Firewall Wizards mailing list archives

Re: Microsoft ISA


From: "Volker Tanger" <volker.tanger () discon de>
Date: Mon, 10 Mar 2003 10:51:46 +0100

Greetings!

On Fri, 7 Mar 2003 20:35:53 -0800 (PST)
Rob Beyman <robbeyman () yahoo com> wrote:

> Has anyone used this, and
> if so, is it as bad as I think it's going to be or is
> it just my prejudice from too much time spent plugging
> the holes that the worm of the month exploits showing
> through?

I've worked (a lot) with its direct predecessor (sp?), the MS-Proxy -
including debugging sessions in Microsoft's labs in Munich. And
from what I've seen, the ISA is not really much more than a bit of polish
packed over the old internals:

    * port filters on the interfaces
    * stateless packet filter
    * socks proxy with few filter possibilities - that's where they 
      claim the "stateful inspection" from
    * HTTP proxy coded as IIS plugin with some URL filtering


Or in short: too few, dispersed and incoherent functionality (for a
firewall) on a base OS that's dragging along too much ballast for what
is needed for a firewall.

So I'd suggest getting a "real" even if basic firewall (software or
appliance) that supplies:
        - simple, reliable software update
        - consistent configuration/management
        - unified logging (e.g. to external, too) that makes log 
          evaluation possible

The maintenance cost (i.e. TCO) will be *way* less than maintaining an
ISA properly. You can still use the ISA as proxy (even if there are
better options for that IMHO, too).

Bye

Volker Tanger
IT-Security Consulting



PS: This is my personal, subjective opinion, not necessarily the same 
    as my employer's.

-- 

discon gmbh
Wrangelstraße 100
D-10997 Berlin

Telefon  (030) 6104-3307
Telefax  (030) 6104-3435

volker.tanger () discon de
http://www.discon.de/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

