Dr. Tom Shinder's Configuring ISA Server 2004

Traditional firewalls are simple stateful filtering devices; this filtering is sometimes referred to as stateful packet inspection. All modern firewalls perform stateful filtering.
Attacks on networks now take place at the application layer, and only stateful application-layer inspection firewalls like the ISA firewall can meet the challenge of protecting against these modern Layer 7 attacks.
Simple stateful packet-filtering firewalls should be placed on the Internet edge of the network if the effective Internet bandwidth exceeds the rate at which the stateful application-layer filtering ISA firewall can effectively process traffic (about 400 Mbps). If the Internet pipe exceeds the ISA firewall's bandwidth limits, place stateful packet-filtering firewalls in front of the ISA stateful application-layer inspection firewall to offload some processing.
There are multiple security perimeters on any network. Stateful filtering and stateful application-layer inspection should ideally be done at each perimeter.
The Windows operating system can be hardened to the extent that it is no more or less penetrable than any other firewall, including hardware firewalls.
Because ISA firewalls provide a significantly higher level of protection than stateful filtering hardware firewalls, the ISA firewalls should be placed closest to the core network assets.
The sample network layout in this chapter provides the information you need to replicate the network topology we use in the discussions and exercises throughout the book.
We used VMware Workstation 4.51 as our test bed environment.