ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to Know (v1.02)
ISA 2004 Firewall Fairy Tales
What the Hardware Firewall Vendors Don't Want You to Know
By Thomas W Shinder, M.D.
I’ve been reading a lot of things about the upcoming release of ISA Server 2004. While lots of what I read is good, factual information, there’s a lot more that’s just basic claptrap (http://dictionary.reference.com/search?q=claptrap). What do I mean? Just check out some of these non-quotable quotes:
- "It is a good clean up update, but I won't say it is major. It doesn't all of a sudden make them a competitor to CheckPoint" (http://www.infoworld.com/article/04/05/03/HNisaserver_1.html) [BTW -- this quote is our leader for 'clueless analyst comment of the year']
- "They insist ISA Server is a firewall, but it is a server. It is Gartner's strong belief that firewalls are gateway packet and stream processing devices and not servers. The market supports that; most new installations are appliances" (http://www.infoworld.com/article/04/05/03/HNisaserver_1.html)
- "I've worked with large enterprises where we've used Cisco [Systems] on the front end with ISA behind it," said Chris Darrow, a consultant at TCP-IP Inc., a Sacramento, Calif.-based consulting firm. "It's a good addition to a Checkpoint or Cisco firewall, but I still would not use it alone." (http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci967964,00.html)
- "Franco, under the subject "Strange Setup" wondered why a Microsoft ISA server is dual-homed to bypass a firewall. Follow-up posters explained that the ISA Server requires such a setup and that it is a good HTTP proxy/cache/authenticator for a Windows network. (Read: Better than the firewall is.) All other traffic should still go through the firewall." (http://sandbox.rulemaker.net/ngps/infosec/fwiz/fwiz-2004-02-28)
If you run a Google search, you’ll find a lot more of this kind of stuff on the Web. Common themes that run through these types of comments and discussions include:
- Belief in the myth of "hardware" firewall.
- The assumption that Cisco and Checkpoint (and other traditional firewall) solutions are inherently more secure, made without any understanding of the ISA Server 2004 firewall and without stating precisely what underlies the belief that these other firewall products provide better protection or are otherwise "more secure"
- Software running on a Microsoft Windows operating system can’t be trusted (I guess they don’t use Microsoft Exchange or Microsoft SQL servers, since they also run on Microsoft operating systems)
- The assumption that you should put your weakest link directly in front of the most valued corporate assets (sort of like putting a security guard with a machine gun in front of the bank, and a poodle at the open entrance to the safe)
- Referring to a souped-up packet filtering device (PIX) as "the firewall" while referring to the ISA firewall as "the ISA Server" (and they say that Microsoft has the killer marketing machine?)
It’s clear that a number of commentators and industry analysts don’t understand the nature of firewall security in the 21st century and still cling to the marketing material they received in 1997 from the current leaders in the firewall space. The problem is that they do their readers a serious disservice, as the glorified "stateful packet filter" of yesteryear just can’t stack up to a serious application layer aware firewall like ISA Server 2004.
In order to drive this point home, and to help our ISAserver.org readers fight back against the pabulum their colleagues might try to feed them when discussing firewall issues, we’ll cover the following key points:
- Defense in depth
- ISA Firewall Fallacies
- Why ISA Belongs in Front of Critical Assets
- A Better Network and Firewall Topology
- Old Dogs and New Tricks
By the time we’re done, you’ll be able to put the antediluvian firewall "experts" in their place and get your request for an ISA 2004 firewall approved.
The goal of this article is to show that ISA Server 2004 represents a true enterprise grade network firewall. The goal is not to demonstrate that it’s the firewall that will meet everyone’s needs in all possible scenarios. Other firewalls contain features that an organization may require that ISA Server 2004 firewalls do not support, in the same way that ISA Server 2004 firewalls contain critical security features that other firewalls do not.
Defense in Depth
Just about every firewall administrator has heard the old joke where the guy’s boss asks him "is our network secure?" and the response is "of course, we have a firewall!" Unfortunately, this is the attitude of many real-life network and firewall administrators. They consider the network firewall at the network edge as their primary defense against all network woes.
The sad fact is that the network firewall at the edge of the network is only a small piece of your overall security plan. While the Internet edge firewall is a key component of your network security scheme, it’s only one part, and that single part does very little to provide defense in depth. Defense in depth refers to the security philosophy that there are multiple partitions or security zones that must be protected. The interface between security zones represents a specific edge requiring a customized approach to security and access control.
The number of security zones requiring protection varies with the organization and how the organization’s network is laid out. Smaller organizations may have just a single network segment sitting behind an Internet edge firewall. Larger organizations may have very complex networks with multiple security zones and security zones within security zones. Regardless of the complexity of your network, the principle of least privilege leads you to the correct path to firewall placement and configuration.
To help demonstrate how security zones dictate access control, firewall configuration and firewall placement, we’ll go over a typical enterprise level network and how it might segregate its security zones. We will call these zones "Rings" and each ring is comparable to a layer in an onion, with the center of the onion representing your core network assets requiring the highest level of network level security. These rings are:
- Ring 1: The Internet Edge
- Ring 2: The Backbone Edge
- Ring 3: The Asset Network Edge
- Ring 4: Local Host Security
The figure below shows the outermost ring, which is the Internet edge.
The Internet edge is the first point of attack for externally situated hosts. Because most of us have a greater fear of the unknown than of the known, network and firewall administrators believe they should put their most intelligent and powerful firewalls at this location. If you don’t think about this too much, it makes sense. The problem is that the great majority of network attacks occur from inside the network. In addition, if you consider how this approach flies in the face of how you secure anything else in this world, you’ll realize that the Internet edge firewall should not be your most secure or sophisticated firewall; it should be your fastest firewall.
Think about how a bank secures its cash assets. First, there are the Federal agencies that hover unseen around all of our lives. This "outermost" level of bank security doesn’t stop too many bank robberies in progress, though it helps in stopping law abiding citizens from deciding to rob a bank when they have nothing else to do that day.
The next layer of defense, moving inward toward the bank’s core assets, is the local police department. The police drive around town all day and maybe they’ll be in front of the bank when the bank robber is about to begin the hold-up. This isn’t very secure because they can’t be in front of the bank all the time and when they do respond, it’s after the fact when the perpetrator is long gone.
The next ring closer to the core bank assets is represented by the front door cameras (more likely parking lot cameras). The bank security people may be able to stop a robbery from taking place if they’re vigilant and identify the criminal right before he begins the robbery attempt. The problem with this approach is they can’t stop the guy until he does something that suggests a robbery attempt is in progress. You can’t stop a guy these days just because he’s wearing a sock over his head and carrying an empty pillow case. If he has a gun, but has a concealed carry permit, you still can’t do anything to him unless he’s displaying it illegally. However, this method is more sophisticated and more likely to stop a robbery attempt in progress than the Federal security ring or the local police security ring.
The next ring is the one at the border of the outside of the bank and the area between the tellers. There is typically an armed guard in this area. The armed guard provides a better level of protection because he can stop a robbery as it begins, if he identifies a robbery taking place and if he shoots the robber before the robber shoots him. The armed guard in the lobby definitely provides a much higher level of security than the cameras watching outside the building, the local police cruising the streets and the Feds.
The next ring of security lies at the interface between the inside of the bank vault and the lobby and teller area, which is the door of the bank vault. If the robber flies past the Fed, arrives when there’s no police car in sight, looks like a typical customer and isn’t flagged by the security cameras, and shoots the armed guard before the armed guard shoots him (I’m assuming that the robber isn’t in a country or State that allows its citizens to carry weapons legally; if the bank were in one of these areas, the robber would also have to survive armed citizens), the final hurdle is the bank vault door. Unless the guy is a munitions expert or some kind of safe cracker, the bank vault door will stop him every time.
The bank vault door provides the highest level of security and it’s the most "hardened" and "impenetrable" of the bank defenses. That’s why it’s put right in front of the bank’s core assets, to protect these assets in the event that an intruder gets past all the other rings of security designed to protect the bank’s assets. The bank vault door represents the most hardened and most impenetrable security device in the path to the bank’s core assets.
However, no security ring, no matter how well protected, is impenetrable (remind the "firewall experts" of this fact the next time they tell you about the inviolate nature of so-called "hardware" firewalls). Let’s assume the robber isn’t a munitions expert or a safe cracker. Instead, he’ll use the coward’s way out and take advantage of social engineering (coward computer hackers use similar methods). In this case, the social engineering method used by the bank robber is threatening the lives of the customers and tellers if the bank vault door is not opened by the bank manager.
Since you can always find more money, but human life tickets are only good for one punch, the bank manager opens the vault door.
At this point you might think that the game is over and the robber won. He’s penetrated the last defense ring and the money is his (let’s overlook the fact that in order to win the robbery game, you also have to successfully leave the bank with the cash). However, there is the last layer of defense, and that is the defense the money itself can provide. The bags of money may have exploding ink in them, which explodes and covers the robber with a bright shade of pink if the cash is moved or removed at the wrong time or in the incorrect way, or maybe if the money is moved inappropriately, anesthetic gas is pumped into the vault, or maybe the money is marked and is easily identified if it is spent in public. If the bank hopes to recoup its money, it must make sure that there are methods of protection applied to the money itself, as that is the last ring of defense the bank has in protecting its assets.
The point of this story is that the bank, and any other entity that secures its core assets, puts its most hardened, most sophisticated and most impenetrable barriers closer to those assets. The enemy is always at his best at the outermost ring and by the time he’s made it to the innermost ring, he’s either completely exhausted his resources or ready to give up. In either case, the enemy meets stronger defensive mechanisms as he continues to get weaker. This helps accelerate his ultimate defeat.
Table 1: Defense Rings Protecting Bank Assets
|Bank Defense Layer|Implementation|
|---|---|
|Federal Agencies|Outermost layer of protection. Helps keep honest people honest|
|Local Police Department|Provides protection in the rare event that they happen to be in front of the bank during a robbery in progress; responds only after the fact|
|Perimeter Cameras|Allows vigilant security personnel to proactively stop a robbery if they can identify the robbery is about to begin|
|Bank Guard|Bank guard can shoot the robber if the robber doesn’t shoot him first. Able to respond to robbery in progress and provides much more security than the levels above|
|Bank Vault Door|Strongest level of protection placed directly in front of critical bank resources|
|Exploding Ink, Anesthetic Gas, etc.|Represents "host-based" protection and increases the recoverability of assets even if they are stolen|
With these facts in mind, how do you explain the attitude of network and firewall administrators who claim "while I think an ISA firewall is great, I wouldn’t feel comfortable if I didn’t have a Checkpoint or a PIX in front of it"?
Does it make sense to you that you should put your "weakest link" in terms of network firewall protection right in front of your core network assets? I assume these people "aren’t comfortable" because they believe that the ISA firewall isn’t as "secure" as their packet filtering devices are.
The real irony is that these network and firewall administrators are doing the right thing. It’s just that they’re doing the right thing for the wrong reason. They’ve been beaten over the head for years by "firewall experts" and "hardware firewall" marketeers with the idea that only the ASIC ("hardware") firewall can be secure; so-called "software firewalls" are inherently insecure because of reasons "X, Y and Z".
Reason "X" always has something to do with the underlying operating system. After repeating with great precision and perfect tempo "Windows is not secure" for several minutes, they never get around to reasons "Y" and "Z". I’ll leave it to you to explain why that happens.
Table 2: Hardware Firewall Vendors’ Reasons Why Software Firewalls Are Insecure
|Hardware Firewall Vendor’s Reason Why Software Firewalls Are Insecure|Explanation|
|---|---|
|X|The Windows operating system can’t be secured|
|Y|We sell hardware firewalls with big margins|
|Z|We sell replacement parts and add-ons for even bigger margins|
The truth is that the hardware firewall does belong at the Internet edge of the network. But not for the reasons the "firewall experts" proclaim. The actual reason is that while traditional firewalls cannot provide a high level of actual security for modern Internet connected networks, they can pass packets very quickly and do stateful packet filtering. The speed is very important for organizations that have multi-gigabit connections to the Internet. High security, application layer aware firewalls cannot handle this volume of traffic and provide the deep application layer stateful inspection required of a modern network firewall.
That is why the hardware firewalls should be placed on the Internet edge. They can handle the high volume of traffic, perform basic packet filters and allow inbound (outbound access control isn’t very effective for high speed packet filtering firewalls at the Internet edge) traffic only to services that you intend to provide to remote users.
For example, if you intend to provide only HTTP, HTTPS and IMAP4 access to resources on the corporate network, the high speed stateful packet filtering firewall will only allow new inbound connection requests for TCP ports 80, 143 and 443. The high speed packet filtering firewall can quickly determine the destination port and validity of the layer 4 and below information, and accept or reject the traffic. While this approach provides a small measure of security, it is far from what is required to protect modern networks.
So the next time you hear something quack "I wouldn’t be comfortable without having a PIX or Checkpoint in front of the ISA firewall", you’ll know that he’s right, but his discomfort is based on all the wrong reasons because he doesn’t understand that you increase security as you move inward, not reduce it.
Ring 2 is the Backbone Edge that marks a line between the internal interfaces of the Internet Edge firewalls and the external interfaces of the backbone segment firewalls. The figure below shows the placement of the four Backbone Edge firewalls surrounding the edges of the corporate backbone network.
The corporate backbone network provides a common network to which all other corporate network segments connect. The total traffic moving inbound and outbound through the backbone firewalls is lower on a per-firewall basis than the Internet Edge firewalls because there are more of them. For example, you might have two high speed packet filtering firewalls on the Internet Edge handling 5 gigabits/second each for a total of 10 gigabits/second between them. There are four Backbone Edge firewalls, and assuming that the load is shared equally among these, each of the Backbone Edge firewalls handles 2.5 gigabits/second.
The Backbone Edge firewalls can start to perform the real work of a network firewall – stateful application layer inspection of both inbound and outbound traffic. Since modern exploits are aimed at the application layer (because that’s where the "money" is), the backbone application layer firewalls do the job of checking the validity of the communications moving through them. For example, if you allow inbound HTTP, the stateful inspection application layer aware firewalls on the Backbone Edge can start to apply real network security by checking the details of the HTTP communication and blocking suspicious connections through the firewall.
This is a good location for the ISA Server 2004 firewall. Since the ISA Server 2004 firewall is the model of a stateful inspection application layer aware firewall, it can perform the heavy lifting required to protect the corporate backbone network and the network inside of it, as well as making sure that inappropriate traffic (such as worm generated traffic) does not cross the Backbone Edge ring. The volume of traffic in this example is not a problem for ISA Server 2004 firewalls, as they have been tested and confirmed to be multi-gigabit firewalls, based on their hardware configuration and firewall rule base.
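The difference between the Internet Edge port filter (TCP 80, 143 and 443) and the Backbone Edge HTTP inspection described above can be shown in a short model. This is an added example, not ISA Server code or its default settings; the policy limits, function names and sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Inbound TCP ports from the article's example: HTTP, IMAP4, HTTPS.
PUBLISHED_TCP_PORTS = {80, 143, 443}

# Hypothetical HTTP policy for this example (not ISA Server defaults).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 2048
MAX_HEADER_COUNT = 50


@dataclass
class Connection:
    dst_port: int
    request: bytes = b""  # first bytes the client sends after the handshake


def packet_filter_allows(conn):
    """Internet Edge decision: destination port only, payload never read."""
    return conn.dst_port in PUBLISHED_TCP_PORTS


def inspect_http(raw):
    """Backbone Edge decision: parse the request head, return (ok, reason)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request head"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_URL_LENGTH:
        return False, "URL too long"
    # A URL that still holds %XX escapes after one decode was encoded twice,
    # which hides its real path from anything that decodes only once.
    if re.search(r"%[0-9A-Fa-f]{2}", unquote(target)):
        return False, "URL not normalized after one decode"
    if len(lines) - 1 > MAX_HEADER_COUNT:
        return False, "too many headers"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            return False, "malformed header line"
        key = name.lower()
        if key in headers and key in ("host", "content-length"):
            return False, f"duplicate {key} header"
        headers[key] = value.strip()
    # Two framing headers let front and back ends disagree on message length.
    if "content-length" in headers and "transfer-encoding" in headers:
        return False, "ambiguous message framing"
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "missing Host header"
    return True, "ok"


def evaluate_inbound(conn):
    """Return (verdict, reason) after both rings have seen the connection."""
    if not packet_filter_allows(conn):
        return "dropped at Internet Edge", "port not published"
    if conn.dst_port != 80:
        return "passed Internet Edge", "no inspector for this port in the example"
    ok, reason = inspect_http(conn.request)
    return ("passed Backbone Edge" if ok else "blocked at Backbone Edge"), reason


# Constructed sample traffic (not captured from a real network).
HOST = b"Host: www.example.com\r\n"
SAMPLES = {
    "normal": Connection(80, b"GET /index.html HTTP/1.1\r\n" + HOST + b"\r\n"),
    "telnet": Connection(23),
    "method": Connection(80, b"TRACE / HTTP/1.1\r\n" + HOST + b"\r\n"),
    "encoded": Connection(
        80, b"GET /docs/report%2520final.txt HTTP/1.1\r\n" + HOST + b"\r\n"),
    "framing": Connection(
        80, b"POST /upload HTTP/1.1\r\n" + HOST
        + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\nabcd"),
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(f"{name:8} filter={packet_filter_allows(conn)!s:5} "
              f"-> {evaluate_inbound(conn)}")
```

Every port 80 sample passes the packet filter, because its decision never looks past the destination port; only the HTTP parser tells the well-formed request from the other three.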
Ring 3 is at the border of the backbone network and the networks that contain the corporate assets. Corporate assets can represent user workstations, servers, departmental LANs, management networks, and anything else you don’t want unauthorized access to. The line between the backbone network and the asset networks is the Asset Network Edge. This is the ring where you need the strongest, most sophisticated level of protection, because if the intruder is able to violate the integrity of this ring, they are in the position to directly access your corporate assets and carry out what may turn out to be a successful attack.
The figure below shows the location of the Asset Network edges in ring 3.
It is at this level that an ISA Server 2004 firewall becomes critical. In contrast to a packet filter hardware device, you need real firewall protection. Simple packet filtering is inadequate when it comes to protecting resources in the network asset ring. Not only must you be able to ensure that all incoming connections are subjected to deep application layer inspection, you must also control what leaves the asset networks using strong user/group based access control.
Strong outbound user/group based access control is an absolute requirement. In contrast to your typical hardware packet filtering firewall that lets everything out, the firewalls at the Asset Network edge must be able to control outbound connections based on user/group based membership. Reasons for this include:
- You must be able to log the user name of all outbound connections so that you can make users accountable for their Internet activity
- You must be able to log the application the user used to access Internet content; this allows you to determine if applications not allowed by network use policy are being used and enables you to take effective countermeasures
- Your organization may be held responsible for material leaving your network; therefore you must be able to block inappropriate material from leaving your network
- Sensitive corporate information may be transferred outside the network from Asset Network locations. You must be able to block this and record user names and applications the users are using to transfer proprietary information to a location outside your network
The ISA Server 2004 firewall is the ideal firewall for the Asset Network edges because it meets all of these requirements. When systems are properly configured as Firewall and Web Proxy clients, you are able to:
- Record the user name for all TCP and UDP connections made to the Internet (or any other network that the user might connect to by going through the ISA Server 2004 firewall)
- Record the application the user uses to make these TCP and UDP connections through the ISA Server 2004 firewall
- Block connections to any domain name or IP address based on user name or group membership
- Block access to any content outside their network based on user name or group membership
- Block transfer of information from the Asset Network to any other network based on user name or group membership
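The outbound control these two lists describe (rules matched on group membership, destination and client application, with every decision logged by user name) can be modeled as follows. This is an added sketch, not ISA Server code or its rule format; the users, groups, host names and `p2pclient.exe` are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed directory data for the example: user -> group memberships.
GROUPS = {
    "alice": {"Finance"},
    "bob": {"Engineering"},
    "carol": {"Engineering", "Contractors"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    groups: frozenset = frozenset()   # empty: applies to every request
    hosts: tuple = ("*",)             # wildcard patterns for the destination
    applications: tuple = ()          # empty: any client application


@dataclass(frozen=True)
class Request:
    user: Optional[str]               # None: client sent no credentials
    application: Optional[str]        # None: client did not report its process
    host: str


# Hypothetical outbound policy, evaluated top to bottom; first match wins.
POLICY = (
    Rule("Block file sharing client", "deny", applications=("p2pclient.exe",)),
    Rule("Contractors: no partner portal", "deny",
         groups=frozenset({"Contractors"}), hosts=("*.partner.example",)),
    Rule("Engineering: partner portal", "allow",
         groups=frozenset({"Engineering"}), hosts=("*.partner.example",)),
    Rule("Finance: banking site", "allow",
         groups=frozenset({"Finance"}), hosts=("bank.example",)),
)


def rule_matches(rule, req):
    if rule.groups:
        # A user-based rule can never match a request that carries no identity.
        if req.user is None or not (GROUPS.get(req.user, set()) & rule.groups):
            return False
    if rule.applications:
        if req.application is None:
            return False
        if req.application.lower() not in rule.applications:
            return False
    return any(fnmatchcase(req.host.lower(), p) for p in rule.hosts)


def evaluate_outbound(req, policy=POLICY, log=None):
    """Return the log record for one outbound request (no match: deny)."""
    matched = next((r for r in policy if rule_matches(r, req)), None)
    record = {
        "user": req.user or "(anonymous)",
        "application": req.application or "(unknown)",
        "host": req.host,
        "rule": matched.name if matched else "Default deny",
        "action": matched.action if matched else "deny",
    }
    if log is not None:
        log.append(record)
    return record


def denied_by_user(log):
    """Accountability view: number of denied requests per logged user name."""
    counts = {}
    for rec in log:
        if rec["action"] == "deny":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    audit = []
    for req in (
        Request("bob", "browser.exe", "docs.partner.example"),
        Request("carol", "browser.exe", "docs.partner.example"),
        Request(None, None, "docs.partner.example"),
        Request("alice", "p2pclient.exe", "bank.example"),
    ):
        print(evaluate_outbound(req, log=audit))
    print(denied_by_user(audit))
```

The request with no user name falls through every group-based rule to the default deny, which is why the article ties these capabilities to clients that actually send the firewall a user name and application.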
All this deep application layer stateful inspection and access control requires processing power. That’s why you should size your servers appropriately to meet the requirements of powerful stateful application layer processing. Fortunately, even with complex rule sets, the ISA Server 2004 firewall is able to handle well over 1.5 gigabits/second per server, and even higher traffic volumes with the appropriate hardware configuration.
The last ring, Ring 4, is the Host-based Security ring. This represents the junction between the host systems and the network to which they are directly attached. The figure below shows the position of ring 4.
Approaches to host-based security are somewhat different than what you see with network firewall protection, but the principles are the same. Host based security requires that you control what is allowed inbound and outbound to the host machine and that the applications on the hosts are designed with security in mind. Some of the things you should consider when dealing with the Host-based Security ring include:
- Using a Host-based firewall to control what incoming and outgoing connections are allowed and what applications can send and receive data. This is the typical "personal firewall" approach, but can be expanded to support Server applications in addition to providing personal firewall support for user workstations
- IPSec policy (on systems that support it) can be used to control what is allowed inbound and outbound from and to specific hosts. If a particular workstation or server does not need to connect to all possible computers, you can lock them down using IPSec policies to limit connections to a predefined collection of machines
- Applications and services running on the hosts must be designed with security in mind. That means these applications and services are not vulnerable to common attacks such as buffer overflow and social attacks (such as HTML e-mail exploits and opening attachments)
- Antivirus software must be used to block viruses that come from other network locations or are introduced by compromised hotfixes and software
- Anti-scumware software must be installed on the machines to prevent adware and other malicious software from being installed on them
- Anti-spam software must be installed on the machine, if an e-mail client is installed. Anti-spam software should also be installed on SMTP relays that handle inbound and outbound mail, not only to block spam that carries a potentially dangerous payload, but also to reduce losses in employee productivity related to spam
- Users and installed services should run with least privilege, to limit the impact malicious software can have should it be executed. For example, a lot of adware, scumware, spyware, viruses, and rootkits will fail to install if the compromised user account does not have admin or power user rights
The Host-based security ring is the last defense. The ISA Server 2004 firewall and the Asset Network can help with this to a certain extent, but no firewall can completely make up for weaknesses found at the host layer. Network firewall security is helpful for controlling access from corporate network to corporate network, and against attacks coming from non-local networks that must traverse the ISA Server 2004 firewall, but only host-based security can handle attacks coming from the local network where the connection does not traverse a network firewall.
Now that you have a good grounding in the varieties of security perimeters, you realize that comments like "I wouldn’t feel comfortable putting an ISA firewall in without putting a PIX or Checkpoint in front of it" are akin to saying "I wouldn’t feel comfortable putting an ICBM missile silo in unless I can put a poodle in front of it".
Note that for smaller networks that might have a single ring, which is the Internet Edge ring, the entire discussion is moot. The only reason to put a packet filtering traditional firewall in front of the ISA firewall is to waste money. You’d be better off buying two ISA firewalls, or buying two sophisticated application layer firewalls, with the ISA firewall behind the other application layer firewall, so that the ISA firewall can implement the strong user/group based security you require.
ISA Firewall Fallacies
Now let’s get to answering some of my favorite ISA firewall fantasies. These include:
- Software firewalls are inherently weak. Only hardware firewalls can be trusted to secure a network
- You can’t trust any service running on the Windows operating system to be secure. You could never secure a firewall running on a Windows OS
- ISA machines make for good proxy servers, but I need a real firewall to protect my network
- ISA firewalls are just glorified versions of Proxy 2.0
- ISA firewalls run on an Intel hardware platform, and only firewalls that have all "solid state" components can be a firewall. A firewall should have no moving parts if you want to consider it to be a firewall
- "I have a firewall and an ‘ISA Server’"
- A real firewall should be a nightmare to configure and ideally, should use a CLI to make it accessible only to highly trained individuals
Let’s take each of these ISA firewall fallacies one at a time.
Software Firewalls are Inherently Weak
As an ISA firewall admin, you’ve probably run into network and firewall admins who:
- Never heard of an ISA firewall
- Think it’s some sort of caching server, akin to the old CacheFlow product (purchased by Bluecoat) or Squid, or
- Believe hardware firewalls are inviolate and so-called "software" firewalls are as penetrable as warm custard and thus incapable of protecting the perimeter or network datacenter
Teaching the guys who never heard of an ISA firewall can be a rewarding experience. You can tell them about how an ISA firewall provides strong inbound and outbound access controls in ways that no other firewall can, how it blocks file sharing, peer to peer programs, how it prevents malicious users from violating network security policies such as downloading copyrighted material, how the ISA firewall provides superior protection for Microsoft Exchange services including OWA, OMA, ActiveSync and MAPI/RPC, and its ease of configuration blows away all other firewalls on the market (if you don’t believe it, look at Checkpoint NG’s Byzantine management interface).
The other two guys test my patience.
First, there’s the "ISA is a Web Proxy or caching server thingie, I think" guy. This guy probably read some industry rag or attended a conference where a security or firewall "guru" who’s never seen an ISA firewall proudly and oracularly stated: "ISA is an update to Proxy Server 2.0".
What’s up with that? ISA firewalls are honest-to-goodness, enterprise class firewalls that provide the strong inbound and outbound access control and application layer filtering you need to protect today’s networks, not the networks of yesteryear at which traditional packet filter based firewalls are aimed. What really drives me to the point of distraction is that these guys have a really hard time letting go of the Proxy 2.0 fantasy. Yet, unless they’re untrainable, you can usually disabuse them of their misconceptions.
The "hardware firewalls descended from heaven" people are the most difficult. They’ve been told over the years that hardware (ASIC-based) firewalls are the "acme" of all possible firewalls, and any firewall not based on ASIC is a lowly software firewall and doesn’t even deserve the name of "firewall". One wonders how they reconcile their dogma with the fact that the number one selling firewall product is CheckPoint, a (gasp!) software based firewall. I have to put the ASIC true believers group with those who still believe the earth is flat, believe the Universe revolves around the earth, and are sure that the Moon follows them when they walk home from a big night at Pizza Hut.
The hardware firewall fantasy is actually based on a historical reality. In the past, firewalls could provide a reasonable level of security and performance using simple packet filtering mechanisms that look at source and destination addresses, ports and protocols, and make quick decisions. Since the logic is "burnt-in" to the ASIC (Application Specific Integrated Circuit), it’s not easy to hack the basic system. However, attackers have learned that you don’t need to hack the core instruction set to get around the relatively poor security hardware based systems provide.
You can find an excellent article debunking the myth of ASIC superiority at http://www.issadvisor.com/viewtopic.php?t=368. The author makes a very good argument that hardware firewalls will never be able to keep pace with modern threat evolution and that one-box software based firewalls are the future of the network firewall. Therein lies the massive advantage conferred by your ISA firewall: it can be quickly upgraded and enhanced to meet not only today’s threats, but also the exploits against which you’re sure to need defense in the future.
The ISA firewall, be it ISA Server 2000 or ISA Server 2004, is the ideal mainline enterprise firewall (mainline in the context that it protects mission critical systems). The problem is the members of the critical chorus who have swallowed the ASIC pill and can’t accept this fact.
For example, the article at http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss346_art676,00.html extends the misconception that ISA firewalls aren’t suited to be enterprise perimeter firewalls. The problem is that comments such as "ISA 2004 isn't going to replace mainline, perimeter firewalls, nor is it intended as a sole layer of protection for Microsoft apps, but it's a pretty good addition to the layers of the security onion" imply that there is only a single network or security perimeter. By the way, who said it’s "not intended" for protecting Microsoft services?
Like most commentators who make similar statements, those who say this never come up with reasons supporting their de profundis assertions. It’s especially problematic when some of the assertions, such as ISA not providing a high level of protection for Microsoft apps, run so far afield from the facts that it ends up sounding like a canard.
The fact is enterprise networks contain many security perimeters, as you learned earlier in this article. No, I wouldn’t want the ISA firewall at the Internet edge or at edges of very high traffic backbone segments, because only a simple, fast packet filtering firewall can meet the packet-passing performance requirements for these very high volume segments.
However, it is important to realize high-speed packet passing with simple packet filters and "fix-ups" does not equal acceptable security – these hardware based packet passing firewalls are useful for very high traffic perimeters, but are of little or no use at the perimeters bordering the server and client systems (ring 3 – the Asset Networks) because of their lack of deep application layer intelligence.
So, the next time you run into a firewall or security expert proselytizing the impenetrability of "hardware" firewalls and debasing "software" firewalls, belly up to the bar and give the "firewall expert" a strong reality check. He might just be salvageable and the network he ends up saving with the ISA firewall might be his own.
You can’t trust any service running on the Windows operating system to be secure
I’m often asked how we can run ISA Server 2004 firewalls on a machine running the Windows operating system, given the number of security bug fixes for the base operating system. It’s a good question. Here are highlights you should consider regarding the issue of the underlying Windows operating system and running the ISA firewall on top of it:
- Not all hotfixes apply to the ISA Server 2004 firewall. Many of these hotfixes are services based. Since you don’t run client or server services on the ISA Server 2004 firewall machine, most of the hotfixes are irrelevant
- Some hotfixes do address issues with the core operating system components, such as RPC (which the Blaster worm took advantage of). Since the ISA Server 2004 firewall applies security policy to all interfaces, you would have to create a firewall policy allowing the attacker access to the firewall. In the specific case of RPC, the secure RPC filter blocks Blaster and related attacks. IIS problems are a non-issue, because you do not run IIS services (with the exception of maybe the IIS SMTP service) on the firewall. Other services are only accessible if you allow access to the ports on the firewall. A properly configured ISA Server 2004 firewall therefore is infinitely more secure than the base operating system because network access to the firewall is severely truncated
- Other hotfixes apply to stability issues. You will need to apply these hotfixes and service packs. However, all firewall vendors issue regular fixes (if they don’t then they’re not paying attention and their software is vulnerable, even if they don’t know it, and even if they haven’t acknowledged the vulnerabilities to you).
- Some hotfixes require restarting. You can schedule the restart for a convenient time. Note that you do not need to install all hotfixes because not all of them, or even a significant number of them, apply to your ISA Server 2004 firewall. The number of restarts required should be negligible.
- If you can’t trust any services running on a Windows operating system, then how can you trust the underlying OS for your Exchange, SQL, SharePoint and other Microsoft server installations?
- The underlying OS on the ISA Server 2004 firewall can be hardened. In fact, there is a profile in the Windows Server 2003 SP1 Security Configuration Wizard (SCW) that allows you to harden the underlying OS automatically using the SCW.
- You can harden the underlying OS manually if you don’t want to use the SCW or don’t have access to it. There will be an OS hardening guide released concurrently with ISA Server 2004 that walks you through the process of hardening the underlying OS while leaving the ISA Server 2004 firewall services unaffected. This was a significant issue with ISA Server 2000, because many of us attempted to harden the OS, which led to some unexpected side effects.
ISA Firewalls make good Proxy Servers, but I need a Real Firewall to Protect My Network
It’s true ISA Server 2004 is a great proxy server. In fact, ISA Server 2004 is a proxy firewall, which is the most sophisticated and secure type of firewall available.
The conventional packet filtering firewall uses very simple mechanisms to control inbound and outbound access: source and destination port, source and destination IP address, and for ICMP, source and destination IP address together with ICMP type and code. Packet filters must be explicitly created for each inbound and outbound connection. More sophisticated packet filters can dynamically open response ports. ISA Server 2004 firewalls are able to dynamically open ports via their dynamic packet filtering feature.
The "circuit layer" firewall is akin to what most commentators refer to as the "stateful firewall". It should be noted that the term "stateful" can mean whatever you want it to mean. It was introduced as a marketing term, and like most marketing terms, was designed to sell product, not to quantify and specify any specific feature or behavior. However, most people think of stateful filtering (in contrast to stateful inspection) as a mechanism where the stateful packet filter tracks connection state at the transport (layer 4) level. TCP includes information within the protocol that defines connection state, while UDP does not. Because of this, UDP communications must have a pseudostate enforced by the stateful filtering device. Stateful filtering is helpful in protecting against a number of sub-application layer attacks, such as session hijacking.
The term "packet" refers to layer 3 (network layer) and below. However, the term stateful filtering refers to tracking connection state, which actually refers to layer 4 processes. However, given that the term "stateful" means nothing in and of itself, the term "stateful filtering" is just as good as any when describing the tracking of transport layer connection state.
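The following sketch shows transport layer state tracking as described above, including the pseudostate a filter has to invent for UDP. It is an added example, not code from this article or from ISA Server; the class name, the state names, the 30-second UDP idle timeout and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value, real devices make this configurable


@dataclass
class StatefulFilter:
    """Hypothetical layer 4 filter: inside hosts initiate, outside hosts may only answer."""
    tcp: dict = field(default_factory=dict)  # (inside, outside) -> handshake state
    udp: dict = field(default_factory=dict)  # (inside, outside) -> time of last activity

    def outbound(self, proto, inside, outside, now, flags=""):
        """Record the state implied by a packet leaving the protected network."""
        key = (inside, outside)
        if proto == "udp":
            self.udp[key] = now                      # create or refresh the pseudostate
        elif flags == "S":
            self.tcp[key] = "SYN_SENT"               # TCP carries its own state: SYN opens
        elif flags == "A" and self.tcp.get(key) == "SYN_ACK_SEEN":
            self.tcp[key] = "ESTABLISHED"            # third step of the handshake
        elif "R" in flags or "F" in flags:
            self.tcp.pop(key, None)                  # simplified teardown
        return "allow"

    def inbound(self, proto, outside, inside, now, flags=""):
        """Pass an arriving packet only if it fits state created from the inside."""
        key = (inside, outside)
        if proto == "udp":
            last = self.udp.get(key)
            if last is None or now - last > UDP_IDLE_TIMEOUT:
                self.udp.pop(key, None)              # UDP has no FIN; idle time ends the flow
                return "drop"
            self.udp[key] = now
            return "allow"
        state = self.tcp.get(key)
        if state == "SYN_SENT" and flags == "SA":
            self.tcp[key] = "SYN_ACK_SEEN"
            return "allow"
        if state == "ESTABLISHED" and "S" not in flags:
            if "R" in flags or "F" in flags:
                del self.tcp[key]
            return "allow"
        return "drop"                                # unsolicited or out of sequence


def demo():
    """Run a constructed packet sequence (documentation addresses) through the filter."""
    fw = StatefulFilter()
    client, web = ("10.0.0.5", 40000), ("203.0.113.10", 80)
    dns, stranger = ("203.0.113.53", 53), ("198.51.100.7", 80)
    results = [fw.inbound("tcp", stranger, client, 0.0, "A")]   # ACK with no tracked flow
    fw.outbound("tcp", client, web, 1.0, "S")
    results.append(fw.inbound("tcp", web, client, 1.1, "A"))    # ACK that skips the SYN-ACK
    results.append(fw.inbound("tcp", web, client, 1.2, "SA"))   # proper handshake reply
    fw.outbound("tcp", client, web, 1.3, "A")
    results.append(fw.inbound("tcp", web, client, 1.4, "PA"))   # data on established flow
    fw.outbound("udp", client, dns, 2.0)
    results.append(fw.inbound("udp", dns, client, 2.1))         # reply inside the idle window
    results.append(fw.inbound("udp", dns, client, 40.0))        # same flow after it went idle
    return results


if __name__ == "__main__":
    print(demo())
```

Note that nothing in this filter looks past the TCP or UDP header, which is the limit the rest of this section is concerned with.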
Most commodity firewalls stop there. They perform simple packet filtering, dynamic packet filtering, and stateful packet filtering (stateful filtering). These firewalls often provide advanced routing features, which places them more in the class of a network router than a true modern firewall. In contrast, ISA Server 2004 routing features are less impressive than you see in traditional packet filter firewalls.
As we’ve discussed earlier, the packet filter firewall is useful on Ring 1 (the Internet Edge) because of its processing speed. The primary problem with these firewalls is they do not provide the level of protection required to stop exploits from reaching Rings 2 and 3, where advanced application layer inspection must be performed.
This is where the proxy firewalls enter the equation. A proxy firewall is able to inspect the entire content of an application layer communication by reconstructing the entire application layer message. For example, the proxy firewall reconstructs the entire HTTP message, examines the commands and data, statefully inspects the contents and compares those with the application layer rules, and then passes or blocks the communication based on the application layer rules configured for the HTTP protocol.
For example, one of the more common HTTP exploits is the directory traversal attack. Many popular worms take advantage of directory traversal to access executables on the Web server that allow the attacker to take control of the Web server. For example, the following URL:
executes the cmd.exe file and runs the "dir c:\" command which lists all files in the C:\ directory. Note the "%5c" string. This is a Web server escape code. Escape codes represent normal characters in the form of %nn, where nn stands for a two-character entry. The escape code "%5c" represents the character "\". The IIS root directory "enforcer" might not check for escape codes and allow the request to be executed. This is because the Web server understands escape codes and executes the command.
Escape codes are also very useful for bypassing poorly written filters enforced on input received from users. If the filter looks for "../", then the attacker could easily change the input to "%2e%2e/". This has the same meaning as "../", but is not detected by the filter. The escape code %2e represents the character "." (dot). The ISA Server 2004 firewall, being a sophisticated stateful inspection (application layer aware) firewall, easily blocks these exploits.
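The sketch below puts the poorly written filter described above next to one that decodes escape codes before checking for traversal. It is an added example, not code from this article and not how ISA Server's HTTP filter is implemented; the function names, the decode-round limit and the sample paths are constructed for illustration.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumed limit; deeper nesting of escape codes is treated as hostile


def naive_filter(raw_target):
    """The weak check from the text: look for the literal string '../' and nothing else."""
    return "block" if "../" in raw_target else "allow"


def canonicalize(raw_target):
    """Decode %nn escapes until the path stops changing, then unify the separators."""
    path = raw_target.split("?", 1)[0]          # inspect the path part of the request target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:                     # stable: no escape codes left to expand
            return path.replace("\\", "/")      # treat "\" (for example from %5c) as "/"
        path = decoded
    raise ValueError("escape codes nested too deeply")


def inspecting_filter(raw_target):
    """Block when any path segment of the canonical form is '..'."""
    try:
        path = canonicalize(raw_target)
    except ValueError:
        return "block"
    if any(segment == ".." for segment in path.split("/")):
        return "block"
    return "allow"


# Constructed request paths: the same traversal written four ways, plus two harmless ones.
SAMPLES = [
    "/docs/index.html",
    "/docs/file..name.txt",
    "/docs/../private/report.txt",
    "/docs/%2e%2e/private/report.txt",
    "/docs/..%5cprivate%5creport.txt",
    "/docs/%252e%252e/private/report.txt",
]


def compare(samples=SAMPLES):
    """Return (path, naive verdict, inspecting verdict) for each sample."""
    return [(s, naive_filter(s), inspecting_filter(s)) for s in samples]


if __name__ == "__main__":
    for path, naive, inspecting in compare():
        print(f"{path:40} naive={naive:5} inspecting={inspecting}")
```

The naive filter catches only the third sample; the inspecting filter blocks all four traversal spellings and still allows "file..name.txt", because it compares whole path segments rather than substrings.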
Proxy firewalls have the potential to block exploits for any application layer protocol. Other application layer protocols include SMTP, NNTP, Instant Messaging protocols, POP3, IMAP4 and others. Blended firewalls like ISA Server 2004, which combine stateful filtering and stateful (application layer) inspection, can easily be upgraded with software to block the most recent application layer attack. In contrast, the packet filter firewalls are totally unaware of application layer attacks, and even hardware firewalls with rudimentary application layer inspection cannot be quickly upgraded to meet the latest application layer exploit because of the limits of ASIC (hardware) processing and development.
So, the next time you hear that "ISA is a nice proxy", remind the uninitiated commentator that only proxy firewalls have the ability to protect your asset networks and that not using them shows what we consider to be a significant lack of due diligence.
ISA Firewalls are Glorified Versions of Proxy 2.0
If you hear this one, you really know that you’re conversing with the clueless. Proxy 2.0 was a Web proxy server built on the IIS WWW service. In contrast, the ISA Server 2004 firewall has no dependency on IIS and all interfaces are subject to firewall policy. In addition, the ISA Server 2004 firewall applies firewall policy to VPN remote access and VPN site to site connections.
When you run into someone who compares Proxy 2.0 with an ISA Server 2004 firewall, walk away. The person you’re talking with is incompetent and arguments with incompetents never get you anywhere.
ISA firewalls run on an Intel hardware platform and Firewalls should have "no moving parts"
I’ve heard this one a number of times and it always leaves me scratching my head. Why does the firewall require no moving parts and my Exchange Server, SQL Server, Web Server, FTP Server and any other mission critical service not require the absence of moving parts? Here are some advantages to using the Intel PC based platform for firewalls:
- When the memory, processor or network card goes bad on the device, you can replace it at commodity hardware prices. You do not need to go back to the solid state hardware vendor and pay premium prices for their hacked up versions of hardware components
- When you want to upgrade memory, processor, storage, NIC, or any other component, you can use commodity hardware and add that to your machine. You do not need to go to the source hardware vendor to obtain overpriced upgrades to your box
- Because the ISA Server 2004 software is hard disk based, you do not have the memory and storage restrictions of solid state devices. You can install on-box application layer filters, increase the cache size, tweak performance and security settings, and perform fine-tuned customizations required by your environment
- The "no moving parts" aspect pertains primarily to hard disks. Hard disk MTBF values are in years. Even lowly IDE drives last 3+ years with normal use. And when the disk fails, the ISA Server 2004 firewall configuration is easy to restore because the entire configuration is stored in a simple .xml file. You can be up and running within 15 minutes with the right disaster recovery plan. Compare that to fried memory in a hardware device where the entire device must be returned to the manufacturer
The disaster recovery aspect is perhaps the most compelling reason for using a "software" firewall. A single ISA Server 2004 firewall, or an entire array of 10 ISA Server 2004 firewalls can be rebuilt in a matter of minutes without having to replace the entire box or requiring you to obtain hardware pieces from the vendor. And if you’re using removable drives, it’s a no-brainer to be up and running for the entire array in less than 30 minutes!
"I have a firewall and an ‘ISA Server’"
I can’t tell you how many times I’ve heard this one. "I’ve got a firewall and I want to place an ISA Server behind it, how do I do that?" These comments come from ISA fans, so I know there’s no intent to denigrate the ISA firewall. Instead, this is an indication that the ISA firewall admins don’t realize that ISA firewalls are the firewalls for their network and the packet filters they put in front of the ISA firewalls are typically performing basic packet filtering which helps with processor off-loading.
This fallacy is easily corrected by saying "I have a packet filtering firewall in front of my ISA firewall, how do I get them to work together?" or "I have a Sonicwall in front of my ISA firewall, how do I get them to work together?"
To be fair, I have to admit that not everyone uses the ISA Server 2004 firewall as a firewall. You do have the option to install the ISA Server 2004 firewall in single NIC mode, which is comparable to the "cache only" mode that ISA Server 2000 included. In single NIC mode, the ISA Server 2004 firewall is caponized. Most of the firewall functionality is removed and the machine provides limited functionality as a Web proxy server only.
This is not to imply that the ISA Server 2004 firewall in single NIC mode is not secure. Enough of the firewall functionality is left in place to allow the ISA Server 2004 firewall to protect itself, and to secure the Web proxied connections made through the single NIC ISA Server 2004 firewall. The ISA Server 2004 single NIC firewall only allows connections to itself that you explicitly allow, via the firewall’s system policy. The only connections it allows to corporate network hosts are those you explicitly allow via Web Publishing Rules and the only outbound connections that can be made through the single NIC ISA Server 2004 firewall are those you allow via a truncated HTTP/HTTPS only list of Access Rules.
While I would prefer to see all organizations use the ISA Server 2004 firewall for its intended use, which is as a full featured, blended stateful packet filtering and blended stateful inspection application layer firewall, I do realize larger organizations have spent literally millions of dollars on other firewall solutions. These organizations do want to benefit from the reverse proxy components for superior OWA, OMA, ActiveSync and IIS protection. For this reason, it’s important to point out that the ISA Server 2004 firewall, even in its crippled single NIC mode, provides a high level of protection for forward and reverse proxy connections.
Why ISA Belongs in Front of Critical Assets
We’ve covered a lot of ground, so let’s sum up the reasons for why the ISA Server 2004 firewall belongs in front of your critical network assets:
- ISA Server 2004 firewalls run on commodity hardware, which keeps costs in check while allowing you the luxury of upgrading the hardware with commodity components when you wish to "scale up" the hardware platform that ISA Server 2004 firewall runs on
- Being a "software" firewall, the firewall configuration can be quickly upgraded with application aware enhancing software from Microsoft and from third-party vendors
- Being a "software" firewall, you can quickly replace broken components without returning the entire firewall to the vendor or requiring that you have several hot or cold standbys waiting in the wings
- The ISA Server 2004 firewall provides sophisticated and comprehensive application layer filtering, in addition to stateful packet filtering. The stateful application layer and stateful packet filtering protect against common network layer attacks and modern application layer attacks
- The ISA Server 2004 firewall should be placed behind high-speed packet filtering firewalls if you have a very high speed connection to the Internet. This is especially important on networks with multi-gigabit connections. The packet filtering firewalls reduce the total amount of traffic each back end ISA Server 2004 firewall needs to process. This reduces the total amount of processing overhead required on the ISA Server 2004 firewalls and allows the ISA Server 2004 firewalls to provide the true, deep application layer stateful inspection required to protect your network assets
- While the ISA Server 2004 firewall can’t match the pure packet passing capabilities of traditional hardware ASIC based firewalls, the ISA Server 2004 firewall provides a much higher level of firewall functionality via its stateful packet filtering and stateful application layer inspection features
- The ISA Server 2004 firewall is able to authenticate all communications moving through the firewall. This provides for strong user/group based authentication to and from the vital asset networks. Ideally, another non-authenticating ISA Server 2004 firewall is placed in front of the authenticating ISA Server 2004 firewall so that stateful application layer and packet filtering is done before connections reach the ISA Server 2004 firewalls that perform authentication
A Better Network and Firewall Topology
At this point we’ve put to rest the notion that ISA firewalls aren’t as secure as packet filter firewalls. With that in mind, where exactly should we place the ISA Server 2004 firewall?
The answer depends on the size of your network and the number of rings or security zones you need to protect. If you have a large network, then the four ring approach we discussed will work best, with the Backbone and Asset Networks protected by ISA Server 2004 firewalls. The Backbone Network ISA Server 2004 firewall is configured for full stateful filtering and stateful application layer inspection without outbound access controls, while the Asset Network ISA Server 2004 firewalls provide stateful filtering and stateful application layer inspection as well as inbound and outbound user/group based access controls.
The figure below recaps this configuration.
Simple network configurations may not have multiple rings or multi-gigabit network connections. In these networks, there is no reason for a fast packet filtering firewall at the Internet Edge ring. You can use only ISA Server 2004 firewalls and rest assured that you have the best firewall protection available.
If you want to host publicly accessible services on a DMZ segment between the Internet Edge and the Asset Edge, you can place two ISA Server 2004 firewalls in sequence. This represents your DMZ segment. You can safely and confidently place the ISA Server 2004 firewall at the Internet Edge and be confident that you have a higher level of security and access control than you would have with a conventional packet filtering firewall. In addition, you can configure the Internal (back-end) ISA Server 2004 firewall for strong inbound and outbound user/group based access control.
The figure below depicts this type of configuration.
The simplest configuration requires a single firewall situated at the Internet edge. In that case, you can place a single ISA Server 2004 firewall at the Internet Edge and benefit from its full firewall functionality knowing that it provides your network a far higher level of security and protection than what you would derive from a simple high speed packet filter based firewall.
Old Dogs and New Tricks
As the old saying goes, it takes a while before you can teach an old dog new tricks. ISA Server 2004 is the market leader in blended packet filter/proxy firewalls and the ISA firewall line continues to improve with each incarnation. However, it's going to take some time before the traditional firewall administrators get out of the mindset that they need to put weaker devices in front of stronger ones and that you can’t secure a Windows based firewall.
While I see the tide slowly turning in this regard, it takes continuous education and reinforcement to educate busy and misinformed firewall administrators, network administrators and network security officers. Traditional packet filter firewall admins still think in terms of "opening a port" and that particular TCP or UDP ports equate to network services. Only after they begin learning about modern firewalls, like ISA Server 2004, will they appreciate the risks they put their core assets at by using conventional stateful packet filter firewalls.
The take home message: ISA Server 2004 firewalls are full fledged network firewalls that provide a higher level of security than you can get from traditional packet filter firewalls. ISA Server 2004 firewalls provide a very high level of security on the front-end with the rate limiting factor being throughput for multigigabit connections. But if throughput issues aren’t a concern, do not hesitate to make the ISA Server 2004 firewall both your front-end and back-end firewall.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=000167 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom