Microsoft ISA 2004 as a viable Company Firewall
#1
Scooby Regular
Thread Starter
As title. I've been playing with ISA 2004 Beta for use as an in-house web-proxy and even @ home as a firewall.
We need to re-evaluate our current Firewall solution @ work and we're looking at a product from Sun using Firewall-1.
Just wondering if ISA should be considered as a serious firewall for business use. Does anyone know of sites/organisations that actually test firewalls to see if they live up to the marketing hype?
Stefan
#4
Scooby Regular
It has had issues in the past, and one cannot rule out anything happening in future (how many times have you patched the same Windows OS?). Go with a proper dedicated firewall for peace of mind.
#9
Scooby Regular
Thread Starter
What size environments are you guys running? I'm sure the Cisco high-end stuff is fantastic kit, but has anyone experience in a Small-Medium business? Is the simpler/cheaper kit from the likes of Nokia/Cisco/SonicWall/Symantec just as manageable and secure?
What's the support channel like on these?
Stefan
P.S. This is quite interesting reading.
Last edited by ozzy; 30 March 2004 at 02:24 PM.
#10
Scooby Regular
I would be inclined to agree with the general opinion here. Look how long it has taken Cisco to sort out the Pix firewall. Up to this year, our R&D guys would not add Pix to the list of supported firewalls because they weren't happy with it (when you also consider that we are one of the top 20 or so buyers of Cisco kit, that is a very significant decision).
We've always been a big Nokia / Check Point house and they do appear to be very effective (currently nearly 1000 managed firewalls). Bear in mind that Microsoft has already re-written large parts of the security elements of XP for inclusion in the latest service pack - that to me speaks volumes. It's a brave man who would use ISA for their perimeter defence.
Sonicwall is a big favourite of mine (I used to install them all over the place) - very easy to setup and secure. The mid range stuff from Cisco and Check Point is equally effective. You are not sacrificing features, rather speed and processing.
Also have a look at Netscreen - very good kit and they've just been bought out by Juniper, so they must be doing something right.
I guess the ultimate decision comes down to budget and who will be supporting the device. There are plenty of sites and magazines that do firewall testing. A search on Google should reveal loads.
Chris
#11
Scooby Regular
If you want a reasonably priced all in one solution have a look at http://www.netpilot.com/
We have a couple for our satellite offices. They run on Linux and can act as firewall, mail server, anti-spam, proxy server, surf control, virus scanner and VPN depending on what modules you require. The support agreement we have with one of their resellers is a total replacement in 4 hours. They will replace the whole unit, import your settings and away you go.
In terms of configuration they are pretty noddy compared with the likes of Cisco, but they do the job.
#12
Scooby Regular
Thread Starter
Yeah, I used to work for a Reseller who sold the NetPilots. That was about 3 years ago, so I'll have a look at their recent products.
Stefan
#13
I've spent so much time with Netpilots in small server rooms with their incessant beepings that I hate them. Takes 20 minutes to reboot them... beep beep beep beep. Gaaaaah! When they work, they work, but we had lots of failures.
#14
Scooby Regular
Originally Posted by workshy_fopp
I've spent so much time with Netpilots in small server rooms with their incessant beepings that I hate them. Takes 20 minutes to reboot them... beep beep beep beep. Gaaaaah! When they work, they work, but we had lots of failures.
#15
Scooby Regular
OK......
If your firewall is not ICSA approved (http://www.icsalabs.com/) then don't use it for perimeter defense. I've had a play with ISA 2004 and it looks fine but... it relies on the underlying OS for its security. Can you ever be sure that you have hardened Windows correctly? 'cos I can't.
I also wouldn't recommend Checkpoint FW1 NG on Windows for the same reasons; Nokia/Intrusion.com is the way to go with Checkpoint. Appliances are great because they are pre-hardened, so anything from SonicWALL, Netscreen, Snap-Gear, Servegate, Watchguard, Fortinet etc. should/would be fine. Cisco Pix are a little odd and have only very recently been up to the same standard as the others I've mentioned. I find them a pain in the ar** to maintain or manage and would much prefer SonicWALL or Netscreen.
Deep Packet Inspection and Intrusion Prevention is this year's black and you should look at providing this functionality within your bastion host.
Security and Microsoft are not natural bedfellows....
Last edited by Jeff Wiltshire; 31 March 2004 at 06:43 AM.
#16
Scooby Regular
One last thought....
You might have the best firewall in the world, but unless it's configured correctly it's worse than having nothing... Security should be in layers, not a single 'shell'.
#18
Scooby Regular
Originally Posted by ozzy
Thanks Jeff,
How far are you from Brighton? Do you offer consultancy as well as reselling firewall solutions?
Stefan
Give me a shout if I can help (01892 839901)
Regards
Jeff
#19
Scooby Regular
Thread Starter
Thanks Jeff. I'm based outside Edinburgh myself, but Head Office is in Brighton. My Boss and the other IT admin guys are based there.
He's away on an Oracle course this week, so I'll speak to him on Monday and see if we can take the firewall replacement a stage further.
I'll let you know if things progress.
Stefan
#21
For a cheap but powerful solution, the winning firewall in last month's edition of Linux Format was SmoothWall Express 2.0.
Naturally I had to download it and stick it up on a spare machine.
I found it to be excellent. Via 3 network cards I had an internal, external and DMZ, all very easily controlled.
It has Snort built in along with IPSec, an HTTP proxy, mail gateway and PPTP.
You can SSH into it and configure everything by hand, or for the less geeky people who aren't familiar with both Linux and security, there is a great interface over both HTTP and HTTPS.
Definitely recommended. If I didn't run my own built firewalls I would consider this.
#22
Scooby Regular
Thread Starter
Yeah, I've used SmoothWall and IP-Cop on my home network. We run a Linux-based firewall just now (Trustix), but the support is cr@p and they're fecking us around with our current contract after the company was bought over.
The one thing IP-Cop has over SmoothWall (well, the free versions) is its support for multiple public IP addresses on a single NIC.
Stefan