I'm not the skirt wearin' nancy boy :p How's the big apple?

Greg Mulholland
Clear IT
Level 10, 530 Little Collins Street
Melbourne, VIC 3000
Ph: (03) 99097411
Fax: (03) 99097091

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Wednesday, 1 June 2005 11:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Have you forwarded it on to him yet wimpo??

-----Original Message-----
From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx]
Sent: Tuesday, May 31, 2005 8:56 PM
To: ISA Mailing List
Subject: [isalist] RE: RES: RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Revenge of the shind!!

Tom, I showed you the personal email describing his reasons, didn't I? Basically stating arguments which I can come up with myself and providing no actual proof, merely an opinion. What's funny is these types of people don't state that in their email. They try to get everyone to believe that for some magical reason they must be right. If people want my opinion I give it to them straight, whether it's good or bad. But like Jim said, you can't fight bias!! Too true.

Greg Mulholland
Clear IT
Level 10, 530 Little Collins Street
Melbourne, VIC 3000
Ph: (03) 99097411
Fax: (03) 99097091

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, 1 June 2005 9:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Tech Wars!!!!

Tiago de Aviz
SoftSell - Curitiba
(41) 340-2363
www.softsell.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee of the message. If you have received this message in error, please return it to the addressee and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited. SoftSell is not responsible for the content or the accuracy of this information.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, 31 May 2005 20:20
To: [ISAserver.org Discussion List]
Cc: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 - professional opinion

http://www.ISAserver.org

Inline...

-----Original Message-----
From: Chris Brenton [mailto:cbrenton@xxxxxxxxxxxxxxxx]
Sent: Tuesday, May 31, 2005 6:34 AM
To: firewalls@xxxxxxxxxxxxxxxxx
Subject: RE: ISA 2004 - professional opinion

Greets all,

Thought I would chime in on this.

On Thu, 2005-05-26 at 18:46, Bryan Bain wrote:
>
> On what do you base this opinion? As a firewall, ISA 2004 is exceptional.

Please review the Bugtraq archive and reference the dozen plus vulnerabilities listed for the product. You'll notice two reoccurring themes:

1) Poor bounds checking
2) Poor data scrubbing

Not exactly what I would refer to as "exceptional", especially given the limited deployment of the product. Granted some of the exploits are based on ISA 2000, but you are talking the same code base. I'm guessing that if ISA ever saw the market share of a FW-1 or PIX <shudder> these numbers would be much higher. From what I've seen it's barely a blip on the radar.

TOM>> You are referring to ISA 2000 issues, which was a rewrite of the Proxy 2.0 Proxy, although much closer to a firewall than Proxy 2.0, which was only a Web and Winsock proxy. When you say "some", that implies a minority -- which clearly isn't the case when discussing the ISA firewall (2004). Also, why do you assume the "same codebase"? Do you know the difference between the Firewall service and the firewall engine? What parts are loaded in user mode v. kernel mode? At what point the firewall engine is loaded versus the firewall service? Do you know if the Windows TCP/IP stack is loaded before the ISA firewall components?

Market share is related to a misunderstanding of what the ISA firewall is, which most "open a port" firewall admins assume is a proxy server, which clearly isn't the whole story and is a canard at best. Sort of "flat earth" thinking. Also, are you aware of a single case where an ISA firewall, properly configured, has been "owned"?

> * Multi-layer firewall protection with packet, circuit and application level filtering with deep content inspection.

In other words, it's a proxy. This means it has open ports exposed to the Internet which permit people to interact with code running on the box. There is zero sandboxing or code isolation as there is in similar products (IMHO Sidewinder is an excellent example of how to do this right), so the threat to the firewall itself is high. If the firewall is compromised then all bets are off.

TOM>> Uh, NO. It's a stateful packet inspection and application layer inspection firewall, so it fits into the blended proxy/packet filter firewall class. No matter how many times people who don't understand the ISA firewall say it, they're never going to make the ISA firewall "just a proxy". Just like muttering "but it runs on Windows" doesn't make it inherently unsecure.

