I don't mean this to be as crass as it might sound, but "so what?" This is just an example of "policy by fear." Having a strict policy of "6 months from publishing" to install software buys you nothing but assumption. Have the COOs cited some industry research that points out that most vulnerabilities in published software are reported and fixed within the first 6 months? And how long are other people waiting to install? What if others wait 8 months? Then the 6 month people are still "guinea pigs." If you don't know what others are doing, you can't even come up with a term.

Then there is the flip side of things... what about vulnerabilities that exist in current deployments that are fixed in the new releases? Think Exchange 2k vs 2k3... there were a few SMTP issues with 2k that could be exploited anonymously where 2k3 required authentication. Look at SQL2000 vs 2005. There are several ways to "leverage" the way SQL2000 works and operates that flat out don't work on 2005. Waiting 6 months could dramatically increase the risk of potential exploitation.

Policies by way of hackneyed logic are worthless. The solution is to examine deployments on a product-by-product basis and to make intelligent decisions from available data, not from some "head in the sand" my-way-or-the-highway policy.

And I have to say, waiting six months to roll out XP SP2 was anything but "prudent." That's just plain dumb. I am personally aware of more exploitation of systems post-SP2 (where people didn't install it) than of any other definitive time frame I know of. Someone's not doing their job over there...

t

On 5/22/06 12:33 AM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh to all:

> Just to add some more oil to the fire.
>
> There are 2 small corporates (200 - 300 employees each) here in Australia that I have had an ongoing relationship with for several years, and they both have a corporate policy that NO software will go near their production LAN until at least 6 months has passed after the official release. To break the policy requires the Chief Operating Officer's approval. To date, no matter how compelling the argument for an upgrade, neither COO has signed off on an early upgrade. Neither company even rolled XP SP2 out across the desktops until it had been in the field for 6 months.
>
> Their approach is: "Let some other bunny find the problems".
>
> Cautious, but very prudent.
>
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: Monday, 22 May 2006 16:53
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SME LAN and ISA
>
> I get the point, but ultimately you don't know if ISA is or isn't going to break in Beta or even behave weirdly, regardless of ISA or Exchange or near completion in the life cycle. My boss would tear me a new one if anything happened and he knew that I was using Beta. ISA 2006 is beta software and hence falls under the Beta "blanket" regardless of its "stance" in the security world or record or reputation. Exchange and Bind would be the same; just because ye olde version worked well doesn't mean the new one will, and I'm not about to find that out the hard way. I was always brought up not to do testing in a production environment, and from the reasons given and ones I have seen I do not have enough persuasion to change my mind...
>
> I think it all depends on whether you think that the steps you take increase the chance of risk to YOUR network and for that matter your job. Also whether the need for the beta software is great at that point in time, that is to say what improvements, security or functionality or otherwise, is a factor in the overall decision. For me there has never been a need to rush at beta software in my environments (home excluded); all our testing of new products is done in a lab environment to ascertain the best way to attack upgrades and assess functionality etc etc. So I guess we can differ on this and I suspect the gallery will be divided on this one. Might be a good topic for a poll on isaserver.org and a lucky prize for one of the voters, remember we used to do those!!
>
> Greg Mulholland
>
>
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
> Sent: Mon 22/05/2006 2:32 PM
> To: isalist@xxxxxxxxxxxxx; Glenn P. JOHNSTON
> Subject: [isalist] Re: SME LAN and ISA
>
> We're talking about someone running it on their own LAN. Not sure where the "board" or "business owner" stuff came in. I'm not suggesting that a professional network/security specialist install beta software on customers' production networks. I'm specifically talking about ISA 2006, as I stated earlier. It's tight. I run it, I've tested it (and trust me, I'm made aware of issues that MSFT sometimes never sees) and I have no problem with someone who knows what they are doing running it on their own LAN. This isn't some blanket statement about beta in general: I said, "Don't listen to Greg. Use ISA2006 all you want (if you know what you are doing.)"
>
> Comparing "full version public release" to "beta" has absolutely no meaning whatsoever unless you know what has been changed between releases. I participate in many different beta programs... and I've seen software go from "beta" to "RC" to "RTM" without a single bit being changed.
>
> If you know what you are doing, and know where the product is in the development cycle, and are willing to be responsible for your own decisions in regard to ISA 2006, then it is OK to deploy it. I do this, and am fine with it. And I'm somewhat confident that I won't be looking for another job should an issue arise.
>
> We're professionals here. Let's not make blanket statements where they are not applicable.
>
> t
>
>
> On 5/21/06 6:43 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh to all:
>
>> From what I have seen of ISA2006 on my play LAN, it seems stable, works well and to date I have found no issues, and while I have not done full speed tests, I have a gut feel that the performance is better.
>>
>> However, it's got nothing to do with skill set, being comfortable or anything like that.
>>
>> Purely on principle, I would not put any beta or pre-release software near a production LAN. This comes from 25 years supporting and developing systems in corporate environments.
>>
>> What about this situation:
>>
>> There is some small bug / hole in ISA2006 that, as yet, is undetected. It's small, it's new and it's specific to ISA2006, it's obscure, but it's there.
>>
>> You put ISA2006 on a production LAN, and someone on the internet finds it, finds the bug / hole, makes use of it, and hacks in, and a customer list finds its way onto the internet, or into the hands of a competitor.
>>
>> There is an investigation, possibly with law enforcement called in, the board finds out there was beta software on their production LAN, you've shot yourself in the foot, you are in an indefensible position.
>>
>> Unlikely, yes.
>>
>> Are there any bugs / holes in ISA2006? My suspicion is probably not, but the jury is still out deliberating on that one.
>>
>> Would it be OK on a production LAN? Probably yes, it will work, and work without issues.
>>
>> But, if an issue does occur, will any board or business owner support using beta or pre-release on their production system? Not likely; more likely, you're looking for another job. There also could very well be legal issues, where you've exposed yourself to some liability claim.
>>
>> It's just not a position you want to be in. No matter how sure you are that every 'i' is dotted and 't' crossed, you just don't want to be there in the unlikely event of an issue.
>>
>> If it's full version public released software, the situation would be a lot different; with beta, you're done like a dinner.
>>
>>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Monday, 22 May 2006 10:59
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: SME LAN and ISA
>>
>> People who know what they are doing. If you are not comfortable with your skillset, then don't do it. But since you question our sanity, that means that you just know something we don't. Please give us a list of your specific issues with ISA2006 and the security vulnerabilities you have discovered.
>>
>> t
>>
>>
>> On 5/21/06 5:50 PM, "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx> spoketh to all:
>>
>>> Who in their right mind would use a product beta on a production LAN ????
>>>
>>> We have enough problems with the day to day stuff, and users, and business needs, and.........
>>>
>>> Why make extra problems of our own making!
>>>
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>> Sent: Monday, 22 May 2006 08:02
>>> To: isalist@xxxxxxxxxxxxx; Greg Mulholland
>>> Subject: [isalist] Re: SME LAN and ISA
>>>
>>> Don't listen to Greg. Use ISA2006 all you want (if you know what you are doing.)
>>>
>>> t
>>>
>>>
>>> On 5/21/06 2:21 PM, "Greg Mulholland" <greg@xxxxxxxxxxxxxx> spoketh to all:
>>>
>>>> and don't use ISA 2006!! It's beta.. use 2004..
>>>>
>>>> Greg Mulholland
>>>>
>>>>
>>>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Egyptian Mind
>>>> Sent: Mon 22/05/2006 1:45 AM
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Cc: gen_sib@xxxxxxxxx
>>>> Subject: [isalist] Re: SME LAN and ISA
>>>>
>>>> http://www.ISAserver.org
>>>> -------------------------------------------------------
>>>>
>>>> 1- Install the ISA server after the ADSL router and before the switch.
>>>>
>>>> 2- Put two interface cards in the server.
>>>>
>>>> 3- Attach one interface to the ADSL router (outside) and the other to the unmanaged switch (inside).
>>>>
>>>> 4- Assign an IP from your local LAN to the inside interface.
>>>>
>>>> 5- Assign any IP of the range given by the ISP (after the router NAT) to the outside interface.
>>>>
>>>> 6- Make your own rules on the ISA server.
>>>>
>>>>
>>>> BASIC SME NETWORK SETUP
>>>>
>>>> Internet Cloud
>>>>        |
>>>>        |
>>>>        |
>>>>        |
>>>> ADSL (AZTECH ETHERNET USB) Broadband Router
>>>> DHCP
>>>>        |        _____________________________
>>>>        |       |                             |
>>>>        |___outside interface (10.11.1.1/24)  |  ISA Server
>>>>         ___inside interface (192.168.1.1/24) |
>>>>        |       |_____________________________|
>>>>        |
>>>>        |______________________
>>>> LOCAL AREA NETWORK (Unmanaged Switch)
>>>> LAN IP Address 192.168.1.0/24
>>>>
>>>> ______________________________
>>>>
>>>> SBS2003-BOX (HP DL3*)                          LINUX-Box (HP DL3*)
>>>>
>>>> AD                                             OpenSource Helpdesk System
>>>> DHCP                                           OpenSource Network Monitoring (nagios, nmis)
>>>> DNS                                            SMS Pager
>>>> Intranet                                       AV (clamWin Free AV)
>>>> Accounting
>>>> MAILs (Pulled from ISP thru pop3 connector)
>>>> CRM
>>>> WSUS
>>>> AV (clamWin Free AV + AVG)
>>>>
>>>>
>>>> !~` Yesterday is a History` ~!
>>>> !~` Tomorrow is a Mystery` ~!
>>>> !~` Today is a Gift` ~!
>>>> !~` So we call it ...............` ~!
>>>> !~` Present .......Simple` ~!
>>>> Mob : +966 50 2953591
>>>>
>>>>
>>>>> From: Gene Sibbs <gen_sib@xxxxxxxxx>
>>>>> Reply-To: isalist@xxxxxxxxxxxxx
>>>>> To: isalist@xxxxxxxxxxxxx
>>>>> Subject: [isalist] SME LAN and ISA
>>>>> Date: Sun, 21 May 2006 02:25:59 -0700 (PDT)
>>>>>
>>>>> Greetings,
>>>>>
>>>>> I have attached a basic LAN setup diagram and I would like to pick your brains as far as the security is concerned.
>>>>>
>>>>> My objective is that the In/Outbound traffic must pass thru the ISA box.
>>>>>
>>>>> Based on the attached design I feel that the security is lacking. I have downloaded the ISA 2006 BETA version...and I want to introduce ISA Server as a member of the family to beef up security.
>>>>>
>>>>> How can I make ISA Server 2006 beta play with this basic design, bearing in mind that I don't have a static IP address from my ISP? My ADSL is DHCP, obtaining the IP address from the ISP.
>>>>>
>>>>> I want to run ISA2006 on a separate box completely.
>>>>>
>>>>> With many thanks!
>>>>>
>>>>> Gene Sibbs
>>>>>
>>>>>
>>>>>> BASIC SME NETWORK SETUP
>>>>>>
>>>>>> Internet Cloud
>>>>>>        |
>>>>>>        |
>>>>>>        |
>>>>>>        |
>>>>>> ADSL (AZTECH ETHERNET USB) Broadband Router
>>>>>> DHCP
>>>>>>        |
>>>>>>        |
>>>>>>        |
>>>>>> ________|______________________
>>>>>> LOCAL AREA NETWORK (Unmanaged Switch)
>>>>>> LAN IP Address 10.11.1.0/24
>>>>>>
>>>>>> ______________________________
>>>>>>
>>>>>> SBS2003-BOX (HP DL3*)                          LINUX-Box (HP DL3*)
>>>>>>
>>>>>> AD                                             OpenSource Helpdesk System
>>>>>> DHCP                                           OpenSource Network Monitoring (nagios, nmis)
>>>>>> DNS                                            SMS Pager
>>>>>> Intranet                                       AV (clamWin Free AV)
>>>>>> Accounting
>>>>>> MAILs (Pulled from ISP thru pop3 connector)
>>>>>> CRM
>>>>>> WSUS
>>>>>> AV (clamWin Free AV + AVG)
>>>>>> ______________________________
>>>>>>
>>>>>> Security is an issue here...
>>>>>>
>>>>>
>>>>
>>>> ------------------------------------------------------
>>>> List Archives: //www.freelists.org/archives/isalist/
>>>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>>>> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
>>>> ISA Server Blogs: http://blogs.isaserver.org/
>>>> ------------------------------------------------------
>>>> Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
>>>> ------------------------------------------------------
>>>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>> Report abuse to listadmin@xxxxxxxxxxxxx
>>>
>>
>
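The six-step reply quoted above puts the ISA box between the ADSL router and the switch with two NICs, one on the router's post-NAT range and one on the LAN. The diagram that goes with it quietly renumbers the LAN from the original 10.11.1.0/24 to 192.168.1.0/24, because the router side now uses 10.11.1.x and a dual-homed firewall cannot route between two legs that carry the same subnet. The following Python check is an added example written for this page; it is not code from the thread, from ISA Server, or from any of the posters. The subnet values come from the diagram; the "original LAN kept" case and the extra bad-plan inputs are constructed to show what the check catches.

```python
"""Sanity-check a dual-homed firewall addressing plan (two NICs: outside on
the router's post-NAT subnet, inside on the LAN), as in the six-step reply.

Added example for this page; not the thread's or ISA Server's own code.
The CIDR values below are taken from the ASCII diagram in the reply.
"""
from ipaddress import ip_interface, ip_network


def check_dual_homed_plan(outside: str, inside: str, lan: str) -> list[str]:
    """Return a list of problems with a two-NIC plan (empty list means OK).

    outside: firewall outside interface in CIDR form, e.g. "10.11.1.1/24"
    inside:  firewall inside interface in CIDR form, e.g. "192.168.1.1/24"
    lan:     the subnet the unmanaged switch carries, e.g. "192.168.1.0/24"
    """
    out_if = ip_interface(outside)
    in_if = ip_interface(inside)
    lan_net = ip_network(lan, strict=True)
    problems = []

    # Step 4: the inside NIC must carry an address taken from the LAN itself,
    # so LAN hosts can use it as their default gateway without extra routes.
    if in_if.ip not in lan_net:
        problems.append(f"inside address {in_if.ip} is not in LAN {lan_net}")
    if in_if.network != lan_net:
        problems.append(
            f"inside NIC network {in_if.network} disagrees with LAN {lan_net}")

    # The two legs must be distinct networks. Keeping the original
    # 10.11.1.0/24 LAN behind a router that also uses 10.11.1.x would leave
    # the firewall unable to tell which NIC a 10.11.1.x destination is on.
    if out_if.network.overlaps(in_if.network):
        problems.append(
            f"outside {out_if.network} overlaps inside {in_if.network}")

    # Neither NIC may use the network or broadcast address as its host address.
    for label, iface in (("outside", out_if), ("inside", in_if)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(
                f"{label} address {iface.ip} is the network/broadcast address")

    # Step 5: in this design the outside address sits in the router's
    # post-NAT range, which is private; the ISP-assigned DHCP address lives
    # on the router, not on the firewall.
    if not out_if.ip.is_private:
        problems.append(
            f"outside address {out_if.ip} is not a private (post-NAT) address")
    return problems


# Constructed cases: the revised plan from the diagram, and the original LAN
# numbering that would have collided with the router's subnet.
REVISED_PLAN = ("10.11.1.1/24", "192.168.1.1/24", "192.168.1.0/24")
ORIGINAL_LAN = ("10.11.1.1/24", "10.11.1.2/24", "10.11.1.0/24")

if __name__ == "__main__":
    for name, plan in (("revised", REVISED_PLAN), ("original LAN kept", ORIGINAL_LAN)):
        found = check_dual_homed_plan(*plan)
        print(name, "->", "OK" if not found else "; ".join(found))
```

Run it as-is to see the revised plan pass and the un-renumbered LAN fail on the overlap check; feed it your own three CIDR strings to vet a plan before cabling. The check deliberately treats the router-facing leg as private, matching the reply's "after the router NAT" wording; a design that puts the ISP address directly on the firewall would need that last test removed.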