Ready for the Big Time

The Enterprise Edition of ISA 2004 provides centralized management and unmatched scalability.

One size rarely fits all. Microsoft has clearly realized this with its software-based firewall called Internet Security and Acceleration Server. ISA Server 2004 comes in two editions: Standard and Enterprise. The Standard Edition is suitable for smaller companies that only need one firewall. The Enterprise Edition is aimed at larger organizations that need fault-tolerant firewalls and the ability to centrally manage multiple firewalls.

Rating criteria and weights:
  • Documentation: 15%
  • Installation: 10%
  • Feature Set: 35%
  • Performance: 30%
  • Management: 10%
Overall Rating:

Rating scale:
  • 1: Virtually inoperable or nonexistent
  • 5: Average, performs adequately
  • 10: Exceptional

ISA Server 2004 Enterprise Edition (ISA) fills three needs: firewall protection, Web caching and VPN services. ISA’s firewall service provides application-layer filtering, which lets ISA make intelligent decisions based on a packet’s contents instead of just looking at the IP address and port number.

Most firewalls, especially traditional hardware firewalls, only inspect packets at layer three (IP) and layer four (TCP and UDP). This leaves them susceptible to application-layer attacks like CodeRed and Nimda, which arrive on the same ports as legitimate Web traffic. Because ISA also inspects traffic at the application layer, you can easily configure it to block those types of attacks.
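To make the layer-4 versus application-layer distinction concrete, here is an added illustration (not ISA's code, and not how ISA implements its HTTP filter). A port-only check sees every connection to TCP/80 as "web" and passes it; an application-layer check parses the HTTP request line and applies a policy to what it finds. The limit, method allow-list and sample request lines are all constructed for the example.

```python
import re
from typing import List, Tuple

MAX_URI_LEN = 256                           # illustrative limit, not an ISA setting
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # illustrative method allow-list
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def port_filter(dst_port: int) -> str:
    """Layer-3/4 view: anything to TCP port 80 is 'web' and passes; the payload is never read."""
    return "allow" if dst_port == 80 else "deny"


def http_filter(dst_port: int, request_line: str) -> Tuple[str, str]:
    """Application-layer view: parse the HTTP request line and apply policy.
    Returns (action, reason) so the reason can be logged like a matched rule."""
    if dst_port != 80:
        return "deny", "port not published"
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return "deny", "malformed request line"
    method, uri = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed"
    if len(uri) > MAX_URI_LEN:
        return "deny", "request URI too long"
    # Reject traversal sequences and anything outside printable ASCII.
    if ".." in uri or any(not 0x20 < ord(c) < 0x7f for c in uri):
        return "deny", "suspicious characters in URI"
    return "allow", "policy ok"


# Constructed sample request lines (none are real captured traffic).
SAMPLES = [
    (80, "GET /index.html HTTP/1.1"),
    (80, "GET /" + "A" * 300 + " HTTP/1.0"),          # oversized URI
    (80, "GET /scripts/../../secret.txt HTTP/1.0"),   # path traversal attempt
    (80, "TRACE / HTTP/1.1"),                          # method outside the allow-list
    (80, "not an http request"),                       # garbage on the web port
    (25, "GET / HTTP/1.1"),                            # web request on a non-published port
]


def compare(samples=SAMPLES) -> List[Tuple[str, str]]:
    """(port-level verdict, application-level verdict) for each sample."""
    return [(port_filter(p), http_filter(p, line)[0]) for p, line in samples]


if __name__ == "__main__":
    for (p, line), (l4, l7) in zip(SAMPLES, compare()):
        print(f"port {p:<3} L4={l4:<5} L7={l7:<5} {line[:40]}")
```

Four of the six samples get through the port-level check and are stopped only by the application-layer policy; the reason string is what a live monitor would show you as the cause of the deny.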

By default, ISA doesn’t cache Web pages. If you choose to enable caching (and I suggest that you do), you must have at least one NTFS-formatted drive in your system. Also, the more RAM you have the better, because ISA caches to disk and RAM -- 10 percent of RAM is used for caching; everything over this amount is cached to disk. Caching reduces the bandwidth needed to serve your clients if your users regularly visit the same Web sites.

ISA really shines as a VPN gateway. You can configure ISA as the end point in a site-to-site VPN and as a VPN server for remote clients. ISA treats VPN connections as a separate network, which lets you apply unique firewall rules to each connection. ISA will then apply stateful filtering to all incoming connections based on those rules.

To Serve and Protect
ISA offers a choice of five general network templates for initial configuration that correspond to common network topologies. You can define your server as an edge firewall, three-leg perimeter firewall, front-end firewall, back-end firewall or single network adapter firewall. These are defined as follows:
  • Edge firewall: Sits between your network and the Internet -- aka a bastion host firewall.
  • Three-leg perimeter firewall: Protects your network from attacks like an edge firewall, but uses an additional network to securely publish services to the Internet.
  • Front-end firewall: Used when you have two firewalls separating your network from the Internet (known as a back-to-back firewall topology). This firewall has a connection to the Internet and a connection to your DMZ (the shared area between your two firewalls).
  • Back-end firewall: Also used when you have two firewalls, this firewall would have a connection to your DMZ and a connection to your internal LAN.
  • Single network adapter firewall: Used as a caching proxy server to cache content from the Internet for use by clients on the local network.

Apply the template that best matches your topology and ISA automatically configures itself. Depending on your chosen template, ISA also gives you anywhere from five to eight choices of firewall policies to apply, like “block” or “allow all Internet access.”

The ISA installation and configuration process uses wizards to accomplish most tasks like creating access rules, networks and protocol definitions. This makes ISA very intuitive to those new to firewall management.

Reporting In
ISA’s reporting features are helpful for analyzing and summarizing traffic patterns. You can run a variety of built-in reports, such as which sites are accessed the most and who is accessing them. You can also determine which protocols and applications your users are using most. You can even report on the percentage of Web pages being retrieved from the ISA Web cache as opposed to live from the Internet.

You can run traffic reports manually or schedule them as recurring jobs. To schedule a job, simply specify the length of time the report will cover and how often the report will be generated. You can run reports on a daily, weekly, monthly or yearly basis, and get an e-mail copy of the complete report.

Figure 1. Traffic monitoring with ISA Server 2004: a live monitor lets you see incoming network traffic, the action ISA Server 2004 is taking and the rule governing that action.

My favorite ISA 2004 feature is the monitoring. ISA includes a live monitor of the traffic your server is processing (see Figure 1). You can see in real time which traffic is being allowed or rejected and which rule is responsible for the decision. This makes troubleshooting much easier: Just watch the traffic and go straight to the problem-causing rule.

Capital Improvements

ISA 2004 Enterprise Edition is an improvement in a number of ways over its predecessor, ISA 2000.
  • ISA 2004 puts all firewall rules in one place and processes sequentially from top to bottom. This refinement makes it much easier to troubleshoot problems.
  • ISA 2004 lets you create any number of networks. You can then define the routing relationship between the networks, choosing either to route traffic between them as-is or to translate it using Network Address Translation (NAT).
  • In ISA 2004, you can back up your configuration and restore it to an alternate server. This makes it very easy to recover from hardware failure or to migrate to a new ISA server.
  • You can now use ISA as the endpoint for an IPSec site-to-site VPN with a third-party VPN product.
  • ISA 2004 supports creating groups on the firewall. You can either use Active Directory groups or create your own. You can then populate your ISA groups with Active Directory user accounts.
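The single, top-to-bottom rule list described above (and the live monitor's "which rule decided this" view) is easiest to appreciate with a small model of first-match evaluation. The following is an added example, not ISA's own rule engine: it evaluates an ordered list of access rules, reports which rule matched, and flags rules that can never fire because an earlier, broader rule shadows them, which is exactly the kind of problem a sequential list makes visible. The rule fields, the rule names, the 10.0.0.0/8 and 10.50.0.0/16 networks and the trailing "Default rule" are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One access rule, modelled on the fields an administrator fills in."""
    name: str
    action: str            # "allow" or "deny"
    source: str            # source network in CIDR notation
    protocol: str          # "tcp", "udp" or "any"
    port: Optional[int]    # None matches any destination port

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.source):
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.port is not None and self.port != port:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every flow `other` could match is already matched by self."""
        same_net = ip_network(other.source).subnet_of(ip_network(self.source))
        same_proto = self.protocol == "any" or self.protocol == other.protocol
        same_port = self.port is None or self.port == other.port
        return same_net and same_proto and same_port


def evaluate(rules: List[Rule], src_ip: str, protocol: str, port: int) -> Tuple[str, str]:
    """Walk the ordered rule list top to bottom and return (action, rule name)
    for the first match. The trailing default deny is assumed here to stand in
    for the built-in bottom rule of a first-match firewall."""
    for rule in rules:
        if rule.matches(src_ip, protocol, port):
            return rule.action, rule.name
    return "deny", "Default rule"


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Report (shadowed rule, earlier rule that hides it): a later rule can never
    fire when an earlier one already matches everything it would."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed rule base: the lab subnet 10.50.0.0/16 sits inside 10.0.0.0/8,
# so the deny placed below the broad allow is unreachable.
RULES = [
    Rule("Allow internal web", "allow", "10.0.0.0/8", "tcp", 80),
    Rule("Deny lab web", "deny", "10.50.0.0/16", "tcp", 80),
    Rule("Allow internal DNS", "allow", "10.0.0.0/8", "udp", 53),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.50.1.7", "tcp", 80))   # the broad allow wins; the deny never fires
    print(find_shadowed(RULES))                       # the shadowing check names the culprit
    fixed = [RULES[1], RULES[0], RULES[2]]            # move the specific deny above the broad allow
    print(evaluate(fixed, "10.50.1.7", "tcp", 80))
```

Reordering the two rules is the whole fix; the shadow check returns an empty list for the corrected order, and a flow from the lab subnet now reports the deny rule as the one responsible.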

Scale Away
There are two ways to beef up your ISA server deployment. You can scale up by adding more hardware to your firewall, or you can scale out by adding more firewalls. While the Standard Edition of ISA 2004 is limited to four processors and 2GB RAM, the Enterprise Edition doesn’t have a cap on supported hardware, so you can scale up as needed.

The ISA Array lets you centrally manage all your ISA servers. Installing your ISA servers in the same array will let you do centralized logging and reporting. It also lets you enforce enterprise-wide firewall policies across all members of the array, making it much easier to change rules on multiple firewalls at the same time.

You can scale out with ISA by having all members of the array support Network Load Balancing (NLB). Using NLB lets online ISA servers take over for failed ISA servers without disrupting client access. This lets you dynamically expand or reduce the number of firewalls you’re using and do so completely behind the scenes.

ISA also supports the Cache Array Routing Protocol (CARP), which improves Web performance by providing load balancing and failover for Web proxy browser connections. CARP provides shared caching across the servers in the array, letting your system cache more information and improving overall performance.
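What makes CARP's shared cache work is that every array member (and every CARP-aware browser) can compute, from the URL alone, which server owns that URL, with no coordination traffic, and that a server dropping out of the array only moves the URLs it owned. The following is an added illustration of that routing property, not Microsoft's CARP implementation: it uses SHA-256 rendezvous ("highest score wins") hashing in place of the hash function the CARP specification defines, and the array member names and URLs are constructed.

```python
import hashlib
from typing import List


def _score(member: str, url: str) -> int:
    """Combine the member name and the URL into one comparable score.
    (SHA-256 stands in for the hash the real CARP spec defines.)"""
    return int.from_bytes(hashlib.sha256(f"{member}|{url}".encode()).digest(), "big")


def route(url: str, members: List[str]) -> str:
    """Choose the array member that should fetch and cache this URL: the one
    with the highest score. Every server evaluates this the same way, so the
    whole array agrees on the owner without talking to each other."""
    if not members:
        raise ValueError("array has no live members")
    return max(members, key=lambda m: _score(m, url))


def moved_on_failure(urls: List[str], members: List[str], failed: str) -> List[str]:
    """URLs whose owner changes when `failed` leaves the array."""
    survivors = [m for m in members if m != failed]
    return [u for u in urls if route(u, members) != route(u, survivors)]


ARRAY = ["isa-01.corp.example", "isa-02.corp.example", "isa-03.corp.example"]   # constructed names
URLS = [f"http://www.example.com/page{i}.html" for i in range(30)]              # constructed URLs

if __name__ == "__main__":
    for u in URLS[:5]:
        print(u, "->", route(u, ARRAY))
    moved = moved_on_failure(URLS, ARRAY, "isa-02.corp.example")
    owned = [u for u in URLS if route(u, ARRAY) == "isa-02.corp.example"]
    print(f"{len(moved)} of {len(URLS)} URLs move after isa-02 fails; isa-02 owned {len(owned)}")
```

The two counts printed at the end are always equal: URLs that belonged to the surviving servers keep the same owner, because removing a member cannot change which of the remaining members has the highest score. That is the reason a CARP array can lose or gain a member without invalidating every server's cache.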

ISA 2004 Enterprise Edition provides all the security and functionality of the Standard Edition, plus some features and flexibility that make it suitable for larger organizations. Its centralized management and logging are great for companies with geographically dispersed firewalls. The built-in NLB and CARP support provide fault tolerance and improved performance that will scale as much as needed to handle most companies’ Internet connections.

Once you’re familiar with ISA Server’s user interface, live monitoring, reporting, centralized management and scalability, you may find it difficult to use any other firewall.

About the Author

Chad Todd, MCSE, MCT, CNE, is the author of Hack Proofing Windows 2000 Server by Syngress Publishing. He is the co-owner of Training Concepts, which specializes in Windows 2000 and Cisco training.
