Response to Assertions Made by Blue Coat About the ISA Firewall
(This response originally appeared in the February ISAserver.org newsletter. If you would like to be on the cutting edge of ISA firewall news and information, make sure you subscribe to the newsletter. It comes out once a month and we’ll never sell your address information to anyone! Sign up for the newsletter at: http://www.isaserver.org/pages/newsletter.asp)
In a webcast advertised in last month’s ISAserver.org newsletter (http://www.isaserver.org/pages/newsletters/january2006.asp) Blue Coat presented what they considered reasons why ISA firewall owners should switch to a Blue Coast proxy solution. During the webinar, the Blue Coat presenter pointed out five key areas where they considered the Blue Coat proxy solution to be superior to the ISA firewall solution. The five key assertions were:
- The ISA firewall cannot be as secure as Blue Coat proxies because it runs on a general purpose server that has ongoing security vulnerabilities
- The ISA firewall is unable to inspect traffic inside an SSL tunnel
- The ISA firewall is unable to inspect and manage peer-to-peer, instant messaging and multimedia connections
- The ISA firewall has limited support for granular access control
- The ISA firewall’s network performance is inferior to Blue Coat’s proxy performance
In my opinion, the first four are absolutely incorrect, and the fifth one is up for debate. Let’s take a look at each of these areas and see how the ISA firewall actually matches up to the assertions.
1. The ISA firewall cannot be as secure as Blue Coat proxies because it runs on a general purpose server that has ongoing security vulnerabilities
This assertion is based on one of the most common canards out there regarding the ISA firewall solution. As the common storytellers communicate it, "the ISA firewall cannot be secure because it runs on a unsecure Windows platform that must be updated on a regular basis".
The problem with this statement is that they’re comparing apples to oranges. You cannot compare a white box default installation of Windows 2000, Windows XP or even Windows Server 2003 with a machine that runs ISA Server 2004 on a Windows 2003 Service Pack 1 computer that has been hardened and configured with a proper firewall policy.
The reason for this is that in order to exploit any of the alleged vulnerabilities that may appear in the core operating system on which the ISA firewall runs, the intruder must have access to vulnerable operating system services. The only way an intruder can leverage these potential weaknesses is if the ISA firewall administrator has explicitly configured the ISA firewall to accept connections to these services, or has chosen to use the ISA firewall as a workstation or general purpose server.
Since it is a well-known and accepted security practice in the ISA firewall community that extraneous services are never installed on an secure ISA firewall, and that you never allow unsecure communications to the ISA firewall itself, it is extraordinarily unlikely that any attack against an extant vulnerability in the underlying Windows Server 2003 operating system could ever be executed.
A more legitimate comparison is to assess the number of known and reported vulnerabilities discovered in the Blue Coat versus the ISA firewall’s software. Secunia provides a publicly available clearinghouse for this type of information.
Blue Coat vulnerabilities http://secunia.com/search/?search=bluecoat
ISA 2004 firewall vulnerabilities http://secunia.com/product/3687/
Blue Coat has a total of 13 vulnerabilities recorded in the Secunia database, while the ISA 2004 firewall has zero, none, not any, absolutely no known vulnerabilities reported by Secunia. So, given the fact that the ISA firewall protects the underlying Windows operating system from any potential attacks, and the fact that the ISA firewall has no known vulnerabilities as reported by Secunia, what do you think is the rational conclusion of the analysis?
2. The ISA firewall is unable to inspect traffic inside an SSL tunnel
While debunking Blue Coat’s first assertion regarding the ISA firewall took a few minutes of research, blowing away their second statement about the ISA firewall took no time at all. Ever since ISA Server 2000 hit the streets, and continuing with the ISA 2004 firewall, one of the main reasons for deploying an ISA firewall over conventional stateful packet inspection firewalls is the ISA firewall’s unique SSL to SSL bridging feature.
SSL to SSL bridging enables the ISA firewall to provide a secure SSL session from client to server, while allowing the ISA firewall to perform application layer inspection on the information moving through the SSL tunnel. The ISA firewall is able to do this because the client terminates its SSL session at the ISA firewall. This enables the ISA firewall to decrypt the SSL session, expose it to the HTTP application layer inspection engine(s), and then re-encrypt it and forward the connections to the Web server on the corporate network.
While the Blue Coat proxy can also do this, they promote poor network security practices in their own documentation. For example, if you go to the Blue Coat guidance site and review their documentation on how to "securely" publish Outlook Web Access sites (http://www.bluecoat.com/downloads/support/BCS_tb_securing_OWA.pdf), you’ll see that they recommend an unsecure connection between the Blue Coat proxy and the Web site on the corporate network. Attacks can easily intercept user credentials on the unsecure link and harvest user names and passwords of all users, including executive users, who connect to the published OWA server.
3. The ISA firewall is unable to inspect and manage peer-to-peer, instant messaging and multimedia connections
The ISA firewall can be configured, out of the box, to block peer-to-peer, instant messaging and multimedia connections that communication over their native protocols or over an HTTP channel. It’s a simple affair to configure the ISA firewall to block the native protocols used by these applications. However, for those applications that are able to tunnel themselves over an HTTP connection, the ISA firewall’s built-in HTTP security filter can be used to block these applications.
