SOX and HIPAA compliance requires that you exercise tight control over information moving between the protected network and the Internet. In order to meet these requirements, you must use an advanced stateful packet and application layer inspection firewall, such as the ISA Firewall. Simple firewalls such as the outdated PIX or similar "hardware" firewalls clearly don't meet these requirements.
What makes the ISA Firewall so secure? Check out this list of checks and tests the ISA Firewall Team does to make sure your company meets the high security requirements suggested by SOX and HIPAA:
- Threat Modeling – Together with subject matter security experts we performed a security design review for each component to identify design weaknesses, evaluate security architecture, identify threats to be tested and ensure that default settings are secure.
- Manual and Automatic Code Reviews – We've ensured that all code undergoes human code reviews and that that all issues detected by static code analysis tools, such as PREfast, are fixed, to ensure code has no vulnerabilities.
- 3rd party penetration (pen-testing) – We employed the services of the best pen-test companies in the industry to perform security audit and penetration testing of the product.
- Pen-testing and fuzzing – Our internal pen-test team tested every component for security vulnerabilities, especially buffer overruns. Moreover, to facilitate this work the ISA Server team developed the FuzzGuru fuzzing framework that was later adopted by many other teams in Microsoft and is used to look for buffer overruns and access violations.
- Monitoring public security research – We track security research in areas relevant to ISA Server – HTTP, VPN, PKI, proxies, firewalls, etc. I personally spend hours reading mailing lists, such as BugTrack and DailyDave, reviewing security research papers from DefCon/BlackHat/Usenix and other conferences. I regularly monitor CVEs - security vulnerabilities of other products. For each of them I evaluate whether it or a similar one may affect ISA Server.
- We review the user interface and product documentation to ensure they clearly provide security best practices.
- We regularly ship service packs fixing security vulnerabilities for shipped products, when we find new ones using pen-testing methodologies and tools that emerged since the previous release.
For the complete story on how the ISA Firewall was designed as an edge firewall to protect large enterprises, check out this post by John Neystadt on the ISA Team Blog at http://blogs.technet.com/isablog/archive/2007/07/08/is-it-secure-to-put-edge-firewall-on-windows-box.aspx