Welcome to the ISAserver.org newsletter! Each month we will bring
you interesting and helpful information on ISA Server. We want to
know what all *you* are interested in hearing about. Please send
your suggestions for future newsletter content to:
tshinder@isaserver.org.
1. Anti Microsoft Firewall Fatigue Syndrome (AMFFS)
By Dr. Thomas W Shinder
If you’re reading this newsletter, there’s a good chance you’re
either already an ISA firewall administrator or wish to become one
in the not-too-distant future. As an ISA firewall admin, you’ve
probably run into people who:
- Don’t know what an ISA firewall is,
- Think it’s some sort of caching server, akin to the old CacheFlow product (purchased by Bluecoat) or Squid, or
- Believe only hardware firewalls are inviolate and so-called “software” firewalls are as penetrable as warm custard and aren’t meant to be perimeter datacenter or enterprise firewalls.
Teaching the guys who never heard of an ISA firewall can be a
profoundly rewarding experience. You get to tell them about how an
ISA firewall provides strong inbound and outbound access controls in
ways that no other firewall can provide, how it blocks file sharing
programs, how it prevents malicious users from violating network
security policies such as downloading copyrighted material, how the
ISA firewall provides superior protection for Microsoft Exchange
services including OWA and MAPI/RPC, and how it is so easy to
configure that it blows away all other firewalls on the market (if
you don’t believe it, look at Checkpoint NG’s Byzantine management
interface).
The other two guys test my patience.
First, there’s the “ISA is a Web Proxy or caching server thingie, I
think” guy. This guy probably read some industry rag or attended a
conference where a security or firewall “guru” who’s never seen an
ISA firewall proudly and oracularly stated: “ISA is an update to
Proxy Server 2.0”.
What’s up with that? ISA firewalls are honest-to-goodness,
enterprise class firewalls that provide the strong inbound and
outbound access control and application layer filtering you need to
protect today’s networks, not the networks of yesteryear at
which traditional packet-filter-based firewalls are aimed. What
really drives me to the point of distraction is that these guys have
a really hard time letting go of the Proxy 2.0 fantasy. Yet, unless
they’re untrainable, you can usually disabuse them of their
misconceptions.
The “hardware firewalls descended from heaven” people are the most
difficult. They’ve been told over the years that hardware (ASIC-based)
firewalls are the “acme” of all possible firewalls, and any firewall
not based on ASIC is a lowly software firewall and doesn’t even
deserve the name of “firewall”. One wonders how they reconcile their
dogma with the fact that the number one selling firewall product is
CheckPoint, a (gasp!) software based firewall. I have to put the
ASIC true believers group with those who still believe the earth is
flat, believe the Universe revolves around the earth, and are sure
that the Moon follows them when they walk home from a big night at
Pizza Hut.
The hardware firewall fantasy is actually based on a historical
reality. In the past, firewalls could provide a reasonable level of
security and performance using simple packet filtering mechanisms
that look at source and destination addresses, ports and protocols,
and make quick decisions. Since the logic is “burnt-in” to the ASIC
(Application Specific Integrated Circuit), it’s not easy to hack the
basic system. However, attackers have learned that you don’t need to
hack the core instruction set to get around the relatively poor
security that hardware-based systems provide.
You can find an excellent article debunking the myth of ASIC
superiority at
http://www.issadvisor.com/viewtopic.php?t=368. The author makes
a very good case showing that hardware firewalls will never be able
to keep pace with modern threat evolution and that one-box software
based firewalls are the future of network firewalls and perimeter
security. Therein lies the massive advantage conferred by your ISA
firewall: it can be quickly upgraded and enhanced to meet not only
today’s threats, but also the exploits against which you’re sure to
need defense in the future.
The ISA firewall, be it ISA Server 2000 or ISA Server 2004, is the
ideal mainline enterprise firewall (mainline in the context that it
protects mission critical systems). The problem is the members of
the critical chorus who have swallowed the ASIC pill and can’t
accept this fact.
