
Thread: Isa

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    177

    Isa

    I am running an NT Domain with only one route out to the internet. Right now we're running Firewall-1 and MS proxy 2.0 behind it. We need to upgrade the proxy, and MS's new toy is ISA server. I'm thinking about getting rid of FW-1 altogether, and putting in ISA server both as proxy and firewall. Any comments in regards to ISA server?

    Thanks

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Haven't used this product. But, um, getting rid of ckpw for a m$ product. Hopefully this is a testing site and not your real ecommerce one.

    If you do put this in - post the results.
    Trappedagainbyperfectlogic.

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    What's the big deal with using a MS product rather than Checkpoints? Just because it's MS? How would you know it's worse than checkpoint if you never tried it? It's not actually an ecommerce site though. It's just the only opening to the internet for our network.
    I've been playing with ISA for a while, and found it much nicer to work with than FW-1. Ran some basic port scan stuff, and every port on the ISA was 'stealthed' (is that the right word for it?), but the FW-1 scan came back with some closed ports...better than open I guess.
    Either way I'll let you know how ISA stacks up to FW-1.

  4. #4
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    umm, don't know much about ISA server, but keep the CP-FW1. Set up ISA as a secondary firewall if you want to, but trusting your security to a Microsoft product is like trusting your keys to a car jacker.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    At ease Sgt B. You can use whatever you like. When you post a question, expect some input.

    I haven't used ISA in a production environment myself, but have seen it running.
    Trappedagainbyperfectlogic.

  6. #6
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    I am in no way an expert on the subject, since I haven't used either product, but I think you should bear in mind that Microsoft products tend to be more of a target for hackers and crackers than most other products - so, even if they are of the same quality, vulnerabilities for Microsoft products tend to surface quicker. If this is a good or a bad thing, I leave to your judgement - it could be both positive and negative.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Thanks for all the input!
    Gold Eagle: I think you got the wrong tone in my 'voice'. I was just asking you why you would say to ditch the MS product, not trying to flame you. After re-reading my post though, I could see how you could come to that conclusion. I didn't mean to sound angry.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Microsoft's ISA server is nothing more than a glorified proxy. Not that there is anything wrong with it, but it is different from Checkpoint FW-1.

    If I were you, I would keep the design the same and just upgrade the proxy 2.0 to MS ISA. This will give you a very secure setup. Just make sure on the FW that you only accept traffic from the proxy so that someone cannot circumvent the system by setting their default gateway to that of the FW and removing proxy settings. There might also be cases where something might not be able to be proxied. Deal with these on an individual basis and create necessary exceptions on the firewall.

    I would not even make it a consideration to eliminate the CP FW altogether. By doing this, you will eliminate a lot of the flexibility that a stateful inspection FW gives you in the first place.
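
Added example, not part of the thread or any poster's words: a small audit of a first-match rule base for the design described in post #8, reporting any rule that lets a client other than the proxy reach the internet outside a documented exception. The addresses, rule names and the simplified rule format are constructed for illustration and are not Firewall-1 syntax.

```python
import ipaddress

# Constructed sample data: addresses, rule names and the tuple format are
# assumptions for illustration, not Firewall-1 syntax.
LAN, PROXY = "10.0.0.0/24", "10.0.0.10"
PORTS = (25, 80, 443)              # outbound services to audit
APPROVED = {("10.0.0.25", 25)}     # documented exception: mail relay, SMTP only

# (name, source network, destination port or None for any, action); first match wins
RULES_WEAK = [
    ("proxy-out", "10.0.0.10/32", None, "accept"),
    ("smtp-exception", "10.0.0.25/32", 25, "accept"),
    ("lan-web", "10.0.0.0/24", 80, "accept"),   # lets any client skip the proxy
    ("cleanup", "0.0.0.0/0", None, "drop"),
]
RULES_FIXED = [r for r in RULES_WEAK if r[0] != "lan-web"]


def first_match(rules, src, port):
    """Return (rule name, action) of the first rule matching src and port."""
    for name, net, rule_port, action in rules:
        if src in ipaddress.ip_network(net) and rule_port in (None, port):
            return name, action
    return "implicit-drop", "drop"


def proxy_bypass_findings(rules, lan, proxy, ports, approved):
    """Map rule name -> count of (host, port) pairs that get out without the proxy."""
    findings = {}
    for host in ipaddress.ip_network(lan).hosts():
        if host == ipaddress.ip_address(proxy):
            continue                      # the proxy itself is allowed out
        for port in ports:
            name, action = first_match(rules, host, port)
            if action == "accept" and (str(host), port) not in approved:
                findings[name] = findings.get(name, 0) + 1
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", RULES_WEAK), ("fixed", RULES_FIXED)):
        print(label, proxy_bypass_findings(rules, LAN, PROXY, PORTS, APPROVED))
```

An empty result means only the proxy and the approved exceptions can leave the network; a non-empty one names the rule to tighten.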

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    You're right Invictus...we already paid for FW-1 anyway right? Sounds like that's the best route to go.
    Thanks for the help and advice everyone!

  10. #10
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    No offense taken.

    We are glad to help. iNViCTuS is quite right, he has a lot of security experience so I put much in what he says. Let us know how it goes and if you need more help.

    Trappedagainbyperfectlogic.
