Sat, Oct 23 2004 15:25
Okay I'm in a mood....
Fredly posted in the newsgroup asking a question about WatchGuard versus ISA, and from wherever else he had crossposted, he came back with another response that said this:
“The best thing you can do is to get a firewall such as a WatchGuard or another box and remove the ISA. It's never a good idea to run a firewall on the same box as your production server. I can't think of any explanation why MS didn't remove the ISA when they removed the TS on SBS2003; it's a bad idea to have a firewall on your production server, very bad. But if you have the WatchGuard you will be safe, and then you only need one network card. But if you are only running ISA, DHCP and DNS and not Exchange or other stuff, then you can use your SBS as a stand-alone firewall and that's OK, but maybe a little overkill to have an SBS box for that and not only a standard server with ISA.”
To whom it may concern that posted that: The best thing you can do is to understand that right now my vulnerabilities, my threats, my weaknesses are not my ISA on my domain controller but the fact that many of my line of business apps want local administrator. Having a firewall on our little boxes is not where my security threats are coming in from, dude. It's my blasted desktops that cause me my grief. A firewall is a speed bump. A WatchGuard firewall is also just “software on a box”. And right now with my Shavlik, I have a patch tool for my firewall. WatchGuard needs patching just like anything else.
As long as you are running Windows 98 or XP in local administrator mode, the number of NICs and the position, make/brand, etc. of your firewall are irrelevant.
My threats are not attacking my domain controller. They are attacking my desktops.
As long as we don't understand where our true vulnerabilities are.... we will be arguing while the house burns down in flames behind us.
UPDATE: Bruce Schneier has a blog post on this subject:
“Again and again, it tells customers that they must buy a certain product to be secure. Again and again, they buy the products -- and are still insecure.
Firewalls didn't keep out network attackers -- in fact, the notion of "perimeter" is severely flawed. Intrusion detection systems (IDSs) didn't keep networks safe, and worms and viruses do considerable damage despite the prevalence of antivirus products.
The key to network security is people, not products.”
Filed under: Security, Rants