The security improvements of Microsoft ISA Server 2004


This article can also be found in the Premium Editorial Download "Information Security magazine: Screen test: App-layer controls beef up perimeter firewalls."


WMDs, wardrobe malfunctions and Microsoft security. What do these three things have in common? They all suffer from poor public perception.

Whether it's mythical weapons in Iraq, a bursting bustier at the Super Bowl or the failures of OS security, perception is king and can play a large part in purchasing. Well, at least when it comes to Microsoft products.

Whether it's a buffer overflow in Internet Explorer or a new worm crippling Outlook, each successive security incident takes a toll on Microsoft's credibility. Microsoft is trying to make things better, though, both through improved code and a defense-in-depth strategy. To that end, Microsoft will release Internet Security and Acceleration (ISA) Server 2004 later this year.

This isn't the same ISA Server 2000 you bought a couple of years ago. Microsoft has made many improvements, including an easier-to-use management interface, IPSec VPN (IPSec from site to site, anyway) and a remodeled application-layer firewall. (A beta version is available at http://www.microsoft.com/isaserver/beta/default.asp.)

You're probably asking yourself, "What's the point?" Why not go out and buy a dedicated piece of hardware from Cisco, Check Point Software Technologies or WatchGuard? If you're going to spend several thousand dollars for ISA and the hardware to run it on, why not just go out and get a battle-tested appliance? These questions are especially pertinent if your enterprise infrastructure is standardized on a single firewall vendor.

Well, there are actually two reasons. First, ISA is a hydra, a multiheaded beast with firewall, Web caching and VPN services that integrate easily and directly with Microsoft Exchange, Outlook Web Access (OWA) and IIS.

Second, as Microsoft correctly states, having just one firewall vendor isn't the best practice. A mix of firewalls is a better approach to securing valuable data. I wouldn't want to worry about having a single point of failure for any enterprise infrastructure component, so why have a single vendor for the firewalls protecting enterprise data? It's hard to argue against that logic.

I know what you're thinking: Having an ISA server means having yet another interface for employees to learn and more logs to manage. Well, Microsoft has created a simplified interface for implementation, management and maintenance while creating another hurdle for those with malicious intent.

If you combine an enterprise firewall appliance with an ISA server, you're less likely to be compromised with both boxes running than just one. That's pretty good justification for purchasing ISA, especially when you consider that data regulated by Sarbanes-Oxley will be doubly secure.

I like that if you buy the ISA 2000 server with the software assurance package, you get 20% off the current price, which means that you get the free ISA 2004 Server upgrade. Not a bad deal.

If you're like me, you're always looking for ways to fortify your infrastructure and ensure data integrity. ISA 2004 isn't going to replace mainline perimeter firewalls, nor is it intended as a sole layer of protection for Microsoft apps. But it's a pretty good addition to the layers of the security onion.

If perception is everything, Microsoft still has a long way to go. From my perspective, though, ISA 2004 may ease the journey.

About the author
Victor R. Garza is a freelance author and network security consultant in the Silicon Valley.

This was first published in March 2004
