One of the new server products Microsoft expects to release before the end of the year is the Internet Security and Acceleration Server 2000 (ISA Server).
This server could give companies an extra advantage because it provides the added security of an easy-to-configure firewall with the performance of a Web site proxy server.
According to Microsoft’s site, ISA Server will have two main functions for the enterprise:
- Smart security via a multi-layer firewall, application filters, and dynamic IP filtering
- Smart caching with a high-performance Web cache, scalability, and active caching
In this article, I will explain how your enterprise can benefit from these functions.
Securing your site
One of the problems with firewalls is that they’re a real pain to administer. I have worked at several companies, and nobody I’ve seen does firewalls really well. So I think it is important that Microsoft has improved the administration capabilities to make the firewall in ISA Server easier to administer.
This server’s firewall has a number of useful features, and being a multilevel firewall means it can maximize security with packet-level, circuit-level, and application-level traffic screening.
There’s dynamic packet filtering, which will reduce the risk of external attacks by opening ports only when they’re needed.
When a valid application needs a port open, it will allow that port to be opened, and when it doesn’t need it, it will close the port. In a traditional firewall, whatever port you have open is open all of the time, and that increases the potential for attacks.
The server supports stateful inspection, which is the process of inspecting packets that reach the firewall, keeping state information, and then allowing or disallowing the packet to pass. It’s a way to screen packets coming in based on your access policies.
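The difference between a static filter and the dynamic, stateful filtering described above can be shown in a short simulation. This is an added example, not ISA Server code: the class, the simplified one-flag TCP model, the addresses, and the 60-second idle timeout are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # simplified TCP flags: "S", "SA", "A", "F" or "R"
    outbound: bool  # True when the packet leaves the protected network

class DynamicFilter:
    """Outbound flows are allowed by policy; inbound only as replies to them."""

    def __init__(self, allowed_out_ports, idle_timeout=60):
        self.allowed_out_ports = set(allowed_out_ports)
        self.idle_timeout = idle_timeout
        self.state = {}  # (inside ip, inside port, outside ip, outside port) -> last seen

    def check(self, p, now):
        # Drop state for flows that have been idle too long.
        self.state = {k: t for k, t in self.state.items()
                      if now - t <= self.idle_timeout}
        key = ((p.src, p.sport, p.dst, p.dport) if p.outbound
               else (p.dst, p.dport, p.src, p.sport))
        if key not in self.state:
            # Only an outbound SYN to a permitted port may create state.
            if not (p.outbound and p.flags == "S"
                    and p.dport in self.allowed_out_ports):
                return False
        self.state[key] = now
        if p.flags in ("F", "R"):
            del self.state[key]  # simplification: first FIN/RST closes the flow
        return True

def run_demo():
    """Replay constructed packets; returns one allow/deny verdict per packet."""
    fw = DynamicFilter(allowed_out_ports={80, 443})
    c, web, other = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    trace = [  # (time, packet), all values constructed for this example
        (0, Packet(web, 80, c, 40000, "SA", False)),    # unsolicited
        (1, Packet(c, 40000, web, 80, "S", True)),      # opens the flow
        (2, Packet(web, 80, c, 40000, "SA", False)),    # reply
        (3, Packet(other, 80, c, 40000, "SA", False)),  # wrong peer
        (4, Packet(c, 40000, web, 80, "F", True)),      # closes the flow
        (5, Packet(web, 80, c, 40000, "A", False)),     # after close
        (6, Packet(c, 40001, web, 23, "S", True)),      # port not in policy
        (7, Packet(c, 40002, web, 443, "S", True)),     # new flow
        (90, Packet(web, 443, c, 40002, "A", False)),   # idle timeout passed
    ]
    return [fw.check(p, t) for t, p in trace]
```

The inbound port is reachable only between the outbound SYN and the close or timeout of that flow, and only from the peer the inside host contacted.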
In addition, it provides application filters that offer filtering at even higher communication levels.
I wouldn’t say it’s as full-featured as some of the more extensive firewall products that are out there, but in many cases, it could have enough of what you need to be used in place of other firewalls.
ISA Server joins a list of other servers Microsoft is rolling out this year, including:
- SQL Server 2000
- Exchange Server 2000
- BizTalk Server 2000
- Commerce Server 2000
- Application Center 2000
- Host Integration Server 2000
Filtering, caching, and management
ISA Server has a smart application filter, which allows the server to direct incoming requests to the proper Web server. The server figures out which is the most active data needed from the Web, and the server caches that. So if the data is a page that is commonly accessed, the server won’t even have to hit the Web server to get that page; the server can pull the page up off the cache in the ISA Server.
In addition, there is a new feature called Cache Array Routing Protocol (CARP). This feature dynamically load-balances the cache across multiple machines. It will scale along with the scalability capabilities of standard Windows NT.
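CARP spreads cached URLs across array members by scoring each (member, URL) pair with a hash and sending the request to the highest-scoring member. The sketch below is an added example that goes beyond the text to show that routing idea; it is not ISA Server code, it uses SHA-256 as a stand-in for the protocol's own hash functions, and the member names and URLs are constructed.

```python
import hashlib

def score(member, url):
    # Assumption: SHA-256 stands in for CARP's combined member/URL hash.
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def route(url, members):
    """Return the array member with the highest combined score for this URL."""
    if not members:
        raise ValueError("cache array is empty")
    return max(members, key=lambda m: score(m, url))

def placement(urls, members):
    """Map every URL to the member that would cache it."""
    return {u: route(u, members) for u in urls}

def moved_after_removal(urls, members, removed):
    """Return (URLs whose owner changed, URLs the removed member owned)."""
    before = placement(urls, members)
    after = placement(urls, [m for m in members if m != removed])
    moved = {u for u in urls if before[u] != after[u]}
    owned = {u for u in urls if before[u] == removed}
    return moved, owned

if __name__ == "__main__":
    urls = [f"http://example.com/page{i}" for i in range(300)]  # constructed
    members = ["cache-a", "cache-b", "cache-c"]                 # constructed
    counts = {m: 0 for m in members}
    for owner in placement(urls, members).values():
        counts[owner] += 1
    print("URLs per member:", counts)
    moved, owned = moved_after_removal(urls, members, "cache-b")
    print("moved when cache-b leaves:", len(moved), "of", len(urls))
    print("only cache-b's URLs moved:", moved == owned)
```

Because every client computes the same scores, no lookup table has to be shared, and losing one member remaps only the URLs that member held, so the rest of the array keeps its cached content.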
Administration tools are a big part of ISA Server: it has a graphical, Windows-like, easy-to-use interface.
There are capabilities for remote management, detailed logging, customizable alerts, and multiple graphical reports.
The Microsoft Management Console snap-in is available so that any of the Microsoft products, as well as third-party products like HP OpenView, can be managed from one screen.
Useful features and how they will help you
There are a few other built-in capabilities in the ISA Server 2000 that IT managers may find helpful.
For example, you can prioritize bandwidth allocation by groups, application, site, or content:
- If you have one customer that’s more important than another, you can give that customer a higher priority on this server in the proxy side, and that customer will get a bigger chunk of bandwidth or faster access to the Web form.
- If there’s certain content that is very important to you that you want to push, such as your latest annual report, you can make that a higher priority.
- If there’s a specific application or specific location on your site that you want to give a higher priority, you can do that through the integrated bandwidth control feature.
- Let’s say you’re presenting at a conference, and you’re going to access your Web site to show certain things. You don’t want your site to appear slow and cumbersome because your company is going to look bad.
You can prioritize those applications and those specific areas of the Web site that your company is going to be demonstrating by giving them a larger amount of the bandwidth, more parts of the cache, etc., so they will have higher performance and better availability.
Other features include:
- Streaming media support
- Migration tools for those who will upgrade from Proxy Server 2.0
- Support for HTTP, FTP, Internet Relay Chat, the H.323 standard for multi-cache conferencing, mail, and news protocols
- Transparent ACCP and Windows media technologies like Real Audio and Real Video
- Simple Object Access Protocol, which allows access to XML data over a standard port 80 on a firewall with your standard HTTP transmission
Bill Valle is the principal architect of technology and research at Standard Register in Cincinnati, OH. He has spent more than 27 years programming and speaks at many national and international conferences.
Do you think it is a good idea to combine a proxy server and firewall in this manner? Would you feel safe doing it? Would you keep the whole thing on the “dirty” side with another firewall in between your enterprise and the world?