Threats of killing PIX for ISA

Status
Not open for further replies.
Jun 1, 2002
217
US
We have a new guy that wants to replace our PIXes with ISA servers.

Can I get a hand with valid arguments against this?

Your opinion is valuable.

Thanks!
A
 
With a recent look at the Microsoft Security bulletins, I'm not sure that I would feel comfortable replacing my PIX with ANYTHING that was based on a Microsoft Operating System. I have faced the same challenge, but I am just not convinced it would be a good move. It will only take once, and with Microsoft that "once" has a lot higher chance of happening, at least for the present. GOOD LUCK!!! I'll bet the new guy reads a lot of trade rags!
 
Haha


OK, it is suggested to install ISA on a DC (from the ISA MOC).
Hmmm... a domain controller on the Internet protected by Microsoft software? "I don't think so."

ISA IS Swiss cheese for inbound security

Now, for application layer security and outbound control, that's where ISA is best.


My suggestion is to KEEP the PIX by all means possible and use it as the head end device (ACLs) and VPN gateway (IPSec), and it will also create a DMZ on the inside of the PIX.

Then put the ISA Server on the internal interface of the PIX (the DMZ).

Use ISA in conjunction with Active Directory to control application layer firewalling and access control on a user or group basis.

My bet is the new guy came from a CTEC skool and that was his elective for his MCSE and he is intimidated by a CLI device with no buttons or pictures to configure it!


Just a guess.

Cheers
 
Hi.

I agree with the above posts.

You can use the PIX for blocking inbound traffic (layers 3-4), and use another device like ISA to filter outbound traffic at higher layers.



Yizhar Hurwitz
 
I agree with them very much. PIX is one of the most secure devices you can get. The only thing that will get through is what you let through...


BuckWeet
 
---post--
dx1 (MIS) Sep 9, 2003
Leave your PIX in place. Have your ISA behind the PIX and let it do the caching, SMTP filtering and whatever it was designed to do.

----

This is what I have in place now.
I think I am winning this battle. I wanted other opinions as well and you all did a great job. My thoughts exactly.

Thanks guys,
A
 