
Decision Support: Evaluating Microsoft's ISA Server firewall product

Determine if ISA Server will work as a firewall on your network


With Internet Security and Acceleration (ISA) Server, Microsoft has developed a solid firewall and Web-caching product that simplifies the management of firewall security yet offers robust, flexible, and advanced features. This article will provide an overview of the product and highlight some of the best improvements of ISA Server over its predecessor, Proxy Server 2.0.

What can ISA Server do?
ISA Server is meant to be an enterprise-class firewall and high-performance Web-caching server. It offers packet filtering, application filtering, and circuit-level filtering in order to provide a dynamic firewall that is difficult for hackers to target. It is also a stateful inspection firewall: it performs dynamic packet filtering, opening and closing ports as needed rather than leaving them open where hackers can identify and target them.
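
The port-opening behaviour described above, as an added illustration (not ISA Server code and not from the original article): a toy filter that admits inbound packets only as replies to a tracked outbound flow and forgets the flow on close or idle timeout. The class names, the 60-second timeout and the addresses are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool          # True: internal client -> Internet
    closing: bool = False   # stands in for a TCP FIN/RST

class DynamicPacketFilter:
    """Toy model: inbound traffic passes only as a reply to a live outbound flow."""
    def __init__(self, idle_timeout=60.0):
        self.idle_timeout = idle_timeout
        self.flows = {}  # (client, client_port, server, server_port) -> last seen

    def allow(self, pkt, now):
        # Forget flows that have been idle too long: their ports "close".
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        if pkt.outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.flows:
                return False           # unsolicited inbound: no port is open
        if pkt.closing:
            self.flows.pop(key, None)  # connection ended, close the port now
        else:
            self.flows[key] = now      # open, or keep open, for this peer only
        return True

    def open_ports(self):
        return sorted({key[1] for key in self.flows})

def demo():  # constructed traffic, documentation address ranges
    fw = DynamicPacketFilter(idle_timeout=60)
    request = Packet("10.0.0.5", 40000, "203.0.113.10", 80, outbound=True)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, outbound=False)
    stranger = Packet("198.51.100.7", 80, "10.0.0.5", 40000, outbound=False)
    return {
        "unsolicited": fw.allow(reply, now=0),
        "request": fw.allow(request, now=1),
        "reply": fw.allow(reply, now=2),
        "other_host": fw.allow(stranger, now=3),
        "open_during": fw.open_ports(),
        "after_idle": fw.allow(reply, now=100),
        "open_after": fw.open_ports(),
    }
```

A static filter would have to leave port 40000 reachable permanently; here a scan before the request or after the idle timeout finds nothing open.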

ISA Server can also act as a traffic cop by allowing or denying traffic from specific users and/or groups to and from the Internet. With the use of policies and rules, administrators can set detailed guidelines for users and groups to prevent unauthorized Internet access, to control bandwidth, and to implement usage policies and scheduling. In a Windows 2000 environment, these policies can also be tightly integrated with Active Directory.

Other advanced features in ISA Server include intrusion detection, secure publishing of mail and Web servers, VPN integration, easy scalability with clustering via Cache Array Routing Protocol (CARP), advanced caching options such as active caching and hierarchical caching, bandwidth prioritization, remote administration, and Windows 2000 network integration.

Microsoft has also designed ISA Server for extensibility. As a result, numerous vendors are in the process of developing modules to extend the functionality of ISA Server.

Enhancements over Proxy Server 2.0
While Proxy Server 2.0 was a major improvement over Proxy Server 1.0, ISA Server goes far beyond the functionality of Proxy Server 2.0, as well as improving manageability with a better user interface and more logical administration features. The following list details some of the most significant improvements of ISA Server:
  • Better client functionality
    Proxy Server 2.0 functioned only as a proxy server and required clients to connect via the Winsock proxy or SOCKS proxy. ISA Server allows clients to connect using its proxy feature, but it also has a SecureNAT client, which allows network clients to simply use the internal network address of the ISA Server as their default gateway. This simplifies administration and provides a better cross-platform solution.
  • Improved security features
    ISA Server has added powerful intrusion detection features based on software licensed from Internet Security Systems. This includes monitoring for port scans and DoS attacks. ISA Server also includes more powerful and detailed packet, circuit, and application filtering capabilities.
  • Much-improved interface
    Proxy Server required that you have Internet Information Server (IIS) installed, and it actually functioned as a module of the Web server. Thus, you had to open up the IIS administration application in order to manage Proxy Server. Additionally, the Proxy Server administration modules themselves were clunky and counterintuitive. However, ISA Server has a separate Microsoft Management Console-based administration application that provides hierarchical menus and a logical management structure. In the next section, you’ll get to take a closer look at the user interface.

Management services
As you can see in Figure A, the ISA Management tool gives administrators total control over the users, groups, policies, and rules that are running on a local or remote ISA server. Administrators have rights to control settings such as user bandwidth, cache configuration, client configurations, network configuration, server policies, and rules.

Figure A
The ISA Management tool allows administrators to control single or multiple ISA servers.


Administrators can also monitor the performance of the ISA Server by using the ISA Server Performance Monitor. With this tool, shown in Figure B, administrators can keep an active eye on the resources being used within the network, understand what issues need to be addressed, and add or remove specific rules and policies on the ISA Server to help increase performance on the network.

Figure B
Administrators can use the ISA Server Performance Monitor to monitor the performance of the firewall, noting such items as active client sessions, URLs in cache, and the number of requests received per second.


Conclusion
If you’re currently running a version of Proxy Server, you should definitely consider upgrading to ISA Server. It’s more secure and much more manageable. Microsoft has provided an upgrade path from Proxy Server so you’ll save some money, and you’ll be able to save many of the settings you’ve laboriously tweaked on Proxy Server. However, be forewarned that during the upgrade from Proxy to ISA, filters are sometimes lost or misconfigured. Make sure you carefully document all of your filters before upgrading so that you can reconfigure them under ISA Server if you run into problems.

If you’re running another firewall product or searching for your first firewall, you should certainly give ISA Server due consideration. Microsoft offers a competitive upgrade from many popular firewall products. The robust features of ISA Server make it a solid product, and the price, although more than Proxy Server, is competitive for products with a similar feature set.