Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
May 2004

Improving on ISA Server

Add-ons make a good product better

Internet Security and Acceleration (ISA) Server is Microsoft's enterprise-level network firewall and Web-caching server. ISA Server 2000 was Microsoft's first leap into the network firewall market, and ISA Server 2004 builds on ISA Server 2000's success as an intelligent application-layer firewall.

You can install the ISA Server software on a Windows Server 2003 or Windows 2000 Server computer. One of ISA Server's advantages is that its management interface uses the same Microsoft Management Console (MMC) interface as other Windows administrative applications. Thus, ISA Server is easy to install and configure for anyone experienced with Microsoft network administration. Another advantage is ISA Server's extensibility from both the hardware and software perspectives. You can easily upgrade the hardware with more memory and hard disk space, and you can install multiple software add-ons to provide a one-box firewall solution. The hardware extensibility saves the cost of high-dollar proprietary hardware upgrades, and the one-box software solution improves performance and lets you quickly and easily update the firewall software to rapidly respond to an evolving attack environment. Let's look at the strengths and weaknesses of ISA Server 2000 and ISA Server 2004 and how you can use third-party products to bolster ISA Server's capabilities.

ISA Server 2000 Key Features
Several features set ISA Server 2000 apart from other enterprise-class network firewalls, including:
  • application-layer filtering
  • the firewall client
  • integrated VPN support
  • Web caching
  • bandwidth prioritization

Application-layer inspection is essential in a complex network environment. The packet-filtering technology that traditional firewalls use can't protect against application-layer attacks such as worms that hide malicious code inside legitimate protocols. ISA Server filters at the packet, circuit, and application layers. ISA Server can perform deep application-layer inspection for incoming HTTP connections by using a version of URLScan that you install on the ISA Server firewall. Extending URLScan protection to the network perimeter stops exploits at the firewall so that they never reach the Web server.

ISA Server 2000's application-layer filtering provides a unique level of protection for Microsoft Exchange Server and Microsoft Outlook Web Access (OWA). Unlike firewalls that pass Secure Sockets Layer (SSL) connections from the Internet host to the OWA site without inspecting the communications inside the SSL tunnel, ISA Server "unwraps" the encrypted SSL content (a technique known as SSL bridging) and exposes it to URLScan and other HTTP application filters to block attacks that would otherwise sneak through the SSL tunnel. To do so, the firewall must hold the OWA site's server certificate and private key and terminate the client's SSL session itself; it can then forward the inspected request to the OWA server over a new SSL connection or in the clear.

The unsung hero of ISA Server 2000 is Firewall Client, client software that communicates directly with the Firewall service on the ISA Server machine and is thus independent from the routing infrastructure. Firewall Client sends the username and the name of the executable application on the client that issued the request to the firewall so that the firewall can log the information and include it in reports.

ISA Server 2000 integrates with the Windows Server 2003 and Win2K VPN features and makes setting up a tightly integrated firewall/VPN solution easy. Built-in VPN wizards simplify the creation of a VPN server for remote-access VPN clients or a VPN gateway for site-to-site VPN links. Other popular firewall/VPN solutions charge extra for VPN client licenses, but ISA Server uses the Microsoft PPTP and Layer Two Tunneling Protocol (L2TP) clients that come with every modern Windows OS.

Web caching speeds up Internet access and can reduce bandwidth consumption on the Internet link. ISA Server 2000 sports a fast cache engine that stores cached Web content in two places: a very fast RAM-based cache and an optimized disk-based cache database. Users access Web content from cache instead of waiting for distant Web servers to return requested content. Reverse caching speeds access to your own Web servers for outside users.

Bandwidth-intensive applications such as peer-to-peer (P2P) software can bring the corporate Internet link to its knees. ISA Server 2000 lets you set bandwidth priorities so that bandwidth required for mission-critical network applications is available when needed. Figure 1 shows the ISA Server 2000 management interface.

ISA Server 2004's New Features
As good as ISA Server 2000 is, it has some limitations. ISA Server 2004 addresses many of the previous version's limitations by adding
  • multinetworking
  • authentication of users from a different domain
  • HTTP filtering
  • an IP Security (IPSec) tunnel mode for a site-to-site VPN
  • support for PPTP VPN servers behind the firewall

ISA Server 2000 assumes that all networks or subnets on the corporate network are equally trusted. For example, you might install three network interfaces on your ISA Server 2000 firewall—one for the Internet link and the other two for LAN connections. ISA Server 2000 assumes that both LAN connections are trusted networks and doesn't let you apply firewall policy to these interfaces. ISA Server 2004's multinetworking feature fixes this problem. Firewall policy is applied to all ISA Server 2004 interfaces, and access rules control all traffic moving between any two interfaces. The concept of a trusted network is gone, and ISA Server 2004's powerful stateful filtering and stateful inspection engines examine all traffic.
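The policy difference described above, as an added example that is not ISA Server code: a small evaluator that classifies traffic into named networks and runs the same ordered access rules under two models. In the multinetworking model every pair of networks is governed by the rules with an implicit default deny; in the trusted-LAT model, traffic between two local networks bypasses policy entirely. The network ranges, rules and sample flows are constructed for the example.

```python
# Added example (not ISA Server code): contrasting a trusted-LAT model with
# multinetworking, where ordered access rules govern every pair of networks
# and anything not explicitly allowed is denied.
import ipaddress
from dataclasses import dataclass

NETWORKS = {  # constructed; anything matching no listed range is "External"
    "Internal": ("10.0.0.0/8",),
    "DMZ": ("192.168.100.0/24",),
}


def classify(ip: str) -> str:
    """Return the name of the network an address belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # network name or "*"
    dst: str           # network name or "*"
    proto: str         # "tcp", "udp" or "*"
    ports: frozenset   # empty means any destination port

    def matches(self, flow: Flow, s: str, d: str) -> bool:
        return (self.src in ("*", s) and self.dst in ("*", d)
                and self.proto in ("*", flow.proto)
                and (not self.ports or flow.dport in self.ports))


RULES = (  # constructed, ordered; first match wins
    Rule("allow", "Internal", "DMZ", "tcp", frozenset({80, 443})),
    Rule("allow", "Internal", "External", "tcp", frozenset({80, 443})),
    Rule("allow", "External", "DMZ", "tcp", frozenset({443})),
)


def evaluate_multinet(flow: Flow) -> str:
    """Multinetworking: rules apply between any two networks, default deny."""
    s, d = classify(flow.src), classify(flow.dst)
    for rule in RULES:
        if rule.matches(flow, s, d):
            return rule.action
    return "deny"


def evaluate_lat(flow: Flow) -> str:
    """Trusted-LAT model: traffic between two local networks bypasses policy."""
    s, d = classify(flow.src), classify(flow.dst)
    if s != "External" and d != "External":
        return "allow"  # both interfaces trusted, no rule is consulted
    return evaluate_multinet(flow)


FLOWS = (  # constructed sample traffic
    Flow("10.1.2.3", "192.168.100.10", "tcp", 445),    # Internal -> DMZ SMB
    Flow("192.168.100.10", "10.1.2.3", "tcp", 3389),   # DMZ host -> Internal RDP
    Flow("10.1.2.3", "198.51.100.7", "tcp", 443),      # Internal -> Internet HTTPS
    Flow("203.0.113.9", "192.168.100.10", "tcp", 443), # Internet -> published DMZ site
    Flow("203.0.113.9", "10.1.2.3", "tcp", 445),       # Internet -> Internal SMB
)


def compare(flows=FLOWS) -> dict:
    """Map each flow to (trusted-LAT verdict, multinetworking verdict)."""
    return {f: (evaluate_lat(f), evaluate_multinet(f)) for f in flows}


if __name__ == "__main__":
    for flow, (lat, multi) in compare().items():
        print(f"{flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport}: LAT={lat} multinet={multi}")
```

The two flows that differ are the ones a compromised DMZ host or an internal worm would use: under the trusted-LAT model they pass without any rule being consulted, under multinetworking they fall through to the default deny.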

Many installations must place the ISA Server 2000 firewall in the same domain as the users to avoid authentication problems. This configuration isn't optimal: if the firewall is compromised, the attacker can leverage the firewall's domain-member status to attack corporate network resources. ISA Server 2004 enables Remote Authentication Dial-In User Service (RADIUS) authentication for Web proxy clients and VPN clients, so the firewall can authenticate users against any directory that sits behind a RADIUS server without itself being a domain member. You can use Microsoft Internet Authentication Service (IAS), which is a RADIUS server, to authenticate against the Active Directory (AD) user database. The firewall and the RADIUS server share a secret that protects the exchange between them, so guard that secret as carefully as a service account password.
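The RADIUS exchange the firewall performs, as an added example that is not ISA Server or IAS code: a PAP Access-Request is built the way RFC 2865 specifies, the User-Password attribute is hidden with the shared secret and the Request Authenticator, a toy server checks the password and answers, and the client accepts the reply only if the Response Authenticator proves it came from a holder of the shared secret. The secret, the user database and the NAS identifier are constructed for the example.

```python
# Added example (not ISA Server or IAS code): a RADIUS Access-Request /
# Access-Accept exchange per RFC 2865 using PAP. Shared secret, users and
# identifiers below are constructed for this example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _md5(secret, prev))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same secret and the request's authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], _md5(secret, prev))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = HEADER.unpack(pkt[:4])
    attrs, i = {}, 20
    while i < length:
        kind, alen = pkt[i], pkt[i + 1]
        attrs[kind] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, pkt[4:20], attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return _md5(HEADER.pack(code, ident, 20 + len(body)), request_auth, body, secret)


def access_request(ident: int, username: bytes, password: bytes, secret: bytes, request_auth: bytes = None) -> bytes:
    """What the firewall (RADIUS client) sends; request_auth must be random, fixed only for tests."""
    request_auth = request_auth or os.urandom(16)
    attrs = [attribute(USER_NAME, username),
             attribute(USER_PASSWORD, hide_password(password, secret, request_auth)),
             attribute(NAS_IDENTIFIER, b"isa-firewall")]  # constructed NAS name
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server: recover the PAP password, answer Accept or Reject."""
    _, ident, request_auth, attrs = parse_packet(request)
    supplied = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(attrs.get(USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, supplied)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), [])


def client_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if its identifier matches and its authenticator was made with the secret."""
    _, ident, request_auth, _ = parse_packet(request)
    code, rid, resp_auth, _ = parse_packet(response)
    if rid != ident:
        return False
    expected = response_authenticator(code, rid, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret, users = b"s3cret-shared", {b"alice": b"Passw0rd!"}
    req = access_request(7, b"alice", b"Passw0rd!", secret)
    resp = server_handle(req, secret, users)
    print("code", parse_packet(resp)[0], "verified", client_verify(req, resp, secret))
```

Two properties worth noticing: the password is only obfuscated with MD5 of the shared secret, not encrypted with a modern cipher, which is why the page's point about guarding the secret matters; and an Access-Accept injected by someone who does not know the secret fails `client_verify`, so the firewall must check the Response Authenticator rather than trusting the packet code alone.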

HTTP filtering in ISA Server 2000 is limited to URLScan and URL blocking. URLScan protects corporate-network Web servers that you've made available to Internet users, and URL blocking blocks Web sites based on a list of banned URLs that you create. ISA Server 2004 inspects all components of an HTTP communication. You can block or allow HTTP (and SSL) communications based on any characteristic of an HTTP message moving through the firewall. Thus, blocking P2P and multimedia applications that use HTTP as their transport is simple.
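The application-layer HTTP inspection described here and in the URLScan discussion above, as an added example that is not ISA Server or URLScan code: a toy filter that parses a raw request and applies the same classes of check an HTTP application filter uses before a request reaches a published Web server (allowed methods, blocked extensions, URL and header size limits, a normalization check that catches double-encoded paths, traversal sequences, high-bit characters, and header or URL signatures such as a P2P client's User-Agent). The policy values and all sample requests are constructed for the example.

```python
# Added example (not ISA Server or URLScan code): a toy application-layer
# HTTP filter. Policy values and the sample requests are constructed.
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class HttpPolicy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    blocked_extensions: frozenset = frozenset({".exe", ".bat", ".cmd", ".dll"})
    max_url_length: int = 2048
    max_header_bytes: int = 8192
    block_high_bit: bool = True
    # (location, substring) pairs; location is "url" or a lower-case header name
    signatures: tuple = (
        ("user-agent", "kazaa"),
        ("user-agent", "bittorrent"),
        ("url", "/scripts/.."),
    )


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of a raw HTTP request (body ignored)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def check(req: Request, policy: HttpPolicy = HttpPolicy()):
    """Return (allowed, reason); the first failing check wins."""
    if req.method.upper() not in policy.allowed_methods:
        return False, f"method {req.method} not allowed"
    if len(req.target) > policy.max_url_length:
        return False, "URL too long"
    path = req.target.split("?", 1)[0]
    decoded = unquote(path)
    # Normalization check: if decoding again still changes the path, it was
    # double-encoded, a classic way to slip traversal sequences past a filter.
    if unquote(decoded) != decoded:
        return False, "URL is double-encoded"
    if "/../" in decoded or decoded.endswith("/.."):
        return False, "directory traversal in URL"
    if policy.block_high_bit and any(ord(c) > 0x7F for c in decoded):
        return False, "high-bit characters in URL"
    name = decoded.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in policy.blocked_extensions:
        return False, f"extension {ext} blocked"
    header_bytes = sum(len(k) + len(v) + 4 for k, v in req.headers.items())
    if header_bytes > policy.max_header_bytes:
        return False, "headers too large"
    for where, needle in policy.signatures:
        haystack = decoded if where == "url" else req.headers.get(where, "")
        if needle in haystack.lower():
            return False, f"signature {needle!r} matched in {where}"
    return True, "allowed"


SAMPLES = {  # constructed requests for the example
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "p2p": b"GET /.hash=7f3a HTTP/1.1\r\nHost: 203.0.113.5:1214\r\nUser-Agent: KazaaClient\r\n\r\n",
    "double_encoded": b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /../../boot.ini HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "exe": b"GET /download/tool.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def evaluate_all(policy: HttpPolicy = HttpPolicy()) -> dict:
    """Run every sample through the filter; returns name -> (allowed, reason)."""
    return {name: check(parse_request(raw), policy) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_all().items():
        print(f"{name:>15}: {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

The order of checks matters: the double-encoding test runs on the once-decoded path before any signature or traversal match, so a request that hides `..\` behind `%255c` is rejected for being malformed rather than slipping past a signature that only knows the plain form.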
