AV Software on the ISA Firewall?
Years ago I published a list of dumb ISA firewall tricks, which was a collection of what I considered “ISA firewall worst practices”. Near the top of the list was putting host-based AV software on the ISA firewall.
There are a number of reasons why putting a host-based AV system on the ISA firewall is a dumb idea. Among the most significant are:
- It’s not required when the ISA firewall is configured and used correctly
- If the ISA firewall isn’t configured and used correctly, you’re going to have much more profound problems than those due to not having host-based AV software on the firewall
- You increase your overall software costs with no return on investment
- You degrade the performance of your ISA firewall
- You interfere with normal firewall operations
- It encourages the mindset that the firewall is a server, which leads to a panoply of problems. The ISA firewall is a firewall, and must not be thought of, operated as, or managed as a “server”
For a little different perspective on this issue, check out Tristan’s post over at:
(by the way, it’s a “saving” not a “savings”)
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer