RES: RE: ISA 2004 - professional opinion

  • From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 31 May 2005 20:47:38 -0300

Tech Wars!!!!

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br

This message, including its attachments, is confidential and its content is 
restricted to the addressee of the message. If you have received this message 
in error, please return it to the addressee and delete it from your files. Any 
unauthorized use, replication or dissemination of this message or any part of 
it is expressly prohibited. SoftSell is not responsible for the content or the 
accuracy of this information.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, May 31, 2005 20:20
To: [ISAserver.org Discussion List]
Cc: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Inline... 

-----Original Message-----
From: Chris Brenton [mailto:cbrenton@xxxxxxxxxxxxxxxx] 
Sent: Tuesday, May 31, 2005 6:34 AM
To: firewalls@xxxxxxxxxxxxxxxxx
Subject: RE: ISA 2004 - professional opinion

Greets all,

Thought I would chime in on this.

On Thu, 2005-05-26 at 18:46, Bryan Bain wrote:
>
> On what do you base this opinion?  As a firewall, ISA 2004 is
> exceptional.

Please review the Bugtraq archive and reference the dozen plus
vulnerabilities listed for the product. You'll notice two recurring
themes:
1) Poor bounds checking
2) Poor data scrubbing

Not exactly what I would refer to as "exceptional", especially given the
limited deployment of the product. Granted some of the exploits are
based on ISA 2000, but you are talking the same code base. I'm guessing
that if ISA ever saw the market share of a FW-1 or PIX <shudder> these
numbers would be much higher. From what I've seen it's barely a blip on
the radar.
TOM>>You are referring to ISA 2000 issues; ISA 2000 was a rewrite of the
Proxy 2.0 Proxy, although much closer to a firewall than Proxy 2.0,
which was only a Web and Winsock proxy. When you say "some", that
implies a minority -- which clearly isn't the case when discussing the
ISA firewall (2004). Also, why do you assume the "same codebase"? Do you
know the difference between the Firewall service and the firewall
engine? What parts are loaded in user mode v. kernel mode? At what point
is the firewall engine loaded versus the firewall service? Do you know
if the Windows TCP/IP stack is loaded before the ISA firewall
components? Market share is related to a misunderstanding of what the
ISA firewall is, which most "open a port" firewall admins assume is a
proxy server, which clearly isn't the whole story and is a canard at
best. Sort of "flat earth" thinking. Also, are you aware of a single
case where an ISA firewall, properly configured, has been "owned"?


> * Multi-layer firewall protection with packet, circuit and application
> level filtering with deep content inspection.

In other words, it's a proxy. This means it has open ports exposed to the
Internet which permit people to interact with code running on the box.
There is zero sandboxing or code isolation as there is in similar
products (IMHO Sidewinder is an excellent example of how to do this
right), so the threat to the firewall itself is high. If the firewall is
compromised then all bets are off.
TOM>>Uh, NO. It's a stateful packet inspection and application layer
inspection firewall, so it fits into the blended proxy/packet filter
firewall class. No matter how many times people who don't understand the
ISA firewall say it, they're never going to make the ISA firewall "just
a proxy". Just like muttering "but it runs on Windows" doesn't make it
inherently insecure.




> * High performance Web proxy and caching for fast, secure Internet 
> access

I'm sorry but this sounds like it was yanked from the marketing
material. Pull stats on an outbound proxy and you will see that a ton of
sites now set the no cache option due to load balancing, scrolling
banner ads, and other similar "features". This means that the
performance benefits of an outbound proxy have greatly diminished over
the years. 5 years ago you would see a performance boost; today, from
what I've seen in the field, they actually slow down the "typical"
Internet link.
TOM>>That's interesting, because I find bandwidth savings of 5-10%
across all the ISA firewall deployments, which is really impressive
given the number of sites that do not support caching proxies. But there
are many, many more deployment options for caching firewalls than just
Internet caching. One example is branch office deployments.

