The role of the firewall in the world of security has and is continuing to change dramatically. It is not just about managing connections over specific ports at the perimeter anymore. We have ‘security’ devices protecting DMZ’s, providing remote access, securing applications and web services, segmenting off parts of internal networks and even on our clients/servers just to name a few examples. Many of the more damaging worms and exploits are traversing over the same connections/ports that we have to allow for our users to use the applications and systems their jobs require. They are operating at the ‘Application Layer’. What is an example of an ‘Application Layer’ attack? It is an attack that is occurring within data that is ‘above’ the TCP/IP protocol in a packet/communication. A buffer overflow is a great example of a typical application layer attack.
How is the industry responding? We need smarter ‘firewalls’ and Application Layer Security! Many of the devices providing additional security here aren’t even calling themselves firewalls. They may be calling themselves gateway devices, proxy servers, caching servers, content switches. They may not all be designed as ‘security’ devices – but they are doing things at the application layer. This is the future of ‘firewalls’ and will change the way we architect our network infrastructures.
There aren’t many ‘traditional’ firewalls left out there. One way or another you will find that most ‘firewalls’ have added some level of application security. ISA 2004 is Microsoft enterprise firewall solution and it was developed from the ground up to be a robust application layer firewall. I could write a whole article on why the infrastructure ISA provides to inspect traffic at the application layer makes it unique…but that is really not the most important thing. Concerned over a firewall from Microsoft or one that runs on Windows? That is another article in itself (and one you should stay tuned for from me soon. In summary though – don’t be!).
In the end - let's pretend that there is an Application Layer firewall on the market that has the ability to inspect all traffic at the application layer like ISA can and start the comparison right there. I like to use the comparison of these 2 firewalls to an x-ray machine at the airport. You walk up to the first x-ray machine (the non-ISA machine) and run your bag through. The machine can look in the bag and ‘see’ everything. But on this machine I (Tom Bartlett) am the person looking at the screen of what is inside. Well I am seeing everything – but I have no idea what is or isn’t allowed on a plane and I sure can’t make out objects on those screens. Now the other machine has a trained TSA agent reviewing the contents and he knows what is allowed on a plane, what isn’t and how to identify those in that screen. Which makes you feel more secure? THAT is what is so great about ISA 2004 - the way it handles intelligence!
Without the ability to make intelligent decisions based on what you look at - an application layer firewall is COMPLETELY USELESS! Microsoft has provided a solution with a ton of ‘intelligence’ around a variety of common scenarios and protocols in addition to an awesome roadmap (wait until RSA next week in San Jose!). The filter model ISA uses to provide this intelligence is easy to extend. Anyone can create a filter for ISA and we provide an SDK and examples to help people get started! This has led to a HUGE partner community that provides ‘filters’ for a variety of scenarios (there are more partners for ISA than any other single competing product). Just a few examples of ‘intelligence’ you will find either out of the box or with partners include: Advanced Pre-Authentication options, multi-factor authentication options, integrated seamless AD authentication options, URL filtering, XML/SOAP security, Anti-virus scanning, enabling Peer 2 Peer collaboration scenarios, managing/monitoring access based on users/groups, SIP inspection and fix-up, http caching, compression and prioritization, BITS caching, RPC filtering, IM auditing, Intrusion Detection, HTTP filtering, SSL bridging, appliance options, reporting, MOM management pack, advanced scalability/availability options, advanced manageability options, hardware SSL acceleration, enterprise VPN services, site-site VPN services, user access control/monitoring across multiple protocols, content filtering, NAT, routing, VPN quarantine and even traditional stateful inspection firewall services. That is just off the top of my head! I also know many customers that create their own custom filters for unique needs. Extensibility allows you to make sure it can meet the needs of your organization, your applications and your deployment needs! There is also a great community around ISA Server – check out www.isaserver.org to get started!
Most of these things can be done without having to deploy separate devices to perform different functions (if you don’t want to). Meanwhile you get a device that offers great price per performance, is an enterprise class security device, is extremely easy to deploy and manage, has a variety of acquisition and deployment options and can offer tight integration into your existing Microsoft infrastructure (if desired!).
Defense in depth strategies are the future of security and this is an important part of planning secure access to applications, web services, secure internet access, branch office scenarios and WAN optimization.