Re: Straw poll - separate ISA from SBS base

  • From: Connor Moran <isa@xxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 14 Dec 2001 07:56:27 +0800

> The interesting thing is you're talking about a licensing,
> not a security issue.
>

I understand what you're saying, but I believe that there are elements
of security running a complete suite of Exchange, SQL, IIS5 and ISA on
one machine with a dual NIC. Compromise the machine and you have access
to the entire application suite without any more effort.

> SBS2K is intended for those folks who can't afford to
> dedicate a server per function (that's why it's called "Small
> Business Server").
>

This is why I ask the question. We see more SBS than anything. It's the
"volume" product. It's exactly this type of install that will end up
being the more common, and perhaps the least likely to be correctly
secured, and then the most vulnerable, all on one machine. As I said,
our clients that understand enough, want to create a sacrificial ISA
machine that can be blown away with a simple Ghost image reload if
problems are suspected (and then re-secured).

> There are always tradeoffs between security and functionality, and
> this is one place where "bang for the buck" was highest on the
> list.
>

Part of my point, perhaps not explained, was that the trade-off is
artificial. Microsoft created an excellent security product, but won't
allow it to be separately installed for that extra piece of security if
the client desires.

Is there extra security to be had from a separate ISA machine truly and
physically between application servers?

As far as I can see the SBS ISA just allows Exchange, SQL, IIS5 to
publish themselves via Packet Filters on the external NIC. From an
external point-of-view, the services are there without ISA. Is ISA then
involved in any filtering or intrusion detection?

Regards,

Connor Moran
