Get in the Security Door with ISA
With deep ties to Microsoft apps and a bevy of functions, you can make a solid case for ISA Server 2004.
- By Doug Barney
- July 01, 2005
The words Microsoft Internet Security and Acceleration Server 2004
don't exactly roll off the tongue, which is why anyone who is anyone
in security simply calls it ISA, ISA Server or maybe ISA 2004.
But the long version of the name does indicate what the product
is all about—it acts as an application-layer firewall (while
also performing stateful and packet-level filtering) and improves
Web performance through caching and by acting as a proxy server.
Layer 7 application filtering is perhaps ISA Server 2004's most
dramatic feature. It lets IT block downloads, sidestep peer-to-peer
file sharing, be on the lookout for worms and viruses that attack
at the application layer and even block spam. It can also block
application-layer attacks like the notorious and destructive Nimda
and Code Red.
On the Web acceleration side, customers can configure ISA 2004
as a central cache for an entire small company, department or site.
Where Layer 7 filtering slows down the network, central caching
can speed Web performance. And customers report that ISA 2004's
vastly improved interface makes it a breeze to configure.
Microsoft Internet Security and Acceleration Server 2004
Release: Standard Edition shipped July 2004, Enterprise Edition shipped March 2005
Base Price: $1,499 per CPU for Standard Edition; $5,999 for Enterprise Edition
Finally, ISA can be used in place of a dedicated virtual private
network (VPN) application or appliance, and takes advantage of the
free VPN client already built into Windows. The VPN also works with
Outlook Web Access (OWA) and can protect remote OWA users' mail.
Microsoft claims that ISA 2004 outperforms other firewalls by a
considerable margin. It can filter at 1.59 Gbps, while its closest
performance competitor Check Point clocks in at 350 Mbps, according
to Microsoft's own competitive analysis.
ISA 2004 really shines when it runs in conjunction with—surprise,
surprise—other Microsoft applications, including SharePoint
Portal Server, Exchange and IIS. ISA uses Active Directory for authentication
and is compatible with Group Policy.
For heavyweight applications, opt for ISA 2004 Enterprise Edition,
which boasts Network Load Balancing along with centralized administration
and monitoring, enabling a central IT group to manage remote systems.
ISA 2004's security model takes a page from the Windows Server
2003 playbook in that features are turned off by default, and thus
can't be exploited, and IT only turns on what it needs. Similarly,
ISA blocks all traffic out of the box, only allowing what the IT
administrator tells it to.
And by directly supporting the Windows VPN client, ISA can create
VPNs out of the box, without the cost of dedicated VPN clients
and with an unlimited number of sessions.
Microsoft, mindful of the success of Check Point and Cisco with
PIX, is putting its considerable weight behind ISA, and that means
it provides plenty of resources to help you position and sell the
A quick stroll through the Microsoft Web site reveals a wealth of materials
to help you position ISA and answer technical questions, right down
to scripts for telemarketing. You'll find Word docs and PDFs that
position ISA against the competition, detail the appliance options
and explain application-layer security.
Microsoft is serious about ISA, though not as aggressive as with its
mega-million-dollar XP ad campaign. For instance, ISA's PR team
has been relentless in getting the word out to the press (they've
met with us twice in the last year).
Microsoft argues that ISA 2004 offers more features, better performance
and ease of use, and tighter integration with Windows apps than
anything else on the market. But let's face it, Check Point, Cisco
and SonicWALL all have more experience and far better visibility
in the firewall space.
- Application-Layer Firewall
- Web Caching
- Integrates tightly with Windows Server, Exchange and other key Microsoft server applications
- Cisco PIX 515E
- Check Point NG/Nokia 350
- Symantec 5420
- SonicWALL Pro 230
- Good choice for smaller shops with immature firewall implementations
- More easily sold to Windows shops because of its integration capabilities
- Uphill fight against Cisco, Check Point and others with strong established firewall reputations—especially when approaching large enterprises
Many competing products are based on proprietary operating systems,
or, in some cases, Linux. Proprietary operating systems, one could
argue, are harder to manage and integrate, while Linux is more complex
and can be tougher to support with so many distributions.
To make these arguments stick, though, you've got to do your homework,
because Microsoft is simply not known as a firewall company. According
to market researchers at International Data Corp. in Framingham,
Mass., ISA 2004 has about 10 percent of the firewall market, while
Check Point commands 45 percent.
You may hear complaints that Microsoft is new to the firewall market.
This is partly true in comparison to the likes of Check Point, but
Microsoft has been in the firewall game with ISA for half a decade.
And who knows more about Windows Server and core Windows Server
System applications than Microsoft?
Some partners and reviewers also complain about ISA's lack of integration
with the lower-end Small Business Server. This is a shame, as many
small business customers lack a proper firewall, never mind a layered
The good news is that ISA 2004 is relatively inexpensive. Standard
Edition costs $1,499 per CPU and needs no client licenses (because
Windows comes with a VPN client), while Enterprise Edition costs
A key economic benefit is the array of features such as caching
and a VPN client that users would otherwise have to buy piecemeal,
at greater expense.
Customers can buy ISA 2004 in a variety of ways. Small first-time
customers can nab a retail version or an OEM product and then add
services like installation, configuration and management on top.
This is not the ideal customer, however.
You can lead larger customers that are buying five or more licenses
to Open Business, where they'll get sophisticated license management
and the flexibility to move the software from one machine to another.
Better yet is Open Value, or even a subscription program, with
annual payments and the benefits of Software Assurance (SA) built
in (for more on SA and how to get the most value for your customers'
investments, see "Selling—and Profiting—from SA").
To ease the sale and installation of ISA Server 2004, consider ISA-based appliances offered by Network Engines and other vendors.
Who Needs ISA?
ISA is not for every shop, so take careful aim. Hot prospects include
companies with remote employees, firms with partners that need to
connect, or outfits with branch offices. In all three scenarios,
ISA offers secure remote e-mail access, the ability for branch offices
to connect to headquarters, and secure access to core applications
over the Internet.
And, of course, those with ISA 2000 are immediate upgrade prospects.
Smaller shops could use ISA on the perimeter as their basic firewall
defense, and take advantage of its other features.
For larger shops with multiple firewalls installed, Microsoft suggests
using ISA as an application gateway, or as an extra firewall or
set of firewalls to set up a DMZ.
Engaging a customer in a discussion of ISA 2004 is by definition
a discussion of security. Guide them toward building a richer, defense-in-depth
infrastructure, where they can layer anti-everything—spam,
virus, spyware—on top of a good multi-tier firewall and intrusion
detection system (IDS).
And because ISA 2004 natively supports key Microsoft apps, the
ISA discussion is a perfect time to position tools like Exchange
2003—which is far more secure than previous versions—and
IIS, for which ISA 2004 can improve performance and security.
A range of third-party tools can also add value to ISA, including
anti-virus, IDS, instant-messaging filtering and load balancing
from vendors such as RSA Security, McAfee and SurfControl.
While still a relatively new area for Microsoft, ISA 2004 gives
partners an opportunity to install a Windows-centric solution, which
can be the start of a deeper, longer security relationship.