Re: SBS Premium installed - Some configuration questions...


From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 11/21/04


Date: Sun, 21 Nov 2004 08:12:40 -0800

ISA and a hardware firewall are in the same league. It's blocking ports
and only allowing those ports in.

Consider filtering outbound.... here's why

Say you have an end user who's surfing the net and opens up web email and
they haven't updated their virus defs so they pick up a trojan. Without
outbound filtering...that trojan is operational...

Egress filtering protects you from yourself. ISA also has great HR
logs. Make sure your firewall is giving you the data you need for that
side of the puzzle. I put the hardware firewall on the outside and then
have ISA on the inside for the egress filtering/HR part of it.

Windows Update does not patch everything on this server... it only
publishes "Windows" updates. That's what I'm trying to tell you that if
you merely go to Windows update and nothing else....there are more
patches to get. Don't stop there... you aren't done.

Lerner wrote:
> "Susan Bradley, CPA aka Ebitz SBS Rocks [MVP] " <sbradcpa@pacbell.net> wrote
> in message news:e8u5rk5zEHA.1188@tk2msftngp13.phx.gbl...
>
>>No it doesn't. I have a small router firewall on the outside and only
>>those ports open are open. A firewall that has open ports like 25 gives
>>you no additional protection for that open port.
>>
>>Did I get Sasser, blaster or ANY of the "fill in the blanks" ..no
>>because I had a firewall, antivirus and Patching in place.
>
>
> This is what I'm saying... you still need the hardware firewall even though
> ISA is in place. When Sasser first appeared any Win2K box was unsafe unless
> it was protected by another piece of hardware. I don't trust the ISA server
> to protect itself for the same reason. Even if a patch is released 24 hours
> after an exploit is discovered that's still 24 hours that I could be
> attacked. I trust my hardware firewall to block any traffic that I haven't
> forwarded through it, and I trust it to forward packets to only specific
> machines on the network.
>
> From my understanding, ISA provides:
> - Firewall: Blocking inbound or outbound access to specific network ports.
> Great for blocking virii like Sasser or users from connecting to
> unauthorized services like ICQ.
> - URL filtering: Stopping users from accessing specific websites. DNS can do
> this if it's really important. I plan on 0.0.0.0 for *.intellitxt.com once
> everything is working properly, for example.
> - Web caching: Holds frequently accessed content to lower the load on the
> WAN side of the network. Personally I despise caches. For our needs a
> webcache is unnecessary. Any file that is important enough to hit often is
> downloaded to a local share.
>
> As far as firewall functionality goes. My hardware firewall does a good job
> for incoming traffic. We don't have need to firewall outbound traffic.
>
> As far as address filtering, I don't want to get into the nightmare of
> building website blacklists or whitelists. There's no way I can have an
> accurate blacklist that blocks every website that is malicious, so I can't
> trust that to protect my network. Similarly, a whitelist of "acceptable"
> websites would be impossible to build.
>
> I've already mentioned my feelings toward caching servers.
>
>
>>If you only rely on a firewall as your protection you will not be
>>protected.
>
>
> If you connect your PC to anything, including electricity you won't be
> protected. Nothing is perfect but ISA is definitely overkill for us. User
> education is a big factor and none of our users are dumb enough to open
> attachments that they weren't expecting or click "OK" on the popup that says
> "Install the Gretast Internet SpeeduP appz". Exploits such as hidden IFrames
> are issues that sit squarely on Microsoft's shoulders and are neutralized
> with regular OS/App updates. Realtime AV scanning/updates and regular
> spyware scans catch anything that happens to get into the network.
>
> ISA is great for a larger organization, but overkill for a small operation.
>
>
>>Right now if you are running with local administrator rights on your
>>workstations, your threats, your risks are so much more on those
>>desktops than any firewall on your system.
>
>
> It hasn't been an issue on our Workgroup LAN. Also, it's an issue we plan on
> improving once the domain is online and we can determine security levels of
> our users. Within our group we have no hierarchy. There is no "IT" person,
> no "administrator" per se... We are a true peer network with all users doing
> all functions.
>
>
>>That's my entrance point ... email and web surfing... and whether my
>>firewall is a hardware firewall or ISA makes no difference. As long as
>>I let my Secretary download smiley faces for her email, I'm threatened
>>with entrances into my network.
>
>
> Exactly... If ISA isn't going to stop that, and my hardware firewall stops
> the rest, why do I need ISA?
>
>
>>What's the brand of that firewall? Have you patched it? Any hardware
>>firewall is just code in a box. If you don't patch it, you are missing
>>security vulnerabilities there too.
>
>
> True, but the ability to get "into" one of these boxes and reverse engineer
> an exploit is much more difficult than for a Windows box.
>
>
>>And no, a firewall and a visit to Windows update is NOT enough.
>
>
> Microsoft should work on their security because that's all the security
> you're going to get with an ISA server... whatever hardware you can put in
> front of it and whatever patches MS publishes.
>
>
>>Gawd kill off Win95. No security whatsoever.
>
>
> I don't use it... Just explaining that much of the functionality of our
> current Workgroup server is based on individual server apps that could
> function on a Win95 box - possibly Win 3.11 if I really tried : )
>
>
> Anyhow... I really don't want this to turn into an argument.
>
> Simply put, we don't trust a dedicated Windows PC and associated hardware to
> be reliable enough to protect itself from attacks or failure. Especially
> when a $100 router will do 90% of the job much more securely and with less
> downtime. The whole reason that we're rebuilding our network is because the
> current Workgroup server has had a number of hardware failures and we don't
> want the whole network offline should the same thing happen with the new
> server.
>
>

-- 
http://www.sbslinks.com/really.htm
http://www.msmvps.com/bradley
https://www.ecora.com/ecora/jump/pm99.asp
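The egress-filtering argument in the post above (a trojan picked up through web mail is "operational" when only inbound traffic is filtered) can be made concrete with a small policy model. The following is an added example, not code from the post or from ISA Server; the LAN range, the SBS host address, the rule names and the log lines are all constructed for the demonstration. It evaluates the same outbound-connection log against an inbound-only router policy (everything out is allowed) and against a default-deny egress policy that permits only DNS to the internal resolver, web browsing, and SMTP from the mail server.

```python
"""Default-deny egress policy model (added example; constructed addresses and log lines).

The post above argues that a firewall which only filters inbound traffic lets a
trojan picked up through web mail talk out freely. This models the difference:
the same constructed outbound-connection log is evaluated against an inbound-only
policy (allow everything out) and against a default-deny egress policy.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dports: FrozenSet[int]   # empty set means any destination port
    proto: str               # "tcp", "udp" or "any"
    action: str              # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int, proto: str) -> bool:
        if self.src != ANY and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != ANY and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and dport not in self.dports:
            return False
        if self.proto != ANY and proto != self.proto:
            return False
        return True


# Constructed addressing (assumption, not from the post): the LAN is 192.168.1.0/24
# and the SBS box at 192.168.1.2 is the only internal DNS resolver and mail server.
LAN = "192.168.1.0/24"
SBS = "192.168.1.2/32"

# Egress policy in the spirit of the post: allow only what the business needs, deny the rest.
EGRESS_POLICY: List[Rule] = [
    Rule("lan-dns-to-sbs",   LAN, SBS, frozenset({53}),      "udp", "allow"),
    Rule("lan-web",          LAN, ANY, frozenset({80, 443}), "tcp", "allow"),
    Rule("sbs-smtp-out",     SBS, ANY, frozenset({25}),      "tcp", "allow"),
    Rule("default-deny-out", ANY, ANY, frozenset(),          ANY,   "deny"),
]

# A router that filters inbound only: every outbound flow is permitted.
NO_EGRESS_POLICY: List[Rule] = [Rule("allow-all-out", ANY, ANY, frozenset(), ANY, "allow")]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int, proto: str) -> Tuple[str, str]:
    """First-match evaluation, as most firewalls do it; returns (action, matching rule name)."""
    for rule in policy:
        if rule.matches(src, dst, dport, proto):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # no explicit rule matched: safest reading is deny


# Constructed log format: "<date> <time> <src> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>tcp|udp)$")


def audit(lines: List[str], policy: List[Rule]) -> List[Tuple[str, str, str]]:
    """Evaluate each outbound-connection log line; returns (src, action, rule) per line."""
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            verdicts.append((line.strip(), "unparsed", "-"))
            continue
        action, rule = evaluate(policy, m["src"], m["dst"], int(m["dport"]), m["proto"])
        verdicts.append((m["src"], action, rule))
    return verdicts


# Constructed sample: one workstation resolving DNS and browsing, then sending mail
# directly on port 25 and connecting to an unusual port; then the SBS box sending mail.
SAMPLE_LOG = [
    "2004-11-21 08:12:40 192.168.1.57 -> 192.168.1.2:53 udp",
    "2004-11-21 08:12:41 192.168.1.57 -> 203.0.113.20:443 tcp",
    "2004-11-21 08:13:02 192.168.1.57 -> 198.51.100.7:25 tcp",
    "2004-11-21 08:13:05 192.168.1.57 -> 203.0.113.9:6667 tcp",
    "2004-11-21 08:13:10 192.168.1.2 -> 198.51.100.7:25 tcp",
]


def denied_by(policy: List[Rule]) -> List[str]:
    """Return the sample log lines the given policy would have blocked."""
    return [line for line, (_, action, _) in zip(SAMPLE_LOG, audit(SAMPLE_LOG, policy))
            if action == "deny"]


if __name__ == "__main__":
    for name, policy in (("inbound-only", NO_EGRESS_POLICY), ("default-deny egress", EGRESS_POLICY)):
        print(f"{name}: {len(denied_by(policy))} of {len(SAMPLE_LOG)} outbound flows blocked")
        for src, action, rule in audit(SAMPLE_LOG, policy):
            print(f"  {src:14} {action:5} ({rule})")
```

Under the inbound-only policy all five flows pass; under the egress policy the workstation's direct port-25 mail and its port-6667 connection are denied by `default-deny-out`, while the SBS box's own SMTP is still allowed. Those two denied entries are also exactly the log records the post's "HR logs" remark refers to: with default-deny egress, a blocked outbound flow is both a contained infection and a visible event.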

