Chapter 3: Stalking the Competition: How ISA 2004 Stacks Up
Firewall Comparative Issues
Once the question addressed in Chapter 1 ('Is ISA Server really a firewall?') has been answered, the next thing potential users want to know is inevitably, 'How does ISA Server compare to other firewalls?'
Often, the question comes as a challenge from Check Point or PIX aficionados. Other times it comes from new or experienced network administrators who have been tasked with selecting or recommending a firewall solution for their companies and who are confused and overwhelmed by the plethora of marketing material, claims of firewall vendors, and kudos or complaints they hear from other firewall users.
In order to intelligently answer the question, we've had to become acquainted not only with ISA Server 2004 itself, but with the features and pricing/licensing structures of competing products. This chapter is designed to serve three main purposes:
Provide answers to some common questions for readers who are responsible for selecting a firewall and/or caching product for their networks.
Provide a rational basis for selecting ISA Server 2004 that is predicated on evidence and fact, rather than bias.
Provide 'ammunition' for readers who already know they want to implement ISA Server 2004 on their networks and need to convince their companies' management.
If you take a look at the product lines of most of the major firewall appliance vendors, you'll find several different models, not to mention a variety of different licensing schemes, as well as plenty of add-ons that enhance functionality and come at extra cost.
Constructing an intelligent comparison of the products of different vendors can be a daunting task, and often there is no clear-cut 'winner' in such a comparison. Instead, you find that making the right choice depends very much on your existing network infrastructure, the role you want the firewall to play, and a tradeoff of some features for others.
We often hear network administrators lament, 'I can buy a SonicWall firewall for under $500. ISA Server costs three times that and doesn't even include the hardware.' That's true - as far as it goes. Here is the rest of the story:
The under-$500 SonicWall (or NetScreen, or WatchGuard) is not intended for use on a large or even medium-sized business network. These low-cost firewall appliances are the SOHO (Small Office/Home Office) and 'telecommuter' models.
SOHO firewalls are limited to a small number of users (usually 10-25), and telecommuter firewalls are designed to protect the single computer of someone working from home and connecting to the company network remotely (more like a personal firewall).
SOHO and telecommuter firewalls may not support remote access VPN, or may come with only a single VPN license; additional VPN clients will cost extra. They may support a limited number of VPN tunnels (5-10), even with extra licenses.
Low-end firewalls run on low-powered hardware. For example, the SonicWall SOHO 3 uses a 133MHz processor and 16MB of RAM, whereas you can select the hardware on which to install ISA Server and other software-based firewalls (as long as it meets the minimum requirements needed to run the OS and firewall).
Performance/throughput for low-cost firewalls is often very low (for example, 75Mbps firewall throughput, in comparison to ISA Server's tested throughput of up to 1.5Gbps).
As you dig deeper into the comparative features, you begin to realize that a simple cost comparison is meaningless. A comparative analysis must also take into account the administrative overhead, licensing structure, and feature sets of the products being compared. To say, 'I can buy a firewall for under $500' is like saying, 'I can buy a watch for $5,' or 'I can buy a new car for $10,000.' All of those statements are true, but many consumers still choose to spend $50 or $500 or even $5000 for a watch and $20,000, $30,000, or much more for a new car. Why? Most would tell you that issues of reliability, features, and longevity are important factors. Of course, status may also play a part in their decisions, especially at the extreme high end of the price scale.
Of course, if the under-$500 firewalls were all anyone needed to protect their networks, the same vendors wouldn't also offer firewalls that cost three, five, ten, or sometimes twenty times as much as their low-end products.
This chapter does not attempt to make the case that ISA Server is 'the best' firewall product for every network in every situation. It does provide facts supporting our contention that ISA Server is a serious contender in the business firewall market and can hold its own in a competition with the 'big boys' (Cisco and Check Point) and the many low-cost firewall/VPN appliances currently in use.
Note | In an enterprise environment, it is often neither necessary nor desirable to choose a single firewall solution for all applications. A good 'defense-in-depth' strategy will often 'mix and match' products from multiple vendors for the most effective protection against modern threats. For example, a company might decide to deploy one or more fast packet filtering firewalls, such as PIX, at the Internet edge and put a deep application layer filtering firewall, such as ISA Server, within the DMZ or in front of each departmental subnet. |
In the following sections, we examine some factors that you should take into consideration when comparing different firewall products. These are separated into three broad categories:
Cost and licensing. This includes not only the initial capital investment in the software, hardware, or appliance, but also special licensing considerations (such as the requirement for separate licenses for VPN clients), add-on modules and enhancements that are required to provide full competitive functionality, support contracts, the comparative cost of upgrading, and other factors that impact Total Cost of Ownership (TCO), such as administrative overhead, training requirements, and so on.
Specifications and features. This refers to architecture and operating system, throughput and concurrent sessions supported, filtering features, and intrusion detection and prevention features, VPN features (protocol support, client support, number of tunnels supported, VPN quarantine/security), Web caching functionality (if any), and integration and interoperability with Windows and other servers.
Certification. Certification by independent entities such as ICSA Labs in the U.S. and Checkmark in the U.K. can ensure that firewalls meet minimum criteria based on standardized testing.
The comparative analysis in this chapter is based on information gathered from vendor documentation, vendor queries, questionnaires targeting administrators who use the various products, and hands-on evaluation of (some of) the products.
Warning | The information in this chapter is current as of the time of the research and writing, but the security software market is constantly changing. New products are introduced and existing products are upgraded on a daily basis. Changes in business structure or ownership are common (for example, one of the major companies addressed in this analysis, NetScreen, was bought by Juniper Networks a short time before the writing of this document) and might or might not result in changes to the products themselves. |
The following analysis will compare ISA Server 2004's cost, features, and functionality with some of its primary competitors in the firewall market. The competitors we address in this chapter are:
Check Point (including Nokia appliances)
Cisco's PIX security appliances
NetScreen security appliances (now owned by Juniper Networks)
SonicWall security appliances
WatchGuard security appliances
Symantec's Enterprise Firewall software (including Symantec appliances)
Blue Coat Systems ProxySG appliances
Open source firewalls (ipchains, the TIS Firewall Toolkit (FWTK), IPCop)
This by no means includes all available firewall products on the market today; however, it does include those with the largest market shares.
The Cost of Firewall Operations
To the network/security administrator, the cost of a firewall may not be first on the list of priorities in selecting the best product for your situation. You want the one that will get the job done most effectively and efficiently, and that will be easiest for you and your staff to deploy, manage, and update. However, to those who may have the ultimate decision-making authority (the Chief Financial Officer, purchasing agent, or small business owner), cost is a very important consideration.
It's important to remember, however, that cost involves a lot more than just the initial purchase price of an appliance or software/hardware package. Budget-minded decision-makers are concerned with the 'bottom line,' or the entire financial impact of the decision spread over the lifetime of the product. In comparing different products, you need to address each of the following:
Capital investment
Add-on modules and enhancements
Licensing structures
Support
Upgrade
Total Cost of Ownership
We address each of these in the following subsections.
Capital Investment
By 'capital investment,' we refer to both the initial cost of the software license and/or the hardware device, plus any additional add-on modules, client licenses, or other components that are required to deploy the firewall or caching solution with full functionality on your network. Many vendors advertise a 'base price' that doesn't necessarily include everything that's required for what you want to do (for example, if you want to use the firewall as a VPN gateway, you may have to purchase licenses that are not included in the price of the firewall for each VPN client).
Add-on Modules and Enhancements
Many firewall products provide some of their functionality through add-on modules or additional 'off-box' devices or software. For example, most firewall vendors don't provide Web caching as a standard feature of the firewall, but some allow you to add it through a software module (for example, Check Point) or offer an additional hardware device that performs the function (such as Cisco). ISA Server 2004, like Blue Coat, builds Web caching into the firewall, so you save hundreds or even thousands of dollars because you don't have to buy additional software and/or devices to get that functionality.
To accurately compare the cost of ISA Server with these devices, you must also factor in the cost of add-ons required to give the same level of functionality ISA Server has 'out of the box.'
Some features and functionalities provided by vendors through add-ons include:
Web caching
IDS/IDP
Virus scanning and detection
Centralized management of multiple firewalls
Report generation
High availability/load balancing
PKI/Smart card authentication
ISA Server 2004 includes many of these features right out of the box, so they don't add any extra cost.
In addition, it's important to note that because they don't include a hard disk to which log files can be written, ASIC devices often require separate computer hardware for logging. For example, you may need to set up a server to collect the PIX logs. This is often forgotten in cost considerations. People often complain that ISA requires the purchase of computer hardware and an OS license, but recording ASIC-generated log files frequently requires this expenditure, too.
Licensing Structures
Software licensing structures can be confusing, at best. However, it's important to understand each product's licensing structure in order to make a valid comparison. The licensing structure can greatly affect the total cost of the firewall/security device. Some vendors grant licenses on a subscription basis, requiring that you pay for the software license again each year. Others charge an initial licensing fee, with no additional fee required unless/until you upgrade to a new version of the product (and you may get a discounted licensing fee when you upgrade versus someone who is buying the product for the first time).
Licenses may also vary in price depending on how you intend to use the firewall. For example, the license for a second firewall in a failover/fault tolerance cluster may be cheaper than the license for the active firewall. Vendors may use different terminology to distinguish between licensing levels. For example, Cisco makes its PIX licenses available as Restricted (R), Unrestricted (UR), or Failover (FO) licenses. The licensing mode is defined by your activation key. A Restricted (R) license limits the number of interfaces that are supported, as well as the amount of RAM that is available to the software. An Unrestricted (UR) license allows you to use all of the RAM that the hardware supports and the maximum number of interfaces supported by the hardware. A Restricted license does not support a failover configuration, while an Unrestricted license does. You can also buy a special 'R to UR' license to upgrade from a Restricted license to an Unrestricted one, or an 'FO to R' or 'FO to UR' license to upgrade from a Failover license to a Restricted or Unrestricted one.
Some firewalls are licensed according to number of 'users.' The firewall may enforce this by sending a ping and counting the replies from responding hosts (in which case, network printers and other devices that are assigned IP addresses might be counted as 'users') or by keeping track of the number of internal nodes that are accessing the Internet on the external interface. For example, Check Point FireWall-1 (FW-1) listens for IP traffic on all internal interfaces and keeps count of the different IP addresses. When the number of IP addresses exceeds the license limit, e-mail notifications will be sent to administrators and the event will be logged.
Many vendors also have volume licensing plans or corporate licensing plans that offer lower rates to large customers or those who buy a large number of firewalls. Software firewall vendors may also offer evaluation licenses that expire after a specified number of days.
Note | One notable advantage of software firewalls such as ISA Server 2004, Check Point and Symantec Enterprise firewall is the ability to easily 'try before you buy' by installing an evaluation version of the product. |
You'll also want to consider whether additional licenses, other than for the firewall software itself, are needed for full functionality. Some vendors charge extra for VPN licenses for each VPN connection. Even when the cost is relatively low ($15-35 per license is typical), this can add up fast if you have hundreds of VPN users. You might also have to obtain an extra license to use certain features, such as 3DES encryption. Finally, you may need additional licenses to run add-on modules. For example, running the Motif GUI to connect to a Check Point FW-1 management console in FW-1 4.1 and above requires that you pay extra for a Motif license. LDAP (Lightweight Directory Access Protocol) functionality also requires an extra license if you want to use it with FW-1.
Support Costs
Another 'hidden' cost factor that you should consider in comparing the cost of various solutions is the cost of support, which can vary widely depending on the vendor. Support contracts can cost from less than a hundred to several thousand dollars per year.
Some vendors include free support for a set period of time. For example, Cisco provides free tech support for 90 days, while Check Point FW-1 requires that you purchase a support/upgrade contract to access their tech support, with such contracts costing as much as 50 percent of the original software price, per year.
Some vendors have different levels of support contracts. For example, Symantec offers Gold, Platinum, and Premium Platinum Maintenance and Support contracts on their firewall products. Gold support provides telephone support during regular business hours, Monday through Friday, while Platinum support provides after-hours support. With Premium Platinum support, you get a Technical Account Manager and three additional technical contacts (Gold and regular Platinum provide for two technical contacts).
If you plan to purchase a support contract, the cost should be factored into your comparison.
Upgrade Costs
The cost to upgrade the firewall is another important cost factor you must consider when doing a cost comparison. Software firewalls that are installed on standard hardware can easily take advantage of the addition of a faster or additional processor, faster network cards, more RAM, or installation on a new, more powerful machine. Hardware appliances, on the other hand, may have to be replaced completely, or may be more costly to upgrade. For example, the Cisco PIX Firewall Classic, 10000, and 510 models have been discontinued and cannot run PIX firewall software version 6.0 or later. This means if you want the features of the new software, you'll have to purchase a new PIX appliance.
Note | Another important consideration is if/when you need to upgrade to more powerful hardware for your software-based firewall, you can 'repurpose' the original hardware to act as a file server, workstation, or in another role on the network. A hardware-based security appliance running a proprietary operating system has less potential for reuse. |
Whether you have a 'hardware firewall' or a 'software firewall,' the cost of upgrading the software at periodic intervals is also important. You'll want to consider the following:
Are updates and fixes available free, or do you have to pay for them?
Are there discounts for upgrade versions of the software, or must you buy the full version?
Another consideration is the administrative overhead required to perform the upgrade. For example, a PIX running software version 5.0 or earlier provides no way to copy a new image from a Trivial File Transfer Protocol (TFTP) server directly to the device's flash memory, so you have to boot into monitor or boothelper mode to load it. Newer versions of the PIX software support a command that copies the image from the TFTP server straight to flash. Either way, the upgrade is performed from a command line interface.
Total Cost of Ownership
When all of the cost factors are taken into consideration, you can come up with a Total Cost of Ownership (TCO) for each product in order to make a more accurate price comparison. In calculating the TCO for each of the competing products, you must consider not only each of the direct costs we discussed in the preceding paragraphs, but also indirect costs such as:
Learning curve: cost of materials, training courses, and such, required for administrators to learn to configure and manage the firewall.
Administrative overhead: relative amount of administrative time required to configure and manage the firewall; level of administrative expertise required (which can increase personnel costs).
Productivity costs: the effect of the firewall on the productivity of network users.
Downtime costs: both productivity losses and loss of revenues, for example from potential e-commerce sales, related to the deployment and reliability of the firewall.
Most TCO models divide all cost factors into two broad categories: acquisition costs and on-going or operational costs. The first category includes the purchase price of the hardware, the initial licensing fees for the software, and one-time installation costs, including the cost of administrative time, hiring of consultants if applicable, initial training, and so on. The second category includes vendor support contracts, internal IT administrative costs, hiring of independent consultants for troubleshooting and maintenance, hardware maintenance and upgrades, software updates and upgrades, on-going training, and other support costs. Of course, some of these costs will vary from one customer to another, depending on the way the firewall will be deployed and the experience and skill sets of current personnel.
Note | There is more price flexibility and you have more control over TCO with software firewalls because you can take advantage of competitive pricing among different hardware vendors, whereas with hardware-based firewalls, you may be limited to a small selection of different hardware configurations with less of a price variance between different resellers. |
Specifications and Features
Once cost issues are out of the way and a budget is determined, the second broad category for comparison deals with features and functionalities for each product. We can divide this category into the following subcategories:
General specifications (both hardware and software specs)
Firewall features (including related features such as intrusion detection)
VPN gateway functionality
Web-caching features (if included)
Firewall certification
Let's look at each of these separately.
General Specifications
General specifications relate to the included hardware (for appliances) or the minimum hardware requirements (for software firewalls), as well as how scalable, extensible, and reliable the product has proven to be in deployment, and whether and how it supports high availability/fault tolerance features such as clustering/failover and load balancing. Other important points of comparison include compatibility and interoperability with other software and devices on the network, and ease of use (which directly affects administrative overhead). The list below provides a starting point for comparing these specifications:
Hardware specifications. This includes hardware architecture (software firewall, hard disk-based appliance, ASIC appliance). For software firewalls, you'll want to know the minimum system requirements as well as the maximum hardware resources that the firewall can utilize. This subcategory also includes processor speed, amount of memory, number of ports (and port type: 10/100 Ethernet, gigabit Ethernet, and so on), disk size (for hard disk-based devices), and other physical factors. This is an especially important point of comparison for hardware-based firewalls, since you may not be able to easily upgrade the hardware.
Scalability. This refers to the ability of the software firewall or device to scale up as the organization and network grow. You'll want to consider such factors as how many connections the firewall can handle and how many simultaneous VPN tunnels are supported, as well as other factors, depending on your particular network setup. You'll also want the ability to configure multiple devices to work together and to provide for centralized management.
Extensibility. This refers to the ease with which in-house developers or third parties can create add-ons to enhance the functionality of the firewall.
Reliability. This refers to minimizing downtime and is a product of several factors, including hardware and software factors. For example, a reliability advantage of ASIC-based devices is the lack of moving parts, which eliminates the possibility of mechanical failure. Software reliability depends on programming accuracy and complexity of both the firewall application and the underlying operating system, as well as interoperability with any other applications (add-on modules, third-party enhancements, or other applications) running on the box. One element of reliability is fault tolerance, which refers to the ability of a system to continue to operate after a failure of one or more components.
High availability. This is closely related to reliability and refers to redundancies (such as redundant power supplies or clustering of multiple firewalls with automatic failover) to ensure that functionality continues in case of hardware or software failure.
Load balancing. This refers to the ability to spread the processing load across multiple firewall devices to enhance performance and accommodate increases in traffic.
Compatibility/interoperability. This refers to the firewall's ability to interoperate with other devices, servers and clients on the network; for example, can the firewall integrate with your mail server to provide protection for RPC communications? In particular, if you are operating in a Windows network environment, you'll want to know how well the firewall integrates with Active Directory (can it use AD user and group accounts for authentication?), Exchange, SharePoint, and other Microsoft server products you have deployed on the network.
Ease of use. This refers to simplicity of installation and configuration (applicable to software-based firewalls), user-friendliness of the management interface (GUI, Web-based, or CLI), and how easy it is to remotely manage the firewall and to centrally manage multiple firewalls.
Tip | Some factors, such as ease of use, are not quantifiable, but are rather the result of subjective assessment. An interface that seems friendly to one user might be confusing to another. Unlike hardware specifications or software features, such as number of VPN tunnels supported, you can't depend on vendor documentation to determine how easy an interface is to use. We recommend that when evaluating this factor, you talk with firewall administrators who have been using the product, or ideally, try the product yourself in a test lab environment. This is especially easy in the case of software firewalls that offer trial versions, and it is a step that shouldn't be skipped, as you'll be dealing with the interface every day. |
Firewall and Related Features
There are several firewall-specific features that you should look for when comparing different vendors' products. Product data sheets from vendor Web sites can provide a starting point, but as you narrow your choices, you'll want to dig deeper and read independent product reviews and/or talk to IT professionals who have personally worked with the particular products you're considering.
Keep in mind that a vendor's claim that it supports a particular feature might not tell the full story; you must also evaluate how that feature is implemented. For example, Application Layer Filtering (ALF) might mean only that there are filters to detect a few application layer attacks, such as DNS or POP3 buffer overflows. The firewall might not support deep ALF (examination of the contents of data packets for particular administrator-defined text strings, for example).
Tip | Advertising material will always be slanted to show the product in the best light. Also note that different vendors often use different terminology to describe the same features, which makes it more difficult to compare products based only on vendor documentation. For example, the feature that Microsoft calls 'SSL bridging' is referred to as 'SSL termination and initiation' by some other vendors. |
Some important firewall features to compare include the following:
Application Layer Filtering: Most modern firewall products now incorporate some form of ALF, but the level of ALF support can vary widely from one product to another. The most common implementation provides filters that check for application level attacks, such as those that exploit DNS and POP3. Another type of ALF is URL scanning, which allows you to screen Web requests and reject those that don't comply with administrator-defined rules based on content, character set, length, HTTP methods (verbs), headers, extensions, and so on. SMTP filters and screeners can inspect e-mail traffic and can be used as an anti-spam mechanism to block messages from particular domains, source addresses, or containing particular content.
Protocol support: In comparing protocol support, you should not only determine which protocols are supported by a particular product, but how each is supported. For example, can access policies be applied to a particular application, service or protocol? What about VPN policy? Quality of Service (QoS), if applicable? Determine exactly which application filters are included with the product; find out which add-on filters are available for it, and look into how easy (or difficult) it is to create your own filters. Depending on your organization's needs, you might want to look for support for the following categories of applications, services and protocols: Authentication/security services (HTTPS, IPSEC, ISAKMP/IKE, LDAP, RADIUS, SecurID, TACACS/TACACS+, CVP), Mail services (POP3, SMTP, IMAP), Internet services (IM, file sharing, NNTP, PCAnywhere), Enterprise services (DCOM, Citrix ICA, Sun NFS, Lotus Notes, SQL), routing protocols (EGP, IGRP, GRP, OSPF, RIP), TCP/UDP services (Bootp, Finger, Echo, FTP, NetBEUI, NetBIOS over IP, SMB, RAS, PPTP), RPC services, ICMP services, and multi-media streaming services.
Intrusion Detection: Most modern firewalls include some level of built-in intrusion detection and prevention (IDS/IDP). Some products provide IDS as a separate module or offer an 'off-box' IDS solution. Other firewalls include rudimentary IDS but offer a more sophisticated version of IDS/IDP at extra cost. Compare the common attacks that the firewall's IDS is configured to detect (for example, WinNuke, Ping of Death, Teardrop, and buffer overflow attacks are common, but the first three are older attacks from which most modern systems with updated patches are already protected). You also might want to consider how IDS alerts are sent (for example, e-mail, pager), and you might also want to check availability of IDS add-on products (both from the firewall vendor and from third parties) to increase IDS effectiveness.
Note | An important element in evaluating IDS effectiveness is the number of 'false positives' that the IDS returns. |
Firewall throughput/Number of connections: The size of your organization will determine your needs when it comes to how many simultaneous firewall sessions are supported. This number can vary widely from vendor to vendor and from one product to another within a single vendor's line. You'll also want to consider firewall throughput in megabits per second or gigabits per second (Mbps or Gbps). Note that this will generally be a different (and higher) number than VPN throughput because of VPN overhead, especially when strong encryption such as 3DES or AES is used for VPN connections. Throughput and connection specs are often the primary differentiating factors between different appliance models made by the same vendor, but when you buy a software firewall, these numbers may also depend on the hardware on which you install it.
Logging/Reporting: Most modern firewalls include some level of logging, but the sophistication and scope of the logs varies. Consider the logging format and how easy it is to import the logs into spreadsheets or other programs, as well as your organization's logging needs. Will text logs do, or do you need to be able to log data to a SQL database? Some firewalls come with reporting functions that analyze and aggregate the information that's contained in the logs into configurable reports. Others offer this feature as an add-on module. Also, consider the availability of third-party log file analysis and reporting software.
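The URL-scanning form of Application Layer Filtering described above (rejecting requests by method, length, character set, extension, headers and content signatures) is easiest to evaluate when you can see the rule set as code. The following is an added example written for this chapter, not ISA Server's HTTP filter or any vendor's code; the policy values, function names and sample requests are constructed assumptions. It also performs the normalization check a practitioner would want: a URL that still contains %XX escapes after one round of decoding is double-encoded, which is the classic way traversal filters are evaded.

```python
"""Administrator-defined HTTP request screening (added example; the policy,
function names and sample requests are constructed, not ISA Server code)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class HttpPolicy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_url_length: int = 2048
    blocked_extensions: frozenset = frozenset({".exe", ".bat", ".cmd", ".scr", ".pif"})
    # Assumption: the administrator has decided the WebDAV 'Translate' header
    # must not cross the firewall, so its presence alone rejects the request.
    blocked_headers: frozenset = frozenset({"translate"})
    # Signatures searched for in the decoded URL and in every header value.
    signatures: tuple = (
        re.compile(rb"\.\./"),
        re.compile(rb"cmd\.exe", re.I),
        re.compile(rb"<script", re.I),
    )
    block_high_bit: bool = True  # reject non-ASCII bytes in the URL


REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
PERCENT = re.compile(rb"%[0-9A-Fa-f]{2}")


def inspect_request(raw: bytes, policy: HttpPolicy = HttpPolicy()) -> Optional[str]:
    """Return None if the request passes the policy, otherwise the reason it is rejected."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "malformed request line"
    method, url = m.group(1).decode("ascii"), m.group(2)

    if method not in policy.allowed_methods:
        return f"method {method} not allowed"
    if len(url) > policy.max_url_length:
        return f"URL length {len(url)} exceeds {policy.max_url_length}"
    if policy.block_high_bit and any(b > 0x7E or b < 0x20 for b in url):
        return "URL contains non-ASCII or control characters"

    # Normalization: decode %XX once.  If escapes remain, the client encoded the
    # URL twice, which is how '..%255c..' slips past a naive traversal filter.
    decoded = unquote_to_bytes(url)
    if PERCENT.search(decoded):
        return "double-encoded URL"
    if policy.block_high_bit and any(b > 0x7E for b in decoded):
        return "URL decodes to non-ASCII characters"

    path = decoded.split(b"?", 1)[0].lower()
    for ext in policy.blocked_extensions:
        if path.endswith(ext.encode()):
            return f"blocked extension {ext}"

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    for name in headers:
        if name in policy.blocked_headers:
            return f"blocked header {name}"

    for sig in policy.signatures:
        for haystack in [decoded] + list(headers.values()):
            if sig.search(haystack):
                return f"signature match: {sig.pattern.decode()}"
    return None


SAMPLES = {  # constructed requests, not captured traffic
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "unicode_traversal": b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "download": b"GET /files/setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long": b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "webdav": b"GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "xss": b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def screen_all(samples=SAMPLES, policy=HttpPolicy()):
    """Verdict for every sample: None means allowed, a string is the rejection reason."""
    return {name: inspect_request(req, policy) for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in screen_all().items():
        print(f"{name:18s} -> {verdict or 'ALLOW'}")
```

The order of the checks matters: the cheap structural tests (method, length, character set) run before decoding, and decoding runs before the extension and signature tests so that an encoded '.exe' or '<script' cannot hide from them. When comparing products, ask each vendor which of these steps its 'URL filtering' actually performs and whether it normalizes before matching.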
VPN Features
Most modern firewalls, other than those intended only as personal firewalls or 'telecommuter' models, include integrated VPN gateways. Virtual private networking is an essential element of remote access communications for many organizations. Employees depend on VPN to work from home or when on the road. There are several factors to consider when comparing VPN support of different security devices.
VPN Protocol Support: What VPN protocol(s) are supported: IPSec, PPTP, L2TP, SSL VPN? Is NAT Traversal (NAT-T) supported? What authentication protocols are supported for VPN connections? Is two-factor authentication (ActivCard, Authenex, SecurID) supported? What encryption methods are supported (DES, 3DES, AES)? Some vendors require an extra license at extra cost to use strong encryption.
Remote access/site-to-site VPN: Organizational needs determine whether you need support for site-to-site VPN (connecting two networks), remote access VPN connections, also called client-server VPN (which allows an individual computer to connect to the network), or both. Some low cost firewalls support only site-to-site VPN.
VPN client: Remote access VPN connections require VPN client software on the client computer (SSL VPNs are made through the Web browser). All modern versions of Windows include Microsoft's PPTP and L2TP clients built into the OS. Many firewall/VPN devices require proprietary client software, which may have to be licensed at extra cost. In some cases, you can use the Microsoft clients with third-party firewalls for basic VPN operation, but you will need the vendor's proprietary software for advanced functionality.
VPN connections/throughput: Organizational needs will determine the number of simultaneous VPN connections needed. In firewall documentation, this is often expressed as the number of VPN tunnels supported. If multiple VPN protocols are supported, check the number of allowed connections per protocol (for example, the number of PPTP connections supported may differ from the number of L2TP connections). VPN throughput is generally expressed in Mbps and differs with the encryption method used, so compare the figure for the cipher you will actually deploy. Do not assume the stronger cipher is the slower one: in software, AES generally outperforms 3DES, while an appliance with hardware acceleration for 3DES but none for AES may show the reverse.
VPN quarantine: This is the ability to block or allow VPN connections based on administrator-defined conditions (such as whether the client is running an anti-virus program or firewall, or whether security updates have been installed). Users whose machines don't meet the criteria can be forwarded to a Web site where they can download the needed updates. Some vendors refer to this as remote policy enforcement, client configuration verification, or by other terms, and offer it through a third-party software package or extra-cost VPN client software.
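The decision structure behind quarantine is simple enough to show in code. The following is an added example, not ISA Server's Quarantine Control implementation: the policy, the two client posture reports and the check names are constructed. What it shows is the shape a practitioner should look for in any vendor's version of the feature: every check runs (so the user sees the whole list of what to fix, not just the first failure), the client is admitted only when all required conditions hold, and a failing client is given the remediation location rather than a bare refusal.

```python
"""Decide whether a VPN client is admitted or quarantined.

Added example, not ISA Server's Quarantine Control code: the policy, the
posture reports and the check names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Posture:
    """What the client reports about itself. Self-reported, so a claim, not proof."""
    antivirus_running: bool
    signature_date: date
    firewall_enabled: bool
    installed_updates: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    """Administrator-defined admission conditions."""
    as_of: date                      # evaluation date, fixed so the example is reproducible
    max_signature_age_days: int
    required_updates: FrozenSet[str]
    remediation_url: str             # where quarantined clients are sent for fixes


Check = Tuple[str, Callable[[Posture, Policy], bool]]


def _signatures_current(p: Posture, pol: Policy) -> bool:
    return (pol.as_of - p.signature_date).days <= pol.max_signature_age_days


CHECKS: List[Check] = [
    ("anti-virus running", lambda p, pol: p.antivirus_running),
    ("anti-virus signatures current", _signatures_current),
    ("host firewall enabled", lambda p, pol: p.firewall_enabled),
    ("required updates installed", lambda p, pol: pol.required_updates <= p.installed_updates),
]


@dataclass(frozen=True)
class Decision:
    action: str                      # "allow" or "quarantine"
    failed: Tuple[str, ...]          # names of the checks that did not pass
    missing_updates: Tuple[str, ...]
    redirect: Optional[str]          # remediation site for quarantined clients


def evaluate(posture: Posture, policy: Policy) -> Decision:
    """Run every check, not just until the first failure, so the user gets the full list."""
    failed = tuple(name for name, check in CHECKS if not check(posture, policy))
    missing = tuple(sorted(policy.required_updates - posture.installed_updates))
    if not failed:
        return Decision("allow", (), (), None)
    return Decision("quarantine", failed, missing, policy.remediation_url)


# Constructed policy and two constructed clients ("update-A" etc. are placeholders).
POLICY = Policy(date(2004, 9, 14), 7, frozenset({"update-A", "update-B"}),
                "https://remediation.example.internal/")
COMPLIANT = Posture(True, date(2004, 9, 12), True, frozenset({"update-A", "update-B", "update-C"}))
STALE = Posture(True, date(2004, 8, 1), False, frozenset({"update-A"}))

if __name__ == "__main__":
    for name, client in (("compliant", COMPLIANT), ("stale", STALE)):
        print(name, evaluate(client, POLICY))
```

The caveat that applies to every product in this category: the posture is reported by software running on the client, so it is only as honest as the client. Quarantine limits the damage a non-compliant machine can do; it does not authenticate the machine's claims, which is why the quarantined network should still be a restricted one rather than a trusted one with a checkbox.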
Note | NAT Traversal, or NAT-T, makes IPSec usable across Network Address Translation, which standard IPSec was not. AH authenticates the IP header that a NAT rewrites, and ESP carries no port numbers, so a NAT device sharing one public address among several hosts had no way to tell one host's tunnel from another's. IPSec NAT-T (RFC 3947 and RFC 3948) fixes this in two steps: the IKE peers detect a NAT in the path (each sends hashes of the addresses and ports it believes are in use, and a mismatch against what the other side actually observes reveals the translation), and they then encapsulate ESP in UDP on port 4500, which a NAT translates like any other UDP flow. Microsoft's definition, 'a set of capabilities that allows network-aware applications to discover they are behind a NAT device, learn the external IP address, and configure port mappings to forward packets from the external port of the NAT to the internal port used by the application-all in an automated fashion so the user does not have to manually configure port mappings or other such mechanisms,' comes from its documentation of the UPnP-based NAT Traversal API and describes a different mechanism, in which an application asks a home gateway to open port mappings. When a vendor claims NAT-T support for VPN, the IPSec variant is the one that matters. |
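The two halves of IPSec NAT-T are concrete enough to demonstrate. The following is an added example, not Microsoft's or ISA Server's code; the cookies, addresses and ports are constructed. The NAT-D payload construction follows RFC 3947 section 4 (HASH(CKY-I | CKY-R | IP | Port), with SHA-1 standing in for whichever hash IKE phase 1 negotiated), and the demultiplexing of traffic on UDP 4500 follows RFC 3948 section 2 (the four-byte Non-ESP Marker in front of IKE messages, and the one-byte 0xFF NAT keepalive).

```python
"""IPSec NAT-T mechanics: detecting a NAT in IKE, then demultiplexing UDP 4500.

Added example, not Microsoft's or ISA Server's code. Cookies, addresses and
ports are constructed. NAT-D follows RFC 3947 section 4; the UDP 4500
framing follows RFC 3948 section 2.
"""
import hashlib
import ipaddress
import struct
from typing import List, Tuple

Addr = Tuple[str, int]


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """One NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in network order."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed).digest()  # SHA-1 assumed as the negotiated hash


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, dst: Addr, src: Addr) -> List[bytes]:
    """A sender emits the hash of its peer's address first, then of its own source address."""
    return [nat_d(cky_i, cky_r, *dst), nat_d(cky_i, cky_r, *src)]


def detect_nat(cky_i: bytes, cky_r: bytes, my_addr: Addr,
               peer_payloads: List[bytes], observed_peer_addr: Addr) -> Tuple[bool, bool]:
    """Receiver's view: (I am behind a NAT, the peer is behind a NAT).

    If the peer's hash of *my* address does not match the address I think I have,
    something rewrote it on the way: I am behind a NAT. If none of the peer's hashes
    of *its own* address match the source address the packet actually arrived from,
    the peer is behind a NAT.
    """
    i_am_natted = peer_payloads[0] != nat_d(cky_i, cky_r, *my_addr)
    peer_natted = nat_d(cky_i, cky_r, *observed_peer_addr) not in peer_payloads[1:]
    return i_am_natted, peer_natted


NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_udp4500(payload: bytes) -> str:
    """Sort a UDP 4500 datagram: keepalive, IKE (Non-ESP Marker) or UDP-encapsulated ESP.

    An ESP packet starts with its SPI, which is never zero, so four zero bytes can
    only be the marker that RFC 3948 puts in front of IKE on this port.
    """
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 8:
        raise ValueError("too short for either IKE or ESP")
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


# Constructed IKE cookies and addresses for the two scenarios below.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
GATEWAY: Addr = ("203.0.113.5", 500)


def scenario_client_behind_nat() -> Tuple[bool, bool]:
    """Client on a private address; the gateway sees the NAT's public address instead."""
    client_private: Addr = ("192.168.1.10", 500)
    client_as_seen: Addr = ("198.51.100.7", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, dst=GATEWAY, src=client_private)
    return detect_nat(CKY_I, CKY_R, GATEWAY, payloads, client_as_seen)


def scenario_no_nat() -> Tuple[bool, bool]:
    """Both peers on public addresses: hashes match, no UDP encapsulation needed."""
    client: Addr = ("198.51.100.7", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, dst=GATEWAY, src=client)
    return detect_nat(CKY_I, CKY_R, GATEWAY, payloads, client)


if __name__ == "__main__":
    print("client behind NAT:", scenario_client_behind_nat())  # (False, True)
    print("no NAT:", scenario_no_nat())                        # (False, False)
```

Once either side reports a NAT, both switch from UDP 500 to UDP 4500 and the ESP traffic goes out wrapped in UDP; `classify_udp4500` is what the receiving end does on every datagram to route it to IKE or to the ESP decapsulator. The keepalive exists because a NAT drops an idle UDP mapping, and a tunnel with nothing to say would otherwise lose its path home.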
Web-Caching Features
There are a number of features to consider in comparing Web-caching solutions. Which features you need will be dependent on such factors as the size and structure of your organization, how and how much external Web access is used by those on your network, and whether your organization hosts its own Web servers.
Forward caching: All Web caching servers support forward caching. This accelerates outbound requests: when a user on the internal network requests a Web object from a server on the Internet, frequently requested objects are kept on the caching server and served over the faster local network instead of the Internet link. Studies of ISA Server show that in a typical business network, 35 to 50 percent of requests can be served from the forward cache (the cache hit rate).
Reverse caching: Reverse caching is used when the organization publishes internal Web sites to external Internet users. The caching server stores objects that are frequently requested from the internal Web servers and serves them to Internet users. This speeds access for the external users and lightens the load on the internal Web servers, thus reducing traffic on the internal network.
Distributed caching: This is a means of spreading the load over multiple caching servers that operate on a peer basis, each holding a share of the cached objects rather than a full copy. ISA Server does this with the Cache Array Routing Protocol (CARP), which hashes each URL to the one array member responsible for it.
Hierarchical caching: This is a means of placing multiple caching servers on the network in a hierarchical arrangement so that a request is serviced first from the local cache, then from a centralized (parent) cache, before going out to the Internet server. Distributed and hierarchical caching can be used in combination, for example branch-office caches whose parent is a CARP array at headquarters.
Caching rules: Caching servers apply administrator-defined rules to requests from internal and external Web clients: which content is cached and for how long, which protocols may be used, how much bandwidth a class of traffic may consume, and what content is permitted. Rules may be applied based on user accounts or group memberships.
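The forward, distributed and hierarchical cases above are easier to compare with a small model in hand. The following is an added example, not ISA Server's implementation, and it covers the three items together: the URLs and request traces are constructed, and the array member selection is rendezvous ("highest score") hashing over SHA-256, which has the property CARP is used for (every URL has exactly one owner, and adding a member moves only the URLs that now belong to it) without reproducing the CARP draft's specific 32-bit hash functions.

```python
"""Forward caching, a parent/child hierarchy, and CARP-style distribution.

Added example, not ISA Server's implementation. URLs and request traces are
constructed. carp_select is rendezvous hashing over SHA-256, standing in for
the CARP draft's own hash functions.
"""
import hashlib
from collections import Counter
from typing import Dict, List


class Origin:
    """Stand-in for Internet Web servers; counts every fetch that left the network."""

    def __init__(self) -> None:
        self.fetches: Counter = Counter()

    def get(self, url: str) -> str:
        self.fetches[url] += 1
        return f"<object for {url}>"


class Cache:
    """One caching server: serve from the local store, else ask upstream and keep a copy."""

    def __init__(self, name: str, upstream) -> None:
        self.name, self.upstream = name, upstream
        self.store: Dict[str, str] = {}
        self.hits = self.misses = 0

    def get(self, url: str) -> str:
        if url in self.store:
            self.hits += 1
            return self.store[url]
        self.misses += 1
        obj = self.upstream.get(url)      # parent cache, array, or the origin
        self.store[url] = obj
        return obj

    def hit_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def carp_select(url: str, members: List[Cache]) -> Cache:
    """Owner of a URL: the member whose combined hash with the URL scores highest."""
    def score(m: Cache) -> int:
        return int.from_bytes(hashlib.sha256(f"{m.name}|{url}".encode()).digest(), "big")
    return max(members, key=score)


class Array:
    """Peer caches sharing one cache space: each URL is stored on exactly one member."""

    def __init__(self, members: List[Cache]) -> None:
        self.members = members

    def get(self, url: str) -> str:
        return carp_select(url, self.members).get(url)


def moved_on_join(urls: List[str], members: List[Cache], new_member: Cache) -> Dict[str, Cache]:
    """URLs whose owner changes when new_member joins. With rendezvous hashing every
    one of them moves to new_member; nothing is shuffled between the old members."""
    before = {u: carp_select(u, members) for u in urls}
    after = {u: carp_select(u, members + [new_member]) for u in urls}
    return {u: after[u] for u in urls if after[u] is not before[u]}


def run_demo() -> dict:
    """Two branch caches whose parent is a three-member array in front of the origin."""
    origin = Origin()
    array = Array([Cache(f"hq{i}", origin) for i in range(1, 4)])
    branch_a = Cache("branch-a", array)
    branch_b = Cache("branch-b", array)
    trace_a = ["http://a/1", "http://a/2", "http://a/1", "http://b/1", "http://a/2", "http://a/1"]
    trace_b = ["http://a/1", "http://b/1", "http://c/1"]     # overlaps a's traffic
    for url in trace_a:
        branch_a.get(url)
    for url in trace_b:
        branch_b.get(url)
    return {
        "branch_a_hits": branch_a.hits,
        "branch_a_hit_rate": branch_a.hit_rate(),
        "branch_b_hits": branch_b.hits,
        "array_hits": sum(m.hits for m in array.members),
        "origin_fetches": dict(origin.fetches),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the trace, branch A's repeat requests are answered locally (a 50 percent hit rate, inside the range quoted above for real traffic), branch B's first requests miss locally but two of them are answered by the parent array because branch A already pulled those objects, and each URL reaches the origin exactly once. `moved_on_join` is the check to run before trusting any vendor's "add a server without flushing the cache" claim.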
Firewall Certification
Another factor that may or may not be important to your organization is whether the firewall product you're considering has been 'certified.' Certification means that some organization has determined that the firewall meets specific minimal standards. To be meaningful, certification should be done by an independent entity (not a vendor) based on a standardized course of hands-on testing in a lab (not just a 'paper' comparison of features).
ICSA Labs (a division of TruSecure Corporation) is the most well recognized organization providing testing and certification of firewalls and other network security products. ICSA testing is currently done against the Modular Firewall Product Certification Criteria version 4, as described at http://www.icsalabs.com/html/communities/firewalls/certification/criteria/criteria_4.0.shtml.
ICSA testing is based on hands-on evaluation of the firewall products using a 'black box' approach based on functionality.
In the United Kingdom, NSS Network Testing Laboratories provides Checkmark certification for computer security products. See http://www.nss.co.uk/Certification/Certification. Other testing/certification programs that have been developed to evaluate computer security products include the Information Technology Security Evaluation Criteria (ITSEC), recognized by France, Germany, the Netherlands and the United Kingdom, and the United States Department of Defense Trusted Computer System Evaluation Criteria (TCSEC, the 'Orange Book'). These government evaluation programs have given way to the Common Criteria Security Evaluation process, which was ratified as a standard (ISO/IEC 15408) by the International Organization for Standardization (ISO).
Note | ISA Server 2000 was certified under MFPCC version 3a, running on Windows 2000 Server. The ICSA lab report (updated November 2001) is at http://www.icsalabs.com/html/communities/firewalls/certification/rxvendors/microsoftisas2000/labreport_cid303.shtml. At the time of publication, ISA Server 2004 had not yet undergone ICSA certification testing, so a certification claim for it should be checked against the ICSA Labs listing rather than assumed from the ISA Server 2000 result. |