ISA server

How secure is ISA server when running directly connected to the internet?  Does anyone recommend this?  Is this something that should run behind a good hardware firewall, or is this a good stand-alone firewall?
bleujaegel asked:

Keith Alabaster, Enterprise Architect, commented:
ISA server can operate in any of these modes safely. Love them or hate them, Microsoft's ISA is recognised as one of the best application layer firewalls on the market. It can also perform content filtering as well as the standard packet filtering. Personally I tend to run a hardware firewall on the outside for my installs even if this is simply the firewall on a DSL router. This allows all the rubbish I don't want to be blocked immediately without ISA having to waste resource/processing time checking things it need not be concerned with.

The best combination I have seen to date is a PIX on the outside with the ISA as an internal firewall. If you are going to be using VPNs I tend to use the Cisco PIX to terminate these. Anything else on the outside of the ISA, I terminate the VPNs on the ISA itself.

The one exception to the rule is for SBS. This uses a slightly cut-down/amended version of ISA as it runs on the SBS DC server. On these I always use a hardware firewall to put something between the DC and the Internet.

Regards
Keith
bleujaegel (Author) commented:
Agreed on SBS running DC with router.  That's a must.  Good point on letting the DSL router handle the rubbish.  

I'm not totally clear with the following statement. Got the first part, but on the second, do you mean if you are running a router other than a PIX, you terminate the VPN internally to the ISA?

>> If you are going to be using VPN's I tend to use the Cisco PIX to terminate these.
>> Anything else on the outside of the ISA, I terminate the VPN's on the ISA itself.

Keith Alabaster, Enterprise Architect, commented:
Yes, that is what I was saying but that is a personal view rather than a technical view.

I have a knowledge of the Cisco PIX firewalls and am happy for them to terminate my VPNs when the client has purchased one (a PIX) with the ISA server inside acting as the internal firewall.
If the client has not purchased a PIX, I make the alternative external firewall/router act as a passthrough for VPNs and terminate them on the ISA server itself.

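The "passthrough" arrangement described above, as an added illustration that is not part of the thread: a PIX 6.3-style outside ACL that lets only the VPN protocols reach the ISA server's public address, with everything else still dropped at the edge. The addresses and ACL name are constructed placeholders; the ISA side (VPN server role, RRAS) is assumed to be configured separately.

```text
: Added example, not from the thread. PIX 6.3 syntax; addresses are placeholders.
: Publish the ISA server's external address one-to-one (no PAT, so ESP and GRE survive).
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
: IPsec / L2TP-over-IPsec: IKE, NAT-T and ESP only to the ISA host.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10
: PPTP (if ISA still offers it): control channel plus GRE, again only to the ISA host.
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10
: Nothing else is permitted inbound; the implicit deny handles the "rubbish".
access-group outside_in in interface outside
```

The point for the defender is that the edge device stays restrictive: only the tunnel protocols are forwarded, and ISA then authenticates and inspects what arrives on them.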
bleujaegel (Author) commented:
I have a PIX 501 running 6.3. Do you have any experience with this model? Is this a 'secure' firewall to use at this point, or is the OS getting a little outdated, and possibly needs upgrading to run in front of ISA?
Keith Alabaster, Enterprise Architect, commented:
6.3(5) is the latest version of the PIX IOS (the 501/506 cannot run version 7).

Yes, this is fine from a security point of view. It will certainly run 'in front of' ISA perfectly well. I believe that 6.3(5) had some updates in respect to some of the VPN support so an upgrade to this version if you have an earlier one will certainly be beneficial to you.

So, in summary.

An external connection fronted by your 501 and backed by ISA 2004 SP2 is one of the most powerful combinations I can think of, as well as being one of the most flexible.

Upgrading the PIX 501 from 6.3(x) to 6.3(5) would be a good move purely for the enhanced updates regarding the PIX VPN capabilities plus access to the latest PDM software for web-based configuring if you use that.

Regards
Keith
bleujaegel (Author) commented:
Cool.  Thanks.
Keith Alabaster, Enterprise Architect, commented:
Welcome