Product Reviews

ISA Server at Your Service

The latest incarnation of Microsoft's primary firewall offering is more secure and easier to use.

• By Chad Todd
• 12/01/2004

As the range of threats to secure Internet communications evolves, so too must the defenses against those threats. Microsoft's Internet Security and Acceleration (ISA) Server 2004, the company's primary firewall offering, provides tighter security than its predecessor and features a more intuitive interface. There are wizards that walk you through most tasks like initial firewall configuration, server publishing and rule creation, which makes it easier to install, configure and operate.

Microsoft provides four templates (see Figure 1) for configuring ISA Server 2004 as an edge firewall, three-leg perimeter, front firewall or back firewall, so you can get your firewall up and running quickly. Simply apply the template that best fits your situation. ISA Server then clears the existing configuration and replaces it with the template configuration.

When using ISA Server as an edge firewall, it connects to both the internal LAN and the Internet and is the sole firewall in use. The three-leg perimeter configuration again has ISA as the only firewall. However, this time ISA Server is connected to three networks—the internal LAN, the Internet and a perimeter network. The perimeter network is used as a "DMZ" for securely publishing servers.

In a back-to-back configuration, you can set up ISA Server as either the front or back firewall. In this topology, each firewall has two interfaces. The front firewall is connected to the Internet and the shared perimeter network, which is in turn connected to the back firewall. The back firewall is connected to the internal LAN and to the shared perimeter network.

Figure 1. Microsoft provides four firewall templates to help with initial configuration of ISA Server 2004. (Click image to view larger version.)

Forceful Filtering
ISA Server 2004 enforces firewall security by filtering all traffic. It provides three levels of filtering: packet filtering, stateful filtering and application filtering. Packet filtering works at the network and transport layers of the OSI model (layers 3 and 4, respectively). It inspects packet headers and permits or denies traffic based on source and destination IP address, IP protocol and protocol number, source and destination port number and the direction of the traffic (inbound or outbound).

Packet filtering is not as advanced as stateful filtering or application filtering, but it does have its advantages. It is fast, because it only has to inspect layer 3 and 4 headers. It also provides egress and ingress filtering. Egress filtering denies outbound network traffic from all addresses that aren't internal to your network. Ingress filtering does the opposite. It blocks all inbound traffic on the external interface for all IP addresses that are internal to your network.

Stateful filtering examines the status of a packet and its header. It uses information about the TCP session to determine if the packet should be allowed or denied. This lets ISA Server do dynamic packet filtering by opening ports only when a valid session exists. If a client makes a request to a server on the outside, that server is allowed back through the firewall as long as the session is intact. Once the session is over, the server can no longer get back inside.

Application filtering lets ISA inspect traffic at the application layer of the OSI model (layer 7). In other words, ISA makes intelligent decisions based on packet contents. This protects against viruses, worms and peer–to-peer file sharing programs, among other things. You can use application filtering to filter Internet downloads and scan all incoming and outgoing e-mails. The only drawback to application filtering is speed. Because application filtering examines the entire packet, it's much slower than packet and stateful filtering. This isn't a huge concern, as application filtering will only apply to traffic not dropped by packet filtering and stateful filtering.

Any firewall controls both outbound (through the Internet) and inbound (heading for servers published on your internal network) traffic. ISA makes publishing servers very easy using Web publishing and server publishing. Both types support application filtering.

You would use Web publishing to publish HTTP and HTTPS servers. Web publishing rules provide for path mapping (which lets ISA Server change the URL path requested from the Internet and redirect to the correct internal path), user authentication, content caching and publishing multiple Web sites with one IP (using host headers). You typically use server publishing for protocols other than HTTP and HTTPS. It passes all traffic destined for a given IP and port to the published server. Unlike Web publishing, it can't make decisions based on the name of the server being accessed.

Serving Other Purposes
Besides its primary function as a firewall server, you can also configure ISA Server 2004 to function as a proxy and caching server or a Virtual Private Network (VPN) server. Like the firewall templates, Microsoft provides a template for proxy and caching called Single Network Adapter. In this mode, ISA Server provides Web proxying, caching and Web publishing, but it does not do packet filtering, application filtering, VPN or server publishing. By configuring your clients as Web proxy clients, they send all HTTP, HTTPS, and FTP traffic to the ISA Server, which then authenticates Internet access based on Digest, Basic, Integrated, RADIUS or SSL authentication.

By sending all Web requests to ISA Server, you can take advantage of central caching. As everyone searches the Internet, their requests are cached. When someone else requests the same information, ISA Server retrieves the information locally without having to go back to the Internet. ISA Server also supports scheduled caching. This lets you preload entire Web sites into the ISA Server cache and have it refreshed on a set schedule.