ISA 2006 versus ASA

MyrtW
At my workplace we are considering the implementation of a DMZ. Right now we use a Cisco ASA firewall for the Internet. We have multiple other outside lines that we need to secure other than the Internet.

I think that MS ISA 2006 would be ideal because of its capability to secure as many lines as the platform has NIC card slots. But the Cisco guys dismiss a software firewall as not a serious solution.

I need some outside input on the advantages/disadvantages of a software firewall like ISA 2006 versus the hardware type that Cisco sponsors.

BTW I know MS is coming out with a new firewall but I am not familiar with it.
If you already have an ASA, I would stick with that. In my experience, ISA isn't as easy to use. The ASA should be able to do anything you need it to do, especially if you leverage its ability to handle VLANs.

-Christian
Keith Alabaster, Enterprise Architect
Top Expert 2008

Commented:
Ask your Cisco people who got the EAL4+ accreditation first... It was Sidewinder, then ISA Server, and eventually Cisco got there...

Forefront Threat Management Gateway 2010 is very similar to ISA 2006; however, a key difference in your setup is that FTMG is 64-bit only and only runs on 2008, whereas ISA is 32-bit only and runs on 2003 only.

What do you mean by multiple 'lines'?



Author

Commented:
Multiple lines: we have several other external organizations that have direct leased data lines into our core switch. Some of these organizations have pretty good security some don't. Since we do not control security policies in external organizations that use our data we need, IMHO, to secure the lines like they were the Internet.

Keith Alabaster, Enterprise Architect
Top Expert 2008

Commented:
If the leased lines are 'direct into our core switch' then presumably these connections are not coming through the ASA currently at all - and you want them to?

Author

Commented:
Yes, you are basically correct. The leased lines need to be secured by going through a firewall. Presently they are not.
Enterprise Architect
Top Expert 2008
Commented:
OK - then I would suggest that, in this instance, your Cisco chaps are likely correct - but you are as well.

The ISA server is not a router - ISA relies on the host operating system to perform the routing work - and so the ASA or equivalent would certainly be best placed to inter-connect the leased lines and your internet connection. Being an appliance - ASIC driven - it will be able to get rid of the chaff, the unwanted traffic, and route/switch traffic much more quickly. Although the ASA is put out as an application layer device, this is not strictly correct. ASA operates at the lower end of the OSI model superbly and has limited capability at the higher end such as the session, presentation and application layers. The ISA comes into its own at the higher layers and is much more granular in what you can and can't let through.

One of the most powerful combinations you can have is the Cisco as the external firewall and consolidator of connections - because it is the fastest at switching/routing the traffic and dumping 'uninteresting' traffic -

and then ISA as the internal firewall. This combination is practically unbeatable, as ISA then publishes appropriate services, can inspect the protocols for compliance and session state, etc.

It is a trade off though when you are on limited budget.
The performance of the ASA is not in question - it is superb (we run a 5540) - but ISA and now the new FTMG are unbeatable in the level of control that you have plus the forward and reverse proxy capabilities.

Personally I would not get rid of the ASA to get the ISA, but if you have the budget to supplement the ASA with ISA then do it.

Keith

Commented:
I always prefer hardware solutions to software... they are more reliable, regardless of whether it is Cisco, Juniper or any other brand.

Commented:
MyrtW:

Not convinced till now?
