bleujaegel
asked on
ISA server
How secure is ISA server when running directly connected to the internet? Does anyone recommend this? Is this something that should run behind a good hardware firewall, or is this a good stand-alone firewall?
ASKER
Agreed on SBS running DC with router. That's a must. Good point on letting the DSL router handle the rubbish.
I'm not totally clear with the following statement. Got the first part, but on the second, do you mean if you are running a router other than a PIX, you terminate the VPN internally to the ISA?
>>If you are going to be using VPNs I tend to use the Cisco PIX to terminate these.
>>Anything else on the outside of the ISA, I terminate the VPNs on the ISA itself.
Yes, that is what I was saying but that is a personal view rather than a technical view.
I have knowledge of the Cisco PIX firewalls and am happy for them to terminate my VPNs when the client has purchased one (a PIX), with the ISA server inside acting as the internal firewall.
If the client has not purchased a PIX, I make the alternative external firewall/router act as a passthrough for VPNs and terminate them on the ISA server itself.
ASKER
I have a PIX 501 running 6.3. Do you have any experience with this model? Is this a 'secure' firewall to use at this point, or is the OS getting a little outdated, and possibly needs upgrading to run in front of ISA?
ASKER CERTIFIED SOLUTION
ASKER
Cool. Thanks.
Welcome
The best combination I have seen to date is a PIX on the outside with the ISA as an internal firewall. If you are going to be using VPNs I tend to use the Cisco PIX to terminate these. Anything else on the outside of the ISA, I terminate the VPNs on the ISA itself.
The one exception to the rule is for SBS. This uses a slightly cut-down/amended version of ISA as it runs on the SBS DC server. On these I always use a hardware firewall to put something between the DC and the Internet.
Regards
Keith