Comet provides out-of-this-world security features for the Internet firewall market

[Editor's Note: This article is based on Microsoft Internet Security and Acceleration (ISA) Server beta 3. As a result, the information might not apply to the final release of the product.]

With the introduction of Proxy Server 1.0, Microsoft made its first foray into two burgeoning new markets: Internet security and accelerated Web access. Although the initial version of Proxy Server provides only basic security features and doesn't support several popular Internet protocols, it quickly gained popularity among Windows NT-centric organizations that needed user-level access control to Internet services, Internet firewall functionality, and accelerated Web access.

In Proxy Server 2.0, Microsoft addressed several of the first version's shortcomings by including the ability to control inbound and outbound traffic and adding support for a wider array of Internet protocols and applications for proxy-enabled clients. (For more information about Proxy Server 2.0, see "Related Articles in Previous Issues," page 52.) Microsoft also enhanced the product's security functionality to include a sophisticated packet-filtering feature that lets administrators define and control the flow of specific traffic types through the Proxy Server system. For many large organizations, Proxy Server's primary benefits are the ability to leverage the NT user accounts database to control user access to Internet services, and the ability to use Proxy Server's caching features to optimize Internet connection performance. However, despite Proxy Server 2.0's security improvements, many large organizations have reservations about implementing the product as their primary firewall because it lacks many of the features that other firewall products provide.

Proxy Server has faced challenges in being accepted as a standalone Internet security product. As a result, Microsoft has targeted the next version to incorporate the security features that Proxy Server 2.0 lacks. In addition, the company has set out to remedy some of Proxy Server 2.0's other shortcomings, such as its lack of support for popular protocols and its reliance on the installation of client-side software for Proxy Server access. Microsoft named the beta 1 and beta 2 phase of Proxy Server 2.0's progeny Comet, but as of beta 3, the company rechristened the product Microsoft Internet Security and Acceleration (ISA) Server. This new name better represents the product's capabilities and its target audience: the Internet firewall market.

What Comet Entails
Although ISA Server is a descendent of Proxy Server, the new product is much more than a simple upgrade of its predecessor. ISA Server introduces a wealth of new features and improves many of Proxy Server's existing capabilities.

New firewall features. ISA Server sports a robust set of firewall features that can compete with most security products on the market. In addition to supporting packet-, circuit-, and application-level traffic filtering, ISA Server supports stateful packet inspection (i.e., the ability to examine data passing through the firewall in the context of its protocol and the state of the connection). ISA Server can also leverage Windows 2000's Active Directory (AD) or NT's SAM to secure individual features and services at a user or group level—a feat that most third-party firewall products can't achieve because they're based on IP addresses or use a separate database for user authentication. ISA Server offers out-of-the-box support for detecting, preventing, and alerting you to several attack types, including Windows out-of-band (e.g., WinNuke), Ping of Death, Land attacks, and UDP bombs. ISA Server also provides true Network Address Translation (NAT) services through its SecureNAT feature, which lets LAN clients point their default gateways at ISA Server and securely and transparently access the Internet without client software.
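To make the detection feature concrete, the checks below show what each of the four named attacks looks like at the packet level, which is what a firewall's intrusion detection has to compare before it alerts. This is an added example, not ISA Server's code; the packet records, addresses and field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_DATAGRAM = 65535   # largest legal IPv4 datagram once reassembled
NETBIOS_PORTS = {139}  # NetBIOS session port that WinNuke targets

@dataclass
class Packet:
    """One packet, reduced to the header fields the checks need (constructed)."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    urg: bool = False           # TCP URG flag set (out-of-band data)
    frag_offset: int = 0        # IP fragment offset, in bytes
    ip_payload: int = 0         # bytes of transport data in this packet
    udp_length: Optional[int] = None  # UDP header length field, if UDP

def check_winnuke(p: Packet) -> Optional[str]:
    # Windows out-of-band: a TCP segment with URG set, aimed at the NetBIOS port.
    if p.proto == "tcp" and p.urg and p.dport in NETBIOS_PORTS:
        return "winnuke"
    return None

def check_ping_of_death(p: Packet) -> Optional[str]:
    # Ping of Death: an ICMP fragment that would reassemble past 65535 bytes.
    if p.proto == "icmp" and p.frag_offset + p.ip_payload > MAX_DATAGRAM:
        return "ping-of-death"
    return None

def check_land(p: Packet) -> Optional[str]:
    # Land: source and destination address (and, for TCP, port) are identical.
    if p.src == p.dst and (p.proto != "tcp" or p.sport == p.dport):
        return "land"
    return None

def check_udp_bomb(p: Packet) -> Optional[str]:
    # UDP bomb: length field smaller than the 8-byte header or larger than
    # the data the packet actually carries.
    if p.proto == "udp" and p.udp_length is not None:
        if p.udp_length < 8 or p.udp_length > p.ip_payload:
            return "udp-bomb"
    return None

CHECKS = (check_winnuke, check_ping_of_death, check_land, check_udp_bomb)

def inspect_packet(p: Packet) -> List[str]:
    """Names of every signature the packet matches (empty when it is clean)."""
    return [name for name in (c(p) for c in CHECKS) if name]

def triage(packets: List[Packet]):
    """Split traffic into (passed, alerts), as a filter with alerting would."""
    passed, alerts = [], []
    for p in packets:
        hits = inspect_packet(p)
        (alerts if hits else passed).append((p, hits))
    return passed, alerts

# Constructed sample: one ordinary HTTP request, then one packet of each attack.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 1050, 80, ip_payload=64),
    Packet("198.51.100.7", "10.0.0.5", "tcp", 4000, 139, urg=True, ip_payload=8),
    Packet("198.51.100.7", "10.0.0.5", "icmp", frag_offset=65528, ip_payload=40),
    Packet("10.0.0.5", "10.0.0.5", "tcp", 139, 139),
    Packet("198.51.100.7", "10.0.0.5", "udp", 53, 53, ip_payload=20, udp_length=4),
]

if __name__ == "__main__":
    passed, alerts = triage(SAMPLE)
    for p, hits in alerts:
        print(f"ALERT {','.join(hits):<14} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    print(f"{len(passed)} packet(s) passed, {len(alerts)} alerted")
```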

Policy-based administration. Another important ISA Server feature is its use of policy-based administration. ISA Server lets administrators define policy elements such as users and groups, client protocols, schedules, sites, and content groups, then use those elements to manage various settings through ISA Server policies (e.g., client protocol access policies, site access policies, bandwidth usage policies). You can create policies at an array level or an enterprise level for AD-enabled networks. (Enterprise-level policies let you enforce companywide security policies through AD.)

RRAS and VPN integration. A major improvement that ISA Server offers is the software's seamless integration with Win2K's RRAS and VPN services. Unlike Proxy Server's RAS and RRAS integration under NT 4.0, the process of establishing a VPN through ISA Server to a remote RRAS VPN server is a breeze. To facilitate the setup process, ISA Server includes an easy-to-use VPN configuration wizard that will even launch RRAS setup if you haven't already installed the service for local VPN configurations.

Smart caching. ISA Server offers active caching features that let administrators proactively cache content from popular Web sites. Administrators can schedule cache updates to run automatically at predetermined times during the day.

Smart application filters. Using smart application filters, you can define filters that control traffic through ISA Server on an application-specific level. For example, you can implement an email traffic filter that blocks certain content types or a filter that handles streaming audio or video data.

Dynamic IP filtering. Many firewall products can reduce administrators' management burden by dynamically opening firewall ports for active client sessions to the Internet and closing them after the client terminates the session. ISA Server provides a similar dynamic-filtering feature so that you don't have to run to the firewall to manually open ports every time your network clients use a new protocol.

Scalability. In large organizations, scalability is an important feature of a Web caching server because performance can deteriorate when a server caches a lot of data. To address this situation and meet enterprise-network needs, ISA Server provides dynamic load-balancing functionality through the Cache Array Routing Protocol (CARP), which Proxy Server also supports. CARP improves performance in ISA Server farms by automatically sending client requests to the server that is most likely to house the requested content. ISA Server's use of Win2K's Network Load Balancing (NLB) services through multiserver arrays enhances the product's dynamic load-balancing capabilities and improves ISA Server systems' overall availability. You can also configure ISA Server to have multiple or backup connections (aka routes) to other ISA Server systems to enhance server availability.
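The routing idea behind CARP, shown here as an added example rather than Microsoft's implementation: every array member scores a URL against each member name with the same hash, and the highest score wins, so all members agree on which one should hold the content without sharing a table, and removing a member only remaps the URLs it owned. The hash function, member names and URLs are assumptions.

```python
import hashlib
from typing import Iterable, List

def _hash64(text: str) -> int:
    # 64-bit hash of a string; SHA-256 stands in for CARP's own hash function.
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

def score(url: str, member: str) -> int:
    # Every member computes the same score for a URL, so no lookup table has
    # to be shared between array members or pushed to clients.
    return _hash64(url + "|" + member)

def route(url: str, members: Iterable[str]) -> str:
    """Pick the array member most likely to already hold url in its cache."""
    members = list(members)
    if not members:
        raise ValueError("array has no members")
    # Highest score wins; the member name breaks ties deterministically.
    return max(members, key=lambda m: (score(url, m), m))

def remapped(urls: Iterable[str], before: List[str], after: List[str]) -> List[str]:
    """URLs whose owning member changes when the array goes from before to after."""
    return [u for u in urls if route(u, before) != route(u, after)]

# Constructed three-member array and a sample of client requests.
ARRAY = ["isa1.example.corp", "isa2.example.corp", "isa3.example.corp"]
URLS = [f"http://www.example.com/page{i}.html" for i in range(200)]

if __name__ == "__main__":
    for u in URLS[:3]:
        print(u, "->", route(u, ARRAY))
    lost = remapped(URLS, ARRAY, ARRAY[:2])
    print(f"removing {ARRAY[2]} remaps {len(lost)} of {len(URLS)} URLs")
```

Only the URLs that scored highest on the removed member move; the rest keep their owner, which is what lets an array shrink or grow without invalidating most of the cache.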

Bandwidth usage rules. NLB isn't the only new Win2K feature that ISA Server leverages. By utilizing Win2K's bandwidth control and Quality of Service (QoS) features, ISA Server lets you configure rules that define how much bandwidth might be consumed by various protocols and traffic types that pass through an ISA Server between the Internet and the local network. This feature provides more control over the availability and utilization of a corporate Internet connection than Proxy Server provides.

Enhanced reporting. ISA Server lets you run extensive reports on user access and security events. You can schedule ISA Server to automatically run these reports and deliver them to you at specified intervals (e.g., daily, weekly, monthly).

H.323 gatekeeper service. ISA Server includes an H.323 gatekeeper component, which lets administrators use ISA Server to manage IP telephony calls between H.323 protocol-enabled applications (e.g., Microsoft NetMeeting 3.0). After you create DNS SRV record registrations to advertise the gatekeeper services, clients can connect to ISA Server, register their names with the gatekeeper service, and establish connections to other H.323 endpoints.

Look Ma, No Client
An essential feature in many of today's Internet security products is support for NAT. The Internet Engineering Task Force (IETF) Request for Comments (RFC) 1361 defines NAT, which is a set of standards that lets one Internet-connected host act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses into the Internet-connected address on the NAT-enabled gateway device. This technology provides a high level of security by protecting internal client IP addresses and making them inaccessible to Internet hosts. In addition, NAT reduces organizations' IP address procurement costs because companies need only the single routable Internet address on the NAT device. Another major benefit of NAT is transparency: The internal network clients don't require special software or configuration (other than ensuring that the NAT device is the default gateway to the Internet) to establish Internet connections. These benefits have promoted NAT support from an amenity to a standard feature of all Internet gateway devices.

ISA Server's NAT implementation, SecureNAT, provides the security and client transparency benefits of traditional NAT support and functionality that further augments ISA Server's security. Unlike many NAT implementations, which provide no means of controlling or limiting Internet access for specific machines or traffic types, SecureNAT lets you control all traffic that passes through the ISA Server system. Thus, you can control Internet sessions from clients—even clients without firewall client software installed—according to session attributes such as the source or destination IP address or protocol type in use.

This ability is an important advantage over Proxy Server, which uses an "opt in" methodology for securing client connections. Internet access through a Proxy Server system requires that client browsers use proxy services or proxy client software. Although you can use NT's security features to protect access to Internet services through a Proxy Server system, this setup requires you to configure clients to use proxy services. Thus, organizations whose network configurations let users uninstall the proxy client or reconfigure their systems to talk directly to the Internet gateway can have problems with client connections that bypass proxy services. Because ISA Server is the Internet gateway and enforces the security policies that you've defined, SecureNAT ensures that clients can't bypass security policies.

NAT is a standard feature of Win2K Server's RRAS and Win2K Professional's Internet Connection Sharing (ICS) component. (For information about Win2K's NAT and ICS features, see "Related Articles in Previous Issues.") However, ISA Server's SecureNAT is a superset of the NAT features found in RRAS and ICS. Therefore, if you already have NAT installed or ICS enabled for any network connection, remove them before you install ISA Server to prevent conflicts between these components and SecureNAT.

Although NAT provides many benefits, several protocols and applications can't work through SecureNAT (or any NAT implementation), such as certain gaming protocols and protocols that embed client IP addresses within their packets. In addition, if you need to use SAM or AD-based users or groups to secure Internet access, SecureNAT can't help. In this case, you must install on each client the firewall client software that ISA Server includes.

ISA Server Installation
Although installing ISA Server is fairly painless, you should know about a few things before you take the plunge. First, you need to consider ISA Server's minimum system requirements. As a Win2K Server-based product (it doesn't run on NT 4.0), ISA Server has the same minimum requirements as any Win2K Server system, which means you need a Pentium II processor or better CPU and at least 128MB of RAM (256MB of RAM is preferable). In addition, you need a minimum of two network connections on the server: one LAN adapter for the internal network and a second connection for the Internet connection (e.g., network card, ISDN adapter, modem). To implement caching features, you need at least one NTFS-formatted volume with enough free disk space to accommodate the intended cache size. Also, to build an ISA Server array, the system must be in an AD-enabled network.

ISA Server's functionality in an AD-enabled network requires modifications to the AD schema (i.e., additional object classes and properties), so you need to run a special preinstallation schema modification utility before you can install ISA Server. The ISA Server installation CD-ROM's main menu references this ISA Server Enterprise Initialization utility. As of beta 3, ISA Server doesn't provide any facilities for uninstalling the schema modifications, so I recommend that you avoid installing any ISA Server beta release on your production network.

During schema modification, a dialog box, which Figure 1 shows, prompts you to specify how ISA Server should apply enterprise policy at the array level and whether to enable packet filtering and publishing rules on the array. Although you can modify these choices later, you'll benefit from a thorough understanding of policies and arrays as they pertain to ISA Server before you proceed. The sidebar "Understanding ISA Server Arrays and Policies" defines these terms. If you have any problems with the schema modification step, consult the Ldif.log file, which the installation process creates in the root of the target server's boot partition.

After schema modification is complete, the next step is to install ISA Server. To begin installation, click the Install ISA Server option from the installation CD-ROM's main menu. If you want to disable specific features (e.g., the H.323 gatekeeper service), select Custom; otherwise, select Full. During installation, the setup program determines whether your server is part of an AD-enabled network, and if so, verifies that the enterprise initialization tool made the required schema modifications. Next, setup asks whether you want the server to be part of a domain array or an independent array. If you're creating a new array, you're prompted for the array's name. The next dialog box asks what mode you want ISA Server to run in. ISA Server can act as either an Internet firewall server (i.e., in firewall mode) or a caching server (i.e., in cache mode), or both (i.e., in integrated mode). After you select a mode and click Continue, the next screen informs you that setup is stopping Microsoft IIS services and that you need to uninstall IIS after the ISA Server installation is complete or reconfigure IIS not to use ports 80 and 8080 (ISA Server uses these ports). Although you can set up IIS and ISA Server to cohabit in a system by modifying the IIS configuration as suggested in the dialog box, I recommend keeping your public IIS server on another machine behind ISA Server rather than trying to combine the two.

The next few installation screens ask you to configure cache size and create the Local Address Table (LAT) that defines the internal network's IP address space. As Figure 2, page 54, shows, when building the LAT, you can manually enter the IP address ranges that make up the internal IP address space or click Table to autobuild the LAT. Clicking Table opens a dialog box that lets you automatically include the RFC 1918-defined private address ranges of 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x, or use the internal Win2K routing table to base a determination of the address ranges on the IP addresses of the various NICs in the system. If you choose the internal Win2K routing table, be sure to select only the internal NIC and not the external NIC that connects to the Internet. In addition, if your private IP address ranges might change in the future and you want to accommodate that possibility now, you can include all the private address ranges rather than just the ones representing your current IP network. If you run into a problem, check the installation process's log file for information about the problem. You can find the log file, firewallc.log, in the root of the server's boot partition.

The Tutorial: Not Just for Newbies
At the end of the installation process, setup asks whether to launch the ISA Server Administration tool and the Getting Started Tutorial. I strongly recommend starting with the tutorial, even if you've had extensive experience with Proxy Server or other firewall products. The tutorial is helpful in two ways: It provides a step-by-step series of wizards that help you configure basic server settings, such as for firewall and caching configuration, and it provides thorough explanations about what each configuration step accomplishes. Although you'll almost certainly need to perform additional configuration tuning after you complete the tutorial, using it will educate you about ISA Server's many configuration options and help you complete most configuration work. As Figure 3 shows, the tutorial's menu has two main sections: one for configuring policies and another for configuring arrays.

ISA Server offers a lot of configuration options, but you don't have to use them all—you can use as many or as few as are appropriate for your network. Although you can't remove unnecessary options from the main Microsoft Management Console (MMC), you can remove them from the tutorial walkthrough. In the Configure policy by dialog box (which Figure 4 shows) that the first tutorial menu selection presents, you can define the types of policies you'll be using on your network. The selections you make cause the tutorial to remove any steps related to policy types that are unnecessary in your configuration.

The next few steps in the tutorial help you define the basic elements that you use to create rules (aka policies) and the minimum set of rules you'll need to get ISA Server running. To define policies within ISA Server, you assemble various sections independently, then put them together. In the end, you'll have a useful tool. ISA Server's rules/policies use the following basic elements:

  • Client address sets—Collections of computers, identified by their IP addresses, that the rules you define will reference (e.g., to grant or deny access).
  • Destination sets—Collections of remote, Internet-based hosts that the rules you define will reference (e.g., to grant or deny access to them).
  • Schedules—Time slots during which defined policies are effective or disabled. By default, ISA Server defines the Weekends and Work Hours time slots. You can customize the settings for these schedules or add schedules. After you define schedules, you can use them as the time period during which a rule is effective or not.
  • Protocol definitions—Definitions of various protocol types that rules will permit or deny. ISA Server provides many built-in protocol definitions, and you can create additional protocol definitions by identifying the port number, IP protocol type, direction of the protocol (i.e., inbound or outbound), and any secondary connections (i.e., additional protocol definitions that the first protocol uses after it makes an initial connection).
  • Bandwidth priorities—Relative bandwidth usage priorities that you can define, then later use in bandwidth rules to prioritize traffic externally to the Internet or internally between clients behind ISA Server.
  • Content type groups—MIME types that you can configure in groups and use within various rule types to control access to those content types. These types are the same content/MIME types that Web browsers use during connections with Web servers to determine how to handle data stream types.

The tutorial's final steps are related to configuring server security, firewall routing, and caching settings. The tutorial's Secure Your Server option is particularly important. When selected, this step runs a wizard that lets you choose from three predefined security configuration settings: High Security, Moderate Security, and Windows 2000 Default Security. The appropriate choice for your server depends on the services and applications running on that server. The High Security option is best for standalone firewall configurations in which no other applications are running or the highest possible level of security is required. Moderate Security permits ISA Server to run on servers acting as domain controllers or housing other infrastructure-related services, such as DNS and WINS. (I don't recommend this configuration because it offers little or no security.) Windows 2000 Default Security is for ISA Servers that are database servers or run other application types. During the Secure Your Server step, the tutorial presents a scary warning about the importance of getting this choice right because you can't undo security policy changes. The reason for this warning is that many applications running on servers require low security levels to work, and setting the security level too high could result in problems. As a result, I recommend that you avoid running any applications on your ISA Server or choose the Windows 2000 Default Security option. If the server is a domain controller and doesn't run any applications, you might be able to get away with running the Moderate Security setting. However, I strongly recommend that you test ISA Server in an environment that emulates the services that your intended production server houses to determine which security setting will work.

In the tutorial's next steps, you configure additional firewall-related features, including IP packet filtering and intrusion detection. Finally, the tutorial prompts you to configure settings related to upstream firewall traffic routing (including client Web traffic) and to caching.

Making Up the Rules
After you define the policy elements that your rules will require, you're ready to start configuring the rules. If you completed the tutorial, you already have firsthand experience with creating examples of the two most important rule types used within ISA Server: a site and content rule and a protocol rule. ISA Server uses site and content rules to determine which users or machines can access which Internet locations and when. Protocol rules define which traffic types can pass through ISA Server.

All access to the Internet through ISA Server is disabled by default, so you must define at least one protocol access rule that permits the traffic type you want to use through the server. If your clients can't connect to the Internet after your initial ISA Server configuration but your server can ping hosts on the Internet, the problem is probably that you didn't create a protocol access rule.
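The following added example (not ISA Server code) ties together the pieces described above: the LAT decides which addresses count as internal clients, a SecureNAT-style gateway sees only session attributes such as source, destination and protocol, and a session passes only when a protocol rule permits the protocol and a site and content rule permits the destination during an active schedule, so an empty rule set denies everything. The deny-wins ordering, the networks and the rules are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Local Address Table: the three RFC 1918 ranges the installer can autobuild.
LAT = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr: str) -> bool:
    # True when addr is inside the LAT, i.e. a LAN client behind the gateway.
    return any(ip_address(addr) in net for net in LAT)

def in_set(addr: str, address_set: List[str]) -> bool:
    # Membership in a client or destination set given as CIDR strings.
    return any(ip_address(addr) in ip_network(entry) for entry in address_set)

@dataclass
class ProtocolDef:            # policy element: protocol definition
    name: str
    port: int
    ip_proto: str             # "tcp" or "udp"

@dataclass
class Schedule:               # policy element: schedule
    name: str
    days: set                 # 0 = Monday ... 6 = Sunday
    hours: range

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and when.hour in self.hours

@dataclass
class ProtocolRule:           # protocol rule: which traffic types may pass
    protocol: str             # ProtocolDef.name
    clients: List[str]        # client address set
    allow: bool = True

@dataclass
class SiteRule:               # site and content rule: who may reach where, and when
    clients: List[str]
    destinations: List[str]   # destination set
    schedule: Optional[Schedule] = None   # None: always in effect
    allow: bool = True

@dataclass
class Session:                # what SecureNAT sees without any client software
    client: str
    dest: str
    dport: int
    ip_proto: str
    when: datetime

def _decide(verdicts: List[bool]) -> bool:
    # Assumed ordering: a matching deny rule wins, and with no matching allow
    # rule the session is denied, so an empty rule set denies everything.
    return False not in verdicts and True in verdicts

def evaluate(s: Session, protocols, proto_rules, site_rules) -> str:
    """Return 'allow' or 'deny:<reason>' for one outbound session."""
    if not is_internal(s.client):
        return "deny:client-not-in-LAT"
    pdef = next((p for p in protocols
                 if p.port == s.dport and p.ip_proto == s.ip_proto), None)
    if pdef is None:
        return "deny:undefined-protocol"
    if not _decide([r.allow for r in proto_rules
                    if r.protocol == pdef.name and in_set(s.client, r.clients)]):
        return "deny:protocol-rule"
    if not _decide([r.allow for r in site_rules
                    if in_set(s.client, r.clients) and in_set(s.dest, r.destinations)
                    and (r.schedule is None or r.schedule.active(s.when))]):
        return "deny:site-and-content-rule"
    return "allow"

# Constructed policy: HTTP for the whole LAN to any site during work hours,
# except one blocked network. Nothing else is defined, so nothing else passes.
PROTOCOLS = [ProtocolDef("HTTP", 80, "tcp"), ProtocolDef("DNS", 53, "udp")]
WORK_HOURS = Schedule("Work Hours", {0, 1, 2, 3, 4}, range(9, 18))
PROTO_RULES = [ProtocolRule("HTTP", ["10.0.0.0/8"])]
SITE_RULES = [SiteRule(["10.0.0.0/8"], ["0.0.0.0/0"], WORK_HOURS),
              SiteRule(["10.0.0.0/8"], ["203.0.113.0/24"], allow=False)]

def check(client: str, dest: str, dport: int, ip_proto: str, when_iso: str) -> str:
    # Evaluate one session (time given as an ISO string) against the policy above.
    return evaluate(Session(client, dest, dport, ip_proto, datetime.fromisoformat(when_iso)),
                    PROTOCOLS, PROTO_RULES, SITE_RULES)
```

The reason string tells you which stage denied the session, which is the first thing to look at when a client can't reach the Internet although the server itself can.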

In addition to site and content and protocol rules, you can define three other primary rule types within ISA Server. You use bandwidth rules to assign relative priorities to various types of traffic to the Internet and between the internal clients that ISA Server protects. This feature gives administrators an unprecedented level of control over the utilization of network and Internet bandwidth. For example, if your company's CEO has an important videoconference with shareholders, you might decide to implement a bandwidth rule that assigns his traffic higher priority than Web browsing traffic from the general employee populace. You use the ISA Server Administration tool to define and manage site and content rules and bandwidth rules.

The other two rule types, Web publishing rules and server publishing rules, fall under the array-specific publishing rules container in the ISA Server Administration tool's contents pane. Web publishing rules control how ISA Server responds to incoming client HTTP, HTTP over Secure Sockets Layer (HTTPS), and FTP requests (e.g., denying requests or routing them to another server).

Server publishing rules are a catchall for all other redirections from ISA Server to internal servers for various incoming client requests. You also use server publishing rules to configure ISA Server to handle and redirect incoming and outgoing email traffic with an internal email server. To set up email publishing rules, right-click the Server Publishing Rules container in the ISA Server Administration tool's contents pane and select Publish Mail Server. This action launches the Mail Server Setup Wizard, which Figure 5 shows. This wizard prompts you for the necessary information to configure ISA Server to filter and redirect mail for the network, including the external and internal IP addresses assigned to the mail server and the types of mail services that ISA Server intercepts.

Odds and Ends
During my work with ISA Server, I picked up a few miscellaneous tips and made some discoveries. First, I formed an answer to the question of whether you should install on Windows-based network workstations the firewall client that ISA Server includes. Although ISA Server doesn't require the client for firewall operation, the firewall client provides benefits such as the ability to specify usernames and group names within rules rather than specify only client IP addresses. If you need to secure your firewall by using rules that leverage SAM or AD-based usernames or group names, install the client.

A second benefit of the firewall client is that it automatically configures client browsers for the firewall server during installation. ISA Server's firewall client is almost identical to Proxy Server's Winsock client in both installation and function.

ISA Server is an open-development platform. Microsoft has made writing add-on products that enhance the server's functionality very easy for third-party vendors. The product even includes an ISA Server software development kit (SDK—in the CD-ROM's \sdk subdirectory). As of this writing, several Internet security product vendors have announced products designed to work on top of ISA Server.

Although my overall impression of ISA Server was favorable, I had concerns about its performance. Although my test server was a relatively capable system (i.e., a 400MHz Pentium II processor system with 196MB of RAM), I noticed that ISA Server often ran quite sluggishly. I'm hoping that I can attribute this slow performance to the fact that I was working with a beta version of the product.

In addition, if you're upgrading to ISA Server from Proxy Server, read the special document that the ISA Server CD-ROM includes that addresses Proxy Server-specific migration concerns. You can access this useful and informative document from the installation CD-ROM's main menu or by opening the file Pre-Migration-Considerations.htm in the CD-ROM's root directory. The beta 3 CD-ROM also includes an installation guide, cmtstart.htm, and the release notes, readme.htm, in the CD-ROM's \ISA subdirectory, and the main ISA Server Help file, isa.chm, is in the CD-ROM's \ISA\CHMBOOK subdirectory.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com/.

ZUBAIR AHMAD
"Windows 2000's Network Address Translation," February 2000, InstantDoc ID 7882
"Proxy Server 2.0," October 1998, InstantDoc ID 3848
SEAN DAILY
"Maximizing Proxy Server Security," October 1999, InstantDoc ID 7197

Winner in the Wings
Microsoft appears to have a winner on its hands with ISA Server. The product enhances Proxy Server's access and caching benefits with the addition of industrial-strength firewall features and client transparency through NAT support. I couldn't get an official release date from Microsoft, but I predict that the company will release ISA Server by the end of 2000.

Although ISA Server requires Win2K Server or Win2K Advanced Server to run, the ability to use ISA Server in a standalone configuration on non-AD networks means that organizations don't have to wait until they migrate to AD to take advantage of ISA Server's offerings. In addition, ISA Server's greatly improved security, performance, and transparency features will help it gain acceptance in IT shops in which Proxy Server 2.0 didn't make the grade. For Win2K-based and NT networks that need to accelerate and secure their Internet connections, ISA Server appears to be an excellent choice.