ISA Firewall Fairy Tales – What Hardware Firewall Vendors Don’t Want You to Know (v1.02)

Just about every firewall administrator has heard the old joke where the guy’s boss asks him “is our network secure?” and the response is “of course, we have a firewall!” Unfortunately, this is the attitude of many real-life network and firewall administrators. They consider the network firewall at the network edge as their primary defense against all network woes.

The sad fact is that the network firewall at the edge of the network is only a small piece of your overall security plan. While the Internet edge firewall is a key component of your network security scheme, its only one part and that single part does very little to provide defense in depth. Defense in depth refers to the security philosophy that there are multiple partitions or security zones that must be protected. The interface between security zones represents a specific edge requiring a customized approach to security and access control.

The number of security zones requiring protection varies with the organization and how the organization’s network is laid out. Smaller organizations may have just a single network segment sitting behind an Internet edge firewall. Larger organizations may have very complex networks with multiple security zones and security zones within security zones. Regardless of the complexity of your network, the principle of least privilege leads you to the correct path to firewall placement and configuration.

To help demonstrate how security zones dictate access control, firewall configuration and firewall placement, we’ll go over a typical enterprise level network and how it might segregate its security zones. We will call these zones “Rings” and each ring is comparable to a layer in an onion, with the center of the onion representing your core network assets requiring the highest level of network level security. These rings are:

• Ring 1: The Internet Edge
• Ring 2: The Backbone Edge
• Ring 3: The Asset Network Edge
• Ring 4: Local Host Security

The figure below shows the outermost ring, which is the Internet edge.

The Internet edge is the first point of attack for externally situated hosts. Because most of us have a greater fear of the unknown than of the known, network and firewall administrators believe they should put their most intelligent and powerful firewalls at this location. If you don’t think about this too much, it makes sense. The problem is that the great majority of network attacks occur from inside the network. In addition, if you consider how this approach flies in the face how you secure anything else in this world, you’ll realize that the Internet edge firewall should not be your most secure or sophisticated firewall, it should be your fastest firewall.

Think about how a bank secures its cash assets. First, there are the Federal agencies that hover unseen around all of our lives. This “outermost” level of bank security doesn’t stop too many bank robberies in progress, though it helps in stopping law abiding citizens from deciding to rob a bank when they have nothing else to do that day.

The next layer of defense, moving inward toward the bank’s core assets, is the local police department. The police drive around town all day and maybe they’ll be in front of the bank when the bank robber is about to begin the hold-up. This isn’t very secure because they can’t be in front of the bank all the time and when they do respond, its after the fact when the perpetrator is long gone.

The next ring closer to the core bank assets is represented by the front door cameras (more likely parking lot cameras). The bank security people may be able to stop a robbery from taking place if they’re vigilant and identify the criminal right before he begins the robbery attempt. The problem with this approach is they can’t stop the guy until he does something that suggests a robbery attempt is in progress. You can’t stop a guy these days just because he’s wearing a sock over his head and carrying an empty pillow case. If he has a gun, but has a concealed carry permit, you still can’t do anything to him unless he’s displaying it illegally. However, this method is more sophisticated and more likely to stop a robbery attempt in progress than the Federal security ring or the local policy security ring.

The next ring is the one at the border of the outside of the bank and the area between the tellers. There is typically an armed guard in this area. The armed guard provides a better level of protection because he can stop a robbery as it begins, if he identifies a robbery taking place and if he shoots the robber before the robber shoots him. The armed guard in the lobby definitely provides a much higher level of security than the cameras watching outside the building, the local police cruising the streets and the Feds.

The next ring of security lies at the interface between the inside of the bank vault and the lobby and teller area, which is the door of the bank vault. If the robber flies past the Fed, arrives when there’s no police car in sight, looks like a typical customer and isn’t flagged by the security cameras, and shoots the armed guard before the armed guard shoots him (I’m assuming that the robber isn’t in a country or State that allows its citizens to carry weapons legally; if the Bank were in this one of these areas, the robber would also have to survive armed citizens), the final hurdle is the bank vault door. Unless the guy is a munitions expert or some kind of safe cracker, the bank vault door will stop him every time.

