Educational Software Thread, Implemeting an ISA Server in Technical; Originally Posted by Lipjam Our LA is encouraging schools to move away from getting Internet services from them .They want ...
  1. #16

    GrumbleDook's Avatar

    Re: Implemeting an ISA Server

    Quote Originally Posted by Lipjam
    > Our LA is encouraging schools to move away from getting Internet services from them. They want us to do our own Internet. At the moment we do our own filtering & Firewall with Censornet but it's proving unreliable. Thanks for the suggestions.
    Which LA is this? Do they mean moving away from an RBC and buying your 'Net connection wholesale from someone like BT or NTL:Telewest Business?

  2. #17


    Re: Implemeting an ISA Server

    Quote Originally Posted by tom_newton
    > It's not so much that the firewall is bad, it's more that it's a general-purpose server OS being used as a perimeter firewall.
    >
    > When we use Linux, we take the kernel, make alterations, and then carefully choose the other tools we add.
    >
    > When you use ISA, you're basically taking a stock server OS and trying to make it fit for purpose - not a great idea. As long as you're doing *something* outside of it, then I'd say yes, fine, use it for the stateful inspection/app layer stuff, but I'd never put it direct onto my router.

    There is an SCW wizard that hardens the base OS by disabling the service; all you need to do is select "ISA Server" and the Security Configuration Wizard will disable all services not required and keep ISA, thus hardening the server OS. This is the same sort of thing that you guys do with your kernel modifications etc.

    Ashok.

  3. #18


    tom_newton's Avatar

    Re: Implemeting an ISA Server

    Ashok - I would suggest that hardening an operating system is more than merely disabling services. Personally, I wouldn't be happy running an ISA system, but a good many people are; having said that, many people use PPTP as well. I guess I am just a bit of a hard guy to please, but then that's my job

  4. #19
    Lipjam's Avatar

    Re: Implemeting an ISA Server

    Tom
    I did have a mess about with Smoothwall but couldn't configure it as we have two subnets and Censornet accommodates the two gateways. I may be wrong but I don't think Smoothwall can do the same? I have little knowledge of Linux; that is why I favour the Microsoft solution. It is looking expensive though, so I would be happy for any help or advice you can offer.

    I am waiting for a layer 3 managed switch to arrive so will not need two gateways. I want the new solution up and running before term starts in Sept so have a bit of time to play around and try out various solutions.

  5. #20



    Re: Implemeting an ISA Server

    I've got a Smoothwall here as well. It's the business. Smoothwall has an easy-to-use web front end to set it up so no 'Linux knowledge' is required - it just works.

  6. #21


    tom_newton's Avatar

    Re: Implemeting an ISA Server

    Lipjam: It depends which version of SmoothWall you're looking at, and what you're trying to do. We have installations from companies with 10 10-man offices, to 10,000 users all going through a central location - and all points in between.

    Give me a ring and we can go through what you're trying to do - might give you some ideas anyway! (phone no. in sig block)

  7. #22

    Gatt's Avatar

    Re: Implemeting an ISA Server

    Got SmoothWall here (SchoolGuardian) and so far it's been fantastic..
    We did try to use ISA a long time ago in a Galaxy far far....

    Damn, I knew I shouldn't have watched all them Star Wars films last night 8O

  8. #23


    Re: Implemeting an ISA Server

    Quote Originally Posted by tom_newton
    > Ashok - I would suggest that hardening an operating system is more than merely disabling services. Personally, I wouldn't be happy running an ISA system, but a good many people are; having said that, many people use PPTP as well. I guess I am just a bit of a hard guy to please, but then that's my job
    Hi Tom,

    When I mentioned the services being disabled, that is one aspect of it; there are other things it modifies, and it therefore disables the other functionality of, say, Windows Server. This is done through selecting the role(s) of the server, and depending on which role you select it configures the back-end OS for that role and nothing else.

    Your solutions may be easier, may be better or worse, but certainly commenting that ISA is poor at perimeter or second ring is bad. I guess people decide on ease of use, deployment and administration, and some may find it easier to configure firewalls using a web browser etc. and some like to have a proper front-end GUI.

