If you would like to read the other parts in this article series please go to:
- Teaching the Boss and the Network Guys About the ISA Firewall (Part 1)
- Teaching the Boss and the Network Guys About the ISA Firewall (Part 3)
A perimeter network (sometimes called a “DMZ” or “screened subnet”) is a network segment directly connected to the ISA firewall whose hosts primarily accept inbound connections from outside. Perimeter networks typically host publicly accessible resources such as Web, FTP, SMTP and NNTP servers. Hosts on the perimeter network receive inbound connection requests from external network hosts.
You can use ISA Firewall’s Firewall Rules to publish services hosted on the perimeter network segment or the internal network. Servers that need to be available to Internet users, and that do not need to communicate with internal network services, should be placed on a perimeter network segment. This provides high security because only limited access is allowed between the internal network and the perimeter network segment. In the event that a host on the perimeter network segment is compromised, the internal network is safe because traffic between the internal network and the perimeter segment is severely constrained.
Two ISA Firewalls can be used in a “back to back” configuration at each end of the perimeter network, as shown in the figure below.
Features that make the ISA 2006 firewall the perfect solution for creating a back to back perimeter network include the following:
- Stateful packet inspection on all interfaces of both the front-end and back-end ISA firewalls
- Application layer inspection on all interfaces, including VPN client and gateway connections
- VPN client and server connections on all interfaces
- Ability to authenticate on all interfaces
- Comprehensive logging and reporting for all traffic moving through the ISA firewall’s interfaces
How the ISA Firewall Functions as an Application Layer Filtering Forward or Reverse Web Proxy
Your organization might already have an existing firewall infrastructure that includes both front-end and back-end firewalls. If so, the organization has a large investment in the current firewall infrastructure and will probably prefer to leave it intact. You can still introduce an ISA Firewall into such an environment by deploying it as an application layer inspection Web proxy, which lets you take advantage of its application layer filtering features without replacing the existing firewalls.
A forward Web proxy allows corporate Web clients access to resources on the Internet. The forward Web proxy accepts connections destined to Internet Web servers and forwards them on behalf of the Web clients on the corporate network. The forward Web proxy allows you to configure per user/group access controls on what sites users can access through the Web proxy. This enables the customer to limit user access to only those sites the users need access to in order to complete their work.
A reverse Web proxy allows incoming connections to Web sites hosted by your company. The most popular reverse proxy scenarios for ISA Firewall are those that allow incoming connections to Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync, and SharePoint Portal Servers.
This “cache mode” or “single NIC” configuration is most popular with large organizations because no changes need to be made to the existing network infrastructure. This reduces the political overhead involved with deploying the ISA Firewall in full firewall mode. In most large organizations, the “network guys” will demand that a “hardware” based device be used for firewall duties; they do not understand or trust the ISA Firewall, and they may have pre-existing fiduciary relationships with hardware firewall vendors. However, you can easily introduce the ISA Firewall into this type of environment by emphasizing the forward and reverse Web proxy feature sets included with the ISA 2006 firewall.
The ISA 2006 Web proxy can be placed on the perimeter network between front-end and back-end third party packet filtering firewalls (as shown in the figure below), in a “hardware” firewall’s DMZ, or it can be placed on the corporate network.
Advantages of using the application layer filtering proxy configuration with third party firewalls include the following:
- The ability to leave the current firewall infrastructure intact; you can “drop in” the ISA Firewall’s application layer filtering proxy virtually anywhere
- The third party front-end and back-end stateful packet inspection firewalls can pass packets at high speed while allowing the ISA Firewall to provide a very high level of security for Web communications passed through its application layer inspection filters
- A hardened ISA Firewall Web proxy can be placed on the perimeter network segment to reduce the attack surface. Inform the boss and network guys that even if the ISA firewall isn’t providing full firewall services to the network, the same enterprise level firewall components are protecting the ISA firewall device itself, making it the most secure device on the corporate network.
- In reverse Web Proxy scenarios, the ISA Firewall’s application layer filtering proxy can forward user credentials across the back-end firewall to pre-authenticate remote users. This type of pre-authentication at the ISA firewall prevents anonymous connections to the back-end Web servers and services.
- In addition to the security provided by pre-authentication, the ISA firewall includes an HTTP Security Filter that inspects all aspects of the HTTP communications and can be configured to allow only legitimate Exchange and SharePoint Portal Server Web access.
- Reverse proxy for Microsoft Exchange Servers is the most popular implementation for large organizations. The ISA firewall was built from the ground up to provide a high level of security for remote access connections to all Exchange Server services, including Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync, SMTP/S, POP3/S, and IMAP4/S. In addition, the ISA 2006 firewall acting as reverse proxy provides a superior level of security for remote access connections using Outlook 2003/2007 RPC/HTTP, providing “Access Anywhere” for Outlook clients.
- Another very popular implementation for ISA firewall reverse proxy is providing remote access connectivity to Microsoft SharePoint Portal Server service. The ISA 2006 firewall includes significant enhancements that provide unique support for the potentially complex task of publishing SharePoint Portal Servers. Complexities that could possibly take dozens of hours to troubleshoot using other products are completely handled by ISA 2006’s built-in SharePoint Portal Server wizards and link translation technologies.
How the ISA Firewall Functions as a Forward Web Caching Server
You can deploy the ISA Firewall as a forward caching server to provide internal clients with faster access to Web content on the Internet. ISA 2006 maintains a centralized cache of frequently requested Internet content that can be accessed by any Web browser. Obtaining objects from the memory or disk cache requires significantly less processing time than downloading the same objects from the Internet.
ISA 2006 can be deployed as an array of Web caching servers where the array presents a single logical cache to the clients. This enables your company to benefit from a much larger cache of Web content than a single server could provide, and also provides the benefits of load balancing and fault tolerance using the ISA Enterprise Edition’s Cache Array Routing Protocol (CARP) feature set. In addition, because the array represents a single logical Web proxy device, performance is significantly enhanced because the total throughput through the ISA firewall array is equal to the throughput possible through a single array member multiplied by the number of array members.
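The "single logical cache" and fault tolerance claims above rest on hash-based request routing: each URL is deterministically assigned to one array member, and losing a member only moves that member's share. The following is an added example, not code from the article or from ISA Server; it follows the hashing steps of the public CARP draft (draft-vinod-carp-v1) as implemented in Squid, with equal load factors for all members. ISA's internal implementation is not assumed to be identical, and the member names and URLs are constructed samples.

```python
# Added illustration of CARP-style routing (assumption: equal load factors,
# so the score is just the combined hash). Not ISA Server's own code.
MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _string_hash(s):
    """Shared character-fold step used for both member names and URLs."""
    h = 0
    for ch in s.encode():
        h = (h + rotl(h, 19) + ch) & MASK32
    return h


def member_hash(name):
    """Hash of an array member's name; computed once per member in practice."""
    h = _string_hash(name)
    h = (h + h * 0x62531965) & MASK32
    return rotl(h, 21)


def route(url, members):
    """Return the member that owns `url`: the highest combined score wins.
    Every array member computes the same answer, so clients see one cache."""
    uh = _string_hash(url)
    best, best_score = None, -1
    for name in members:
        combined = uh ^ member_hash(name)
        combined = (combined + combined * 0x62531965) & MASK32
        score = rotl(combined, 21)
        if score > best_score:
            best, best_score = name, score
    return best


def moved_on_change(urls, before, after):
    """Count URLs whose owner changes when the array goes from before to after.
    With highest-score routing only the failed member's URLs move."""
    return sum(1 for u in urls if route(u, before) != route(u, after))


# Constructed sample array and URLs.
ARRAY = ["isa-array-01", "isa-array-02", "isa-array-03"]
SAMPLE_URLS = [f"http://www.example.com/page{i}.html" for i in range(12)]
</test>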
Forward Web caching improves client browser performance, decreases user response time, and reduces bandwidth consumption on Internet connections. This can save you money if bandwidth is purchased by the megabit. Even if bandwidth isn’t metered in this way, the company can save money by either deferring upgrades to the connection or avoiding the need to upgrade the connection completely. This feature is especially beneficial to small and medium sized organizations that may have limited or measured T-1 service that limits the amount of bandwidth used per month for a specified fee.
Features that make ISA 2006 shine as a forward Web caching solution include the following:
- Fast in-memory caching allows exceptionally fast access to Web content held in the RAM portion of the Web proxy cache
- Optimized cache database for on-disk caching enables the ISA firewall and arrays of ISA firewalls to store hundreds of gigabytes of content in optimized disk cache files.
- Scheduled content downloads. This feature enables you to “pre-load” the Web cache with content of your choice. Many times companies require content to be available at all times, even when the Internet link or content server is down. Content Download Jobs give companies the ability to pre-populate the cache so that employees are able to access this content around the clock.
- Hierarchical Web Proxy cache chaining. This feature allows you to set up ISA 2006 forward proxy servers at the branch offices and connect them to ISA 2006 Web proxy arrays at the main office. This enables the branch offices to benefit from the large amount of cached content contained in the main office Web proxy arrays, and reduces bandwidth requirements on the main Internet pipe at the main office. In addition, it brings this content closer to the users at the branch offices by keeping content in the branch office Web cache.
How ISA Server Functions as a Reverse Web Caching Server
You can deploy ISA 2006 in front of an organization’s Web servers that host an e-commerce site, providing information to customers or providing access to business partners. With incoming Web requests, ISA 2006 can act as a Web server fulfilling client requests for Web content from its cache. The firewall then forwards requests to the Web server only when they cannot be served from its cache. This helps to take the load off the Web server(s) and reduce bandwidth usage on the LAN between the ISA Server and the Web server(s).
Features that make ISA Server 2006 an ideal solution for reverse Web caching include the following:
- Web publishing wizards that take the guesswork out of providing a high performance and secure connection to published Web sites
- Fast in-memory RAM caching enables the ISA 2006 reverse Web proxy to quickly return requested information to the Web users
- Optimized cache database for on-disk caching allows gigabytes of Web content to be stored in the ISA firewall’s Web proxy cache files, giving quick responses to Web users requesting Web site content
- Transparency for all clients. External users are never aware that there is a reverse Web proxy server in place. At all times the users experience a direct connection with the destination Web server. Even when the destination Web server is down, the ISA firewall can continue to return content from the Web proxy cache.
- Scheduled content downloads can pre-load sites into cache. When the Web proxy cache is pre-loaded with Web site content, the ISA firewall does not need to wait for a user to request the content before placing it in cache. This can significantly increase both the speed and availability of content.
In this, the second part of our series on how to teach the boss and the network guys about the ISA Firewall, we focused more on the Web proxy features that make it easier to get around the politics of introducing the ISA Firewall into an existing firewall environment. In the last part of this series, we’ll look deeper into the advantages the ISA Firewall provides for companies that have deployed Exchange Server, SharePoint Server and IIS-based Web sites. See you then! –Tom.