 

> * Integrated firewall/VPN that offers a higher level of security than 
> a standalone RAS VPN,

So your claim is that terminating the VPN on the firewall is safer than
running a secondary termination point? I would greatly appreciate it if
you could publish the stats to back up this claim as everything I've
seen in the field indicates otherwise.
TOM>>What have you *exactly* seen in the field regarding the ISA
firewall's VPN? Can you give an example of how this subverted your
security posture *in practice*? Or, is this just another "I'm not going
to get out of bed this AM because a piece from a falling airplane might
fall on my head"? What is your experience with the ISA firewall's VPN
service and its capabilities?

 

If everything is on one box, then whacking that box compromises the
entire perimeter. If they are separate, you get some strong defense
in-depth benefits like not needing to open listening ports on the
primary firewall, monitoring traffic both in and out of the VPN gateway
from a separate box, and the list goes on.
TOM>>I would hope there is defense in depth, and also fail over and
fault tolerance, all of which the ISA firewall supports. This "open
port" approach to firewalls is like the application of mercurials and
arsenicals in medicine of yesteryear. What is the real advantage of
putting a stateful inspection-only firewall in front of the ISA
firewall, which performs stateful inspection itself? I hear this over
and over again, but ISA firewalls can perform the same packet inspection
as other popular firewalls. However, speed may be an issue, so using a
packet inspection only firewall in front of multiple perimeter firewalls
is a good choke point option.



> * Firewall-level spam control with deep content inspection, along with
> IP, domain, and keyword filtering and attachment blocking

This is fine for tiny sites but probably a bad idea for the typical
organization. If you later decide to change firewall products, you are
also migrating to a new AV/spam/etc. solution as well since
implementations are not functional across multiple firewall products.
You are better off with a dedicated gateway.
TOM>>Why would you need only one ISA firewall? For what you'd pay for
"big iron" "hardware" firewalls, I can deploy a fault tolerant, load
balanced array of 5-6 ISA firewalls and beat any uptime the 50K box
would give you.



> * Integration with Windows(r) Active Directory(r) services also enables
> administrators to apply user-level policy and authentication

This is a bad idea when it comes to VPNs. Consider what you have just
done. Prior to installing the VPN one of your defense in-depth layers
was the physical security of your facility. Even if you have insecure
wireless APs, your physical location provides some level of security as
an attacker has to be near you to perform an attack.
TOM>>Do you have real life examples, or even a proof of concept on how
to do this? I hear this said often, but when challenged to show me how
to do it, they can't. Even a proof of concept of such an attack against
a properly configured ISA firewall would get me to change my mind on
this. So, terminate the VPN on an ISA firewall located behind another
ISA firewall, and now you "fixed" something that really wasn't broken in
the first place.



If you integrate VPN authentication with your single sign-on solution,
you have just made the statement "I trust the physical security of the
entire Internet as much as I trust the physical security of my
facility". In other words, you have removed the physical security
component as a defense in-depth layer and have not replaced it with
anything. Just because a feature exists, that does not mean it's a good
idea to use it.
TOM>>Defense in depth is good. No arguments there. But you have to ask
yourself what real security are you adding if you just "open a port" to
the back end ISA firewall VPN server/gateway? None. You just put a bank
vault door in front of the ISA firewall, but it still will terminate at
the ISA firewall/VPN server. And since there's no demonstrated attack
that you can leverage against the ISA firewall by terminating VPN
connections to it, then I don't see where the *real* issues are. Again,
this is all "what if" stuff, which is a game we can play with any
firewall.



> This ease of use makes ISA 2004 an ideal solution for helping to
> secure Windows Server(tm) 2003 networks.

