Ed
Wed Aug 24 17:24:25 CDT 2005
ISA solely for SMTP is overkill, I agree; an IIS SMTP service is just fine
for that. For publishing OWA, POP and IMAP, it's a nice tool. You can buy
a hardened appliance version of ISA. My employer sells one.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in message
news:OKJA%23yNqFHA.1272@TK2MSFTNGP11.phx.gbl...
> Well, I'll play along with this one. Why is it recommended? I think
> Leythos knows enough about this subject to deserve a better explanation.
> To be honest, the ISA server in a SMTP situation doesn't offer a lot of
> protection vs. a hardened machine. Especially one with the firewall
> built in, etc. ISA is much more suited to layer-7 filtering of Microsoft
> products than other firewall services. That's a true statement. But for
> SMTP only, I can't see the benefit of deploying ISA server into this
> situation. I see it as overkill and not providing ROI to the effort I'm
> putting into it and the introduction of new technology I don't already
> have. Translation? Extra burden on my staff if I do that with very little
> return.
>
> For RPC/HTTP or HTTP (OWA) access, I highly recommend ISA. I know the
> difference on the wire why it would make sense vs. the other firewall
> products out there. But its best use is as part of a bigger strategy not
> just something to replace an already existing strategy/architecture that
> works and certainly not for just SMTP (30+ year old protocol) which can be
> secured about as much as it is going to be on just about any relay machine
> whether Windows, *nix or whatever you choose. I prefer to pick relays
> that have queue management possibilities (little to no code required) so I
> haven't really wanted to deploy a lot of Windows servers for relay
> devices. I would be loath to deploy ISA for just SMTP relay for that same
> reason. It's a gap in the strategy that hasn't been filled. It's not much
> better with other vendors, but I keep holding my breath hoping that
> security vendors will see the error of their ways and create devices that
> can be smart about being in the mail stream. Until then, a DMZ
> architecture that uses some MTA that I prefer is the way I'll continue.
> Unless of course it's convenient because I also want AV, HTTP & 2-factor
> access, etc. Then it would make sense to take advantage of the MTA already
> there.
>
>
> Unless you were thinking of some other reasons why this makes sense and I
> totally missed the boat. Please correct me if you see differently.
>
> FWIW, I can run a hardened server of just about any flavor in a DMZ
> environment. But it only takes one port to do damage, so I'm much more
> apt to prefer a local host firewall and a good monitoring system for both
> the application and the wires. Some folks will tell you that a DMZ is not
> even necessary any longer. :)
>
>
>
> "Don Wilwol" <donwilwol@yahoo.com> wrote in message
> news:erURL6KqFHA.3516@TK2MSFTNGP15.phx.gbl...
>>
>>
>> --
>> Hope it helps...........
>>
>> dw
>>
>> Don Wilwol
>> Blog - http://spaces.msn.com/members/wilwol/
>> Web - http://capital.net/~wilwol/dw.htm
>> DonWilwol(REMOVE)@yahoo.com
>>
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:MPG.1d762f9612f549c9989cf5@news-server.columbus.rr.com...
>>> In article <#7$sgQKqFHA.712@TK2MSFTNGP15.phx.gbl>, "Don Wilwol"
>>> <donWilwol@(EMAIL)yahoo.com> says...
>>>> If you are going to do this, why not do it right and make that server
>>>> in the
>>>> DMZ an ISA server?
>>>
>>> Why would I need ISA on a hardened box?
>>
>> It is a recommended MS setup.
>>
>>
>>>
>>> Why would I want to have ISA running as a "Firewall" on a non-firewall
>>> server?
>> To provide controlled Authentication.
>>
>>>
>>> Why, if I have a real firewall appliance in front of the server in the
>>> DMZ, and have proven rules that work fine, would I need to consider
>>> another firewall?
>>
>> Why do you have 2 to start with? Is there really such a thing as too
>> much protection?
>>
>>>
>>> Are you suggesting that you can't run servers in a DMZ properly unless
>>> they have some soft firewall solution on them?
>> Yep!
>>>
>>> --
>>>
>>> spam999free@rrohio.com
>>> remove 999 in order to email me
>>
>>
>
>
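As an added illustration of the host-firewall-plus-monitoring approach Al describes for a DMZ SMTP relay (this is not code from the thread or from any of its posters), the following PowerShell restricts a Windows relay to inbound SMTP from the outside and outbound SMTP only to the internal mail server, with blocked traffic logged so the "wires" can be watched. The addresses, the internal server, the admin host and the log path are constructed placeholders; the cmdlets come from the NetSecurity module on Windows Server 2012 and later, so the example assumes a much newer platform than the 2005 thread and a relay that accepts inbound mail only.

```powershell
# Added example (not from the thread): host-firewall baseline for a DMZ SMTP relay.
# Assumptions (constructed values): the internal Exchange server is 10.0.5.20,
# the DMZ DNS resolver is 10.0.9.5, the admin jump host is 10.0.9.10.
$InternalMailServer = '10.0.5.20'
$DnsResolver        = '10.0.9.5'
$MgmtHost           = '10.0.9.10'
$LogPath            = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Default-deny in both directions on every profile, so only explicit rules pass.
# Blocked packets are logged; that log is the "monitoring of the wires" on this host.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False -LogFileName $LogPath -LogMaxSizeKilobytes 32767

# Inbound: accept SMTP from anywhere (that is the relay's job) and nothing else.
New-NetFirewallRule -DisplayName 'SMTP relay inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 25 -Action Allow -Profile Any

# Inbound: management only from the admin host (RDP here; substitute your tooling).
New-NetFirewallRule -DisplayName 'Mgmt RDP from admin host' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtHost -Action Allow -Profile Any

# Outbound: the relay may hand mail only to the internal mail server on 25, so a
# compromised relay cannot spray mail at the Internet or reach other internal hosts.
New-NetFirewallRule -DisplayName 'SMTP relay to internal Exchange' -Direction Outbound `
    -Protocol TCP -RemotePort 25 -RemoteAddress $InternalMailServer -Action Allow -Profile Any

# Outbound: DNS to the DMZ resolver only (reverse lookups, RBL checks).
New-NetFirewallRule -DisplayName 'DNS to DMZ resolver' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsResolver -Action Allow -Profile Any

# Review step: list every enabled allow rule so the baseline can be audited.
Get-NetFirewallRule -Enabled True -Action Allow |
    Select-Object DisplayName, Direction, Profile | Format-Table -AutoSize
```

Run this from the server console rather than over a remote session, since the default-deny outbound profile takes effect before the management rule exists. If the relay also delivers outbound Internet mail, the outbound SMTP rule would need to allow port 25 to any address, which is exactly why Al's point about separate relays and queue management matters: the tighter the role, the tighter the rule set.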