Use or Not to use ISA

Ron
07-09-2005, 10:52 PM
I am looking for advice on the best way to protect my web server.

I currently sit behind a Symantec Gateway 360 security appliance firewall.
I have the following systems:
2 Win2k3 DCs running Active Directory, forwarding DNS requests to my ISP
with no recursion selected.
1 Win2k3 with IIS installed.
1 Win2k3 as a DHCP and print server.
2 XP clients

I currently do consulting on a small scale and plan on hosting sites for a
small number of clients as well as my own.
I use my ISP's DNS services on the outside to route the sites to my public
IP address.
I have configured the firewall to allow ports 80 and 443 to be open and
point to my IIS server.
I have partitioned the drives of the IIS box which will hold the clients'
sites and have enabled web sharing for each client folder.
I have created separate web sites for each client using host header names.
Currently using 1 IP address for all sites; will establish a separate IP
address for each SSL site when necessary.

Would it be logical to run ISA on the IIS box for more security?
And what benefits would it give me, since I don't have the funds to place
another firewall between the IIS box and the rest of my internal network
to create a DMZ?

A reply would be greatly appreciated.

Thanks
Ron

Karl Levinson, mvp
07-09-2005, 10:52 PM
"Ron" <Ron@discussions.microsoft.com> wrote in message
news:64746411-FC78-477D-BDD7-CA87B6501960@microsoft.com...

> Would it be logical to run ISA on the IIS box for more security?
> And what benefits would it give me, since I don't have the funds to place
> another firewall between the IIS box and the rest of my internal network
> to create a DMZ?

ISA is very expensive, compared to, say, a www.netscreen.com low-end
appliance starting at around $600 US, or even a low end www.netgear.com
appliance starting around $100 US. If you prefer, there are also a number
of absolutely free *nix based firewalls that will run on any old 486 or
Pentium computer, such as www.openbsd.org, or a variety of free boot CDs
that include firewalls. You could also look into adding an additional
firewalled network interface port on your firewall appliance to create a DMZ
that way; many firewall appliances come with a "DMZ port" already.

Running ISA on your web server itself is not the ideal configuration for a
firewall IMHO for reasons of performance and security. If you wanted to run
a host-based software firewall on a web server, you could probably get
almost as much security with something like www.sygate.com or
www.blackice.com for under $100 US.
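An added illustration of the segmentation Karl is describing (a firewall with a third, "DMZ" interface so the IIS box sits in its own zone and cannot initiate connections into the internal LAN). This is example code written for this page, not from the thread or from any vendor named in it. The addresses, zone layout and rule set are constructed assumptions for a layout like Ron's (web server in the DMZ; DCs, DHCP/print server and XP clients on the LAN); the script is a first-match policy evaluator for checking such a rule set offline, not a firewall. It generalizes the thread's single case (80/443 in from the Internet) to the full set of flows a three-zone design has to decide.

```python
"""Toy first-match packet-filter policy for a WAN / DMZ / LAN layout.

Added example: the zones, addresses and rules below are constructed for
illustration and are not the poster's real network or any product's syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Constructed addressing (RFC 1918 ranges chosen for the example only).
ZONES = {
    "dmz": ip_network("192.168.100.0/24"),  # IIS box lives here
    "lan": ip_network("192.168.1.0/24"),    # DCs, DHCP/print server, XP clients
}
# Anything outside the two inside networks is treated as the WAN.


def zone_of(addr: str) -> str:
    """Map an address to its zone; the WAN is the catch-all."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "wan", "dmz", "lan" or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dports: FrozenSet[int]  # empty set means any destination port
    action: str            # "allow" or "deny"
    note: str = ""

    def matches(self, flow: Tuple[str, str, str, int]) -> bool:
        src_zone, dst_zone, proto, dport = flow
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


# Ordered list, first match wins. The last rule is the default deny that makes
# the DMZ meaningful: a compromised web server can neither reach the DCs nor
# call out to the Internet except where a rule explicitly says so.
POLICY: List[Rule] = [
    Rule("wan", "dmz", "tcp", frozenset({80, 443}), "allow", "published web sites"),
    Rule("lan", "dmz", "tcp", frozenset({80, 443, 3389}), "allow", "browsing and RDP admin from the LAN (assumed)"),
    Rule("dmz", "lan", "udp", frozenset({53}), "allow", "IIS box resolves names via the internal DC (assumed)"),
    Rule("dmz", "lan", "any", frozenset(), "deny", "web server must not reach the internal network"),
    Rule("lan", "wan", "any", frozenset(), "allow", "clients and DC forwarders out to the ISP"),
    Rule("any", "any", "any", frozenset(), "deny", "default deny"),
]


def decide(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) for the first rule matching the flow."""
    flow = (zone_of(src), zone_of(dst), proto, dport)
    for rule in POLICY:
        if rule.matches(flow):
            return rule.action, rule.note
    return "deny", "no rule matched"  # unreachable with the catch-all, kept for safety


def audit(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[Tuple[str, str, str, int], str, str]]:
    """Evaluate a batch of flows; handy for checking a rule set before applying it."""
    return [(f, *decide(*f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.7 stands in for an Internet host.
    SAMPLE = [
        ("203.0.113.7", "192.168.100.10", "tcp", 80),    # visitor to a hosted site
        ("203.0.113.7", "192.168.1.2", "tcp", 445),      # Internet straight at a DC
        ("192.168.100.10", "192.168.1.2", "udp", 53),    # IIS box doing DNS
        ("192.168.100.10", "192.168.1.2", "tcp", 445),   # IIS box probing the DC
        ("192.168.100.10", "203.0.113.7", "tcp", 80),    # IIS box calling out
        ("192.168.1.50", "192.168.100.10", "tcp", 3389), # admin RDP from the LAN
    ]
    for flow, action, note in audit(SAMPLE):
        print(f"{flow[0]:>15} -> {flow[1]:<15} {flow[2]}/{flow[3]:<5} {action:5} {note}")
```

Running the script prints one line per sample flow; the point is the rows that come back `deny`: the Internet cannot touch the DCs directly, and the IIS box can neither reach SMB on a DC nor open an outbound connection to the Internet, which is exactly what a DMZ port (or a second firewall) buys over running a host firewall on the web server alone.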

S. Pidgorny
07-09-2005, 10:52 PM
Recently I had to configure Cyberguard SG series devices (former SnapGear) -
totally Linux/open source based - very nice, too. If you don't know what's
going on, you can ssh into the device and deal with familiar things, e.g.
Netfilter/iptables, Poptop and syslog.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:eHKd2HcXFHA.4064@TK2MSFTNGP10.phx.gbl...

> ISA is very expensive, compared to, say, a www.netscreen.com low-end
> appliance starting at around $600 US, or even a low end www.netgear.com
> appliance starting around $100 US.
