  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3314

ISA Server 2006 Replacement

We have an AD forest with about 20 sites. Each one has an ISA Server 2006 which acts as a proxy server.
I personally don't like that solution, since it's a bit of overhead to have an ISA Server 2006 on a site with only 3-5 employees.

I personally would prefer a centralized solution from which each site could be administered.

I also want to replace ISA Server 2006 with something new and more performant.

What could a good solution look like?
8 Solutions
 
Steve commented:
There's not really enough info for us to be able to make any recommendations.

What features of the ISA server do you use/need?

Do all your sites connect to a central site/server or are they all running independently?

What 'administration' would you like to be able to perform centrally?
 
DukewillNukem (Author) commented:
As previously described, ISA works only as a proxy and each runs independently. That's it.

I want to be able to administer each single site from our headquarters: white/blacklisting, etc.
 
Steve commented:
So you are referring only to the web filtering element of ISA?

A web based filter may be your best bet then, as the other options I could recommend wouldn't allow central management of the filter.

OpenDNS is one option but fairly easy to circumvent.
Webroot, Websense & Barracuda are all well known and work well.

Some routers include this facility for a small subscription, but you'd have to manage them individually.

 
DukewillNukem (Author) commented:
Not only.
I prefer to have an appliance where I can do all the work from one central point. I thought about Bluecoat and/or F5, that seems to be a good one too.
 
btan (Exec Consultant) commented:
You are probably looking at application filter, network filter, secure gateway, reverse and forward proxy, DNS firewall, web application firewall, anti-DDoS, web defacement service, data leakage, breach detection etc. ... That is too huge for a one-size-fits-all and also not scalable for a single appliance, as it becomes a bottleneck in performance and security is deemed the culprit... Actually all have their leading solution or provider for each capability. We are saying to optimise and replace TMG for a start, then I do think the application delivery controllers such as F5, Citrix or even A10 come into the picture...

Taking F5 for example, it starts off with LTM which can serve as network controller and has the Advanced FW (network FW to be exact) and App Security module (WAF) that can be added on. More still, it has APM for access control to proxy Kerberos, NTLM, SSL VPN and even act as SAML gateway for AD Federation Services or the like... not forgetting they are a load balancer from the start... They likely lose out on breach detection such as malware analysis, network forensics or sandbox capability... but that may not be your priority. ASM does support ICAP to an AV server if needed.

Just some F5 APM examples or use cases...
https://devcentral.f5.com/articles/tmg2f5-series-publishing-microsoft-exchange-using-f5
https://devcentral.f5.com/articles/-ldquoapples-to-apples-rdquo-comparing-an-apm-deployment-to-tmg

Interestingly, this article (with a series of evaluations performed) performs some elimination of providers which you may want to take a look at: https://www.winsec.nl/2013/01/16/securing-edge-post-tmg-world/

But in its summary (part 6) https://www.winsec.nl/2013/03/29/securing-edge-post-tmg-world-part-6/, it concluded the following:

The main factors that drove this decision were:

Hyper-V support
Excellent GUI
Ease of use / gradual learning curve
Authentication model
Application control
Wide support for VPNs
Depth of customization
Depth of reporting
User friendliness (user portal, graphical error messages)
Level of support available
Modularity (through licensing)

So yeah, that basically sums it up for this blog series.
Expect to see some follow ups with tips, advice, scenarios etc. in the near future when we start migrating the first ISA and TMG deployments to Sophos UTM.

Eventually it depends on what you need, and I believe the existing rule migration is a big criterion for the winner-take-all...
 
Steve commented:
not only.
Sorry mate. Not sure what you mean by that.

You can certainly consider a single appliance but it has big downsides when shared out for multiple sites.
Selecting a site to host the device is important as you need to consider bandwidth and the ability for all sites' traffic to flow smoothly to this central point.

You also need to consider how the sites would function if this central point wasn't reachable for any reason.
 
btan (Exec Consultant) commented:
Indeed a single appliance is not the best fit for multiple sites, especially an international org spread out over a wide locality. The key is to know where (regardless of site) the perimeter or boundary is that you are seriously going to guard and invest the control inspection in. You cannot inspect what you cannot see, meaning the traffic is supposed to go through that, ideally including VPN. However, that is the idealistic and simplistic assumption we make, but minimally that sets the bar to catch most traffic if you can set the boundary for the critical service and enclave them architecturally...
 
DukewillNukem (Author) commented:
All sites are connected through MPLS, but the traffic is unencrypted. So, from any site I want to connect to the internet, I will have to go through a proxy.

Therefore, a single proxy should be able to cover every single site and that should be possible, right?
 
btan (Exec Consultant) commented:
Should not be an issue, and that is what a proxy is supposed to do for traffic going through it. The box just needs to be able to sustain that performance for real-time filtering. For F5 I believe they have LTM and WOM too, in case you need site-to-site WAN optimisation. For multiple sites, they should still go through the same proxy policy checks.
 
DukewillNukem (Author) commented:
So, a single proxy would be a one-size-fits-all solution? Question is, which product (next to F5) would fulfil all the needs? And how should it be configured?
 
btan (Exec Consultant) commented:
Yes, but the caveat is that F5 is primarily a reverse proxy in the making from the beginning. Forward proxy is viable but not its strength.

