Firewall Wizards mailing list archives

RE: PIX -> ISA -> OWA Configuration

From: Chris Blask <chris () blask org>
Date: Mon, 16 May 2005 01:59:35 -0400

Hey Tom!

At 02:16 PM 5/13/2005, Thomas W Shinder wrote:

Since the ISA firewall was designed to protect OWA, what would be the
rationale for not using an ISA firewall?

It isn't inherently a bad idea, as long as you can make that ISA server assecure as any other option. Making that server secure means configuringthe OS and all assorted paraphernalia correctly (much of which is there forreasons having nothing to do with - and in many cases in contrevention of -the intended purpose), keeping up on patches (and making sure they don'tstomp on existing desired function) and otherwise on-going care and fiddling.


Pros of ISA:

o  You have a single vendor solution with integrated mangement and function.

o Some of what you learn working on other MS solutions may apply to theISA server (but you may pick up bad habits, as well).

o There could be proprietary functions with the single-vendor solutionthat you cannot achieve via other means, and you could want to use thesefeatures (don't know of any, but they could be there in theory).


Cons:

o With all due respect to the folks at Microsoft, they do not have astellar track record on security. They do other things for a living.

o Running ISA on a Win OS means you will have lots of great capabilitiesinstalled on that ISA server and, hopefully, for now, those capabilitiesare turned off. The hackers' mission, should they choose to accept it, isto turn some of those capabilities back on and use your security device toeviscerate your network.

o You have a chain of implementations with similarcharacteristics. Should someone find an exploit that works on one link inthe chain, it is quite possible it will work on all links in the chain.

An appliance built and maintained by folks who focus on nothing else for aliving is a coherent specific answer to a question, as opposed to a one-offimplementation of a collection of components, some intended for the purposeand some not. Like all emerging technologies, at some point front-endingmail securely into a network precipitates out of solution into theinfrastructure and becomes a standard feature of something already there,but that time does not seem to be now.

For a topic in as much flux as email security, I think it is still theright time to go with the specialists. For my vote, a physical box thatdemarks the edge of trusted mailspace is a reliable solution that won'tcomsume undue resource to implement or maintain and will more likelyprovide the function and security you require.


-cheers!

-chris

PS - I have no involvement with BorderWare at the moment, so no axe togrind here. They and their competitors had good workable solutions last Ilooked.



Chris Blask
chris () blask org
blaskworks.blogspot.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: PIX -> ISA -> OWA Configuration, (continued)
- RE: PIX -> ISA -> OWA Configuration Sanford Reed (May 05)
- Re: PIX -> ISA -> OWA Configuration Jason Gomes (May 05)
- PIX -> ISA -> OWA Configuration woodsd001 (May 05)
  - RE: PIX -> ISA -> OWA Configuration Paul Melson (May 05)
    - Re: PIX -> ISA -> OWA Configuration Michael Brown (May 08)
    - RE: PIX -> ISA -> OWA Configuration Mark Tinberg (May 08)
    - Re: PIX -> ISA -> OWA Configuration Victor Williams (May 08)
    - Re: PIX -> ISA -> OWA Configuration Chris Blask (May 12)
- RE: PIX -> ISA -> OWA Configuration Behm, Jeffrey L. (May 08)
- RE: PIX -> ISA -> OWA Configuration Thomas W Shinder (May 15)
  - Message not available
    - RE: PIX -> ISA -> OWA Configuration Chris Blask (May 17)
- RE: PIX -> ISA -> OWA Configuration Jeremiah Cornelius (May 17)
  - Re: PIX -> ISA -> OWA Configuration Victor Williams (May 18)
- RE: PIX -> ISA -> OWA Configuration Paul Melson (May 17)