When Microsoft introduced its Internet Security and Acceleration (ISA) Server in 2000, it was hailed as much more than just an upgrade to Proxy Server. At last, Microsoft had a true firewall product on the market that provided application filtering, circuit-level filtering, and traditional packet filtering.
The goal was to compete with established firewall products such as Check Point and Cisco's PIX, and ISA Server has steadily increased its market share since its release.
This year, Microsoft released a new and improved edition of its firewall. Does ISA Server 2004 offer as many dramatic improvements over its predecessor as ISA Server 2000 did when compared to Proxy Server? In this article, we'll examine what's new and different in ISA Server 2004, and why users of both Proxy Server 2.0 and ISA Server 2000 should consider upgrading. We'll also discuss a few ISA 2000 features that didn't make it into the new version.
ISA Server 2004 is still a multilayered filtering firewall, a secure VPN gateway, and a Web caching server like ISA 2000, but Microsoft introduces a multiplicity of new features, along with new functionality. Let's look at some of the most prominent new attractions: the interface, multiple network support, firewall enhancements, and VPN features.
New intuitive interface
The "advanced" graphical interface for ISA 2000, used by most ISA administrators, is a simple two-paned Microsoft Management Console (MMC), as shown in Figure A.
|ISA 2000's simple MMC interface|
Alternatively, you can select the Taskpad view, shown in Figure B. This view attempts to provide a more intuitive look, but many ISA administrators find it confusing.
|ISA 2000's Taskpad view|
ISA 2004 does away with the dual-view interface and adds a Tasks pane on the right side of the console, as shown in Figure C. The tree structure in the left pane is similar to that in the ISA 2000 interface, but the middle pane is richer, giving you tabbed pages that make it much easier to gather information and perform common tasks.
|The new ISA 2004 three-paned interface|
The new interface combines the advantages of ISA 2000's graphical Taskpad view with the easy navigability of its Advanced view.
We're especially pleased with the improvements to the Monitoring node interface. In ISA 2000 (even in Taskpad view), this interface consisted of three folders representing alerts, logs, and report jobs. The new Monitoring node provides tabbed pages for each of six functions: alerts, sessions, services, reports, connectivity, and logging. A seventh tab displays the Dashboard, shown in Figure D, which summarizes information from the six functions detailed in the other tabs. This gives administrators a quick overview of what's going on.
|ISA Server now includes a Dashboard.|
One of the best things about the new interface is that you seldom need to leave the ISA Server 2004 console to perform configurations that are related to configuring the ISA Server.
Multiple network support
Perhaps one of the biggest differences between ISA Server 2004 and ISA Server 2000 is the former's support for multiple networks. Business networks today are not simple, and multinetworking lets you define relationships between interconnected networks. There are already built-in definitions for such default networks as:
- The Internal network, which includes the IP addresses on the ISA Server's primary protected network
- The External network, which includes all of the IP addresses that don't belong to any other network
- The VPN clients' network, which includes the IP addresses that are assigned to VPN clients using the ISA Server VPN gateway
- The Local host network, which includes the IP addresses on the ISA Server's network interfaces
ISA 2000 inspected the network traffic based on the local address table (LAT). The LAT included only addresses on the internal network. With ISA 2004, you can apply firewall security to the traffic transferred from any network to any other. You can set policies on a per-network basis, and you can define whether the relationship between networks is NATed or routed.
Multinetworking is easy to configure because Microsoft has included templates for configuring the firewall policies between networks. There are templates for many different situations, including using ISA as an edge firewall or a front-end firewall, creating a perimeter network with two ISA servers, putting ISA between the perimeter network and the internal network, and deploying ISA as only a Web Proxy caching server (single NIC configuration). You can select a network in the middle details pane and then select a template from the right pane, as shown in Figure E.
|Apply network templates to configure firewall policies between networks.|
New firewall features
In keeping with its overall focus on security, Microsoft is emphasizing the "S" in ISA Server 2004 even more than in 2000, and is including several new firewall features. There are a number of new Application Layer Filtering (ALF) features, such as the following:
- You can configure deep HTTP stateful inspection on a per-rule basis to create custom constraints for inbound and outbound HTTP.
- You can block access to executable files based on the first word of the binary (MZ) through the HTTP policy, or you can block or allow file types based on file extension; you can apply the policy to specific users or groups.
