This article can also be found in the Premium Editorial Download "Information Security magazine: Screen test: App-layer controls beef up perimeter firewalls."
WMDs, wardrobe malfunctions and Microsoft security. What do these three things have in common? They all suffer from poor public perception.
Whether it's mythical weapons in Iraq, a bursting bustier at the Super Bowl or the failures of OS security, perception is king and can play a large part in purchasing. Well, at least when it comes to Microsoft products.
Whether it's a
This isn't the same ISA Server 2000 you bought a couple of years ago. Microsoft has made many improvements, including an easier-to-use management interface, IPSec VPN (IPSec from site to site, anyway) and a remodeled application-layer firewall. (A beta version is available at http://www.microsoft.com/isaserver/beta/default.asp.)
You're probably asking yourself, "What's the point?" Why not go out and buy a dedicated piece of hardware from Cisco, Check Point Software Technologies or WatchGuard? If you're going to spend several thousand dollars for ISA and the hardware to run it on, why not just go out and get a battle-tested appliance? These questions are especially pertinent if your enterprise infrastructure is standardized on a single firewall vendor.
Well, there are actually two reasons. First, ISA is a hydra, a multiheaded beast with firewall, Web caching and VPN services that integrate easily and directly with Microsoft Exchange, Outlook Web Access (OWA) and IIS.
Second, as Microsoft correctly states, having just one firewall vendor isn't the best practice. A mix of firewalls is a better approach to securing valuable data. I wouldn't want to worry about having a single point of failure for any enterprise infrastructure component, so why have a single vendor for the firewalls protecting enterprise data? It's hard to argue against that logic.
I know what you're thinking: Having an ISA server means having yet another interface for employees to learn and more logs to manage. Well, Microsoft has created a simplified interface for implementation, management and maintenance while creating another hurdle for those with malicious intent.
If you combine an enterprise firewall appliance with an ISA server, you're less likely to be compromised with both boxes running than with just one. That's pretty good justification for purchasing ISA, especially when you consider that data regulated by Sarbanes-Oxley will be doubly secure.
I like that if you buy the ISA 2000 server with the software assurance package, you get 20% off the current price, which means that you get the free ISA 2004 Server upgrade. Not a bad deal.
If you're like me, you're always looking for ways to fortify your infrastructure and ensure data integrity. ISA 2004 isn't going to replace mainline, perimeter firewalls, nor is it intended as a sole layer of protection for Microsoft apps. But it's a pretty good addition to the layers of the security onion.
If perception is everything, Microsoft still has a long way to go. From my perspective, though, ISA 2004 may ease the journey.
About the author
Victor R. Garza is a freelance author and network security consultant in Silicon Valley.
This was first published in March 2004