Packet Filter and ISA

I work with someone (who happens to be a friend of mine too) and the ONLY firewall he believes in is ISA Server from Microsoft. Now I'm not going to even pretend I am a firewall guru but I wanted to discuss with him how great PF is.

What are the pros and cons about pf and ISA? When would you choose to use one over the other?

This isn't an ISA bashing post but I have had to look at ISA occasionally and I have never liked it. PF on the other hand just "clicks" with me.

The one thing he keeps telling me is that ISA has never been hacked which I find hard to believe! On the other hand, I read that Defcon uses OpenBSD and (I assume) pf to protect their LAN which I find incredible!

Sooo, how can I have an intelligent discussion about the two firewalls without it getting into a "mine's better than yours" argument? :e
 
Wow.. that is just amazing. I would wonder how he could trust something that is basically a black box? I would never even consider it as an option due to that. And who wants to pay licensing fees for something like a firewall? I don't know much about it, having never run one, but a friend of mine compared them by saying ISA defaults to a default open and PF (can) default to a default closed. This was after the two of us spent a few days cleaning up a mess for a customer where ISA made their Exchange server an open relay. Needless to say, I will not be allowing him to install ISA anywhere again and we will be setting up Soekris boxes running PicoBSD.
 
That's a good point about it being a black box!

My friend pays a MONTHLY licensing fee for Windows AND ISA.

I think your friend is mistaken about ISA defaulting to allow all through (unless that's how older versions worked). The versions I have looked at default to block/deny all (2004 and 2006).

I do like the sound of Soekris boxes running PicoBSD...
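The "default closed" policy the previous two posts are arguing about is a matter of how the ruleset is written. As an added illustration that is not from anyone in this thread, here is a minimal default-deny pf.conf for a two-interface OpenBSD gateway in front of a LAN that hosts a mail server; the interface names and addresses are made up for the example.

```pf
# Added example: default-deny pf.conf for a small gateway (not from the thread).
# Interface names, the LAN prefix and the mail server address are constructed.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
mail   = "192.168.1.25"      # hypothetical internal mail server

set skip on lo
scrub in all

# Default closed: this rule matches every packet, and because pf uses
# last-match semantics, anything not matched by a later pass rule is dropped.
# "log" records the drops on pflog0 so you can see what was denied.
block log all

# Let the gateway itself and LAN hosts originate outbound connections.
# "quick" stops evaluation here so no later rule can override it.
pass out quick on $ext_if inet keep state
pass in  on $int_if inet from $lan to any keep state

# The only service exposed from the Internet: SMTP to the mail server.
# Everything else inbound on $ext_if still falls through to "block log all".
pass in on $ext_if inet proto tcp from any to $mail port 25 \
    flags S/SA keep state

# Allow inbound SSH to the gateway from the LAN only, for administration.
pass in on $int_if inet proto tcp from $lan to ($int_if) port 22 \
    flags S/SA keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0` to confirm that unrequested traffic is being dropped rather than passed. NAT for the LAN is deliberately left out because its syntax differs between OpenBSD releases. Note that this ruleset only limits who can reach port 25; whether the mail server then relays for those hosts is a setting on the mail server itself, not something the packet filter can decide.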
 
ISA is great as a proxy as it's easy to integrate with existing Windows clients. I would never use it as a firewall though.

For big setups I probably wouldn't even use PF but opt for Cisco ASA or Checkpoint. Preferably even both.
 
Performance mostly, and let's not forget vendor support (big companies like to have it).
 