I’ve had a number of encounters with customers and consultants lately that remind me of a situation that I’ve been aware of for years. Did you know that most people don’t actually know what the ISA firewall is and what it does? I think some of the confusion is related to the name of the product. First, there is the “Internet Security and Acceleration” which doesn’t really give you a good idea as to the product’s purpose and function, and second, appending the term “Server” at the end of the product name is confusing, because most people don’t associate firewalls as “firewall servers”.
Of course, people could go to the Microsoft Web site and try to figure out what the ISA firewall is and does. But like most of the home pages on the Microsoft.com Web site, it’s very hard to determine what the product is and does from the information on those pages. You see it promoted as a “security gateway”, which is the latest buzz term in the business. You also see it promoted as a “secure application publishing” solution. OK, what’s that in the big scheme of things? The problem that customers and consultants have is that they don’t understand the marketing speak and just need to know what the ISA firewall is and does.
ISA Server 2006 is Microsoft’s newest version of its Internet Security and Acceleration Server product line. Initially introduced in December 2000, ISA Server 2000 was the first version of the ISA Server product. A major revamp of ISA Server was released in May 2004 and christened ISA Server 2004. This major overhaul included significant improvements and put it on par with other major firewall and security gateway products, such as Check Point NG, Cisco PIX/ASA and Blue Coat. ISA Server 2006 was released to the general public in August of 2006.
ISA Server 2006 is a multi-featured and multi-purpose product that can be deployed in a variety of ways to meet the unique requirements of virtually any organization. As an integrated firewall, Web proxy and VPN server and gateway, ISA Server 2006 can be configured to act in each of these roles or be set up to provide only a subset. This flexibility enables you to introduce ISA Server into your network with minimal disruption to your current infrastructure and provide the security services you need.
In order to help you understand what ISA Server or an NS9200 series security gateway appliance can do for you in securing your core network applications and servers, we’ll discuss the following topics:
- What is ISA Server 2006?
- What’s new and improved in ISA Server 2006
- What’s the difference between ISA Server 2006 Standard Edition and Enterprise Edition?
What is ISA Server 2006?
ISA Server 2006 is many products in one. In a single software package you get:
- A network layer firewall
- An application layer inspection security gateway
- Forward and reverse Web proxy and caching server
- Remote access VPN server
- Site to site VPN gateway
A Network Layer Firewall
ISA Server 2006, like Check Point NG and the Cisco PIX/ASA firewall product lines, is a stateful packet inspection firewall. A stateful packet inspection firewall is able to look at the IP (Internet Protocol) information and make sure that attackers don’t take advantage of inherent security vulnerabilities at the network layer. ISA 2006 is able to check and prevent prevalent network layer attacks so that attackers on the Internet, or even in your own organization, are not able to disable or take over the ISA 2006 firewall.
Stateful packet inspection firewalls were state of the art in the 1990s. However, the threat landscape has changed significantly since that time. While malicious users at the end of the 20th century were interested in disabling the firewall and defacing Web sites for personal ego gratification, modern day hackers are more interested in obtaining or destroying corporate information for personal gain. Today’s network criminal is not interested in attacking the firewall or defacing a Web server; he’s more interested in “going under the radar” to steal, change, or destroy data.
Application Layer Inspection Security Gateway
Stateful packet inspection firewalls are unable to determine if there is an attack against a Web server, mail server, FTP server or any other kind of network application. All the stateful packet inspection-only firewall can do is protect you against simple network layer attacks. For this reason, an application layer inspection firewall or security gateway is required.
After ISA Server 2000 was released in December 2000, it quickly became the thought leader in the application layer inspection space. Prior to the release of ISA Server 2000, the Gold Standard for firewalls was the Cisco PIX. The PIX was a simple stateful packet inspection firewall and could not protect networks against the complex application layer attacks that modern hackers were using to steal, change and destroy corporate data.
ISA 2006 continues in the tradition of ISA Server as the leading edge application layer inspection firewall and security gateway. In fact, you’ll see ISA Server described as a “secure gateway” instead of a firewall, because the term firewall is losing its luster due to its heritage as a stateful packet inspection-only device. The ISA 2006 firewall takes both stateful packet inspection and application layer inspection and combines them into a powerful network security gateway solution.
Forward and Reverse Web Proxy and Caching Server
A Web proxy server is a machine that accepts Web connections from Web browsers and other Web enabled applications and forwards those connections to the destination Web server on the behalf of the user making the request. The Web proxy server can accept connections from users on your corporate network and forward them to an Internet Web server or it can accept incoming connections to Web servers and services on your corporate network and forward them to company servers.
When the ISA Server 2006 firewall acts as a Web proxy server, it has full knowledge of the communications being made through it. This enables the ISA firewall’s Web proxy services to provide a significant level of security for Web connections and protects your network from viruses, worms, hacking attempts and more, including identifying and authorizing users before allowing Web connections through the ISA firewall and Web proxy and caching server.
When the ISA firewall’s Web proxy service intercepts Web connections, it can perform many security checks to protect your network. Some of these include:
- Pre-authenticate the user at the ISA firewall and Web proxy and caching server for incoming connections to corporate Web and mail servers. When pre-authentication is enforced by the ISA firewall, it prevents anonymous users on the Internet from connecting to your corporate assets. Since attackers don’t have access to legitimate user credentials, they are unable to attack your Web servers.
- Transparently authenticate users on the corporate network before their connections are allowed to the Internet. This allows the ISA Server to record the user names for all connections made through the ISA firewall and include this information in logs and reports for forensics and regulatory purposes.
- Perform deep application layer inspection on all the Web connections made through the ISA firewall using ISA’s HTTP Security Filter. This application layer inspection filter enables the ISA firewall to “scrub” Web sessions to make sure suspicious and potentially dangerous HTTP commands and data do not compromise your network.
- Control what Web sites users are allowed to access, the time of day the users are able to connect, and even the types of information users can download from the Web. For example, you can use the ISA firewall’s Web proxy features to block access to executable files, streaming media, and documents, such as Microsoft Word files.
- Cache information requested by users to accelerate the Internet experience. When a user on the corporate network requests a Web page, ISA 2006 places that Web page in its Web cache. The ISA firewall stores that information and when another user makes a request for the same Web page, the Web page is returned to the user from the Web cache. This removes the requirement of having to connect to the Internet Web server to retrieve the same page again and reduces the amount of bandwidth needed on the Internet connection and provides users much faster access to the information.
This is just a short list of what the ISA 2006 Web proxy and caching component can do for your company. For comprehensive information on how the ISA firewall’s Web proxy component can secure and accelerate your organization, please see the document Secure Remote and Outbound Internet Access Using ISA Server 2006 Web Proxy.
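To make the “scrubbing” and download-control checks above concrete, here is an added illustration (not ISA Server code, and not the HTTP Security Filter’s actual configuration) of the kind of application layer checks a Web proxy can apply to a request head and a response content type. The policy values, sample requests and hostnames are constructed for the example.

```python
# Added illustration (not ISA Server code): a minimal application layer
# request filter in the spirit of the HTTP Security Filter and download
# controls described above. Policy values and sample traffic are constructed.
from typing import Tuple
from urllib.parse import urlsplit, unquote
import re

POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},
    "max_url_length": 2048,          # constructed limit, not ISA's default
    "max_header_count": 64,
    # Download controls: block executables, streaming media and Word files
    "blocked_extensions": {".exe", ".dll", ".msi", ".asf", ".wmv", ".doc"},
    "blocked_content_types": {"application/x-msdownload", "video/x-ms-asf",
                              "application/msword"},
}

# A packet filter only sees "TCP/80 allowed"; these checks need the HTTP layer.
def inspect_request(raw: bytes, policy=POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for one raw HTTP request head."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"   # high-bit characters
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    method, target, _ = parts
    if method not in policy["allowed_methods"]:
        return False, f"method {method} not allowed"
    if len(target) > policy["max_url_length"]:
        return False, "URL too long"
    if len(lines) - 1 > policy["max_header_count"]:
        return False, "too many headers"
    # Normalise the path: if a second decode still changes it, the URL was
    # double-encoded to slip past the rules; also reject traversal segments.
    path = urlsplit(target).path
    once, twice = unquote(path), unquote(unquote(path))
    if once != twice:
        return False, "double-encoded URL"
    if ".." in once.split("/"):
        return False, "path traversal in URL"
    ext = re.search(r"(\.[A-Za-z0-9]+)$", once)
    if ext and ext.group(1).lower() in policy["blocked_extensions"]:
        return False, f"download of {ext.group(1)} blocked by policy"
    return True, "ok"

def inspect_response_type(content_type: str, policy=POLICY) -> bool:
    """True if the server's Content-Type may be passed back to the client."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime not in policy["blocked_content_types"]

# Constructed sample traffic
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "webdav": b"PROPFIND /share/ HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "exe": b"GET /files/setup.exe HTTP/1.1\r\nHost: dl.example\r\n\r\n",
    "double": b"GET /a/%252e%252e/etc HTTP/1.1\r\nHost: x.example\r\n\r\n",
    "longurl": b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\nHost: x\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, inspect_request(req))
```

Only the first sample passes; the others are refused with a reason that a proxy would log alongside the authenticated user name.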
Remote Access VPN Server
An increasing number of employees need access to information contained on the corporate network when they’re out of the office. Employees need to access Word documents, PowerPoint files, databases and more when on the road or when working from home. Even more important to business continuity is the ability to provide off-site workers access to corporate information in the event of an emergency, when workers might not be able to leave their homes. One of the most secure ways you can provide employees access to this information is by using a remote access VPN server.
A VPN (virtual private networking) server allows users outside the office to connect to the corporate network from a laptop or workstation from anywhere in the world. Once the user creates the secure VPN connection, that user’s computer is like a computer located at the office and can potentially access information from any server within the corporate network.
One of the drawbacks of traditional VPN solutions sold by major VPN server vendors is that once the user connects to the VPN server, that user has access to any resource on the corporate network. The problem with this is that the computers that remote access users use to connect to the corporate network are typically not managed machines and are therefore at higher risk of worm, virus and trojan infection.
The ISA Server 2006 plugs this security hole found in typical “hardware” VPN servers using three powerful methods:
- Strong user/group-based access control and least privilege access for remote access VPN connections
- Application layer inspection on all remote access VPN connections
- ISA 2006 VPN Quarantine Control
Strong User/Group based Access and Least Privilege for Remote Access VPN Connections
ISA 2006 allows you to control user access based on the user account or the user’s group membership. Access policy is enforced on the user so that, in contrast to traditional “hardware” VPN servers, users are allowed access only to the applications they have been given permission to use and no more. VPN users aren’t allowed free access to the entirety of the corporate network – only to the resources they require to get their work done.
Application Layer Inspection on all Remote Access VPN Connections
Survivors of the Blaster worm might recall that they had a false sense of security when they configured their Internet firewalls to block the worm from gaining entry to their network from the Internet. These companies were still infected by Blaster, not from the Internet, but from VPN users. These companies used traditional “hardware” remote access VPN servers that could not perform application layer inspection on the VPN users.
In contrast to the traditional remote access VPN server, ISA 2006 performs both stateful packet and application layer inspection on all traffic moving over the VPN link. Worms like Blaster cannot infect the corporate network over an ISA 2006 VPN connection because the ISA firewall’s smart RPC application layer inspection filter blocks the worm traffic. This ability to inspect application traffic enables the ISA firewall to protect you against compromised VPN client computers in the same way that it protects you from Internet based exploits.
ISA Server 2006 VPN Quarantine Control
For a comprehensive remote access VPN client defense in depth solution, the remote access VPN server should be able to pre-qualify the security status and general system health of the machine connecting through the remote access VPN link. This enables you to be more confident that even unmanaged machines meet minimal security configuration requirements before being allowed to connect to the corporate network.
ISA Server 2006 solves this problem by implementing Remote Access VPN Quarantine (VPN-Q). The VPN-Q feature allows you to configure a set of parameters that VPN client systems must meet before being allowed to access resources on the corporate network. If the VPN client system is not able to pass these security and health checks, you can configure the VPN-Q feature to automatically update and configure the VPN client so that it passes inspection and is then allowed into the network. If the VPN client cannot be fully updated, the connection is dropped. This protects your company from fatally flawed and compromised computers that could attack and destroy your company’s core information assets.
Site to Site VPN Gateway
We all hope that our companies grow large enough to require branch offices. But with the expansion into branch offices comes the increased complexity and expense required to connect those branch offices to the main office network’s resources.
There are a number of options available to provide branch office connectivity to the main office, these include:
- Dedicated WAN links provided by telco providers
- Managed VPN networks provided by telco providers and ISPs
- Corporate managed VPN site to site VPN networks terminated at company VPN gateways
- Limited connectivity via “publishing” of corporate resources
Dedicated WAN links and managed VPNs are a good solution for companies that are immune to cost considerations. These options can be prohibitively expensive, and organizations that are interested in cost control prefer to use corporate managed site to site VPN connections between corporate managed VPN gateways.
A VPN gateway allows you to connect your main office to all of your branch offices over inexpensive Internet connections and do so in a secure fashion. Each ISA firewall and security gateway, at the branch offices and at the main office, enforces strong stateful packet and application layer inspection over the information moving over the site to site VPN links. In addition, all connections made by branch office users are logged and recorded so that you have a comprehensive history of what users at the branch offices have been doing with main office resources.
The ISA 2006 site to site VPN feature set is an integral part of the ISA 2006 branch office gateway role. For a detailed discussion of using ISA 2006 as a branch office security gateway, please refer to the white paper Securing and Accelerating Branch Office Communications Using ISA Server 2006.
What’s New and Improved in ISA Server 2006?
ISA Server’s roots were originally in Microsoft Proxy Server 2.0. ISA Server 2000 represented a major revamp of the Microsoft Proxy Server product and transformed it from a simple proxy server to a full featured network firewall and application layer security gateway. Another major reconstruction of the ISA firewall product line took place, with over 100 improvements and changes, with the introduction of the ISA 2004 firewall. In contrast to previous versions of ISA Server, the new ISA 2006 firewall and Web proxy and caching product represents an incremental change.
The major improvements included with ISA 2006 are focused on secure Web publishing, enhanced branch office performance and reliability and worm/flood protection. Table 1 provides some details of these improvements.
Table 1: New and Improved Features in ISA 2006
Secure Web Publishing
ISA 2006 includes a number of improvements in providing secure remote access to Web servers and services on the corporate network. Some of these include:
- New SharePoint Portal Server Publishing Wizard
- Improved Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS) and Outlook 2003+ RPC/HTTP Web Publishing Wizard
- Increased options for two factor authentication, including SecurID and RADIUS one-time passwords
- New Kerberos constrained delegation enables remote users with laptops and Windows Mobile-enabled devices to use secure user certificates to authenticate to the ISA firewall
- New LDAP authentication allows ISA 2006 to be placed in a high security DMZ and leverage Active Directory users/groups
- Web farm load balancing. This new feature enables you to publish a collection of Web servers that perform the same function or contain the same content and have the ISA 2006 firewall automatically load balance the connections. ISA Server is able to do this without requiring NLB or a hardware load balancer, which greatly simplifies deployment and greatly reduces cost by removing the hardware load balancer
Branch office security gateway
ISA 2006 includes a number of new and improved features that make it the ideal selection for a branch office security gateway. These include:
- HTTP compression of the link connecting the branch office to the main office
- Diffserv Quality of Service (QoS) enables the ISA firewall to participate in Diffserv service groups and provide preferential treatment to connections to mission critical servers
- BITS caching reduces the cost and the load on links connecting the main office to the branch office by reducing the number of requests required for Microsoft updates
- The new site to site VPN wizard makes it easy for a non-technical user to provision a branch office ISA firewall with the help of an answer file created by the main office ISA firewall administrator
Worm and flood protection
ISA 2004 included a basic worm and flood protection feature that prevented the ISA firewall and ISA firewall protected networks from being compromised by worm flood attacks. The ISA 2006 firewall builds on this flood protection and increases the level of security against network flooding by adding many new configurable worm flood protection settings.
Standard Edition or Enterprise Edition?
There are two versions of ISA Server 2006. These are:
- ISA Server 2006 Standard Edition
- ISA Server 2006 Enterprise Edition
ISA 2006 Standard Edition is aimed at the small and medium sized business market of 75-500 users. ISA 2006 Standard Edition is comparable to a PIX or ASA firewall that is being used at a single site either in a lone firewall configuration or a lone firewall with a hot or cold standby. Management of ISA 2006 Standard Edition firewalls is done on a per machine basis.
In contrast, ISA 2006 Enterprise Edition is designed with medium to enterprise sized businesses in mind, where there are several ISA firewalls located at the main office and potentially thousands of ISA firewalls located in branch offices all over the world servicing 500-100,000 users. The Enterprise Edition of the ISA 2006 firewall and Web proxy and caching server provides features required by medium and enterprise sized businesses alike, including centralized management and configuration, throughput in the multi-gigabyte range, and intelligent load balancing and caching leading to optimal uptime and performance for even the largest enterprise environments.
The goal of this article was to let you know about the ISA firewall and help you define its features and capabilities. The ISA firewall is a comprehensive network security solution that provides network edge and perimeter firewall, remote access VPN server, site to site VPN gateway, and Web proxy and caching in a single product.
All of these features can be deployed at the same time on a single device, or you can deploy the ISA firewall using only one or two of these roles. At its core, the ISA firewall is a network firewall on par with Cisco PIX/ASA or Check Point, but with the additional Web proxy and caching functionality that the Cisco and Check Point offerings do not have (unless you want to pay rapacious licensing fees).
The ISA firewall is also a high performance solution, easily supporting over 1.5Gbps stateful packet inspection and over 300Mbps Web proxy application layer inspection. ISA firewalls come in two versions: a Standard Edition for mid-sized businesses without branch offices or HA requirements, and Enterprise Edition, designed for mid-sized to enterprise businesses, who require centralized support for deployment, configuration and management of a globally distributed firewall and Web proxy/caching solution.