ScoobyNet.com - Subaru Enthusiast Forum


ozzy 29 March 2004 10:51 AM

Microsoft ISA 2004 as a viable Company Firewall
 
As title. I've been playing with ISA 2004 Beta for use as an in-house web-proxy and even @ home as a firewall.

We need to re-evaluate our current Firewall solution @ work and we're looking at a product from Sun using Firewall-1.

Just wondering if ISA should be considered as a serious firewall for business use. Does anyone know of sites/organisations that actually test firewalls to see if they live up to the marketing hype?

Stefan

stevencotton 29 March 2004 03:11 PM

I would most definitely not choose an MS product as the primary method of securing my network :)

ozzy 29 March 2004 04:04 PM

That was my gut reaction, but is it all hearsay or is it a very unsecure product?

Stefan

stevencotton 29 March 2004 04:06 PM

It has had issues in the past, and one cannot rule out anything happening in future (how many times have you patched the same Windows OS?). Go with a proper dedicated firewall for peace of mind.

stevem2k 29 March 2004 10:27 PM

Go with a FW1/NG or cisco pix solution IMO.

Steve

Puff The Magic Wagon! 30 March 2004 07:41 AM

When I do these things, I run a dedicated firewall then ISA behind that, so at my level, a Sonicwall Tele or summat, then ISA. Bit harder to configure but not relying on ISA as primary defence.

David_Wallis 30 March 2004 10:04 AM

Cisco Pix or Symantec offering (raptor)

what would scooby do 30 March 2004 11:58 AM

I'd second sonicwall as they are cheap but effective (and moderately obscure)

ozzy 30 March 2004 02:11 PM

What size environments are you guys running? I'm sure the Cisco high-end stuff is fantastic kit, but has anyone experience in a Small-Medium business? Is the simpler/cheaper kit from the likes of Nokia/Cisco/SonicWall/Symantec just as manageable and secure?

What's the support channel like on these?

Stefan

P.S. This is quite interesting reading.

Chris L 30 March 2004 02:24 PM

I would be inclined to agree with the general opinion here. Look how long it has taken Cisco to sort out the Pix firewall. Up to this year, our R&D guys would not add Pix to the list of supported firewalls because they weren't happy with it (when you also consider that we are one of the top 20 or so buyers of Cisco kit, that is a very significant decision).

We've always been a big Nokia / Check Point house and they do appear to be very effective (currently nearly 1000 managed firewalls). Bear in mind that Microsoft has already re-written large parts of the security elements of XP for inclusion in the latest service pack - that to me speaks volumes. It's a brave man who would use ISA for their perimeter defence.

Sonicwall is a big favourite of mine (I used to install them all over the place) - very easy to setup and secure. The mid range stuff from Cisco and Check Point is equally effective. You are not sacrificing features, rather speed and processing.

Also have a look at Netscreen - very good kit and they've just been bought out by Juniper, so they must be doing something right.

I guess the ultimate decision comes down to budget and who will be supporting the device. There are plenty of sites and magazines that do firewall testing. A search on Google should reveal loads.

Chris

ajm 30 March 2004 05:34 PM

If you want a reasonably priced all in one solution have a look at http://www.netpilot.com/

We have a couple for our satellite offices. They run on Linux and can act as firewall, mail server, anti spam, proxy server, surf control, virus scanner and VPN depending on what modules you require. The support agreement we have with one of their resellers is a total replacement in 4 hours. They will replace the whole unit, import your settings and away you go.

In terms of configuration they are pretty noddy compared with the likes of Cisco, but they do the job.

ozzy 30 March 2004 10:21 PM

Yeah, I used to work for a Reseller who sold the NetPilots. That was about 3 years ago, so I'll have a look at their recent products.

Stefan

workshy_fopp 31 March 2004 12:18 AM

I've spent so much time with Netpilots in small server rooms with their incessant beepings that I hate them. Takes 20 minutes to reboot them... beep beep beep beep. Gaaaaah! When they work, they work, but we had lots of failures.

ajm 31 March 2004 05:20 AM


Originally Posted by workshy_fopp
I've spent so much time with Netpilots in small server rooms with their incessant beepings that I hate them. Takes 20 minutes to reboot them... beep beep beep beep. Gaaaaah! When they work, they work, but we had lots of failures.

The older Power PC ones were very slow, but the new Intel based ones are much quicker, about 5 mins to reboot maximum. We had a failed Hard Disk on an older one but the others have been fine. I don't know about yours but ours only beep to let you know when they are rebooting and when they have completed rebooting :confused:

Jeff Wiltshire 31 March 2004 06:37 AM

OK......

If your firewall is not ICSA approved (http://www.icsalabs.com/) then don't use it for perimeter defense. I've had a play with ISA 2004 and it looks fine but....it relies on the underlying OS for its security. Can you ever be sure that you have hardened Windows correctly? 'Cos I can't.

I also wouldn't recommend Checkpoint FW1 NG on Windows for the same reasons, Nokia/Intrusion.com is the way to go with Checkpoint. Appliances are great because they are pre-hardened so anything from SonicWALL, Netscreen, Snap-Gear, Servegate, Watchguard, Fortinet etc should/would be fine. Cisco Pix are a little odd and have only very recently been up to the same standard as the others I've mentioned. I find them a pain in the ar** to maintain or manage and would much prefer SonicWALL or Netscreen.

Deep Packet inspection and Intrusion Prevention is this year's black and you should look at providing this functionality within your bastion host.

Security and Microsoft are not natural bedfellows....

Jeff Wiltshire 31 March 2004 06:45 AM

One last thought....

You might have the best firewall in the world but unless it's configured correctly it's worse than having nothing........Security should be in layers not a single 'shell'

ozzy 31 March 2004 10:42 AM

Thanks Jeff,

How far are you from Brighton? Do you offer consultancy as well as reselling firewall solutions?

Stefan

Jeff Wiltshire 31 March 2004 08:12 PM


Originally Posted by ozzy
Thanks Jeff,

How far are you from Brighton? Do you offer consultancy as well as reselling firewall solutions?

Stefan

We do consultancy and we're about 40-50 miles from Brighton.

Give me a shout if I can help (01892 839901)

Regards

Jeff

ozzy 31 March 2004 08:46 PM

Thanks Jeff. I'm based outside Edinburgh myself, but Head Office is in Brighton. My Boss and the other IT admin guys are based there.

He's away on an Oracle course this week, so I'll speak to him on Monday and see if we can take the firewall replacement a stage further.

I'll let you know if things progress.

Stefan

Jeff Wiltshire 01 April 2004 06:32 AM

I'm often in Dunfermline with a client....nice part of the world.

Gedi 01 April 2004 10:38 PM

For a cheap but powerful solution, the winning firewall in last month's edition of Linux Format was SmoothWall Express 2.0

Naturally I had to download it and stick it up on a spare machine.

I found it to be excellent. Via 3 network cards I had an internal, external and DMZ, all very easily controlled.

It has snort built in along with IPSec, an HTTP Proxy, Mail gateway and PPTP.

You can ssh into it and configure everything by hand, or for the less geeky people who aren't familiar with both Linux and security, there is a great interface over both HTTP and HTTPS.

Definitely recommended. If I didn't run my own built firewalls I would consider this.

ozzy 01 April 2004 10:46 PM

Yeah, I've used SmoothWall and IP-Cop on my home network. We run a Linux-based Firewall just now (Trustix), but the support is cr@p and they're fecking as around with our current contract after the company was bought over.

The one thing IP-Cop has over SmoothWall (well the free versions) is its support for multiple public IP Addresses on a single NIC.

Stefan


All times are GMT +1.