Firewall, SBS: Are we just lucky, or ahead of the curve?

Recently Chad talked about his reasons for moving off of ISA in SBS deployments, and replacing ISA with CheckPoint’s Safe@Office 500W. In the past, we’ve avoided ISA on SBS, standardizing instead on using the SnapGear (SG) product line for our client's perimeter security. Internally, the basis of this decision is rooted back in the SBS2000 timeframe, but ultimately is a result of the cost-benefit analysis of managing ISA, versus that of a perimeter appliance and the feature-set that our clients were requesting. In other words, ISA while “free” on SBS, and feature-rich in terms of what it can do, ended up being more than our clients tended to need, while the costs of change-management on ISA tended to exceed those of the SG-series that we were moving to standardize on.

None of this is to say that I don’t personally like ISA, nor do I consider it inherently insecure as some seem to. In fact, we’ve used it on a stand-alone box internally for some time, and have enjoyed the benefits that come with AD-integration, and web-publishing. So while our environment no longer precisely mirrors our client-environments (for a whole host of reasons), and I am a advocate of ISA – especially in mid-sized organizations, we’ve standardized on SnapGear for our SBS deployments.

Besides, Cougar is going to require something in front of SBS in the future. So we're either ahead of the curve, or just lucky.