Get in the Security Door with ISA

With Deep Ties to Microsoft apps and a bevy of functions you can make a solid case for ISA Server 2004.

• By Doug Barney
• July 01, 2005

The words Microsoft Internet Security and Acceleration Server 2004 don't exactly roll off the tongue, which is why anyone who is anyone in security simply calls it ISA, ISA Server or maybe ISA 2004.

But the long version of the name does indicate what the product is all about—it acts as an application-layer firewall (while also performing stateful and packet-level filtering) and improves Web performance through caching and by acting as aproxy server.

Layer 7 application filtering is perhaps ISA Server 2004's most dramatic feature. It lets IT block downloads, sidestep peer-to-peer file sharing, be on the look-out for worms and viruses that attack at the application layer and even block spam. It can also block application-layer attacks like the notorious and destructive Nimda and Code Red.

On the Web acceleration side, customers can configure ISA 2004 as a central cache for an entire small company, department or site. Where Layer 7 filtering slows down the network, central caching can speed Web performance. And customers report that ISA 2004's vastly improved interface makes it a breeze to configure.

Microsoft Internet Security and Acceleration Server 2004 Release: Standard Edition shipped July 2004, Enterprise Edition shipped March 2005 Base Price: $1,499 per CPU for Standard Edition; $5,999 for Enterprise Edition Microsoft.com/IsaServer

Finally, ISA can be used in place of a dedicated virtual private network (VPN) application or appliance, and takes advantage of the free VPN client already built into Windows. The VPN also works with Outlook Web Access (OWA) and can protect remote OWA users' mail.

Microsoft claims that ISA 2004 outperforms other firewalls by a considerable margin. It can filter at 1.59 Gbps, while its closest performance competitor Check Point clocks in at 350 Mbps, according to Microsoft's own competitive analysis.

ISA 2004 really shines when it runs in conjunction with—surprise, surprise—other Microsoft applications, including SharePoint Portal Server, Exchange and IIS. ISA uses Active Directory for authentication and is compatible with Group Policy.

For heavyweight applications, opt for ISA 2004 Enterprise Edition, which boasts Network Load Balancing along with centralized administration and monitoring, enabling a central IT group to manage remote systems.

ISA 2004's security model takes a page from the Windows Server 2003 playbook in that features are turned off by default, and thus can't be exploited, and IT only turns on what it needs. Similarly, ISA blocks all traffic out of the box, only allowing what the IT administrator tells it to.

And by directly supporting the Windows VPN client, ISA can create Penlight out of the box, without the cost of dedicated VPN clients and with an unlimited number of sessions.

Market Positioning
Microsoft, mindful of the success of Check Point and Cisco with PIX, is putting its considerable weight behind ISA, and that means it provides plenty of resources to help you position and sell the tool.

A quick stroll of the Microsoft Web site reveals a wealth of materials to help you position ISA and answer technical questions, right down to scripts for telemarketing. You'll find Word docs and PDFs that position ISA against the competition, detail the appliance options and explain application-layer security.

Microsoft is serious about ISA, though not as aggressive as its mega-million dollar XP ad campaign. For instance, ISA's PR team has been relentless in getting the word out to the press (they've met with us twice in the last year).

Microsoft argues that ISA 2004 offers more features, better performance and ease of use, and tighter integration with Windows apps than anything else on the market. But let's face it, CheckPoint, Cisco and SonicWALL all have more experience and far better visibility in the firewall space.

Spotlight Highlights Key Features Application-Layer Firewall Web Caching VPN Integrates tightly with Windows Server, Exchange and other key Microsoft server applications Competitors Cisco PIX 515E Check Point NG/Nokia 350 Symantec 5420 NetScreen-50 SonicWALL Pro 230 Opportunity Assessment Good choice for smaller shops with immature firewall implementations More easily sold to Windows shops because of its integration capabilities Uphill fight against Cisco, Check Point and others with strong established firewall reputations—especially when approaching large enterprises

Many competing products are based on proprietary operating systems, or, in some cases, Linux. Proprietary operating systems, one could argue, are harder to manage and integrate, while Linux is more complex and can be tougher to support with so many distributions.

To make these arguments stick, though, you've got to do your homework, because Microsoft is simply not known as a firewall company. According to market researchers at International Data Corp. in Framingham, Mass., ISA 2004 has about 10 percent of the firewall market, while Check Point commands 45 percent.

You may hear complaints that Microsoft is new to the firewall market. This is partly true in comparison to the likes of Check Point, but Microsoft has been in the firewall game with ISA for half a decade. And who knows more about Windows Server and core Windows Server System applications than Microsoft?

Some partners and reviewers also complain about ISA's lack of integration with the lower-end Small Business Server. This is a shame, as many small business customers lack a proper firewall, never mind a layered defense.

Licensing
The good news is that ISA 2004 is relatively inexpensive. Standard Edition costs $1,499 per CPU and needs no client licenses (because Windows comes with a VPN client), while Enterprise Edition costs $5,999.

A key economic benefit is the array of features such as caching and a VPN client that users would otherwise have to buy piecemeal, at greater expense.

Customers can buy ISA 2004 in a variety of ways. Small first-time customers can nab a retail version or an OEM product and then add services like installation,configuration and management on top. This is not the ideal customer, however.

You can lead larger customers that are buying five or more licenses to Open Business, where they'll get sophisticated license management and the flexibility to move the software from one machine to another.

Better yet is Open Value, or even a subscription program, with annual payments and the benefits of Software Assurance (SA) built in (for more on SA and how to get the most value for your customers' investments, see "Selling—and Profiting—from SA").

Quick Tip To ease the sale and installation of ISA Server 2004, consider ISA-based appliances offered by Network Engines and other vendors.

Who Needs ISA?
ISA is not for every shop, so take careful aim. Hot prospects include companies with remote employees, firms with partners that need to connect, or outfits with branch offices. In all three scenarios, ISA offers secure remote e-mail access, the ability for branch offices to connect to headquarters, and secure access to core applications over the Internet.

And, of course, those with ISA 2000 are immediate upgrade prospects.

Smaller shops could use ISA on the perimeter as their basic firewall defense, and take advantage of its other features.

For larger shops with multiple firewalls installed, Microsoft suggests using ISA as an application gateway, or as an extra firewall or set of firewalls to set up a DMZ.

Engaging a customer in a discussion of ISA 2004 is by definition a discussion of security. Guide them toward building a richer, defense-in-depth infrastructure, where they can layer anti-everything—spam, virus, spyware—on top of a good multi-tier firewall and intrusion detection system (IDS).

And because ISA 2004 natively supports key Microsoft apps, the ISA discussion is a perfect time to position tools like Exchange 2003—which is far more secure than previous versions—and IIS, for which ISA 2004 can improve performance and security.

Added Value
A range of third-party tools can also add value to ISA, including anti-virus, IDS, instant-messaging filtering and load balancing from vendors such as RSA Security, McAfee and SurfControl.

While still a relatively new area for Microsoft, ISA 2004 gives partners an opportunity to install a Windows-centric solution, which can be the start of a deeper, longer security relationship.