Domain: isaserver.org
Stories and comments across the archive that link to isaserver.org.
Comments · 7
-
Re:Firefo 14 will encrypt searches
Not if you're using IEx in an Active Directory domain. They won't flag the domain controller or the ISA/ForeFront server in this exact scenario, because they're explicitly told not to. Chrome or FF probably do but IE plays by the domain controller's rules.
See http://www.isaserver.org/tutorials/Configuring-HTTPS-Inspection-Forefront-Threat-Management-Gateway-TMG-2010.html for how to.
As you can see, if the unsuspecting IE user doesn't investigate, they'd never know what's going on. -
Re:Do power users abuse their IT knowledge?
Look at what the Forefront TMG Firewall client can do.
-
Re:We do need to redefine privacy - with cryptogra
So what you're saying is that if you provide a fake certificate, HTTPS is insecure.
What I'm saying is that what the other poster said isn't "horse****". If you jack into my ethernet hub, and it turns out that my ethernet hub is connected to a firewall like this, I can read your HTTPS traffic, if not most of your encrypted traffic. SSH is only protected because it keeps a list of known fingerprints and alerts you if something changed. If you get a completely different certificate for https://www.paypal.com/ tomorrow, as long as the browser can confirm that it was signed by someone it was configured to trust (for instance Microsoft, or AT&T), it won't even bat an eye.
Maybe the other guy was confused, or just confusing, but everything that he said is fully possible. -
Re:FUD
I agree with everything except your firewall beliefs. Anyone who buys a hardware firewall thinking they are perfectly secure is an idiot. I have a SW firewall at where I work and haven't had problem yet. Even better and will add fuel to the fire: Microsoft Windows 2003 + Microsoft ISA Server 2000. WOW, all Microsoft? And haven't been hacked yet? Amazing. All software based. All I can say is: Get out of the: Hardware firewalls are the only real firewalls.
Read this. Yes, it's from a Microsoft junkie probably but many of his ideas are sound. And I must admit, my software firewall is easier to manage than most hw firewall's I've dealt with. -
ISA
If you want a Windows solution then ISA is the way to go.
It will handle reverse web proxying along with providing transparent caching etc.
It's also very very easy to set up.
If you want more specific into, try Thomas Shinder's site http://isaserver.org -
ISA Server in front of ExchangeActually, having ISA Server publish your Exchange server (using RPC) or Outlook Web Access (OWA) is a great alternative to hosting yet another server you're going to have to patch and lock down. Configuring a firewall that is meant to be secure is much easier than trying to tie down a web server. Web servers on the edge don't even have the monitoring and reporting capability that you will need to know that things are running smoothly (or not). If all you want to let out is webmail, just publish OWA. ISA Server can add a layer of protection that a web server can't, including URLScan filtering, SecurID two-factor authentication, and pre-authentication. On top of that, if you want, you can install a Symantec virus filtering agent on the ISA Server and simultaneously filter out viruses in your webmail. There are hundreds of users who user ISA to protect their Exchange and webmail. Don't take my word for it though. Check out
:Serverwatch
Microsoft's own site
ISAServer.org
The best answer is always to have defense in depth - Having a firewall in front of your web servers and email servers is good. Having an application aware firewall in front of your web/email servers is better. Having both and having a secure policy on them with AV software and keeping your machines patched is the best.
-
If opensource isn't needed, they start creating itlast time I used Mcboboche stuff was back in the DOS days...
Oh wait... I did once under win95, when it killed my system (isn't that the job of a VIRUS anyways?
:) ) I've been on norton since then.
Now the thing that scares me the most is that norton will probably pull the same thing... it starts with one hole, and you end up being the big ass at the end
;)
Now let's picture this (sorry if it's redundant)
First, your job is to kill viralware, now you blattanly say you won't...One MAJOR loophole is just what it takes to pull another redalert/codered/etc type of attack...
Second, how many time do you think it will take for ANY hackers to find that bitch and slap it? how many milliseconds after that will it take to make a load of varient based on that same code that passes right thru the system you're supposed to protect?
Before I didn't really see the need for open-source stuff, I didn't NEED opensource tools to do my job, the commercial alternative were cheap enought to be worth the timesaving they would bring me, so you can picture me as a Blind Microsoft cash cow IT administrator, but with enough IQ to pull out when we milk me before I can even eat my wheat (goes well with my nick, no?
:)).
The IDEA of my comment is the following: The more I see this stuff going, the more you're completely losing my trust, hense, my buisness, I've started learning NetBSD to replace that new Microsoft Firewall server that I was supposed to buy when I've found out it was as bad as the rest of Microsoft's product security-wise (i.e. Codered infecting your supposely secure firewall, you would have thought that even if it's using windows technology, they would have worked out the loophole for that expensive product). Now I know that viruses can go thru a firewall, but INFECTING your firewall server at the same time? and spreading across your users as well? that's bad
:) it's even worse when you get hit twice within 2 months with about the same virus!.
Now, this is making me losing my confidence in a product... but you might give them a chance, you've invested enough and a lot of companies depend on their software so you'd assume that they would address it quickly and do their best to not pull that kind of thing a second time, but what's next, product activation (A NIGHTMARE for administrators that do upgrades to users from pro to developper or to upgrade their machines and putting the older one with something that let's say doesn't require Developper but the small buisness license could do).. anyways that's just an example, I've boycotted windowsXP after my horrible officeXP XPrience, and if major companies continue pulling that kind of stunt, they will create their own recession. I won't put the company I am working for at risk because some guy somewhere chose to blattantly put holes in every single security steps. If you want a backdoor to hack, a lot of kids will find the keys, and they will drive it down the road till they hit something, I won't risk the company's IP because of people that are powertripping somewhere.
And besides, the point of a SECURE SERVER/FIREWALL/DESKTOP/OS/NAMEIT is to have 0.00000 Known defect, putting a hole into it makes it NON-SECURE. If you want to fool customers and do false advertising, you can continue using Secure desktop terminology, but if y a virus writer goes thru that security hole of yours and smash systenms and posts it publicly, you will get Shafted so bad by a class-action suit that you'll be sorry that you ever made that decision! This is so depressing, someone should really start doing an opensource antivirus software for the win32 platform, seems like there's a nice new niche here.
I wonder where all this will stop.. speeding photoradar, gps phones, encryption backdoor, spycams everywhere, IP confidential mail getting opened "in case there's some anthrax"?, phone tapping without court approval, carnivore, heh , heck, with this logic, I can see the day where having a dildocam on every dildo or condoms be mandatory in case you're hiding drugs somewhere...
:)