Firewall Wizards mailing list archives

RE: Application Proxy/L7 Firewall Recommendation?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 9 Sep 2002 09:52:32 -0400 (EDT)

On Mon, 9 Sep 2002 ark () eltex ru wrote:


>> Microsoft ISA Server <gasp, he didn't really mention a non-*nix based
>> product, much less a Microsoft product did he> :-)

>> Actually, you really can use Microsoft ISA Server for this in various
>> configurations.

> As well as any other firewall system.
> No ISA advantages here.

Actually, the client coupling may be considered an advantage in some 
cases.  Depending on your desktop environment, it may be a significant 
advantage- such as if you've permissioned desktop users away from 
installing and renaming software.

>> Blocking Instant Messenger and other apps - article assumes that you are
>> running the ISA client software:
>> http://www.isaserver.org/pages/article.asp?id=215

> There are 2 techniques described here:
> blocking by windows executable name - trivial and trivial to bypass

AFAIK, ISA is the only non-"PC firewall" product that does this.  It 
doesn't matter that it's trivial to bypass in some instances...

For instance, it may be very useful for policy enforcement- anyone who 
"doesn't know" the policy will create a denied log entry and can be 
suitably chastised by the policy police who come a waving their CISSP 
badges.  Anyone who purposefully renames executables is definitely on the 
list of "knowingly violating the policy" and can get scheduled for their 
HR appointment or outprocessing briefing.

> blocking by destination IPs - ...

>> Also, it looks like the hard core content filtering may come best via
>> partners running on top of ISA, for example GFI:
>> http://www.microsoft.com/isaserver/partners/contentsecurity.asp
>>
>> You can also use URLscan to do content filtering, but it is not officially
>> supported (MS really pushes the partners to do this function the "right"
>> way).
>>
>> If you want more info, check out www.isaserver.org. It is a really good ISA
>> reference site.

> None of those will do things requested by original poster.

Sure they will, they just do it in a different way, and depend upon other 
environmental issues.  That we don't *know* the original poster's 
environment makes it all the more important that the choice be presented.

> (actually there is no reliable way to do, though technique implemented in
> zorp seems to be the best)

Ah, but if I had to do this, I'd sure look at a layered implementation 
that included ISA on the inside to catch the folks who get to have an 
enforced policy reading session and zorp on the outside to go after the 
ones who are seeking other career opportunities.

In fact, the more I think about it, the more I like being able to 
differentiate between the casual "lemme try clicking and see if it works" 
policy violator and the active "I'm going to rename stuff and run this 
anyway" one.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
