Great! That's the kind of info I was wanting to gather... Just let me correct a few things I wrote:

1) I think I have to read more about the ISA clients. I was confusing SecureNAT clients with Firewall clients. As I'm aiming toward ISA certification, I hope I can get the concept properly and understand the limitations and advantages of the solution.

2) From what I read, ISA is able to detect only 6 types of attacks. Somebody also told me that MS licensed technology from ISS for the intrusion detection in ISA. Compared to what FW-1 AI can do, this is very limited... I don't know if there is something else in the product, but I could not find very detailed documentation on ISA's intrusion detection features... maybe somebody can say something else about it...

3) I understand performance as something that the software and the hardware can do together for a reasonable price. Of course you can use an ES7000 (hey, let me sell Unisys here! ;)) with 32 processors and W2K Datacenter to support your firewall, but that will cost you loads of dollars. I think in this case a benchmark and a list price are the best things to clear our minds of any doubts.

4) I agree that Windows is as secure as any other OS (Solaris, Linux, etc.), but you have to be more careful using it in a border network element. This is because most of the vulnerabilities that are discovered out there are in Microsoft's OSs. Of course this is not related to poor programming, but to the extra hackers' work on debugging Windows. This also causes the need for faster threat response, since exploits for these vulnerabilities usually come out faster... admins should also test these "fixes" before applying them... that means more work for the admin. Either way, my comment was not related to Linux or Solaris, but to IPSO, SecurePlatform and Cisco PIX IOS... these are customized OSs for the firewall applications, and tend to be more robust by design than a general-purpose OS (Windows, Linux or Solaris) used as a base for any security system.

I understand that because this is a discussion list about ISA, most of you like the product. But I would like to also understand the disadvantages of the software. As I'm a consultant, I like to explain to my customers the weak and strong points of any tool I'm recommending. Can you please also add your dislikes and concerns about ISA?

Thank you again, I can see that I'll like this list very much.. ;)

Regards
Daniel

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, July 30, 2003 14:55
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: New to the list and new to ISA - comparison

http://www.ISAserver.org

Hi Daniel,

I'll add my 2 cents to John's :-)

1) Need to install client software for some protocol support (including ICMP);

>>You do not need to install the Firewall client application unless you want to get the features that no other firewall can provide -- granular outbound access control for ALL PROTOCOLS on a per-user or per-group basis. The SecureNAT client configuration is the same as for any other simple packet filtering firewall, like the PIX. You configure the routing infrastructure and default gateway of the client to support your Internet access scheme. The nice thing about the Firewall client is that it makes the client Internet access scheme transparent to your routing infrastructure, because the Firewall client remotes requests to the ISA Server firewall. I'd like to see another firewall do that for ALL PROTOCOLS. Like any other firewall that NATs between the internal and external networks, you need an application filter or NAT editor to handle protocols that require secondary connections. This is not specific to ISA; it's true for *all* firewalls.
No client software is required to access ICMP or GRE -- non-TCP/UDP protocols are routed and not remoted to the ISA Server firewall.

2) Limited attack detection (especially for an Application Layer Gateway);

>>There is a built-in intrusion detection system. You can certainly install Snort and make the IDS on the ISA Server firewall as robust as you like.

3) Performance;

>>ISA Server firewalls do top out at around 400Mb/sec. So, if you have an OC768 line you need to support, you might want to drop in additional ISA Server firewalls.

4) It does not run over a customized OS. (Let's get real... Windows is the worst OS to run security applications...)

>>I'm not aware of any network compromises based on a successful attack on an ISA Server firewall. Windows is as secure as any Linux/Unix/OSX/whatever OS when it's correctly configured. Media hype and SANS prejudice to the contrary notwithstanding.

1) Price (VERY CHEAP compared to most firewalls)

>>Very cheap given the SSL to SSL bridging feature, the Exchange RPC filter, the built-in H.323 Gatekeeper, no license fees required for VPN connections, no license costs for firewall connections, a built-in DNS server, a built-in certificate server, and no extra costs to use triple DES or AEP when the add-on becomes available. The free Feature Pack 1 supports SecurID and delegated basic authentication, and a free SMTP server that can be used as a spam-whacking SMTP relay.

2) AD Integration

>>Yes! And if you don't want to join the firewall to the domain, then use RADIUS for VPN client connections and SecureNAT clients on the internal network, or mirror the domain user accounts on the firewall and you can use the Firewall and Web Proxy client setup too!

3) Easy management and installation

>>Very easy compared to PIX, NetScreen and FW-1 or NG.

4) Supports most HA, load sharing, VPN, H.323 and lots of other "cool features".

>>Yes!
HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Accioly, Daniel [mailto:daniel.accioly@xxxxxxxxxxxxx]
Sent: Wednesday, July 30, 2003 12:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] New to the list and new to ISA - comparison

http://www.ISAserver.org

Hello everybody,

I'm new to ISA but experienced on other firewalls like Checkpoint and StoneGate. While I was trying to get familiar with it, I was compelled to compare ISA with PIX and Checkpoint, as well as other respectable products. I think most of you have already had the chance to do this comparison, so I would like to ask you to share your opinions.

From my thoughts I could see the following problems with ISA:
1) Need to install client software for some protocol support (including ICMP);
2) Limited attack detection (especially for an Application Layer Gateway);
3) Performance;
4) It does not run over a customized OS. (Let's get real... Windows is the worst OS to run security applications...)
...

I also can see these advantages:
1) Price (VERY CHEAP compared to most firewalls)
2) AD Integration
3) Easy management and installation
4) Supports most HA, load sharing, VPN, H.323 and lots of other "cool features".
...

Thank you!

Daniel Accioly Rosa, CISSP
Consultant
Global Infrastructure Services
Phone: 55+(21) 3804-5110
UNISYS
Imagine it. Done.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')