Re: Straw poll - separate ISA from SBS base

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Dec 2001 19:12:09 -0800

From all I've read and heard, you can't separate the SBS2K components.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Jim Locke" <jim@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 13, 2001 18:15
Subject: [isalist] Re: Straw poll - separate ISA from SBS base


http://www.ISAserver.org


I have a simple question for this thread.

I have a customer that is thinking of SBS for 2 reasons

1) ISA
2) Exchange

Now my question is:
Has the ISA included in the SBS been modified to only install on SBS?
They already own a Win2k server, so ISA was
to go there and Exchange on the SBS.

Jim

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 13, 2001 5:22 PM
Subject: [isalist] Re: Straw poll - separate ISA from SBS base


> More inline... ;-)
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the book!
>
> ----- Original Message -----
> From: "Connor Moran" <isa@xxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, December 13, 2001 15:56
> Subject: [isalist] Re: Straw poll - separate ISA from SBS base
>
>
> > The interesting thing is you're talking about a licensing,
> > not a security issue.
> >
>
> I understand what you're saying, but I believe that there are elements
> of security running a complete suite of Exchange, SQL, IIS5 and ISA on
> one machine with a dual NIC. Compromise the machine and you have access
> to the entire application suite without any more effort.
>
> Absolutely!  That's the tradeoff, unfortunately.  Another thing to remember
> is that MS is first and foremost, a business and as such, many product
> configuration and (especially) licensing options are not "server-smart".
> This is undoubtedly an area of investigation for MS in light of other recent
> efforts in the security arena for them.
>
> > SBS2K is intended for those folks who can't afford to
> > dedicate a server per function (that's why it's called "Small
> > Business Server").
> >
>
> This is why I ask the question. We see more SBS than anything. It's the
> "volume" product. It's exactly this type of install that will end up
> being the more common, and perhaps the least likely to be correctly
> secured, and then the most vulnerable, all on one machine. As I said,
> our clients that understand enough, want to create a sacrificial ISA
> machine that can be blown away with a simple Ghost image reload if
> problems are suspected (and then re-secured).
>
> See above...
>
> > There are always tradeoffs between security and functionality, and
> > this is one place where "bang for the buck" was highest on the
> > list.
> >
>
> Part of my point, perhaps not explained, was that the trade-off is
> artificial. Microsoft created an excellent security product, but won't
> allow it to be separately installed for that extra piece of security if
> the client desires.
>
> * Disagree as explained above; the business requirements often override
> functionality provided.  MS is relatively new to the "real" enterprise world
> compared to many OS and app developers and is learning as they move.
>
> Is there extra security to be had from a separate ISA machine truly and
> physically between application servers?
>
> * Yes, but again, what are the majority of folks willing to trade for it?
>
> As far as I can see the SBS ISA just allows Exchange, SQL, IIS5 to
> publish themselves via Packet Filters on the external NIC. From an
> external point-of-view, the services are there without ISA. Is ISA then
> involved in any filtering or intrusion detection?
>
> * Yes; ISA is always involved.  Granted; packet filtering is the weakest
> form of server publishing, but then again, not all services on the ISA
> require that method.  That's a generalization that fits most scenarios.
> Trial and error in a test environment is called for before deploying the
> production server.
>
> Regards,
>
> Connor Moran
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')

