RE: Some question on ISA Server functionality

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 Apr 2004 08:23:50 -0500

Hi Troy,

The PIX is a very nice packet filter, but its firewall features are
sorely lacking. In recent application layer filtering tear down reviews,
Cisco doesn't even submit the PIX, because its firewall model is more
suited to front-end high capacity packet filtering, not true modern-day
firewall inspection. It has a place in front of the ISA firewall if you
have OC12 lines you need to service, but to use a PIX to protect the
back end services, you have to have implicit faith in all servers you
publish to the Internet, 'cause the PIX isn't going to be much help
except for "opening a port" (it does have an Open Port button, doesn't
it?).

Each product should be used to leverage its strengths. I admit that the
ISA team needs to work on the networking model, because you really
need to be able to control the source IP address for outbound
connections, but I'm sure they'll fix that (right Jim?) :-)

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx] 
Sent: Wednesday, April 14, 2004 8:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Some question on ISA Server functionality


http://www.ISAserver.org

*remembers to read all replies FIRST before assuming that ISA can do things
that a PIX can do*

D'Oh!

Troy Radtke



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, April 14, 2004 4:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Some question on ISA Server functionality


Hi Radien,

ISA NATs from LAT to non-LAT hosts. Routes from LAT to LAT hosts or
non-LAT to non-LAT hosts.

Packet filters control LAT to LAT and non-LAT to non-LAT communications.

Protocol Rules control LAT to non-LAT communications.

No granular control of IP address bindings with LAT. Access control via
packet filters is like with Linux, just weak packet filtering without
strong access control.

Firewall Client enables strong user/group based authenticated outbound
access and secondary connection management using a generic Winsock
proxy. Far superior to primitive packet filtering which is ignorant of
application layer and authenticated access control.

HTH,
Tom

-----Original Message-----
From: radien@xxxxxxxxx [mailto:radien@xxxxxxxxx] 
Sent: Wednesday, April 14, 2004 5:14 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Some question on ISA Server functionality


Dear All
I'm a Linux guy, and trying to understand ISA Server 2000.

I read ISA Server 2000's documentation. There are some things that I can't
understand.

See, it's what I think about ISA Server and I'm not sure about them,

+Am I right about them:
--------------------------------------------------------------------------------
 
It seems ISA Server NATs outgoing traffic by default.

It seems ISA Server uses fire client software to detect RELATED packets
(related to an application that has existing connection(s)) for those
protocols that do not have a defined application filter.

--------------------------------------------------------------------------------


+And here my questions:
--------------------------------------------------------------------------------
 
How to NAT to many (more than one) IPs? (Specific or mapping to a
range)

How about ordinary routing between different networks? Especially if you
want to put some access control or filtering on passing through traffic.

What is the order of processing "IP Packet Filter" rules, for a packet?

--------------------------------------------------------------------------------

Thx in advance
Regards
__Radien__

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