The bank vault door provides the highest level of security and it’s the most “hardened” and “impenetrable” of the bank defenses. That’s why its put right in front of the bank’s core assets, to protect these assets in the event that an intruder gets past all the other rings of security design to protect the bank’s assets. The bank vault door is represents the most hardened and most impenetrable security device in the path to the bank’s core assets.

However, no security ring, no matter how well protected is impenetrable (remind the “firewall experts” of this fact the next time they tell you about the inviolate nature of so-called “hardware” firewalls). Let’s assume the robber isn’t a munitions expert or a safe cracker. Instead, he’ll use the coward’s way out and takes advantage of social engineering (coward computer hackers use similar methods). In this case, the social engineering method used by the bank robber by threatening the lives of the customers and tellers if the bank vault door is not opened by the bank manager.

Since you can always find more money, but human life tickets are only good for one punch, the bank manager opens the vault door.

At this point you might think that the game is over and the robber won. He’s penetrated the last defense ring and the money is his (let’s overlook the fact that in order to win the robbery game, you also have to successfully leave the bank with the cash). However, there is the last layer of defense, and that is the defense the money itself can provide. The bags of money may have exploding ink in them, which explodes and covers the robber with a bright shade of pink if the cash is moved or removed at the wrong time or the incorrect way, or maybe if the money is moved inappropriately, anesthetic gas is pumped into the vault, or maybe the money is marked and is easily identified if it spent in public. If the bank hopes to recoup its money, it must make sure that there are methods of protection applied to the money itself, as that is the last ring of defense the bank has in protecting its assets.

The point of this story is that the bank, and any other entity that secures its core assets, put it’s most hardened, most sophisticated and most impenetrable barriers closer to those assets. The enemy is always at his best at the outermost ring and by the time he’s made it to the innermost ring, he’s either completely exhausted his resources or ready to give up. In either case, the enemy meets stronger defensive mechanisms as he continues to get weaker. This helps accelerate his ultimate defeat.

Now let’s get to answering some of my favorite ISA firewall fantasies. These include:

• Software firewalls are inherently weak. Only hardware firewalls can be trusted to secure a network
• You can’t trust any service running on the Windows operating system to be secure. You could never secure a firewall running on a Windows OS
• ISA machines make for good proxy servers, but I need a real firewall to protect my network
• ISA firewalls are just glorified versions of Proxy 2.0
• ISA firewalls run on an Intel hardware platform, and only firewalls that have all “solid state” components can be firewall. A firewall should have no moving parts if you want to consider it to be a firewall
• “I have a firewall and an ‘ISA Server’”
• A real firewall should be a nightmare to configure and ideally, should use a CLI to make it accessible only to highly trained individuals

Let’s take each of these ISA firewall fallacies one at a time.

As an ISA firewall admin, you’ve probably run into network and firewall admins who:

• Never heard of an ISA firewall
• Think it’s some sort of caching server, akin to the old CacheFlow product (purchased by Bluecoat) or Squid, or
• Believe hardware firewalls are inviolate and so-called “software” firewalls are as penetrable as warm custard and thus incapable of protecting the perimeter or network datacenter

Teaching the guys who never heard of an ISA firewall can be a rewarding experience. You can tell them about how an ISA firewall provides strong inbound and outbound access controls in ways that no other firewall can, how it blocks file sharing, peer to peer programs, how it prevents malicious users from violating network security policies such as downloading copyrighted material, how the ISA firewall provides superior protection for Microsoft Exchange services including OWA, OMA, ActiveSync and MAPI/RPC, and its ease of configuration blows away all other firewalls on the market (if you don’t believe it, look at Checkpoint NG’s Byzantine management interface).

The other two guys test my patience.

