News Stay informed about the latest enterprise technology news and product updates.

Building a better firewall

ISA Server expert Tom Shinder answers user questions about firewalls and Microsoft's ISA Server in this follow-up to his March 14 webcast "Building a better firewall." If you missed the live event, be sure to tune into the audio transcript. You can also download his presentation from this Best Web Link subcategory.

SearchWin2000: I'm a beginner in firewalls. What books or Web sites would you recommend to learn more indepth on how to set them up and configure them?
There is a good book called "Building Internet Firewalls" by Zwicky, Cooper, and Chapter which is great! I highly recommend it. After reading that book you'll be in good shape to expand your firewall knowledge. It's available at the SearchWin2000 bookstore. SearchWin2000 (David Dellano): Bandwidth Control - Does ISA's QoS work?
QoS is very problematic. I have found that it likes to change rules and drop them out. To test H.323, create a Bandwidth Rule just for the H.323 Protocol, and create a Bandwidth Priority just for the H.323 Protocol. Then fire up the bandwidth counters and see what happens. SearchWin2000: What are the advantages/disadvantages of ISA server over a hardware-based firewall?
ISA Server is easier to configure if you're already very well acquainted with the Windows interface. It uses the MMC and can also take advantage of the Active Directory and Windows NT 4.0 SAM users accounts databases. Most hardware-based firewalls have a limited level of support, and you often have to pay them a princely fee to get help. There is a large ISA Server user community, and online resource, that can help you solve virtually any problem! SearchWin2000: Is it "legal" to use ISA Server to hide or protect a group of computers from others on the same network? Both the internal and external NICs are on the same network.
The external interface can't be on the same network as the external interface. However, the internal and external interface can be connected to the corporate intranet. That works fine for creating security zones for corporate LANs connected to the backbone. However, if all the machines belong to the same domain, you'll run into issues with intradomain communications across the ISA Server. In this case, you might want to consider a VPN solutions to allow the DCs to communicate with one another.

About Tom Shinder:
Tom Shinder is the author of the best-selling book Configuring ISA Server 2000 and the editor of the Brainbuzz Win2k News newsletter. He is a regular contributor to TechProGuild, and content editor, contributor and moderator for SearchWin2000: With SBS adding an additional server, should I move ISA off the PDC or use a two-tier ISA system?
If you have a second server, you should move all the network services off the ISA Server and put them on the internal network server. Your life will be a lot easier, more secure and it's a better overall configuration. SearchWin2000: Do you recommend a software or hardware firewall for small businesses with 1-40 employees?
I think you can use either, depending on the features and price point that matches your requirements. Think about what you want the firewall to do, and then compare the features provided with the different firewalls with what you need. The nice thing about ISA Server is that there is a lot of community support for it. And I'll always be around to help you. SearchWin2000: What would be the next step once you have been alerted that an intruder has performed a port scan?
Port scans should also be checked out in the packet filter log. Compare the time of the alert with the packets appearing in the packet filter log. Sometimes ISA Server reports port scans from servers that are slow in responding. You'll only be able to determine this by looking at the packet filters. Remember that port scans by themselves aren't a problem, but you might want to pay more attention to the log files if you find that you're getting other connections from the IP address that is scanning you.

Dig Deeper on Legacy operating systems

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.