
ISA server

Posted on 2006-03-21
Last Modified: 2012-05-05
How secure is ISA server when running directly connected to the internet?  Does anyone recommend this?  Is this something that should run behind a good hardware firewall, or is this a good stand-alone firewall?
Question by:bleujaegel
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16254845
ISA server can operate in any of these modes safely. Love them or hate them, Microsoft's ISA is recognised as one of the best application layer firewalls on the market. It can also perform content filtering as well as the standard packet filtering. Personally I tend to run a hardware firewall on the outside for my installs even if this is simply the firewall on a DSL router. This allows all the rubbish I don't want to be blocked immediately without ISA having to waste resource/processing time checking things it need not be concerned with.

The best combination I have seen to date is a PIX on the outside with the ISA as an internal firewall. If you are going to be using VPN's I tend to use the Cisco PIX to terminate these. Anything else on the outside of the ISA, I terminate the VPN's on the ISA itself.

The one exception to the rule is for SBS. This uses a slightly cut-down/amended version of ISA as it runs on the SBS DC server. On these I always use a hardware firewall to put something between the DC and the Internet.

Regards
Keith
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 16254901
Agreed on SBS running DC with router.  That's a must.  Good point on letting the DSL router handle the rubbish.  

I'm not totally clear with the following statement.  Got the first part, but on the second, do you mean if you are running a router other than a PIX, you terminate the VPN internally to the ISA?

>>If you are going to be using VPN's I tend to use the Cisco PIX to terminate these.
>>Anything else on the outside of the ISA, I terminate the VPN's on the ISA itself.


0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16258198
Yes, that is what I was saying but that is a personal view rather than a technical view.

I have a knowledge of the Cisco PIX firewalls and am happy for them to terminate my VPN's when the client has purchased one (A PIX) with the ISA server inside acting as the internal firewall.
If the client has not purchased a PIX, I make the alternative external firewall/router act as a passthrough for VPN's and terminate them on the ISA server itself.

0
 
LVL 2

Author Comment

by:bleujaegel
ID: 16259254
I have a PIX 501 running 6.3.  Do you have any experience with this model?  Is this a 'secure' firewall to use at this point, or is the OS getting a little outdated, and possibly needs upgrading to run in front of ISA?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 16259948
6.3(5) is the latest version of the PIX IOS (the 501/506 cannot run version 7).

Yes, this is fine from a security point of view. It will certainly run 'in front of' ISA perfectly well. I believe that 6.3(5) had some updates in respect to some of the VPN support so an upgrade to this version if you have an earlier one will certainly be beneficial to you.

So, in summary.

An external connection fronted by your 501 and backed by ISA 2004 SP2 is one of the most powerful combinations I can think of, as well as being one of the most flexible.

'Up'ing the PIX501 from 6.3(x) to 6.3(5) would be a good move purely for the enhanced updates regarding the PIX VPN capabilities plus access to the latest PDM software for web based configuring if you use that.

Regards
Keith
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 16263239
Cool.  Thanks.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16266179
Welcome
0