> * High performance Web proxy and caching for fast, secure Internet
> access

I'm sorry but this sounds like it was yanked from the marketing material. Pull stats on an outbound proxy and you will see that a ton of sites now set the no cache option due to load balancing, scrolling banner ads, and other similar "features". This means that the performance benefits of an outbound proxy have greatly diminished over the years. 5 years ago you would see a performance boost; today from what I've seen in the field they actually slow down the "typical" Internet link.

TOM>> That's interesting, because I find bandwidth savings of 5-10% across all the ISA firewall deployments, which is really impressive given the number of sites that do not support caching proxies. But there are many many more deployment options for caching firewalls than just Internet caching. One example is branch office deployments.

> * Integrated firewall/VPN that offers a higher level of security than
> a standalone RAS VPN,

So your claim is that terminating the VPN on the firewall is safer than running a secondary termination point? I would greatly appreciate it if you could publish the stats to back up this claim as everything I've seen in the field indicates otherwise.

TOM>> What have you *exactly* seen in the field regarding the ISA firewall's VPN? Can you give an example of how this subverted your security posture *in practice*? Or, is this just another "I'm not going to get out of bed this AM because a piece from a falling airplane might fall on my head"? What is your experience with the ISA firewall's VPN service and its capabilities?

If everything is on one box, then whacking that box compromises the entire perimeter. If they are separate, you get some strong defense in-depth benefits like not needing to open listening ports on the primary firewall, monitoring traffic both in and out of the VPN gateway from a separate box, and the list goes on.

TOM>> I would hope there is defense in depth, and also fail over and fault tolerance, all of which the ISA firewall supports. This "open port" approach to firewalls is like the application of mercurials and arsenicals in medicine of yesteryear. What is the real advantage of putting a stateful inspection-only firewall in front of the ISA firewall, which performs stateful inspection itself? I hear this over and over again, but ISA firewalls can perform the same packet inspection as other popular firewalls. However, speed may be an issue, so using a packet inspection only firewall in front of multiple perimeter firewalls is a good choke point option.

> * Firewall-level spam control with deep content inspection, along with
> IP, domain, and keyword filtering and attachment blocking

This is fine for tiny sites but probably a bad idea for the typical organization. If you later decide to change firewall products, you are also migrating to a new AV/spam/etc. solution as well since implementations are not functional across multiple firewall products. You are better off with a dedicated gateway.

TOM>> Why would you need only one ISA firewall? For what you'd pay for "big iron" "hardware" firewalls, I can deploy a fault tolerant, load balanced array of 5-6 ISA firewalls and beat any uptime the 50K box would give you.

> * Integration with Windows(r) Active Directory(r) services also enables
> administrators to apply user-level policy and authentication

This is a bad idea when it comes to VPNs. Consider what you have just done. Prior to installing the VPN one of your defense in-depth layers was the physical security of your facility. Even if you have insecure wireless APs, your physical location provides some level of security as an attacker has to be near you to perform an attack.

TOM>> Do you have real life examples, or even a proof of concept on how to do this? I hear this said often, but when challenged to show me how to do it, they can't. Even a proof of concept of such an attack against a properly configured ISA firewall would get me to change my mind on this. So, terminate the VPN on an ISA firewall located behind another ISA firewall, and now you "fixed" something that really wasn't broken in the first place.

If you integrate VPN authentication with your single sign-on solution, you have just made the statement "I trust the physical security of the entire Internet as much as I trust the physical security of my facility". In other words, you have removed the physical security component as a defense in-depth layer and have not replaced it with anything. Just because a feature exists, that does not mean it's a good idea to use it.

TOM>> Defense in depth is good. No arguments there. But you have to ask yourself what real security you are adding if you just "open a port" to the back end ISA firewall VPN server/gateway? None. You just put a bank vault door in front of the ISA firewall, but it still will terminate at the ISA firewall/VPN server. And since there's no demonstrated attack that you can leverage against the ISA firewall by terminating VPN connections to it, then I don't see where the *real* issues are. Again, this is all "what if" stuff, which is a game we can play with any firewall.

> This ease of use makes ISA 2004 an ideal solution for helping to secure Windows Server(tm) 2003 networks.

First, "ease of use" and "secure" are two entirely different things. Also, the above statement makes it sound like you feel a single firewall product is a good fit for any environment that meets but a single criterion (running Win2003). It's been my experience that every environment is different and therefore has a different set of requirements. One size does not fit all. This is one of the reasons we are blessed with a pretty diverse firewall market.

TOM>> The ISA firewall isn't the best firewall in the world, and it's not the worst, and whether it is best or worst is related to the requirements of the business, not the FUD and misconceptions people have about it. I think it's the ideal solution for Microsoft shops, and adds virtually nothing for non-Microsoft shops.

> * Advanced inspection at the application protocol layer allows ISA to inspect the proprietary RPC interfaces used by Microsoft applications.

Humm, so you think passing a proprietary application across a firewall is actually a good thing????

TOM>> It's impossible to secure any service against all attacks. Even *ix services can be and are attacked. So, adding defense in depth at the firewall for these protocols is a good thing, including the Exchange RPC and other RPC services.

> To illustrate the value of this unique capability, ISA 2004's ability to enforce RPC security policy empowers an organization to take full advantage of Exchange productivity features without fear of a rogue RPC exploit compromising the messaging infrastructure.

This assumes proper bounds checking has been performed. See my first comment. ;-)

TOM>> I haven't seen the KB on the ISA 2004 firewall's RPC filter not performing proper bounds checking. Checking http://www.google.com/search?hl=en&lr=&q=%22Bounds+checking%22+%22ISA+server+2004%22 shows plenty of Linux bounds checking issues, and the ISA Server 2000 H.323 issue, but I don't see anything related to the 2004 ISA firewall.

Consider your logic here. You are claiming that this is secure because the company that wrote the application also wrote the firewall. If they had the Kung Fu to do that, then why didn't they just write RPC to be secure in the first place? If your logic was correct there would be no need to proxy the application because it would already be secure.

TOM>> Again, the ISA firewall provides defense in depth and allows you to control what RPC communications move through the ISA firewall. RPC filtering does have value, but it does take time to understand how it's used on Microsoft Networks and how different servers and services utilize RPCs. When and if you take time to learn about the ISA firewall, check out the RPC filter and how you can customize what RPC communications move through the ISA firewall. Very good feature that you can use on the edge, or on any of the perimeters demarcating corporate security zones.

> ISA 2004 is a much better product than was ISA 2000. It is not just for proxy-server any longer.

ISA 2004 is still just a tool. No more, no less. Yes it has things that it is good at (outbound authentication of a Windows environment, internal firewall when the threat level is low, just to name a few). I'm certainly not saying that the product does not have its merits. You need to think long and hard however before exposing it to direct Internet access. The architecture design is less than optimal and the product does not exactly have the best track history.

TOM>> All firewalls are just tools, and the 2004 ISA firewall is a much better tool than the ISA Server 2000 firewall. It's good to hear that you think the product has its merits. I can tell you that none of the over 100 deployments of ISA firewalls I've managed as edge firewalls ever suffered from "edge-itis". Maybe because the ISA firewall is just a machine so it isn't hampered by misconceptions about itself :-)) Also, I think you're misjudging the ISA firewall based on what you know about ISA Server 2000. They are not the same, or even similar. It has a rock solid firewall architecture and there isn't yet a report that I'm aware of an ISA firewall that has been compromised when properly configured. The point of all this isn't to say that it's the best firewall in the world, but it's a pretty good one, esp. for Microsoft shops, and that it fits on the perimeter as well as just about any firewall, depending on bandwidth requirements and what hardware the ISA firewall is installed on. Are there other great firewalls? You bet. But I never cease to be amazed by the FUD, misinformation, and downright wrong thinking people have about the ISA firewall. I guess that's why it's fun to work with it.
Sort of like demonstrating to people that the Earth isn't flat, and that if someone is already bleeding, they probably don't need leeches :-))

HTH,
Tom

HTH,
Chris

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tiago@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------

All mail to and from this network has been scanned for viruses

The correct technical term for haggis stalking is "havering".