
Microsoft ISA Server 2000

by Bob Walder

Microsoft security has always been thought of as something of an oxymoron. Yet here we have the Internet Security and Acceleration Server which is a packet filter and proxy-based firewall and Web cache rolled into one. Microsoft producing an actual security product? Read on…

There are two versions of the ISA Server – Enterprise and Standard – and the security, caching, extensibility, management, and performance capabilities are the same in both versions. The Standard edition, however, is limited to a stand-alone server, with a local policy only, and will support no more than four processors. The Enterprise edition supports multi-server arrays with centralised management, enterprise-level and array-level policy, and has no hardware limits. In order to support the centralised policy management capabilities, however, it does need to be installed into an Active Directory domain, whereas the Standard edition does not rely on AD. The Enterprise version (as reviewed here) is thus better suited to large multi-site organisations where it is important to be able to manage multiple firewall and cache servers from a single, central console.

During installation, it is possible to specify that the host be a dedicated firewall, dedicated Web cache or that both functions be integrated on the same host. The Web cache capability can minimise performance bottlenecks and save network bandwidth resources by serving up locally cached Web content. This ensures that each Web page is only retrieved once from the Internet, and then served to multiple users internally directly from the cache.

Figure: Configuring packet filter rules

On the security front, ISA Server includes an extensible, multi-layer firewall featuring packet, circuit and application level (proxy) traffic screening, stateful inspection, Network Address Translation (NAT), integrated VPN and basic intrusion detection (based on technology from ISS), smart application filters, authentication and secure Web publishing.

As with most firewalls, ISA Server uses rules to determine whether users, services, ports or domains are granted access to computers on the protected network and on the Internet. Four types of rules are available: Access Policy rules, Bandwidth rules, Protocol rules and Publishing rules. In addition, ISA Server can apply policies to users and groups in NT and Windows 2000 domains for an integrated approach to user management.

Access Policy rules define which Internet sites can be accessed by clients behind the ISA Server, as well as which protocols internal clients can use. They also implement the usual packet filter rules that block or allow traffic depending on source and destination address, source and destination port and protocol.

Bandwidth rules build on the Windows 2000 QoS (Quality of Service) features to determine bandwidth priorities for any specific Internet request.

Publishing rules allow internal servers (a Web server, or even Exchange 2000, for example) to publish securely through the ISA Server. These rules map incoming requests to the appropriate servers behind the firewall, and support for multiple network cards in the host PC allows the administrator to create a secure Demilitarised Zone (DMZ) if required.

Figure: Configuring basic IDS settings

Each rule is built from a number of different “Policy Elements”, which include schedules, bandwidth priorities, destination sets (remote sites), client address sets (hosts, networks, servers, etc), protocol definitions and content groups (video, audio, images, etc). This modularity provides plenty of flexibility when defining rules, but unfortunately, we found the process of rule definition to be the least intuitive of any firewall we have seen. It may be that the ISA Server approach is geared towards the security novice, to whom it may make more sense (though we doubt it). To anyone who is used to working with firewalls, however, ISA makes hard work of configuration tasks.
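To make the policy-element model concrete, here is an added example (not Microsoft's code, and not part of the original review) that builds a simplified access rule from the element types named above – a client address set, a destination set, protocol definitions and a schedule – and evaluates sample requests against it. The class names, the deny-before-allow ordering and the default-deny behaviour are assumptions of this model, not details taken from the page.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified model of ISA-style policy elements, constructed for illustration.
# Names are hypothetical and do not reflect Microsoft's implementation.

@dataclass
class ClientAddressSet:           # internal hosts/networks the rule covers
    networks: tuple
    def contains(self, ip):
        return any(ip_address(ip) in ip_network(n) for n in self.networks)

@dataclass
class DestinationSet:             # remote sites the rule covers ("*" = any site)
    domains: tuple
    def contains(self, host):
        return any(d == "*" or host == d or host.endswith("." + d) for d in self.domains)

# Protocol definition: transport protocol plus port number.
ProtocolDefinition = namedtuple("ProtocolDefinition", "transport port")

@dataclass
class Schedule:                   # hours of the day during which the rule is active
    start_hour: int
    end_hour: int
    def active(self, hour):
        return self.start_hour <= hour < self.end_hour

@dataclass
class AccessRule:
    action: str                   # "allow" or "deny"
    clients: ClientAddressSet
    destinations: DestinationSet
    protocols: tuple              # ProtocolDefinition instances
    schedule: Schedule
    def matches(self, src, host, transport, port, hour):
        return (self.clients.contains(src) and self.destinations.contains(host)
                and any(p.transport == transport and p.port == port for p in self.protocols)
                and self.schedule.active(hour))

def evaluate(rules, src, host, transport, port, hour):
    """Assumed ordering: deny rules are checked before allow rules, and a
    request that matches no rule at all is denied (default deny)."""
    for action in ("deny", "allow"):
        for rule in rules:
            if rule.action == action and rule.matches(src, host, transport, port, hour):
                return action
    return "deny"

# Constructed sample policy: staff may browse HTTP/HTTPS during office hours,
# except that one domain is blocked at all times.
HTTP, HTTPS = ProtocolDefinition("tcp", 80), ProtocolDefinition("tcp", 443)
STAFF = ClientAddressSet(("192.168.1.0/24",))
RULES = [AccessRule("deny", STAFF, DestinationSet(("blocked.example",)), (HTTP, HTTPS), Schedule(0, 24)),
         AccessRule("allow", STAFF, DestinationSet(("*",)), (HTTP, HTTPS), Schedule(8, 18))]
```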

The Console is the usual MMC interface, which at least makes it familiar in terms of look and feel. The “scope pane” down the left of the screen provides a hierarchical menu tree, whilst the “results pane” on the right shows the results of selecting a menu option, and the Taskpads. Taskpads provide a high level of hand-holding for the administrator which makes the completion of individual tasks – such as enabling Intrusion Detection – fairly straightforward. However, the overall layout is such that it is very difficult to know just which Taskpads you need to use in order to achieve the desired effect. We found ourselves fiddling about in two or three different places just to allow outgoing Web access for our internal users, and inbound access to our Web server on the DMZ for external users.

A couple of useful Taskpads are the ones to enable a range of basic Intrusion Detection capabilities (which detect such things as port scans, WinNuke, Ping of Death, and a few other common Denial of Service attacks), and OS hardening. The system Hardening Wizard allows the administrator to lock down the Windows 2000 OS by setting the appropriate levels of security (auditing levels and access controls on key directories and Registry entries, for example) depending on how the ISA Server is expected to function on the network. For example, different levels of hardening are applied depending on whether the ISA machine is a dedicated firewall, or is also expected to function as a Domain Controller. Finally, it is worth noting that most of the ISA Server features are available without installing the firewall client that is supplied. However, should the administrator wish to go to the trouble of installing said client on end users’ desktops, it offers additional high-level protocol support and user-based authentication.

Verdict

Whilst this is not a bad attempt by Microsoft to produce a firewall and cache – and is certainly a huge improvement over the previous Proxy Server product – it will probably appeal mainly to those “Microsoft-only” shops. It is not as easy to configure as the best-of-breed Windows-based firewalls already on the market, and we have not tested it to Checkmark certification level, so there is no telling how it will stand up to a serious attack.

Product: Internet Security and Acceleration Server 2000
Supplier: Microsoft
Internet: www.microsoft.com
Tel: +44 (0)20 8756 8000


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.
