Re: Firewall recommendation for sbs2003
- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
- Date: Sat, 18 Feb 2006 11:31:47 -0800
I don't trust a non managed/non updated system to protect me, Windows or otherwise.
Leythos wrote:
In article <#tuitFENGHA.536@xxxxxxxxxxxxxxxxxxxx>, research@xxxxxxxxxxxxxxxxxx says....
I guess that depends on how you look at it. A properly configured server is in itself a layer of defense. Strong passwords enforced, services & apps configured correctly..etc. Then comes ISA which is a top notch firewall. I would even analogize it as being the deadbolt/lock assembly for entrance to a dwelling and the armed guard in front of it respectively. Realistically there are several layers of defense built in to an SBS box such as email attachment stripping...it is defense against something other than a hacker but it is aimed toward the same goal of keeping the integrity of the box intact.
I guess we could sum my position up like this: I don't trust a Windows based machine to protect my data. In fact, to clarify, I don't trust any non-hardened machine to properly protect my data.
What makes a separate box any better than what I have? If it fails or is hacked it is just that....hacked. Who knows what engineering & software quirks are embedded in one of those systems? You said you have been in the biz since the '70s so I know you know about those quirks in software/firmware etc.
You seem to have missed the "Hardened OS" or the Certified Appliance in this discussion. I don't see how anyone could call a server set up by a non-certified person, by someone that had no third party review, that has known holes in the OS, etc.... I don't see how I could even start to trust it.
I am not deliberately being argumentative or anything...I just think that many people have been sold a bill of goods in some respects and don't question conventional wisdom and standards often enough.
I agree, but I think that it's a "bill of goods" to suggest that a domain controller with a firewall application running on it, set up by the company owner or some two-bit computer shop/chap, should even remotely be considered as secure. What part of all the ISA problems posted here are you missing - how about the ones where people have created rules that have opened holes in ISA that lead directly to the DC in order to diagnose a problem with VPNs?
The old standard is still very good - and you don't put all your eggs in one basket. I will "always" use the two layers (or more) approach - which means a firewall appliance/server that has/is hardened and is not part of the DC/file servers.
It's just like the insistence on adding servers for all kinds of different crap. A very reputable local company insisted that I needed an additional server to run MS CRM and another additional server to run a simple financial system. I wondered to myself whether he realized that in general most Windows server systems are basically doing SQUAT and that companies WAY overbuild their computer infrastructure. You know what I mean?
Yep, I've seen it many times, and I've also seen many instances where applications cause a server to become unstable - Accounting programs are notorious for this, so are some industrial process apps, etc... If you want a DC, then make it a DC. If you want an Application server, don't make it a DC.
I've also seen some applications that didn't cause any problems running on a server.
I've also seen an 8-node doctors office running on Win 2003 Standard with 4GB RAM and a 5 x 142GB RAID array with only 47GB of space used, 380MB of RAM in use after a month, and the users mapped to the C$ share on the server for their "F" drive - all of that done by an MCSE/MCT!
Too bad there isn't a SBS Migration path (licenses) to take them out of Win 2003 Std to SBS 2003 Std without costing them all over again.
Needless to say I will never use that "reputable" local company. He had a mind to sell me what amounted to useless hardware because it was "loosely" considered a standard. I don't have a problem with people making money, everyone has to do it right? But I have to draw a line somewhere.
Again, while it's standard to want to protect the DC, it's not uncommon for people to know more than the people purchasing the solution. I've made it a point to never install MAS-200 or JobBoss on a DC or single server solution due to the "issues" they cause. Come to think of it, I never want to see Crystal Reports installed on a DC either (and I'm sure there are many others). I'm not saying you can't get away with it, but I've had more service calls from people that insisted it be done than from people that did it the application server way - and that relates to costs to maintain, down-time costs, and those cost all the time; hardware is a one-time cost that you can deduct as a business expense.
So, we're not going to agree and that's fine, that's what Usenet is about - sharing ideas with each other, we don't have to agree, it doesn't bother me, it's not like this is a competition or anything like that.
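The "users mapped to the C$ share for their F drive" setup described in the thread is easy to audit for. The following PowerShell is an added example, not code from anyone in this thread; it uses a constructed list of mappings (server name SBSSRV and the share paths are made up) and falls back to the live Get-SmbMapping cmdlet where that module exists.

```powershell
# Added example (not from the thread): flag user drive mappings that point at
# administrative shares such as C$ or ADMIN$, the misconfiguration described above.
function Get-UncShareName {
    param([string]$UncPath)
    # \\server\share\sub\dir -> 'share'
    $parts = $UncPath.TrimStart('\') -split '\\'
    if ($parts.Count -lt 2) { return $null }
    return $parts[1]
}

function Test-AdminShareMapping {
    param([string]$RemotePath)
    $share = Get-UncShareName $RemotePath
    if (-not $share) { return $false }
    # Default administrative shares are <drive>$ and ADMIN$; a user home drive
    # should never land on one of them, because the share grants access to the whole volume.
    return ($share -match '^[A-Za-z]\$$' -or $share -ieq 'ADMIN$')
}

# Constructed sample mappings standing in for what Get-SmbMapping / net use would return.
$sample = @(
    [pscustomobject]@{ LocalPath = 'F:'; RemotePath = '\\SBSSRV\C$' }
    [pscustomobject]@{ LocalPath = 'G:'; RemotePath = '\\SBSSRV\Users\jsmith' }
    [pscustomobject]@{ LocalPath = 'H:'; RemotePath = '\\SBSSRV\ADMIN$\Temp' }
)

# Use the live mappings when the SmbShare module is available (Windows 8 / Server 2012
# and later); otherwise run against the constructed sample so the script works offline.
$mappings = if (Get-Command Get-SmbMapping -ErrorAction SilentlyContinue) { Get-SmbMapping } else { $sample }

foreach ($m in $mappings) {
    if (Test-AdminShareMapping $m.RemotePath) {
        Write-Warning ("{0} is mapped to administrative share {1}; move the data to a dedicated share with its own NTFS/share ACLs" -f $m.LocalPath, $m.RemotePath)
    }
}
```

On the constructed sample the F: and H: mappings are flagged and G: (a normal user share) is not.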