Thread: to ISA or not to ISA......

  1. #11
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Got the server set up, but off the net until the Sonicwall arrives next week.

    Thanks to all for your input!
    MrCoffee
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  2. #12
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Mr Coffee

    To fully benefit from the ISA firewall...use 2 NICs
    One to the sonic firewall (WAN) and one to the LAN.

    ..an extra level of protection can't hurt

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #13
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I'm going to disagree.

    SBS is meant as a complete package for a small business. That is an organization that has one server to dedicate to the internet. There is nothing basically insecure about ms-ftp outside of the fact that the password is sent in plain text. It still has to be captured (trojan on a client, your router is wide open, etc.). If the account that is used does not have any significant rights.... if it's configured properly, you watch the logs and follow good sec procedures, it's alright. If you have a 'basic' web site without FrontPage extensions or any test or example components, any ASP that's used follows good sec guidelines and it's configured and updated as it should be...it's secure. What's wrong with Exchange if you know what you're doing? I mean you have to go out of your way to make it an open relay and if it's kept up to date there are no remote exploits. Sure they happen but they are patched just as fast. It might not be the ideal security model but it's sufficient as long as you're not extending your use of it beyond its intended purpose.

    If you use it, your job becomes one of looking for new exploits against it, keeping it patched (all components) and using work-arounds until a fix is found for any new exploit, and if the company you're working for has not sprung for a good AV system, one that works with Exchange...quit. It's only going to hurt your reputation and self-esteem.

    There is NO NEED of an additional firewall if you learn to use ISA correctly and harden the server. If you want more security you can find it in your router's configuration.

    Although its reporting abilities suck and third-party plug-ins are needed ($$) to get any real info, the logs are still available to you and can be searched/grepped for the info you want, and a well-written batch file can give you more than adequate reports...or better yet Perl.

    I used ISA for almost two years....hated it. It was really mickey mouse but it served its purpose.

    If the network gets hacked while you're administering it...you did something wrong or better yet you did not do something right.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #14
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Tedob1,

    When you look at Microsoft's overview page for ISA 2004 (see link), Figure 1 really shows that ISA should be used as an intermediate server. For me, ISA is just a firewall built on the Windows kernel with Active Directory abilities.

    Link : http://www.microsoft.com/isaserver/e...ew/default.asp
    -Simon "SDK"

  5. #15
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Morganlefay: Yup, good suggestion, I actually have two teamed NICs, and a third for ISA

    Tedob1: I am leaning toward agreeing with you, the more I read and learn about SBS. But based on 1) my lack of overall knowledge of ISA, and 2) my short time frame to get this up and running, and 3) my lack of any kind of budget, and 4) that I am getting no kind of payment whatsoever for setting this all up (it is being done on my time), it is most likely best that I install the Sonicwall I ordered.
    The plan is basically this: Set up SBS2000 server, Exchange, ISA, IIS behind the Sonicwall. Go home and set up a "testbed" network of SBS. READ READ READ, try, test, READ READ READ, try, test some more. Learn ISA inside out, learn SBS inside out. READ READ READ. Reconfigure live server as needed. (Read some more)..
    Honestly I just do not have the faith in my skills that I can do ISA properly at this point.
    But so far I have been reading a book called "SBS 2000 Best practices" which takes you from planning to full configuration of SBS and all its parts. The forewords are written by Ben Smith, from Microsoft, and having met him, I thought I would get his input. His email mirrored yours pretty closely. If you ARE going to use ISA without a hardware firewall, you HAVE TO configure it RIGHT. But it can do the job, and is, for both Hotmail and MSN.

    SDK: My understanding is that ISA as a stand-alone product is used as an intermediate server, but the functionality is different under SBS. You might want to look at the ISA product info in comparison. Always remember that when you are talking SBS versus other MS Servers, all the products MUST reside on the SBS server. There is no way to properly "break them out".

    Cheers!
    MrCoffee
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  6. #16
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I lack information about SBS. I'll look into it before my next port! If I never manage to get some free time before Monday, I never to take down my network this week-end! Will be pain!
    -Simon "SDK"

  7. #17
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    SBS is a whole nother beast because everything resides on one box.

    ISA, Exchange, SQL, etc

    I never would recommend an SBS to have public access...unless that is all it is going to be used for.

    I guess it all depends on what is being stored on the box.

    Most small businesses only have the one server.......and use it for internet access, email and a database app, user files etc.

    I would always put a hardware firewall in front as an extra layer..

    But then again...if the port is open for a service....it's still open to attack.

    My thoughts are if there is a vulnerability with the OS, ISA, Exchange or SQL or any 3rd party app.....maybe it can be stopped by the hardware firewall until the server can be downed and patched....which with a small business you down all services...and hope it comes back on line

    My .02 cdn

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Morgan is right.... For a few reasons....

    1. Defense in depth.....
    2. Additional ability to open and close services regardless of potential vulnerability
    3. Improved and more diverse logging of connections.
    4. It's just smart to have a HW firewall sitting in front, with luck you can properly DMZ it all too.

    No brainer.... I think Morgan was using US cents....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #19
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    If you have a HW FW there is absolutely no reason to use ISA unless you configure it to be a proxy only...and why would anyone want such a piss-poor proxy at such a price?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #20
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Tedob1


    The ISA logs and controls access...in and out.

    Most of the low end HW FW only log incoming.

    I am asked every once in a while to report on a users internet usage...and I use the ISA logs to get my data from.

    The new features of SBS are mostly for remote access, Outlook Web Access, VPN, terminal server etc....I would want the ISA there to authenticate and log who\when is accessing the server.

    The SBS Standard does not come with ISA.

    The SBS Premium comes with ISA and SQL...and most of the time...the ISA is just a bonus cause the businesses want the SQL to run their databases.

    Tiger...Thanks
    But it definitely is Canadian sense

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer
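
Added example, not written by any participant in this thread: posts #13 and #20 mention searching the proxy logs and reporting on a user's internet usage, and this script does that for a tab-delimited W3C extended log by reading the column layout from the `#Fields` line. The sample lines, field names and user names are constructed assumptions, not real ISA output.

```python
from collections import Counter, defaultdict

# Constructed sample (not real log data). Field names follow the W3C extended
# log convention and are assumptions; the parser trusts the #Fields line only.
FIELDS = "date time c-ip cs-username r-host cs-bytes sc-bytes sc-status"
ROWS = [
    "2004-06-01 09:00:01 192.168.16.10 alice www.example.com 420 15200 200",
    "2004-06-01 09:00:07 192.168.16.11 bob mail.example.org 310 2048 200",
    "2004-06-01 09:01:12 192.168.16.10 alice www.example.com 400 - 304",
    "2004-06-01 09:02:30 192.168.16.12 - www.example.net 250 512 407",
    "2004-06-01 09:03:00 192.168.16.11 bob truncated-line",
]
SAMPLE_LOG = "\n".join(line.replace(" ", "\t") for line in ["#Fields: " + FIELDS] + ROWS)

def to_int(value):
    """Log fields use '-' for 'no value'; count that as zero bytes."""
    return int(value) if value.isdigit() else 0

def usage_by_user(log_text):
    """Return ({user: totals}, skipped_line_count) for one log file's text."""
    fields, skipped = [], 0
    report = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0, "hosts": Counter()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout can change mid-file when logging is reconfigured.
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            skipped += 1  # malformed or truncated record: count it, do not guess
            continue
        rec = dict(zip(fields, values))
        user = rec.get("cs-username", "-")
        user = "(unauthenticated)" if user in ("-", "") else user.lower()
        entry = report[user]
        entry["requests"] += 1
        entry["bytes_in"] += to_int(rec.get("sc-bytes", "-"))   # server to client
        entry["bytes_out"] += to_int(rec.get("cs-bytes", "-"))  # client to server
        entry["hosts"][rec.get("r-host", "-")] += 1
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = usage_by_user(SAMPLE_LOG)
    for user, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes_in"]):
        print(user, e["requests"], e["bytes_in"], e["bytes_out"], e["hosts"].most_common(1))
    print("skipped lines:", skipped)
```

Requests with no user name are grouped under `(unauthenticated)` rather than dropped, so traffic that never authenticated still shows up in the report.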
