best thing to clear our
minds from any doubts.

4) I agree that Windows is as secure as any other OS (Solaris, Linux,
etc...), but you have to be more careful using it in a border network
element. This is because most of the vulnerabilities that are discovered out
there are in Microsoft's OSs. Of course this is not related to poor
programming, but to extra hacker's work on debugging Windows. This also
causes the need for faster threat response, since exploits for these
vulnerabilities usually come out faster... admins should also test these
"fixes" before applying them... that means more work for the admin.
Either way my comment was not related to Linux or Solaris, but to IPSO,
SecurePlatform and Cisco PIX IOS... these are customized OSs for the
firewall applications, and tend to be more robust by design than using a
general purpose OS (Windows, Linux or Solaris) as a base for any security
system.

I understand that because this is a discussion list about ISA, most of you
like the product. But I would like to also understand the disadvantages of
the software. As I'm a consultant I like to explain to my customers the weak
and strong points of any tool I'm recommending. Can you please also add your
dislikes and concerns about ISA?

Thank you again, I can see that I'll like this list very much.. ;)

Regards

Daniel



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, 30 July 2003 14:55
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: New to the list and new to ISA - comparison


http://www.ISAserver.org


Hi Daniel,

I'll add my 2 cents to John's :-)

1) Need to install client software for some protocol support (including
ICMP);
>>You do not need to install the Firewall client application unless you
want to get the features that no other firewall can provide -- granular
outbound access control for ALL PROTOCOLS on a per user or per group
basis. The SecureNAT client configuration is the same as any other
simple packet filtering firewall, like the PIX. You configure the
routing infrastructure and default gateway of the client to support your
Internet access scheme. The nice thing about the Firewall client is that
it makes the client Internet access scheme transparent to your routing
infrastructure, because the Firewall client remotes requests to the ISA
Server firewall. I'd like to see another firewall do that for ALL
PROTOCOLS.
        Like any other firewall that NATs between the internal and
external networks, you need an application filter or NAT editor to
handle protocols that require secondary connections. This is not
specific to ISA, it's true for *all* firewalls.
        No client software is required to access ICMP or GRE --
non-TCP/UDP protocols are routed and not remoted to the ISA Server
firewall.


2) Limited attack detection (especially for an Application Layer
Gateway);
>>There is a built-in intrusion detection system. You can certainly
install Snort and make the IDS on the ISA Server firewall as robust as
you like.

3) Performance;
>>ISA Server firewalls do top out at around 400Mb/sec. So, if you have
an OC768 line you need to support, you might want to drop in additional
ISA Server firewalls.


4) It does not run over a customized OS. (Let's get real... Windows is
the worst OS to run security applications...)
>>I'm not aware of any network compromises based on a successful attack
on an ISA Server firewall. Windows is as secure as any
Linux/Unix/OSX/whatever OS when it's correctly configured. Media hype and
SANS prejudice to the contrary notwithstanding.



1) Price (VERY CHEAP compared to most firewalls)
>>very cheap given the SSL to SSL bridging feature, the Exchange RPC
filter, the built-in H.323 Gatekeeper, no license fees required for VPN
connections, no license costs for firewall connections, built in DNS
server, built in certificate server, no extra costs to use triple DES or
AEP when the add-on becomes available. Free Feature pack 1 support
SecurID and delegated basic authentication, and a free SMTP server that
can be used as a spam-whacking SMTP relay.

2) AD Integration
Yes! And if you don't want to join the firewall to the domain, then use
RADIUS for VPN client connections and SecureNAT clients on the internal
network or mirror the domain user accounts on the firewall and you can
use the Firewall and Web Proxy client setup too!


3) Easy management and installation
>>very easy compared to pix, netscreen and FW-1 or NG

4) Supports most HA, Loadsharing, VPN, H.323 and lots of other "cool
features".
>>yes!

HTH
Tom


Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Accioly, Daniel [mailto:daniel.accioly@xxxxxxxxxxxxx] 
Sent: Wednesday, July 30, 2003 12:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] New to the list and new to ISA - comparison


http://www.ISAserver.org


Hello everybody,

I'm new to ISA but experienced on other firewalls like Checkpoint and
Stonegate. While I was trying to get familiar with it I was compelled to
compare ISA with PIX and Checkpoint, as well as other respectable
products. I think most of you had already the chance to do this
comparison, so I would like to ask you to share your opinions.

From my thoughts I could see the following problems with ISA:

1) Need to install client software for some protocol support (including
ICMP);
2) Limited attack detection (especially for an Application Layer
Gateway);
3) Performance;
4) It does not run over a customized OS. (Let's get real... Windows is
the worst OS to run security applications...)
...

I also can see these advantages:

1) Price (VERY CHEAP compared to most firewalls)
2) AD Integration
3) Easy management and installation
4) Supports most HA, Loadsharing, VPN, H.323 and lots of other "cool
features".
...

Thank you!

Daniel Accioly Rosa, CISSP
Consultant
Global Infrastructure Services
Phone :55+(21) 3804-5110
UNISYS Imagine it. Done.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