First, there’s the “ISA is a Web Proxy or caching server thingie, I think” guy. This guy probably read some industry rag or attended a conference where a security or firewall “guru” who’s never seen an ISA firewall proudly and oracularly stated: “ISA is an update to Proxy Server 2.0”.
What’s up with that? ISA firewalls are honest-to-goodness, enterprise class firewalls that provide the strong inbound and outbound access control and application layer filtering you need to protect today’s networks, not the networks of yesteryear at which traditional packet filter based firewalls are aimed. What really drives me to the point of distraction is that these guys have a really hard time letting go of the Proxy 2.0 fantasy. Yet, unless they’re untrainable, you can usually disabuse them of their misconceptions.

The “hardware firewalls descended from heaven” people are the most difficult. They’ve been told over the years that hardware (ASIC-based) firewalls are the “acme” of all possible firewalls, and any firewall not based on ASIC is a lowly software firewall and doesn’t even deserve the name of “firewall”. One wonders how they reconcile their dogma with the fact that the number one selling firewall product is CheckPoint, a (gasp!) software based firewall. I have to put the ASIC true believers group with those who still believe the earth is flat, believe the Universe revolves around the earth, and are sure that the Moon follows them when they walk home from a big night at Pizza Hut.

The hardware firewall fantasy is actually based on a historical reality. In the past, firewalls could provide a reasonable level of security and performance using simple packet filtering mechanisms that look at source and destination addresses, ports and protocols, and make quick decisions. Since the logic is “burnt-in” to the ASIC (Application Specific Integrated Circuit), it’s not easy to hack the basic system. However, attackers have learned that you don’t need to hack the core instruction set to get around the relatively poor security hardware based systems provide.

You can find an excellent article debunking the myth of ASIC superiority at http://www.issadvisor.com/viewtopic.php?t=368. The author makes a very good argument that hardware firewalls will never be able to keep pace with modern threat evolution and that one-box software based firewalls are the future of the network firewall. Therein lies the massive advantage conferred by your ISA firewall: it can be quickly upgraded and enhanced to meet not only today’s threats, but also the exploits against which you’re sure to need defense in the future.
 

The ISA firewall, be it ISA Server 2000 or ISA Server 2004, is the ideal mainline enterprise firewall (mainline in the context that it protects mission critical systems). The problem is the members of the critical chorus who have swallowed the ASIC pill and can’t accept this fact.

For example, the article at http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss346_art676,00.html extends the misconception that ISA firewalls aren’t suited to be enterprise perimeter firewalls. The problem is comments such as “ISA 2004 isn’t going to replace mainline, perimeter firewalls, nor is it intended as a sole layer of protection for Microsoft apps, but it’s a pretty good addition to the layers of the security onion” infer that there is only a single network or security perimeter. By the way, who said its “not intended” for protecting Microsoft services?

Like most commentators who make similar statements, those who say this never come up with reasons supporting their de profundis assertions. It’s especially problematic when some of the assertions, such as ISA not providing a high level of protection for Microsoft apps, run so far afield from the facts that it ends up sounding like a canard.

The fact is enterprise networks contain many security perimeters, as you learned earlier in this article. No, I wouldn’t want the ISA firewall at the Internet edge or at edges of very high traffic backbone segments, because only a simple, fast packet filtering firewall can meet the packet-passing performance requirements for these very high volume segments.

However, it is important to realize high-speed packet passing with simple packet filters and “fix-ups” does not equal acceptable security – these hardware based packet passing firewalls are useful for very high traffic perimeters, but are of little or no use at the perimeters bordering the server and client systems (ring 3 – the Asset Networks) because of their lack of deep application layer intelligence.

So, the next time you run into a firewall or security expert proselytizing the impenetrability of “hardware” firewalls and debasing “software” firewalls, belly up to the bar and give the “firewall expert” a strong reality check. He might just be salvageable and the network he ends up saving with the ISA firewall might be his own

I’m often asked about how can we run ISA Server 2004 firewalls on a machine running the Windows operating system, given the number of security bug fixes for the base operating system. It’s good question. Here are highlights you should consider regarding the issue of the underlying Windows operating system and running the ISA firewall on top of it:

