Should You Get an ISA Firewall or the IAG 2007?
At the Worldwide MVP conference last week we had almost a full day of presentations on the IAG 2007. For those of you who don't know what the IAG is, it's the Intelligent Application Gateway -- an industrial-strength SSL VPN solution that enables secure remote access to both Webified and non-Webified applications, in addition to the network firewalling provided by the ISA Firewall, which is installed on the same box as the IAG. The IAG is a Microsoft update to the last version of the Whale SSL VPN product. Microsoft acquired Whale around the middle of 2006.
One of the questions that came up last week was when should you get an ISA Firewall, when should you get an IAG, and when should you get an ISA Firewall and an IAG?
It's a good question because there is a lot of overlap between the ISA Firewall and the IAG. Both products include the ISA Firewall product, which makes them similar. However, the IAG also includes the upgraded Whale SSL VPN components.
The decision on whether to get an ISA Firewall versus an IAG is not always a straightforward one, but I think the decision isn't as hard as it might seem. Here are some key considerations:
- The IAG is designed as an inbound access gateway for SSL VPN, PPTP VPN and IPSec VPN. It can also be used as a site to site VPN gateway. The IAG is not designed for outbound access control.
- The ISA Firewall is designed to be a network stateful packet and application layer inspection firewall, VPN server and site to site VPN gateway, Web proxy and caching server, and secure application publishing server. The ISA Firewall is designed to perform strong user/group access controls for both inbound and outbound access.
- Both the ISA Firewall and the IAG can be configured to provide strong inbound access control via Publishing Rules. For Web Publishing Rules, the IAG is orders of magnitude more sophisticated and more secure than the ISA Firewall. The IAG does not support Server Publishing Rules, so an ISA Firewall would be preferred in this scenario, as it performs application layer inspection on these connections.
- For Web Publishing scenarios, the IAG supports granular policy controls, so that user access is customized based on what type of device is connecting. Application functionality can also be controlled based on the security state of the connecting machine, as the IAG has a very powerful endpoint checking feature (probably the best endpoint checking feature in the SSL VPN industry). The ISA Firewall does not perform any type of endpoint checks for Web Publishing scenarios; endpoint checking is only supported for VPN connections using Remote Access Quarantine Control, which is absurdly complex to configure and typically requires a third-party application such as Winfasoft VPN-Q 2006 or Fred Esnouf's QSS v4.
- The IAG supports three types of "SSL VPN". The first type is Web publishing of Webified and non-Webified applications, the second is socket and/or port forwarding, and the third type is a true SSL VPN, which is network layer VPN connectivity over an SSL tunnel (called the "network connector", similar to what SSTP will provide with Longhorn Server and Vista SP1 https://126.96.36.199/rrasblog/archive/tags/SSTP/default.aspx). The ISA Firewall does not support SSL port/socket forwarding or network level SSL VPN.
- The IAG is significantly more costly than the ISA Firewall. While pricing is not available yet, you can expect to pay at least twice as much (more likely three times as much) for an IAG 2007 appliance compared to an ISA Firewall appliance or software solution.
Given these observations, I think we can come up with the following conclusions:
- If you only need inbound access control (Web publishing and SSL VPN), then the IAG 2007 is the product of choice.
- If you only need inbound access control but are extremely price sensitive, then the ISA Firewall is the product of choice.
- If you need both strong inbound and outbound access control, then the ISA Firewall is the product of choice.
- If you need only strong outbound access control, then the ISA Firewall is the product of choice.
- If you need application layer inspection for non-Web application protocols, then the ISA Firewall is the product of choice.
- If you need strong inbound and outbound access control and the highest level of security for both, then you should purchase both an ISA Firewall and an IAG appliance.
- If you need a network layer SSL VPN, then the IAG is the right decision, regardless of any other considerations, because the ISA Firewall does not support SSL VPN.
In the very near future I'll start posting articles on the IAG 2007 on the ISAserver.org Web site and we'll start supporting it on the Web boards. Remember, the IAG has the ISA Firewall on it, so it's completely appropriate as an edge device as the ISA Firewall has never been compromised and has no security issues reported on the www.secunia.com Web site (unlike most of the "hardware" firewalls you might be familiar with). Given that the IAG is an ISA Firewall based device, it's appropriate that we cover it here on ISAserver.org.
If you want to play with the IAG 2007 now, you can download the IAG 2007 hands-on labs over at http://www.microsoft.com/forefront/edgesecurity/privacy.mspx