How Trustworthy Is ISA Server 2004?

Security is a top concern for most IT pros, and Microsoft takes a lot of heat over what many consider its products' lack of security. In the wake of notorious attacks such as Nimda and Code Red, the company intensified its focus on security in early 2002, halting development on Windows Server 2003, requiring all employees to take classes on developing secure code, and mandating a review of all code for security vulnerabilities. Responding to our survey about Internet Security and Acceleration (ISA) Server 2004, readers made clear that they want to know why they should deploy ISA Server 2004 and what internal testing it's undergone to meet trustworthy computing standards. Readers also are interested in how Microsoft deploys ISA within its own IT infrastructure. Representative questions include

• "What testing was done on this software to conform to Microsoft's secure computing initiative?"
• "Is ISA Server receiving more attention to security than other Microsoft products?"
• "How is ISA configured at Redmond?" (For an answer to this question, see the Interact! sidebar "Eating Its Own Dog Food," http://www.windowsitpro.com, InstantDoc ID 45597.)

Many respondents want to know whether ISA will address spyware. While I was talking with Microsoft about ISA, the company announced its acquisition of GIANT Company Software and its antispyware product. For information about that acquisition and Microsoft's antispyware plans, see the Interact! sidebar, "Spyware: A GIANT Solution," InstantDoc ID 45595. (For a comparative review of five third-party antispyware products, see "Spyware Hunters," page 27.)

Other concerns and questions our readers have involve ease of use; ISA migration, integration, and interoperability; the benefits of ISA for small businesses and upgrading the version of ISA that comes with Small Business Server (SBS); and ISA's scripting capabilities. And so many respondents had questions about ISA hardware appliances that I devote the Interact! "ISA Server Appliances" sidebar (InstantDoc ID 45596) to that topic.

I discussed the survey with the Microsoft ISA development team's Senior Product Managers, Josue Fontanez and Joel Sloss. I focus this column on survey respondents' questions about trustworthy computing and Microsoft's internal implementation of ISA; the Interact! box explains how you can listen to Josue's and Joel's responses to all my questions. In addition, the ISA team agreed to answer several of the technical questions readers asked; to access those answers, see Interact!

First Things First
What is ISA Server 2004? The ISA Web site (http://www.microsoft.com/isaserver) describes it as "an extensible enterprise firewall and Web cache server" that includes management tools for defining policies that let you route traffic, monitor security, and enforce rules for Internet use (e.g., by specifying which Web sites users are allowed to access). It also provides VPN functionality and caching for frequently accessed Web sites. You can implement ISA Server as a separate firewall and cache server or combine those capabilities by using ISA Server in integrated mode.

Of the 567 people who responded to this month's survey, 74 percent were aware of ISA, 21 percent had heard of it, and about 5 percent aren't unaware of it. About 60 percent of readers said they weren't using any version of ISA. The most frequently cited reasons that respondents don't use ISA are because they use other firewall products, prefer hardware or appliance solutions, are concerned about the product's security, or are deterred by the cost.

Thirty percent of the respondents to our survey said they do use some version of ISA. Seventeen percent of all respondents use ISA Server 2000 Standard Edition, 13 percent have ISA Server 2000 Enterprise Edition, and 9 percent have ISA Server 2004 Standard Edition. (Some respondents use multiple versions.) The remaining few use earlier versions or products. (Although ISA Server 2004 went to market without an enterprise edition, Microsoft released ISA 2004 Enterprise Edition in March.)

I also asked readers who have deployed ISA to select all the features they use. About 29 percent of those who are using some version of ISA selected the firewall feature, 24 percent chose caching, 17 percent use ISA Server's VPN capabilities, and 11 percent specified application publishing. The 7 percent who chose Other most commonly use ISA as a proxy.

Trustworthiness
To address the reader questions about the trustworthiness of a Microsoft security product, I asked what rigors this new version of ISA went through to meet the trustworthy computing requirements. Joel responded, "ISA Server went through all the design reviews, code reviews, penetration testing—everything that's required and more before it was released to market."

Specifically, Josue added, "In 2004, incorporating our learnings over the past 2 years, we formalized the Security Development Lifecycle (SDL), which is taking our commitment to deliver more secure software to the next level in a more structured way. ISA Server 2004 was one of the products to go through this level of testing and development."

What are the requirements of SDL? "There are seven stages," Josue said.

1. Training—Microsoft trains staff during employee orientation. Microsoft also trains developers, testers, program managers, user education staff, and architects annually (and before a new project's first coding milestone).
2. Requirements—At a project's inception, developers identify security feature requirements and ensure security milestones are understood.
3. Design—In this stage, we produce and review design guidelines and threat models and agree on ship criteria (i.e., the conditions that must be met before Microsoft will release a product).
4. Development—In this stage, the development team follows guidelines, best practices, and coding and test standards and conducts code analysis.
5. Verification—The development team reviews threat models and code, conducts attack testing, evaluates new threats, and completes security testing.
6. Release—In the Final Security Review (FSR), a team separate from the development team reviews threat models, unfixed bugs, and new bugs and finishes penetration testing. The devel-opment team archives documentation.
7. Security response feedback—In the final stage, Microsoft evaluates tools and processes and completes postmortems.

Joel and Josue pointed out that in addition to internal testing, Microsoft has submitted ISA 2004 for independent security certification. Joel told me that ISA 2004 is "in evaluation right now for Common Criteria (CC) Evaluation Assurance Level 4+ (EAL4+), which is the certification level for most firewalls. We took it a slight step further by going for 4+, which now includes a specific 'security target' for the firewalls: We can define the scenarios in which ISA will be deployed, provide the criteria that define a secure deployment, and then this outside organization certifies that ISA does everything we stated it could do in those scenarios."

I asked whether ISA 2004 would undergo other external audits or certifications. Joel responded, "We're also in the process of doing the ICSA Labs Modular Firewall Product Certification Criteria version 4.1, which was new last year. So both from an internal process perspective of making sure that it's gone through the code reviews and all the trustworthy computing components, we're doing it on the external side as well."

Josue added that besides Microsoft's investments to improve its software's security, the company "is investing in security training and certification for employees to help ensure that customers can implement the software securely. As a result, over 400 Microsoft consultants, technology specialists, and others have earned the Certified Information Systems Security Professional (CISSP) credential, helping them to assist customers with their security needs."

Hands-On Experience
Security is a complicated topic, and ISA is a highly complex product. So how can you decide whether you need it? Josue replied, "On www.microsoft.com/isaserver we have a hands-on virtual lab environment where a customer can evaluate the product without installing it."

Joel added, "And users can download the full eval bits, install it locally, and pilot it in their environment."

Your Verdict?
What could Microsoft do to make you more comfortable with its security efforts? Let me know what you think about ISA Server 2004 and other security products. I'm always interested in your questions and experiences, and I promise to pass them along to Microsoft.