Your statements are fine as far as they go, but there is real (as opposed to anecdotal) data that directly contradicts your stated concerns. There are *lots* of Enterprise networks running ISA 2000 and/or ISA 2004 on the edge. Several of these customers have also consented to public case studies which are (proudly) posted on the microosft.com/isaserver pages.
Short story - no one has offered anything more than "ancient history" to counter the facts offered in ISA's favor. I can guarantee that literally no one would be more interested in hearing of a properly configured ISA server breach than I would. The fact is - it just hasn't happened. Jim Harrison Security Platform Group (ISA SE) If We Can't Fix It - It Ain't Broke! -----Original Message----- From: John Kinsella [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 16, 2005 9:11 AM To: [email protected] Subject: Re: ISA Server or Firewall Appliance? Susan et all... :) I'll attempt to address from the other end...I usually work with large clients on major networks. One cavaet: While quite familiar with Windows and it's positives/negatives, I haven't personally used ISA yet...gotta get it up in my lab. For me, I usually try to be OS-agnostic. An OS is a tool; as long as that tool meets my needs in an effective and efficient manner, I'm happy. In the environments I work in, network security is handled by network teams - firewalls usually are Checkpoint, Cisco or Juniper/Netscreen. They all have their pros and cons. As a security professional, I became ok with the concept of Windows in the infrastructure as a db/app/web server, as long as the OS is hardened and the box is firewalled at least to layer 4. Boxes that I recommend as firewalls have proven over time that they have a reliable network stack, can provide fault-tolerance, can easily handle wire-speed attacks, and use a command line which the network administrators[1] are familiar with. Windows has not demonstrated a reliable network stack to me, and while it can be fairly reliable as an OS I can't comment on high-availability designs of ISA since I haven't tested it. Microsoft still isn't providing me with the level of satisfacation I'd want from a security vendor. So, if you're a windows shop, with a small to medium size network, ISA might just treat you fine, but personally that idea is scary as all hell. I'll always recommend firewalling windows servers, even if they have firewall software on them. For a larger shop that uses managed switches, dynamic routing, multiple VLANs...They're just going to be more comfortable with the CLIs. My recommendation for a "small" firewall - check out Netscreen's 5GT - sweet little box for a few hundred bucks. Oh, last thing, regarding talking about NICs getting burned out in a PC - most PC firewalls I've seen in the last year or two have on-board NICs, so if that gets smoked, you might be seeing more than just a NIC go up in a poof. Just something to keep in mind... John 1: "Network Administrators" is being used in it's "real" definition - people who administer networks. This differs from "Windows administrators" or "UNIX administrators." --------------------------------------------------------------------------- ---------------------------------------------------------------------------
