Readers who responded to our Internet Security and Acceleration (ISA) Server 2004 survey had many questions about malicious software and how ISA can help prevent it. Many respondents asked what ISA Server 2004 can do to limit spam, adware, spyware, and general attacks. Spyware was a particular concern, so I asked the Microsoft ISA development team’s Senior Product Managers, Josue Fontanez and Joel Sloss, to talk about Microsoft’s recent acquisition of a company that developed an antispyware solution. I also touched base with Paul Bryan, director of product management, Microsoft Security Business and Technology Unit, Windows AntiSpyware, who gave me some background information about the recent Windows AntiSpyware beta.
Joel agreed with our survey's findings. “Customers are definitely experiencing a lot of pain right now because of things like spyware and other types of application-layer intrusions, where some sort of code is coming into the organization and doing things that you don’t want.” In fact, Josue quoted a Gartner Group study that found that 70 percent of Web attacks are application-layer attacks.
“ISA Server can help with a lot of these things today,” Joel continued. “But we’re also looking at future generations of the platform: How can the edge firewall or the application publishing device help protect the corporate clients as well as the applications that are being published? No matter where you’re coming to information from, you should be protected from that resource and that resource should be protected from you—whether you’re internal or coming from the outside, or whether you’re a customer accessing data that belongs to another organization. So that’s definitely on our radar.”
How does Microsoft’s recent purchase of an antispyware solution address these issues? “Microsoft acquired GIANT Company Software, a New York-based company that develops antispyware and Internet security products,” Paul explained. “The goal of this strategic investment is to help Microsoft Windows customers by offering security technology that helps protect them from spyware and other potentially unwanted software. This acquisition is part of Microsoft’s comprehensive approach for tackling the spyware issue. Beyond technology innovation, this approach involves guidance and engagement, industry collaboration, and cooperation with legislators and law enforcement.”
What does this mean to IT pros today? “Near-term, we're offering a beta version of software that helps protect individual users from spyware and other potentially unwanted software,” Paul replied. “The tool is available to users of Windows Server 2003, Windows XP, Windows 2000, and Windows 2000 Server. Customers can find a link to download the beta version of new antispyware software at http://www.microsoft.com/spyware. We invite our enterprise customers to install the software in their test environment and provide us with feedback.”
What functionality will this new offering provide? Paul said, “The beta can detect and help remove known spyware found on your PC. Continuous protection also improves Internet browsing safety by guarding over 50 ways spyware can enter your PC. Participants in the worldwide SpyNet community play a key role in determining which suspicious programs are classified as spyware. Microsoft researchers quickly develop methods to counteract these threats, which are automatically downloaded to your PC, so you stay up-to-date.”
I asked whether the product would come with ISA Server 2004 or be part of another product offering, and Josue responded, “Details on timing and terms of product availability for our new antispyware offerings are yet to be determined. The acquisition will provide a strong foundation for Microsoft to innovate with new antispyware technologies that will benefit customers in the future.”
As for other application-layer threats, Joel pointed out that “There are some embedded capabilities in ISA 2004, particularly application protection. There’s a signature-based policy element if you’re doing the forward proxy from ISA Server—so if you’re a corporate client and want to get out to the Internet and access things (and that’s one of the more frequent attack vectors that a firewall can help with), by using the signature-based capability in ISA Server, you can configure it to trap for known threats like Blaster, Nimda, Code Red—that class of things that piggy-back on HTTP traffic. We also have partners that provide even more depth on application and content filtering. For example, if you want to do it at the URL level, products from companies such as SurfControl and Websense block access to those kinds of sites, or you can do depth HTML filtering for either publishing an outbound application or for Internet browsers. So you can do a variety of things on the custom configuration as well as working with third-party add-ons.”
Josue added, “We have a document on our Web site—one of the key areas customers always talk to us about is key attack vectors, one of them being peer-to-peer applications. It’s a great way to get on a user’s machine because many users are using peer-to-peer applications. That document contains information as to how to configure the HTTP filter to protect and block those types of applications.”
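The signature-based HTTP filtering discussed above can be sketched as a small matcher; this is an added example, not ISA Server's filter code or configuration format. The signature names and patterns are illustrative assumptions, and the sample request is constructed.

```python
from typing import NamedTuple
from urllib.parse import unquote

class Signature(NamedTuple):
    name: str          # label reported on a match
    scope: str         # "url", "header" or "body"
    pattern: str       # lower-case substring to look for
    header: str = ""   # header name, used when scope == "header"

# Illustrative signatures assumed for this example, not a vendor-supplied list.
SIGNATURES = [
    Signature("Code Red probe", "url", "default.ida"),
    Signature("Nimda probe", "url", "cmd.exe"),
    Signature("Kazaa client", "header", "kazaa", "user-agent"),
]

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (url, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    url = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return url, headers, body.decode("latin-1").lower()

def normalize_url(url: str) -> str:
    """Percent-decode until stable so %2e or %252e cannot hide a pattern."""
    for _ in range(3):
        decoded = unquote(url, encoding="latin-1")
        if decoded == url:
            break
        url = decoded
    return url.lower()

def match(raw: bytes):
    url, headers, body = parse_request(raw)
    fields = {"url": normalize_url(url), "body": body}
    def field(sig):
        return headers.get(sig.header, "") if sig.scope == "header" else fields[sig.scope]
    return [s.name for s in SIGNATURES if s.pattern in field(s)]

# Constructed sample: the dot in the file name is double percent-encoded.
SAMPLE = b"GET /scripts/cmd%252Eexe HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
```

Matching on the decoded, lower-cased URL is what keeps an encoded request from slipping past a plain substring signature.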