I see the NGFW or UTM build can also be a candidate. If you check my first posting's links, you see that they eliminated a list of possibilities and drilled down to Sophos. Coming back, they do have application proxy gateway capability.
http://searchsecurity.techtarget.com/magazineContent/NGFW-Getting-clarity-on-next-gen-firewall-features
 
btan (Exec Consultant) commented:
This is the link to Sophos UTM and you can catch the proxying section...
https://www.winsec.nl/2013/03/29/securing-edge-post-tmg-world-part-5/
 
DukewillNukem (Author) commented:
I don't care so much about the product itself, it could be anything.
Our situation is as follows: each site has its own ISA 2006 server which gets administered separately, because each site is independent from the others with its own provider.

According to our CEOs, this must change in future. Each site must be administered from a single, central point.

So, what could be a solution that fulfils our needs?
 
btan (Exec Consultant) commented:
Then the above has shared that it can be fulfilled from a central box.
 
DukewillNukem (Author) commented:
Which one?
 
btan (Exec Consultant) commented:
Pardon me, it is the Sophos UTM - the "Proxying" and "Advanced Features" sections describe it further: https://www.winsec.nl/2013/03/29/securing-edge-post-tmg-world-part-5/
 
DukewillNukem (Author) commented:
That one looks interesting. Is there another product, this way I can compare them?
 
btan (Exec Consultant) commented:
Probably
Barracuda NG - one thing highlighted is that it lacks user-controlled overriding (or soft blocking, as it is known in other products), which allows you to select a subset of users who get to override certain filters if required.
https://www.winsec.nl/2013/02/23/securing-edge-post-tmg-world-part-4/
 
DukewillNukem (Author) commented:
Oh, thank you.
 
DukewillNukem (Author) commented:
We also have Sourcefire as IDS, but I'm certain we can get rid of that one too and have an "all-in-one" solution. Any other suggestions?
 
btan (Exec Consultant) commented:
That is what UTM "wants" to offer, and since you already persist for the multi-feature, UTM or NGFW is probably the possible candidate... Cisco also bought over Sourcefire and they have the Cisco ASA CX (but it is not Sourcefire inside, though they have IPS capability already built in for CX, not a separate physical module).

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/qa_c67-700607.html
 
DukewillNukem (Author) commented:
Cisco also bought Sourcefire?? Didn't know that... Since we already have Cisco firewalls too, that could lead to an easy decision...
 
btan (Exec Consultant) commented:
Good to poll those "sales" guys again, and probably an upgrade is more enticing and optimal for the all-in-one that you are looking at.

http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/sourcefire.html#~faqs

Q: What are the plans for Cisco integrated IPS on ASA?
A: The ASA is an industry leading firewall and Cisco intends to continue to aggressively invest and evolve the ASA. Specifically, Cisco intends to utilize the Snort engine and signature set as part of the ASA integrated IPS offers. This is in-line with the architectural evolution that was already planned as part of the Cisco platform evolution and is consistent with Cisco's commitment to growing the Snort open source community and Snort usage across the industry.

Q: What are Cisco's plans for the Sourcefire FirePOWER Platforms?
A: Sourcefire's FirePOWER platform is a powerful, integrated multi-service security appliance which aligns very well to Cisco's overall platform strategy. The FirePOWER platform performance and efficacy has been demonstrated by NSS Labs and other independent 3rd party tests. After close, Cisco intends to build upon this success and plans to further accelerate the roadmap and adoption of the FirePOWER platform.
 
DukewillNukem (Author) commented:
OK.
Here's a follow-up from our infrastructure: we do have about 30 ISA servers on each of our sites and we have deployed some ISA server chaining, because from sites in countries like China, websites like, say, BBC or ABC are not available.
To successfully migrate, this fact must be considered and deployed.
In future, I want to administer each site from one single point. Is that possible?
 
btan (Exec Consultant) commented:
Though I have not used it, they do seem to have central mgmt of the various chained devices, including existing ASA.

http://www.drchaos.com/comparing-asa-management-internal-vs-external-cisco-prime-security-manager-overview/

For those that want to centralize managing all security features for both 1st and 2nd generation ASAs, Cisco offers External Prime Security Manager. For example, you can push out one Access List or Policy to enforce something to all security solutions on your network (ASA 5520s, ASA 5545s and any CX modules as an example). External Prime can be an appliance or VM and has a cost.
 
DukewillNukem (Author) commented:
I forgot to mention that we have ISA chaining as a solution. So Sophos would fulfil this all too?
 
btan (Exec Consultant) commented:
I see Sophos may not even do chaining though, but the implementation aspects will be best clarified by the principal based on the capacity provided. At most they are looking at an HA configuration with all traffic coming into the same node, and the sizing is to be properly catered for on the effective throughput load.
 
DukewillNukem (Author) commented:
Looks like this could be our best solution... Any other suggestions?
 
btan (Exec Consultant) commented:
Maybe better to focus on Cisco CX and Sophos UTM :) We can hear from others though.
 
DukewillNukem (Author) commented:
From that point, I'd go for Sophos.
But we also have Sourcefire IDS. Maybe we can implement that into Cisco ASA.
 
btan (Exec Consultant) commented:
Thanks for sharing.
 
DukewillNukem (Author) commented:
Since it's not clear what Cisco is up to, I'll better wait. However, with our proxy solution we can proceed. Here's even more info: there is proxy chaining implemented, that seems to be the trickiest part: how do we migrate all those settings into a single appliance/device?
 
btan (Exec Consultant) commented:
I do suggest not delving into proxy chaining support in the replacement, as it may have other means to achieve it that are not termed proxy chaining - have the support or sales people advise instead. The use case outcome should stand to lessen the overall impact.
Question has a verified solution.