You can see examples of how to block some common applications at the Microsoft Web site at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx and http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/commonapplicationsignatures.mspx
In addition, you can block any application from connecting to key servers required for the P2P, IM or streaming media communications to take place by URL and domain name sets. Microsoft provides guidance on how to do this at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-urldomainnamesets.mspx
Now, unlike what I believe Blue Coat to be, I want to be upfront with you. It’s not always easy to block these unwanted applications. P2P applications use advanced techniques to get around the ISA firewall and instant messengers often use the same firewall circumventing technologies. Streaming media sites often go out of the way to prevent you from blocking them by using traditional methods such as file extensions, MIME types, and application protocol blocking. Unless you have a dedicated team of ISA firewall professionals dedicated to researching these issues, it is very challenging to stay ahead of the curve.
However, you can. for less than half the price of a comparably configured Blue Coat proxy device, add a third party plug-in to take care of all this for you. For example, Websense can be integrated with the ISA firewall to provide powerful protection against P2P, IM, multimedia, spyware, malware, pop-ups, and unapproved Web site traffic. They are able to do this because they have a large team of researchers to study application behavior and enhance the ISA firewall’s application layer inspection engine to block unwanted inbound and outbound communications through the ISA firewall. And the total package of ISA firewall software and hardware with the Websense add-on is about half of what it would cost to have a Blue Coat proxy of comparable hardware and software capabilities.
So it is clear that the ISA firewall is able to control P2P, IM and streaming media communications and it can do it right out of the box, and do it even better with third party application layer inspection add-ons.
4. The ISA firewall has limited support for granular access control
When I read this one, I had to wonder if the presenter or the creators of the Blue Coat Webcast presentation had ever seen or worked with an ISA firewall. Both the 2000 and 2004 versions of the ISA firewall should be consider models of granular inbound and outbound access control. With the ISA 2004 firewall you can control inbound and outbound access based on:
- Local user name or group
- Domain user name or group
- Time of day and day of week
- Simple or complex protocols
- HTTP command and data stream characteristics
- Source address, network, subnet or domain
- Destination address, network, subnet or domain
- MIME type or file extension
- Application used to connect to the Internet (you can block specific applications, regardless of what protocols they use)
- Any combination of the above
- All of the above applies to inbound, outbound and even remote access and site to site VPN connections!
Given the astounding level of granular access control supported by ISA firewall policy, it’s amazing that Blue Coat would make the assertion that the ISA firewall has limited support for granular access controls.
5. The ISA firewall’s network performance is inferior to Blue Coat’s proxy performance
Performance is classically a difficult area to assess. The vendor can do its own tests, pay someone else to do the tests for them, or ask/wait for an unbiased third party to do performance tests for them.
Blue Coat presents the results in a performance head to head over at http://www.bluecoat.de/CMS/imagescms/pressemitteilungen/fallstudieID_23.pdf. There are a number of flaws in the testing scenario that obviate the validity of their conclusion that Blue Coat provides uniformly superior performance over a comparably priced ISA firewall solution:
- They used a white box installation of ISA 2004 without any intelligence applied to the configuration. This is an unrealistic scenario
- They compared a white box installation of the ISA firewall to a vendor hardened and optimized Blue Coat proxy product. This is invalid because a valid test would have compared the vendor optimized Blue Coat product with a vendor optimized ISA hardware firewall product, such as the one provided by Network Engines
- They compared the $20,000USD+ Blue Coat ProxySG 800-2 solution to a sub-$10,000USD ISA hardware and software solution (white box hardware, Windows and ISA)
- They used Windows 2000 SP4, rather than the more secure Windows Server 2003
- They provide no details on how the ISA firewall was configured (or misconfigured) to achieve the results they claim
- They provide no details regarding how the clients were configured (or misconfigured) to achieve the results they claim
It would be sheer conjecture on my part to make assumptions as to how the ISA firewall and client were configured on this test. I am aware that you can configure the ISA firewall and ISA clients to provide the worst possible performance, and there are ways to configure the ISA firewall and ISA clients to provide the best possible performance. You then need to ask yourself, "What is the likely configuration of the ISA firewall and ISA clients in the tests of the ISA firewall against the Blue Coat proxy?"
In addition, you should compare two comparably priced devices. As mentioned, one of the Blue Coat proxy devices is priced at over $20,000USD. A fair comparison would use an optimized ISA firewall, both in hardware and software, at a comparable price. Since the software cost for a white box installation would be about $2500USD, that leaves us to spend $17500 on the hardware. Think about the hardware power you could throw at an ISA firewall solution with that much money left over just for hardware.
For more information on how the ISA firewall should be configured for optimal performance, check out Best Practices for Performance in ISA 2004 at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx
In this review of the assertions made by Blue Coat in their webinar advertised in last month’s ISAserver.org newsletter, I hope that I have been able to achieve my goal of countering what I consider to be inaccuracies and false statements regarding the capabilities of the ISA firewall.
What I did not intend to do is convince you that the ISA firewall is superior to the Blue Coat proxy solution (although this is my belief) or that the ISA firewall is capable of a much more multilayered and sophisticated protection for corporate networks of all sizes (although this is also my belief). What I hope I have accomplished is to provide the intelligent and discriminating ISA firewall administrator with the facts to correct the Blue Coat assertions regarding the ISA firewall’s features and capabilities.