ISA as a Full-Function Security Firewall
To better understand ISA Server 2004 as a product, it is important to understand its beginnings and the environment around which it was designed. First and foremost, general security concepts relating to ISA should be reviewed.
Defining the Concept of a Firewall
The idea of a computer firewall has evolved over time. In the beginning, the first networks were isolated and unconnected. With the rising need to collaborate between different organizations, the networks were joined together, eventually creating a worldwide network defined as the Internet. Along with the advantages of being able to communicate with systems all over the world came the disadvantages of being exposed to those same systems.

Thus was born the network firewall, named to reflect the concept of an architectural barrier constructed to slow the spread of fires from one part of a building to another. Initially, firewalls simply blocked all access from the "untrusted" network to the "trusted" internal network, and allowed only traffic out of the network. As technology progressed, however, the need to share internal information with outside clients and vendors arose, driving the need for firewall administrators to "open ports" on the firewall to allow specific types of traffic, such as HTTP web traffic, into the internal network.

At first, filtering traffic at the packet layer proved successful in thwarting hacking attempts, which traditionally required certain "dangerous" ports to be open to succeed. Eventually, however, virus and exploit writers realized that if their dangerous payloads were encased in commonly allowed protocols such as HTTP, they could pass freely through packet-filter firewalls and into the internal network unobstructed.

These types of exploits gave rise to extremely damaging viruses such as Code Red, Nimda, and Slammer. Many of these viruses and exploits sailed right through traditional firewalls and wreaked havoc upon internal servers.
To make matters worse, internal "trusted" clients would get infected with a virus, exploit, or spyware application, which would then launch a set of attacks from behind the firewall at unprotected servers and other workstations. It quickly became obvious that some type of solution was needed to determine what type of traffic was legitimate and what was a potential exploit. This gave rise to firewall technologies such as ISA Server 2004, which provided for stateful inspection of the traffic at the Application layer of the TCP/IP stack.
Filtering Traffic at the Application Layer
Network traffic is logically divided into multiple layers of what is called the Open System Interconnection (OSI) Reference Model. Each layer in the OSI model provides for different types of TCP/IP functionality as follows:
Layer 1: Physical
The Physical layer is the lowest layer in the OSI model and it deals with the actual ones and zeros that are transmitted to and from network devices.
Layer 2: Data Link
The Data Link layer deals with error detection and handling, basic addressing at the hardware (MAC address) level, and conflict avoidance. It is at this layer that the boundaries of the local network are defined.
Layer 3: Network
The Network layer of the OSI model encapsulates information into multiple logical "packets" of information, and deals with routing them to specific IP addresses across multiple networks.
Layer 4: Transport
The Transport layer of the TCP/IP stack is where the information about the specific "port" that the packets are to utilize is identified. Standard packet-filter firewalls can deny or accept traffic at this level.
Layer 5: Session
The Session layer deals with establishing individual sessions between client and target systems. It is at this layer that services such as NetBIOS and RPC operate.
Layer 6: Presentation
The Presentation layer (which, depending on the protocol, is not always used) deals with translating the way data is presented between disparate platforms. It is also where some compression and encryption (SSL, for example) can take place.
Layer 7: Application
The Application layer is the top layer in the stack, and the one that deals with providing services and programs that use the network for specific functionality. It is at this level that protocols such as HTTP, FTP, and SMTP exist and are processed. Application-layer firewalls such as ISA Server 2004 can understand the specific protocols at the application layer.
The deficiency in firewall devices that use packet filtering technologies only is that the true nature of the traffic cannot be determined at the Transport layer. A standard exploit, for example, can include a simple HTTP header, with the exploit itself hidden in the body of the packet. If that packet is scanned at the Application layer with ISA Server 2004, however, it can be determined whether the packet is truly legitimate. In addition, filters can be written to look for specific types of traffic in Application-layer protocols. For example, the HTTP filter in ISA Server can be modified to block directory traversal attacks that include HTTP strings containing multiple dots (..).

Deploying ISA Server 2004 as a firewall device gives an environment Application-layer inspection capabilities. Indeed, this is one of the most distinct advantages of deploying ISA in this fashion. All traffic that passes through the ISA box is scanned at the Application layer, providing a great degree of flexibility in what type of traffic is allowed and what is denied.
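As an added illustration (not ISA Server code, and not from the book), the following Python contrasts the two verdicts described above: a Layer 4 packet filter that sees only the destination port, and a Layer 7 HTTP filter that parses the request line and rejects a ".." path segment, including double-encoded forms. The allowed port set, the sample requests and the function names are assumptions constructed for this example.

```python
from urllib.parse import unquote

# Assumption: a Layer 4 packet filter only knows the destination port.
ALLOWED_PORTS = {80, 443}

def packet_filter_allows(dst_port: int) -> bool:
    """Layer 4 verdict: only the port is visible, so anything on 80 looks like 'web'."""
    return dst_port in ALLOWED_PORTS

def parse_request_line(raw: bytes) -> tuple[str, str, str]:
    """Return (method, target, version) from the first line of an HTTP request."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not a well-formed HTTP request line")
    return parts[0], parts[1], parts[2]

def has_directory_traversal(target: str) -> bool:
    """Flag a '..' path segment. Percent-decoding runs twice so double-encoded forms
    (%252e, %255c) are seen, and backslashes count as separators. Only the path is
    checked; what an application does with its query string is left to it."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return ".." in path.replace("\\", "/").split("/")

def application_filter_allows(raw: bytes, dst_port: int) -> bool:
    """Layer 7 verdict: allowed port, bytes that parse as HTTP, and a clean target."""
    if not packet_filter_allows(dst_port):
        return False
    try:
        _, target, _ = parse_request_line(raw)
    except ValueError:
        return False  # not HTTP at all, despite arriving on a 'web' port
    return not has_directory_traversal(target)

# Constructed sample requests, all sent to port 80 (not captured traffic).
SAMPLES = {
    "legit": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "double_encoded_traversal": b"GET /cgi-bin/..%255c..%255c/private.txt HTTP/1.0\r\n\r\n",
    "not_http": b"\x00\x01\x02 binary payload on port 80",
}

def verdicts() -> dict[str, tuple[bool, bool]]:
    """(packet-filter verdict, application-filter verdict) for each sample."""
    return {name: (packet_filter_allows(80), application_filter_allows(req, 80))
            for name, req in SAMPLES.items()}
```

The packet filter allows all three samples because each arrives on port 80; only the Application-layer check separates the legitimate request from the traversal attempt and the non-HTTP payload.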
Understanding Common Myths and Misperceptions About ISA
ISA Server 2004 has always faced an uphill battle for acceptance, based mainly on the fact that Microsoft has only recently put a strong emphasis on security in its products. Since the Trustworthy Computing initiative a few years back, however, the emphasis has shifted to "Security first, functionality second." How big an effect the Trustworthy Computing initiative has had is debatable, but needless to say, the security provided by ISA Server 2004 is quite respectable.

Despite this fact, however, there is a great deal of confusion and misunderstanding about what ISA really is and what type of functionality it supports. It's easy to dismiss ISA as simply another "Microsoft BOB," but the reality is that a growing number of organizations are finding that ISA Server 2004 provides an excellent fit for their environments, and allows for a degree of security previously nonexistent. At a minimum, ISA should be evaluated for inclusion in an environment, particularly for functions in which it currently excels, such as securing Outlook Web Access or providing secured web proxy functionality.

Keeping this in mind, several key misconceptions about ISA Server 2004 should be dispelled. These misconceptions are as follows:
ISA Server 2004 is only a proxy server
This misconception often stems from the history of ISA Server, when it was named Proxy Server 1.x/2.x. One of the reasons for the name change to Internet Security and Acceleration Server was to move away from this concept and highlight the fact that ISA is a security device at heart.
ISA clients require special client software
Some organizations avoid looking at ISA as a solution under the mistaken belief that if clients are to use ISA Server, they need special client software. Although there is an ISA Firewall Client that provides advanced securing and auditing functionality, that client is not required in order to use ISA Server. ISA can easily scan and filter traffic from any type of client on any connected network.
ISA Server is not a real firewall
This misconception is often manifested in the fact that ISA is often referred to as simply "the ISA server," while packet-filter solutions are referred to as "the firewall." In reality, ISA has as much of a claim to the title of "firewall," or more, because it filters network traffic across all layers of the network model, and not just the lower layers as traditional packet-filter firewalls do. If a distinction needs to be made between the technologies, a good term to describe ISA is an Application Layer Firewall (ALF).
ISA can't be deployed unless it completely replaces existing firewalls and security infrastructure
Microsoft is partly to blame for this misconception. The marketing push for ISA and the examples used on Microsoft's websites essentially position ISA as the end-all security solution, meant to replace all other firewalls, stateful inspection devices, and intrusion detection systems. In reality, however, a large number of the ISA servers currently deployed sit in the DMZ of an existing firewall and provide an additional layer of security on top of existing security and firewall protections. In practice, it becomes much easier to sell ISA as a solution if security administrators understand that existing security is not touched, only added to.
ISA servers have to be domain members
This misconception alone has kept many organizations away from deploying ISA in their environments. The truth is that ISA 2000 was severely limited if it wasn't a domain member, and Microsoft sought to fix this with ISA Server 2004. Fortunately, Microsoft has provided for much improved support of ISA servers that are not domain members. The capability to use RADIUS servers for authentication and Active Directory in Application Mode (ADAM) for storage of Enterprise arrays allows for workgroup member ISA Servers to have the same capabilities as domain members.