Susan, On Tue, 2005-11-15 at 17:51 -0800, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: > The annoying SBSer with ISA on her box is going to challenge you on that > one. > > What exactly doesn't feel quite right? Why does it not feel right?
I tried to explain some of this to Jim Harrison, although I'm not necessarily sure that I did a fantastic job; to him, yesterday, I said this: "Actually, a lot of my unease comes from the fact that I just don't understand it. I'm sorry to drag another thread into a windows vs. linux comparison, but going with what I know which is !windows, I know (fairly well) how netfilter mangles my packets when I setup a ruleset, I can debug it when it breaks, etc (I can follow the code) - I can't say the same about ISA Server, and I put a lot of faith in the product working as advertised when I use it. Part of my unease is attributable to this!" As I pointed out elsewhere in the message, I really do like ISA - I think it's a great product, and I've used and deployed it anywhere and everywhere from companies with half a dozen users on top of SBS to clustered deployments spanning multiple vlans with thousands of clients. But that said, when discussing the benefits and shortcomings of various firewalls, I stand by my original statement that in an internet facing role, ISA often "Just doesn't feel right". A lot of this comes from the factor I mentioned above, that I really don't understand how ISA works (and whilst I'm hardly an expert on the inner workings of checkpoint or IOS either, IOS is ubiquitous enough that it has acceptance through scale of deployment as a network device, and checkpoint is sufficiently close to other operating systems which I do understand that I can feel more comfortable with it in this role). Again, don't get me wrong either that I don't think ISA should be deployed in an internet facing role - I've deployed ISA like this before, and I too have run ISA at home - more recently I ran a copy of 2004 enterprise edition on a spare machine for my internet connectivity (for several months), and before that I actually ran it on top of SBS too - inside a virtual PC instance of 2003 server on top of SBS! (this actually worked surprisingly well :P) - I'll be the first to admit it's versatile! ;) > In my network I like it because it's on a platform that I can monitor > easier. Control better. Patch easier. [WSUS will soon support ISA as a > matter of fact] > > Isn't the same true for big networks? Possibly - in many big networks I think that the promises made by appliance vendors really do matter - I see a lot of checkpoint firewalls in particular in instances where the attitude that people have is that the proprietary magic of the operating system makes it harder for those evil hackers to break into (or where people just don't associate 'firewall' with 'server' at all and don't realise that it's running an OS and can be compromised in a similar way to a regular server). Platform diversity is also a good thing - quite simply, having a windows infrastructure with windows desktop clients and windows firewalls just seems to be running a little too close to the proverbial wind for my liking (something about eggs and baskets here). Heterogenous environments may be something that small businesses don't worry about (actually, generally the reason I don't see ISA deployed in small businesses is the price - an appliance or linksys router is much cheaper), but working as I am for the moment for an organisation which has three datacenters spread out over a wide area for Disaster Recovery, running on one platform after spending so much time/effort to 'diversify' your infrastructure (geographically, organisationally, etc) for security just isn't a good idea. In my experience, this is quite a common criticism, particularly coming from 'firewall guys' who are used to the beast formerly known as MS Proxy Server! > I think we all need to let go of our OS perceptions and look at the > realities of operating systems these days and what not. If we can't > control it...understand it...I'm not sure it's not helping in the > security fabric of my network. Absolutely - interesting that 'control' and 'understanding' are two of the points I'm hesitant on with ISA and yet they're two of the points you cite in its favour! ;) The fact that it's running on a general purpose operating system, to my mind, is a good thing - it does offer a great degree of control over a device (firewalls) which traditionally people have had less control over - but for me, the degree to which I cannot customise ISA or Windows themselves is also a disadvantage - however locked down and switched of windows is, it's still a general purpose operating system with general purpose components, with DLLs, services, APIs, and drivers that I simply don't need in a firewall box. Similarly with ISA, if all I want is a stateful firewall, there's a lot of gunk in there that I can't turn off which is still hanging around slowing the firewall down and eating disk space/memory/CPU. As an example - Stateful packet firewalling really doesn't take that much code - if you take a look at m0n0wall, a BSD-based firewall distribution designed to operate on appliance-like hardware (such as soekris's excellent line of embedded PCs), the installation image is about 5 megabytes - including the operating system, firewalling code, and httpd for configuration. 