Don't Fear the Hork Mode Firewall (or reason one million and twelve why it's not the ISA firewall's fault
Yuri Diogenes put together nice nice blog post on a network performance situation that was initially blamed on the ISA firewall (the firewall is always one of the usual suspects when it comes to Internet performance issues). To make matters worse, it was a hork mode (also known as "single NIC) firewall, which would have made you wonder why anyone would have considered blaming the poor thing for anything other than feeling blue for having 95% of its functionality ripped out of it due to the hork mode deployment 🙂
Another nice thing Yuri's article points out is that the ISA firewall's ability to update itself each month is a good thing. In the past I used to take on an apologetic tone when it came to ISA firewall updates. Heck, it would lead to 3 minutes of downtime a month because of the reboot! But over time I realized "hey, that three minutes is a very small price to pay for security". Especially when the overwhelming majority of Cisco deployments (and other "hardware" firewall deployments) have outdated and vulnerable software running because they never update the darned things.
Check out Yuri's interesting article at:
(he even includes a red herring regarding ICMP redirects!)
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer