
SAT endorses Microsoft's ISA Server 2004

Space Age Technologies (SAT) has had the pleasure of working with Microsoft's Internet Security and Acceleration (ISA) Server 2004 since Beta 2 became available at the end of January 2004. We prefer to stress products internally right from the beta stages so that we can effectively and honestly advise clients on the correct solution for their organisation.

Since our first live rollout of ISA 2004 in July (shortly after the final RTM release became available) we have continued to deploy a number of ISA 2004 servers amongst our clients, often migrating from popular firewalls such as Linux, PIX, CheckPoint, ISA 2000, Borderware and Netscreen.

While we are clearly aware of the conflicting opinions concerning Microsoft's security products, not many people realise that Microsoft spends over $6.8 billion on R&D, of which research into security products and technologies takes top priority. ISA 2004 was completely re-engineered with the specific purpose of becoming the de facto choice, even in large enterprises, and should not be compared with ISA 2000 or Microsoft's shelved Proxy Server.

A school of thought remains that the only true firewalls worth purchasing are the 'traditional hardware (ASIC) firewalls', but serious consideration should be given to modern firewalls that can perform deep application-level inspection of network traffic. Much larger organisations still have to look at options involving back-to-back firewall configurations (most often due to the required throughput).

Based on our experience with ISA 2004, it is our opinion that the technological enhancements will benefit any network, and predominantly Microsoft networks most of all; reduce the total cost of ownership; improve functionality; and greatly ease ongoing security management.

Allow us to explain why we are so excited about this product.

Multi-network defence

ISA 2004 is a true multi-networking firewall. One does not just define which networks are local (and thus trusted), with all other networks considered external. Now every network can be classified as required, making it easy to define an untrusted network from which all trusted networks will be protected with powerful stateful application-layer inspection. Access rules must then be defined to allow communication between the networks (in both directions), allowing very strict control. One can also modify the routing relationship used between the different networks: whether addresses will be translated (providing transparency) or routed. This type of control allows the product to integrate even into very complicated networks, whether that be because multiple DMZ/perimeter networks are required, there is a need for (multiple) partner extranets, multiple organisations share a common internet connection, or many other possible scenarios.

VPN Functionality

ISA 2004 server also acts as a very sophisticated VPN server. Many VPN server solutions are configured either to allow all authenticated users unrestricted access to the corporate network, or to use simple packet filters to limit which ports or devices can be reached. These packet filters also very often apply to all connections regardless of the user or device that is connecting. ISA 2004 allows administrators to create specialised firewall groups to which they can apply specific access rules (using stateful application-layer inspection, granting access on specific protocols, specific destinations, specific schedules and so on) to control access in a very granular way. Because ISA 2004 conforms to the open standard for IPSec tunnel mode, site-to-site connections can easily be established to a wide array of third-party VPN servers available in the market; quite an important feature, as many smaller branch offices need to deploy less expensive VPN servers, for example. One advanced feature afforded when using ISA 2004 in conjunction with Windows Server 2003 is being able to quarantine VPN connections. With support for this technology growing, this will, for example, allow you to quarantine a VPN client if its virus pattern is not up to date, and apply a specific firewall policy to such clients.
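The two sections above describe one policy model: every network is classified explicitly, traffic between networks is denied unless an access rule allows it, each pair of networks has a routing relationship (translated or routed), and rules can be scoped to a firewall group and a schedule, which is also how a quarantined VPN client ends up with a restricted policy. The following is an added example written for this article, not ISA Server code; the network names, address ranges, group names, rules and the quarantine handling are all constructed assumptions used to show how such a policy evaluates.

```python
"""Toy model of ISA-style multi-network access rules (added example,
not ISA Server code). Networks, ranges, groups and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Explicitly classified networks; any address not listed is "external".
NETWORKS = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.168.100.0/24")],
    "vpn_clients": [ip_network("172.16.0.0/16")],
}

# Routing relationship per network pair: addresses are either translated
# (nat) or passed through unchanged (route). Unlisted pairs default to route.
RELATIONSHIPS = {
    ("internal", "external"): "nat",
    ("vpn_clients", "internal"): "route",
    ("internal", "dmz"): "route",
}


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: frozenset         # e.g. {"tcp/80"}
    sources: frozenset           # network names
    destinations: frozenset
    groups: frozenset = frozenset({"*"})   # firewall groups; "*" = any user
    hours: tuple = (0, 24)       # schedule as [start, end) hour of day


# Ordered policy: first match wins, and anything unmatched is denied.
POLICY = [
    AccessRule("web out", "allow", frozenset({"tcp/80", "tcp/443"}),
               frozenset({"internal"}), frozenset({"external"})),
    AccessRule("inbound mail", "allow", frozenset({"tcp/25"}),
               frozenset({"external"}), frozenset({"dmz"})),
    # Quarantined VPN clients may only reach the update server in the DMZ.
    AccessRule("quarantine", "allow", frozenset({"tcp/80"}),
               frozenset({"vpn_clients"}), frozenset({"dmz"}),
               groups=frozenset({"quarantined"})),
    AccessRule("finance db", "allow", frozenset({"tcp/1433"}),
               frozenset({"vpn_clients"}), frozenset({"internal"}),
               groups=frozenset({"finance"}), hours=(8, 18)),
]


def classify(addr: str) -> str:
    """Map an address to its network name; unknown addresses are external."""
    ip = ip_address(addr)
    for name, ranges in NETWORKS.items():
        if any(ip in r for r in ranges):
            return name
    return "external"


def evaluate(src, dst, protocol, groups=frozenset(), hour=12):
    """Return (action, rule_name, relationship) for one connection attempt."""
    src_net, dst_net = classify(src), classify(dst)
    # A quarantined client loses its normal group memberships until it
    # passes the health check, so only quarantine rules can match it.
    effective = frozenset({"quarantined"}) if "quarantined" in groups else groups
    relationship = RELATIONSHIPS.get((src_net, dst_net), "route")
    for rule in POLICY:
        if src_net not in rule.sources or dst_net not in rule.destinations:
            continue
        if protocol not in rule.protocols:
            continue
        if "*" not in rule.groups and not (rule.groups & effective):
            continue
        if not (rule.hours[0] <= hour < rule.hours[1]):
            continue
        return rule.action, rule.name, relationship
    return "deny", "default", relationship


if __name__ == "__main__":
    print(evaluate("10.1.2.3", "203.0.113.5", "tcp/80"))
    print(evaluate("203.0.113.5", "10.1.2.3", "tcp/3389"))
    print(evaluate("172.16.5.5", "10.0.0.10", "tcp/1433", frozenset({"finance"}), hour=10))
    print(evaluate("172.16.5.5", "10.0.0.10", "tcp/1433", frozenset({"finance"}), hour=22))
    print(evaluate("172.16.5.5", "10.0.0.10", "tcp/1433", frozenset({"finance", "quarantined"})))
```

The evaluation order matters: because the default is deny, a reply direction is never allowed implicitly, so an inbound rule for the DMZ mail server does not open anything towards the internal network, and the schedule and group checks are applied only after the source and destination networks have matched.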

Comprehensive protection

One very strong motivation for implementing ISA 2004 is that no other firewall can protect Microsoft services like Outlook Web Access (OWA) and RPC over HTTP as well as ISA Server can. ISA 2004 can generate the forms-based login page commonly used in OWA 2003 deployments. All OWA requests are thus already authenticated before the requests are even submitted to your Exchange server. Moreover, few firewalls can actually inspect inbound SSL (encrypted) connections. This makes publishing secure (HTTPS) websites or tunnelled services like RPC over HTTP dangerous. ISA 2004, on the other hand, is capable of decrypting these requests and inspecting them before submitting the re-encrypted request to the designated resource. ISA 2004 also uses a special HTTP security filter to inspect all HTTP traffic travelling through any network interface, regardless of the source of the HTTP request. Besides this comprehensive protection, it also offers the firewall administrator very strict control over HTTP traffic. Examples of the control provided are blocking specific executable content, or blocking many applications that are able to tunnel via HTTP, as so many messenger and warez programs do.
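To make the HTTP filtering described above concrete, here is an added example written for this article, not ISA Server's own HTTP filter. It inspects plain HTTP messages; in an SSL-bridging deployment the same logic would run on the decrypted stream before re-encryption. It blocks executable content by its leading bytes regardless of the Content-Type the server declares, and blocks requests whose headers match a tunnelling-application signature. The signatures, the allowed-method list and all sample messages are constructed assumptions.

```python
"""Toy HTTP security filter (added example, not ISA Server code).
Signatures and sample messages below are constructed."""
import re

# Leading bytes that identify executable content regardless of the
# Content-Type header or file extension the server claims.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}

# Hypothetical header signatures for applications that tunnel over HTTP;
# a real deployment would use vendor-supplied or locally observed ones.
TUNNEL_SIGNATURES = [
    ("User-Agent", re.compile(r"ExampleMessenger/\d", re.I)),
    ("User-Agent", re.compile(r"WarezGrabber", re.I)),
]

ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def parse_http(raw: bytes):
    """Split a raw HTTP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers, body


def inspect_request(raw: bytes):
    """Return ("allow", "") or ("block", reason) for a client request."""
    start, headers, _ = parse_http(raw)
    parts = start.split()
    if len(parts) < 3 or not parts[2].startswith("HTTP/"):
        return "block", "malformed request line"
    if parts[0] not in ALLOWED_METHODS:
        return "block", f"method {parts[0]} not permitted"
    for header, pattern in TUNNEL_SIGNATURES:
        if pattern.search(headers.get(header.lower(), "")):
            return "block", f"{header} matches tunnelling signature {pattern.pattern}"
    return "allow", ""


def inspect_response(raw: bytes, block_executables: bool = True):
    """Return ("allow", "") or ("block", reason) for a server response."""
    _, headers, body = parse_http(raw)
    if block_executables:
        for magic, kind in EXECUTABLE_MAGIC.items():
            if body.startswith(magic):
                declared = headers.get("content-type", "none")
                return "block", f"{kind} delivered as Content-Type {declared}"
    return "allow", ""


# Constructed sample traffic.
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
TUNNEL_REQUEST = (b"POST /gateway HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: ExampleMessenger/7\r\n\r\n")
DISGUISED_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
                 b"MZ\x90\x00\x03\x00\x00\x00")
HTML_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>hello</body></html>")

if __name__ == "__main__":
    for msg in (NORMAL_REQUEST, TUNNEL_REQUEST):
        print(inspect_request(msg))
    for msg in (DISGUISED_EXE, HTML_PAGE):
        print(inspect_response(msg))
```

The response check only needs the first bytes of the body, which is why a filter of this kind can decide before the whole object has been downloaded; the request check, by contrast, relies on signatures and should be treated as one layer of control rather than a complete block on tunnelling.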

Real-time monitoring and control

As firewall technology has advanced, so has the sophistication of network attacks. This means you want a firewall that allows you to perform real-time monitoring of all logged events, has advanced alerts that can be configured to take the necessary action(s), and allows you to manipulate firewall sessions in real time. ISA 2004 provides this through an intuitive graphical interface. We have found this to be very advantageous when troubleshooting and performing traffic analysis.

Reporting

A critical component of any security policy is being able to report on network usage. Administrators now have the ability to verify that compliance is being maintained. ISA 2004 not only generates fairly comprehensive reports based on the criteria you specify, but is also able to save these reports in HTML format to a network location. ISA 2004 can furthermore log straight to SQL Server, removing the need for third-party applications to leverage ISA reporting.

Backup and restore

As firewalls are normally positioned directly in front of an organisation's critical assets, the ability to quickly restore critical elements such as servers is of the utmost importance. ISA 2004 allows administrators to back up its entire configuration, or only parts thereof, very easily. The backup is written to an XML file that is both easy and secure to fold into your existing backup strategy. This configuration can be restored to an alternate server regardless of that server's name or the hardware therein. Those accustomed to working with many proprietary hardware firewalls would agree that this kind of flexibility is very hard to compete with. SAT even uses this ability to expedite the deployment of ISA Server, for example by pre-configuring a good deal of the firewall policy in our test lab before even obtaining the client's new hardware.

There are also a few things that SAT believes would improve upon the ISA Server offering, which Microsoft currently relies on partners to provide.

Herewith our personal wish list for ISA Server:

* Policy-based routing is something you need to provide upstream, in the form of a Cisco or Linux router for example. Windows Server only lets you route based on destination. The ability to direct outbound HTTP traffic over a more cost-effective link like ADSL, whilst still routing other traffic through a more expensive link, would be useful in many businesses for example.

* The ability to provide both link redundancy and link aggregation out of the box would be very valuable. Currently the most popular way to provide this through ISA Server is using RainConnect: http://www.rainfinity.com/products/rainconnect.html

* The ability to provide QoS (Quality of Service) would also be a valuable addition. Being able to limit SMTP traffic to roughly a certain percentage of your internet link would help ensure this traffic does not interfere with other legitimate business traffic, for example. Whilst there are many ways to provide this type of functionality, our experience has shown Packeteer devices to do the job very well: http://www.packeteer.com

* Whilst no one can deny the power of ISA's filtering and reporting capabilities, the ability to filter based on bandwidth management parameters would be a nice addition. One of the most popular products providing this (and further leveraging the power of ISA) is SurfControl's Web Filter for ISA Server: http://www.surfcontrol.com/products/web/ms_isa/

Industry support for ISA Server is growing at a rapid rate. Many people have shown interest in having dedicated security appliances running ISA 2004. Information about some of these hardware solutions can be found at http://www.microsoft.com/isaserver/howtobuy/hardwaresolutions.asp. They start off with fairly basic offerings from vendors like Hewlett Packard, whilst a very advanced offering is available through RimApp Technologies that covers the needs of our wish list (and more), for example.

Please note that the intention of this article was merely to discuss our experience with ISA 2004, as no single firewall can provide the solution to all the possible scenarios found in the market today. We hope you found this article informative, and that it will encourage people to question and discuss the capabilities of modern firewalls the way SAT has.


Editorial contacts

Lizaan Louw
Space Age Technologies
(021) 887 7292