In-Depth

ISA 2004 Passes the Test

Early adopters laud GUI, VPN and administration features.

Firewalls generally require lots of low-level tinkering, but with Internet Security and Acceleration (ISA) Server 2004 Standard Edition, Microsoft promises to eliminate much of this—at least with respect to how it works with its own applications like Exchange Server, Internet Information Server and SharePoint Portal Server.

ISA Server 2004, released in July, is Microsoft's long-awaited follow-up to its ISA Server 2000. Like other firewall offerings, it's designed to keep the bad guys out and let the good guys through. Unlike other firewall offerings, however, ISA Server's added value is premised on its tight integration with the rest of Microsoft's technology stack.

To be fair, a full assessment of ISA Server 2004 must include the Enterprise Edition, which boasts load-balancing and high-availability features, and is expected later this year. That caveat aside, the users we heard from say that ISA Server 2004 Standard Edition has most of the security features they've asked for—including better support for application-layer filtering, improved ease-of-use and significantly enhanced VPN support.

ISA Server 2004 Standard Edition

$1,499 per processor
Microsoft Corp.
800-426-9400
www.microsoft.com

Only the Good Get Through
You can count Craig Nelson, director of IT infrastructure and applications with systems integrator Avanade Inc., as one satisfied user. Nelson has deployed ISA Server 2004 to support more than 1,000 users. While he cites a number of improvements in the revamped version, he particularly appreciates its new deny-everything-by-default security model, and says its improved support for application-layer filtering helps make it more secure than any other product in its price range.

"A lot of the peer-to-peer applications that ride over HTTP are identifiable in one way or another in the data stream," says Nelson. "You can easily inspect that in ISA, and I can't imagine too many protocols that you cannot write a filter for."

Figure 1. ISA Server 2004 provides five network templates that correspond to several commonly used network topologies.

Frederic Esnouf, an ISA Most Valuable Professional, independent consultant and veteran of the Walt Disney Co., would agree. Esnouf, who has rolled out ISA Server 2004 at two international client sites, says that many organizations tap premium firewall offerings from Check Point Software and other best-of-breed vendors to support application-layer filtering. Now that Layer 7 filtering is available in ISA Server 2004, he says, customers get this functionality for a fraction of the price. "Now ISA 2004 can analyze the protocols and make a decision about whether or not to open the port," he explains.

Bruno Guerpillon, an ISA administrator with AFIB, a Microsoft systems integrator based in France, says users typically found all manner of ways to defeat ISA Server 2000's application blocking capabilities. Not so in ISA Server 2004, he says.

"Blocking apps in ISA 2000 was a pain in the rear," he declares. "Look at P2P apps for example: Users could change the .EXE name, so the firewall client configuration was useless, or change the port used by the application so any protocol rules we created were useless," he says. "Now with ISA 2004 and its filtering, blocking apps is such a dream. Simply put a rule to block an application signature and the job is done."
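The two ideas the users above describe, a deny-everything-by-default rule base and an application-layer filter that recognizes an application by its signature in the HTTP stream rather than by port or executable name, can be modelled in a few dozen lines. The following is an added example written for this article, not ISA Server code: the rule format, the two signatures and the sample requests are all constructed for illustration, and the `http_filter` function only checks the request method and header signatures, a small subset of what a real Layer 7 filter inspects.

```python
"""Toy model of a deny-by-default firewall policy with an HTTP application filter.

Added example, not ISA Server code. Rule format, signature list and sample
requests are constructed for illustration."""
from dataclasses import dataclass
import re


@dataclass
class Request:
    src_net: str        # network the packet came from, e.g. "Internal"
    dst_net: str        # network it is headed to, e.g. "External"
    protocol: str       # protocol as identified by the firewall, e.g. "HTTP"
    port: int
    raw: bytes = b""    # application-layer payload, if any was captured


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src_nets: set
    dst_nets: set
    protocols: set
    http_filter: bool = False   # run application-layer checks before allowing HTTP


# Constructed signatures: each matches a header fragment that identifies an
# application riding over HTTP. The names are hypothetical, not real products.
HTTP_SIGNATURES = [
    ("hypothetical-p2p-client", re.compile(rb"^User-Agent:\s*ExampleP2P/", re.M | re.I)),
    ("hypothetical-tunnel-header", re.compile(rb"^X-Tunnel-Proto:", re.M | re.I)),
]
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}


def http_filter(raw):
    """Return None if the HTTP request passes, else the reason it is blocked."""
    head, _, _ = raw.partition(b"\r\n\r\n")          # headers only; body ignored here
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "malformed request line"
    if parts[0] not in ALLOWED_METHODS:
        return "method %s not allowed" % parts[0].decode(errors="replace")
    for name, pattern in HTTP_SIGNATURES:
        if pattern.search(head):
            return "signature " + name
    return None


def evaluate(rules, req):
    """First matching rule wins; if nothing matches, the default rule denies."""
    for rule in rules:
        if (req.src_net in rule.src_nets and req.dst_net in rule.dst_nets
                and req.protocol in rule.protocols):
            if rule.action == "allow" and rule.http_filter and req.protocol == "HTTP":
                reason = http_filter(req.raw)
                if reason:
                    # The allow rule matched, but the Layer 7 filter vetoed it.
                    return ("deny", rule.name + ": " + reason)
            return (rule.action, rule.name)
    return ("deny", "default rule")


# Constructed policy: only web and DNS leave the internal network; everything
# else (including anything inbound) falls through to the default deny.
POLICY = [
    Rule("Allow web out", "allow", {"Internal"}, {"External"}, {"HTTP", "HTTPS"}, http_filter=True),
    Rule("Allow DNS out", "allow", {"Internal"}, {"External"}, {"DNS"}),
]

if __name__ == "__main__":
    samples = [
        Request("Internal", "External", "HTTP", 80,
                b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        # Same client moved to port 8080: the port change does not help it.
        Request("Internal", "External", "HTTP", 8080,
                b"GET /announce HTTP/1.1\r\nHost: tracker.example\r\nUser-Agent: ExampleP2P/1.0\r\n\r\n"),
        Request("Internal", "External", "SMTP", 25),
        Request("External", "Internal", "HTTP", 80, b"GET / HTTP/1.1\r\n\r\n"),
    ]
    for req in samples:
        print(req.protocol, req.src_net, "->", req.dst_net, ":", evaluate(POLICY, req))
```

The point of the second sample request is the one Guerpillon makes: because the filter keys on the request headers, renaming the executable or moving the client to another port leaves the block in place, whereas a port-based protocol rule would have let it through.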

Figure 2. Simple wizards guide administrators through setting up site-to-site VPN connections, making it fast and easy to securely connect distant parts of your organization.

Easier Out of the Box
For ISA Server 2004, Microsoft effectively rebuilt the user interface from scratch, consolidating features and functions and simplifying many onerous tasks. ISA's firewall policy editor is completely rebuilt, for starters, and there are new Getting Started and Network Template Wizards.

"With ISA 2000, it always seemed difficult to get things done," says Wayne Taylor, an ISA administrator with computer reseller and integrator Parity Computers ICT. "The new GUI is easier to understand, and it's easier to get things done. I really like Microsoft's approach to locking everything down out of the box—then you only have to allow or open what you require. It makes for fewer mistakes."

The new Getting Started Wizard brings a point-and-click process to tasks like configuring client address sets; creating firewall, Web routing, packet filter, protocol and other rules; applying server security; and configuring firewall and Web proxy clients. The result, users say, is an ISA management environment that's far easier to navigate and use effectively. "Consolidating policy elements, site and content, protocol rules, and packet filters into one generic set of firewall rules is a major improvement in setup time," says Jack Peacock, an ISA administrator with SIMCO, a Las Vegas-based systems integrator.

Another ease-of-use enhancement is the new Network Template Wizard, which lets users rapidly publish ISA rules to their networks. In this respect, says Roger Crawford, a senior network engineer with Microsoft integrator Heartland Technology Solutions, the new version is a quantum improvement. "It took us probably a week to get ISA 2000 the way we wanted it when we first implemented it here, and it took me about two hours to get ISA 2004 to do what we wanted it to do," he says.

The Network Template Wizard provides out-of-the-box support for several common network topologies—such as 3-leg DMZ, VPN-to-VPN and two-leg firewalls. While larger shops will almost certainly opt to customize their ISA Server environments, Avanade's Nelson believes the Network Template Wizard makes ISA Server 2004 an almost turnkey proposition for small and even some medium-sized IT organizations. "If your network is based on a 3-leg DMZ or the two-leg firewall, it's absolutely sufficient. If you want to get into the more advanced configurations, certainly you'll have to do more stuff, but the bulk of firewalls are 3-leg DMZs, VPN-to-VPN or two-leg firewalls."

Administrative Improvements
On the whole, early adopters say ISA Server 2004's ease-of-use enhancements have eliminated many of the biggest pain points associated with administration in the ISA Server 2000 environment.

Edward Forgacs, an ISA administrator with Quantum Software Solutions, an Australia-based developer of custom software solutions for Windows systems, says ISA Server 2004's new management interface brings a one-click approach—thanks to a new "Apply" button—to many changes that once required him to manually restart services. One upshot of this, he says, is that ISA Server 2004 is more available than its predecessor. "We had issues where settings refused to apply and we were constantly rebooting the machine," he says.

Ditto for B.J. Daniels, director of technology with The Gunnery, a co-educational college prep school based in Connecticut. Daniels is quite taken with ISA Server's augmented system and network monitoring capabilities. For example, the new version includes a dashboard interface that gives users a quick summary of sessions, alerts, services and connectivity.

Figure 3. Comprehensive HTTP filtering and signature scanning capabilities make it easy to block unwanted or dangerous network traffic, including rogue applications like file trading.

Integrated VPN
ISA Server 2004 includes a fully integrated VPN mechanism that's based on functionality built into Windows 2000 and Windows Server 2003. One upshot of that, some users say, is that ISA Server 2004 ships with one of the most standards-compliant VPN solutions available from any major vendor today.

"User VPNs have all evolved into vendor proprietary systems based on standards, and a lot of them implement extensions to IPsec that were explicitly denied by the IETF," notes Avanade's Nelson, who says Microsoft's implementation of both the Layer 2 Tunneling Protocol and Network Address Translation-Traversal seem for the most part up to spec. "It feels good that Microsoft decided to have an easy user experience embedded in the operating system on a standards track protocol," he says.

One eagerly anticipated enhancement in ISA Server 2004 is support for IPsec tunneling, which finally lets organizations deploy site-to-site VPNs. Even though the revamped ISA Server has only been available for a few months, some users—like systems integrator Avanade—have already used this feature to reduce or eliminate their dependence on third-party offerings. "We basically wanted to have more cache performance between sites that were hooked together with an IPsec VPN," says Nelson. "We were using another IPsec VPN solution to do this, because ISA 2000 wasn't conducive to having an operationally viable IPsec site-to-site VPN."

For the most part, users say, it's a lot easier to configure VPNs in ISA Server 2004 than in other firewall offerings—including its predecessor. Avanade's Nelson, for example, says that configuring site-to-site VPNs is "absolutely easy," while several other users lauded the revamped ISA Server's drastically simplified VPN client configuration.

"The VPN configuration is basically a single .EXE file that the user installs on their computer," says Heartland's Crawford, who notes that in a few clicks, you can configure most client systems for an ISA VPN. As a result, he says, at least one of Heartland's clients—Montgomery County Memorial Hospital, in Red Oak, Iowa—was able to reduce its VPN support costs.

The new ISA Server also supports firewall must-haves like stateful packet filtering and inspection for all site-to-site VPN connections. When used with Windows Server 2003, ISA Server 2004 can use the new VPN Quarantine feature, which vets client systems to ensure they meet corporate security policies before giving them access to a network. It's by no means a new idea—third-party offerings of this kind abound—but the fact is customers will opt for integrated functionality over point solutions in most cases.

Heartland's Crawford, for example, says VPN Quarantine was one of the two features that sealed the deal in ISA Server 2004's favor for Montgomery County Hospital. "The VPN setup was taking way too long, of course, but the other real driver was the ability to do the VPN Quarantine-type scenario, where they were actually able to make sure that the clients coming in were at some level of protection before they connected to the network," he says.

Crawford isn't the only ISA user who says Quarantine Control is a to-die-for addition to ISA Server. Milos Puchta, an IT technical manager with the Czech Technical University of Prague, says his organization has tapped an ISA Server 2004 VPN to help provide secure access to laboratory data. In this respect, he says, "the new … VPN [features] and the Quarantine Control are most welcome."
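What VPN Quarantine adds, as described above, is a gate between "connected" and "on the network": the client is held in a restricted network until a posture check passes, and dropped if it never does. The following is an added example written for this article, not ISA Server or Windows code, that models that decision. The posture fields, policy thresholds and sample clients are constructed; the two network names are the ones ISA Server 2004 uses for its VPN client networks, and what a quarantined client is allowed to reach is assumed to be handled by separate firewall rules not shown here.

```python
"""Toy model of the VPN Quarantine decision: a remote client is placed in a
restricted network until its posture check passes, and dropped if it never
does. Added example, not ISA Server or Windows code; policy values and sample
clients are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed reference date for the sample posture reports below.
REFERENCE_DAY = date(2004, 9, 1)


def days_before(n):
    """Date n days before REFERENCE_DAY (used to build sample postures)."""
    return REFERENCE_DAY - timedelta(days=n)


@dataclass
class ClientPosture:
    av_signature_date: date          # when the client last updated AV signatures
    firewall_enabled: bool           # host firewall state reported by the client
    missing_critical_patches: int    # count reported by the client's patch agent
    seconds_in_quarantine: int = 0   # how long this session has sat in quarantine


@dataclass
class QuarantinePolicy:
    max_signature_age_days: int = 7
    require_host_firewall: bool = True
    max_missing_patches: int = 0
    quarantine_timeout: int = 300    # seconds before a non-compliant client is dropped


def posture_failures(posture, policy, today):
    """List every policy requirement the client does not meet (empty = compliant)."""
    failures = []
    age = (today - posture.av_signature_date).days
    if age > policy.max_signature_age_days:
        failures.append("antivirus signatures are %d days old" % age)
    if policy.require_host_firewall and not posture.firewall_enabled:
        failures.append("host firewall disabled")
    if posture.missing_critical_patches > policy.max_missing_patches:
        failures.append("%d critical patches missing" % posture.missing_critical_patches)
    return failures


def decide_network(posture, policy, today=REFERENCE_DAY):
    """Return (network the client is placed in, reasons).

    "VPN Clients" and "Quarantined VPN Clients" are the names ISA Server 2004
    uses for its two VPN client networks; access rules are written against
    those networks, so a quarantined client only reaches what a separate
    rule (assumed, not shown) grants to the quarantine network.
    """
    failures = posture_failures(posture, policy, today)
    if not failures:
        return ("VPN Clients", [])
    if posture.seconds_in_quarantine >= policy.quarantine_timeout:
        # The client never remediated: end the session rather than hold it open.
        return ("disconnect", failures + ["quarantine timeout reached"])
    return ("Quarantined VPN Clients", failures)


if __name__ == "__main__":
    samples = {
        "patched laptop": ClientPosture(days_before(1), True, 0),
        "stale laptop": ClientPosture(days_before(30), False, 2),
        "stale, timed out": ClientPosture(days_before(30), False, 2, seconds_in_quarantine=600),
    }
    for label, posture in samples.items():
        network, reasons = decide_network(posture, QuarantinePolicy())
        print("%-18s -> %s %s" % (label, network, reasons))
```

The timeout is the detail worth noticing: without it, a client that fails the check simply sits in the quarantine network indefinitely, holding a VPN session and whatever the quarantine rules allow it to reach.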

Staffing Stays Stable
Most users say they're using the same level of staff resources to administer ISA Server 2004 as they did for its predecessor. "We don't actually have a dedicated network administrator—we are a small software development company—but our staffing needs have not changed as a result of the upgrade," confirms Forgacs, explaining that a pair of developers typically takes care of the ISA Server 2004 administration in his shop.

Some users say the original ISA Server product lets them repurpose IT staff members, and a few expect more of the same from ISA Server 2004. "Since we have the advantage of building the networks from scratch for customers, we have full remote maintenance built in, which has drastically reduced our staff," says Peacock.

On the whole, users are excited by the promise of ISA Server 2004. Given the laundry list of new enhancements—a completely redesigned UI, better interoperability with Microsoft applications and enhanced VPN support—users say ISA Server 2004 is a more than worthy successor to ISA Server 2000.