- You can control HTTP access for all ISA Server 2004 client types (firewall client, SecureNAT client, or Web Proxy client), whereas ISA 2000 blocked Web content only by MIME type (Web) or file extension (FTP) for Web Proxy clients. You can also control the use of specific HTTP methods (verbs).
- You can use keywords or strings (called signatures) to block HTTP content, which allows you to use ISA Server 2004 for firewall-level control over applications and services that tunnel themselves through an HTTP channel.
- You can use FTP policy to restrict FTP downloads while allowing uploads (or you can allow both or block FTP altogether).
Link translation is an ISA Server 2004 application layer feature that was not originally included with ISA Server 2000 but was added with Feature Pack 1. It lets you map internal computer names and paths to public names and paths, which helps avoid broken links when you publish a SharePoint Web site or redirect connections to different servers on the corporate network based on the path in a Web request.
Firewall user groups
Another new firewall feature in ISA Server 2004 is the ability to create firewall user groups. ISA 2000 uses Active Directory users and groups or, on the ISA Server computer, local users and groups. The new firewall groups are important because they can be created by a firewall administrator who does not have to be a domain administrator.
ISA Server 2004 more easily handles complex protocols, such as those used by streaming media and voice/video applications. ISA 2000 required that you write scripts to create protocol definitions for protocols that needed more than one primary outbound connection. With ISA 2004, these definitions are created via the New Protocol Wizard. You can also control the source and destination port numbers for any protocols for which you have made a firewall rule.
With ISA 2000, it was often difficult for administrators to determine the order in which rules would be processed. ISA 2004 has simplified this greatly, using a unified ordered list that processes rules from top to bottom, regardless of client type and whether the rule is to allow or deny.
New VPN features
VPN functionality has been enhanced by several new features, including the following:
- Because the VPN clients are now placed in a separate network zone, you can apply access policies specifically to VPN clients.
- ISA 2004 does stateful filtering and inspection for the traffic going between two sites in a site-to-site (gateway-to-gateway) VPN. ISA 2000 did not apply firewall policy to site-to-site links because they were considered to be "trusted" networks.
- VPN clients that are configured as SecureNAT clients can access the Internet through the VPN connection. With ISA 2000, only firewall and Web Proxy clients could do so, which means you had to install the firewall client software and/or configure the Web browser on machines that needed Internet access through the VPN.
- You can publish PPTP VPN servers. ISA 2000 allowed you to publish only L2TP/IPSec VPN servers.
- ISA Server 2004 supports IPSec tunnel mode for site-to-site VPNs. ISA 2000 supported only PPTP and L2TP/IPSec for site-to-site links. IPSec tunnel mode allows the ISA firewall to participate in a site-to-site VPN link with third-party VPN gateways.
One of the most exciting new features in ISA Server 2004 is VPN Quarantine Control. This feature builds on Windows Server 2003's Network Access Quarantine Control feature. It allows you to control the configurations of VPN clients and ensure that they meet your specified security criteria. For example, you can require that the latest service packs and security updates be installed on the VPN client machine, that antivirus software be installed and running, or that a personal firewall be enabled.
If a VPN client doesn't meet the criteria, it is placed on a quarantined network where it can access limited resources. For example, the quarantined clients might be able to access a server from which they can download the required software.
This feature is similar to the managed VPN client or secure VPN client features of some other firewall vendors. Usually, you must use their proprietary VPN client software to have this control over your VPN clients, but ISA 2004 can do it for clients using the built-in Windows VPN client software.
Before you get too excited about VPN Quarantine Control, be forewarned that configuring it is not a point-and-click operation. You'll need to install additional components on the ISA Server (available in the Resource Kit) and create a quarantine script, which is then installed on the client computers using Connection Manager.
Enhanced SSL support
You can use the Secure Web Publishing Wizard to make SSL tunnels to Web sites on the internal network. SSL bridging makes it possible for the ISA server to decrypt SSL traffic so it can be inspected and HTTP policy applied. It can then be re-encrypted and sent on to its destination. This thwarts attackers who place malicious code inside SSL packets so they cannot be inspected by the firewall.
Many of ISA Server 2000's features have been improved in ISA Server 2004. We'll look at some enhancements to authentication, monitoring and logging, and Exchange integration.
