Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Jun 13, 2005 (Vol. 10, #24 - Issue #529)
W2KNews ISA 2004 Special Edition
This issue of W2Knews contains:
- EDITORS CORNER
- W2KNews ISA 2004 Special Edition
- What Version of ISA 2004 is Right for You?
- What You Get with the ISA 2004 Firewall
- ADMIN TOOLBOX
- Admin Tools We Think You Shouldn't Be Without
- TECH BRIEFING
- Use RADIUS Authentication for ISA 2004 Forms-based Authentication
- Automate Deployment of the ISA 2004 Firewall Client
- What You Lose When ISA 2000 is Upgraded to ISA 2004
- Optimize ISA 2004 Firewall Performance
- NT/2000 RELATED NEWS
- SBS 2003 Service Pack 1 Upgrades ISA to 2004
- ISA 2004 Firewall Webcast Series
- Ramp Up in Record Time with ISA Firewall Virtual Labs
- NT/2000 THIRD PARTY NEWS
- ISA Hardware Firewall Bonanza
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- The Ultimate Job Security Tool: Double-Take
SPONSOR: Time's Running Out to Make the Switch!
If you are using an Internet filtering solution other than iPrism
from St. Bernard, there has never been a better time to make a
switch. Until June 30th, you can get great savings by switching to
the award-winning iPrism Web filtering appliance. iPrism is a true
hardware solution that's easy-to-install and administer and has a
very low total cost of ownership. Don't delay, make the switch to
better performance today and save! Plus, find out more by downloading
iPrism's FREE TOOLS!
Visit Time's Running Out to Make the Switch! for more information.
W2KNews ISA 2004 Special Edition
This week you're in for a treat. This issue is dedicated to ISA Server 2004 (which I'll refer to as the ISA firewall for the rest of the newsletter). The ISA firewall is the latest version of Microsoft's flagship security product, ISA Server. The ISA firewall has distant roots in a proxy server (Proxy 1.0) but has grown into a full-fledged network firewall with sophisticated stateful packet and application layer inspection mechanisms.
What Version of ISA 2004 is Right for You?
The ISA firewall is available in two flavors (editions): Standard (SE) and Enterprise (EE). Both versions are network firewalls supporting an unlimited number of network interface cards (OK, to the hardware limits that you have), an unlimited number of networks and an unlimited number of users (no per user license fees). Both versions of the ISA firewall perform stateful packet and application layer inspection. Both versions enable deep application layer inspection of multiple application protocols to prevent attackers from compromising your network after they've bypassed the "hardware" firewall's network layer packet inspection.
Features included in the Enterprise version of the ISA firewall that you won't get with the ISA 2004 Standard Edition are:
- Cache Array Routing Protocol (CARP) - CARP allows you to create caching arrays to speed up Internet access and reduce bandwidth usage on your Internet connection.
- Integrated Network Load Balancing (NLB) - ISA Enterprise Edition tightly integrates with the NLB service to provide real-time failover and load balancing for members of an ISA firewall array. If a firewall array member goes offline, other members of the array automatically take over for the downed member.
- Enterprise Policies - The Enterprise Edition ISA firewall enables you to create enterprise policies that are easily pushed out to firewalls located anywhere in the world. Just configure them at your workstation and they're automatically deployed around the globe.
- Configuration Storage Server (CSS) - The Enterprise Edition uses ADAM-based policy storage. Think of ADAM (Active Directory Application Mode) as a boiled-down version of Active Directory. CSS policy storage allows fast, bandwidth-efficient replication of firewall policy to all ISA firewalls regardless of location and link speed.
SE is aimed at small to medium sized businesses, while EE is targeted at organizations that need to deploy and manage ISA firewalls across geographically distributed sites.
What You Get with the ISA 2004 Firewall
Both versions of the ISA firewall include these firewall goodies:
- Network and firewall security - The ISA firewall is locked down by default. No connections are allowed to or through the ISA firewall until you allow them. The new ISA firewall architecture loads very low in the network protocol stack so that no network communications move to or through the ISA firewall without the firewall statefully inspecting the packets. And yes, the firewall fails closed!
- Performance - The ISA firewall is a gigabit firewall. Tests with large packet sizes (like those all the other firewall vendors do) show that an appropriately provisioned ISA firewall can reach over 1.5Gbps throughput.
- Management - Both SE and EE are managed via the intuitive and easy to use ISA firewall console. Easy to use means fewer firewall configuration errors. Given that firewall configuration errors are the most common reason for network compromise related to firewall issues, this is a good thing.
- Site to Site VPN - Join entire networks to each other via site to site VPNs. Both versions of the ISA firewall support hub and spoke, and mesh VPN configurations.
- Remote Access VPN and VPN Quarantine - ISA firewalls provide a unique level of security and accountability (through advanced logging) for remote access VPN connections. You get fine-tuned per user/per group access control and logging for remote access VPN connections. And, when you load the ISA firewall on Windows Server 2003 SP1, you get VPN quarantine at no extra charge. VPN Quarantine allows you to segregate VPN clients into a sandbox network while they are tested for security configuration compliance. Only after the VPN client passes the security configuration compliance tests is it allowed access to resources on the corporate network, and even then the VPN client can only reach the servers, and the protocols on those servers, that you've granted that user access to.
- IDS/IPS - All versions of the 2004 ISA firewall include built-in IDS and IPS, turned on by default, to protect against common network level attacks.
- Other Cool Things - The ISA firewall hosts an assortment of other cool things such as Active Directory integration for transparent authentication, OWA forms-based authentication, RADIUS user mapping for VPN connections, the HTTP Security Filter for granular HTTP access control, encrypted firewall client control sessions, built-in RSA SecurID support, user certificate authentication, secure Exchange RPC publishing (enables the "Outlook Always Works" scenario), robust firewall logging options (both on and off-box) and much more.
If you haven't had a chance to check out the ISA 2004 firewall yet, then head on over to:
And get a fully functional trial version.
(email me with feedback: [email protected])
Admin Tools We Think You Shouldn't Be Without
Use RADIUS Authentication for ISA 2004 Forms-based Authentication
The ISA firewall provides an enhanced level of protection for remote access connections to Exchange Server services using a number of technologies. One of the slickest is the ISA firewall's Forms-based authentication filter (FBA). The FBA filter enables the ISA firewall to generate the OWA log-on form itself. This prevents potentially malicious unauthenticated connections from ever reaching the OWA sites. The FBA filter also allows you to control which users can access attachments, force log off if the user moves away from the OWA page, and force log off after a set period of time.
The ISA firewall generates the form and pre-authenticates the user. Only after successfully authenticating to the ISA firewall will the remote access client's OWA request be forwarded to the OWA site. You can bump up security by pairing up RADIUS authentication with the ISA firewall's FBA filter. Go here for the details:
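To make the pre-authentication flow above concrete, here is an added example (not ISA Server code, and not from this newsletter) that models a forms-based authentication gateway sitting in front of a published web application. The request/response dictionaries, the in-memory session store, the `authenticate` callback standing in for the RADIUS check, the cookie name `fba_session`, and the timeout values are all assumptions made for the demonstration. The point it shows is the security property the newsletter describes: the backend only ever receives requests that carry a valid, unexpired session; everything else is answered by the gateway with the log-on form or a denial, and idle or stale sessions are forcibly logged off.

```python
"""Illustrative forms-based pre-authentication gateway (added example).

Models the behaviour described for the ISA firewall's FBA filter: the
gateway generates the log-on form, authenticates the user (here via a
pluggable callback that stands in for RADIUS), and only then forwards
requests to the published site. All names and shapes are assumptions.
"""
import secrets
import time


class FbaGateway:
    def __init__(self, authenticate, attachment_users=(), idle_timeout=900,
                 max_lifetime=8 * 3600, clock=time.time):
        # authenticate(user, password) -> bool stands in for the RADIUS
        # round trip; a real deployment would call a RADIUS client here.
        self._authenticate = authenticate
        self._attachment_users = set(attachment_users)  # users allowed attachments
        self._idle_timeout = idle_timeout                # force log-off when idle
        self._max_lifetime = max_lifetime                # force log-off after set period
        self._clock = clock                              # injectable for testing
        self._sessions = {}   # cookie token -> {"user", "created", "last_seen"}
        self.forwarded = []   # (user, path) pairs that actually reached the backend

    @staticmethod
    def _login_form():
        # The gateway answers with its own form; nothing is forwarded.
        return {"status": 200, "action": "login_form"}

    def _valid_session(self, token):
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        idle_expired = now - sess["last_seen"] > self._idle_timeout
        life_expired = now - sess["created"] > self._max_lifetime
        if idle_expired or life_expired:
            del self._sessions[token]   # forced log-off: session is gone
            return None
        sess["last_seen"] = now
        return sess

    def handle(self, request):
        """Decide what happens to one request (constructed dict, not real HTTP)."""
        path = request.get("path", "/")
        method = request.get("method", "GET")
        token = request.get("cookies", {}).get("fba_session")

        # Log-on form submission: the only path handled before a session exists.
        if method == "POST" and path == "/login":
            form = request.get("form", {})
            user, password = form.get("user", ""), form.get("password", "")
            if not self._authenticate(user, password):
                return self._login_form()
            new_token = secrets.token_urlsafe(32)
            now = self._clock()
            self._sessions[new_token] = {"user": user, "created": now, "last_seen": now}
            return {"status": 302, "action": "redirect",
                    "set_cookie": {"fba_session": new_token},
                    "location": form.get("next", "/exchange/")}

        sess = self._valid_session(token)
        if sess is None:
            return self._login_form()   # unauthenticated: never reaches backend

        if path == "/logoff":
            del self._sessions[token]
            return {"status": 302, "action": "redirect", "location": "/login",
                    "set_cookie": {"fba_session": ""}}

        # Attachment access is restricted to an explicit set of users.
        if "/attachment" in path and sess["user"] not in self._attachment_users:
            return {"status": 403, "action": "deny"}

        self.forwarded.append((sess["user"], path))
        return {"status": 200, "action": "forward", "user": sess["user"], "path": path}


def demo():
    """Walk a constructed client through the flow; returns the list of actions."""
    gw = FbaGateway(lambda u, p: (u, p) == ("alice", "correct horse"),
                    attachment_users={"bob"}, idle_timeout=60)
    actions = [gw.handle({"method": "GET", "path": "/exchange/"})["action"]]
    login = gw.handle({"method": "POST", "path": "/login",
                       "form": {"user": "alice", "password": "correct horse"}})
    actions.append(login["action"])
    cookies = {"fba_session": login["set_cookie"]["fba_session"]}
    actions.append(gw.handle({"method": "GET", "path": "/exchange/inbox",
                              "cookies": cookies})["action"])
    actions.append(gw.handle({"method": "GET", "path": "/exchange/attachment/1",
                              "cookies": cookies})["action"])
    return actions, gw.forwarded


if __name__ == "__main__":
    print(demo())
```

The `clock` parameter exists so the idle and lifetime cut-offs can be exercised deterministically; in the real product those are the "force log off" settings the newsletter mentions, and the `attachment_users` set plays the role of the attachment access control.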
Automate Deployment of the ISA 2004 Firewall Client
The ISA firewall's Firewall client application is a generic Winsock proxy client that enables Firewall client enabled systems to "remote" connections to the Internet to the ISA firewall's Firewall Service. The Firewall client significantly enhances ISA firewall security and flexibility because it can be used to ensure that all connections issued through the ISA firewall are transparently authenticated, and it provides support for complex protocols requiring secondary connections. Not only are all connections authenticated, but the name of the application the user used to connect to the resource through the ISA firewall and the name of the machine the user connected from are included in the ISA firewall's log files along with the user name.
The trick to getting the most out of the ISA firewall is mastering deployment of the client software. Once you get it installed, the rest is security gravy. Check out this doc for details on automating deployment and provisioning of the Firewall client in your organization.
What You Lose When ISA 2000 is Upgraded to ISA 2004
While there's no doubt that the 2004 ISA firewall beats the pants off ISA Server 2000, the enhanced firewall security and application layer inspection comes at a price for dyed in the wool ISA Server 2000 firewall admins. With the new ISA firewall, you get a lot, but have to give up a little. A few things you'll encounter when you upgrade ISA Server 2000 to the 2004 ISA firewall include:
- Bandwidth Rules are gone (they never worked very well anyhow)
- The H.323 Gatekeeper is no more (did anyone ever really use it?)
- Active caching is kaput (we'll miss this one)
Check the following KB article for a complete rundown on some of the settings and features you'll do without:
Optimize ISA 2004 Firewall Performance
The firewall's job is to provide network level security for your organization. Its job is not to pass exploit packets as fast as possible. Nevertheless, it would be great to squeeze out every bit of network performance possible from the ISA firewall. A couple of things you can do to improve performance right off the bat include:
- Use the Firewall and Web proxy client configurations
- Load as much memory as you can afford into the ISA firewall if you plan on using the Web caching feature
- Use SSL offload cards if you plan on providing secure remote access to SSL Web sites (such as OWA and Exchange ActiveSync)
- Bind each adapter to a different processor
For more tips and tricks on optimizing the ISA firewall's performance, check out:
NT/2000 RELATED NEWS
SBS 2003 Service Pack 1 Upgrades ISA to 2004
SBS 2003 Service Pack 1 has hit the streets and if you have the Premium edition, you're in for some great news! SBS 2003 SP1 includes an upgrade so that now you can cast off your aging ISA Server 2000 firewall and upgrade to the ISA 2004 firewall. Sweet! The SBS team spent thousands of hours testing and tweaking the ISA firewall so that it would work correctly on the SBS platform. This was no mean feat (and I don't mean angry toes) because the ISA firewall was designed as a network firewall, not ZoneAlarm for Windows Servers. Looks like they've done a darned good job, because I haven't heard of any serious breakages. Check out the link below for what's new and improved with SBS 2003 SP1:
ISA 2004 Firewall Webcast Series
I had the unique opportunity to work with Microsoft during their ISA 2004 Webcast week. A number of excellent Webcasts on the ISA firewall's VPN, caching and firewall feature set were done that week, with mine being on the ISA firewall's application layer inspection features. If you're thinking about getting into the ISA firewall scene, definitely check out these Webcasts. Make sure to put the Webcast on how Microsoft has deployed the ISA firewall in their worldwide organization at the top of your list!
And speaking of how Microsoft has deployed the ISA firewall worldwide, you might be interested in how they use the ISA firewall as their VPN server of choice, and how they've used it to deploy a powerful remote access VPN client quarantine solution to protect their own corporate networks. Check out this link for details on how Microsoft used the ISA firewall to whack VPN client sourced viruses and worms and to ensure that VPN clients met corporate security requirements for VPN client health:
Ramp Up in Record Time with ISA Firewall Virtual Labs
You might have run into Microsoft's virtual lab series for some of their other products. The Microsoft virtual lab series is a great way to get your hands dirty with Microsoft server products. There's a virtual lab for the ISA firewall where you can learn how to configure the ISA firewall's VPN server component, the ISA firewall's Outlook Web Access Publishing feature, and lots more. The ISA firewall's virtual lab series gets two fat thumbs up! Check it out at:
THIRD PARTY NEWS
ISA Hardware Firewall Bonanza
Seems like every network service provider is bundling up their wares and putting them in appliance form factors. The ISA firewall is no exception. There are a lot of advantages to purchasing an ISA firewall in an appliance package. These include:
- Pre-hardened ISA firewall device
- Tested hardware drivers for max performance
- Enhancements to the ISA firewall's application inspection feature set
- Improvements on the ISA firewall's networking features
Here's my matchbook cover sketch of the major players in the ISA hardware firewall space:
HP DL320 ISA Firewall/VPN Server appliance
You can't beat HP's reputation as a provider of high quality hardware. HP's approach to hardware ISA firewalls is to provide a hardened pre-install of the ISA firewall software on a high-powered HP DL320 hardware platform. They also include additional software that works at a very low layer in the networking stack to decommission hosts sending out worm packets. The HP DL320 is very easy to provision and offers high performance. They top off their ISA firewall offering with lights-out admin.
Network Engines NS Series
Network Engines has a bevy of ISA firewall appliances in their NS firewall series. Network Engines takes a unique approach to ISA hardware firewalls in that they've completely removed anything that might be Windows from the user interface. That means you use the NS firewall as a firewall and it's impossible to make the NS ISA firewall part of your server consolidation plan (as many hapless ISA firewall admins try to do). Provisioning of the NS firewall appliance can be a bit tricky, but compared to a PIX or Netscreen, it's a no-brainer. Network Engines includes a Web interface for firewall provisioning and management so that you can use an SSL encrypted session to connect to the NS firewall from a management station.
Rimapp RoadBLOCK
The Rimapp RoadBLOCK firewall is the Swiss Army knife of ISA hardware firewalls. The RoadBLOCK includes many enhancements to the ISA firewall's application layer inspection mechanisms that allow you to control Web site access, block Web and e-mail virus downloads, and much more. In addition to improvements to the ISA firewall's application layer inspection mechanism, the RoadBLOCK beefs up the ISA firewall's networking feature set by supporting multiple ISPs and by providing real-time failover and network load balancing. A unique feature of the RoadBLOCK is that they've completely abstracted the entire ISA firewall MMC into a Web interface.
Celestix MSA Series
The Celestix MSA series of ISA hardware firewalls is built on top-notch server hardware. Celestix includes some enhancements to the ISA firewall's application layer inspection by including SurfControl as an optional component. In addition, the MSA series of ISA hardware firewalls includes a Web interface that enables you to configure much of the firewall's feature set over an SSL encrypted browser session.
This Week's Links We Like. Tips, Hints And Fun Stuff
PRODUCT OF THE WEEK
The Ultimate Job Security Tool: Double-Take
For those admins wanting their file servers to be available again
within minutes of a crisis, Double-Take is the most popular tool.
Double-Take has over 50,000 licenses in production, including
12,000 on Exchange, 10,000 licenses on SQL, and nearly 10 years
of protecting Windows servers since 1996. This makes Double-Take
the undisputed leader in protecting Microsoft environments for
high-availability and disaster recovery in-one: 30-day eval at: