More inline... ;-)

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Connor Moran" <isa@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 13, 2001 15:56
Subject: [isalist] Re: Straw poll - separate ISA from SBS base

http://www.ISAserver.org

> The interesting thing is you're talking about a licensing,
> not a security issue.
>

I understand what you're saying, but I believe that there are elements of security running a complete suite of Exchange, SQL, IIS5 and ISA on one machine with a dual NIC. Compromise the machine and you have access to the entire application suite without any more effort.

Absolutely! That's the tradeoff, unfortunately. Another thing to remember is that MS is first and foremost a business and, as such, many product configuration and (especially) licensing options are not "server-smart". This is undoubtedly an area of investigation for MS in light of other recent efforts in the security arena for them.

> SBS2K is intended for those folks who can't afford to
> dedicate a server per function (that's why it's called "Small
> Business Server").
>

This is why I ask the question. We see more SBS than anything. It's the "volume" product. It's exactly this type of install that will end up being the more common, and perhaps the least likely to be correctly secured, and then the most vulnerable, all on one machine. As I said, our clients that understand enough want to create a sacrificial ISA machine that can be blown away with a simple Ghost image reload if problems are suspected (and then re-secured).

See above...

> There are always tradeoffs between security and functionality, and
> this is one place where "bang for the buck" was highest on the
> list.
>

Part of my point, perhaps not explained, was that the trade-off is artificial. Microsoft created an excellent security product, but won't allow it to be separately installed for that extra piece of security if the client desires.

* Disagree as explained above; the business requirements often override functionality provided. MS is relatively new to the "real" enterprise world compared to many OS and app developers and is learning as they move.

Is there extra security to be had from a separate ISA machine truly and physically between application servers?

* Yes, but again, what are the majority of folks willing to trade for it?

As far as I can see the SBS ISA just allows Exchange, SQL, IIS5 to publish themselves via Packet Filters on the external NIC. From an external point-of-view, the services are there without ISA. Is ISA then involved in any filtering or intrusion detection?

* Yes; ISA is always involved. Granted; packet filtering is the weakest form of server publishing, but then again, not all services on the ISA require that method. That's a generalization that fits most scenarios. Trial and error in a test environment is called for before deploying the production server.

Regards,
Connor Moran