Microsoft ISA Server 2000
by Bob Walder
Microsoft security has always been
thought of as something of an oxymoron. Yet here we have the Internet
Security and Acceleration Server which is a packet filter and proxy-based
firewall and Web cache rolled into one. Microsoft producing an actual
security product? Read on…
There are two versions of the ISA Server
– Enterprise and Standard – and the security, caching, extensibility,
management, and performance capabilities are the same in both versions.
The Standard edition, however, is limited to a stand-alone server, with a
local policy only, and will support no more than four processors. The
Enterprise edition supports multi-server arrays with centralised
management, enterprise-level and array-level policy, and has no hardware
limits. In order to support the centralised policy management
capabilities, however, it does need to be installed into an Active
Directory domain, whereas the Standard edition does not rely on AD. The
Enterprise version (as reviewed here) is thus better suited to large
multi-site organisations where it is important to be able to manage
multiple firewall and cache servers from a single, central console.
During installation, it is possible to
specify that the host be a dedicated firewall, dedicated Web cache or that
both functions be integrated on the same host. The Web cache capability
can minimise performance bottlenecks and save network bandwidth resources
by serving up locally cached Web content. This ensures that each Web page
is only retrieved once from the Internet, and then served to multiple
users internally directly from the cache.

[Figure: Configuring packet filter rules]
On the security front, ISA Server
includes an extensible, multi-layer firewall featuring packet, circuit and
application level (proxy) traffic screening, stateful inspection, Network
Address Translation (NAT), integrated VPN and basic intrusion detection
(based on technology from ISS), smart application filters, authentication
and secure Web publishing.
As with most firewalls, ISA Server uses
rules to determine whether users, services, ports or domains are granted
access to computers on the protected network and on the Internet. Four types of rules are available: Access Policy rules, Bandwidth
rules, Protocol rules and Publishing rules.
In addition, ISA
Server can apply policies to users and groups in NT and Windows 2000
domains for an integrated approach to user management.
Access Policy
rules define which Internet sites can be accessed by clients behind the
ISA Server, as well as which protocols internal clients can use. They also
implement the usual packet filter rules that block or allow traffic
depending on source and destination address, source and destination port
and protocol.
Bandwidth
rules build on the Windows 2000 QoS (Quality of Service) features to
determine bandwidth priorities for any specific Internet
request.
Publishing
rules allow internal servers (Web server, or even Exchange 2000, for
example) to publish securely through the ISA Server. These rules map
incoming requests to the appropriate servers behind the firewall, and
support for multiple network cards in the host PC allows the administrator
to create a secure DeMilitarised Zone (DMZ) if required.
[Figure: Configuring basic IDS settings]
Each rule is built from a number
of different “Policy Elements”, which include schedules, bandwidth
priorities, destination sets (remote sites), client address sets (hosts,
networks, servers, etc), protocol definitions and content groups (video,
audio, images, etc). This modularity provides plenty of flexibility when
defining rules, but unfortunately, we found the process of rules
definition to be the least intuitive of any firewall we have seen. It may
be that the ISA Server approach is geared towards the security novice, to
whom it may make more sense (though we doubt it). To anyone who is used to
working with firewalls, however, ISA makes hard work of configuration
tasks.
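To make the "rules built from Policy Elements" model concrete, the following is an added illustration (not ISA Server code and not the reviewer's): reusable protocol definitions, client address sets, destination sets and schedules are defined once and then referenced by name from access and publishing rules. All addresses, set names and rule names are constructed for the example, and the first-match evaluation with an implicit final deny is an assumption of this toy model, not a description of ISA Server's actual rule-processing order.

```python
"""Toy model of firewall rules composed from reusable policy elements.

Added illustration only: not ISA Server code. First-match evaluation with
an implicit final deny is an assumption of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Policy elements (all values constructed for the example).
# Protocol definitions: name -> (transport, destination port)
PROTOCOLS = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "SMTP": ("tcp", 25),
    "DNS": ("udp", 53),
}
# Client address sets and destination sets: name -> list of CIDR ranges
CLIENT_SETS = {
    "LAN workstations": ["10.0.0.0/16"],
    "DMZ servers": ["192.168.100.0/24"],
    "Any": ["0.0.0.0/0"],
}
DESTINATION_SETS = {
    "Blocked sites": ["203.0.113.0/24"],
    "Public web server": ["192.168.100.10/32"],
    "Any": ["0.0.0.0/0"],
}
# Schedules: name -> half-open range of hours [start, end)
SCHEDULES = {"Work hours": (8, 18), "Always": (0, 24)}


@dataclass(frozen=True)
class Request:
    """One connection attempt as seen by the firewall."""
    src: str
    dst: str
    transport: str
    dport: int
    hour: int  # hour of day, 0-23


@dataclass(frozen=True)
class Rule:
    """A rule references policy elements by name rather than embedding them."""
    name: str
    action: str            # "allow" or "deny"
    clients: str           # key into CLIENT_SETS
    destinations: str      # key into DESTINATION_SETS
    protocols: frozenset   # protocol definition names; empty means any protocol
    schedule: str = "Always"


def _in_set(addr, cidrs):
    ip = ip_address(addr)
    return any(ip in ip_network(c) for c in cidrs)


def rule_matches(rule, req):
    """True when every policy element referenced by the rule matches the request."""
    if not _in_set(req.src, CLIENT_SETS[rule.clients]):
        return False
    if not _in_set(req.dst, DESTINATION_SETS[rule.destinations]):
        return False
    start, end = SCHEDULES[rule.schedule]
    if not start <= req.hour < end:
        return False
    if rule.protocols:
        return any(PROTOCOLS[p] == (req.transport, req.dport) for p in rule.protocols)
    return True


def evaluate(rules, req):
    """Return (action, rule name) for the first matching rule; deny if none match."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "implicit default deny"


# Constructed rule base: a deny for a blocked destination set, an outbound
# web-browsing rule limited to work hours, and a publishing rule exposing
# the DMZ web server on HTTP only.
RULES = [
    Rule("Block listed sites", "deny", "LAN workstations", "Blocked sites", frozenset()),
    Rule("Web browsing", "allow", "LAN workstations", "Any",
         frozenset({"HTTP", "HTTPS"}), "Work hours"),
    Rule("Publish web server", "allow", "Any", "Public web server", frozenset({"HTTP"})),
]

if __name__ == "__main__":
    samples = [
        Request("10.0.5.7", "198.51.100.20", "tcp", 443, 10),   # browsing in hours
        Request("10.0.5.7", "203.0.113.8", "tcp", 80, 10),      # blocked site
        Request("10.0.5.7", "198.51.100.20", "tcp", 443, 22),   # browsing after hours
        Request("198.51.100.20", "192.168.100.10", "tcp", 80, 3),  # inbound HTTP to DMZ
        Request("198.51.100.20", "192.168.100.10", "tcp", 22, 3),  # inbound SSH to DMZ
    ]
    for req in samples:
        print(req, "->", evaluate(RULES, req))
```

Because every rule points at named elements, changing the "Blocked sites" destination set or the "Work hours" schedule updates every rule that references it; that is the flexibility the review credits the design with, and also why a reader of the rule list has to look in several places to see what a single rule actually permits.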
The Console is the usual MMC interface,
which at least makes it familiar in terms of look and feel. The “scope
pane” down the left of the screen provides a hierarchical menu tree,
whilst the “results pane” on the right shows the results of selecting
a menu option, and the Taskpads. Taskpads provide a high level of
hand-holding for the administrator which makes the completion of
individual tasks – such as enabling Intrusion Detection – fairly
straightforward. However, the overall layout is such that it is very
difficult to know just which Taskpads you need to use in order to achieve
the desired effect. We found ourselves fiddling about in two or three
different places just to allow outgoing Web access for our internal users,
and inbound access to our Web server on the DMZ for external users.
A couple of useful Taskpads are the ones
to enable a range of basic Intrusion Detection capabilities (which detect
such things as port scans, WinNuke, Ping of Death, and a few other common
Denial of Service attacks), and OS hardening. The system Hardening Wizard
allows the administrator to lock down
the Windows 2000 OS by setting the appropriate levels of security
(auditing levels and access controls on key directories and Registry
entries, for example) depending on how the ISA Server is expected to
function on the network. For example, different levels of hardening are
applied depending on whether the ISA machine is a dedicated firewall, or
is also expected to function as a Domain controller. Finally, it is worth
noting that most of the ISA Server features are available without
installing the firewall client that is supplied. However, should the
administrator wish to go to the trouble of installing said client on
end users' desktops, it offers additional high-level protocol support
and user-based authentication.
Verdict
Whilst this is not a bad attempt by
Microsoft to produce a firewall and cache – and is certainly a huge
improvement over the previous Proxy Server product – it will probably
appeal mainly to those “Microsoft-only” shops. It is not as easy to
configure as the best-of-breed Windows-based firewalls already on the
market, and we have not tested it to Checkmark certification level so there is no telling how it will stand up to a serious attack.
Product: Internet Security and
Acceleration Server 2000
Supplier: Microsoft
Internet: www.microsoft.com
Tel: +44(0)208756 8000