February 21st, 2002, 02:03 PM
I am running an NT Domain with only one route out ot the internet. Right now we're running Firewall-1 and MS proxy 2.0 behind it. We need to upgrade the proxy, and MS's new toy is ISA server. I'm thinking about getting rid of FW-1 all together, and putting in ISA server both as proxy and firewall. Any comments in regards to ISA server?
February 21st, 2002, 03:51 PM
Haven't used this product. But, um, getting rid of ckpw for a m$ product. Hopefully this is a testing site and not your real ecommerce one.
If you do put this in - post the results.
February 21st, 2002, 04:03 PM
Whats the big deal with using a MS product rather than Checkpoints? Just because its MS? How would you know its worse than checkpoint if you never tried it? Its not actually an ecommerce site though. Its just the only opening to the internet for our network.
I've been playing with ISA for a while, and found it much nicer to work with than FW-1. Ran some basic port scan stuff, and every port on the ISA was 'stealthed' (is that the right word for it?), but the FW-1 scan came back with some closed ports...better than open I guess.
Either way I'll let you know how ISA stacks up to FW-1.
February 21st, 2002, 04:04 PM
umm, don't know much about ISA server, but keep the CP-FW1. Set up ISA as a secondary firewall if you want to, but trusting your security to a microsoft product is like trusting your keys to a car jacker.
\"Ignorance is bliss....
but only for your enemy\"
February 21st, 2002, 04:07 PM
At ease Sgt B. You can use whatever you like. When you post question, expect some input.
I haven't used ISA in a production environment myself, but have seen it running.
February 21st, 2002, 04:10 PM
I am in no way an expert on the subject, since I haven't used either product, but I think you should bare in mind that Microsoft products tend to be more of a target for hackers and crackers than most other products - so, even if they are of the same quality, vulnabilities for Microsoft products tend to surface quicker. If this is a good or a bad thing, I leave to your judgement - it could be both positive and negative.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
February 21st, 2002, 04:51 PM
Thanks for all the input!
Gold Eagle: I think you got the wrong tone in my 'voice'. I was just asking you why you would say to ditch the MS product, not trying to flame you. After re-reading my post though, I could see how you could come to that conclusion. I didnt mean to sound angry.
February 21st, 2002, 04:57 PM
Microsoft's ISA server is nothing more than a glorified proxy. Not that there is anything wrong with it, but it is different from Checkpoint FW-1.
If I were you, I would keep the design the same and just upgrade the proxy 2.0 to MS ISA. This will give you a very secure setup. Just make sure on the FW that you only accept traffic from the proxy so that someone cannot circumvent the system by setting their default gateway to that of the FW and removing proxy settings. There might also be cases where something might not be able to be proxied. Deal with these on an individual basis and create necessary exceptions on the firewall.
I would not even make it a consideration to eliminate the CP FW alltogether. By doing this, you will eliminate alot of the flexibility that a stateful inspection FW gives you in the first place.
February 21st, 2002, 05:39 PM
You're right Invictus...we already paid for FW-1 anyway right? Sounds like thats the best route to go.
Thanks for the help and advice everyone!
February 21st, 2002, 06:18 PM
no offense taken.
We are glad to help. iNViCTuS is quite right, he has a lot of security experience so I put much in what he says. Let us know how it goes and if you need more help.