• Not all hotfixes apply to the ISA Server 2004 firewall. Many of these hotfixes are services based. Since you don’t run client or server services on the ISA Server 2004 firewall machine, most of the hotfixes are irrelevant
• Some hotfixes do address issues with the core operating system components, such as RPC (which the Blaster worm took advantage of). Since the ISA Server 2004 firewall applies security policy to all interfaces, you would have to create a firewall policy allowing the attacker access to the firewall. In the specific case of RPC, the secure RPC filter blocks Blaster and related attacks. IIS problems are a non-issue, because you do not run IIS services (with the exception of maybe the IIS SMTP service) on the firewall. Other services are only accessible if you allow access to the ports on the firewall. A properly configured ISA Server 2004 firewall therefore is infinitely more secure than the base operating system because network access to the firewall is severely truncated
• Other hotfixes apply to stability issues. You will need to apply these hotfixes and service packs. However, all firewall vendors issue regular fixes (if they don’t then they’re not paying attention and their software is vulnerable, even if they don’t know it, and even if they haven’t acknowledged the vulnerabilities to you).
• Some hotfixes require restarting. You can schedule the restart for a convenient time. Note that you do not need to install all hotfixes because not all of them, or even a significant number of them, apply to your ISA Server 2004 firewall. The number of restarts required should be negligible.
• If you can’t trust any services running on a Windows operating system, then how can you trust the underlying OS for your Exchange, SQL, SharePoint and other Microsoft server installations?
• The underlying OS on the ISA Server 2004 firewall can be hardened. In fact, there is a profile in the Windows Server 2003 SP1 Security Configuration Wizard (SCW) that allows you to harden the underlying OS automatically using the SCW.
• You can harden the underlying OS manually if you don’t want to use the SCW or don’t have access to it. There will be an OS hardening guide released concurrently with ISA Server 2004 that walks you through the process of hardening the underlying OS while leaving the ISA Server 2004 firewall services unaffected. This was a significant issue with ISA Server 2000, because many of use attempted to harden the OS which lead to some unexpected side effects.

It’s true ISA Server 2004 is a great proxy server. In fact, ISA Server 2004 is a proxy firewall, which is the most sophisticated and secure type of firewall available.

The conventional packet filtering firewall uses very simple mechanisms to control inbound and outbound access: source and destination port, source and destination IP address, and for ICMP, source and destination IP address together with ICMP type and code. Packet filters must be explicitly created for each inbound and outbound connection. More sophisticated packet filters can dynamically open response ports. ISA Server 2004 firewalls are able to dynamically open ports via its dynamic packet filtering feature.

The “circuit layer” firewall is akin to what most commentators refer to as the “stateful firewall” It should be noted that the term “stateful” can mean whatever you want it to mean. It was introduced as a marketing term, and like most marketing terms, was designed to sell product, not to quantify and specify any specific feature or behavior. However, most people think of stateful filtering (in contrast to stateful inspection) as a mechanism where the stateful packet filter tracks connection state at the transport (layer 4) level. TCP includes information within the protocol that define connection state, while UDP does not. Because of this, UDP communications must have a pseudostate enforced by the stateful filtering device. Stateful filtering is helpful in protecting against a number of sub-application layer attacks, such as session hijacking.

If you hear this one, you really know that you’re conversing with the clueless. Proxy 2.0 was a Web proxy server built on the IIS WWW service. In contrast, the ISA Server 2004 firewall has no dependency on IIS and all interfaces are subject to firewall policy. In addition, the ISA Server 2004 firewall applies firewall policy to VPN remote access and VPN site to site connections.

When you run into someone who compares Proxy 2.0 with an ISA Server 2004 firewall, walk away. The person you’re talking with is incompetent and arguments with incompetents never get you anywhere.