ISA Server 2004 supports authenticating users with Windows authentication through Remote Authentication Dial-In User Service (RADIUS) and other namespaces. It also lets you apply rules to users or groups in any namespace. An ISA 2000 computer had to belong to the Active Directory domain in order to authenticate Web proxy clients. Now, with RADIUS, the ISA 2004 machine is not required to be a member of the same domain because RADIUS can query the Active Directory.
A problem occurred in ISA 2000 when Firewall clients connected to Web sites where the ISA Server 2000 firewall required authentication for access. If user credentials were required by a Protocol Rule, the request would fail because the credentials were removed when the request was forwarded to the Web proxy service. With ISA 2004, separate authentication with the Web proxy service is not required because firewall clients can use the HTTP filter to access the cache.
Another welcomed improvement in ISA 2004 is built-in support for SecurID token authentication. On another front, unauthenticated users can't reach your published Web servers because the ISA 2004 firewall can authenticate users before their requests are forwarded to a published site. Finally, ISA 2004 improves security to Outlook Web Access (OWA) Web sites by generating logon forms for forms-based authentication.
Improved monitoring and logging
Monitoring, logging, and reporting are the weak points for many firewall products; that's the reason third-party add-ons in this area are so popular. Microsoft has improved this functionality in ISA Server 2004 in several ways:
- The new interface allows you to see real-time monitoring of entries into the Firewall, Web Proxy, and SMTP Message Screener logs. The console displays each entry as it is entered.
- You can use the built-in query tool to query for the information in any field in the logs, and you can narrow down the scope of the query by setting time ranges.
- You can monitor the connections from the ISA Server to a particular computer (by name or IP address) or to a particular URL by creating connectivity verifiers. You can also select from three ways of checking connectivity: PING, TCP connection to a port, or HTTP GET.
- You can automatically save copies of a report job to a specified local folder or network share, and you can map the folder or file to a Web site virtual directory to allow others to easily view the reports. You can also get e-mail notification when a report job is completed.
- You can log to a Microsoft Data Engine (MSDE) database on the server. This speeds up queries and allows you to create complex and sophisticated queries against the ISA firewall's Web Proxy and Firewall service logs.
- Finally, you can set the time when log summaries are to be created. (In ISA 2000, the time was hard-coded at 12:30 a.m.)
Improved Exchange integration
ISA Server 2004's Secure Exchange Server Publishing Rules make it possible for remote users to access the Exchange server across the Internet with the full Outlook MAPI client, rather than being limited to OWA. You use RPC policy to block non-encrypted Outlook MAPI connections for greater security (the Outlook client will need to be set up to use secure RPC to encrypt the connection). This ensures that both user credentials and data will be transmitted in encrypted format.
Microsoft has also made it easier to configure OWA, Outlook Mobile Access (OMA), and ActiveSync to work with ISA Server 2004. Wizards walk you through the process. Unlike with ISA 2000, you can create needed network elements within the wizard.
Missing in action
If you're an experienced ISA Server 2000 administrator, you're likely to notice a few features that were dropped in ISA Server 2004. These include:
- The H.323 gatekeeper for handling and routing Voice over IP (VoIP) calls
- Bandwidth control to give some connections priority over others
- Live media stream splitting for media streams using Windows Media Technology (WMT)
- Active caching to automatically update cache objects
Experienced ISA administrators will also recognize most of these as the features that were seldom used or that didn't work very well.
Better than the original
ISA Server 2004 builds on the feature set of its predecessor, ISA Server 2000, but there are so many changes, and the interface is so different, that there's a persuasive argument that it's more than a mere upgrade.
In reading this article, you may have noted that almost all the new features and improvements pertain to the firewall and VPN functionality. While ISA Server is a fully functional Web caching/proxy server, it's obvious that the emphasis in both technical and marketing areas is on security.
Microsoft has a history of taking about three tries to "get it right." (Windows took off with version 3; IE began to gain real popularity around the third version, etc.) If you think of Proxy Server as the first incarnation of Microsoft's venture into security, and ISA Server 2000 as the second, it's logical to think that ISA Server 2004 just might be the product that makes the firewall community sit up, take notice, and admit that Microsoft is a serious contender.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.