When you work closely with a product you tend to take certain things for granted. This became clear to me when speaking with a number of people at this year’s TechEd. More than a few people mentioned that they needed to put a stateful packet inspection firewall in front of the ISA firewall because they thought the ISA firewall was a proxy device only. This was very strange for me to hear because I’ve known for years that the ISA firewall is a extremely robust stateful packet inspection firewall, on par with any other SPI firewall like PIX, Juniper/Netscreen and Check Point.
I think part of the problem with people not understanding that the ISA firewall is a stateful packet inspection firewall is that there hasn’t been a lot of publicly available information on the ISA firewall’s core firewall feature set. That problem is now solved! Microsoft now has a white paper that you can throw at your auditors and examiners proving the ISA firewall is an industrial strength SPI firewall.
You can find that white paper at: http://www.microsoft.com/isaserver/2006/prodinfo/Firewall_Corewp.mspx
Let me know if there’s more information you’d like to know about the ISA firewall’s core firewall services and stateful packet inspection capabilities and I’ll make sure that information gets to the right people. Send me a note at email@example.com and I’ll do what I can do.