    There are also other people making comments about it being expensive; it's not that expensive for schools, i.e. £50 approx for the base server license, and £150 approx for the ISA Server itself, so not too bad. Native MS AD support is good and if you're a Microsoft shop then it makes it ideal.

    I'm only carrying on this debate because so far I haven't seen any advisories regarding ISA Server 2004 or 2006 but have seen many issues regarding hardware firewalls even from big guys.

    Agree with the PPTP bit - some people are taking chances with this and should use something more secure, i.e. L2TP/IPSec, but that's the firewall admin being either lazy, or ignorant.

    Ash.

  9. #24


    tom_newton's Avatar

    Re: Implemeting an ISA Server

    Ash,

    I never said ISA was poor as a second ring f/w, I just said I wouldn't trust it on the perimeter. It certainly is an inexpensive option for education. Lack of advisories is a BAD thing - no software is perfect, and if there are no advisories this is very suspicious, though I am sure that's not the case with ISA - it's just that the advisories are a touch oblique - you have to go looking for flaws in parts of ISA. http://secunia.com/advisories/26003/ for example, at a guess ISA is vulnerable to that, but it's not an "ISA vuln". TBH, there are rarely advisories against firewall code itself such as IPtables/netfilter or even Microsoft's firewall.

    In all probability you're better off with ISA than some of the low-end stuff - supportability is worth more than most features

    Tom

  10. #25

    ZeroHour's Avatar

    Re: Implemeting an ISA Server

    Quote Originally Posted by tom_newton
    > Lack of advisories is a BAD thing - no software is perfect, and if there are no advisories this is very suspicious, though I am sure that's not the case with ISA
    The same thing could be said for Smoothwall, could it not?

    > it's just that the advisories are a touch oblique - you have to go looking for flaws in parts of ISA. http://secunia.com/advisories/26003/ for example, at a guess ISA is vulnerable to that, but it's not an "ISA vuln". TBH, there are rarely advisories against firewall code itself such as IPtables/netfilter or even Microsoft's firewall.
    Considering by the looks of the MS site ISA does not require .Net 2.0 then it's not a concern. Also requires a logged-on user, which no one would ever allow. It's like allowing users to log in using SSH to Smoothwall when there is an SSH exploit. It's not an issue if you trust the person doing it.

    Really I don't think this thread is about the security issues as none, as we have proved, exist for ISA 2004, so I really don't think it's relevant to even imply it has holes and one is better than the other when such evidence is lacking. Open source can have as many issues regardless of how you pack it. It's up to the admin to secure it down properly and if he is doing his job both have minimal risk associated.

  11. #26

    Geoff's Avatar

    Re: Implemeting an ISA Server

    Does Windows Update download patches for ISA? Or do you have to go hunting for them?

  12. #27


    tom_newton's Avatar

    Re: Implemeting an ISA Server

    Quote Originally Posted by ZeroHour
    > Quote Originally Posted by tom_newton
    > > Lack of advisories is a BAD thing - no software is perfect, and if there are no advisories this is very suspicious, though I am sure that's not the case with ISA
    > The same thing could be said for Smoothwall, could it not?
    That depends - if by the same thing you mean "The vulnerabilities are largely a sum of the vulnerable parts", then yes, if you mean "no advisories" - we don't (often) directly issue advisories unless we feel there would be a distinct benefit for our customers, we usually rely on the advisories for the relevant component. Patch management is, of course, handled centrally, so it's not down to the customer to handle updates for discrete parts.

    > > it's just that the advisories are a touch oblique - you have to go looking for flaws in parts of ISA. http://secunia.com/advisories/26003/ for example, at a guess ISA is vulnerable to that, but it's not an "ISA vuln". TBH, there are rarely advisories against firewall code itself such as IPtables/netfilter or even Microsoft's firewall.
    > Considering by the looks of the MS site ISA does not require .Net 2.0 then it's not a concern. Also requires a logged-on user, which no one would ever allow. It's like allowing users to log in using SSH to Smoothwall when there is an SSH exploit. It's not an issue if you trust the person doing it.
    That was just the last "general MS advisory" I had lying about. My point being that (like ourselves) ISA is a "sum of parts" and as such won't have (m)any "specific" vulns.

