
ISA vs. hardware firewall


lllusion

Sep 1, 2004, 9:34:16 AM
From a security point of view, in avoiding hacker attacks, how secure are
devices like the Netgear FWG114P, D-Link DI-824VUP+, LinkSys BEFSX41,
MultiTech RFRF560VPN, and 3COM 3CR870-95-ME?

ISA is certainly much more configurable and dynamic, but let's assume the
following situation: an ISA server that always gets the latest updates
(security, virus, OS) and has been basically hardened (unnecessary
services turned off, password settings set, etc.), but not much else is
done to the machine, versus one of the devices listed above. For the most
part the only traffic going past the ISA server or hardware firewall is
SOHO traffic. Is the hardware firewall an easier target for attacks,
hacks and worms than the ISA server?

--
Howie
"The very belief that violence is unavoidable
is a root cause of violence."
Samdhong Rinpoche
1st Democratically Elected Chairman of the
Tibetan Cabinet-in-Exile

Miha Pihler

Sep 1, 2004, 10:44:31 AM
Hi,

Personally I trust ISA more. I guess that this is due to the fact that I know
Windows more than any other hardware firewall device. I know other software
firewall solutions (like Check Point or Symantec Enterprise Firewall)...

You have to know that, just like Windows, hardware devices are also based on
some kind of software, and if this software has flaws this can be exploited.
There were quite a few exploits recently for CISCO firewalls and routers
when a flaw was found in CISCO IOS.

Default installation of ISA 2004 will not allow any direct communication
from any network segment to ISA server itself. Not even "ping". This by
itself can protect your server from any worms and viruses (unless you
install Outlook and read your e-mail on your firewall or use your firewall
for surfing the internet)... I am not saying that this is all you should do
to protect your firewall server!
Attacks against Windows computers are based on exploits in applications.
Because of filters placed by ISA (or even the IP filter in Windows 2000 or
newer), attacks (worms and viruses) can't reach the vulnerable
application.

http://freeweb.siol.net/mpihler/ndis.jpg Sorry but comments in this picture
are in my first language, but still I think it should help to imagine...

I still have a customer where I can't upgrade the current version of Symantec
Enterprise Firewall. Since it is an old version of SEF I can only have SP2 for
Windows 2000 (!!!) installed with no other patches! Still, this server was
never infected or compromised... (This is not how I would like it to be --
but currently there is no other option. We did however take some other steps
to protect this server)...

Best advice that I once received was to use solutions that I am most
comfortable with and that I know most about. Misconfigured (or badly
configured) ISA and Windows are just as dangerous as a misconfigured CISCO
PIX or any other appliance...

Mike

"lllusion" <yeah...@microsoft.com> wrote in message
news:MPG.1b9fee43c...@news.microsoft.com...

lllusion

Sep 1, 2004, 11:02:57 AM

[snip]

> You have to know that, just like Windows, hardware devices are also based on
> some kind of software, and if this software has flaws this can be exploited.
> There were quite a few exploits recently for CISCO firewalls and routers
> when a flaw was found in CISCO IOS.
>
[snip]
Have there been exploits on those devices I mentioned? I've not heard of
any.

> Default installation of ISA 2004 will not allow any direct communication
> from any network segment to ISA server itself. Not even "ping". This by
> itself can protect your server from any worms and viruses

[snip]

Yeah, I like this better than having to close down the unwanted. It's
easier to just open the wanted.

> Attacks against Windows computers are based on exploits in applications.
> Because of filters placed by ISA (or even IP filter in and Windows 2000 or
> newer version) attacks (worms and viruses) can't reach the vulnerable
> application.

[snip]
One of my reasons for looking at these other devices is that I just
don't use the ISA filtering features, so I kind of wonder how much more
security I'm really getting over a simple hardware device. (Oooh, I can
just hear the ISA gurus groaning. :P )

> Best advice that I once received was, to use solutions that I am most
> comfortable with and that I know most about.

[snip]
This is the catch, I don't know enough about these other devices. As I
mentioned, I've never heard of anyone trying to exploit them.

> Misconfigured (or badly
> configured) ISA and Windows are just as dangerous as a misconfigured CISCO
> PIX or any other appliance...

[snip]
Ain't that the truth.

Steven L Umbach

Sep 1, 2004, 11:22:06 AM
I don't really know if there is much evidence of one being more secure than the other
for the type of attacks you mention. ISA is great if you need to cache web pages,
have elaborate reports, fine-tune Internet Explorer internet access, integrate
advanced filtering of content, and restrict access by users and groups. If you don't
need all that, then I think a quality hardware firewall makes sense in that they are
easier to configure for the most part, and you are probably less likely to go down due to
the fact that a computer is a much more complex device than a firewall. However, some of
the devices listed below are lower-end devices that may have reliability issues [my
experience and others'] for a network that needs 24/7 access, and may not have default
block-all-outbound rules. I think if you look at something like Netscreen, Sonicwall,
etc., you will have a secure and reliable device that largely can be configured via a
Web UI if need be. --- Steve


"lllusion" <yeah...@microsoft.com> wrote in message
news:MPG.1b9fee43c...@news.microsoft.com...

Lanwench [MVP - Exchange]

Sep 1, 2004, 11:43:41 AM
Take a look at www.astalavista.com

If you have the budget to buy ISA, buy it. You can use it in conjunction
with a hardware firewall appliance and it may be even better.

Miha Pihler

Sep 1, 2004, 11:55:42 AM
> One of my reasons for looking at these other devices is that I just
> don't use the ISA filtering features, so I kind of wonder how much more
> security I'm really getting over a simple hardware device. (Oooh, I can
> just hear the ISA gurus groaning. :P )

Are you talking about ISA 2000 or ISA 2004 filtering features?

Mike


Steve Dodson [MSFT]

Sep 1, 2004, 12:18:23 PM
Search on www.cert.org for the product, and you can find out what is
currently going on, where to find more information, and how to fix.

Hope that helps!

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
--------------------
>From: lllusion <yeah...@microsoft.com>
>Subject: Re: ISA vs. hardware firewall
>Date: Wed, 1 Sep 2004 17:02:57 +0200
>Message-ID: <MPG.1ba0030e9...@news.microsoft.com>
>References: <MPG.1b9fee43c...@news.microsoft.com>
<ejnq4IDk...@TK2MSFTNGP10.phx.gbl>
>X-Newsreader: MicroPlanet Gravity v2.50
>Newsgroups:
microsoft.public.security,microsoft.public.windows.networking.firewall
>NNTP-Posting-Host: mh108-42.dynamic.mh.se 193.10.108.42
>Lines: 1
>Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12
.phx.gbl
>Xref: cpmsftngxa10.phx.gbl
microsoft.public.windows.networking.firewall:1634
microsoft.public.security:62427
>X-Tomcat-NG: microsoft.public.security

Robert Moir

Sep 1, 2004, 1:22:25 PM
lllusion wrote:
> From a security point of view in avoiding hacker attacks, how secure
> are devices like Netgear FWG114P, D-Link DI-824VUP+, LinkSys BEFSX41,
> MultiTech RFRF560VPN, and 3COM 3CR870-95-ME.
>
> ISA is certainly much more configurable and dynamic, but lets assume
> the following situation: an ISA server that always gets the latest
> updates (security, virus, OS) and has been basically hardened
> (unnecessary services turned off, password settings set, etc.) but
> not much else is done to the machine versus one of the devices listed
> above. For the most part the only traffic going past the ISA server
> or hardware firewall is SOHO traffic. Is the hardware firewall an
> easier target for attacks, hacks and worms than the ISA server?

You can't buy just one thing and call it good. ISA server runs on Windows, a
platform that is the focus of many attacks, and also there are many exploits
for many or even all of the "hardware firewall appliances" out there.

Personally, I run a dual layer system of a ISA box protected by a hardware
firewall appliance.


lllusion

Sep 1, 2004, 3:30:47 PM
In article <8VD2P9Dk...@cpmsftngxa10.phx.gbl>,
stev...@online.microsoft.com says...

> Search on www.cert.org for the product, and you can find out what is
> currently going on, where to find more information, and how to fix.
>
> Hope that helps!
>
Thanks for the heads up.

lllusion

Sep 1, 2004, 4:15:52 PM
In article <#qwvqwDk...@TK2MSFTNGP09.phx.gbl>, mihap-
ne...@atlantis.si says...

> Are you talking about ISA 2000 or ISA 2004 filtering features?
>
I've been running ISA 2000 on my old PII350 w/ 512MB for a couple of
years now. Due to various reasons I'm looking to replace this box with
something small, lightweight, _quiet_ and with low power absorption. I
need to keep the purchase costs down.

There's no filtering set, just a site rule for using a destination set
to block advertisements.

lllusion

Sep 1, 2004, 4:17:03 PM
In article <#K$QdrDkE...@TK2MSFTNGP10.phx.gbl>,
lanw...@heybuddy.donotsendme.unsolicitedmail.atyahoo.com says...

> Take a look at www.astalavista.com
>
> If you have the budget to buy ISA, buy it. You can use it in conjunction
> with a hardware firewall appliance and it may be even better.
>
I'm currently running it. As mentioned in "Q:small hardware firewalls",
due to various reasons I'm looking to replace this box with something
small, lightweight, _quiet_, with low power absorption, and keep the
purchase costs down. There was a time that I used and had bigger plans
for much of what ISA 2000 offers. However, times, needs and plans have
changed.

Maybe I'm asking some of the wrong questions. The Netgear FWG114P offers
me several functionality features that I'm looking for but I'm wondering
where my weaknesses will be in switching from the ISA box. My ISA setup
(on top of win2ksvr basic security setup and maintenance) is pretty
basic: opened what I needed, including VPN in and out (which I'm not
currently using and thus have closed) no extra filtering or monitoring.

Jeff Cochran

Sep 2, 2004, 11:41:35 AM
On Wed, 1 Sep 2004 17:02:57 +0200, lllusion <yeah...@microsoft.com>
wrote:

>> You have to know that, just like Windows, hardware devices are also based on
>> some kind of software, and if this software has flaws this can be exploited.
>> There were quite a few exploits recently for CISCO firewalls and routers
>> when a flaw was found in CISCO IOS.

>Have there been exploits on those devices I mentioned? I've not heard of
>any.

It's exploits *through* those devices you have to worry about. And
there are certainly exploits that can attack those devices, DoS
attacks for example. None of them are very adequate at detecting and
dropping many DoS attack packets.

ISA also has much more granular control over the options. ISA's
filtering can block attacks on a port while letting other traffic
through the port, whereas your devices listed are pretty much a
block/don't block control.

And in many cases, products like ISA are used because of the reporting
abilities, which are severely lacking in the devices you list. In
fact, it's a poor comparison, since you should be looking at hardware
firewalls, not routers that also do some firewall functions.

Jeff
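Jeff's distinction above (a port-level block/don't-block control versus filtering that can reject an attack on a port while letting legitimate traffic through that same port), together with Mike's earlier point that a default-deny policy which does not even answer ping keeps worms from ever reaching a vulnerable service, as an added example that is not part of the thread and is not ISA's or any appliance's actual code. The sample packets, the allow list and the HTTP size limits are all constructed for illustration.

```python
"""Added example, not from the thread: a toy port-level firewall next to
an application-layer HTTP inspector on the same port. All packets,
the allow list and the limits below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int       # 0 for ICMP
    payload: bytes = b""


# Default deny with explicit allows: everything not listed is dropped,
# including ICMP echo, so "ping" never gets an answer.
PORT_ALLOW = frozenset({("tcp", 80), ("tcp", 443)})


def port_filter(pkt: Packet) -> bool:
    """Block/don't-block decision on protocol and port alone."""
    return (pkt.proto, pkt.dst_port) in PORT_ALLOW


# Application-layer inspection for port 80. Limits are arbitrary
# example values, not a real product's defaults.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (/[^\s]*) HTTP/1\.[01]\r\n")
MAX_URI_LEN = 2048
MAX_HEADER_LINE = 4096
BINARY_RUN = re.compile(rb"[\x80-\xff]{64,}")  # long run of high bytes


def http_inspect(payload: bytes) -> tuple[bool, str]:
    """Accept only a well-formed, size-bounded HTTP/1.x request."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return False, "not an HTTP request line"
    if len(m.group(2)) > MAX_URI_LEN:
        return False, "request URI too long"
    for line in payload.split(b"\r\n")[1:]:
        if len(line) > MAX_HEADER_LINE:
            return False, "header line too long"
    if b"\x00" in payload or BINARY_RUN.search(payload):
        return False, "binary data on a text protocol"
    return True, "ok"


def app_filter(pkt: Packet) -> tuple[bool, str]:
    """Port check first, then payload inspection where the protocol is understood."""
    if not port_filter(pkt):
        return False, "port/protocol not allowed"
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        return http_inspect(pkt.payload)
    return True, "ok"


# Constructed sample traffic (addresses from the documentation range).
SAMPLES = {
    "ping": Packet("203.0.113.5", "icmp", 0),
    "legit_get": Packet("203.0.113.5", "tcp", 80,
                        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "long_uri": Packet("203.0.113.6", "tcp", 80,
                       b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: x\r\n\r\n"),
    "shellcode_ish": Packet("203.0.113.7", "tcp", 80,
                            b"GET /a HTTP/1.1\r\n" + b"\x90" * 200),
    "random_port": Packet("203.0.113.8", "tcp", 135, b"\x05\x00\x0b"),
}


def compare(samples: dict[str, Packet] = SAMPLES) -> dict[str, tuple[bool, bool, str]]:
    """For each sample: (port filter verdict, app filter verdict, app reason)."""
    out = {}
    for name, pkt in samples.items():
        allowed, reason = app_filter(pkt)
        out[name] = (port_filter(pkt), allowed, reason)
    return out


if __name__ == "__main__":
    for name, (p, a, why) in compare().items():
        print(f"{name:14} port_filter={'pass' if p else 'drop':4} "
              f"app_filter={'pass' if a else 'drop':4} ({why})")
```

The two port-80 attack samples are the point: the port-only filter passes them because port 80 is allowed, while the inspector drops the oversized URI and the binary payload and still passes the ordinary GET. Both filters drop the ping and the connection to port 135, which is the default-deny behaviour Mike described.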

lllusion

Sep 2, 2004, 12:06:45 PM
> It's exploits *through* those devices you have to worry about. And
> there are certainly exploits that can attack those devices, DoS
> attacks for example. None of them are very adequate at detecting and
> dropping many DoS attack packets.
>
> ISA also has much more granular control over the options. ISA's
> filtering can block attacks on a port while letting other traffic
> through the port, whereas your devices listed are pretty much a
> block/don't block control.
Thanks for your comments.

> And in many cases, products like ISA are used because of the reporting
> abilities, which are severely lacking in the devices you list. In
> fact, it's a poor comparison, since you should be looking at hardware
> firewalls, not routers that also do some firewall functions.

Agreed. The underlying decision factor being cost.

lllusion

Sep 2, 2004, 12:07:37 PM
In article <u53oGMPk...@tk2msftngp13.phx.gbl>, "Phillip Windell"
<@.> says...
> The loss of user-level authentication. With ISA you can control who has
> access to what by their user accounts and not by what machine they are
> sitting at. The other devices you mentioned won't do that. You will not be
> able to depend on IP#s to allow or deny clients if you use DHCP, since a
> machine may not always have the same IP#.
>
Thanks. In this particular case this is not an issue.