Re: Connecting an SBS 2003 Server to the internet - the preferred way?



gmiller wrote:
That is correct.

Most of my clients don't really require the extras in Premium.

The reason I was asking this initially was that I was curious about how
secure the standard firewall is. Has anyone had any problems with it?


It's not a matter of how secure; it only defends against direct TCP/IP
attacks, but not against forms of attack which are invited in by users,
e.g. malicious email and web content. It is only a stateful packet
inspection filter.

What it isn't is a web or other proxy server, which you get with ISA.
Ideally a firewall appliance used with SBS Standard should have at least
a web proxy and preferably a mail proxy. What these do is remove known
harmful content and discard non-standard messages e.g. emails with
headers crafted to try to disrupt the mail server. A web proxy will
also offer much more control over permitted and denied websites and
file downloading than the typical domestic firewall/router, which
generally has very limited URL recognition.

ISA also allows control over outgoing TCP/IP connections, on a user and
application basis. Since TCP/IP does not carry user or application
information, any control over outgoing access must encapsulate packets
in a protocol which does carry this, and which the firewall can use, so
workstations need client software to carry this out. ISA and its client
software do this.

Since a good firewall appliance also offers stateful packet inspection,
in theory using SBS Standard in two-NIC mode will add nothing to this.
On the other hand, while it is unusual for commercial routers or
firewalls to be found vulnerable to exploits, it isn't unheard of, and
any device can be misconfigured or turned off for testing and
accidentally left off. An additional layer of even simple packet
filtering may save a server from being hijacked.
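
An added illustration of the distinction drawn in the reply above (not part of the original thread, and not SBS or ISA code): a toy stateful packet filter that decides on addresses, ports and connection state only, beside a mail-proxy style check that reads the message itself. The published port, the addresses, the header rules and the sample messages are all constructed assumptions.

```python
import re

# Constructed policy and sample data; none of this comes from SBS or ISA.
ALLOWED_INBOUND_PORTS = {25}          # only SMTP is published to the internet
MAX_HEADER_LINE = 998                 # RFC 5322 line limit, excluding CRLF
PRINTABLE = re.compile(rb"[\x09\x20-\x7e]*")
FIELD = re.compile(rb"[\x21-\x39\x3b-\x7e]+:")   # field name, then a colon

class StatefulFilter:
    """Decides on addresses, ports and connection state; never reads payload."""
    def __init__(self):
        self.flows = set()

    def permit(self, src, sport, dst, dport, syn=False, inbound=True):
        if (src, sport, dst, dport) in self.flows:
            return True                          # part of a known connection
        if syn and (not inbound or dport in ALLOWED_INBOUND_PORTS):
            self.flows.add((src, sport, dst, dport))
            self.flows.add((dst, dport, src, sport))   # allow the replies
            return True
        return False                             # unsolicited: drop

def mail_proxy_accepts(raw):
    """Application-layer check: refuse messages with a malformed header block."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no blank line between headers and body"
    for n, line in enumerate(head.split(b"\r\n"), 1):
        if len(line) > MAX_HEADER_LINE:
            return False, f"header line {n} is longer than {MAX_HEADER_LINE} bytes"
        if not PRINTABLE.fullmatch(line):
            return False, f"header line {n} has control or 8-bit bytes"
        folded = n > 1 and line[:1] in (b" ", b"\t")
        if not folded and not FIELD.match(line):
            return False, f"header line {n} has no valid field name"
    return True, "ok"

GOOD = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
OVERLONG = b"From: a@example.com\r\nSubject: " + b"A" * 2000 + b"\r\n\r\nbody\r\n"

def demo():
    fw = StatefulFilter()
    smtp = ("203.0.113.7", 40000, "192.0.2.10", 25)
    rows = []
    for name, msg in (("good", GOOD), ("overlong", OVERLONG)):
        rows.append((name, fw.permit(*smtp, syn=True), mail_proxy_accepts(msg)[0]))
    return rows   # the packet filter passes both; only the proxy tells them apart

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Both messages arrive on the published SMTP port, so the packet filter permits both; only the application-layer check refuses the non-standard one.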