I’ve heard this one a number of times and it always leaves me scratching my head. Why does the firewall require no moving parts and my Exchange Server, SQL Server, Web Server, FTP Server and any other mission critical service not require the absence of moving parts? Here are some advantages to using the Intel PC based platform for firewalls:

• When the memory, processor or network card goes bad on the device, you can replace it at commodity hardware prices. You do not need to go back to the solid state hardware vendor and pay premium prices for their hacked up versions of hardware components
• When you want to upgrade memory, processor, storage, NIC, or any other component, you can use commodity hardware and add that to your machine. You do not need to go to the source hardware vendor to obtain overpriced upgrades to your box
• Because the ISA Server 2004 software is hard disk based, you do not have the memory and storage restrictions of solid state devices. You can install on-box application layer filters, increase the cache size, tweak performance and security settings, and perform fine-tuned customizations required by your environment
• The “no moving parts” aspect pertains primarily to hard disks. Hard disk MTBF values are in years. Even lowly IDE drives last 3+ years with normal use. And when the disk fails, the ISA Server 2004 firewall configuration is easy to restore because the entire configuration is stored in a simple .xml file. You can be up and running within 15 minutes with the right disaster recovery plan. Compare that to fried memory in a hardware device where the entire device must be returned to the manufacturer

The disaster recovery aspect is perhaps the most compelling reason for using a “software” firewall. A single ISA Server 2004 firewall, or an entire array of 10 ISA Server 2004 firewalls can be rebuilt in a matter of minutes without having to replace the entire box or requiring you to obtain hardware pieces from the vendor. And if you’re using removable drives, it’s a no-brainer to be up and running for the entire array in less than 30 minutes!

I can’t tell you have many times I’ve heard this one. “I’ve got a firewall and I want to place an ISA Server behind it, how do I do that”? These comments come from ISA fans, so I know there’s no intent to denigrate the ISA firewall. Instead, this is an indication that the ISA firewalls admins don’t realize that ISA firewalls are the firewalls for their network and the packet filters they put in front of the ISA firewalls are typically performing basic packet filtering which helps with processor off-loading.

This fallacy is easily corrected by saying “I have a packet filtering firewall in front of my ISA firewall, how do I get them to work together?” or “I have a Sonicwall in front of my ISA firewall, how do I get them to work together?”

To be fair, I have to admit that not everyone uses the ISA Server 2004 firewall as a firewall. You do have the option to install the ISA Server 2004 firewall in single NIC mode, which is comparable to the “cache only” mode that ISA Server 2000 included. In single NIC mode, the ISA Server 2004 firewall is caponized. Most of the firewall functionality is removed and the machine provides limited functionality as a Web proxy server only.

This is not to imply that the ISA Server 2004 firewall in single NIC mode is not secure. Enough of the firewall functionality is left in place to allow the ISA Server 2004 firewall to protect itself, and to secure the Web proxied connections made through the single NIC ISA Server 2004 firewall. The ISA Server 2004 single NIC firewall only allows connections to itself that you explicitly allow, via the firewall’s system policy. The only connections it allows to corporate network hosts are those you explicitly allow via Web Publishing Rules and the only outbound connections that can be made through the single NIC ISA Server 2004 firewall are those you allow via a truncated HTTP/HTTPS only list of Access Rules.

While I would prefer to see all organizations use the ISA Server 2004 firewall for its intended use, which is as a full featured, blended stateful packet filtering and blended stateful inspection application layer firewall, I do realize larger organizations have spent literally millions of dollars on other firewall solutions. These organizations do want to benefit from the reverse proxy components for superior OWA, OMA, ActiveSync and IIS protection. For this reason, its important to point out that the ISA Server 2004 firewall, even in it crippled single NIC mode, provides a high level of protection for forward and reverse proxy connections.

We’ve covered a lot of ground, so let’s sum up the reasons for why the ISA Server 2004 firewall belongs in front of your critical network assets:

