I am running an NT Domain with only one route out to the internet. Right now we're running Firewall-1 and MS proxy 2.0 behind it. We need to upgrade the proxy, and MS's new toy is ISA server. I'm thinking about getting rid of FW-1 altogether, and putting in ISA server both as proxy and firewall. Any comments in regards to ISA server?
Haven't used this product. But, um, getting rid of ckpw for a m$ product. Hopefully this is a testing site and not your real ecommerce one.
If you do put this in - post the results.
What's the big deal with using a MS product rather than Checkpoint's? Just because it's MS? How would you know it's worse than Checkpoint if you never tried it? It's not actually an ecommerce site though. It's just the only opening to the internet for our network.
I've been playing with ISA for a while, and found it much nicer to work with than FW-1. Ran some basic port scan stuff, and every port on the ISA was 'stealthed' (is that the right word for it?), but the FW-1 scan came back with some closed ports...better than open I guess.
Either way I'll let you know how ISA stacks up to FW-1.
Umm, don't know much about ISA server, but keep the CP-FW1. Set up ISA as a secondary firewall if you want to, but trusting your security to a Microsoft product is like trusting your keys to a car jacker.
At ease Sgt B. You can use whatever you like. When you post a question, expect some input.
I haven't used ISA in a production environment myself, but have seen it running.
I am in no way an expert on the subject, since I haven't used either product, but I think you should bear in mind that Microsoft products tend to be more of a target for hackers and crackers than most other products - so, even if they are of the same quality, vulnerabilities for Microsoft products tend to surface quicker. If this is a good or a bad thing, I leave to your judgement - it could be both positive and negative.
Thanks for all the input!
Gold Eagle: I think you got the wrong tone in my 'voice'. I was just asking you why you would say to ditch the MS product, not trying to flame you. After re-reading my post though, I could see how you could come to that conclusion. I didn't mean to sound angry.
Microsoft's ISA server is nothing more than a glorified proxy. Not that there is anything wrong with it, but it is different from Checkpoint FW-1.
If I were you, I would keep the design the same and just upgrade the proxy 2.0 to MS ISA. This will give you a very secure setup. Just make sure on the FW that you only accept traffic from the proxy so that someone cannot circumvent the system by setting their default gateway to that of the FW and removing proxy settings. There might also be cases where something might not be able to be proxied. Deal with these on an individual basis and create necessary exceptions on the firewall.
I would not even make it a consideration to eliminate the CP FW altogether. By doing this, you will eliminate a lot of the flexibility that a stateful inspection FW gives you in the first place.
You're right Invictus...we already paid for FW-1 anyway right? Sounds like that's the best route to go.
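An added example, not part of any post in this thread: a simplified first-match rule model of the layout recommended above (the firewall accepts outbound traffic only from the proxy, with individual exceptions), shown beside a weak ruleset that lets clients bypass the proxy. The addresses, the mail-host exception and the rule format are constructed assumptions; this is not FW-1 rule syntax.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread).
PROXY = "10.0.0.10"   # the proxy (MS Proxy 2.0 / ISA) host
LAN = "10.0.0.0/24"   # internal network
MAIL = "10.0.0.25"    # hypothetical host whose traffic cannot be proxied

# Outbound rules: (action, source network, destination port or None for any).
# Evaluated top to bottom; the first match wins.
WEAK = [("accept", LAN, None)]  # any client may go out directly
HARDENED = [
    ("accept", PROXY + "/32", 80),
    ("accept", PROXY + "/32", 443),
    ("accept", MAIL + "/32", 25),    # individual exception, one host and one port
    ("drop", "0.0.0.0/0", None),     # explicit cleanup rule
]

def decide(rules, src, dport):
    """Return the action of the first rule matching an outbound connection."""
    addr = ipaddress.ip_address(src)
    for action, net, port in rules:
        if addr in ipaddress.ip_network(net) and port in (None, dport):
            return action
    return "drop"  # default deny when nothing matches

def bypass_paths(rules, clients, ports=(80, 443)):
    """List (client, port) pairs that get out without going through the proxy."""
    return [(c, p) for c in clients for p in ports
            if c != PROXY and decide(rules, c, p) == "accept"]

if __name__ == "__main__":
    clients = ["10.0.0.51", "10.0.0.52", PROXY]
    print("weak ruleset bypass paths:    ", bypass_paths(WEAK, clients))
    print("hardened ruleset bypass paths:", bypass_paths(HARDENED, clients))
```

Running the same audit against a real rule base after each exception is added shows whether the exception widened direct egress beyond the one host and port it was meant for.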
Thanks for the help and advice everyone!
no offense taken.
We are glad to help. iNViCTuS is quite right, he has a lot of security experience so I put much in what he says. Let us know how it goes and if you need more help.