For example, the article at
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss346_art676,00.html
extends the misconception that ISA firewalls aren’t suited to be
enterprise perimeter firewalls. The problem is that comments such as
“ISA 2004 isn't going to replace mainline, perimeter firewalls, nor
is it intended as a sole layer of protection for Microsoft apps,
but it's a pretty good addition to the layers of the security onion”
imply that there is only a single network or security perimeter.
Like most commentators who make similar statements, those who say
this never come up with reasons supporting their de profundis
assertion. It’s especially problematic when some of the assertions,
such as ISA not providing the highest level of protection for
Microsoft apps, run so far afield from the facts that they end up
sounding like a canard.
In fact, enterprise networks contain many security perimeters (see
my article on this subject at
http://www.networkengines.com/lib/whitepaperdownload.aspx?wp=ISAFirewall).
No, I wouldn’t want the ISA firewall as the Internet edge or at
edges of very high traffic backbone segments, because only a simple
(and thus fast) packet-filter-based firewall can meet the
packet-passing performance requirements at those locations. However,
it is important to realize that high-speed packet passing with
simple packet filters and “fix-ups” doesn’t equal acceptable
security – these hardware-based packet passing firewalls are useful
for very high traffic perimeters, but are of little use at the
perimeters that border the server and client systems because of
their lack of deep application layer intelligence.
So, the next time you run into a firewall or security expert
proselytizing the impenetrability of “hardware” firewalls and
ragging on so-called “software” firewalls, belly up to the bar and
give the so-called “expert” a strong reality check. He might just be
salvageable, and the network he ends up saving with the ISA firewall
might be his own.
By Stephen Chetcuti
We are pleased to announce the launch of our latest site - WindowsNetworking.com - a site completely dedicated to Windows networking related topics such as setting up Windows NT/XP/2000/2003 networks, troubleshooting, connectivity and much more.
With the launch of WindowsNetworking.com, we are extending our ongoing commitment to providing free, high-quality content to IT professionals and enthusiasts. We've wasted no time adding a vast range of content that will keep you busy reading for a long time! Everything is presented in the same clean and easily navigable design our visitors have come to expect.
- You'll currently find over 250 articles and tutorials on WindowsNetworking.com with fresh articles being added every week. Get in-depth knowledge on diverse topics such as General Networking, Network Troubleshooting, Dial-up Networking, ADSL articles and more.
- Email Updates - Subscribe to the WindowsNetworking.com newsletters to receive email updates on all newly added articles to make sure you don't miss a thing!
- Software Directory - The comprehensive software directory includes hundreds of titles in a variety of categories such as Network Inventory Software, Patch Management Software, Network Monitoring Software and more, allowing you to quickly find the right solution for your needs.
WindowsNetworking.com will soon launch additional site features....
- Join us on the forthcoming Email Discussion List and online Message Boards where everyone is able to discuss anything related to networking.
- Tips - An extensive Tips section with thousands of Windows and networking related tips from administrators throughout the world will be added to the site shortly, with even more site features on the way!
We invite you to drop in for a visit, we're sure you'll be impressed and that you'll feel right at home on WindowsNetworking.com!
By Thomas W Shinder
ISA Server and Beyond is now available! We've included tons of
stuff on DMZs, firewall chaining, hierarchical Web caching (Web
Proxy chaining), SSL bridging, SSL publishing, OWA, Secure
IMAP4/SMTP/POP3 publishing, and publishing services on the ISA
Server itself! Most of this stuff isn't described anywhere else.
If you're ready to take ISA Server 2000 to the next level, then
this is a book you must have.
Click here to order ISA Server and Beyond from Amazon.com today!
Are you wrestling with ISA Server? Need to get your head around
what makes ISA Server tick? If so, consider my one-day seminar
on ISA Server. I'll bring meaning to inbound and outbound
access, ISA Server client types, Web and Server Publishing, and
VPN Servers and VPN Gateways. I guarantee you'll learn something
new and maybe even have fun along the way. The next seminar is
May 9th here in Dallas, Texas. Click
HERE for more info and I hope to see you there!