ISA Server 2004 More Flexible, Secure
Mar. 22, 2004

Internet Security and Acceleration (ISA) Server 2004 Standard Edition, a firewall and content caching application, supports more network configuration options than its predecessor, ISA 2000, and contains incremental improvements to its overall security, virtual private network (VPN) support, administrative interface, and more. However, the product, which is now in beta and is expected to ship in mid-2004, has no provisions for selectively filtering Web services, and it also lacks support for some Voice-over-IP (VoIP) scenarios, areas particularly important to Microsoft’s broader strategy.

Firewalls Critical to Trustworthy Computing

Microsoft is attacking security on many fronts, such as discovering and fixing code vulnerabilities, removing or disabling unneeded services in its products, blocking unsafe e-mail file attachments, providing hooks for virus scanners, supporting stronger authentication methods, attacking spam, and supporting the signing and encryption of both networked and stored data.

Protecting the boundary between private networks and the Internet still remains a crucial element in the overall security equation. Firewalls—servers or appliances that inspect Internet traffic to and from corporate networks and allow it to pass only if it meets a set of rules—play a key role here. (For a review of ISA Server concepts, see the sidebar "ISA Server Firewall and Caching Technology Background".)

ISA Server is Microsoft’s primary firewall product and has matured into a sophisticated offering with most of the capabilities needed by large organizations with heterogeneous computing environments.

However, the demands placed on firewalls are increasing. VPNs, increasingly used by mobile users accessing corporate networks, can introduce security vulnerabilities if the connecting machine has been compromised. Web services and other protocols that tunnel inside of the Hypertext Transfer Protocol (HTTP), such as Exchange 2003's new RPC-over-HTTP protocol, can expose application code to the Internet while appearing to be normal Web-browsing traffic. Today’s firewalls must be able to work together with VPNs and discriminate between legitimate and illegitimate use of HTTP.

What’s New in ISA Server 2004?

Like other new server products that have completed a full development cycle since Microsoft launched its Trustworthy Computing initiative, ISA Server 2004 has undergone a full security review, the first version of the product to do so. Although it is still too early to evaluate the results, the review should reduce the likelihood of security vulnerabilities cropping up and the corresponding need to apply patches.

ISA Server 2004 is essentially an incremental upgrade to ISA Server 2000 with one major exception—multinetwork support—that involves a more substantial architectural change.

Multinetwork Support Improves Flexibility, Security

ISA Server 2004 now has the ability to fully support more than two network interfaces, which is useful when creating a perimeter network (also known as a demilitarized zone, or DMZ) that isolates Internet-accessible servers from the organization's internal network. Although a DMZ can be built by placing two firewalls in a series with the Internet-accessible servers located between them, connecting the DMZ with a third adapter on a single firewall is easier to administer, creates fewer points of potential failure, and costs less. Multinetwork support is also useful when the firewall needs to filter data communications among different branches of an organization’s network.

Although ISA Server 2000 can also support a third network adapter, this configuration has several serious shortcomings. ISA Server 2000 cannot perform network address translation (NAT) between private DMZ IP addresses and the public Internet, so the DMZ subnets have to use more costly public IP addresses. Furthermore, the firewall’s application-level proxies and dynamic packet filters cannot process or even log traffic between the Internet and the DMZ, which leaves only ISA Server’s weaker static packet filters to provide security. The end result is that the security between the Internet and the DMZ is no better than that provided by a typical router.

ISA Server 2004’s new multinetwork support makes it both more flexible and more secure. Different access policies can be applied to traffic to or from each interface’s network, administrators can configure the inspection rules to use any of ISA Server 2004’s packet filters and proxies, and private IP addresses can be used without restriction on multiple interfaces. Depending on their specific needs, administrators can decide whether to route packets or use NAT when passing data from one interface to another. Users connecting from the Internet over a VPN can also be treated as though they were on a separate interface with its own distinct access policy. (See "Multinetwork Support" for an illustration showing how multiple network interfaces can be configured.)

Additionally, ISA Server 2004 can use its dynamic packet filters and proxies to secure network communications with applications running on the firewall. In contrast, ISA Server 2000 could use only static packet filters for this task. Although a firewall should normally run only those services it absolutely needs to do its job, some services, such as backup agents and virus scanners, need higher levels of privilege and must be able to communicate with other servers without introducing a point of vulnerability. This capability will be important when ISA Server 2004 ships with Small Business Server (SBS) Premium Edition, which runs major applications (Exchange, SQL Server, SharePoint) on the firewall server.

Deeper VPN Integration

ISA Server 2004 integrates better with the VPN access functions provided by Routing and Remote Access Services (RRAS), a standard feature of Windows Server. Its predecessor, ISA Server 2000, includes wizards that make it easier to properly configure RRAS and add the appropriate packet filters to ISA Server so that VPN connections can get through the firewall. However, after that point ISA 2000 and RRAS operate independently of each other, and ISA 2000 does not log VPN connections.

With ISA 2004, in contrast, VPN-firewall integration goes much further, providing more stringent security, integrated logging, quarantine support, and more VPN tunneling options.

Stateful VPN inspection. ISA Server 2004 checks requests from VPN clients and then dynamically opens connections based on the access policy defined for users permitted to use the VPN. This further tightens security and gives administrators finer-grained control over what VPN users connecting from the Internet can reach on their networks.

Integrated logging. VPN connections to the firewall are now recorded in the ISA Server 2004 firewall log, which aids security auditing and makes it easier for administrators to troubleshoot connectivity problems.

Quarantine support. Building on technology first introduced as a new RRAS feature in Windows Server 2003, ISA Server 2004 can "quarantine" inbound VPN clients. A quarantined client computer is limited to a restricted area of an organization's network until the client meets specific security requirements. For example, clients that lack specific security patches or antivirus software might be allowed to access only the servers from which they could install those components. After the client computer configuration is determined to comply with the organization’s quarantine restrictions, standard ISA Server VPN policy is applied to the connection.

While ISA Server 2004 supports quarantining VPN users, implementing the feature is complex and requires either a third-party solution or a significant amount of custom development and integration.

IPSec Tunnel Mode. ISA Server 2004 now supports network-to-network VPNs using Internet Protocol Security (IPSec). Although ISA Server 2000 can link remote office networks over the Internet using either PPTP or L2TP, it requires ISA Server on both ends. The new version allows any device that supports IPSec tunnel mode, such as a router or third-party firewall, to establish a VPN connection to an ISA server.

Enhanced Administrator Console

The ISA team completely rewrote the Microsoft Management Console (MMC) administrative interface for ISA Server 2004, making it much more intuitive and adding many more wizards to ease configuration tasks. (For more on the new interface, see the illustration "Improved User Interface".)

In addition to being easier to use, the new interface adds new functionality. The two most important features are the real-time log viewer and the status dashboard.

Real-time log viewer. Unlike its predecessor, which logged firewall and cache activity to text files, ISA Server 2004 installs the Microsoft SQL Server Desktop Engine (MSDE) and logs the information in a database. This makes it easier for administrators to view, filter, and query the logs in real time.

However, the MSDE version included with ISA Server 2004 has a 2GB data limit (as do most MSDE versions), so customers can either let it automatically create a new database when the limit is reached or they can purchase and install the full version of SQL Server. In either case, the viewer displays and filters log content from multiple database files, so administrators do not have to select the appropriate database.

Status dashboard. The new interface has a pane that shows the health status and workload of the ISA Server components, which makes it easier for administrators to spot problems.

The ISA Server team is also working on a Microsoft Operations Manager (MOM) management pack that will allow MOM to remotely monitor the health of ISA Server computers, although it will not ship with the initial release of ISA Server 2004.

What’s Unchanged?

Other than the aforementioned introduction of multinetwork support and the addition of a kernel-mode data pump for passing known traffic, such as File Transfer Protocol (FTP), at greatly increased speeds, the basic architecture of ISA Server 2004 has changed little from that of its predecessor. Of particular note is that caching and extensibility are nearly the same as in ISA Server 2000, as follows:

Caching. ISA 2004 inherits its predecessor’s high-performance caching mechanisms with little change. Although ISA can perform both passive and active caching of static content, reducing bandwidth use while providing faster average response times to users, it still lacks the ability to cache more dynamic content types, such as streaming multimedia.

Extensibility. Microsoft and third parties offer a variety of application and Web filter extensions that can perform tasks such as intrusion detection or content filtering. However, most third-party Web and application filters written for ISA Server 2000 will require upgrading to run on ISA Server 2004.

Much Improved, but Some Limitations Remain

The 2004 release of ISA Server could allow Microsoft to join the firewall vendor big league, but it still has a few deficiencies of which prospective buyers should be aware:

No Web service XML proxy. Even though Microsoft is one of the strongest proponents of Web services, ISA Server 2004 lacks the type of XML-level Web Services inspection and filtering offered by its competitor CheckPoint. Although Web services can be permitted to pass through ISA Server via its Web proxy, administrators cannot configure it to check attributes of the XML data inside the HTTP payload. Such support would enhance the firewall’s ability to detect and block intrusions and denial-of-service attacks targeting Web services.

Microsoft claims that this is not a major need today, given that business-to-business Web services are still rare, and says it intends to offer deeper Web service inspection in a future release.

ISA Server 2004 does, however, incorporate and improve on the HTTP scanning features of ISA Server 2000 Feature Pack 1, which helps block attacks by worms such as Code Red that rely on malformed HTTP requests.
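The two points above, the HTTP-level scanning that ISA Server 2004 does perform and the XML-level Web service inspection that it does not, are easiest to see side by side. The following is an added example written for this review, not code from ISA Server or Microsoft. Part 1 applies the kind of request checks an HTTP filter performs (verb allow-list, URL length cap, blocked ISAPI extensions, non-printable URL characters), which is what stops a Code Red-style overlong request for /default.ida. Part 2 applies checks that look inside the XML payload, which is what a Web services proxy would add: a SOAPAction allow-list, rejection of DTD and entity declarations, and a nesting-depth cap. The thresholds, the SOAPAction value, the extension list and every sample request are assumptions constructed for the example.

```python
"""Application-layer HTTP inspection, as an added example (not ISA Server code).

Part 1: HTTP-level checks of the kind an HTTP filter performs.
Part 2: XML-level checks a Web services proxy would add on top.
All policy values and sample requests below are assumptions for this example.
"""
from xml.parsers import expat

MAX_URL_LEN = 260                                   # assumed policy value
ALLOWED_METHODS = {"GET", "HEAD", "POST"}           # assumed policy value
BLOCKED_EXTENSIONS = (".ida", ".idq", ".printer")   # ISAPI extensions abused by 2001-era worms
MAX_XML_DEPTH = 8                                   # assumed policy value
ALLOWED_SOAP_ACTIONS = {"urn:example:GetOrderStatus"}   # assumed service contract


class PolicyViolation(Exception):
    """Raised inside an expat handler so parsing stops at the first violation."""


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def http_checks(method, target, version):
    """Part 1: HTTP-level policy. Returns a deny reason or None."""
    if method not in ALLOWED_METHODS:
        return "deny: method not allowed"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "deny: unsupported HTTP version"
    path = target.split("?", 1)[0].lower()
    if path.endswith(BLOCKED_EXTENSIONS):          # e.g. Code Red's /default.ida request
        return "deny: blocked extension"
    if len(target) > MAX_URL_LEN:
        return "deny: URL too long"
    if any(not 0x20 < ord(c) < 0x7F for c in target):
        return "deny: non-printable character in URL"
    return None


def xml_checks(headers, body):
    """Part 2: XML-level policy for SOAP payloads. Returns a deny reason or None."""
    if "xml" not in headers.get("content-type", ""):
        return None                                  # not a Web service call
    if headers.get("soapaction", "").strip('"') not in ALLOWED_SOAP_ACTIONS:
        return "deny: SOAPAction not permitted"
    depth = [0]
    parser = expat.ParserCreate()

    def start(name, attrs):
        depth[0] += 1
        if depth[0] > MAX_XML_DEPTH:
            raise PolicyViolation("deny: XML nesting too deep")

    def end(name):
        depth[0] -= 1

    def no_dtd(*args):                               # fires for DOCTYPE and ENTITY declarations
        raise PolicyViolation("deny: DTD or entity declaration in payload")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = no_dtd          # stops before any entity is expanded
    parser.EntityDeclHandler = no_dtd
    try:
        parser.Parse(body, True)
    except PolicyViolation as v:
        return str(v)
    except expat.ExpatError:
        return "deny: payload is not well-formed XML"
    return None


def inspect(raw: bytes) -> str:
    """Verdict for one request: 'allow' or 'deny: <reason>'."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as e:
        return f"deny: {e}"
    return http_checks(method, target, version) or xml_checks(headers, body) or "allow"


# Constructed sample requests (assumptions, not captured traffic).
CODE_RED_STYLE = (b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n"
                  b"Host: www.example.com\r\n\r\n")
SOAP_HEAD = (b"POST /orders HTTP/1.1\r\nHost: ws.example.com\r\n"
             b"Content-Type: text/xml; charset=utf-8\r\n")
ENVELOPE = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>%s</s:Body></s:Envelope>'
SOAP_OK = (SOAP_HEAD + b'SOAPAction: "urn:example:GetOrderStatus"\r\n\r\n'
           + ENVELOPE % b"<GetOrderStatus><OrderId>42</OrderId></GetOrderStatus>")
SOAP_BAD_ACTION = SOAP_HEAD + b'SOAPAction: "urn:example:DeleteAllOrders"\r\n\r\n' + ENVELOPE % b"<x/>"
SOAP_DTD = (SOAP_HEAD + b'SOAPAction: "urn:example:GetOrderStatus"\r\n\r\n'
            b'<!DOCTYPE s:Envelope [<!ENTITY lol "lol">]>' + ENVELOPE % b"&lol;")
SOAP_DEEP = (SOAP_HEAD + b'SOAPAction: "urn:example:GetOrderStatus"\r\n\r\n'
             + ENVELOPE % (b"<a>" * 9 + b"</a>" * 9))

if __name__ == "__main__":
    for label, req in [("code-red", CODE_RED_STYLE), ("soap-ok", SOAP_OK),
                       ("soap-bad-action", SOAP_BAD_ACTION), ("soap-dtd", SOAP_DTD),
                       ("soap-deep", SOAP_DEEP)]:
        print(f"{label:16s} {inspect(req)}")
```

The ordering matters: HTTP-level checks run first because they are cheap and need no body parsing, and the XML checks run only for requests that claim an XML content type. Raising from inside the expat handlers, rather than setting a flag and checking it afterwards, is what keeps an entity-expansion payload from being expanded before the verdict is reached.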

No SIP application proxy. The Session Initiation Protocol (SIP) is used by Microsoft’s Live Communications Server (LCS) to exchange instant messages and presence information with other LCS servers and Windows Messenger clients. SIP is crucial to the plans of Microsoft and many other vendors to expand voice, video, and other kinds of real-time communication over Internet infrastructure. However, ISA Server 2004 lacks the SIP application-level proxy component needed to route and filter SIP-based voice and video traffic.

No IPv6 support. ISA Server 2004 does not support IPv6, the next generation of the Internet Protocol, which supports larger address spaces, more dynamic configuration, and many other features. The company feels that the product team will have time to release an IPv6-compatible successor to ISA Server 2004 long before there is any significant demand for the feature, especially given the fact that almost no ISPs offer IPv6 today. However, Windows XP and Windows Server 2003 already include IPv6 support, and IPv6 firewall support is already offered by rival CheckPoint. Some organizations have already begun testing with it, so demand may start to come soon in some segments, especially from Asia, where the shortage of IPv4 addresses is particularly acute.

No bandwidth-allocation controls. With ISA Server 2004, administrators cannot grant certain protocols more bandwidth than others. Since the connection to the Internet is a common bottleneck, the lack of this feature means that casual Internet use, such as internal users listening to streaming media from the Internet, could degrade more vital business communications. It also means that real-time communication protocols, particularly Voice-over-IP, could be disrupted by other less latency-sensitive traffic.

Enterprise Edition Coming

ISA Server 2000 was released in two editions, Standard and Enterprise. The most important difference between the two editions is the Enterprise Edition's support for centrally configured firewall arrays, which improve availability by ensuring that traffic continues to flow even if individual firewall servers fail or are taken offline for service. ISA 2000 Enterprise also simplifies configuration by letting administrators define security policies in Active Directory that span multiple ISA Servers, which could be parts of an array or located in different sites within the organization. ISA 2000 Enterprise can also support up to 32 processors (on Windows 2000 or Windows 2003 Datacenter Server), while Standard supports only four processors per server.

The current ISA Server 2004 beta is for the Standard Edition, and Microsoft has not even announced the feature set of ISA Server 2004 Enterprise Edition. The company plans to release a new ISA Server 2004 Enterprise Edition later, and its positioning and general features will be in line with those of the current release. Most current ISA Server 2000 Enterprise Edition customers will want to hold out for the new ISA Server 2004 Enterprise Edition.

Although the Enterprise Edition provides better firewall availability, most customers who simply need high capacity may not need to wait for it. Relatively few enterprises have Internet connections exceeding the bandwidth of a T-3 (45Mbps, which is substantially less than that of the typical 1Gbps Ethernet corporate backbone), and even the largest users rarely exceed that of an OC-12 (622Mbps). Since ISA Server 2000’s raw throughput can exceed 1.5Gbps, a single Standard Edition ISA Server can do the job in most firewall situations.

Availability and Resources

ISA Server 2004 runs either on Windows 2000 Server with at least Service Pack 4 and Internet Explorer 6 or on Windows Server 2003, and both editions will support in-place migrations from their respective ISA Server 2000 counterparts. The Standard Edition will ship in mid-2004 and will be available in English, German, French, Japanese, Spanish, and standard and traditional Chinese versions. The Enterprise Edition is due out toward the end of 2004.

Microsoft is also in negotiations with several hardware vendors interested in building ISA Server 2004-based firewall appliances.

The ISA Server 2004 beta and additional information about the product is at www.microsoft.com/isaserver/beta.

More background on ISA Server 2000 can be found in "ISA Server Steps onto Internet" on page 11 of the Apr. 2001 Update and "Comet Becomes Internet Security and Acceleration Server 2000" on page 9 of the July 2000 Update.