5mb wouldn't hold the configuration for ISA, let along the program code! The fact that BSD is so customisable means that the authors of m0n0wall have been able to chop out everything unnecessary in the kernel and userspace, and literally run a system with what's required and nothing more. A 5mb image is so small that the standard method of deployment is to run it off a compact flash card and load the OS into memory at runtime - which coupled with the tiny overhead of the OS and firewalling stack, makes for a lightning fast firewall which is just as capable (for what it's designed for) as ISA. > Our firewalls are not our perimeters any more. > > http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032286231&EventCategory=3&culture=en-US&CountryCode=US They are and they aren't - I've seen plenty of well-segregated corporate networks where firewalls are a very effective perimeter, but firewalls have never been absolute dividers between 'good' and 'evil' traffic, and any competent security or network professional would have told you this 10 years ago! If firewalls had always been security boundaries, no-one would ever have (seriously) bothered with patch management, Intrusion Detection, antivirus protection, etc. Hopefully that helps to elucidate my viewpoint - if you want to tear it apart or ask more questions, feel quite free! :) - James > James Eaton-Lee wrote: > > On Tue, 2005-11-15 at 11:58 -0500, Marcos Marrero wrote: > > > >> Hello to all, > >> > >> I have a question to see what everyone out there thinks. Here it goes... > >> > >> Is it better to have a firewall appliance (Checkpoint, Juniper, etc) or > >> is ISA server enough to use as a firewall (along with all of the other > >> options it provides)? > >> > >> Of course the ISA server would sit facing the internet, like a firewall > >> would and it would have to sit on a hardened machine. > >> > >> Just want to know what everyone out there thinks about this > >> configuration or idea? > >> > > > > What you have to bear in mind here is that an appliance is, generally, a > > hardware platform fairly similar to that which you might deploy ISA on > > top of, with a proprietary operating system (typically based on freebsd, > > or some other BSD-derived OS). Oftentimes these firewalls will run from > > flash memory rather than hard disks, but that aside there can be very > > few differences - I've seen more than one appliance (checkpoint being > > just one) based around a fairly standard ATX motherboard with an > > AthlonXP chip! > > > > Appliances have advantages in some instances and not in others. > > > > Specifically, due to the overhead of running ISA (which is harder to > > chop down to provide a subset of the capabilities of a simpler package) > > and a large, general purpose operating system, you'll almost find that > > an appliance will handle a greater load then ISA on a similar box, > > particularly if you're doing anything remotely intensive (although with > > modern hardware you'll frequently hit hardware limitations first). > > > > Arguably, due to the dedicated nature of an appliance, it's also securer > > as there are fewer running services, and there's more operating system > > hardening and more functionality gutted out of the operating system - > > less to go wrong, and less to exploit when something does. > > > > There are also disadvantages to appliances - they're, generally > > speaking, not designed to be administered in as comprehensive-a manner > > as their 'software' counterparts - meaning that when you do need to > > remove or add something it can be harder. This argument applies equally > > to adding NICs and, for instance, adding proxying capability. > > > > Specific to ISA, ISA is extremely flexible, and you'll probably find is > > far more capable of being deployed in different roles than, for > > instance, checkpoint. This is also a mixed blessing (as you don't > > necessary want ISA providing routing for your internet backbone, even if > > you can use it for this). It also benefits from domain integration, and > > (in my opinion), this is one of the most compelling arguments in its > > favour. > > > > You could also argue that if you want separation between different > > segments of your security strategy, this is a bad thing when compared to > > a set of checkpoint firewalls. > > > > You'll get a different argument on this from everyone (everyone has > > their favourite firewall), but hopefully that's outlined some of the > > broader arguments in favour of appliances vs. software firewalls. > > > > It's also worth looking (shudder the thought) at 'free' alternatives, if > > you're doing a comparison - and there are just as many different options > > here as there are in the commercial world, from the use of an operating > > system which provides routing/firewalling capability through > > kernel&userspace tools generally bundled with the OS (such as openbsd > > with pf, freebsd with ipfw, or linux with iproute2/netfilter) to an > > 'appliance' based on BSD or linux. > > > > The latter choice starts to become more appealing when you bear in mind > > that plenty of vendors (checkpoint, juniper and borderware being just a > > few) base their network devices on BSD (and some on linux, like > > linksys). It's another debate entirely what they add to bog-standard > > BSD, but the comparison is worth making. > > > > m0n0wall, ipcop, smoothwall and redwall are all worth looking at in > > these situations - m0n0wall being perhaps the most appropriate for > > deployments you may be looking at. They are worth at least looking at > > when in the commercial world, license fees are such a large > > consideration! > > > > The only last point I'd make is that I'd be hesitant in deploying ISA in > > an internet facing role (although I do and have done that before) - but > > I don't really have a justification for this aside from "it just doesn't > > feel quite right". > > > > Hope that helps! :) > > > > - James. > > > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
