bleujaegel

asked on

ISA server

How secure is ISA server when running directly connected to the internet?  Does anyone recommend this?  Is this something that should run behind a good hardware firewall, or is this a good stand-alone firewall?
Keith Alabaster

ISA server can operate in any of these modes safely. Love them or hate them, Microsoft's ISA is recognised as one of the best application layer firewalls on the market. It can also perform content filtering as well as the standard packet filtering. Personally I tend to run a hardware firewall on the outside for my installs even if this is simply the firewall on a DSL router. This allows all the rubbish I don't want to be blocked immediately without ISA having to waste resource/processing time checking things it need not be concerned with.

The best combination I have seen to date is a PIX on the outside with the ISA as an internal firewall. If you are going to be using VPNs I tend to use the Cisco PIX to terminate these. Anything else on the outside of the ISA, I terminate the VPNs on the ISA itself.

The one exception to the rule is for SBS. This uses a slightly cut-down/amended version of ISA as it runs on the SBS DC server. On these I always use a hardware firewall to put something between the DC and the Internet.

Regards
Keith
bleujaegel

ASKER

Agreed on SBS running DC with router.  That's a must.  Good point on letting the DSL router handle the rubbish.  

I'm not totally clear with the following statement.  Got the first part, but on the second, do you mean if you are running a router other than a PIX, you terminate the VPN internally to the ISA?

>>If you are going to be using VPNs I tend to use the Cisco PIX to terminate these.
>>Anything else on the outside of the ISA, I terminate the VPNs on the ISA itself.


Yes, that is what I was saying but that is a personal view rather than a technical view.

I have a knowledge of the Cisco PIX firewalls and am happy for them to terminate my VPNs when the client has purchased one (a PIX) with the ISA server inside acting as the internal firewall.
If the client has not purchased a PIX, I make the alternative external firewall/router act as a passthrough for VPNs and terminate them on the ISA server itself.

I have a PIX 501 running 6.3.  Do you have any experience with this model?  Is this a 'secure' firewall to use at this point, or is the OS getting a little outdated, and possibly needs upgrading to run in front of ISA?
ASKER CERTIFIED SOLUTION
Keith Alabaster
Cool.  Thanks.