
How does MS ISA stack up as a stand alone firewall


Bob Conley
May 7, 2003, 8:25:06 AM
I've been looking around for a review or comparison of Microsoft ISA
to a standard firewall like Watchguard or Sonicwall, but haven't seen
one. Or just a basic review outlining the positives and negatives of
that product. Any pointers? If not how about some comments on the
major functional differences?

Bill Stewart
May 7, 2003, 10:17:21 AM
Leythos <vo...@nowhere.com> wrote:

> It's funny that you need registry hacks to keep ISA from leaving
> connections open, but with an Appliance you set it and forget it (not
> really, but it's about the same).

What registry hacks? (Curious minds want to know)


David
May 7, 2003, 12:00:24 PM
ISA offers more functionality. Not only does it provide packet filtering,
but also a web proxy, SOCKS4 proxy, H.323 gatekeeper, as well as other ALGs
and features to allow NAT traversal for certain applications. There is also an
API so that you can write your own filters and ALGs for your own
applications. It ties in nicely with the Windows domain model as far as
authentication and administration are concerned. With W2003 Server it should
be able to provide end-to-end IPSec in transport mode over NAT as opposed to
the previous restriction of tunnel mode being terminated at the gateway.

As to negatives... the standard performance issues associated with a server
based firewall (plus the added hit for the application proxy) as opposed to
a nice lean hardware device. Not to mention the additional man-hours to
harden the OS. Then again, you're not in a position where you have to have
total trust in a hardware vendor and their firmware.

Maybe a bit pricey off the shelf, particularly when adding the price of
hardware and the OS, but if you need most of the functionality it provides
or need ALGs for specific applications to traverse NAT then it's not a bad
choice.

Didier
May 7, 2003, 3:52:29 PM
Have a look here:
http://www.icsalabs.com/html/communities/firewalls/certification/rxvendors/index.shtml
This is a start point...
rgds,
didier

"Bob Conley" <mrbc...@yahoo.com> wrote in message
news:702a3ce.03050...@posting.google.com...




David
May 7, 2003, 11:23:54 PM
Most hardware devices do not provide application level proxies. Some have
content filters for http and NAT translators that allow ftp or other
problematic protocols to pass but how they operate is very different from an
application proxy. Granted application proxies need more processor power so
they are not acceptable in many circumstances, however in networks where
they do fit in you are afforded much more control over what can be done.

The authentication models of most hardware devices are not tied into the
windows domain or AD. Group and user management can be a real pain in the
butt if you have to deal with user rights not only in your windows domain
and AD but also on separate hardware devices.

You may not trust your own developers to write plug-ins for a firewall, but
you are always left trusting someone's developers. Whether it is your own,
third party plug-in companies, a device's firmware development team or even
open source developers (such as for OpenSSL, which is incorporated into some
devices). Granted, someone may not have an adequate development team to write
such plug-ins, but the option for that or for acquiring 3rd party plug-ins
is there.

All in all, I suspect more situations are better suited to some of the hardware
devices currently available; however, in many circumstances ISA provides a
much better fit.

> > ISA offers more functionality. Not only does it provide packet filtering,
> > but also a web proxy, socks4 proxy, h.323 gatekeeper, as well as other algs
> > and features to allow NAT traversal for certain applications.
>
> Most hardware firewall appliances offer all of the above.
>
> > There is also an
> > API so that you can write your own filters and algs for your own
> > applications. Ties in nicely with the windows domain model as far as
> > authentication and administration is concerned. With W2003 server it should
>
> I'm not one to allow my developers to write code for API calls that
> touch the firewall - that's like asking the Cat to watch the hen house
> :)


David
May 8, 2003, 1:18:26 PM
I'm specifically talking about application level proxies which will actually
inspect and filter on application data. Not transparent forwarding proxies
which only work at the network level to perform stateless or stateful
inspection. Or NAT traversal filters which only look in the application data
for embedded IP addresses to translate. There is a huge difference.
Watchguard Fireboxes do provide various application level proxies and that
puts them above most of the other devices. But that is why I stated "most"
and not "all" in my initial posts. Watchguard Fireboxes are great devices and
probably more than adequate for a lot of users, but they do not provide the
extensibility or level of domain integration that you get with ISA or
Firewall-1, for that matter.

> > Most hardware devices do not provide application level proxies. Some have
> > content filters for http and NAT translators that allow ftp or other
> > problematic protocols to pass but how they operate is very different from an
> > application proxy. Granted application proxies need more processor power so
> > they are not acceptable in many circumstances, however in networks where
> > they do fit in you are afforded much more control over what can be done.
>

The Firebox line certainly does have application level proxies, but if you
haven't found a single appliance that doesn't have application level proxies
then you haven't looked very far, because most of them don't. And the ones
that do provide only a limited amount of what is possible with application
level filtering.
> I don't know what firewall products you are using, but my personal
> WatchGuard Firebox II provides proxy for services (I can even specify
> which IP I want it to proxy through). The Firebox II is 4 years old, and
> their III and V.Class do it also. I've installed MANY, MANY, MANY,
> firewall appliances and never found one that didn't provide a proxy for
> services (applications).
>

There is no doubt ISA isn't cheap, but if someone needs something that is
extensible as far as specific application proxies or filtering is concerned
then there are benefits with a software-based solution. Whether it is ISA or
Check Point's FW-1 or any other lesser known brand. It's all about what you
need, desire, and fits the budget. There are several 3rd party plug-ins for
ISA which give you more choice as to whose technology you wish to use for
specific proxies or filters. You are not totally locked into the scheme of
things that any particular device manufacturer has chosen.
> If you want to talk about firewall products, don't talk about the wanna-
> be firewall products like Linksys, D-Link, and others in the sub $2,000
> range - We were talking about ISA, which with server and licensing is
> more than $3,500. That price point puts you into a very nice firewall
> appliance.
>

I don't think any of the Watchguard models allow you to directly tie into
Windows AD for user and group management or certificate services. They do
allow for domain authentication as well as radius server compatibility for
local and remote users. Once again though Watchguard provides much more than
most of the other devices I have dealt with, but it is still not as tightly
integrated and as easy to manage as ISA or FW-1. Then again "easy to manage"
is different for different folks.


> > The authentication models of most hardware devices are not tied into the
> > windows domain or AD. Group and user management can be a real pain in the
> > butt if you have to deal with user rights not only in your windows domain
> > and AD but also on separate hardware devices.
>

> Watchguard provides all of this - I use them in this manner all the
> time.
>

If you use certain application gateways then you may be using third party
code in your updates and not even know it. The main benefit of application
gateways is to filter application data, hence content. So you can use a
hardware device and stick with what they decide is best and get firmware
updates when they decide. Or you can have some choice. With a Firebox you
have SpamScreen, WebBlocker, and your own filters. With ISA you have several
antivirus, content, reporting, intrusion detection, SSL, authentication,
application proxies, and monitoring plug-ins to choose from. Many of which
are written by major players in the technology they are adding. Symantec,
Trend, ISS and RSA. All major players who know more about the functionality
they are providing than many FW vendors. Some of them are FW vendors
themselves. Filtering at the application level is not a static thing. New
exploits are discovered every day so why bother spending the extra moola for
application level proxies if they only look for old hacks. And if you can
find a hardware device that keeps up with the current exploits for their
application gateways then I bet they are working hand-in-hand with many of
the same companies.
Most of these add ons do not screw with the core functionality of the
firewall, they are simply adding filters just as someone might do manually,
or adding compatibility so you are not locked into any specific type of VPN
technology, encryption algorithm, monitoring scheme, etc. Dollar for dollar
the Watchguard units provide a pretty good bang for the buck, but they don't
even come close to providing the extent of application level filtering that
can be done with a software firewall.
> I would not use a non-firewall vendor to supply me with updates. I trust
> Checkpoint, Sonic, and WatchGuard to provide me with what I need for
> their solutions - I would not trust someone that didn't have a perfect
> understanding of the product to write something that didn't leave a hole
> in it.
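The distinction David draws above, between a NAT-traversal filter that only rewrites embedded addresses and an application-level proxy that inspects and enforces policy on the application data, is easiest to see on a concrete protocol. The following is an added example, not code from the thread or from any of the products discussed: a toy FTP ALG and a toy FTP application proxy, both operating on the same constructed PORT command. The addresses, ports and the proxy's command allowlist are assumptions chosen for illustration.

```python
"""
Added example (not from the thread): NAT ALG versus application-level proxy,
both handling FTP control-channel lines.  All addresses, ports and commands
below are constructed sample data.
"""
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 -- the client's data address/port embedded in the
# application data, which is what a NAT device has to rewrite.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(line):
    """Parse an FTP PORT command into (ip, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    """Inverse of parse_port."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class NatAlg:
    """NAT-traversal filter: finds the private address embedded in PORT and
    rewrites it to the external address plus a freshly mapped port, so the
    server's active-mode data connection can reach the client.  It only
    translates; it never decides whether the command should be allowed."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.mappings = {}  # external port -> (internal ip, internal port)

    def handle(self, line):
        parsed = parse_port(line)
        if parsed is None:
            return line  # anything that is not a PORT command passes untouched
        int_ip, int_port = parsed
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = (int_ip, int_port)
        return format_port(self.external_ip, ext_port)


class FtpProxy:
    """Application-level proxy: understands the protocol and enforces policy
    on the application data.  Verbs outside the (assumed) allowlist are
    refused, and a PORT that names a host other than the client (the classic
    FTP bounce) or a privileged port is refused."""

    ALLOWED = {"USER", "PASS", "PWD", "CWD", "LIST", "RETR",
               "PORT", "PASV", "TYPE", "QUIT"}

    def __init__(self, client_ip):
        self.client_ip = ipaddress.ip_address(client_ip)

    def handle(self, line):
        """Return ("forward", line) or ("reject", reason)."""
        line = line.strip()
        verb = line.split(" ", 1)[0].upper()
        if verb not in self.ALLOWED:
            return "reject", f"command {verb} not permitted"
        if verb == "PORT":
            parsed = parse_port(line)
            if parsed is None:
                return "reject", "malformed PORT"
            ip, port = parsed
            if ipaddress.ip_address(ip) != self.client_ip:
                return "reject", f"PORT address {ip} is not the client"
            if port < 1024:
                return "reject", "PORT to privileged port"
        return "forward", line


if __name__ == "__main__":
    alg = NatAlg("203.0.113.5")
    proxy = FtpProxy("10.0.0.7")
    for cmd in ("PORT 10,0,0,7,4,1", "PORT 192,0,2,9,4,1", "SITE EXEC ls"):
        print(f"{cmd:<22} ALG -> {alg.handle(cmd):<26} proxy -> {proxy.handle(cmd)}")
```

The ALG happily rewrites the bounce-attack PORT and passes `SITE EXEC` through unchanged, because it has no notion of policy; the proxy refuses both. That is the "huge difference" the post is pointing at, and it is also why the proxy costs more CPU: it has to parse every command.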


David
May 8, 2003, 8:17:31 PM
We've had other great ones before and I'm sure we will in the future.

I don't trust most as far as that either, and it is more often than not a
reason to simply recommend appliances only for those types of folks. ISA is
not something you plug in, set up a few rules and off you go, that's for
sure. I'm very familiar with it and will always point out its pluses and
minuses if someone specifically asks about it. I'm not one to automatically
suggest something else when someone specifically asks about ISA. I'd rather
throw around the pluses and minuses so people get a better idea of what
situations warrant what. Then they will know what may be best for their
particular situation instead of getting a bunch of opinions from people who
need to justify what they choose to hawk or have purchased for themselves.
The fact is almost all of these firewalls are a good fit somewhere, but
where they fit in best depends on the specifics of each case. Which frankly
none of us besides the OP really knows.

So the OP at least got a fair answer to his question as opposed to the
usual..."MS sucks, you can't trust them, so I suggest what I sell instead"

>
> It was nice to see that we could have this discussion without it turning
> into a flame. I'm on both sides, ISA/Appliance, but I don't trust most
> clients to manage their firewalls properly.
>


Bob Conley
May 9, 2003, 8:29:56 AM
I read a brief comment in another group that ISA is a stateless
firewall. Does anybody have any insight to this comment? Thxs.

"David" <davi...@adelphia.net> wrote in message news:<s4aua.12919$Jf.68...@news1.news.adelphia.net>...

David
May 9, 2003, 2:32:55 PM
http://www.microsoft.com/isaserver/evaluation/productguide.asp

> I read a brief comment in another group that ISA is a stateless
> firewall. Does anybody have any insight to this comment? Thxs.

?
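Bob's question above turns on what "stateless" actually means for a packet filter. The following is an added example, not from the thread and not a description of ISA's implementation: a constructed six-packet trace run through a stateless rule set and through a minimal stateful connection tracker, so the difference in what gets through is visible. The addresses, ports and flag sequences are constructed sample data.

```python
"""
Added example (not from the thread): stateless versus stateful filtering of
the same constructed packet trace.  Flags use tcpdump-style letters
(S=SYN, A=ACK, P=PSH, R=RST).  Direction is "out" (from the protected LAN)
or "in" (from the Internet).
"""
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")

# Constructed trace: a normal outbound web connection, then an unsolicited
# inbound ACK (an ACK scan or spoofed "reply") and an inbound SYN to SMB.
TRACE = [
    Packet("out", "10.0.0.7", 51000, "198.51.100.20", 80, "S"),
    Packet("in", "198.51.100.20", 80, "10.0.0.7", 51000, "SA"),
    Packet("out", "10.0.0.7", 51000, "198.51.100.20", 80, "A"),
    Packet("in", "198.51.100.20", 80, "10.0.0.7", 51000, "PA"),
    Packet("in", "192.0.2.66", 1234, "10.0.0.7", 445, "A"),
    Packet("in", "192.0.2.66", 1234, "10.0.0.7", 445, "S"),
]


def stateless_filter(pkt):
    """Stateless rules: allow everything outbound; allow inbound only when
    ACK is set.  This is the pre-stateful approximation of 'established'
    and it cannot tell a genuine reply from an unsolicited ACK."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Minimal connection tracker: inbound packets are admitted only if they
    belong to a connection an inside host initiated and the TCP flags fit
    the connection's current state."""

    def __init__(self):
        self.conns = {}  # (inside ip, inside port, outside ip, outside port) -> state

    def process(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            state = self.conns.get(key)
            if "R" in pkt.flags:
                self.conns.pop(key, None)
            elif pkt.flags == "S":
                self.conns[key] = "SYN_SENT"
            elif state == "SYN_RECV" and "A" in pkt.flags:
                self.conns[key] = "ESTABLISHED"
            return True
        # Inbound: look up the reversed tuple.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.conns.get(key)
        if state is None:
            return False  # nobody inside asked for this
        if "R" in pkt.flags:
            self.conns.pop(key)
            return True
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.conns[key] = "SYN_RECV"
            return True
        if state in ("SYN_RECV", "ESTABLISHED") and "A" in pkt.flags and "S" not in pkt.flags:
            return True
        return False


def run(trace=TRACE):
    """Return the per-packet verdicts of both filters over the trace."""
    tracker = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in trace],
        "stateful": [tracker.process(p) for p in trace],
    }


if __name__ == "__main__":
    verdicts = run()
    for pkt, sl, sf in zip(TRACE, verdicts["stateless"], verdicts["stateful"]):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags:<2}] stateless={sl} stateful={sf}")
```

Packet five is the one that matters: an ACK from a host nobody inside has talked to reaches port 445 under the stateless rules but is dropped by the tracker, because no entry exists for it. A product is "stateful" when it keeps that table; a comparison that says "stateless" is claiming it does not, and the product guide David links is the place to check that claim.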

