Re: Best practices: Two nic's but have harware firewall



I am not aware of any application layer filtering in WatchGuard products.
This may be a failing on my part. I would welcome a link to any references
to such.

"Leythos" <void@xxxxxxxxxxx> wrote in message
news:tMPMf.183090$PY6.96663@xxxxxxxxxxxxxxxxxxxxxxxxx
In article <O79QkgBPGHA.3260@xxxxxxxxxxxxxxxxxxxx>, not@xxxxxxxxxxx
says...
I don't agree with much Tom says, and this article is more than a little
'skewed', but I find it of interest:

ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to
Know (v1.02)
http://www.isaserver.org/articles/2004tales.html

Here is a snippet of what he seems to be saying that ISA does while
Firewall Appliances don't:
======
It is at this level that an ISA Server 2004 firewall becomes critical.
In contrast to a packet filter hardware device, you need real firewall
protection. Simple packet filtering is inadequate when it comes to
protecting resources in the network asset ring. Not only must you be
able to insure that all incoming connections are subjected to deep
application layer inspection, you must also control what leaves the
asset networks using strong user/group based access control.

Strong outbound user/group based access control is an absolute
requirement. In contrast to your typical hardware packet filtering
firewall that lets everything out, the firewalls at the Asset Network
edge must be able to control outbound connections based on user/group
based membership. Reasons for this include:

* You must be able to log the user name of all outbound connections
so that you can make users accountable for their Internet activity
* You must be able to log the application the user used to access
Internet content; this allows you to determine if applications not
allowed by network use policy are being used and enables you to take
effective countermeasures
* Your organization may be held responsible for material leaving
your network; therefore you must be able to block inappropriate material
from leaving your network
* Sensitive corporate information may be transferred outside the
network from Asset Network locations. You must be able to block this and
record user names and applications the users are using to transfer
proprietary information to a location outside your network

The ISA Server 2004 firewall is the ideal firewall for the Asset Network
edges because it meets all of these requirements. When systems are
properly configured as Firewall and Web Proxy clients, you are able to:

* Record the user name for all TCP and UDP connections made to the
Internet (or any other network that the user might connect to by going
through the ISA Server 2004 firewall)
* Record the application the user uses to make these TCP and UDP
connections through the ISA Server 2004 firewall
* Block connections to any domain name or IP address based on user
name or group membership
* Block access to any content outside their network based on user
name or group membership
* Block transfer of information from the Asset Network to any other
network based on user name or group membership

All this deep application layer stateful inspection and access control
requires processing power. That's why you should size your servers
appropriately to meet the requirements of powerful stateful application
layer processing. Fortunately, even with complex rule sets, the ISA
Server 2004 firewall is able to handle well over 1.5 gigabits/second per
server, and even higher traffic volumes with the appropriate hardware
configuration.
=====

The WatchGuard firewall appliances do all of this and more; I know, I've
got it set up doing the above. So, it seems that the quality solutions do
what ISA does and don't expose the solution to Windows flaws at the same
time.


--

spam999free@xxxxxxxxxx
remove 999 in order to email me
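The distinction the quoted article draws, between a packet filter that sees only addresses and ports and a firewall that can tie each outbound connection to an authenticated user, that user's group membership and the program used, is easy to model. The Python script below is an added illustration written for this page; it is not ISA Server or WatchGuard code, and every user, group, application name, subnet and hostname in it is a constructed sample. It evaluates the same outbound connection attempts under both styles and shows what each one can log and what each one can block.

```python
"""Model of the two outbound-control styles contrasted in the quoted article.

Added example: not ISA Server or WatchGuard code. All users, groups,
applications, addresses and hostnames below are constructed samples.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as seen at the internal network edge."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    user: Optional[str] = None         # known only when a firewall/proxy client identifies the user
    application: Optional[str] = None  # process name reported by that client
    dst_host: Optional[str] = None     # hostname when a proxy sees it (e.g. HTTP Host header)


@dataclass
class Decision:
    allowed: bool
    reason: str
    log: dict  # what this control style is able to record about the connection


# --- Style 1: packet filter. Only the 5-tuple is visible, so the policy cannot
# --- tell users or programs apart; it "lets everything out" on permitted ports.
INTERNAL_NET = ip_network("192.168.1.0/24")          # constructed sample subnet
PACKET_ALLOWED_PORTS = {"tcp": {80, 443}, "udp": {53}}


def packet_filter(conn: Connection) -> Decision:
    log = {"src": conn.src_ip, "dst": conn.dst_ip, "port": conn.dst_port, "proto": conn.proto}
    if ip_address(conn.src_ip) not in INTERNAL_NET:
        return Decision(False, "source not internal", log)
    if conn.dst_port not in PACKET_ALLOWED_PORTS.get(conn.proto, set()):
        return Decision(False, "port not permitted", log)
    return Decision(True, "port permitted", log)


# --- Style 2: user/group and application aware policy (constructed sample data).
GROUPS = {"alice": {"staff", "finance"}, "bob": {"staff"}}
# Programs each group may use to reach the Internet
ALLOWED_APPS = {"staff": {"msedge.exe", "firefox.exe"}, "finance": {"outlook.exe"}}
# Destinations a group must never reach (the "information leaving the network" concern)
BLOCKED_HOSTS = {"finance": ["*.filesharing.example"], "staff": ["*.malware.example"]}


def app_layer_policy(conn: Connection) -> Decision:
    base = packet_filter(conn)
    # This style records user name, application and hostname for every connection
    log = {**base.log, "user": conn.user, "app": conn.application, "host": conn.dst_host}
    if not base.allowed:
        return Decision(False, base.reason, log)
    if conn.user is None:
        return Decision(False, "unauthenticated connection", log)
    groups = GROUPS.get(conn.user, set())
    permitted_apps = set().union(*(ALLOWED_APPS.get(g, set()) for g in groups))
    if conn.application not in permitted_apps:
        return Decision(False, f"application {conn.application} not permitted for {sorted(groups)}", log)
    for g in sorted(groups):
        for pattern in BLOCKED_HOSTS.get(g, []):
            if conn.dst_host and fnmatch(conn.dst_host, pattern):
                return Decision(False, f"destination {conn.dst_host} blocked for group {g}", log)
    return Decision(True, "permitted by user/group policy", log)


# Constructed sample traffic (RFC 5737 documentation addresses and .example names)
SAMPLE = [
    Connection("192.168.1.10", "93.184.216.34", 443, "tcp", "alice", "msedge.exe", "www.example.com"),
    Connection("192.168.1.11", "203.0.113.5", 443, "tcp", "bob", "p2pclient.exe", None),
    Connection("192.168.1.12", "198.51.100.7", 443, "tcp", None, "curl.exe", None),
    Connection("192.168.1.10", "203.0.113.9", 443, "tcp", "alice", "msedge.exe", "upload.filesharing.example"),
    Connection("192.168.1.11", "192.0.2.9", 25, "tcp", "bob", "firefox.exe", None),
]


def compare(conns: List[Connection]) -> List[Tuple[bool, bool, str]]:
    """Return (packet-filter verdict, app-layer verdict, app-layer reason) per connection."""
    out = []
    for c in conns:
        pf, al = packet_filter(c), app_layer_policy(c)
        out.append((pf.allowed, al.allowed, al.reason))
    return out


if __name__ == "__main__":
    for c, (pf, al, why) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{c.user or '-':6} {c.application or '-':14} -> {c.dst_host or c.dst_ip}:{c.dst_port}"
              f"  packet-filter={'allow' if pf else 'deny'}  app-layer={'allow' if al else 'deny'} ({why})")
```

Running it shows the point of the article's list: the packet filter permits every connection on 443 and records nothing but addresses, while the user-aware policy denies the unidentified client, the non-permitted program and the blocked file-sharing destination, and its log carries the user name and application for each decision. The model deliberately leaves out what neither style gives you for free: identity still has to come from a client component or authenticating proxy, and a hostname is only visible when the proxy sees it.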

