BTW, we have large school district which is running 32+ ISA servers for over 1Million students 400-600mbit thruput. These can be consolidated down to 6x ProsgSG8100-20s.

The fact is, if the exploit cannot be exploited, does it matter that it’s there? If you’re deep under thunder mountain, does a atom bomb matter? Just because there is a possbile underlying weakness, doesn’t mean it can be exploited if that weakness is protected from. That’s what the ISA firewall does, and thus, makes the exploits more theoretical and exploitable.

Also, pay close attention to what I said about the SDL. Companies like Blue Coat skate away from being beholden to any kind of SDL or formal security review. Why? They claim that their devices are not security devices! Now, think about that before considering a Blue Coat box before an ISA firewall.

However, if you *need* features that BC provides that the ISA firewall doesn’t, it doesn’t make any sense to get an ISA firewall. However, if the ISA firewall does have all the features you require, it would be insane (certifiable) to buy a BC box when you can buy several ISA firewalls for the same price.

HTH,
Tom

The fact that Blue Coat and other so-called “hardware” solutions have many more vulnerabilities than the ISA firewall is significant. Why? Because MS is under the microscope and if there is a problem, someone is going to find it and try to get famous for it. And Microsoft is going to fix it fast.

In contrast, there are relatively few Blue Coat devices out there, and they’re deployed in large environments. Why waste your efforts on getting famous? Put the Blue Coat and Netapp exploits up for sale on the black market, and make money, instead of fame from them.

And I think it’s safe to assume that Blue Coat’s secure development practices are not nearly as sophisticated and codified as Microsoft’s. Microsoft has thoroughly documented their SDL and the impact the SDL has had in secure software development has been significant. Blue Coat doesn’t publish their secure software development policies and practices. If for no other reason, secure development practices and responses are the reason to go with a Windows based ISA firewall.

HTH,
Tom

Qualifier: I am an avowed ISA proponent.

Contrary to common misconception, the original ISA team was not, in fact “from Checkpoint”. We’ll save the history lesson for later, but accept that as fact. Has Microsoft gained people from competitors; absolutely - this is called “hiring good talent”. Please don’t engage in the “if they already had the right people” game. Microsoft HR rules discourage breeding with co-workers; particularly during working hours.

You’re welcome to express your opinion. The problem with your postings are twofold:
1. you approach what is clearly an ISA community with “ISA couldn’t find a packet in its pocket (with a pig on a rocket)” tone and expect to be taken seriously? Please; this is silly at best. You’ll discover if you provide reasoned thoughts and responses, that the folks here are typically more than willing to engage in factual debate. When you approach with assertions such as “I’ve been in firewalls since before ISA was born!!”, well; you’ve been there already, haven’t you?

2. No one (who knows firewall history) argues that ISA is a relative latecomer to the firewall / proxy game. Offering this as proof of anything other than temproal distinction is worthless. Regurgitating this point as “proof of insufficiency” merely generates yet another ping in an already noisy echo chamber. What you seem to overlook (or perhaps lack as knowledge) is that ISA has in fact proven itself to be a serious player in the edge protection space. There are plenty of customers who not only use ISA as their preferred edge firewall, but have in fact used it to replace their Cisco, CheckPoint, etc. devices (and frequently, the intractable admins). While it’s true that ISA 2000 had some vulnerabilities (some of these shared by such “old firewalls” as Checkpoint & Cisco, mind you), neither ISA 2004 nor ISA 2006 have had any reported (much less exploited) vulnerabilites. Neither Cisco nor ChekPoint can truthfully make this claim.

3. Likewise, no one herein will argue that the common anti-Microsoft party-line is “Microsoft can’t make secure products” (shall we do a point–by-point comparison yet again?). The fact is, that all firewall vendors have a history of patches. If you make the (not at all uncommon) statement that “I never have to patch my firewall”, then you’re more dangerous than any “weak technology”. All firewalls since ~2000 are layered software offerings, and of late, are based on some form of hardened OS; be it Linux, Unix or Windows. Thus, the “hardware vs. software” argument is completely moot and serves only to illustrate the proponent’s lack of current knowledge in this space.

4. You make such statements as “fail miserably”, yet fail completely to shore these statements with anything approaching demonstrable fact. What tests have you (or someone you reference) performed on which you base these statements? If you have proof, by all means offer it up for review and comment.

It’s this sort of “grey-beard ponytail guy” (props to Steve Riley) thinking that keeps some customers running on their original-issue unpatched devices. Even ISA 2000 has seen its day. Likewise, Cisco & Checkpoint have met the new threats with changes in their devices. Any product that doesn’t meet them dies - simple as that.

Jim

HTH,
Tom

April 15th, 2008 at 2:27 pm

Lol.. youre quite far from truth my friend..

you can call ISA server, a firewall server as much as you like it doesnt change the fact that its so called “firewall architecture” is hilarous compared to a genuine firewall, im actually not stating tha BC is a firewall, it is in fact what the name states a Proxy appliance, but what i do know since i worked with checkpoint firewalls and cisco firewalls for more than 15 years, long before ISA server was even thought of… that the ISA server is NOT and never will be able to live up to the name ie. “firewall server” pfffft.. it might protect some webservers from unwanted traffic, but theres no way in Hell one could rely on a ISA server as a Perimeter gateway.. without asking for trouble, and if you cant agree with me there…. then im pretty sure my point about ignorance hit the spot right on.”

Steve: Where’s the argument to prove what you say in your rant.

You do realise that the original ISA Team were ex Checkpoint..oh and Cisco make packet filters, not firewalls….

Speaking of ignorance, it is defined as the condition of being uninformed or uneducated, lacking knowledge or information. This clearly is a description of what you have put forth so far into this discussion.

Do not under estimate that Tom and others havent had extensive experience with all kinds of firewalls and security products since when moses was a boy (no offence Tom) and to say that you have worked with cisco and checkpoint for 15 years, long before ISA was around, in no way justifys your position above anyone else nor does it show the fact that ISA could not possibly be a good firewall purely because of its age or maturity as a product. ISA has most certainly developed as a product no doubt as im sure have many other products, but the real question about which one is more is more secure is a moot point really. The issue when evaluating products of any nature should be which one or two or three for that matter is best suited and provides the required features and security for the present scenario. There
are many people out there who have chosen ISA in this situation and in their doing so doesnt make them wrong and you right, it just means there is a differing of opinion and circumstance.

I will delcare an allegance to ISAserver.org and Tom as a collegaue however i in no way do i seek to degrade any ones opinion or mindset if stated clearly and with a basis of fact or evidence to support their arguments. I do however roll my eyes when i see people come out with statements like ‘Microsoft does NOT and will NOT ever produce at firewall thats worth more that the crate its shipped in’. These kind of statements do nothing for the posters’ credability and in fact show a narrowmindedness that you may be able to get away with, however if i was in the situation to be hiring someone to work along side me or run my network i would not give these people a second thought.