• ISA Server 2004 firewalls run on commodity hardware, which keeps costs in check while allowing you the luxury of upgrading the hardware with commodity components when you wish to “scale up” the hardware platform that ISA Server 2004 firewall runs on
• Being a “software” firewall, the firewall configuration can be quickly upgraded with application aware enhancing software from Microsoft and from third-party vendors
• Being a “software” firewall, you can quickly replace broken components without returning the entire firewall to the vendor or requiring that you have several hot or cold standbys waiting in the wings
• The ISA Server 2004 firewall provides sophisticated and comprehensive application layer filtering, in addition to stateful packet filtering. The stateful application layer and stateful packet filtering protect against common network layer attacks and modern application layer attacks
• The ISA Server 2004 firewall should be placed behind high-speed packet filtering firewalls if you have a very high speed connection to the Internet. This is especially important on networks with multi-gigabit connections. The packet filtering firewalls reduce the total amount of traffic each back end ISA Server 2004 firewall needs to process. This reduces the total amount of processing overhead required on the ISA Server 2004 firewalls and allows the ISA Server 2004 firewalls to provide the true, deep application layer stateful inspection required to protect your network assets
• While the ISA Server 2004 firewall can’t match the pure packet passing capabilities of traditional hardware ASIC based firewalls, the ISA Server 2004 firewall provides a much higher level of firewall functionality via its stateful packet filtering and stateful application layer inspection features
• The ISA Server 2004 firewall is able to authenticate all communications moving through the firewall. The provides for strong user/group based authentication to and from the vital asset networks. Ideally, another non-authenticating ISA Server 2004 firewall is placed in front of the authenticating ISA Server 2004 firewall so that stateful application layer and packet filtering is done before that connections reach the ISA Server 2004 firewalls that perform authentication

At this point we’ve put to rest the ISA firewalls aren’t as secure as packet filter firewalls. With that in mind, where exactly should we place the ISA Server 2004 firewall?

The answer depends on the size of your network and the number of rings or security zones you need to protect. If you have a large network, then the four ring approach we discussed will work best, with the Backbone and Asset Networks protected by ISA Server 2004 firewalls. The Backbone Network ISA Server 2004 firewall is configured for full stateful filtering and stateful application layer inspection without outbound access controls, while the Asset Network ISA Server 2004 firewalls provide stateful filtering and stateful application layer inspection as well as inbound and outbound user/group based access controls.

The figure below recaps this configuration.

Simple network configurations may not have multiple rings or multi-gigabit network connections. In these networks, there is no reason for a fast packet filtering firewall at the Internet Edge ring. You can use only ISA Server 2004 firewalls and rest assured that you have the best firewall protection available.

If you want to host publicly accessible services on a DMZ segment between the Internet Edge and the Asset Edge, you can place two ISA Server 2004 firewalls in sequence. This represents your DMZ segment. You can safely and confidently place the ISA Server 2004 firewall at the Internet Edge and be confident that you have a high level of security and access control than you would have with a conventional packet filtering firewall. In addition, you can configure the Internal (back-end) ISA Server 2004 firewall for strong inbound and outbound user/group based access control.

The firewall below depicts this type of configuration.

The most simple configuration requires a single firewall situated at the Internet edge. In that case, you can place a single ISA Server 2004 firewall at the Internet Edge and benefit from its full firewall functionality knowing that it provides your network a far higher level of security and protection then what you would derive from a simple high speed packet filter based firewall.

As the old saying goes, it takes a while before you can teach an old dog new tricks. ISA Server 2004 is the market leader in blended packet filter/proxy firewalls and the ISA firewall line continues to improve with each incarnation. However, it’s going to take some time before the traditional firewall administrators get out of the mindset that they need to put weaker devices in front of stronger ones and that you can’t secure a Windows based firewall.

While I see the tide slowly turning in this regard, it takes continuous education and reinforcement to educate busy and misinformed firewall administrators, network administrators and network security officers. Traditional packet filter firewall admins still think in terms of “opening a port” and that particular TCP or UDP ports equate to network services. Only after they begin learning about modern firewalls, like ISA Server 2004, will they appreciate the risks they put their core assets at by using conventional stateful packet filter firewalls.

The take home message: ISA Server 2004 firewalls are full fledged network firewalls that provide a superior level of security than you can get from traditional packet filter firewalls. ISA Server 2004 firewalls provide a very high level of security on the front-end with the rate limiting factor being throughput for multigigabit connections. But if throughput issues aren’t a concern, do not hesitate to make the ISA Server 2004 firewall both your front-end and back-end firewall.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=000167 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privac