Internet Security and Acceleration (ISA) Server 2006 overview
Prior to Internet Security and Acceleration (ISA) Server, we had a product called ‘Proxy Server’, which was our web caching solution. Unfortunately for us, most people still associate ISA Server with its distant relative Proxy Server: if asked about ISA Server, they ‘normally’ reply along the lines of “That’s a nice proxy solution, which I’ll put behind a ‘real’ firewall”. Internet Security and Acceleration (ISA) Server 2006 is actually the third generation of our fully functional firewall, VPN, web caching proxy and application reverse-proxy solution (the previous versions were ISA Server 2004 and ISA Server 2000). In the last seven years of ISA there have been only ten security updates, and only three of them were flagged as critical (there was one for ISA 2004 and there hasn’t been any for ISA 2006).
ISA Server’s core firewall component focuses on application-layer (layer 7) filtering, especially of the HTTP, FTP and SMTP services. What does that mean? It means that ISA does not merely open or close network ports; it also screens the traffic passing through those ports for malformed or malicious packets.
Application Layer Filtering (ALF) is nowadays the mandatory extra component that makes your network far more secure than it used to be. Relying on a single firewall without any ALF mechanism for inbound or outbound connections is really dangerous. Many hackers actually use open ports on firewalls to send malicious code to an internal server; a DNS attack, for example, could be performed through any open port. A malicious piece of code will successfully pass any basic packet-filtering or circuit-filtering firewall, whereas an appropriate ALF solution in the path will simply drop these kinds of packets. There are even ‘solutions’ out there that will let you run any application (which may use any port) through your firewall over port 80 (the port that’s always open, as it’s used for HTTP).
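To make the difference between the two filtering levels concrete, here is a small added illustration (my own example, not ISA Server code or its actual policy): a port-only rule and a layer-7 HTTP check are run over the same constructed payloads arriving on port 80, so you can see which traffic only the application-layer check rejects. The allowed methods, the header-size limit and the sample hostnames are assumptions for the example.

```python
# Added example (not ISA Server code): a port-level rule versus an
# application-layer (layer 7) check on the same traffic arriving on port 80.
import re
from typing import Optional

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy, not an ISA default
MAX_HEADER_BYTES = 8192                     # assumed policy limit
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")

def packet_filter_allows(dst_port: int) -> bool:
    """A plain packet filter: decides on the port only, never reads the payload."""
    return dst_port == 80

def alf_reason_to_drop(payload: bytes) -> Optional[str]:
    """Layer-7 check on what is actually sent over port 80.
    Returns None for a well-formed HTTP request, otherwise the drop reason."""
    first_line = payload.split(b"\r\n", 1)[0]
    m = REQUEST_LINE.match(first_line)
    if not m:                                   # e.g. another protocol tunnelled over 80
        return "not an HTTP request line"
    if m.group("method").decode() not in ALLOWED_METHODS:
        return "method not allowed by policy"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "no end of headers"
    if len(head) > MAX_HEADER_BYTES:            # oversized header block
        return "header block too large"
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return "missing Host header"
    return None

def firewall_decision(dst_port: int, payload: bytes) -> str:
    """Combine both layers the way a layer-7 firewall would: port first, then ALF."""
    if not packet_filter_allows(dst_port):
        return "DROP (port closed)"
    reason = alf_reason_to_drop(payload)
    return "ALLOW" if reason is None else f"DROP (ALF: {reason})"

# Constructed samples: a normal request, and a non-HTTP protocol banner sent
# over port 80, which a port-only rule would wave through.
GOOD = b"GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
TUNNELLED = b"SSH-2.0-OpenSSH_7.4\r\n"

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("TUNNELLED", TUNNELLED)):
        print(name, "->", firewall_decision(80, data))
```

The port-only rule returns the same answer for both samples; only the layer-7 check tells the tunnelled protocol apart from a real HTTP request.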
You might think ISA Server would be slow, as it scans the network traffic; it is actually very fast, as it is able to handle up to 1.5GB/s. A basic ASIC chip optimized to run a packet filter (as is the case with many firewall vendors) is most of the time a lot slower than ISA. The average speed of an entry-level Cisco PIX firewall, for example, would be around 300MB/s. It is worth pointing out here that you can either purchase ISA as a dedicated appliance or ‘build your own’, in which case the underlying hardware can be as powerful as you need (you can even configure an array of ISA Servers, which will load balance the traffic).
ISA Server can act very well as a frontend or backend firewall (or simply as ‘the firewall’ in small to medium environments), but for bigger network environments it is highly recommended to use ISA Server as a backend solution in conjunction with another third-party firewall. There are three reasons for this. Firstly, a frontend firewall will take off most of the network load by dramatically reducing the amount of traffic being sent to the DMZ or internal network. Secondly, it is good practice to use different vendors for your frontend and backend firewalls, because if one layer in your defence is compromised, you still have another (Defence in Depth). And lastly, because ISA Server is designed mainly to offer an extra layer of security to Exchange, SharePoint and IIS (we understand exactly what that traffic looks like and are able to work with it on its way through). It is obviously also able to provide extended security to any other web server or application.
In the Exchange case, for example, authentication is performed by the ISA Server itself and no longer by the Exchange server. That gives you the assurance that only legitimate traffic is sent to your Exchange server, lowering the Exchange server’s load at the same time.
ISA is also able to counter many attacks out of the box, such as Windows out-of-band (WinNuke), Land, Ping of Death, IP half scan, UDP bomb, port scan, DNS host name overflow, DNS length overflow, DNS zone transfer, POP3 buffer overflow and SMTP buffer overflow. This feature provides an enhanced way to protect your backend servers from external attacks, but also from internal attacks by employees, which we see more and more nowadays.
Michael RIVA, MCSE: Security, MCT