    > Really I don't think this thread is about the security issues as none, as we have proved, exist for ISA 2004, so I really don't think it's relevant to even
    Hang on! We haven't "proved" any such thing, and to say something has no holes is incredibly dangerous. I am sure I couldn't find a single security company who would stand up and swear there's no holes in their product - no-one can ever be 100% sure - unless they're talking about a "hello world"!

    > imply it has holes and one is better than the other when such evidence is lacking. Open source can have as many issues regardless of how you pack it. It's up to the admin to secure it down properly and if he is doing his job both have minimal risk associated.
    I did not (intend to) imply that anything was "better" or "worse", simply that ISA would be far from my first choice at the perimeter. That said, I would rather have ANY firewall with a competent admin than any without. If we are honest, the human component is 90% of the security.

    Right... let's see if I have got the quoting correct here... I have the distinct feeling it's going to be squiffy... [click!]

  13. #28

    ZeroHour's Avatar

    Re: Implemeting an ISA Server

    > Hang on! We haven't "proved" any such thing, and to say something has no holes is incredibly dangerous. I am sure I couldn't find a single security company who would stand up and swear there's no holes in their product - no-one can ever be 100% sure - unless they're talking about a "hello world"!
    Sorry, my phrasing was bad, I meant "proved there are no *known* ISA exploits (remote)". The MS advisory, as you say, was an example.
    Let's call it personal preference, like you say, as to which firewall you like. Both have good and bad points and their own issues associated but both are firewalls that do a good job. At least no one has BlackIce (well, the older versions were BAD)

  14. #29

    Geoff's Avatar

    Re: Implemeting an ISA Server

    Quote Originally Posted by ZeroHour
    > I meant "proved there are no *known* ISA exploits (remote)".
    You should have researched this assertion; I bothered to pull up the CVE entries for ISA 2004.

    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7027
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3652
    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1651

    > At least no one has BlackIce (well, the older versions were BAD)
    No, they were fine. BlackIce was an IDS not a firewall.

  15. #30

    ZeroHour's Avatar

    Re: Implemeting an ISA Server

    I really don't want this thread going down this route but I want to stick up for poor ISA so here we go.
    Quote Originally Posted by Geoff
    1:
    http://www.securityfocus.com/archive.../5100/threaded
    Suggests it's actually to do with the log files in CSV format and that 3rd party apps are the problem and it's not really ISA's fault. By default though I think ISA uses a local MSDE to store the logs so unless you were CSV'ing your logs AND your 3rd party viewer had a problem with the < in the logs, would you have an issue.
    This is what the guy posting the response says (in brief):
    > I don't think it should be one application's responsibility to protect
    > against all the possible attacks that could be launched against
    > third-party products that happen to parse the original application's
    > output - unless either the application's core functionality is to
    > protect against such an attack (e.g. an anti-virus product that sits
    > between the Internet and a desktop machine).

    2:
    It states on the page:
    > NOTE: as of 20060715, this could not be reproduced by third parties.
    Also see:
    http://www.securityfocus.com/archive...100/0/threaded
    so it may not be valid at all (not got time to test).

    3:
    Disputed - "Neither ISA Server 2004 nor Windows 2003 Basic Firewall support IPv6 filtering ... This is different network protocol."
    It's a BAD admin that enables IPv6 routing on the ISA. I know that you need to "know" these issues but that's why MS invented the hardening tool for ISA.
    See http://www.emailbattles.com/2006/04/...aadfaggbbb_gd/ for more on the debate and options.
    Yes, ISA should support IPv6 but it doesn't. This is a negative point for it but if you don't enable/use it then really it's a moot point. MS have a thing on their site saying how to remove it. See:
    http://www.microsoft.com/technet/isa....mspx#Protocol and scroll down.

    Think all that info seems correct