First, "ease of use" and "secure" are two entirely different things.
Also, the above statement makes it sound like you feel a single firewall
product is a good fit for any environment that meets but a single
criterion (running Win2003). It's been my experience that every
environment is different and therefore has a different set of
requirements. One size does not fit all. This is one of the reasons we
are blessed with a pretty diverse firewall market.
TOM>>The ISA firewall isn't the best firewall in the world, and it's not
the worst, and whether it is best or worst is related to the
requirements of the business, not the FUD and misconceptions people have
about it. I think it's the ideal solution for Microsoft shops, and adds
virtually nothing for non-Microsoft shops.



> * Advanced inspection at the application protocol layer allows ISA to
> inspect the proprietary RPC interfaces used by Microsoft applications.

Humm, so you think passing a proprietary application across a firewall
is actually a good thing????
TOM>>It's impossible to secure any service against all attacks. Even *ix
services can be and are attacked. So, adding defense in depth at the
firewall for these protocols is a good thing, including the Exchange RPC
and other RPC services. 



> To illustrate the value of this unique capability, ISA 2004's ability
> to enforce RPC security policy empowers an organization to take full
> advantage of Exchange productivity features without fear of a rogue RPC
> exploit compromising the messaging infrastructure.

This assumes proper bounds checking has been performed. See my first
comment. ;-) 
TOM>>I haven't seen the KB on the ISA 2004 firewall's RPC filter not
performing proper bounds checking. Checking
http://www.google.com/search?hl=en&lr=&q=%22Bounds+checking%22+%22ISA+server+2004%22
shows plenty of Linux bounds checking issues, and the ISA Server 2000
H.323 issue, but I don't see anything related to the 2004 ISA firewall.



Consider your logic here. You are claiming that this is secure because
the company that wrote the application also wrote the firewall. If they
had the Kung Fu to do that, then why didn't they just write RPC to be
secure in the first place? If your logic was correct there would be no
need to proxy the application because it would already be secure.
TOM>>Again, the ISA firewall provides defense in depth and allows you
to control what RPC communications move through the ISA firewall. RPC
filtering does have value, but it does take time to understand how it's
used on Microsoft Networks and how different servers and services
utilize RPCs. When and if you take time to learn about the ISA firewall,
check out the RPC filter and how you can customize what RPC
communications move through the ISA firewall. Very good feature that you
can use on the edge, or on any of the perimeters demarcating corporate
security zones. 



> ISA 2004 is a much better product than was ISA 2000.  It is not just
> for proxy-server any longer.

ISA 2004 is still just a tool. No more, no less. Yes it has things that
it is good at (outbound authentication of a Windows environment,
internal firewall when the threat level is low, just to name a few). I'm
certainly not saying that the product does not have its merits. You need
to think long and hard however before exposing it to direct Internet
access. The architecture design is less than optimal and the product
does not exactly have the best track history.
TOM>>All firewalls are just tools, and the 2004 ISA firewall is a much
better tool than the ISA Server 2000 firewall. It's good to hear that you
think the product has its merits. I can tell you that none of the over
100 deployments of ISA firewalls I've managed as edge firewalls ever
suffered from "edge-itis". Maybe because the ISA firewall is just a
machine so it isn't hampered by misconceptions about itself :-)) Also, I
think you're misjudging the ISA firewall based on what you know about
ISA Server 2000. They are not the same, or even similar. It has a rock
solid firewall architecture and there isn't yet a report, that I'm aware
of, of an ISA firewall that has been compromised when properly configured.
The point of all this isn't to say that it's the best firewall
in the world, but it's a pretty good one, esp. for Microsoft shops, and
that it fits on the perimeter as well as just about any firewall,
depending on bandwidth requirements and what hardware the ISA firewall
is installed on. Are there other great firewalls? You bet. But I never
cease to be amazed by the FUD, misinformation, and downright wrong
thinking people have about the ISA firewall. I guess that's why it's fun
to work with it. Sort of like demonstrating to people that the Earth
isn't flat, and that if someone is already bleeding, they probably don't
need leeches :-))
HTH,
Tom


HTH,
Chris




