Comet Becomes Internet Security and Acceleration Server 2000
Jun. 19, 2000

Beta 3 of the Microsoft Internet Security and Acceleration (ISA) Server 2000, a Windows 2000 Server application that insulates corporate networks from the Internet and speeds viewing of Internet content, was released in May. ISA Server offers small and medium-size businesses an economical all-in-one Internet firewall and caching solution, but it faces serious challenges in markets demanding high-end firewalls and caching services. Formerly code-named Comet, ISA Server is an upgrade to Microsoft’s Proxy Server 2.0 and is expected to ship by the end of summer. It will be available as a stand-alone product and as a component of the BackOffice and Small Business Server suites. This article provides background information on Proxy Server and ISA Server, details on ISA Server’s improvements, and information on how ISA Server compares with competitive offerings.

Background and Product Positioning

Today, nearly all organizations must connect their LANs to the Internet to perform business tasks ranging from simple inter-organizational e-mail to sophisticated e-commerce, business-to-business data exchanges, and streaming of multimedia content. These organizations clearly need to protect their LANs while optimizing their connection to the Internet. In some cases, larger organizations face similar internal security and performance issues when interconnecting autonomous divisions. A class of devices named "firewalls," "proxy servers," and "caching servers" has evolved to perform these functions. Proper selection and configuration of these devices greatly affects an organization’s security, communications costs, Internet capabilities, and user response time. As the Internet’s importance and Internet security threats both increase, sales of these devices will continue to grow rapidly.
Microsoft created Proxy Server to provide a low-cost all-in-one product that would help businesses get on to the Internet, without requiring them to purchase additional third-party software or hardware beyond the server operating system itself. By bundling it into the BackOffice and Small Business Server suites, Microsoft gained a large firewall market share (measured by numbers of servers), primarily in small organizations. With ISA Server, Microsoft hopes to expand into larger organizations without losing its low-end base.

Proxy Server 2.0

Proxy Server 2.0’s low cost and effectiveness made it a popular choice for small businesses that might otherwise forgo a firewall completely. (For more information on the basic functions provided by Proxy Server 2.0, see the sidebar "Firewall and Caching Technology Overview.") Microsoft improved Proxy Server’s caching capabilities when it released version 2.0, and began positioning it as a Web caching solution for organizations of any size, while maintaining its position as a cost-effective firewall. However, Proxy Server 2.0 has had relatively little impact in the high-end market. More than 80% of Proxy Server 2.0’s installed base is still in small and medium-size organizations.

ISA Server 2000

Microsoft's Haifa, Israel, development team rewrote nearly all the Proxy Server 2.0 code so that ISA Server could exploit the power and features of Windows 2000. ISA Server's biggest pluses are still its deep integration with the Windows 2000 security model and its relatively low software cost (especially when bundled with BackOffice or Small Business Server). Microsoft anticipates that improvements in performance and reliability will finally make it a serious contender for the high-end firewall and content caching markets.
While the new name indicates that Microsoft wants to reposition the product, and while performance and reliability should be better than in Proxy Server 2.0, ISA Server still appears to be more of an upgrade than a major shift in direction. It remains a combination firewall and caching product that is still missing features needed by larger organizations, and will consequently be most useful to its installed base and to small businesses.

What's New in ISA Server 2000?

ISA Server's improvements over Proxy Server 2.0 fall into three general categories: reliability and performance, security, and administration.

Reliability and Performance

One of the biggest complaints about Proxy Server 2.0 was that it was essentially a set of additional "filters" that hooked into Internet Information Server (IIS) 4.0, Microsoft's Web server software. If IIS 4.0 crashed, it took down Proxy Server with it. Furthermore, since Proxy Server was running inside a single IIS process, it could not exploit multiple CPUs or recover gracefully from errors, especially when IIS was also hosting Web pages. One of the key design goals of ISA Server was to boost performance and reliability, but until the final product ships it is still too early to tell whether this was accomplished. The following are some of the main areas of improvement:

Separation from Internet Information Services. Although ISA Server still makes use of IIS, ISA Server is now a distinct service component. Combined with IIS 5.0's improvements in architecture and stability, this should make the system more scalable and stable. This will not only benefit large organizations but will also benefit small organizations that host an Internet or intranet Web site on the ISA Server machine.

Improved use of memory. ISA Server can now cache frequently requested Web objects (HTML pages, graphics, streaming media, and other files) in memory rather than to disk.
With enough physical memory and a high percentage of cacheable content, this could improve Web viewing significantly.

Kernel mode processing. Much of ISA Server's core engine runs in Windows 2000's kernel mode. When performing basic network address translation (see SecureNAT below), ISA Server does not employ any "user" mode components. Because kernel mode processing consumes fewer CPU cycles and system resources, performance and throughput should improve.

Cache pre-fetching. Administrators will be able to schedule ISA Server to pre-cache designated Web pages, rather than requiring a user to first request the page before it is downloaded and cached. When many users frequently access the same content (e.g., a corporate news page), this feature could improve performance, especially when network bandwidth to the Web server is low and when the objects have short time-to-live tags (causing them to be quickly dropped from cache).

Bandwidth control. Administrators will be able to set policies that control ISA Server's use of bandwidth. These policies can be based on the type of protocol (HTTP, FTP, streaming audio, etc.) or on the identity of the user. This allows administrators to allocate bandwidth and preserve it for the most critical network usage. For example, administrators could prioritize inbound traffic to their Web site over outbound Web browsing traffic, such that the customers' response time does not suffer during periods of heavy Internet access by employees, especially if they are permitted to access streaming media.

Security

One of Microsoft's design goals for ISA Server was to make it more competitive with the best-of-breed enterprise firewalls. To accomplish this, Microsoft added the following new features and capabilities:

Secure Network Address Translation (SecureNAT).
The biggest new feature of ISA Server is its ability to perform generic bidirectional network address translation without needing application-level or circuit-level proxies (for an explanation of these concepts, see the sidebar "Firewall and Caching Technology Overview"). SecureNAT is ISA Server's term for standard NAT, but with hooks for filters that can do additional types of inspection. SecureNAT hides private internal IP addresses from the Internet, substituting a legitimate public Internet address and performing all the necessary mapping of port numbers so that packets arriving from the Internet are routed to the correct computer and application. When application- or circuit-level gateways either do not exist for protocols that need to pass through the firewall or generate unnecessary overhead, SecureNAT provides a fast, moderately secure way to pass traffic through the firewall. SecureNAT is transparent to both the client and server, and neither side requires special software to take advantage of it. SecureNAT is off by default, but administrators can open up specific protocols to pass through to specific addresses on either side of the firewall. Because SecureNAT cannot do authentication, access rules cannot be based on user or group identity. Some protocols present problems for address translation because critical IP address and port number information is contained within the data payload rather than in the IP header. Through the use of a function called a "NAT editor," SecureNAT is able to examine the data fields of certain higher-layer protocol packets and determine from that data how to properly set up its port and address translations. ISA Server provides NAT editors for Point-to-Point Tunneling Protocol (PPTP), Internet Control Message Protocol (ICMP), FTP, and NetMeeting.

Filters. ISA Server provides a new set of filters that augment some of the proxies.
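To make the SecureNAT and NAT editor description above concrete, here is an added illustration in Python; it is not ISA Server's code and not from the article. It models a translation table that rewrites the source of outbound packets to a public address, maps replies back to the private endpoint, drops inbound packets that match no mapping, and includes a NAT editor for FTP's active-mode PORT command, the case where the client's private address travels inside the payload. The public address 203.0.113.10, the client and server addresses, and the FTP payload are constructed sample values.

```python
"""Toy model of network address translation with a NAT editor for FTP.

Added example, not ISA Server code. All addresses, ports and the FTP
payload are constructed sample values.
"""
import re
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"          # constructed public address of the firewall
FTP_CONTROL_PORT = 21
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class Nat:
    """Translation table: one public port per private (ip, port) endpoint."""
    next_port: int = 40000
    to_private: dict = field(default_factory=dict)   # public port -> (private ip, port)
    to_public: dict = field(default_factory=dict)    # (private ip, port) -> public port

    def _map(self, private_ip, private_port):
        """Return the public port for a private endpoint, allocating one if needed."""
        key = (private_ip, private_port)
        if key not in self.to_public:
            port = self.next_port
            self.next_port += 1
            self.to_public[key] = port
            self.to_private[port] = key
        return self.to_public[key]

    def outbound(self, pkt):
        """Internal -> Internet: rewrite the source to the public address and port."""
        public_port = self._map(pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if pkt.dst_port == FTP_CONTROL_PORT:
            payload = self._ftp_port_editor(payload)
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt):
        """Internet -> internal: translate the destination, or drop (None) if no mapping exists."""
        if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in self.to_private:
            return None
        private_ip, private_port = self.to_private[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.payload)

    def _ftp_port_editor(self, payload):
        """Rewrite a PORT command, which names the client's private address and data
        port inside the payload, to the public address and a pre-opened public port,
        so the server's data connection back to the client can be mapped."""
        m = PORT_RE.match(payload)
        if not m:
            return payload
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        private_ip = f"{h1}.{h2}.{h3}.{h4}"
        private_port = p1 * 256 + p2
        public_port = self._map(private_ip, private_port)
        return "PORT %s,%d,%d\r\n" % (PUBLIC_IP.replace(".", ","),
                                      public_port // 256, public_port % 256)


def demo():
    nat = Nat()
    # Client 10.0.0.5 opens an FTP control connection and announces data port 1500 (5*256+220).
    control = nat.outbound(Packet("10.0.0.5", 1234, "198.51.100.7", 21, "PORT 10,0,0,5,5,220\r\n"))
    # The server connects back to the public data port; NAT maps it to the private endpoint.
    data = nat.inbound(Packet("198.51.100.7", 20, PUBLIC_IP, 40001))
    # Unsolicited inbound traffic to a port with no mapping is dropped.
    dropped = nat.inbound(Packet("198.51.100.9", 5555, PUBLIC_IP, 9999))
    return control, data, dropped


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Two simplifications are worth noting: a real translator that changes payload length must also adjust TCP sequence and acknowledgement numbers on that connection, and no editor can rewrite addresses inside a payload it cannot read, which is why NAT editors exist only for a handful of protocols and why the article lists just four.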
When combined with SecureNAT, the Simple Mail Transfer Protocol (SMTP) filter watches traffic for address validity, forbidden addresses, and Telnet and buffer overrun attacks. The HTTP/FTP filter lets Remote Winsock and SecureNAT clients benefit from cached data, even if they are not actually configured to use the HTTP or FTP application proxies. For example, if a user uses FTP to download a file via SecureNAT, the next user to download the same file will get a cached copy immediately, even though neither user was configured to use the FTP application-level proxy. Streaming media filters support the passage of Windows Media, RealAudio/Video, and Apple QuickTime protocols. The RPC/DCOM filter allows remote procedure calls (RPCs) and Distributed Component Object Model (DCOM) communications to pass through the gateway securely, opening and closing the proper ports dynamically. Users connecting Exchange clients to servers across the firewall particularly benefit from this feature.

H.323 Protocol gateway and Gatekeeper. Most firewalls (Proxy Server 2.0 included) are unable to handle NetMeeting and Voice-over-IP traffic without opening up security holes. ISA Server handles this traffic properly, making it much more feasible to do secure audio and video conferencing across the Internet.

Intrusion detection. Administrators will be able to configure ISA Server to monitor for port scans and other common types of security hacks and denial of service attacks, and to trigger alerts and other actions as needed.

Kerberos support. ISA Server will support Windows 2000 Kerberos authentication, in addition to NT LAN Manager (NTLM) authentication, when security rules require knowing the identity of the user before allowing the requested traffic.

Virtual Private Networking. Although support of VPNs is usually considered a firewall function, in Windows 2000 the VPN service is really provided by Windows 2000’s Routing and Remote Access Service (RRAS), not ISA Server.
For this reason, VPN support is outside the scope of this article. However, recent tests indicate that Windows 2000's VPN performance, scalability, and security are quite good.

Administration

Since Proxy Server 2.0 was an extension of IIS, administration was done through IIS's Internet Services Manager. Many administrators had difficulty properly configuring the system, especially when they managed multiple Proxy Servers. Microsoft made many changes to improve administration, most significantly in the following areas:

New administration interface. ISA Server has a new Microsoft Management Console–based interface consistent with the Windows 2000 administration model, and it is now completely separate from administration of IIS.

Integration with Active Directory. ISA Server simplifies configuration by letting administrators define security policies that span multiple ISA Servers. These policies can be either limited to an array of ISA Servers or applied globally to all ISA Servers in the enterprise. Once these policies are defined and stored in Active Directory, administrators can easily add more ISA Servers without having to re-create the rules on the new servers.

Wizards. ISA Server contains new wizards to guide administrators through configuration tasks. The two most significant are the Virtual Private Networking (VPN) and System Hardening Wizards. The VPN Wizard helps administrators properly set up ISA Server with Windows 2000's RRAS service on the same machine, allowing the firewall to be a termination point for PPTP and IPSec VPN tunnels from remote clients and remote office ISA Servers. The System Hardening Wizard helps administrators close security holes and backdoors by properly configuring the Windows 2000 operating system settings for use in a firewall role.

Improved logging and reporting. Like Proxy Server 2.0, ISA Server can write logs to SQL Server, but it now supports (and defaults to) the W3C Extended Log File Format.
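As an added example, not from the article and not ISA Server's own code or log layout, the Python below parses records in the W3C Extended Log File Format by reading the #Fields directive, then runs two of the analyses an administrator would want from such logs: bytes delivered per client, and a crude version of the port-scan monitoring mentioned under Intrusion detection above. The directive syntax, the c-/s-/cs-/sc- field prefixes and the "-" placeholder for an empty field follow the W3C format; the particular field set and every log line are constructed sample data.

```python
"""Parse W3C Extended Log File Format records and summarise them.

Added example, not part of the article or ISA Server. The field set and
all log lines are constructed sample data, not ISA Server's own layout.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Date: 2000-06-19 08:00:00
#Fields: date time c-ip s-ip s-port cs-method cs-uri-stem sc-status sc-bytes
2000-06-19 08:00:01 10.0.0.5 203.0.113.10 80 GET /index.html 200 4312
2000-06-19 08:00:02 10.0.0.5 203.0.113.10 80 GET /logo.gif 200 812
2000-06-19 08:00:03 10.0.0.7 203.0.113.10 80 GET /news.html 200 9933
2000-06-19 08:00:04 198.51.100.9 203.0.113.10 21 - - 0 0
2000-06-19 08:00:04 198.51.100.9 203.0.113.10 23 - - 0 0
2000-06-19 08:00:05 198.51.100.9 203.0.113.10 25 - - 0 0
2000-06-19 08:00:05 198.51.100.9 203.0.113.10 80 - - 0 0
2000-06-19 08:00:06 198.51.100.9 203.0.113.10 110 - - 0 0
2000-06-19 08:00:06 198.51.100.9 203.0.113.10 443 - - 0 0
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive.
    Lines starting with '#' are directives; a '-' value means the field was empty
    (stored as None). Quoted strings containing spaces are not handled here."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def bytes_per_client(records):
    """Total bytes the server sent to each client address (a basic traffic report)."""
    totals = Counter()
    for r in records:
        totals[r["c-ip"]] += int(r["sc-bytes"])
    return dict(totals)


def port_scan_suspects(records, threshold=5):
    """Client addresses that touched at least `threshold` distinct server ports.
    Real detectors also bound this by a time window; the sample spans seconds."""
    ports = defaultdict(set)
    for r in records:
        ports[r["c-ip"]].add(r["s-port"])
    return sorted(ip for ip, seen in ports.items() if len(seen) >= threshold)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(bytes_per_client(recs))
    print(port_scan_suspects(recs))
```

Because the parser takes its column names from the #Fields directive rather than hard-coding them, the same reporting functions work unchanged when a server is reconfigured to log a different set of fields, which is the practical benefit of a self-describing text format over a fixed binary one.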
This allows administrators to use any analysis and reporting tool that supports this industry-standard text-based log format. ISA Server comes with a set of canned traffic and security reports that can be output as HTML for viewing with a browser.

Extensible COM interfaces. ISA Server now has a set of documented Component Object Model (COM) interfaces that will help administrators automate tasks and help third parties develop add-on products.

IntelliMirror client installation. Administrators can easily create Group Policy Objects that automate the installation and configuration of the Remote Winsock client software on Windows 2000 Professional workstations.

How Competitive Is ISA Server?

Because ISA Server is a combination firewall and caching solution, it competes with dedicated products in both areas and with several other all-in-one solutions. Although Microsoft plans to market ISA Server in the enterprise arena, it is not certain that its software-only, all-in-one approach is likely to win.

Firewalls

With the addition of SecureNAT, policies, and filters, ISA Server is now a more complete firewall solution than its predecessor, Proxy Server 2.0. It offers organizations a considerable amount of functionality and flexibility for a relatively low software price. However, when TCO is factored in, the price advantage may disappear. On the high end, where high availability, high throughput, and security granularity are paramount, ISA Server faces competition from the likes of Check Point FireWall-1, Cisco PIX, Raptor Eagle, and Network Associates Gauntlet (formerly from Trusted Information Systems). On the low end, where total system cost and operational simplicity are most important, ISA Server faces competition from economical firewall hardware appliances and small routers providing firewall features. ISA Server will not be best of breed in either of these segments for the following reasons:

Availability.
On the high end, ISA Server still lacks some crucial capabilities needed by enterprise systems. Large enterprises and commercial Web sites must have firewall availability in the 99.9% or better range (including planned maintenance downtime), which mandates some form of clustering. Axent, Check Point, Cisco, and Network Associates support firewall clustering, but ISA Server cannot even take advantage of Microsoft's own Cluster Server and Network Load Balancing services. The StoneBeat firewall cluster solution used by Axent, Check Point, and Network Associates provides failover capability for even active connections, including VPN tunnels.

Throughput. Since all traffic to and from the Internet funnels through the firewall, it must not become a bottleneck. At or below T-1 speeds, most firewalls can keep up with a fully saturated WAN link. However, many firewalls cannot keep up with faster connections, especially if the firewall is also performing VPN functions. Introducing multiple firewalls handling different tasks in parallel is not a good way to scale a firewall’s throughput—it adds administrative complexity and increases the likelihood of inadvertently opening security holes. Most high-end firewall products are designed to scale to very high throughputs while maintaining a single "virtual" firewall, and StoneBeat-based cluster solutions can easily scale by adding additional nodes.

DMZ support. All high-end firewalls can support multiple network adapters and allow the creation of rules to control access to each network interface. Most large Web sites reside in "demilitarized zones" (DMZs) isolated from both internal and external networks. While ISA Server allows more than one internal interface, it doesn’t offer the access control granularity needed to properly secure a DMZ.

Security.
Check Point, Cisco, and several other vendors use an alternative to application-level proxies, termed "stateful inspection," that offers nearly the same degree of security but with much better performance. While ISA Server's application-level proxies for HTTP and FTP are very secure, communications using SecureNAT and Remote Winsock levels are theoretically vulnerable to certain types of spoofing and session hijacking. Some of the new ISA Server filters offer a form of stateful inspection for a few protocols, such as SMTP, but they offer nothing as comprehensive as the stateful inspection provided by Check Point’s FireWall-1.

Firewall appliances. For the foreseeable future, security will remain a complex task, and most small and even medium-size businesses simply do not have the budget or the staff to properly deal with the administrative overhead of a software-based firewall. An emerging breed of firewall appliances, many of which are bundled with security services, will threaten ISA Server. Cisco, Nokia, and WatchGuard offer compelling appliance-based firewalls, and WatchGuard has a complete small-office firewall appliance for under US$1,000.

Caching Devices

The market for content caching is currently experiencing annual growth of more than 100%. The hottest segment is the ISP market, but many large organizations are also building private internal caching infrastructures, especially for their remote offices. The caching market has become crowded with hardware-based solutions, including appliances from Akamai, CacheFlow, Cisco, Cobalt, InfoLibria, Inktomi, Network Appliance, Novell, and Persistence. These appliances typically run a special-purpose operating system and deliver exceptional performance while remaining simple to install and maintain. Novell has licensed its Internet Caching System (ICS) operating system to Compaq, Dell, and IBM, and recent benchmark tests show it to be the current performance leader.
Low-cost or freeware software solutions based on Linux or BSD Unix further crowd the field. Although Proxy Server 2.0 does a good job of caching static content, it has neither the simplicity nor the performance of caching appliances, and many of its competitors have already turned their attention to handling dynamic content, including Active Server Pages, Java servlets, and streaming media. ISA Server may have significantly better performance than its predecessor, but it has little chance of seriously challenging the leading caching appliances. Microsoft could develop an optimized caching appliance built on Embedded Windows 2000, sold through OEMs in a manner similar to Novell's approach. Although the market might be fairly saturated by the time it could release such a product, Microsoft might have a chance if it could add a way to cache secure content. Today, Web objects coming from secure sites do not get cached because the caching devices cannot authenticate and authorize those users. If Microsoft could develop an efficient means to do this across the Internet, it could reclaim some of the lost ISP caching market.

Combination Firewall, Cache, and VPN Servers

As noted earlier, the one sector in which Proxy Server has established significant market share is with small businesses that need a single server to provide firewall security, content caching, and possibly a VPN access point. Microsoft sees Novell's BorderManager as its primary competitor in this segment. Both BorderManager and ISA Server offer many of the same capabilities, but it really boils down to the choice of underlying operating system. ISA Server runs only on Windows 2000 and Active Directory, while BorderManager runs only on NetWare with Novell Directory Services. It is unlikely that either product offers a compelling enough reason to change the underlying server operating system, and the best-of-breed appliances described earlier threaten both solutions.
Netscape/AOL has recently decided to revive its dormant Proxy Server product through its iPlanet joint venture with Sun. Netscape’s Proxy Server will run on Windows 2000 in addition to Windows NT and many flavors of Unix, further crowding the low-end all-in-one segment.

References

For more information, see www.microsoft.com/ISAServer and www.microsoft.com/proxy.