Re: Straw poll - separate ISA from SBS base

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Dec 2001 17:22:37 -0800

More inline... ;-)
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Connor Moran" <isa@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 13, 2001 15:56
Subject: [isalist] Re: Straw poll - separate ISA from SBS base


http://www.ISAserver.org


> The interesting thing is you're talking about a licensing,
> not a security issue.
>

I understand what you're saying, but I believe that there are elements
of security running a complete suite of Exchange, SQL, IIS5 and ISA on
one machine with a dual NIC. Compromise the machine and you have access
to the entire application suite without any more effort.

Absolutely!  That's the tradeoff, unfortunately.  Another thing to remember
is that MS is first and foremost, a business and as such, many product
configuration and (especially) licensing options are not "server-smart".
This is undoubtedly an area of investigation for MS in light of other recent
efforts in the security arena for them.

> SBS2K is intended for those folks who can't afford to
> dedicate a server per function (that's why it's called "Small
> Business Server").
>

This is why I ask the question. We see more SBS than anything. It's the
"volume" product. It's exactly this type of install that will end up
being the more common, and perhaps the least likely to be correctly
secured, and then the most vulnerable, all on one machine. As I said,
our clients that understand enough, want to create a sacrificial ISA
machine that can be blown away with a simple Ghost image reload if
problems are suspected (and then re-secured).

See above...

> There are always tradeoffs between security and functionality, and
> this is one place where "bang for the buck" was highest on the
> list.
>

Part of my point, perhaps not explained, was that the trade-off is
artificial. Microsoft created an excellent security product, but won't
allow it to be separately installed for that extra piece of security if
the client desires.

* Disagree as explained above; the business requirements often override
functionality provided.  MS is relatively new to the "real" enterprise world
compared to many OS and app developers and is learning as they move.

Is there extra security to be had from a separate ISA machine truly and
physically between application servers?

* Yes, but again, what are the majority of folks willing to trade for it?

As far as I can see the SBS ISA just allows Exchange, SQL, IIS5 to
publish themselves via Packet Filters on the external NIC. From an
external point-of-view, the services are there without ISA. Is ISA then
involved in any filtering or intrusion detection?

* Yes; ISA is always involved.  Granted; packet filtering is the weakest
form of server publishing, but then again, not all services on the ISA
require that method.  That's a generalization that fits most scenarios.
Trial and error in a test environment is called for before deploying the
production server.

Regards,

Connor Moran

