Firewall Wizards mailing list archives

RE: Microsoft ISA Server

From: "Bill Royds" <lists () royds net>
Date: Fri, 21 Jun 2002 18:42:05 -0400

It is basically an extension of the Microsoft Proxy Server and its roots sometime shows. 
Advantages
        - can use NT domains for authentication
        - is a true Application Gateway server, but has limits on which services it provides
        - can cache web pages to speed up subsequent access (not a security feature though).
        - can provide RADIUS/Kerberos authentication to other servers 

Disadvantages
        - As an App Gateway, can be a bottleneck
        - Already has had several severe security bugs 
        - has not a proven track record and has limited proxying capability.

What I would recommend is to use it behind a stateful filter firewall like a PIX or ipchains or FW-1 to handle NT 
authentications, caching and some extra application level firewalling, while the FW-1 etc. faces the big bad Internet.
  That takes advantage of its strengths while limiting its possible weaknesses. You could put you web server farm 
between the FW-1 and the ISA server, with your internal users going through the ISA. This will cache what the internal 
users surf, speeding up access and the ISA can be used as an authenticator for the FW-1 firewall for access control.

   

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of
RWoerner () dor state ne us
Sent: Wed June 19 2002 09:37
To: firewall-wizards () nfr com
Subject: [fw-wiz] Microsoft ISA Server


We are looking at possibly using Microsoft's ISA Server as our
organization's firewall.
There are few reviews of it and it doesn't appear that it is used by many
organizations.
Is anyone on the list using it?
Does anyone have an opinion on it?
How well does it work as a firewall?
What are its pros and cons?

Any insights would be most appreciated.

Ron Woerner, CISSP
Information Security Officer
Nebraska Department of Roads
P.S.  My instincts say "don't trust Microsoft", however I want to be fair.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Microsoft ISA Server RWoerner (Jun 21)
- RE: Microsoft ISA Server B. Scott Harroff (Jun 21)
- RE: Microsoft ISA Server Bill Royds (Jun 21)
  - Re: Microsoft ISA Server Mikael Olsson (Jun 22)
- Re: Microsoft ISA Server R. DuFresne (Jun 22)
- Re: Microsoft ISA Server Patrick M. Hausen (Jun 22)
  - RE: NTLM on firewalls (was: Microsoft ISA Server) Ben Nagy (Jun 24)
    - Re: NTLM on firewalls (was: Microsoft ISA Server) Darren Reed (Jun 25)
- <Possible follow-ups>
- Re: Microsoft ISA Server R. DuFresne (Jun 26)