I've seen/read the Cisco security guides on NSA... I've seen
misconfigured appliance firewalls. There's a lot of complexity out
there even in these dedicated devices.
I'm not convinced 'the vast majority of that complexity doesn't exist'
is a valid statement anymore in what we have going through our
firewalls these days and what we have installed.
I'm an SBSer, so throw me out the best practices window anyway as I break
all of 'em ... but take a box [a], stick a secure.inf template on it or
run the Secure Configuration Wizard; I'm just not convinced that, unless
you have folks that understand that firewall, you can make such blanket
statements these days.
Cisco Router Security Recommendation Guides // National Security Agency //:
http://nsa2.www.conxion.com/cisco/
[a] and when I say ..take a box... that means Windows 2003 only, 2000
even with .inf's applied just isn't the same beast.
Abe Getchell wrote:
Susan,
ISA is a very flexible piece of software, as mentioned previously in
this conversation. In technology, flexibility usually implies
complexity. In this case, that implication is very true, as both ISA
and Windows are extremely complex pieces of software. Complexity is
not something you want in a firewall, under any circumstances, but
especially not on the perimeter (given a "buffer" which usually exists
in regards to an internal firewall). Complexity means more moving
parts, more things to break, more things to misconfigure, more things
to manage... With an appliance (or appliance-like) solution, the vast
majority of that complexity doesn't exist. This theory is a simple
"best practice" which many organizations follow, or should, if they
don't.
Another problem I have, personally, with ISA is the fact that it's
(usually) tied into the same directory which an organization uses to
manage the rest of their business systems. This functionality should
be completely separate in theory (in accordance with "best practices"
as well as what Microsoft has stated in numerous whitepapers), but in
practice, it usually is not. Managing your perimeter firewall via the
same directory you use to manage the print server which is on your
internal network is NOT a good idea, for any number of reasons.
Abe
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com