Response to Assertions Made by Blue Coat About the ISA Firewall
(This response originally appeared in the February ISAserver.org newsletter. If you would like to be on the cutting edge of ISA firewall news and information, make sure you subscribe to the newsletter. It comes out once a month and we’ll never sell your address information to anyone! Sign up for the newsletter at: http://www.isaserver.org/pages/newsletter.asp)
In a webcast advertised in last month’s ISAserver.org newsletter (http://www.isaserver.org/pages/newsletters/january...06.asp) Blue Coat presented what they considered reasons why ISA firewall owners should switch to a Blue Coat proxy solution. During the webinar, the Blue Coat presenter pointed out five key areas where they considered the Blue Coat proxy solution to be superior to the ISA firewall solution. The five key assertions were:
- The ISA firewall cannot be as secure as Blue Coat proxies because it runs on a general purpose server that has ongoing security vulnerabilities
- The ISA firewall is unable to inspect traffic inside an SSL tunnel
- The ISA firewall is unable to inspect and manage peer-to-peer, instant messaging and multimedia connections
- The ISA firewall has limited support for granular access control
- The ISA firewall’s network performance is inferior to Blue Coat’s proxy performance
In my opinion, the first four are absolutely incorrect, and the fifth one is up for debate. Let’s take a look at each of these areas and see how the ISA firewall actually matches up to the assertions.
1. The ISA firewall cannot be as secure as Blue Coat proxies because it runs on a general purpose server that has ongoing security vulnerabilities
This assertion is based on one of the most common canards out there regarding the ISA firewall solution. As the common storytellers communicate it, “the ISA firewall cannot be secure because it runs on an unsecure Windows platform that must be updated on a regular basis”.
The problem with this statement is that they’re comparing apples to oranges. You cannot compare a white box default installation of Windows 2000, Windows XP or even Windows Server 2003 with a machine that runs ISA Server 2004 on a Windows 2003 Service Pack 1 computer that has been hardened and configured with a proper firewall policy.
The reason for this is that in order to exploit any of the alleged vulnerabilities that may appear in the core operating system on which the ISA firewall runs, the intruder must have access to vulnerable operating system services. The only way an intruder can leverage these potential weaknesses is if the ISA firewall administrator has explicitly configured the ISA firewall to accept connections to these services, or has chosen to use the ISA firewall as a workstation or general purpose server.
Since it is a well-known and accepted security practice in the ISA firewall community that extraneous services are never installed on a secure ISA firewall, and that you never allow unsecure communications to the ISA firewall itself, it is extraordinarily unlikely that any attack against an extant vulnerability in the underlying Windows Server 2003 operating system could ever be executed.
A more legitimate comparison is to assess the number of known and reported vulnerabilities discovered in the Blue Coat versus the ISA firewall’s software. Secunia provides a publicly available clearinghouse for this type of information.
Blue Coat vulnerabilities http://secunia.com/search/?search=bluecoat
ISA 2004 firewall vulnerabilities http://secunia.com/product/3687/
Blue Coat has a total of 13 vulnerabilities recorded in the Secunia database, while the ISA 2004 firewall has zero, none, not any, absolutely no known vulnerabilities reported by Secunia. So, given the fact that the ISA firewall protects the underlying Windows operating system from any potential attacks, and the fact that the ISA firewall has no known vulnerabilities as reported by Secunia, what do you think is the rational conclusion of the analysis?
2. The ISA firewall is unable to inspect traffic inside an SSL tunnel
While debunking Blue Coat’s first assertion regarding the ISA firewall took a few minutes of research, blowing away their second statement about the ISA firewall took no time at all. Ever since ISA Server 2000 hit the streets, and continuing with the ISA 2004 firewall, one of the main reasons for deploying an ISA firewall over conventional stateful packet inspection firewalls is the ISA firewall’s unique SSL to SSL bridging feature.
SSL to SSL bridging enables the ISA firewall to provide a secure SSL session from client to server, while allowing the ISA firewall to perform application layer inspection on the information moving through the SSL tunnel. The ISA firewall is able to do this because the client terminates its SSL session at the ISA firewall. This enables the ISA firewall to decrypt the SSL session, expose it to the HTTP application layer inspection engine(s), and then re-encrypt it and forward the connections to the Web server on the corporate network.
While the Blue Coat proxy can also do this, they promote poor network security practices in their own documentation. For example, if you go to the Blue Coat guidance site and review their documentation on how to “securely” publish Outlook Web Access sites (http://www.bluecoat.com/downloads/support/BCS_tb_s...WA.pdf), you’ll see that they recommend an unsecure connection between the Blue Coat proxy and the Web site on the corporate network. Attackers can easily intercept user credentials on the unsecure link and harvest user names and passwords of all users, including executive users, who connect to the published OWA server.
3. The ISA firewall is unable to inspect and manage peer-to-peer, instant messaging and multimedia connections
The ISA firewall can be configured, out of the box, to block peer-to-peer, instant messaging and multimedia connections that communicate over their native protocols or over an HTTP channel. It’s a simple affair to configure the ISA firewall to block the native protocols used by these applications. For those applications that are able to tunnel themselves over an HTTP connection, the ISA firewall’s built-in HTTP security filter can be used to block them.
You can see examples of how to block some common applications at the Microsoft Web site at http://www.microsoft.com/technet/prodtechnol/isa/2...g.mspx and http://www.microsoft.com/technet/prodtechnol/isa/2...s.mspx
In addition, you can block any application from connecting to key servers required for the P2P, IM or streaming media communications to take place by URL and domain name sets. Microsoft provides guidance on how to do this at http://www.microsoft.com/technet/prodtechnol/isa/2...s.mspx
Now, unlike what I believe Blue Coat to be, I want to be upfront with you. It’s not always easy to block these unwanted applications. P2P applications use advanced techniques to get around the ISA firewall and instant messengers often use the same firewall circumventing technologies. Streaming media sites often go out of the way to prevent you from blocking them by using traditional methods such as file extensions, MIME types, and application protocol blocking. Unless you have a dedicated team of ISA firewall professionals dedicated to researching these issues, it is very challenging to stay ahead of the curve.
However, you can, for less than half the price of a comparably configured Blue Coat proxy device, add a third party plug-in to take care of all this for you. For example, Websense can be integrated with the ISA firewall to provide powerful protection against P2P, IM, multimedia, spyware, malware, pop-ups, and unapproved Web site traffic. They are able to do this because they have a large team of researchers to study application behavior and enhance the ISA firewall’s application layer inspection engine to block unwanted inbound and outbound communications through the ISA firewall. And the total package of ISA firewall software and hardware with the Websense add-on is about half of what it would cost to have a Blue Coat proxy of comparable hardware and software capabilities.
So it is clear that the ISA firewall is able to control P2P, IM and streaming media communications and it can do it right out of the box, and do it even better with third party application layer inspection add-ons.
4. The ISA firewall has limited support for granular access control
When I read this one, I had to wonder if the presenter or the creators of the Blue Coat Webcast presentation had ever seen or worked with an ISA firewall. Both the 2000 and 2004 versions of the ISA firewall should be considered models of granular inbound and outbound access control. With the ISA 2004 firewall you can control inbound and outbound access based on:
- Local user name or group
- Domain user name or group
- Time of day and day of week
- Simple or complex protocols
- HTTP command and data stream characteristics
- Source address, network, subnet or domain
- Destination address, network, subnet or domain
- MIME type or file extension
- Application used to connect to the Internet (you can block specific applications, regardless of what protocols they use)
- Any combination of the above
- All of the above applies to inbound, outbound and even remote access and site to site VPN connections!
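As an added illustration (not code from the article, and not ISA’s policy engine or rule format), the following Python models first-match policy evaluation over the rule elements listed above, plus the HTTP-signature style blocking of applications tunnelled over HTTP described in section 3. The rule names, the `ExampleIM/` User-Agent signature and the `*.p2p-tracker.example` domain set are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import PurePosixPath
from typing import Dict, FrozenSet, Optional, Set, Tuple

@dataclass
class Request:
    """One connection attempt as the policy engine sees it (constructed model)."""
    user: str
    groups: FrozenSet[str]          # local or domain group memberships
    protocol: str                   # "HTTP", "HTTPS", "SMB", ...
    dest_host: str
    when: datetime
    method: str = ""                # HTTP method; empty for non-HTTP protocols
    path: str = "/"
    headers: Dict[str, str] = field(default_factory=dict)

@dataclass
class Rule:
    """All specified conditions must hold; a None condition is a wildcard."""
    name: str
    action: str                                   # "allow" or "deny"
    groups: Optional[Set[str]] = None
    protocols: Optional[Set[str]] = None
    domain_set: Optional[Set[str]] = None         # "*.example" covers subdomains
    hours: Optional[Tuple[int, int]] = None       # [start, end) on a 24h clock
    weekdays: Optional[Set[int]] = None           # Monday=0 ... Sunday=6
    methods: Optional[Set[str]] = None
    extensions: Optional[Set[str]] = None         # ".exe", ".scr", ...
    header_signatures: Optional[Dict[str, str]] = None  # header -> substring

def host_matches(host: str, pattern: str) -> bool:
    """Domain-set semantics: '*.example' matches example and any subdomain."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        bare = pattern[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern

def _extension(path: str) -> str:
    return PurePosixPath(path.split("?", 1)[0]).suffix.lower()

def _has_signature(headers: Dict[str, str], signatures: Dict[str, str]) -> bool:
    """HTTP filter style check: any listed substring found in its header."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return any(sig.lower() in lowered.get(h.lower(), "") for h, sig in signatures.items())

def rule_matches(rule: Rule, req: Request) -> bool:
    """Each rule element the article lists is one ANDed condition."""
    return all([
        rule.groups is None or bool(rule.groups & req.groups),
        rule.protocols is None or req.protocol in rule.protocols,
        rule.domain_set is None or any(host_matches(req.dest_host, p) for p in rule.domain_set),
        rule.weekdays is None or req.when.weekday() in rule.weekdays,
        rule.hours is None or rule.hours[0] <= req.when.hour < rule.hours[1],
        rule.methods is None or req.method.upper() in rule.methods,
        rule.extensions is None or _extension(req.path) in rule.extensions,
        rule.header_signatures is None or _has_signature(req.headers, rule.header_signatures),
    ])

def evaluate(rules, req: Request) -> Tuple[str, str]:
    """First matching rule wins; nothing matching falls through to a default deny."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "default deny"

WEEKDAYS = {0, 1, 2, 3, 4}
# Ordered policy: specific denies first, then allows; everything else is denied.
POLICY = [
    # "ExampleIM/" is a constructed placeholder signature, not a real client string.
    Rule("Block IM tunnelled over HTTP", "deny", protocols={"HTTP"},
         header_signatures={"User-Agent": "ExampleIM/"}),
    # Constructed placeholder domain set for P2P rendezvous servers.
    Rule("Block P2P tracker domain set", "deny", domain_set={"*.p2p-tracker.example"}),
    Rule("Block executable downloads", "deny", protocols={"HTTP", "HTTPS"},
         extensions={".exe", ".scr", ".pif"}),
    Rule("Admins: web any time", "allow", groups={"Admins"}, protocols={"HTTP", "HTTPS"}),
    Rule("Staff: web in business hours", "allow", groups={"Staff"},
         protocols={"HTTP", "HTTPS"}, methods={"GET", "POST", "HEAD"},
         hours=(8, 18), weekdays=WEEKDAYS),
]

def sample_decisions() -> Dict[str, Tuple[str, str]]:
    """Constructed requests run through POLICY; returns {label: (action, rule name)}."""
    wed = datetime(2006, 4, 5, 10, 30)   # a Wednesday, inside business hours
    sat = datetime(2006, 4, 8, 10, 30)   # the following Saturday
    staff, admins = frozenset({"Staff"}), frozenset({"Admins"})
    cases = {
        "staff web weekday": Request("alice", staff, "HTTP", "www.example.com", wed, "GET"),
        "staff web saturday": Request("alice", staff, "HTTP", "www.example.com", sat, "GET"),
        "admin web saturday": Request("bob", admins, "HTTPS", "www.example.com", sat, "GET"),
        "staff IM over HTTP": Request("alice", staff, "HTTP", "gw.example.com", wed, "POST",
                                      headers={"User-Agent": "ExampleIM/7.0"}),
        "staff exe download": Request("alice", staff, "HTTP", "www.example.com", wed, "GET",
                                      path="/dl/setup.exe?mirror=1"),
        "admin P2P tracker": Request("bob", admins, "HTTP", "t1.p2p-tracker.example", sat, "GET"),
        "staff file share": Request("alice", staff, "SMB", "files.example.com", wed),
    }
    return {label: evaluate(POLICY, req) for label, req in cases.items()}
```

Rule order matters: the denies for tunnelled IM, tracker domains and executables sit above the allow rules, so a Staff member inside business hours still cannot fetch `setup.exe`, and a request that matches nothing is denied rather than allowed.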
Given the astounding level of granular access control supported by ISA firewall policy, it’s amazing that Blue Coat would make the assertion that the ISA firewall has limited support for granular access controls.
5. The ISA firewall’s network performance is inferior to Blue Coat’s proxy performance
Performance is classically a difficult area to assess. The vendor can do its own tests, pay someone else to do the tests for them, or ask/wait for an unbiased third party to do performance tests for them.
Blue Coat presents the results in a performance head to head over at http://www.bluecoat.de/CMS/imagescms/pressemitteil...23.pdf. There are a number of flaws in the testing scenario that undermine the validity of their conclusion that Blue Coat provides uniformly superior performance over a comparably priced ISA firewall solution:
- They used a white box installation of ISA 2004 without any intelligence applied to the configuration. This is an unrealistic scenario
- They compared a white box installation of the ISA firewall to a vendor hardened and optimized Blue Coat proxy product. This is invalid because a valid test would have compared the vendor optimized Blue Coat product with a vendor optimized ISA hardware firewall product, such as the one provided by Network Engines
- They compared the $20,000USD+ Blue Coat ProxySG 800-2 solution to a sub-$10,000USD ISA hardware and software solution (white box hardware, Windows and ISA)
- They used Windows 2000 SP4, rather than the more secure Windows Server 2003
- They provide no details on how the ISA firewall was configured (or misconfigured) to achieve the results they claim
- They provide no details regarding how the clients were configured (or misconfigured) to achieve the results they claim
It would be sheer conjecture on my part to make assumptions as to how the ISA firewall and client were configured on this test. I am aware that you can configure the ISA firewall and ISA clients to provide the worst possible performance, and there are ways to configure the ISA firewall and ISA clients to provide the best possible performance. You then need to ask yourself, “What is the likely configuration of the ISA firewall and ISA clients in the tests of the ISA firewall against the Blue Coat proxy?”
In addition, you should compare two comparably priced devices. As mentioned, one of the Blue Coat proxy devices is priced at over $20,000USD. A fair comparison would use an optimized ISA firewall, both in hardware and software, at a comparable price. Since the software cost for a white box installation would be about $2500USD, that leaves us to spend $17500 on the hardware. Think about the hardware power you could throw at an ISA firewall solution with that much money left over just for hardware.
For more information on how the ISA firewall should be configured for optimal performance, check out Best Practices for Performance in ISA 2004 at http://www.microsoft.com/technet/prodtechnol/isa/2...s.mspx
6. Conclusion
In this review of the assertions made by Blue Coat in their webinar advertised in last month’s ISAserver.org newsletter, I hope that I have been able to achieve my goal of countering what I consider to be inaccuracies and false statements regarding the capabilities of the ISA firewall.
What I did not intend to do is convince you that the ISA firewall is superior to the Blue Coat proxy solution (although this is my belief) or that the ISA firewall is capable of a much more multilayered and sophisticated protection for corporate networks of all sizes (although this is also my belief). What I hope I have accomplished is to provide the intelligent and discriminating ISA firewall administrator with the facts to correct the Blue Coat assertions regarding the ISA firewall’s features and capabilities.

The Antishinder Says:
April 5th, 2006 at 4:55 am
You don’t like Bluecoat and I don’t like ISA. Let the flamewar begin.
Sigh. Have you ever even used a ProxySG and compared it with ISA side by side, and if you have, did you know as much about both to be able to make an accurate comparison?
You know as well as everyone else that Microsoft is one of the founding fathers of vendor FUD.
Microsoft will never be able to lose its horrible security record, sorry.
Blue Coat’s recent vulnerabilities mostly are issues with OpenSSL and OpenSSH, two pieces of software a lot of products use. The other remaining one is at best, wrong in some respects but highlights the need to actually inspect the payload of traffic through CONNECT requests, something nobody really does. Except SSL Proxy as of SGOS 4.2!
ISA does not have SSL proxy. You can’t transparently intercept an SSL session between a client and any SSL origin content server that it is connecting to. Reverse proxy is something that everyone has had for years, forward SSL proxy is something nobody else has right now that I am aware of. Don’t knock a feature you clearly do not understand.
Blue Coat has never tried to classify the ProxySG as a firewall. Most firewalls don’t have a lot of vulnerabilities as they don’t expose services. Windows isn’t excluded from having the same problems as an SG might in the same place on the network.
Blue Coat wrote their own OS, from what I heard and seen it’s not based on anything off the shelf which is good, because in general the OS doesn’t need to do anything but what it’s supposed to. It’s never a good thing to waste resources on features you don’t use. Windows has a lot of these. NTFS is not optimized for handling a whole lot of tiny objects.
I don’t think you have an understanding of the IM or Streaming features of the box either. That’s alright. The idea is not to block IM, it’s to control it… so filtering/logging conversations, preventing clients from IM’ing outside of the network, while still being allowed to authenticate using their names, and blocking file attachments. Microsoft would never implement such a thing because then they might have to acknowledge that IM clients other than MSN exist. Streaming media is another story… you can do a lot to shape bandwidth, but can you do it without affecting existing streams with ISA? Can you cache streams with ISA? Can you move them between Multicast and unicast with ISA? Sure Microsoft has offerings in those areas but Blue Coat has better ones.
As far as policy is concerned, CPL blows away anything Microsoft offers, granularity is one thing, but anything you can do with ISA’s policy engine as far as layer 5-7 is concerned, Blue Coat can do a lot better. One could dispute that the APIs that Microsoft provides to ISA allow you to extend that functionality, but the fairness of Blue Coat’s comparison comes in value added by not having to seek such things out. You can’t possibly tell me that the vanilla SG proxy isn’t better compared to the vanilla ISA proxy server. Either can have an engineer optimize the configuration, and until I get to configure an SG against an ISA box of equal hardware that you set up, don’t tell me that one outperforms the other.
It’s very easy to replace Websense because they really treat their customers poorly and most CIOs have a distaste for them these days.
One closing remark to open the floodgates, Blue Coat just entered the WAN optimization market (though I’ll believe it when I see it.) Most of the protocols that that market tries to optimize (CIFS, MAPI) were incidentally designed by the same company that wrote ISA, who’s doing performance comparing again?
Thomas Shinder Says:
April 5th, 2006 at 7:58 am
This is an interesting rant, but that wasn’t the purpose of our retort against the Blue Coat disinformation campaign about the ISA firewall.
Blue Coat made egregiously false claims about the ISA firewall’s capabilities in their Webinar. So why should we believe any of the above?
So what if *you* don’t classify BC as a firewall? Does that give you the imprimatur (I’m assuming you’re a Blue Coat employee because you use the same lack of technical precision as the FUD on the BC Web site) to run an insecure box? From what I hear, customers actually think BC is more secure than ISA. They’ll be glad to see your post here claiming you don’t need to be secure.
As for SSL proxy, you’re wrong about that. Study up on Web listeners. That’s why your anti-ISA campaign was such a model of arrogance and incompetence — you didn’t understand your “enemy”.
As for IM or streaming control, ISA can do it on a basic level, and if I want more sophisticated control, I can bring Websense full security suite on the box for a lot less than the confiscatory markups your company adds to off the shelf PC platform parts. It’s amazing that folks are willing to pay you girls so much for such a poorly provisioned box.
Regarding performance, do you think you’ve tricked anyone with that hack job of a performance comparison by “broadband labs”? I hope you didn’t pay those guys too much for their “gonzo” approach to performance testing. Without going into the details at this point (be patient, you’ll get the details soon enough), let’s just say that their approach to testing and analyzing the results are a bit left of “industry standard”.
You’re patently wrong about granularity of control. CPL is NOT more flexible, nor does it provide greater access control than ISA firewall policy. In fact, you’re sorely limited in your access control because you’re limited to your app proxies, and a pathetic SOCKS proxy, which depends on application configuration to work with the SOCKS proxy. I wouldn’t call this an “enterprise ready” solution, since scalability sUX0RS. In contrast, the ISA firewall’s Firewall client is a transparent Winsock proxy, installed and managed via Group Policy.
Regarding WAN optimization — your company needs to get out of the FUD campaign. Do you think anyone is actually biting at your vaporware? There’s nothing but high level BSology on your site. Come on, “byte caching”? Why not divorce yourself from the marketing buzz and tell your customers what you’re actually doing and that what you’re doing doesn’t provide optimization and can potentially slow down the WAN.
Finally, it’s ridiculous to compare “vanilla” ISA firewalls to “vanilla” BC boxes. You need to compare the BC proxy to a competently configured ISA firewall. Just because your in-house engineers at Blue Coat don’t know how to correctly configure an ISA firewall doesn’t mean that it can’t be correctly configured. It just means that you haven’t incentivized your employees into doing so.
So, with ISA you get:
1. Better performance
2. Better price
3. Better security
4. Easier to install and configure
5. More flexible and granular management
6. Better logging and reporting
7. Better protocol control
8. Better forward and reverse proxy
So, as Mr. T might have said, “I pity the fool who’d pay through the nose for a Blue Coat Proxy”!
HTH,
Tom
The Antishinder Says:
April 5th, 2006 at 2:22 pm
To clarify, I don’t work for Blue Coat, I just own a box and enjoy working with them when the opportunity arises; I used to work for a reseller of theirs, and I have friends there, which is why I to some degree seem to be taking this personally for whatever reason. These days I do independent consulting. I probably could go work for them, but to tell you the truth I enjoy the independence of working for myself thank you very much. Do you work for Microsoft? What relation do you have to them? I can’t really tell, but could make the same assumptions by your baseless attacks on other products.
If anyone should be accused of paying people to write reports in their favor Microsoft definitely wins the award. I always enjoy the anti-unix campaigns I read, and how true they are talking about ROI when you compare the cost of implementing Linux versus the free licensing that Microsoft probably gave the research company. Anyway, you may continue to refer to blue coat as mine, and I’ll do the same for your product ISA. I guess you can say that if you stand behind it.
I can assure you that I’m not the only person that knows that Blue Coat doesn’t sell firewalls. Personally, I don’t think such functions would really suit the box well at all. Just because I cram a lot of features on a box doesn’t make it better. Checkpoint’s got a really nice firewall with really nice VPN features. Personally I like any vendors that follow the philosophy that you should focus at what features you’re best at, not at a lot of features you’re ‘okay’ at. Blue Coat is really good at what it does.
I think it seems ignorant to compare any product not in the vanilla state with something that is. So I’m hoping what you mean is comparing a fully configured SG with a fully configured ISA, but if you’re not do make sure you say so. If yes, I give up.
I looked up web listeners, and the first document google gave me was this one http://www.microsoft.com/technet/Security/prodtech...w.mspx which though written for ISA 2000, seems to tell me what they are. That’s reverse proxy with URL rewriting. Okay, but that’s not what I’m talking about. I am talking about forward proxy. Perhaps I don’t fully understand what else web listeners do, but based on that it’s not the same thing. Do you reassign/regenerate the OCS’s (regardless of who the OCS is) SSL Certificate by a trusted internal CA on the fly? I’m not talking about users coming from the Internet to hit an internal server, I am talking about something else, when they showed it to me it blew my mind. Really, I don’t think ISA has this. Where do you configure the keypair it uses to generate certificates, and can you write a policy to deny clients the ability to accept a bad certificate in ISA? Can the objects going to the SSL server be scanned by ICAP as they come in? ISA doesn’t have this, please show me if you believe otherwise. I’d be happy to show you what I’m talking about. I am not talking about the techbrief you linked to, and I couldn’t find the other one because I was indeed suffocated by ‘Mach 5’ marketing and will just have to get the ones I’m talking about from the local BC guy.
Permeo had a good socks proxy which is probably why Blue Coat bought them. Though admittedly some of the other SSL VPN startups seem to have the zero-software thing down better than permeo did. As you pointed out in another article though, application delivery is not the business to be in these days with people like eSoft claiming to own it. Though SCO also wanted me to pay them for a Linux license and I said once they won the case and I had time to jump off a cliff, that I would consider it. Though the really funny part about this whole thing is that few really give a damn about the lame SOCKS tricks that either can do, and Blue Coat will eventually be able to say that they can do everything in the ADI space that Microsoft can just to check that off in the RFP. Whether or not anyone actually uses those functions will be a whole other story.
Using your same logic I can say that I can achieve almost everything ISA and Blue Coat can with Squid and netfilter. I could make a nice firewall/proxy combination that does not rely on the $2500 license you mentioned, but then I’d have to worry about surviving squid.conf, and an IPTables ruleset. Just because SG’s cost a lot more doesn’t mean the TCO isn’t the same or less. Personally I’d rather drive a Corvette than a GMC Van though. While functionally I can fit more crap in a Van and regardless of whether or not I choose to do so, again, the car is better at going fast because it lacks the not needed functionality. Conversely, SGOS is faster because it doesn’t have all of the bells and whistles Windows does. Bluecoat’s programmers can make design decisions in their OS that Microsoft can’t safely make because Windows still has to worry about duties other than proxying and caching. I’m not saying that I know for sure they’ve made these decisions, but they do imply this often, and had I designed the OS I would have as well.
Regarding FUD as far as the WAN Optimization game is concerned, yes you should not announce a product that’s coming out later of that magnitude. Blue Coat missed the boat there. Vista looks remarkably like every version of Windows I’ve seen only it takes more memory, has a worse looking default theme (XP’s was pretty bad though) and tabbed browsing! Microsoft does this all the time, and they’re better at it than Blue Coat ever will be. I also like how they’ve been emphasizing security since Code Red, Nimda and others nearly brought the internet to its knees yet are just now finally getting around to it. What’s even funnier is the following of customers that still forgive your company. This next version will be really secure! Right, I wouldn’t bet on it. It has consistently had exploits available before GA, and even though things are better these days it’s taken you long enough to get it right.
Overall the sentiment I see is ISA/Websense installs being replaced by Blue Coat and others. I don’t hear a lot about the opposite happening. Sure that perception could be based on what I alone encounter, but I really just don’t think so. Websense has a lot of very unhappy customers with good reasons for feeling the way they do.
Mr. T pities the fool that attacks vendors for personal reasons.
I guess I’m just really surprised that you chose Blue Coat as your scapegoat, why not Cisco or NetApp? You seem to have a personal problem with them. It can’t possibly be only because of the vendor vs vendor attacks you’ve been mentioning, because if it is I’d like to be the first to welcome you to the world around you. Vendors do this a lot, and Microsoft is a lot more guilty of it.
I’ll go through each of these briefly:
1. Better performance
So far you haven’t proven that, you just pointed out that Blue Coat has a suspicious study that says its faster… how many of those does Microsoft have? I’m contending they do that more often. I didn’t prove it either, but pointed out that an appliance that is designed to do proxying doesn’t have the same overhead as windows and OS architects can make design considerations that they can’t make in a general purpose OS, without making it really bad at things that proxies don’t do.
2. Better price
I can’t really say much for that, other than Websense isn’t cheap, and for the same hardware and per-seat licensing depending on your deployment, the number isn’t that much different. The hidden cost center here is support which is something that is difficult to compare with hardware appliances versus software. Personally I like being able to blame my vendor for every problem I have with the box. Microsoft support can just tell me my performance problem is Dell’s fault, and Dell support could turn around and blame Microsoft. The same doesn’t work for Blue Coat.
3. Better security
In combination with someone else’s firewall, I don’t know about that, but overall as a company BC has a better security record than Microsoft ever will.
4. Easier to install and configure
No; especially not after you cried about how a vanilla ISA install like in the test was so bad without the insight of an experienced engineer. I’ve heard a lot of complaints about visual policy manager versus ISA’s policy manager and personally I wasn’t so happy with it myself. Bottom line: neither product should be used by people that don’t know what they’re doing.
5. More flexible and granular management
Not really, I guess if you’re too lazy to leave MMC land, sure.. but as far as granularity is concerned, an example is that Microsoft doesn’t have the ability to do apparent content type, which allows a BC policy to guess what a file is based on what it contains, not just the very unreliable methods of checking the extension (I can’t believe you mentioned that one) or the mime-type. This is sort of like Apache’s mime magic. While both extension and mime type can easily be faked, it’s slightly more difficult though to produce an executable that doesn’t look like one.
6. Better logging and reporting
Websense does have a nice reporting tool, but Reporter 8 is really really nice too. I admit I am not aware of Microsoft’s offering here.
7. Better protocol control
Besides firewall functions you mentioned earlier, this isn’t accurate. The SSL stuff is a good example of that, but so is the IM reflection technology. I’m comparing that with out of the box functionality of ISA, though you could probably argue that with a similar budget you can almost produce the same result by the use of third party extensions, that is, functionality that Microsoft failed to implement hoping someone else would do it for them.
8. Better forward and reverse proxy
Other than the reasons you’ve already specified, what in the heck are you talking about?
Thomas Shinder Says:
April 5th, 2006 at 3:12 pm
TOM: First thing, you know who you’re talking to, you should identify yourself in order to get some credibility. I will continue to assert that you’re on the Blue Coat Payroll until you can prove otherwise.
To clarify, I don’t work for Blue Coat, I just own a box and enjoy working with them when the opportunity arises; I used to work for a reseller of theirs, and I have friends there, which is why I to some degree seem to be taking this personally for whatever reason. These days I do independent consulting. I probably could go work for them, but to tell you the truth I enjoy the independence of working for myself thank you very much. Do you work for Microsoft? What relation do you have to them? I can’t really tell, but could make the same assumptions by your baseless attacks on other products.
TOM: As I said, identify yourself first, and then you’ll be credible as an “independent” third party.
If anyone should be accused of paying people to write reports in their favor Microsoft definitely wins the award. I always enjoy the anti-unix campaigns I read, and how true they are talking about ROI when you compare the cost of implementing Linux versus the free licensing that Microsoft probably gave the research company. Anyway, you may continue to refer to blue coat as mine, and I’ll do the same for your product ISA. I guess you can say that if you stand behind it.
TOM: Nothing wrong with paying people to write reports and do studies. What’s wrong is the flawed testing environment. If you configure a test environment to give you the results you desire, how could they be considered a valid comparative analysis?
I can assure you that I’m not the only person that knows that Blue Coat doesn’t sell firewalls. Personally, I don’t think such functions would really suit the box well at all. Just because I cram a lot of features on a box doesn’t make it better. Checkpoint’s got a really nice firewall with really nice VPN features. Personally I like any vendors that follow the philosophy that you should focus at what features you’re best at, not at a lot of features you’re ‘okay’ at. Blue Coat is really good at what it does.
TOM: I don’t think anyone thinks Blue Coat sells firewalls, they sell Web proxy servers with some ALGs. Agree that Check Point has a great firewall, and so does Cisco and so does Microsoft. I also agree that Blue Coat is a good product. Didn’t you read what I said in the original post? My response wasn’t to attack the Blue Coat product, it was to attack their deceptive advertising campaign.
I think it seems ignorant to compare any product not in the vanilla state with something that is. So I’m hoping what you mean is comparing a fully configured SG with a fully configured ISA, but if you’re not do make sure you say so. If yes, I give up.
TOM: You’re absolutely incorrect about that. Comparing a special purpose appliance to generic ISA on generic Windows is ludicrous. In addition, proxies don’t work in a vacuum — you have to assess the client type, the network infrastructure and many other factors. To configure the optimized out of the box Blue Coat with a white box install of ISA is invalid. However, a comparison of an optimized out of the box Blue Coat with an optimized ISA firewall *is* a fair comparison.
I looked up web listeners, and the first document google gave me was this one http://www.microsoft.com/technet/Security/prodtech...w.mspx which though written for ISA 2000, seems to tell me what they are. That’s reverse proxy with URL rewriting. Okay, but that’s not what I’m talking about. I am talking about forward proxy. Perhaps I don’t fully understand what else web listeners do, but based on that it’s not the same thing. Do you reassign/regenerate the OCS’s (regardless of who the OCS is) SSL Certificate by a trusted internal CA on the fly? I’m not talking about users coming from the Internet to hit an internal server, I am talking about something else, when they showed it to me it blew my mind. Really, I don’t think ISA has this. Where do you configure the keypair it uses to generate certificates, and can you write a policy to deny clients the ability to accept a bad certificate in ISA? Can the objects going to the SSL server be scanned by ICAP as they come in? ISA doesn’t have this, please show me if you believe otherwise. I’d be happy to show you what I’m talking about. I am not talking about the techbrief you linked to, and I couldn’t find the other one because I was indeed suffocated by ‘Mach 5’ marketing and will just have to get the ones I’m talking about from the local BC guy.
TOM: ISA does not perform outbound SSL bridging out of the box. You’ll need to pay extra for that. Are you telling me that Blue Coat provides that for free with the base SGOS 4x?
Good to hear that you’re equally unimpressed with the MACH5 marketing. There’s no technical detail at all and I don’t see any on their Web site. I *suspect* (I can’t say for sure, because I would have to interpret their marketing drivel) that ISA (and other Web proxies) employs the same or similar methods, but they don’t call them out. I’ll definitely give Blue Coat some social credits if they can provide some technical information that shows they have *real* bandwidth control (I know they don’t from talking to industry insiders), and real technologies that actually accelerate the WAN. Keep in mind that without *real* bandwidth control, you can’t realistically get WAN acceleration. You can with ISA using Deterministic Networks (www.deterministicnetworks.com) FairShare for ISA add-on.
Permeo had a good socks proxy which is probably why Blue Coat bought them. Though admittedly some of the other SSL VPN startups seem to have the zero-software thing down better than permeo did. As you pointed out in another article though, application delivery is not the business to be in these days with people like eSoft claiming to own it. Though SCO also wanted me to pay them for a Linux license and I said once they won the case and I had time to jump off a cliff, that I would consider it. Though the really funny part about this whole thing is that few really give a damn about the lame SOCKS tricks that either can do, and Blue Coat will eventually be able to say that they can do everything in the ADI space that Microsoft can just to check that off in the RFP. Whether or not anyone actually uses those functions will be a whole other story.
TOM: Be careful with the RFPs. Whoever the vendor is that wrote the RFP for the client is going to have an advantage.
But if you want SSL “VPN”, then knock yourself out with a Whale ISA firewall box.
Using your same logic I can say that I can achieve almost everything ISA and Blue Coat can with Squid and netfilter. I could make a nice firewall/proxy combination that does not rely on the $2500 license you mentioned, but then I’d have to worry about surviving squid.conf, and an IPTables ruleset. Just because SG’s cost a lot more doesn’t mean the TCO isn’t the same or less. Personally I’d rather drive a Corvette than a GMC Van though. While functionally I can fit more crap in a Van and regardless of whether or not I choose to do so, again, the car is better at going fast because it lacks the not needed functionality. Conversely, SGOS is faster because it doesn’t have all of the bells and whistles Windows does. Bluecoat’s programmers can make design decisions in their OS that Microsoft can’t safely make because Windows still has to worry about duties other than proxying and caching. I’m not saying that I know for sure they’ve made these decisions, but they do imply this often, and had I designed the OS I would have as well.
TOM: This is all thought experiment on your part. The only thing that matters is a real performance/price ratio, which I don’t see Blue Coat providing. Of course, to be fair, I don’t see ISA/Microsoft providing it either. But to take a feather from your quiver, I’ll do my own thought experiment and assume that Blue Coat doesn’t do it because they’d lose, and Microsoft doesn’t do it because they haven’t got around to it yet, or worse, don’t know how to do it (hard to believe, but anything is possible).
Regarding FUD as far as the WAN Optimization game is concerned, yes you should not announce a product that’s coming out later of that magnitude. Blue Coat missed the boat there. Vista looks remarkably like every version of Windows I’ve seen only it takes more memory, has a worse looking default theme (XP’s was pretty bad though) and tabbed browsing! Microsoft does this all the time.. and they’re better at it than Blue Coat ever will be. I also like how they’ve been emphasizing security since Code Red, Nimda and others nearly brought the internet to its knees yet are just now finally getting around to it. What’s even funnier is the following of customers that still forgive your company. This next version will be really secure! Right, I wouldn’t bet on it. It has consistently had exploits available before GA, and even though things are better these days it’s taken you long enough to get it right.
TOM: I don’t think there’s a problem with announcing products early. I think there is a problem with not giving basic technical details on how it works, does it use any industry standard technologies, and if not, at least a mid level technical discussion around the basic concepts behind the technology. This “byte caching” marketroid stuff only serves to turn people off.
Are you beta testing Vista now? If not, you should. You’ll end up changing your mind on most of these issue, although Vista is not the topic for this board.
Overall the sentiment I see is ISA/Websense installs being replaced by Blue Coat and others. I don’t hear a lot about the opposite happening. Sure that perception could be based on what I alone encounter, but I really just don’t think so. Websense has a lot of very unhappy customers with good reasons for feeling the way they do.
TOM: I see the opposite in a lot of places. So, at least we agree that empiricism isn’t the best way to approach things.
Mr. T pities the fool that attacks vendors for personal reasons.
TOM: I didn’t attack them for personal reasons. Please read the editorial again. I was very even handed and didn’t say *anything* bad about the Blue Coat product. The focus of that discussion was their deceptive marketing campaign. They could have done very well by emphasizing their strengths, instead of highlighting weaknesses in ISA that don’t even exist.
I guess I’m just really surprised that you chose Blue Coat as your scapegoat, why not Cisco or NetApp? You seem to have a personal problem with them. It can’t possibly be only because of the vendor vs vendor attacks you’ve been mentioning, because if it is I’d like to be the first to welcome you to the world around you. Vendors do this a lot, and Microsoft is a lot more guilty of it.
TOM: I did so because of their attempt to give false and misleading information to the ISA firewall community. That’s what ISAserver.org is all about — giving information about the ISA firewall to the community. And when we see something like that deceptive marketing campaign, it doesn’t leave a good taste in any ISA firewall admin’s mouth.
I’ll go through each of these briefly:
1. Better performance
So far you haven’t proven that, you just pointed out that Blue Coat has a suspicious study that says its faster… how many of those does Microsoft have? I’m contending they do that more often. I didn’t prove it either, but pointed out that an appliance that is designed to do proxying doesn’t have the same overhead as windows and OS architects can make design considerations that they can’t make in a general purpose OS, without making it really bad at things that proxies don’t do.
TOM: True, I haven’t proven that because the test results are not public yet. So at this point I’m making a point of fact that I know, but that you don’t know yet. But you’ll know soon when those results are posted on ISAserver.org. And these test results will be based on a legitimate AND reproducible test bed. That’s one thing you definitely can’t say about the Blue Coat test.
2. Better price
I can’t really say much for that, other than Websense isn’t cheap, and for the same hardware and per-seat licensing depending on your deployment, the number isn’t that much different. The hidden cost center here is support which is something that is difficult to compare with hardware appliances versus software. Personally I like being able to blame my vendor for every problem I have with the box. Microsoft support can just tell me my performance problem is Dell’s fault, and Dell support could turn around and blame Microsoft. The same doesn’t work for Blue Coat.
TOM: Then get an ISA firewall appliance. They are the single vendor that you go to, just like with Blue Coat. No finger pointing games.
3. Better security
In combination with someone else’s firewall, I don’t know about that, but overall as a company BC has a better security record than Microsoft ever will.
TOM: Another firewall isn’t required. In contrast to Blue Coat, the ISA firewall, even when deployed in Web proxy mode only, still has its core firewall engine protecting the box itself. The Blue Coat box doesn’t have an enterprise grade firewall protecting the Blue Coat box itself. It’s a canard and a false assertion that I need a router with a “firewall” sticker on its bezel to protect the ISA firewall.
4. Easier to install and configure
No; especially not after you cried about how a vanilla ISA install like in the test was so bad without the insight of an experienced engineer. I’ve heard a lot of complaints about visual policy manager versus ISA’s policy manager and personally I wasn’t so happy with it myself. Bottom line: neither product should be used by people that don’t know what they’re doing.
TOM: YES, without a doubt the ISA firewall is easier to configure. Let’s not even discuss the UI that Blue Coat provides, which looks like it was put together by someone on the Windows 3.0 team. I never have to drop down to the CLI for basic tasks that should be configurable from the UI. And even if the task is in the UI, the Blue Coat UI is the antithesis of “discoverable”. Heck, even the Check Point UI is orders of magnitude superior to the circus grade Blue Coat UI.
But we definitely agree that neither product should be used by someone who doesn’t know what he’s doing. It’s just if you do know what you’re doing with the ISA firewall, it’s a heck of a lot easier to do it.
5. More flexible and granular management
Not really, I guess if you’re too lazy to leave MMC land, sure.. but as far as granularity is concerned, an example is that Microsoft doesn’t have the ability to do apparent content type, which allows a BC policy to guess what a file is based on what it contains, not just the very unreliable methods of checking the extension (I can’t believe you mentioned that one) or the mime-type. This is sort of like Apache’s mime magic. While both extension and mime type can easily be faked, it’s slightly more difficult though to produce an executable that doesn’t look like one.
TOM: Yes, really. Are you equating lazy with easy? Why should I learn another command line syntax? Don’t I have enough to learn already? As a business owner, I don’t pay you to learn new languages, I pay you to get things done, and done fast. Why should I have to troubleshoot the inevitable typos? Also, regarding content examination, you can use add ons (just like Blue Coat, as I don’t think they throw this in for *free*).
6. Better logging and reporting
Websense does have a nice reporting tool, but Reporter 8 is really really nice too. I admit I am not aware of Microsoft’s offering here.
TOM: Absolutely. The built in reporting for ISA leaves a lot to be desired, but with Websense, it’s top notch.
7. Better protocol control
Besides firewall functions you mentioned earlier, this isn’t accurate. The SSL stuff is a good example of that, but so is the IM reflection technology. I’m comparing that with out of the box functionality of ISA, though you could probably argue that with a similar budget you can almost produce the same result by the use of third party extensions, that is, functionality that Microsoft failed to implement hoping someone else would do it for them.
TOM: Just like with Blue Coat, ISA add-ins provide the same functionality. And with a similar budget, I’m not going to have to pay 10,000US for a 1,000US piece of hardware.
8. Better forward and reverse proxy
Other than the reasons you’ve already specified, what in the heck are you talking about?
TOM: Faster cache engine, integration with Active Directory (please tell the crowd how Blue Coat authenticates against AD, they’ll get a real chuckle out of it), integrated support for OWA, OMA, ActiveSync, RPC over HTTP, the HTTP security filter, user certificate authentication for the proxy itself, the list goes on and on and on.
BTW — I love to be proved WRONG about things, since I learn in the process. Let me know where I’m wrong and point to a BC doc so that I know not to make the same mistake again.
Steve Moffat Says:
April 5th, 2006 at 3:57 pm
Good argument……..
The Antishinder Says:
April 5th, 2006 at 7:30 pm
That’s the thing, this could come as a surprise to you but I’m just under 19 and in school.
Most tech companies won’t touch you at that age, except for small resellers, which is sad. I know of a lot of wasted talent out there. This is unless of course someone around these parts wants to gimme a job ;-D Though I do know of exceptions. I could just as easily leave school and go do that, but that might actually be a bad idea, perhaps if I end up with a PhD and when I’m old enough I’ll buy you a drink. While I’d love to go ahead and reveal my identity, I’d like to avoid that scenario as to not jeopardize relationships that I’ve been trying to build over the last couple years, or of the reseller I help out at now and then. I’m also concerned that I could make a total ass of myself if I haven’t done that already.
I understand your accusation, and I suppose I accept your reasons for it, but I’m just asking for a little understanding here. On that regard, I’ll fight the uphill battle without the additional credibility. I’m actually studying product marketing and psychology because I don’t see the need to really technically move forward through the use of school, I really just want to learn how to sell. This is a fascinating case of a vendor getting challenged for claims against another, I’d like to know what in your opinion you would have said differently had you been in Blue Coat’s shoes. Obviously the objective of the presentation was to say why/what the competing company has over the other. I’m not saying write them a sales presentation, but my question is this: Is it in your eyes, even possible for a vendor to boast superiority over another without someone such as yourself that supports a competing product saying it’s not legitimate? If yes, how many marketing guys for any tech company do you know that can actually produce that result, technically backing it up enough to not be attacked, but without alienating the real decision makers such as senior management? This is my life story Doc, what I just described is at least one of the things I’d like to accomplish. This is already why Salespeople travel with Sales engineers, that’s what makes it work.
For the sake of and getting back to this debate, I’m just going to drop the jabbing as you’re very right about this being a potential learning experience more than anything else, for more reasons that you realize. Microsoft has a great product and so does Blue Coat, I’m glad we have an understanding there, I probably misinterpreted most of what you wrote for just outright hatred for a company that I like.
So lets go through a couple things:
Outbound SSL bridging:
Yeah it’s a licensed feature, you pay extra, and my demo is up. Recess is over children, get back inside.
But! Here’s what it can do: It can check a certificate on an OCS for validity and take action instead of allowing your users to make that decision by clicking yes when something is wrong with it and/or it can open up the SSL session by completing the connection with the OCS and generating a certificate with the same CN of it. It uses the CA key of an internal CA to do that, the browser doesn’t complain and at that point you can scan the content for viruses and stuff, or in the case of Skype or Tor, identify that it really is valid SSL. That’s neat. Is that what these third party extensions do or non out of the box functions can do, and can they use an accelerator card to generate those keypairs and certificates at the same rate?
For the new stuff: They’ve told everyone April. We’re there. I’ll be on bluecoat.com at 23:59:59 on the 30th waiting.
They must have been working on that for a while though because SSL proxy came out in February sometime, and nobody has that quick of a cycle. I don’t think most companies would be so hot about doing beta testing on their production networks.
The apparent content type thing is just more CPL, not a licensed feature.. Something that adds value though! I mean sure someone probably could have implemented that in an ISA extension. I have no idea what the code for it would really look like, though I could probably take a peek at apache and find out, yikes. Something that really should be standard. It’s even more annoying to see vendors pointing at how they can achieve that with mime type and extension when they know how unreliable it really is.
The CheckPoint policy UI looks a lot like the BlueCoat VPM… lets you pick up on it really fast. As far as the aesthetic appeal of other areas in the UI, yeah Java applets are pretty limited in UI sex appeal, but the idea is not to be pretty, it’s to be functional. It makes enough sense to let you get what you need done quickly, I’ve never had to really dig around for a feature, and I’ve never had to run regedit on a Blue Coat box either.
So I will go ahead and enlighten the crowd about authentication. Because it makes me chuckle, but it’s not Blue Coat’s fault until you can tell me of a better way. Basically BC installs an agent like every appliance not designed by Microsoft has to in order to do NTLM or Kerberos, I can’t think of the name of it now. In order to do Kerberos in transparent deployments, you can’t send a 407 proxy auth to IE because IE won’t do it, though you can send a 401. IE by default considers any hostname without periods in it (a non-FQDN) to be within the “Local Intranet Zone” which basically means that by default, IE will give up its NTLM or kerberos authentication credentials to anyone that asks for it as long as they meet that criteria. Websense has come up with some far more elegant ways of getting your username. My favorite is the ability to send a netbios query to the messenger service on your local machine to get the username, which is now off by default in Windows. Websense has convinced more than a couple of customers I ran into to use that type of authentication. Incidentally Blue Coat can also do this with a policy substitution realm but it’s very highly discouraged for very obvious reasons. Blue Coat also supports client certificate based authentication now too very similar to what you mentioned. I don’t know if you need a BC SSL license for that, but probably.
It’s interesting to point out too that you didn’t see LDAP or RADIUS support until recent betas of ISA 2006. I’ve always known that Microsoft would one day have to realize that other platforms exist and they have to provide support for authenticating to them.
So Microsoft fully handles the support of ISA appliances? I must have missed out when they got in the server hardware business. I would contend the blame game doesn’t disappear here, but I wouldn’t be surprised if I’m wrong.
Finally, so your performance results aren’t public yet. That’s fine, but who did the research, and how can they prove it lacks bias? Who gets to decide what a legitimate testbed is? This appears to me to be a biased site, a community of people that use and love ISA server, you fit this demographic perfectly and if anything user base FUD is far worse than vendor FUD. I’d look forward to that but where exactly can you find an unbiased study these days anyway? I’m looking at this from an engineer perspective in saying that I see the architecture Blue Coat has offering advantage X Y and Z, that Windows can’t and shouldn’t offer because of what it is, a general purpose OS. If it’s really true, then I’d like to know why so I can design something faster than both someday.
One other question I have about Microsoft ISA Server. Besides AD and the position that it is in, what deployment options does it offer? Can you use Cisco’s WCCPv2? Can you use policy routing? Can you do it with a bridge? Can your bridge card fail-open? WCCP is, though a Cisco invention, distributed by nature and provides fault tolerance.
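The “apparent content type” idea raised twice in this thread (guessing what an object is from its leading bytes rather than trusting the URL extension or the Content-Type header) is easy to show in code. The following is an added example, not Blue Coat CPL, an ISA extension, or anything from either vendor; the signature table, extension map, URLs and response bodies are all constructed for the illustration.

```python
"""Apparent-content-type check for a proxy: classify a fetched object by its
bytes, then compare with what the URL extension and Content-Type claim.
Constructed example; not code from any product discussed on this page."""
import string
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed magic-byte table for the example; a real product ships a far larger one.
MAGIC_SIGNATURES = [
    (b"MZ", "application/x-msdownload"),       # Windows PE executable (EXE, DLL, SCR)
    (b"\x7fELF", "application/x-executable"),  # ELF executable
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),        # ZIP container (also DOCX, JAR)
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
]
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable"}

# Small extension map standing in for the proxy's own table (constructed).
EXTENSION_TYPES = {
    ".exe": "application/x-msdownload", ".dll": "application/x-msdownload",
    ".pdf": "application/pdf", ".zip": "application/zip",
    ".png": "image/png", ".gif": "image/gif", ".jpg": "image/jpeg",
    ".txt": "text/plain", ".html": "text/html",
}
UNKNOWN = "application/octet-stream"
_TEXT_BYTES = set(string.printable.encode("ascii"))


def type_from_extension(url: str) -> str:
    """The unreliable method: look only at the last path component's extension."""
    path = urlparse(url).path.lower()
    dot = path.rfind(".")
    return EXTENSION_TYPES.get(path[dot:], UNKNOWN) if dot >= 0 else UNKNOWN


def apparent_content_type(body: bytes) -> str:
    """Classify by leading bytes; falls back to a crude printable-text check."""
    for magic, mime in MAGIC_SIGNATURES:
        if body.startswith(magic):
            return mime
    sample = body[:512]
    if sample and all(b in _TEXT_BYTES for b in sample):
        return "text/plain"
    return UNKNOWN


def normalize_mime(header: str) -> str:
    """'text/plain; charset=utf-8' -> 'text/plain'."""
    return header.split(";", 1)[0].strip().lower()


def same_family(declared: str, apparent: str) -> bool:
    """Treat all text/* as equivalent: the byte heuristic can't tell html from txt."""
    if declared.startswith("text/") and apparent.startswith("text/"):
        return True
    return declared == apparent


@dataclass
class Verdict:
    declared: str       # from the Content-Type header
    by_extension: str   # from the URL
    apparent: str       # from the bytes
    action: str         # "allow", "log" (type mismatch) or "deny" (hidden executable)


def classify_response(url: str, content_type_header: str, body: bytes) -> Verdict:
    declared = normalize_mime(content_type_header)
    by_ext = type_from_extension(url)
    apparent = apparent_content_type(body)
    admitted_executable = declared in EXECUTABLE_TYPES or by_ext in EXECUTABLE_TYPES
    if apparent in EXECUTABLE_TYPES and not admitted_executable:
        action = "deny"      # an executable dressed up as something else
    elif apparent != UNKNOWN and not same_family(declared, apparent):
        action = "log"       # not executable, but the labels lie; worth a log line
    else:
        action = "allow"     # honest object (ordinary policy still applies)
    return Verdict(declared, by_ext, apparent, action)


if __name__ == "__main__":
    # Constructed responses: a PE file served as a GIF, a real PDF, a ZIP named .png.
    samples = [
        ("http://example.test/update.gif", "image/gif", b"MZ\x90\x00\x03\x00" + b"\x00" * 60),
        ("http://example.test/report.pdf", "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("http://example.test/logo.png", "image/png", b"PK\x03\x04\x14\x00\x00\x00"),
    ]
    for url, ctype, body in samples:
        print(url, classify_response(url, ctype, body))
```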
Thomas Shinder Says:
April 5th, 2006 at 7:56 pm
Hi Billy Bob,
But I look forward to continuing this discussion. I might even learn a thing or two!
Now we’re getting into an interesting technical discussion! I’m going to have to defer my response until tomorrow, as my free work quota has been met today
Thanks!
Tom
DavidFA Says:
April 6th, 2006 at 2:57 am
For Antishinder:
Regarding “Blue Coat Systems ProxySG & URL Filtering Performance Tests”: I read it and I didn’t get what ISA you actually used and what filters in it you switched on or off or added:
“..an IBM platform with a single Xeon 3.06GHz processor, 2GB of RAM and an Ultra320 SCSI disk-subsystem, plus dual Ethernet NICs. Windows 2000 SP4 Server was installed along with the ISA Server 2004. On top of this we installed the Websense application and URL list….”
Very unclear, also no note about the authentication used.. firewall client NTLM or switched off?? Were requests on ISA2004 (SP2?) HTTP 1.1 pipelined … what real world in the reality are they referring to?
Proxy HTTP connections? Or real connections transparently picked UP BY ISA server (transparent proxy mode as Cisco got)?
Can you send me packet request and responses for 4 http requests generated after each other from the test?
Anyway… this kind of speed comparing is always questionable and can easily fool ppl who don’t know technical details, that’s why this marketing technique is used.
Just to make clear: I don’t think ISA would outperform in speed performance(http TPS) pure hw based appliance.
However we have to understand that speed is required as a feature till certain point. You don’t need 500TPS in most implementations and if you need it from single gate , your network environment is wrongly configured to being secured and you need to scale it.
Plus: I wouldn’t trust (security wise) new BC OS written just for their appliance maybe after 10 years on the market;) Look at IOS.
Another thing is investment protection. With ISA you can extend it however you like.. Do you miss HTTP sites certificate revocation testing on ISA2000 server forced for all your clients?
+ you got customized solution.
… there are a lot of devs who can easily make you a plug-in to do so and the price will still not reach the price of BC.
Or do you need AV scanning matching your needs? No problem you got multiple choices with ISA server.
ISA with all its standards is backing your investment.
Personally with BC I would feel uneasy even if I knew I would get out of the BC box some added feature. But if you can risk or transfer risk to your customers .. it’s up to your wise decision. We all learn mostly on our own mistakes after all.
Peace. David.
The Antishinder Says:
April 6th, 2006 at 8:53 am
I don’t work for Bluecoat and have absolutely no information about those tests. I doubt even BC does.
I would guess they didn’t make any performance mistakes on the BC box and just set up the ISA box to mimic the same effect. Probably basic NTLM was involved but who knows. I wish more information was given too, but as I said - how much can a vendor really give without alienating the management people they’re really trying to convince? If the OS is actually faster, that’s something you would want to emphasize in selling it. Perhaps these incomplete studies by Microsoft, Cisco, and every other vendor including BC are meant to mislead. With all of the misleading studies out there, how do you identify when one isn’t?
Bluecoat OS isn’t IOS. The age or maturity of an operating system does not equal security. Though it’s never something you should SOLELY rely on, it’s arguably security by obscurity. IOS, Windows, and Blue Coat’s OS have had some nasty vulnerabilities, and if we look at the scoreboard, BC has probably had the least of the 3, but probably only because of its relative age and smaller market. All 3 were around way before I knew what was even out there too. From a comparison standpoint, I think you’ll find Bluecoat and a few others like Check Point slightly more mature than some of the startups. I would not go as far to say that Blue Coat or even Microsoft for that matter are transferring risk to customers by releasing software. This would only be the case if either knew of security vulnerabilities and either refused to fix them, or knowingly continued to market with an emphasis on security despite unfixed vulnerabilities that are not proactively being addressed.
There will always be a ton of Black/grey/white-hatting going on, searching for buffer overflows in software etc, regardless of who the vendor is.
One could also argue that without an operating system that supports the hardware of and can be run on my PC (which automatically excludes most appliances and custom OSes that include only the hardware support they need, and have no plug and play requirement,) hackers won’t be able to locate vulnerabilities as quickly because they don’t actually have the ability to read the memory/run their own programs on the appliance. More security by obscurity, but in a healthy dosage.
You’re also right in pointing out that at some point speed doesn’t need to get any faster. I’ve been saying for years that I really do not need a bigger/faster computer to do anything but run more inefficient versions of Microsoft (and others’) software when the versions I have now do just fine. I’m always surprised when I boot into Linux how in general if I stick to non graphical things, accomplishing stuff in the command shell is always way faster than I will ever need. As far as TPS goes though, you’ll always have someone trying to overload the box, when you start throwing 20,000 users at a single box, that number grows quickly, but then you need to wonder why you are not balancing the load across several blue coats, and why one box is now suddenly a single point of failure.
While for my personal use, I don’t really need certificate validation as I can personally inspect a certificate and make that decision on my own, if I was a business owner I would not be comfortable with that security risk still being present. Call it a chronic case of fear uncertainty and doubt, but I just wouldn’t be comfortable with someone in my accounting department for example, that didn’t understand SSL making that same decision. That said, such a feature does add a lot of value by adding that assurance.
-K
Telecom,Security and P2P » Blog Archive » What’s your choice? Blue Coat or ISA ? hardware or software proxy? Says:
March 6th, 2007 at 11:03 pm
[…] Almost every enterprise IT security manager is facing the same problems: how to control the internet? how to implement the granular security policy at the perimeter? When you dig the Internet, you must find a bunch of discussions and threads, among which the discussions and debates between Thomas and Antishinder are quite interesting. […]
Packetstorm Says:
April 15th, 2008 at 5:50 am
“quote” “Check Point has a great firewall, and so does Cisco and so does Microsoft.” You’ve gotta be kidding.. what kinda moron would actually stipulate that Microsoft has a good Firewall!! Microsoft does NOT and will NOT ever produce a firewall that’s worth more than the crate it’s shipped in.. Be advised that if you start talking about Firewalls, you should actually know something about firewalls, and your point about Microsoft producing a great firewall kinda undermines any knowledge you might have in that area.
ISA server is nothing more than a simple Proxy server encapsulated in typical GUI crap, and stating it has anything to do with a firewall is just showing off plain stupidity or come to think of it, probably just ignorance.
ISA server probably has its place in a Microsoft environment, but please, this whole comparison to BlueCoat has completely lost focus. ISA will NOT ever reach the quality of the BlueCoat ProxySG appliance, as already stated, do what you do best and leave the rest to experts. Microsoft ISA server is just another MS product that started out with good intentions, but grew up to be useless, or at best maybe average. End of Discussion
tshinder Says:
April 15th, 2008 at 7:35 am
Wow! You have quite an education in front of you.
You make quite a few comments that have entirely no basis in fact. I suggest you read up on the ISA Firewall documentation, then read my books. That will start your education. Then you can read the hundreds of articles on this site on the ISA Firewall, and learn how the ISA Firewall is one of the most secure firewalls on the market today.
When you learn about the value of the ISA Firewall and the superior security it provides (esp. of the poor BlueCoat device), you’ll probably end up being a reseller. Education brings you the light of day and you’ll really be the beneficiary of it!
Just the fact that you call the ISA Firewall a “simple proxy” shows you know nothing of the firewall engine and the ISA Firewall’s firewall architecture. Fight the power! Don’t be held down by the PHAT margin Cisco and BC guys and give your customers a chance for a more secure solution at a lower price.
HTH,
Tom
Packetstorm Says:
April 15th, 2008 at 2:27 pm
Lol.. you’re quite far from the truth my friend..
You can call ISA server a firewall server as much as you like, it doesn’t change the fact that its so called “firewall architecture” is hilarious compared to a genuine firewall. I’m actually not stating that BC is a firewall, it is in fact what the name states, a Proxy appliance, but what I do know, since I have worked with Checkpoint firewalls and Cisco firewalls for more than 15 years, long before ISA server was even thought of… is that the ISA server is NOT and never will be able to live up to the name i.e. “firewall server” pfffft.. it might protect some webservers from unwanted traffic, but there’s no way in Hell one could rely on an ISA server as a Perimeter gateway.. without asking for trouble, and if you can’t agree with me there…. then I’m pretty sure my point about ignorance hit the spot right on.
G Says:
April 16th, 2008 at 1:39 am
Don’t you guys (Packetstorm) get sick of trudging out the same old spew time after time?
Speaking of ignorance, it is defined as the condition of being uninformed or uneducated, lacking knowledge or information. This clearly is a description of what you have put forth so far into this discussion.
Do not underestimate that Tom and others haven’t had extensive experience with all kinds of firewalls and security products since when Moses was a boy (no offence Tom), and to say that you have worked with Cisco and Checkpoint for 15 years, long before ISA was around, in no way justifies your position above anyone else, nor does it show that ISA could not possibly be a good firewall purely because of its age or maturity as a product. ISA has most certainly developed as a product, no doubt, as I’m sure have many other products, but the real question about which one is more secure is a moot point really. The issue when evaluating products of any nature should be which one, or two, or three for that matter, is best suited and provides the required features and security for the present scenario. There are many people out there who have chosen ISA in this situation, and their doing so doesn’t make them wrong and you right; it just means there is a differing of opinion and circumstance.
I will declare an allegiance to ISAserver.org and Tom as a colleague; however, in no way do I seek to degrade anyone’s opinion or mindset if stated clearly and with a basis of fact or evidence to support their arguments. I do however roll my eyes when I see people come out with statements like ‘Microsoft does NOT and will NOT ever produce a firewall that’s worth more than the crate it’s shipped in’. These kinds of statements do nothing for the poster’s credibility and in fact show a narrow-mindedness that you may be able to get away with; however, if I was in the situation to be hiring someone to work alongside me or run my network, I would not give these people a second thought.
Steve Moffat Says:
April 16th, 2008 at 5:55 am
“Packetstorm Says:
April 15th, 2008 at 2:27 pm
Lol.. you’re quite far from the truth, my friend..
You can call ISA Server a firewall server as much as you like; it doesn’t change the fact that its so-called “firewall architecture” is hilarious compared to a genuine firewall. I’m actually not stating that BC is a firewall; it is in fact what the name states, a proxy appliance. But what I do know, since I worked with Checkpoint firewalls and Cisco firewalls for more than 15 years, long before ISA Server was even thought of… is that the ISA Server is NOT and never will be able to live up to the name, i.e. “firewall server”, pfffft.. It might protect some webservers from unwanted traffic, but there’s no way in Hell one could rely on an ISA Server as a perimeter gateway.. without asking for trouble, and if you can’t agree with me there…. then I’m pretty sure my point about ignorance hit the spot right on.”
Steve: Where’s the argument to prove what you say in your rant?
You do realise that the original ISA team were ex-Checkpoint... oh, and Cisco makes packet filters, not firewalls….
Packetstorm Says:
April 16th, 2008 at 9:34 am
“when evaluating products of any nature should be which one or two or three for that matter is best suited and provides the required features and security for the present scenario.” I couldn’t agree more, and actually I think I did write somewhere that ISA Server did have its place in certain environments.. What I disputed was the issue of using the ISA Server as a perimeter gateway, aka firewall, or an appliance designed solely for that purpose. It’s in that assemblence I think the ISA Server fails miserably. But enough said; we all have our favourite toy.. and apparently some grow up faster than others.
tshinder Says:
April 16th, 2008 at 8:51 pm
The error in your evaluation is that you don’t understand the ISA Firewall and have likely never deployed it properly as an edge firewall to provide superior security for your clients. I have, for dozens of clients, and I know many others who have done the same thing. Your lack of experience with the ISA Firewall, lack of understanding of the ISA Firewall’s architecture, and clear “faith” in “hardware” are consistent with many I’ve had the pleasure to work with. The good news is that for many of those who were willing to give the ISA Firewall a chance, they ended up being very happy with the solution and couldn’t believe how hapless their favorite firewalls were in meeting the security requirements for modern networks. Again, learn about the ISA Firewall, deploy it correctly as an edge firewall, and I think you’ll be pleasantly surprised by the results. But don’t think you can just “throw one up” — network security isn’t easy, and you have a learning curve ahead of you.
HTH,
Tom
JimmyJoeBobAlooba Says:
April 17th, 2008 at 7:59 am
(for “Packetstorm” - an interesting nom de plume for a flood of FUD, IMHO)
Qualifier: I am an avowed ISA proponent.
Contrary to common misconception, the original ISA team was not, in fact, “from Checkpoint”. We’ll save the history lesson for later, but accept that as fact. Has Microsoft gained people from competitors? Absolutely - this is called “hiring good talent”. Please don’t engage in the “if they already had the right people” game. Microsoft HR rules discourage breeding with co-workers, particularly during working hours.
You’re welcome to express your opinion. The problem with your postings is twofold:
1. you approach what is clearly an ISA community with “ISA couldn’t find a packet in its pocket (with a pig on a rocket)” tone and expect to be taken seriously? Please; this is silly at best. You’ll discover if you provide reasoned thoughts and responses, that the folks here are typically more than willing to engage in factual debate. When you approach with assertions such as “I’ve been in firewalls since before ISA was born!!”, well; you’ve been there already, haven’t you?
2. No one (who knows firewall history) argues that ISA is a relative latecomer to the firewall / proxy game. Offering this as proof of anything other than temporal distinction is worthless. Regurgitating this point as “proof of insufficiency” merely generates yet another ping in an already noisy echo chamber. What you seem to overlook (or perhaps lack as knowledge) is that ISA has in fact proven itself to be a serious player in the edge protection space. There are plenty of customers who not only use ISA as their preferred edge firewall, but have in fact used it to replace their Cisco, CheckPoint, etc. devices (and frequently, the intractable admins). While it’s true that ISA 2000 had some vulnerabilities (some of these shared by such “old firewalls” as Checkpoint & Cisco, mind you), neither ISA 2004 nor ISA 2006 have had any reported (much less exploited) vulnerabilities. Neither Cisco nor CheckPoint can truthfully make this claim.
3. Likewise, no one herein will argue that the common anti-Microsoft party line is “Microsoft can’t make secure products” (shall we do a point-by-point comparison yet again?). The fact is that all firewall vendors have a history of patches. If you make the (not at all uncommon) statement that “I never have to patch my firewall”, then you’re more dangerous than any “weak technology”. All firewalls since ~2000 are layered software offerings, and of late are based on some form of hardened OS, be it Linux, Unix or Windows. Thus, the “hardware vs. software” argument is completely moot and serves only to illustrate the proponent’s lack of current knowledge in this space.
4. You make such statements as “fail miserably”, yet fail completely to shore these statements with anything approaching demonstrable fact. What tests have you (or someone you reference) performed on which you base these statements? If you have proof, by all means offer it up for review and comment.
It’s this sort of “grey-beard ponytail guy” (props to Steve Riley) thinking that keeps some customers running on their original-issue unpatched devices. Even ISA 2000 has seen its day. Likewise, Cisco & Checkpoint have met the new threats with changes in their devices. Any product that doesn’t meet them dies - simple as that.
Jim
George698 Says:
August 14th, 2008 at 4:44 am
I do not have any affiliation with either manufacturer, but I have used Netapp (now discontinued), Bluecoat and ISA proxies in an enterprise environment for a number of years. Given the choice I would use Bluecoat or Netapp any time over ISA. The fact is that ISA (or, to be clear, it’s normally the Windows 2003 Server OS) needs to have updates applied a lot more often, which causes risk, downtime, cost, bad user experience etc. Our proxies are in use 24×7 and we find that the Netapp and Bluecoat proxies do not need to be updated nearly so often. We review the vulnerabilities of each product and make a decision whether or not to apply any updates. With Microsoft Windows Server, more often than not the risk is too great given the dominance of the product on the market. The threat could come from the internal network, not necessarily out on the internet. When people list vulnerabilities, it is misleading to list ISA Server vulnerabilities in isolation without including Windows Server vulnerabilities (unless you are referring to an ISA appliance, which may need fewer updates, but I don’t have experience of these).
Thomas Shinder Says:
August 14th, 2008 at 7:35 am
That’s not true. If those vulnerabilities cannot be exploited, it doesn’t matter. The key take home message here is that the ISA firewall protects the underlying operating system. There must be a vulnerability in the ISA firewall software before any vulnerabilities in the underlying operating system can be exploited. That is the key differentiator and the reason why we don’t really need to consider the operating system issues.
The fact that Blue Coat and other so-called “hardware” solutions have many more vulnerabilities than the ISA firewall is significant. Why? Because MS is under the microscope and if there is a problem, someone is going to find it and try to get famous for it. And Microsoft is going to fix it fast.
In contrast, there are relatively few Blue Coat devices out there, and they’re deployed in large environments. Why waste your efforts on getting famous? Put the Blue Coat and Netapp exploits up for sale on the black market, and make money, instead of fame from them.
And I think it’s safe to assume that Blue Coat’s secure development practices are not nearly as sophisticated and codified as Microsoft’s. Microsoft has thoroughly documented their SDL and the impact the SDL has had in secure software development has been significant. Blue Coat doesn’t publish their secure software development policies and practices. If for no other reason, secure development practices and responses are the reason to go with a Windows based ISA firewall.
HTH,
Tom
George698 Says:
August 15th, 2008 at 6:20 am
Tom, I don’t see any advice coming from Microsoft which says “If you’re running ISA on Windows 2003 Server then you don’t need to bother applying security patches”. Maybe I’ve missed this?
Thomas Shinder Says:
August 15th, 2008 at 6:35 am
You also don’t see any KB articles telling you not to chew on broken glass.
The fact is, if the exploit cannot be exploited, does it matter that it’s there? If you’re deep under Thunder Mountain, does an atom bomb matter? Just because there is a possible underlying weakness doesn’t mean it can be exploited if that weakness is protected from. That’s what the ISA firewall does, and thus makes the exploits more theoretical and exploitable.
Also, pay close attention to what I said about the SDL. Companies like Blue Coat skate away from being beholden to any kind of SDL or formal security review. Why? They claim that their devices are not security devices! Now, think about that before considering a Blue Coat box before an ISA firewall.
However, if you *need* features that BC provides that the ISA firewall doesn’t, it doesn’t make any sense to get an ISA firewall. However, if the ISA firewall does have all the features you require, it would be insane (certifiable) to buy a BC box when you can buy several ISA firewalls for the same price.
HTH,
Tom