On Fri, 2005-11-18 at 11:39 -0800, Jim Harrison (ISA) wrote: > To tell the truth, I'm surprised at the lack of ISA / MS bashing in this > thread. Is it an indication of MS' place in the general security > community, a general lack of interest in ISA or the holiday season > approaching? The world may never know...
Well, we are on a microsoft-specific mailing list - in my experience, those who have no productive points to make about microsoft products (and still think that recent iterations of windows suffer from all of the same problems as windows 95) tend to be those who don't actually work with them, and therefore have little interest in taking part in mailing lists targeted specifically at microsoft products - I'm sure that if you're looking for some completely unfounded criticism, some of inhabitants of some of the more generally-focused mailing lists would be happy to oblige! :D > Actually, I was trying to be just that specific. > As was agreed to earlier in this thread, all modern firewalls can be > accurately oversimplified as "applications running on operating > systems". > All of those OS's have been compromised to some degree, and so obviates > this contextual "joining of church & state". Good points. > Following this context, we then examine the exploits and compromises > each firewall product *itself* has experienced; i.e, that attack that > succeeded in the context of the firewall code itself. > It's in this context where I state that ISA has experienced no reported > compromises. Again, a worthwhile comparison - my point is really that in pursuing this it's important to distinguish between 'firewalling' and 'platform' exploits for other firewalling solutions, which I didn't see any direct evidence of. I brought up netfilter as an example of this - although linux has had plenty of advisories and exploits released for it, practically none of these have been netfilter related. I've actually found one advisory targetting a very specific configuration of netfilter/iptables which allowed a malicious attacker to add a firewalling rule to allow them to access certain hosts on a network, but I don't see any evidence of any 'exploit' or actual targetting of this, because it is quite specific. > Also, ISA (and to be fair; the aforementioned competitors) is far more > than a simple "firewalling stack". What separates ISA from the others > is the fact that ISA has and continues to "lead the pack" in L4+ > inspection. Indeed - it's hard to summarise what ISA does in two pages, let alone two words! As I've said before, I work with and deploy ISA in a variety of configurations, and I really do think it's a great product - it's just worthwhile discussing and clarifying these issues! On another note, I think the misunderstanding which ISA enjoys is possibly to some extent responsible for the low profile it has, security-wise - very few wintel guys I meet who haven't directly and specifically worked with ISA have a particularly good understanding of what it does, and (as mentioned above) non-wintel people particularly don't understand, and have misconceptions about, ISA. I'd hazard a guess that one large factor responsible for the (admittedly) good security track record ISA has is simply the small number of guys out there looking for holes in it - even the best code suffers from bugs, and one would expect a firewall such as ISA to have such holes found. I could be wrong, though - this is just speculation! Thanks for your reply! - James. > Hope that clarifies things a bit... > > Jim Harrison > Security Platform Group (ISA SE) > If We Can't Fix It - It Ain't Broke! > > -----Original Message----- > From: James Eaton-Lee [mailto:[EMAIL PROTECTED] > Sent: Friday, November 18, 2005 9:23 AM > To: Jim Harrison (ISA) > Cc: John Kinsella; [email protected] > Subject: RE: ISA Server or Firewall Appliance? > > Jim, > > On Thu, 2005-11-17 at 13:28 -0800, Jim Harrison (ISA) wrote: > > Your statements are fine as far as they go, but there is real (as > > opposed to anecdotal) data that directly contradicts your stated > > concerns. > > There are *lots* of Enterprise networks running ISA 2000 and/or ISA > 2004 > > on the edge. > > Several of these customers have also consented to public case studies > > which are (proudly) posted on the microosft.com/isaserver pages. > > > > Short story - no one has offered anything more than "ancient history" > to > > counter the facts offered in ISA's favor. > > Not to be flippant, but I tried - I wasn't really trying to ISA bash, > but I disagreed with you when you said on Tuesday that: > > > I know it sounds like marketing spew, but the simple fact is; in 5+ > > years of service on anything from an SBS server, OEM appliance to HUGE > > enterprise deployments, ISA server has the distinction of not having > > been the recipient of one single exploit in the wild. > > > and then that... > > > I know it sounds like marketing spew, but the simple fact is; in 5+ > > years of service on anything from an SBS server, OEM appliance to HUGE > > enterprise deployments, ISA server has the distinction of not having > > been the recipient of one single exploit in the wild. > > ..more specifically, the bulk of my point was that you weren't comparing > like with like, you were comparing a whole firewall platform > (IOS/Juniper) with something (ISA) which is just a firewalling stack > which necessarily has pre-requisite software which it's combined with to > make up the whole firewall, and ignoring the platform (windows) which it > was running on top of. > > So far I haven't had a reply.. ;) > > If you want to discuss this, I'd be more than happy to re-send my > original post on this topic to the list, as this is really a > bastardisation of what I was originally trying to say! > > > - James. > > > --------------------------------------------------------------------------- > --------------------------------------------------------------------------- > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
