From all I've read and heard, you can't separate the SBS2K components.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Jim Locke" <jim@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 13, 2001 18:15
Subject: [isalist] Re: Straw poll - separate ISA from SBS base

http://www.ISAserver.org

I have a simple question for this thread. I have a customer that is thinking of SBS for 2 reasons:

1) ISA
2) Exchange

Now my question is: Has the ISA included in the SBS been modified to only install on SBS? They already own a Win2k server, so ISA was to go there and Exchange on the SBS.

Jim

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 13, 2001 5:22 PM
Subject: [isalist] Re: Straw poll - separate ISA from SBS base

> More inline... ;-)
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the book!
>
> ----- Original Message -----
> From: "Connor Moran" <isa@xxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, December 13, 2001 15:56
> Subject: [isalist] Re: Straw poll - separate ISA from SBS base
>
> > The interesting thing is you're talking about a licensing,
> > not a security issue.
>
> I understand what you're saying, but I believe that there are elements
> of security running a complete suite of Exchange, SQL, IIS5 and ISA on
> one machine with a dual NIC. Compromise the machine and you have access
> to the entire application suite without any more effort.
>
> Absolutely! That's the tradeoff, unfortunately. Another thing to remember
> is that MS is first and foremost a business, and as such, many product
> configuration and (especially) licensing options are not "server-smart".
> This is undoubtedly an area of investigation for MS in light of other recent
> efforts in the security arena for them.
>
> > SBS2K is intended for those folks who can't afford to
> > dedicate a server per function (that's why it's called "Small
> > Business Server").
>
> This is why I ask the question. We see more SBS than anything. It's the
> "volume" product. It's exactly this type of install that will end up
> being the more common, and perhaps the least likely to be correctly
> secured, and then the most vulnerable, all on one machine. As I said,
> our clients that understand enough want to create a sacrificial ISA
> machine that can be blown away with a simple Ghost image reload if
> problems are suspected (and then re-secured).
>
> See above...
>
> > There are always tradeoffs between security and functionality, and
> > this is one place where "bang for the buck" was highest on the
> > list.
>
> Part of my point, perhaps not explained, was that the trade-off is
> artificial. Microsoft created an excellent security product, but won't
> allow it to be separately installed for that extra piece of security if
> the client desires.
>
> * Disagree as explained above; the business requirements often override
> functionality provided. MS is relatively new to the "real" enterprise world
> compared to many OS and app developers and is learning as they move.
>
> Is there extra security to be had from a separate ISA machine truly and
> physically between application servers?
>
> * Yes, but again, what are the majority of folks willing to trade for it?
>
> As far as I can see the SBS ISA just allows Exchange, SQL, IIS5 to
> publish themselves via Packet Filters on the external NIC. From an
> external point-of-view, the services are there without ISA. Is ISA then
> involved in any filtering or intrusion detection?
>
> * Yes; ISA is always involved. Granted; packet filtering is the weakest
> form of server publishing, but then again, not all services on the ISA
> require that method. That's a generalization that fits most scenarios.
> Trial and error in a test environment is called for before deploying the
> production server.
>
> Regards,
>
> Connor Moran

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')