لطفا منتظر باشید ...
Detailing Deployment Strategies with ISA Server 2004
What makes ISA Server stand out as a product is its versatility and capability to play the part of multiple roles in an environment. In addition to the capability to be deployed as a fully functional Application-layer firewall, ISA can also provide web caching, Virtual Private Network support, reverse proxy, and combinations of any of them. It is subsequently important to understand all the potential deployment scenarios for ISA when considering the product for deployment.
Deploying ISA Server 2004 as an Advanced Application-Layer Inspection Firewall
ISA Server 2004 was designed as a full-function firewall that provides for the type of functionality expected out of any other firewall device. At a base level, ISA enables you to block Internet traffic from using a specific port, such as the RPC or FTP ports, to access internal resources. This type of filtering, done by traditional firewalls as well, provides for filtering of Internet Protocol (IP) traffic at the Network layer (Layer 3). The difference between ISA and most other firewalls, however, comes with its capabilities to filter IP traffic at the more complex Application layer (Layer 7). This functionality enables an ISA firewall to intelligently determine whether or not IP traffic contains dangerous payloads, for example.
Because of the advanced IP filtering capabilities of ISA, it is becoming more common to see small to mid-sized organizations deploying ISA Server 2004 as a full-fledged edge firewall, similar to what is shown in Figure 1.3. ISA Server 2004 has passed many of the security tests that have been thrown at it, and it has proven to have firewall functionality beyond many of the more common firewall products on the market today.
Figure 1.3. Deploying ISA Server 2004 as a firewall.
Chapter 5.
Securing Applications with ISA Server 2004's Reverse Proxy Capabilities
Although ISA Server 2004 is marketed as an edge firewall, it is more common in organizations, particularly in mid-sized and larger ones, to see it deployed strictly for reverse-proxy capabilities. This functionality enables ISA to protect internal web and other application resources from external threats by acting as a bastion host.Part III.
Accelerating Internet Access with ISA Server 2004's Web Caching Component
The original function of ISA Server when it was still known as Proxy Server was to act as a simple web proxy for client web traffic. This functionality is still available in ISA Server, even as the focus has been directed more to the system's firewall and VPN capabilities. By enabling the caching service on an ISA Server, many organizations have realized improved access times for web and FTP services, while effectively increasing the available bandwidth of the Internet connection at the same time.
The concept of web and FTP caching in ISA Server 2004 is fairly straightforward. All clients configured to use ISA for caching send their requests for web pages through the ISA server, similar to what is shown in Figure 1.4. If it is the first time that particular page has been opened, the ISA server then goes out to the Internet, downloads the content requested, then serves it back to the client, while at the same time keeping a local copy of the text, images, and other HTTP or FTP content. If another client on the network requests the same page, the caching mechanism delivers the local copy of the page to the user instead of going back to the Internet. This greatly speeds up access to web pages and improves the responsiveness of an Internet connection.
Figure 1.4. Deploying ISA Server 2004 as a web caching server.
Chapter 8.
Controlling and Managing Client Access to Company Resources with Virtual Private Networks (VPNs)
Some of the more major improvements to ISA Server 2004 have been in the area of Virtual Private Networks (VPNs). VPN functionality has been greatly improved, and the flexibility of the VPN Networks for access rules is robust. Deployment of an ISA Server 2004 VPN solution is an increasingly common scenario for many organizations. The capabilities for clients to securely access internal resources from anywhere in the world is ideal for many organizations.Chapters 9 and 10.
Using the Firewall Client to Control Individual User Access
In addition to the default capability to support traffic from any Internet client (SecureNAT clients), ISA includes the capability to restrict, control, and log individual user firewall access through the installation and configuration of ISA firewall clients. Although it is a less common deployment scenario by virtue of the need to install and support a client component, using the ISA firewall client can create scenarios that are more secure, and also enable an administrator to control firewall policy based on individual users or groups of users.Chapter 11, "Understanding Client Deployment Scenarios with ISA Server 2004."
