ISA Server?
Thread: ISA Server?

  1. #1
    Member
    Join Date
    Aug 2003
    Posts
    69

    ISA Server?

    Anyone have a working opinion of using ISA server in a primary firewall/vpn/security role? I'm looking at something to use at home, with some sort of robust routing capabilities (something better for DMZ usage than the linksys "one machine is a DMZ" mantra, for instance).

    I touched several ISA servers in the past and they always seemed to be a bear to configure.

    My other options for firewall services are, uh, in this order of preference:

    buy some hardware fw solution (watchguard, raptor, sonicwall, etc)

    take the plunge and learn linux enough to have an educated opinion on what flavor to use, then learn enough about that one to secure it, then learn the different firewalls that run on linux enough to make an educated decision on which to use, and then learn enough about that firewall to secure it properly.

    Thanks,
    jeff

  2. #2
    Senior Member
    Join Date
    Dec 2002
    Posts
    134
    hi,
    I'm no expert on the software but I was running ISA 2k enterprise edition on a win2k advanced server for a couple of weeks. I was using it for a firewall and router for a small home network. It was perfectly stable and caused no problems but took a long time to configure properly. But in the end I decided it was a bit OTT for my needs and ISA along with win2k used too much resources so I've gone back to NT4.
    So basically the only advice I'd give is that for a small network (under 10 computers) I wouldn't bother with it but if you've got a larger network than that I couldn't fault it.
    What Windows version were you thinking of running it on?

    m. smith

  3. #3
    Member
    Join Date
    Aug 2003
    Posts
    69
    Well, I was considering throwing it on a Windows 2000 server with a half-gig of RAM and an Athlon 2000 XP and a couple o mirrored 40 GB ATA100 drives.

    Now I do seem to recall it being a resource pig. Hrm.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    We use a couple of ISA servers for our webbrowsing. It works well and integrates nicely with your MS environment (windows+internet explorer).

    I personally would never use it in a firewall configuration though. But that's just because I don't trust anything that comes out of Redmond.

    If your budget would allow it I would suggest getting different boxes for each of the purposes you're trying to implement. That way you can buy something that's more designed for the purpose you're going to implement. So I would buy a hardware firewall (pix or nokia/checkpoint), ISA server as a proxy and a hardware VPN box. This will give you the best of all worlds.

    But this is probably a bit too rich for your home environment

    Why not try your hand at Open Source? You can set up a great firewall using Linux or any of the BSDs. Not only will you have a great firewall, you will also learn a lot in the process when setting it up. Just get your hands on an 'old' PC. Anything above 200MHz will do fine. Mine is an old Pentium 90 with 16MB RAM and a 500MB hard disk. I've set it up using FreeBSD and IPFilter. It works like a charm and it's cheap.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    69
    I'm open to the open source idea, but I want to do things right (i.e. not get hacked and become a bot for the next big ddos exploiter). So, I'd have to do a lot of research on linux or xbsd (I wanted to try freebsd once, but drivers became a problem - it wouldn't run on my motherboard).

    I have 0 experience with linux or whatnot, and I think the learning curve will take up too much time (I'm not in a hurry to get this rolling, but would like it to be up and running before october).

    I'd have to figure out what linux version to use, how to use it, how to secure it, and then move on to what firewall to use and how to configure.

    I've used checkpoint firewall-1 on the nokia and on 2000 server and liked it a lot. I've also got experience with the watchguard product line and some pix experience, and some ISA. I guess if I could find something similar to firewall-1 or the like on linux that might work.

    Just something to maybe do proxy services to make the web 'faster' and also secure my environment, including a dmz'd owa box.

    thanks for the input. Feel free to make recommendations on a good 'starter' place for linux I guess. I think that might be my route for this. Sadly my house isn't an enterprise environment where I can budget a few thousand in IT expenses for security.

    I was thinking about going the opensource route from the start, but when I talk to linux guys it invariably turns into some quasi religious bout



    You know what I mean?

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I can only tell you how to do it on Freebsd. I have used Linux before but switched over and never looked back.

    I can only suggest reading through the FreeBSD Handbook and especially the Security part.

    You can find the list of supported hardware for 4.8-stable here

  7. #7
    Member
    Join Date
    Aug 2003
    Posts
    69
    Ah sweet, I've got some spare bits laying around, maybe I can throw together something supported by FreeBSD. I've still got the cds I ordered 3 years ago. Although I'm sure I'll want to d/l the newest and burn it for install

    Thanks man, that's a step.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If it's three years old you'll definitely need new ones; a lot has changed (for the good).

    If you can get the box online using ethernet you can also install over the Internet. Just download two floppies and the rest will install from the Internet. But having a couple of spare BSD cds around is always a good idea.

    Just slap a few of your spares together and build yourself a great firewall.
    You can always use that Athlon box as a proxy/web/database/whatever server.

    That's how my network kinda grew. I started small but now it has a p90 (fbsd, firewall), p100 (fbsd, apache), p2-350(fbsd, mysql,fileserver), p2-400(doing nothing yet, thinking about putting w2k on it) and a dual 2GHz Athlon (XP, my workstation).

  9. #9
    AO Decepticon CXGJarrod
    Join Date
    Jul 2002
    Posts
    2,038

    Re: ISA Server?

    Originally posted here by jeffs72
    Anyone have a working opinion of using ISA server in a primary firewall/vpn/security role? I'm looking at something to use at home, with some sort of robust routing capabilities (something better for DMZ usage than the linksys "one machine is a DMZ" mantra, for instance).

    I touched several ISA servers in the past and they always seemed to be a bear to configure.

    My other options for firewall services are, uh, in this order of preference:

    buy some hardware fw solution (watchguard, raptor, sonicwall, etc)

    take the plunge and learn linux enough to have an educated opinion on what flavor to use, then learn enough about that one to secure it, then learn the different firewalls that run on linux enough to make an educated decision on which to use, and then learn enough about that firewall to secure it properly.

    Thanks,
    jeff

    We have been using ISA server at work for about 1 year now and have had no problems. I have it on an 800 MHz AMD machine with 512 Megs of SDRAM and it does great for our network of 30 computers. We do use it as a primary firewall (yet I do still want to get a hardware firewall) and it has worked fine. No MSblaster worm or any hacks into our network. I would think that it is a bit expensive for home use (but so are some of those hardware firewalls you mentioned) but it has worked great for our work environment. The only thing that I wish was better about ISA Server is its reporting capabilities, but you can buy addon products for that.

    As to the configuration: It's not too hard to set up. Took me about an hour to set up the firewall rules (block traffic, ports and so on) and about 2 total with the installation. It's worked very well for our environment.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  10. #10
    Junior Member
    Join Date
    Sep 2003
    Posts
    21
    Bad:
    Relatively piggy w/ resources
    Expensive for home use
    Tends to be time consuming to configure
    Requires a machine to run it on

    Good:
    Learning ISA is way easier than learning all of the ins and outs of a new OS and how to properly secure it
    Lot fewer holes in it than other M$ products (I guess their OSs are easier targets)
    Not that difficult to configure

    We use it for a few of our clients and have had no issues (breaches, failures of the software to perform as expected, etc). Our clients are smaller so obviously less visibility helps them stay out of the crosshairs; regardless, no security issues so far. We also use Netopia routers for other clients, very easy to use and effective for the price (~$900us). Also with the router you don't need another machine and it is a small amount cheaper than the ISA software, not to mention any licensing you may need to get for the OS on the ISA box.
