Re: Thoughts on ISA 2004 BETA

From: Thomas W Shinder [MVP] (tshinder_at_hotmail.com)
Date: 04/29/04


Date: Thu, 29 Apr 2004 12:14:24 -0500

Hi A,

inline...

--
Tom
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
ISA Server and Beyond Seminars - http://tinyurl.com/9sce
MVP -- ISA Server 2000
"a" <anonymous@discussions.microsoft.com> wrote in message
news:81370C9A-B482-4B3E-80D9-91FD95AE6265@microsoft.com...
: 1.  Get rid of MMC.  You lose too much screen area to sidebars and other
trash that is not needed.
==>the ISA 2004 is very bulky, I agree. I think they should have optimized
it for 800x600, not 1024x768
: 2.  Logging is still weak and needs some improvements.
==>the logging feature is actually very good, since you pay through the nose
to get comparable logging capabilities with CP or PIX. You can always buy an
add-on to get the same functionality and the same TCO :-)
: 3.  A Man with two left brains designed the ISA MMC console screens.
Pretty pictures!
==>I think that's two right brains, if you like the art work :-)
: 4.  Though I like many of the quick guides I feel like I am being talked
down to.  Now kiddies this is what a network looks like with only one
network, this is what it looks like with two networks.  Sorry, you can not
pick that one please try again.
==>Not everyone is a firewall or networking expert, but they still need a
firewall. Even the pros can benefit from a helping hand. It's a LOT easier to
work with than the dreaded CP interface, and the PIX interface acts like it
was dropped on its head at birth!
: 5.  Thank goodness it is still in BETA.  Cisco and Checkpoint have
nothing to fear from this product.
==>Actually, I think they have a LOT to fear. Cisco isn't much of a
firewall, it's a router with some simple "fixups" etc and packet filter.
Packet filtering routers have their place, but in the 21st century, I don't
think of them as firewalls any more. Maybe the hackers are less
sophisticated where you're from :-)  CP is getting close in terms of layer 7
awareness, but its hopeless UI and prohibitive cost and learning curve make it
only second best.
: 6.  This is a vast improvement over the old proxy but ISA 2004 as a
Firewall product is still lacking.  Manual rule definitions don't always
work as they should.  Microsoft networking gets in the way. What you define
in a rule is not what you get.  There is no strong policy checking and
logging that I can see to validate security settings.
==>I think you mean to say that as a packet filter based router it's lacking.
But as a firewall, it really sets the standard. The myth of the hardware
router is pretty much busted; ASIC and "add on app filter" cards can't keep
up with modern software based firewalls. However, a router and a firewall
aren't the same thing, so if you need both, you need to buy both. Plus, you
need those ASICs on the front-end if you have an OC12+ line, 'cause the
software based firewalls can't keep up.
: 7.  This product does have superior feedback from users, MVPs and
Microsoft personnel.  Checkpoint's support system is so weak any other
product is worth the try.  Cisco continues to make itself as proprietary as
possible in order to gain the greatest dependency on their own support
system.
==>Another reason to stay away from CP -- poor support and Byzantine
interface, as well as an insane licensing scheme. You get better firewall
features, comparable performance (depending on hardware) and far, far better
support with ISA 2004, which I'm happy to say is now a real firewall.
HTH,
Tom

