Comparing ISA 2004 to Other Firewall Products - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]

Thomas W. Shinder; Debra Littlejohn Shinder
Comparing ISA 2004 to Other Firewall Products

In this section, we will compare ISA Server 2004’s specifications, features and functionality to selected competitive products. Because many vendors market multiple models of firewalls, we have attempted to choose each vendor’s product that is most similar in usage, target market, and price point to ISA Server 2004. Comparing ISA Server, which is designed for the medium-to-large business network, to personal and SOHO firewalls would be meaningless. Likewise, we have not attempted to compare ISA Server to high-end enterprise level firewalls that cost ten times as much.

Specifically, we will look at how ISA Server 2004 stacks up against selected models of the following vendors’ firewall products:

- CheckPoint
- Cisco PIX
- NetScreen
- SonicWall
- WatchGuard
- Symantec Enterprise Firewall
- BlueCoat SG

ISA Server 2004 Comparative Points

Microsoft defines ISA Server 2004 as “an advanced application layer firewall, VPN, and Web cache solution that enables customers to easily maximize existing IT investments by improving network security and performance. ISA Server 2004 is a member of the Microsoft Windows Server System™, a comprehensive and integrated server infrastructure designed to meet the needs of developers and IT professionals.” Let’s quickly review some of its key features and specifications in the context of our comparative analysis model.

Key Features and General Specifications

ISA Server 2004 offers the following key features for advanced protection against hackers, crackers, and network attackers:

- Multi-layer inspection helps protect IT assets and corporate intellectual property such as IIS, Exchange Server, Sharepoint, and other network infrastructure from hackers, viruses, and unauthorized use with comprehensive and flexible policies, customizable protocol filters, and network-routing relationships.
- Advanced Application Layer Filtering (ALF) enables complex application traffic to access the Internet while ensuring high levels of security, performance, and protection against the latest types of attacks.
- Secure inbound traffic and protection from “inside attacks” via VPN client connections are achieved through unified firewall and VPN policy management, deep content inspection, and VPN Quarantine integration.
- Integrated multi-networking capabilities, network templates, and stateful routing and inspection make it easy to deploy ISA Server into existing IT environments as an edge, departmental, or branch office firewall without changing the network architecture.

ISA Server 2004 provides enhanced ease-of-use features that include:

- Simple, easy to learn and use management tools that shorten ramp-up time for new security administrators while making it easier to avoid security breaches due to firewall misconfiguration.
- Prevention of network access downtime by allowing administrators to securely and remotely manage firewall and Web cache services.
- Savings on bandwidth costs by reducing outbound Internet traffic and serving content locally, and the ability to distribute the content of Web servers and e-commerce applications closer to customers efficiently and cost-effectively.
- Integration with Windows Active Directory, third-party VPN solutions, and other existing infrastructure that simplifies the task of securing corporate applications, users, and data in a pure Windows environment or in a mixed environment.
- ISA Server’s thriving community of partners, users, and Web resources that, along with Microsoft’s formal support programs, provides multiple avenues for support and information.

High performance is a high priority in today’s business environment, and ISA Server 2004 offers the features most wanted by performance-conscious organizations:

- Ability to provide fast, secure anywhere/anytime access to corporate applications and data, such as Microsoft Exchange Server.
- A safe, reliable, and high-performance infrastructure for enabling both inbound and outbound Internet data access and single sign-on through multiple Internet-standard authentication mechanisms.
- An integrated single-server solution that puts only the necessary services at the edge of the network, including firewall security, VPN, and Web cache.
- A way to scale out the security infrastructure as networking needs grow with a flexible multi-network architecture.
- Enhanced network performance and reduced bandwidth costs with Web caching in corporate data centers and branch offices.

Next, we’ll look at some of the general specifications we discussed as points of comparison and how ISA Server 2004 fits into those specifications.

Hardware Platform Support and System Requirements

ISA Server 2004 is a software firewall, which can be installed on Windows 2000 Server (Service Pack 4 or later) or Windows Server 2003. Internet Explorer 6 or later must be installed. Minimum hardware requirements are as follows:

- 300 MHz processor
- 256 MB RAM
- NTFS-formatted disk with 150 MB free space
- One NIC for each network connected to the ISA server

Note

The minimum supported hardware requirements listed by Microsoft should be considered an absolute minimum for installing ISA Server 2004; these are not optimum hardware specifications. ISA Server 2004 performance will increase dramatically with upgraded hardware. We recommend, as a realistic base hardware specification, at least an 800 MHz processor and 1 GB of RAM. Also, note that if you are using ISA Server as a Web-caching server, you’ll need more disk space for the cache.

Reliability

System reliability is a very important consideration for a mission-critical device such as a network firewall. Some factors supporting ISA Server 2004’s reliability include the following:

- Windows Update can be used to automatically update the ISA Server 2004 underlying operating system.
- There are plans to add functionality to the Windows Update site that will enable the ISA Server 2004 firewall software to update itself. When this feature will be available is not known at the time of this writing.
- Underlying hardware quality is a major factor in system reliability. Redundant hardware components, such as power supplies, network interfaces, and software or hardware RAID can significantly improve overall reliability of the firewall.
- Firewall configuration backup tools are included in the ISA Server 2004 firewall’s user interface. These are easy to use and allow the firewall administrator to back up the entire firewall configuration and restore it to the same machine or to another machine.

Scalability

Scalability can be divided into at least two common categories:

- Outward scalability refers to the ability to adapt to expansion of the network as it grows beyond the original location and adds remote offices, telecommuters, and more.
- Upward scalability refers to the ability to adapt to the growing number of users and increase in traffic as the network grows larger.

ISA Server 2004 can scale outward and upward by using the built-in Network Load Balancing service that is included in the underlying Windows Server 2003 operating system. ISA Server 2004 can also scale upward by adding memory (RAM), disk space, a more powerful processor, or more processors. The number of processors supported in the final version of the product has not yet been announced.

Extensibility

Extensibility refers to the product’s ability to add features and functionality through vendor-provided, third-party, or in-house software add-ons, scripts, and other components. Because ISA Server 2004 is a “software” firewall, it supports almost unlimited extension of its application layer filtering and other access control and networking components. Many of its competitors in the hardware firewall market require the customer to upgrade to an entirely new hardware device, or require a separate off-box hardware/software solution, to add new features and functions.

The ISA Server 2004 firewall can be extended by the customer at no added cost by using the free ISA Server 2004 Software Development Kit (SDK).

The ISA Server 2004 firewall can likewise be extended by third-party vendors, and the customer can purchase third-party solutions from these vendors. Add-ons can provide such extra or enhanced features as virus detection and blocking, high availability and load balancing, access controls, content security, advanced intrusion detection, authentication (for example, the ability to use RSA SecurID tokens), caching enhancement, and more sophisticated monitoring, logging and reporting.

Note

For a discussion of some of the add-on products available for ISA Server, see our article “Improving on ISA Server” by Deb and Tom Shinder in the May 2004 issue of Windows & .NET Magazine, or check out the Software Add-ons section at www.isaserver.org.

High Availability

High availability refers to the product’s ability to recover from a failure with minimal or no downtime for the network and its users. The Windows Server 2003 Network Load Balancing (NLB) service supports high availability NLB arrays. If one member of the ISA Server 2004 NLB array becomes unavailable, another machine in the NLB array can service requests for inbound and outbound connections. This provides fault tolerance in case of hardware or software problems that put one of the servers out of commission.

Third-party vendors can augment the Windows NLB service with their own custom software solutions. There are also a number of hardware vendors that provide high-speed application layer-aware high-availability solutions for ISA Server 2004 firewalls.

Compatibility/Interoperability

Compatibility and interoperability issues for comparison include (but are not limited to) the following:

- Active Directory integration
- Exchange integration
- Operation in a mixed network environment

We take a closer look at each of these in the following subsections.

Active Directory Integration

ISA Server 2004 firewall machines can join the Active Directory domain on the internal network and use the user database contained in that domain, or other trusted domains, to authenticate users for inbound and outbound access.

The ISA Server 2004 Firewall client application enables the ISA Server 2004 firewall to authenticate all Active Directory domain and trusted domain users. This authentication is transparent to the user and enables the firewall to obtain user and application information for all TCP and UDP connections. This information is stored in the ISA Server 2004 firewall logs and can be used to audit user Internet activity and to track the applications with which the user has accessed the Internet.

ISA Server 2004 firewalls support RADIUS authentication. The Windows 2000 Server and Windows Server 2003 operating systems include the Internet Authentication Service (IAS), which is Microsoft’s implementation of RADIUS. An IAS server can forward inbound and outbound authentication requests to an Active Directory domain controller for authentication. When IAS or another RADIUS server is implemented to authenticate users, the ISA Server 2004 firewall does not need to join the Active Directory domain to perform authentication.

Note

RADIUS authentication is supported for inbound and outbound Web proxy communications and inbound VPN connections only. Note that the Firewall Client cannot use RADIUS to authenticate to an Active Directory domain.

Exchange Integration

Exchange Integration is one of the major selling points for ISA Server 2004 and provides a major competitive advantage over competing firewalls. Here are some of the key factors that play into ISA Server 2004’s superior ability to integrate with Exchange servers:

- ISA Server 2004 SSL-to-SSL bridging allows remote access to an Outlook Web Access (OWA) site located behind the ISA Server 2004 firewall. Most competing firewalls are not able to filter HTTP communications hidden inside an SSL tunnel and simply pass those through the firewall. In contrast, the ISA Server 2004 SSL-to-SSL bridging feature enables the ISA Server 2004 firewall to “unwrap” the encrypted SSL communication, expose the HTTP content to ISA Server 2004’s sophisticated application layer filters, and then wrap the HTTP communication back into an SSL tunnel and forward the SSL-secured information to the OWA site. Unlike competing firewalls, ISA Server 2004 will not let hackers hide their exploits in an SSL-encrypted tunnel. The ISA Server 2004 SSL-to-SSL bridging feature can be extended to support the Outlook 2003/Exchange Server 2003 RPC over HTTP protocol. We anticipate that in the future, hackers will come up with a method to attack Microsoft Exchange Servers using communications hidden inside an RPC over HTTPS (SSL) communication. Competing firewalls that don’t support SSL bridging will not be able to protect against these attacks because they are not able to ascertain the contents of the RPC over HTTPS (SSL) communication. In contrast, the ISA Server 2004 firewall will be able to use its SSL-to-SSL Bridging feature to inspect the RPC over HTTPS (SSL) communication and block these exploits.
- The ISA Server 2004 Secure Exchange RPC filter enables Exchange Server organizations to provide remote access to the company Exchange Server using the native Outlook 2000/2002/2003 client. No matter where the user is located, whether on the intranet or at a remote site a continent away, the user can open his laptop, open Outlook, and “Outlook Just Works.” Significant enhancements in user satisfaction and productivity are realized when using ISA Server 2004 firewalls to publish Microsoft Exchange using Secure Exchange RPC Publishing. The only competitor at the time of this writing that provides this feature is Checkpoint’s Firewall-1, which recently licensed this RPC filter from Microsoft.
- ISA Server 2004 firewalls support forms-based authentication for all versions of Microsoft Exchange Server. Forms-based authentication uses a logon form that is normally generated by the Exchange Server machine. Many competing firewalls allow the initial connection to reach the Exchange Server so that the Exchange Server can generate the logon form to return to the user who wants to log onto the OWA Web site. In contrast, ISA Server 2004 firewalls generate the logon form at the firewall and send the firewall-generated logon form to the user on the Internet. The user fills in the form and sends the credentials to the firewall, where the firewall authenticates the user. Only after the user authenticates with the firewall via the firewall-generated logon form is the user allowed access to the Exchange OWA Web site. In addition, ISA Server 2004 is a significant “value-add” for owners of Microsoft Exchange 2000 and Exchange 5.5 because these versions of Exchange do not support forms-based authentication; in this case, the ISA Server 2004 firewall can generate the logon form for these previous versions of Exchange. In addition, you can use forms-based authentication to prevent users from accessing attachments from OWA sessions and prevent cookies and cached information from remaining on the client machine from which the remote user accesses the OWA site.
- The ISA Server 2004 SMTP Message Screener enables organizations to carry out a spam and virus attachment “e-mail defense in-depth” program beginning at the network perimeter. While most organizations will require more comprehensive spam and virus checking applications on the back end, such as on the Exchange Server machine or on an internal SMTP relay, the customer will be able to use the ISA Server 2004 SMTP Message Screener as a “front line” spam/virus screener to block e-mail based on keywords contained in the subject or body of a message and block attachments with defined sizes, file extensions, and file names. Both of these features can be used to reduce the load on the organization’s primary spam and virus filtering devices. At the time of this writing, no other firewall in ISA Server 2004’s price class offers this functionality at no additional cost.
- The ISA Server 2004 HTTP filter exposes all HTTP communications to the restrictions set for the filter on a per-rule basis. This filter can be paired up with the ISA Server 2004 SSL-to-SSL Bridging feature to provide protection for secure Exchange OWA Web Publishing, allowing the firewall administrator total control over the HTTP traffic that moves into and out of the OWA Web site. None of the competitors in ISA Server 2004’s class provide this level of deep HTTP inspection for SSL-secured OWA connections.

Operation in a Mixed Network Environment

There are two primary factors involved in placing ISA Server 2004 in a mixed environment:

- Mixed client operating systems
- Mixed network infrastructure that is already in place

ISA Server 2004 works well with a mix of client operating systems. The Web Proxy and SecureNAT client configurations are supported by all operating systems. The Web Proxy client is a machine with its Web browser configured to use the ISA Server 2004 firewall as its Web Proxy server. All modern browsers support Web Proxy client configuration. The network administrator does not need to touch the client operating systems to make computers Web proxy clients. There are multiple methods available to automatically configure client browsers, such as DNS/DHCP WPAD entries, Windows Group Policy, IEAK, and logon scripts.

On machines using the SecureNAT configuration, the client operating system has a default gateway configured that forwards Internet-bound requests to the ISA Server 2004 firewall machine. Again, the network administrator does not need to manually configure these systems, as the default gateway setting on client operating systems can easily be set using DHCP.

Ease of Use

An important element in ease of use for any software product is the user interface. ISA Server 2004 provides administrators with a friendly graphical interface that not only has many advantages over most of its competitors, but also is a big improvement over the ISA Server 2000 interface. The high points of the ISA Server 2004 graphical interface include the following:

- Intuitive Interface: The ISA Server 2004 firewall has major advantages over other firewalls in its class in this area. The ISA Server 2004 interface was designed to provide the administrator an easy to use and intuitive configuration and management system. This is a major advantage for ISA Server 2004, as the core firewall configuration interface is easily discoverable, and a secure firewall configuration can be set up in a matter of a few hours without requiring comprehensive experience and training courses. The ISA Server 2004 interface is also a big improvement over the ISA Server 2000 interface.
- Management Scripts: ISA Server 2004 allows the administrator to use scripts to manage the server. Virtually any feature that can be configured using the UI can also be set using an administrative script. The ISA Server 2004 CD-ROM includes the complete ISA Server 2004 SDK, free of charge. Organizations that have programmers on staff can create complex scripts and custom add-ons for their ISA Server 2004 firewall. This is a competitive advantage for those organizations that sport such expertise, since most other commercial firewalls do not provide such comprehensive development tools at no extra cost.
- Easy to Use Management and Configuration Wizards: Firewall configuration is an inherently difficult process. A single misconfiguration can lead to potentially disastrous results. In order to reduce the risk of misconfiguration, ISA Server 2004 includes dozens of configuration wizards that walk firewall administrators through what would otherwise be complex tasks. Each wizard provides the appropriate options for the task at hand, and almost every step includes a link to the comprehensive Help system included with the ISA Server 2004 firewall. This is a big advantage for the ISA Server 2004 firewall.
- Comprehensive Help System: Perhaps one of the most frustrating experiences in firewall administration is trying out a new procedure and needing to find out how the procedure is performed and what the terms used by the firewall management interface mean. The ISA Server 2004 firewall provides a comprehensive Help system that provides detailed discussions of the concepts used when configuring the firewall and also provides step-by-step procedures. The help file also contains links to the online knowledge base where more comprehensive material on custom configurations can be found.
- Easy to Troubleshoot Rule Base: ISA Server 2000 firewall administrators had a difficult time determining which rule applied to a particular connection. This complicated troubleshooting of the firewall rule base when a connection was allowed or denied and the reason was not clear. In contrast, the ISA Server 2004 firewall rule base is an ordered list. All connections moving through the firewall are compared to rules in the firewall rule base, and the rule base is evaluated from the top down. This makes it easy for the ISA Server 2004 administrator to determine what rule allowed or denied a connection.
- Easy Extensibility: In-house programmers and third-party companies can easily develop add-on packages using the freely available SDK, and administrators can add ISAPI filters to expand ISA’s functionality.

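The top-down, first-match evaluation described for the rule base above, as an added example that is not code from the book or from ISA Server itself: a small Python model of an ordered rule base, plus a trace of which rules were consulted before one decided. The networks, rule names, protocol names and sample connections are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: frozenset         # protocol names; "*" matches any protocol
    from_nets: tuple             # source networks (ip_network objects)
    to_nets: tuple               # destination networks
    users: frozenset = frozenset({"*"})  # "*" = all users, incl. unauthenticated


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    protocol: str
    user: Optional[str] = None   # None: SecureNAT client, no user identity


def _in_any(addr: str, nets: tuple) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def rule_matches(rule: Rule, conn: Connection) -> bool:
    if "*" not in rule.protocols and conn.protocol not in rule.protocols:
        return False
    if not _in_any(conn.src, rule.from_nets) or not _in_any(conn.dst, rule.to_nets):
        return False
    if "*" not in rule.users:
        # a user-scoped rule can only match an authenticated connection
        return conn.user is not None and conn.user in rule.users
    return True


def evaluate(rules, conn):
    """Walk the ordered rule base top-down; the first matching rule decides.
    Falls through to the implicit default deny when nothing matches."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return "deny", "Default rule"


def trace(rules, conn):
    """Names of the rules consulted, ending with the one that decided: the
    answer to 'which rule allowed or denied this connection?'"""
    consulted = []
    for rule in rules:
        consulted.append(rule.name)
        if rule_matches(rule, conn):
            return consulted
    consulted.append("Default rule")
    return consulted


# Constructed sample rule base. Order matters: a deny placed above an allow
# wins for the traffic it covers, and a user-scoped allow never matches
# anonymous (SecureNAT) traffic, which then falls through to the default deny.
INTERNAL = (ip_network("10.0.0.0/8"),)
ANYWHERE = (ip_network("0.0.0.0/0"),)  # simplification of the External network

RULES = [
    Rule("Block P2P", "deny", frozenset({"BitTorrent"}), INTERNAL, ANYWHERE),
    Rule("Allow Web for Sales", "allow", frozenset({"HTTP", "HTTPS"}),
         INTERNAL, ANYWHERE, frozenset({"alice", "bob"})),
    Rule("Allow DNS", "allow", frozenset({"DNS"}), INTERNAL, ANYWHERE),
]

if __name__ == "__main__":
    for conn in (Connection("10.0.0.5", "203.0.113.10", "HTTP", "alice"),
                 Connection("10.0.0.5", "203.0.113.10", "HTTP"),
                 Connection("10.0.0.5", "203.0.113.10", "BitTorrent", "alice"),
                 Connection("10.0.0.7", "203.0.113.53", "DNS")):
        action, name = evaluate(RULES, conn)
        print(f"{conn.protocol:<10} user={conn.user!s:<6} -> {action} by {name!r}; "
              f"consulted {trace(RULES, conn)}")
```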











Remote Management

Remote management is important because so many organizations are spread out over a large geographic area. Administrators must be able to manage the firewall(s) without traveling physically to their locations. Some remote management solutions for ISA Server 2004 firewalls include the following:

- ISA Server 2004 Remote Console: ISA Server 2004 firewall administrators can install the same ISA Server 2004 management console that’s used on the firewall machine itself on a management station anywhere on the network. The remote management console can also be used to manage multiple ISA Server 2004 firewalls. This greatly simplifies management of multiple firewalls. The firewall administrator can connect to multiple firewalls, and each firewall’s name will appear in the left pane of the console, which is easy to navigate. In contrast, Web-based management interfaces provided by other vendors often require that the firewall administrator have many browser windows open and then try to manage the firewalls through each of these windows.
- Remote Desktop Protocol Management: Another effective method for managing one or multiple ISA Server 2004 firewalls is with the Remote Desktop Protocol (RDP). You can use RDP to manage the ISA server via the Terminal Services client installed on Windows 2000 and previous operating systems or via the Remote Desktop Connection client built into Windows XP and Windows Server 2003. This allows the ISA Server 2004 firewall administrator to connect to the local console of one or more firewalls over the network. While the Remote Desktop client requires that you open multiple windows in order to connect to multiple ISA Server 2004 firewalls, you can use the Windows Server 2003 Remote Desktops utility to manage multiple firewalls in a single RDP interface and move between machines by clicking on the name of the firewall in the left pane of the console.

Logging/Reporting

One of the major ease-of-use improvements seen in ISA Server 2004, as compared to ISA Server 2000, is the logging and reporting facility. The following features represent major improvements over what was available in ISA Server 2000 and over what is provided by many of the competitors:

- Dashboard: The ISA Server 2004 Dashboard provides a single interface from which the firewall administrator can get information about Connectivity, Service status, Report status, Alerts, active Sessions, and overall System Performance. The Dashboard provides a large amount of information in a single location and is presented in an attractive and easy-to-interpret fashion.
- Alerts: The Alerts feature is enhanced by providing all the Alert information relating to firewall activity in a single location within the ISA Server 2004 management console. Firewall administrators do not need to go into the Event Viewer to see details of a Firewall Alert. In addition, an Alert can either be reset (which removes the Alert from the interface), or it can be Acknowledged (the Alert stays in the interface, but is marked as Acknowledged). The ISA Server 2004 firewall allows you to use a number of pre-configured Alerts and also allows the firewall administrator to create his own Alerts with custom Alert actions.
- Sessions: The Sessions panel enables Firewall administrators to view active connections through the firewall. Sessions can be filtered so that the Firewall administrator can focus on connections of special interest. In addition, connections to the firewall can be terminated using the Sessions console.
- Connectivity Monitors: ISA Server 2004 Connectivity Monitors enable the Firewall administrator to keep tabs on a number of network services that are vital to network and Internet connectivity. Connectivity Monitors are grouped into several classes: Active Directory, DHCP, DNS, Published Servers, Web (Internet) and Others. Each of these groups represents services that are critical to network functionality. An Alert can be triggered when a Connectivity Monitor indicates a failure in a network service.
- Reporting: The built-in reporting feature allows the administrator to create reports on firewall activity. Reports can be created to run once or can be scheduled on a recurring basis. A report configuration Wizard makes it easy to create a report. Information included in the report is focused on protocol usage, most popular sites, cache performance and most active users.
- Logging: ISA Server 2004 logging allows the firewall administrator to view connection information in real time. Real-time logging can be used to quickly troubleshoot firewall configuration problems and to respond to attacks in real time. In addition, the firewall administrator can use database queries against the firewall logs and drill down on specific information of interest. ISA Server 2004’s logging is database driven, allowing for greater flexibility. ISA Server allows log storage using the Microsoft Data Engine (MSDE) database, SQL Server, or file storage. MSDE ships with ISA Server, and if you already have a SQL Server license, you can perform custom queries against the logs.

Most of ISA’s competitors have similar logging and reporting features. However, a competitive advantage here is that these features are included with the product and do not require expensive add-ons, as some competitive products do. One disadvantage of ISA Server’s logging and reporting is that the built-in reporting feature is not customizable to the extent that some customers require. They will need to purchase third-party products to obtain information about per-user usage statistics and per-site usage.

Firewall and Related Features

Now let’s take a look at some of ISA Server 2004’s firewall and related features in depth.

Application Layer Filtering Capabilities

One of the major strengths of ISA Server 2004 is its ability to perform application layer filtering (ALF). The application layer filtering feature allows the ISA Server 2004 firewall to protect against attacks that are based on weaknesses or holes in a specific application layer protocol or service.

ISA Server 2004’s most impressive application layer filtering feature is its advanced HTTP security filter. The ISA Server 2004 HTTP security filter can be configured to examine and block HTTP communications based on virtually any aspect of the HTTP communication. Examples of how the advanced HTTP security filter can be used include:

- Blocking Java scripts
- Blocking ActiveX controls
- Blocking file-sharing applications
- Blocking downloads based on file extension or MIME type
- Blocking uploads via HTTP
- Blocking malformed HTTP connections
- Blocking URLs based on any component of the URL
- Blocking Web pages containing keywords or phrases

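The request- and response-side checks listed above, as an added Python example that is neither ISA Server's HTTP filter nor code from the book: a per-rule policy object that blocks uploads by method, downloads by extension or MIME type, URL components, header signatures, keywords in page content, and malformed request heads. The policy values, the header signature and the sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpPolicy:
    """Per-rule HTTP filter settings (constructed defaults, not ISA's)."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD"})  # no POST/PUT: blocks uploads
    max_url_length: int = 2048
    blocked_extensions: frozenset = frozenset({".exe", ".scr", ".pif"})
    blocked_url_parts: tuple = ("..", "%00")               # any component of the URL
    blocked_mime_types: frozenset = frozenset({"application/x-msdownload"})
    blocked_keywords: tuple = ("forbidden phrase",)        # matched in page content
    header_signatures: tuple = (("user-agent", "examplep2pclient"),)  # constructed signature


def parse_request_head(raw: bytes):
    """Parse the head of an HTTP/1.x request. Returns (method, url, headers);
    raises ValueError for anything that is not well-formed HTTP."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in request head") from exc
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[1] or not re.fullmatch(r"HTTP/1\.[01]", parts[2]):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # RFC 7230 token characters only; a space before the colon is malformed
        if not sep or not re.fullmatch(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+", name):
            raise ValueError("malformed header line")
        headers[name.lower()] = value.strip()
    if parts[2] == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return parts[0], parts[1], headers


def check_request(policy: HttpPolicy, raw: bytes):
    """Return None if the request may pass, else the reason it is blocked."""
    try:
        method, url, headers = parse_request_head(raw)
    except ValueError as exc:
        return f"malformed: {exc}"
    if method not in policy.allowed_methods:
        return f"method {method} not allowed"
    if len(url) > policy.max_url_length:
        return "URL too long"
    path = url.split("?", 1)[0].lower()        # extension check ignores the query string
    for ext in sorted(policy.blocked_extensions):
        if path.endswith(ext):
            return f"blocked extension {ext}"
    for part in policy.blocked_url_parts:
        if part in url.lower():
            return f"blocked URL component {part}"
    for name, needle in policy.header_signatures:
        if needle in headers.get(name, "").lower():
            return f"blocked signature in {name} header"
    return None


def check_response(policy: HttpPolicy, content_type: str, body: bytes):
    """Inspect a response before it is returned to the client."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in policy.blocked_mime_types:
        return f"blocked MIME type {mime}"
    if mime.startswith("text/"):
        text = body.decode("utf-8", errors="replace").lower()
        for phrase in policy.blocked_keywords:
            if phrase in text:
                return f"blocked keyword {phrase!r}"
    return None


if __name__ == "__main__":
    policy = HttpPolicy()
    # constructed sample requests
    for raw in (b"GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
                b"POST /owa/upload HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
                b"GET /tools/setup.exe HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
                b"GET /owa/ HTTP/1.1\r\nHost: h\r\nUser-Agent: ExampleP2PClient/1.0\r\n\r\n",
                b"GET /owa/\r\n\r\n"):
        print(raw.split(b"\r\n")[0].decode(), "->", check_request(policy, raw) or "pass")
    print(check_response(policy, "text/html; charset=utf-8", b"<p>a Forbidden Phrase</p>"))
```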










In addition to the HTTP security filter, ISA Server 2004 firewalls provide application filters for the following protocols:

- DNS
- FTP
- H.323
- MMS (Microsoft Media Streaming)
- PNM (RealNetworks Streaming)
- POP intrusion detection
- PPTP
- RPC
- Exchange RPC
- RTSP (Real Time Streaming Protocol)
- SMTP
- SOCKS V4
- Web Proxy (responsible for Web Proxy functionality)
- SecurID
- RADIUS
- Link Translation
- OWA Forms-based Authentication

Most of the competitors have similar application layer filtering features. However, there are some application layer filtering and inspection features that set ISA Server 2004 firewalls apart from the competition:

- Secure Exchange RPC Filter: With the exception of Checkpoint NG, ISA Server 2004 and ISA Server 2000 firewalls are the only ones that can provide secure inbound and outbound access to Microsoft Exchange using the full Outlook MAPI client. The ISA Server 2004 firewall’s Secure Exchange RPC Filter allows external users access to the full range of Exchange Server services via the full Outlook 2000, Outlook 2002 and Outlook 2003 MAPI client. In addition, the network can be configured so that regardless of the users’ locations, whether inside or outside the corporate network, “Outlook just works” without requiring reconfiguration of any of the Outlook client settings.
- Link Translation Filter: Based on our research, ISA Server 2004 is one of the only firewalls that allows rewriting of URLs in reverse proxy scenarios. This is a tremendous boon to organizations that require remote access to Web applications that were not written with remote access connections from the Internet in mind. The Link Translation Filter removes the requirement of rewriting LAN-based Web applications for use on the Internet. This feature alone can save an organization tens of thousands of dollars per application.
- OWA Forms-based Filter: This unique feature of ISA Server 2004 allows the firewall to generate the logon form that users see when they log on to an Outlook Web Access (OWA) Web site. This increases the security of the OWA site because users must authenticate first before a connection is allowed to the OWA site. In addition, user credentials are not cached on the computer connected to the OWA site. This feature is useful in circumstances when users log on to the OWA site from untrusted computers, such as airport Web kiosks. Another security feature provided by forms-based authentication is an authentication time-out, so that if users are idle for a period of time, reauthentication is required. Finally, the forms-based authentication feature extends these features to all versions of Exchange Outlook Web Access, including Exchange 5.5, Exchange 2000 and Exchange 2003. Without ISA Server 2004, only Exchange 2003 supports the advantages of forms-based authentication.












Protocol Support





Protocol support is a critically important issue for users located behind the firewall. A firewall must be able to support all protocols required by users on the network. If a firewall cannot support a protocol that users require, that firewall will be quickly replaced with one that does provide the required protocol support. In addition, organizations require granular control over protocol access; not all users should have access to the same protocols. Some users require limited protocol access, while others require access to a broad range of protocols.





Key features of ISA Server 2004 protocol support include:

Application Layer Filters: A number of application layer filters included with ISA Server 2004 exist to provide protocol support; examples include the FTP filter, the H.323 filter, the MMS filter, and the PNM filter. These "complex" protocols negotiate secondary connections inside the primary control channel (FTP's PORT and PASV exchange, for instance), so a firewall that only tracks the primary connection has no way to know which additional inbound or outbound connection belongs to the session. The filters read that negotiation and open only the connection that was agreed on; users would not be able to use these protocols if there were no application layer filters for them. Application layer filters are also required to support SecureNAT client access to "complex" protocols.

Firewall client: The Firewall client software provides a unique level of accessibility to machines that have it installed. It allows the machine to use virtually any protocol to connect to the Internet, including all "complex" protocols. The most compelling feature of the Firewall client software is that application filters do not need to be written to support complex protocols: the Firewall client works together with the Firewall service on the ISA Server 2004 firewall to manage the connections. No other firewall currently on the market can make the same claim. The Firewall client can be installed without the network administrator touching the machines; the software can be deployed via SMS, Active Directory Group Policy Software Distribution, or logon and management scripts.

ISA Server 2004 Software Development Kit: Organizations can create their own application filters using the information and tools included with the ISA Server 2004 Software Development Kit (SDK). Application filters can be created to perform tasks such as blocking downloads for SecureNAT and Firewall clients. Any organization with C++ programmers on staff can use the ISA Server 2004 SDK at no extra charge.

VPN Protocol Support: Unlike many other firewalls in its class, the ISA Server 2004 firewall can apply stateful filtering and stateful inspection to connections made over a VPN link. This allows the ISA Server 2004 firewall to provide full protocol support to VPN clients whether they connect to the corporate network through the VPN or to the Internet via the VPN connection. Corporate firewall policy can therefore be applied to VPN clients without losing vital protocol support.
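As an added example of why the Application Layer Filters item above says a "complex" protocol is unusable without a filter: the Python class below does what an FTP application filter must do, reading the PORT command and the 227 passive-mode reply from the control channel and handing the packet filter exactly one data-channel pinhole at a time. It also rejects the classic FTP bounce (a PORT command naming a third host) and privileged data ports. This is illustrative code, not the ISA Server 2004 FTP filter; the `FtpFilter` interface, the addresses and the pinhole shape are assumptions made for the example.

```python
import re
from typing import Optional, Tuple

# Pinhole = (initiator ip, responder ip, responder port): the single TCP
# connection the packet filter may admit next for this control session.
Pinhole = Tuple[str, str, int]

PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_endpoint(fields) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields FTP uses into (ip, port)."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError("FTP endpoint field exceeds 255")
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    if port < 1024:
        raise ValueError("refusing a data channel on a privileged port")
    return host, port


class FtpFilter:
    """Application filter for one FTP control session (client <-> server).

    It watches the commands and replies that negotiate the data channel and
    hands the packet filter exactly one pinhole at a time; without this a
    stateful packet filter cannot tell which new connection belongs to the session.
    """

    def __init__(self, client_ip: str, server_ip: str) -> None:
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.pending: Optional[Pinhole] = None

    def client_command(self, line: str) -> Optional[Pinhole]:
        m = PORT_CMD.match(line)
        if not m:
            return None                      # USER, RETR, ... need no pinhole
        host, port = decode_endpoint(m.groups())
        if host != self.client_ip:
            # FTP bounce: the client asks the server to connect to a third party.
            raise ValueError(f"PORT names {host}, but the client is {self.client_ip}")
        self.pending = (self.server_ip, host, port)   # active mode: server dials client
        return self.pending

    def server_reply(self, line: str) -> Optional[Pinhole]:
        m = PASV_REPLY.match(line)
        if not m:
            return None
        host, port = decode_endpoint(m.groups())
        if host != self.server_ip:
            # A server announcing someone else's address is misconfigured or hostile.
            raise ValueError(f"227 names {host}, but the server is {self.server_ip}")
        self.pending = (self.client_ip, host, port)   # passive mode: client dials server
        return self.pending

    def admit_data_connection(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Packet-filter hook for a new TCP SYN: allow it once, then close the hole."""
        if self.pending == (src_ip, dst_ip, dst_port):
            self.pending = None
            return True
        return False
```

The one-shot pinhole is the point: the hole exists only between the negotiation and the first matching SYN, which is the difference between a protocol-aware filter and a standing rule that leaves a port range open.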












Intrusion Detection





ISA Server 2004 includes a collection of intrusion-detection filters that are licensed from Internet Security Systems (ISS). These intrusion-detection filters are focused on detecting and blocking network layer attacks. In addition, ISA Server 2004 includes intrusion-detection filters that detect and block application layer attacks.





ISA Server 2004 can detect the following intrusions or attacks:

- Windows out-of-band (WinNuke)
- Land
- Ping of Death
- IP half scan
- UDP bomb
- Port scan
- DNS host name overflow
- DNS length overflow
- DNS zone transfer
- POP3 buffer overflow
- SMTP buffer overflow











When the ISA Server 2004 firewall detects one of these attacks, the following actions can be carried out:

- An alert written to the ISA Server 2004 Event Log
- ISA Server 2004 services stopped or restarted
- An administrative script or program run
- An e-mail message sent to an administrator's mailbox or pager











One competitive disadvantage of ISA Server 2004 is that its built-in intrusion-detection system is not configurable beyond switching the individual detectors on or off and setting the port scan thresholds; you cannot create your own intrusion signatures. However, third-party applications, such as Internet Security Systems' RealSecure IDS, can be used to extend the intrusion-detection features at additional cost.
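The network-layer detectors listed above work from packet headers alone, so they can be shown over a handful of decoded packets. The Python code below is an added example, not the licensed ISS filters or their signatures: one pass over a constructed packet list that flags Land, WinNuke, Ping of Death, UDP bomb, IP half scan and port scan. The packet dictionary layout, the scan threshold and the sample addresses are assumptions made for the example; the DNS, POP3 and SMTP checks need protocol parsing and are not modeled.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Alert = Tuple[str, str]                 # (attack name, detail)
MAX_IP_PAYLOAD = 65535 - 20             # an IP datagram with a 20-byte header cannot carry more


def detect(packets: List[Dict], scan_threshold: int = 10) -> List[Alert]:
    """Run the six network-layer checks over already-decoded packets.

    Each packet is a dict with proto/src/dst and, per protocol: sport/dport,
    flags, urg_ptr (TCP); frag_offset/payload_len (ICMP); udp_len/payload_len (UDP).
    """
    alerts: List[Alert] = []
    probed: Dict[str, set] = defaultdict(set)   # source -> distinct destination ports
    reported_scanners: set = set()
    handshakes: Dict[tuple, str] = {}           # (client, server, sport, dport) -> state

    for p in packets:
        proto, src, dst = p["proto"], p["src"], p["dst"]
        sport, dport = p.get("sport"), p.get("dport")
        flags = set(p.get("flags", ()))

        # Land: source and destination address/port are identical (a forged packet).
        if proto in ("tcp", "udp") and src == dst and sport == dport:
            alerts.append(("land", f"{src}:{sport}"))

        # Ping of Death: an ICMP fragment that would reassemble beyond the IP maximum.
        if proto == "icmp":
            end = p.get("frag_offset", 0) * 8 + p["payload_len"]
            if end > MAX_IP_PAYLOAD:
                alerts.append(("ping_of_death", f"{src} reassembles to {end + 20} bytes"))

        # UDP bomb: a UDP length field that disagrees with the bytes actually carried.
        if proto == "udp":
            if p["udp_len"] < 8 or p["udp_len"] != p["payload_len"]:
                alerts.append(("udp_bomb", f"{src} udp_len={p['udp_len']} carried={p['payload_len']}"))
            probed[src].add(dport)

        if proto == "tcp":
            # WinNuke: out-of-band (URG) data aimed at the NetBIOS session port.
            if dport == 139 and "URG" in flags and p.get("urg_ptr", 0) > 0:
                alerts.append(("winnuke", f"{src} -> {dst}:139"))

            # IP half scan: SYN, SYN/ACK, then RST from the prober instead of the final ACK.
            if flags == {"SYN"}:
                handshakes[(src, dst, sport, dport)] = "syn"
                probed[src].add(dport)
            elif flags == {"SYN", "ACK"}:
                key = (dst, src, dport, sport)              # reply: swap the ends
                if handshakes.get(key) == "syn":
                    handshakes[key] = "synack"
            else:
                key = (src, dst, sport, dport)
                if handshakes.get(key) == "synack":
                    if "RST" in flags:
                        alerts.append(("ip_half_scan", f"{src} -> {dst}:{dport}"))
                    handshakes.pop(key)     # RST or ACK: either way the handshake is over

        # Port scan: one source touching many distinct ports; report it once.
        if src not in reported_scanners and len(probed[src]) >= scan_threshold:
            alerts.append(("port_scan", f"{src} probed {len(probed[src])} ports"))
            reported_scanners.add(src)

    return alerts


# Constructed packets for the demo (not captured traffic); addresses are documentation ranges.
SAMPLE_PACKETS: List[Dict] = [
    {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.1", "sport": 139, "dport": 139, "flags": ("SYN",)},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.2", "sport": 40000, "dport": 139,
     "flags": ("ACK", "URG"), "urg_ptr": 1},
    # last fragment at offset 8189*8 = 65512 bytes carrying 1480 more: past 65535
    {"proto": "icmp", "src": "198.51.100.7", "dst": "10.0.0.2", "frag_offset": 8189, "payload_len": 1480},
    {"proto": "udp", "src": "198.51.100.7", "dst": "10.0.0.2", "sport": 53, "dport": 7, "udp_len": 4, "payload_len": 30},
    # a legitimate handshake (SYN, SYN/ACK, ACK): no alert
    {"proto": "tcp", "src": "10.0.0.50", "dst": "10.0.0.2", "sport": 51000, "dport": 80, "flags": ("SYN",)},
    {"proto": "tcp", "src": "10.0.0.2", "dst": "10.0.0.50", "sport": 80, "dport": 51000, "flags": ("SYN", "ACK")},
    {"proto": "tcp", "src": "10.0.0.50", "dst": "10.0.0.2", "sport": 51000, "dport": 80, "flags": ("ACK",)},
    # half scan: SYN, SYN/ACK, then RST instead of the final ACK
    {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.2", "sport": 50001, "dport": 25, "flags": ("SYN",)},
    {"proto": "tcp", "src": "10.0.0.2", "dst": "198.51.100.9", "sport": 25, "dport": 50001, "flags": ("SYN", "ACK")},
    {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.2", "sport": 50001, "dport": 25, "flags": ("RST",)},
] + [
    # ten SYNs from one source to ten different ports
    {"proto": "tcp", "src": "198.51.100.11", "dst": "10.0.0.2", "sport": 50100 + i, "dport": port, "flags": ("SYN",)}
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 135, 139, 443))
]
```

Running `detect(SAMPLE_PACKETS)` yields one alert of each kind in the order the packets appear. The threshold-based checks are where a real product exposes its only tunables; everything else here is a fixed rule, which is what the paragraph above means by "not configurable".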






VPN Functionality






ISA Server 2004 supports the following VPN protocols:

- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol/IPSec (L2TP/IPSec)
- IPSec Tunnel Mode

PPTP and L2TP/IPSec can be used for both remote access and site-to-site VPN connections. IPSec Tunnel Mode can be used only for site-to-site connections.

IPSec Tunnel Mode is provided only for compatibility with third-party VPN gateways. It should not be used when site-to-site connections are created between an ISA Server 2004 firewall and another Microsoft VPN product (Windows 2000/Windows Server 2003 RRAS or ISA Server 2000); use L2TP/IPSec or PPTP for those.






Remote Access/Site-to-Site VPN





The ISA Server 2004 VPN feature supports two types of VPN connections:

- Remote Access VPN
- Site-to-Site VPN











The Remote Access VPN allows individual computers configured as VPN clients to connect to the ISA Server 2004 firewall and access resources on the corporate network. Remote Access VPN clients can use either the PPTP or L2TP/IPSec VPN protocol. Advanced authentication mechanisms, such as SecurID, RADIUS, EAP/TLS certificates, biometric, and others are supported by the ISA Server 2004 VPN remote access server.





Site-to-site VPNs allow the ISA Server 2004 firewall to connect to another VPN server and join entire networks to each other over the Internet. Site-to-site VPNs allow organizations to remove expensive dedicated leased lines, which leads to significant cost reductions.





A major advantage of ISA Server 2004 is that firewall access policies are applied to VPN remote access and site-to-site connections. In contrast to many competitors' products, which allow VPN clients full access to the corporate network once connected, ISA Server 2004 VPN connections are subject to the firewall's access policies. This enables the ISA Server 2004 firewall administrator to set restrictive access controls on VPN connections on a per-user basis. When a user establishes a VPN connection with the ISA Server 2004 firewall, that user can access only the resources he needs to get the job done; no other network resources will be available.










Note





A common problem with some third-party VPN services is that additional configuration may be required to support single sign-on. That is, unless the third-party VPN service has a way of integrating with Active Directory, users are forced to log on twice. Even when integration with AD is supported, additional configuration is often required. This is a big advantage of ISA Server’s Active Directory integration when compared to many third-party firewall/VPN devices.











VPN Client Support





Windows operating systems include the Windows VPN client software. Advantages of using the Windows VPN client include:

- No Third-Party Software Required: This is a significant competitive advantage. Users do not need to install any extra software and can configure their VPN connections using an intuitive VPN client connection wizard. The VPN client requires minimal configuration, and most users can connect to the ISA Server 2004 firewall in minutes.

- No Compatibility Issues: The Windows VPN client was designed from the ground up to work with the client operating system on which it runs. In contrast, third-party VPN client software may or may not work correctly on a given Windows version and may have known or unknown conflicts with other networking components of the operating system. Troubleshooting is also simpler because the customer can call Microsoft and get VPN client problems addressed; with a third-party VPN client, the customer is often bounced between the operating system vendor and the third-party vendor before the problem is finally solved.

- Simplified VPN Configuration and Deployment: The Microsoft Connection Manager Administration Kit (CMAK) included with Windows 2000 and Windows Server 2003 makes it easy to create a VPN client profile that is preconfigured with the correct VPN settings. CMAK packages the profile in an executable file, which can be e-mailed, sent on disk, or downloaded from a server by corporate VPN users. The user only needs to double-click the file, and it installs automatically without requiring the user to make decisions. In contrast to the products of many competitors, this VPN client automation is provided at no additional cost. CMAK is also used to create the client connection profiles that work with the VPN quarantine feature (discussed in the next section).

- Support for IETF standard IPSec NAT Traversal: NAT traversal (NAT-T) is a mechanism that allows IPSec VPN connections to cross firewalls and network devices that perform network address translation (NAT). This is a very common configuration; almost all organizations use NAT in one form or another because it reduces the number of public IP addresses needed. ISA's competitors have developed a number of different NAT traversal mechanisms, many of which are incompatible with one another and increase the complexity of firewall configurations. In contrast, the Microsoft VPN client uses the industry-standard NAT-T mechanism, which encapsulates the IPSec traffic in UDP so that it passes through NAT devices; any firewall in front of the VPN server only needs to allow the IKE (UDP 500) and NAT-T (UDP 4500) ports.












VPN Quarantine





The ISA Server 2004 VPN quarantine feature increases the security of VPN client connections by “pre-qualifying” VPN clients before they are allowed to connect to the corporate network. The VPN clients must meet a set of requirements before the connection to the corporate network is enabled. They remain in a special “quarantine network” until they meet the corporate security standards. Quarantine policy can require that VPN clients have the latest security updates installed, the latest services packs, up-to-date virus definition files, and more. VPN quarantine policies are managed centrally and there is no need to distribute quarantine files to individual VPN clients.





The VPN quarantine feature is a significant competitive advantage for ISA Server 2004. No additional software needs to be purchased and there are no per-client license fees. There is no limit on the number of VPN clients that can connect through the VPN quarantine feature.





ISA’s competitors provide managed VPN client solutions similar to the VPN quarantine feature, but at potentially larger costs to the organization. You frequently need to install the competitors’ proprietary VPN client software to obtain these advantages. In contrast, the ISA Server 2004 VPN quarantine feature works right out of the box with any Windows VPN client. You can create the managed clients using the Connection Manager Administration Kit, then the managed client software is quickly and easily deployed to users in the field.






VPN Throughput/Connections





VPN throughput is dependent on the hardware platform on which Windows and ISA Server 2004 are installed. Adding processors and encryption off-load cards will significantly increase throughput and VPN performance.






Web-Caching Features






In addition to ISA Server 2004’s firewall and VPN features, the ISA Server 2004 firewall can also act as a Web proxy server. The ISA Server 2004 machine can be deployed as a combined firewall and Web-caching server, or as a dedicated Web-caching server.










Note





If the ISA Server 2004 firewall is configured as a Web-caching-only server, it loses the majority of its firewall network protection features.











Forward Caching





Forward caching takes place when a user on a network protected by the ISA Server 2004 firewall makes a request for static Web content. The requested content is placed in the Web cache after the first user makes a request. The next (and subsequent) user who requests the same content from the Internet has the content delivered from the Web cache on the ISA Server 2004 machine instead of from the Internet Web server. This reduces the amount of traffic on the Internet connection and reduces overall network costs. In addition, the content is delivered to the user much more quickly from cache than it is from the actual Web server. This increases user satisfaction and productivity.





The primary benefit of ISA Server 2004’s forward caching is cost savings realized by reduced bandwidth usage on the Internet connection.






Reverse Caching





Reverse caching takes place when a user on the Internet requests Web content that is located on a Web server published by an ISA Server 2004 Web Publishing Rule. The ISA Server 2004 firewall retrieves the content from the Web server on the Internal network (or another network protected by the firewall) and returns it to the Internet user who requested it. The ISA Server 2004 machine caches the content it retrieves from the published Web server. When subsequent users request the same content, it is served from the ISA Server 2004 cache instead of being retrieved again from the originating Web server.





There are two principal advantages to the reverse caching scenario:

- Reverse Caching Reduces Network Bandwidth Usage: Reverse caching reduces bandwidth usage on the Internal network because cached content is served directly from the ISA Server 2004 machine. Requests answered from cache consume no bandwidth on the internal network, which leaves that bandwidth available to users on the internal network to get their work done. Corporate networks that are already "bandwidth challenged" will benefit from this configuration.

- Reverse Caching Keeps Web Content Available: An even more compelling advantage of reverse caching is its ability to keep Web site content available when the Web server is offline. Web servers go offline for routine maintenance or after a hardware or software crash. Whatever the reason, the time offline creates a negative experience for Internet users who try to reach the site. The ISA Server 2004 reverse caching feature lets you take the Web server offline and still have Web site content available to Internet users because the content is served from the ISA Server 2004 cache. The caveat is that only content already in the cache is available: objects that were never requested, objects the firewall does not cache (dynamic, per-user or non-cacheable responses), and anything the application must compute on the origin server remain unavailable while the server is down.
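The two advantages above depend on what the firewall actually holds in its cache. The Python sketch below is an added example, not ISA Server 2004's cache engine: a reverse cache that honors Cache-Control max-age, refuses to store private or cookie-setting responses, serves the last good copy when the origin is unreachable, and has nothing to offer for objects it never saw. The `ReverseCache` interface, the fake origin and the sample URLs are assumptions made for the example.

```python
import time
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]   # status, headers, body


class OriginDown(Exception):
    """The published Web server could not be reached."""


def cache_ttl(headers: Dict[str, str]) -> int:
    """Seconds an object may be served from cache; 0 means do not cache it."""
    cc = headers.get("Cache-Control", "").lower()
    if "no-store" in cc or "private" in cc or "Set-Cookie" in headers:
        return 0           # user-specific responses must never be shared between clients
    for token in cc.split(","):
        token = token.strip()
        if token.startswith("max-age="):
            try:
                return max(0, int(token[len("max-age="):]))
            except ValueError:
                return 0
    return 0               # no explicit freshness: stay conservative


class ReverseCache:
    def __init__(self, fetch: Callable[[str], Response],
                 clock: Callable[[], float] = time.time) -> None:
        self.fetch = fetch
        self.clock = clock
        self.store: Dict[str, Tuple[Response, float]] = {}   # url -> (response, expires)

    def get(self, url: str) -> Tuple[Response, str]:
        """Return (response, how) where how is HIT, MISS or STALE."""
        now = self.clock()
        cached = self.store.get(url)
        if cached and now < cached[1]:
            return cached[0], "HIT"
        try:
            resp = self.fetch(url)
        except OriginDown:
            if cached:
                return cached[0], "STALE"   # origin offline: serve the last good copy
            raise                           # nothing cached, nothing to serve
        status, headers, _ = resp
        ttl = cache_ttl(headers)
        if status == 200 and ttl > 0:
            self.store[url] = (resp, now + ttl)
        return resp, "MISS"


class FakeOrigin:
    """Stand-in for the published server (constructed for this example)."""

    def __init__(self) -> None:
        self.up = True
        self.calls = 0

    def __call__(self, url: str) -> Response:
        self.calls += 1
        if not self.up:
            raise OriginDown(url)
        if url == "/owa/inbox":
            return 200, {"Cache-Control": "private", "Set-Cookie": "sessionid=abc"}, b"mail"
        return 200, {"Cache-Control": "max-age=60"}, b"<html>home</html>"


def demo() -> List[str]:
    clock = [1000.0]
    origin = FakeOrigin()
    cache = ReverseCache(origin, clock=lambda: clock[0])
    how: List[str] = []
    how.append(cache.get("/index.html")[1])          # MISS: fetched and stored
    how.append(cache.get("/index.html")[1])          # HIT: served from cache
    origin.up = False
    clock[0] += 120                                  # past max-age and origin down
    how.append(cache.get("/index.html")[1])          # STALE: still served
    origin.up = True
    how.append(cache.get("/owa/inbox")[1])           # MISS: per-user, never cached
    how.append(cache.get("/owa/inbox")[1])           # MISS again
    origin.up = False
    try:
        cache.get("/never-seen")
        how.append("served")
    except OriginDown:
        how.append("ERROR")                          # nothing cached, nothing to serve
    return how
```

The `/owa/inbox` and `/never-seen` cases are the caveat from the paragraph above made concrete: a shared cache must not hold user-specific pages, and it cannot serve what it was never asked for, so "the Web server can be offline" holds only for the static, public content that was already requested.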











Comparing ISA 2004 to Check Point






According to its Web site and marketing material, at the time of this writing Check Point has 97 of 100 Fortune 100 businesses as customers, and (along with Cisco PIX) is the major ISA Server competitor in the large- and medium-business markets. According to information from International Data Corp. as reported December 17, 2003 by TechTarget (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci941717,00l), CheckPoint remains the leader in overall firewall/VPN technologies with a market share of 48 percent.










Note





When considering market share figures, it is important to keep in mind that many large companies practice "defense in depth" by deploying multiple firewalls made by different vendors. Thus, the fact that 97 of the Fortune 100 companies use Check Point does not mean that they don't also use other firewall products along with Check Point.










Among security appliances, Nokia (which runs the Check Point FW-1/VPN-1 software on its proprietary IPSO operating system) was ranked third, after Cisco and NetScreen.





In this section, we will provide an overview of Check Point firewall software and Nokia appliances. We will look at Check Point’s general specifications, platform support and system requirements, application layer filtering capabilities, VPN support, and Web-caching abilities, and examine how ISA Server 2004 stacks up against them.






Check Point: General Specifications






Check Point NG is the current (“next generation”) version of the Firewall-1 and VPN-1 security products. Check Point provides an NG security suite, which includes FW-1 Pro, VPN-1 Pro, SmartCenter/SmartCenter Pro, Check Point Express, SmartView Monitor/Reporter, SmartUpdate, ClusterXL, and the SecuRemote and SecureClient VPN clients. A time-limited evaluation version of the suite can be downloaded at:





https://www.checkpoint.com/GetSecure/MediaEngine?action=MP_OrderStart.





FW-1/VPN-1 can be purchased as a software firewall/VPN product that can be installed on any of several operating systems (see “Platform Requirements”) or on a Nokia appliance, running on Nokia’s proprietary IPSO operating system. You can buy the Nokia appliance with Check Point software installed, or you can download the software from Check Point (by providing your logon ID) and do the installation yourself. You can also download an updated image of the IPSO operating system to install before installing the NG software.





Check Point FireWall-1 and Check Point VPN-1 are licensed for a specified number of IP addresses (25, 50, 100, 250, Unlimited). Proprietary VPN-1 client software (VPN-1 SecureClient) is purchased as an option, at extra cost.





Pricing varies per reseller and there are many different products offered by Check Point (as well as appliances offered by other vendors, such as Nokia, that run the Check Point FW-1/VPN-1 software). Below are some typical software costs from popular resellers (based on information from Hardware Central) at the time of this writing:





An FW-1 gateway with SmartCenter for a single security enforcement point that protects 100 IP addresses costs from $5,150 to $5,516.





According to Check Point's website, pricing starts at:

- $24,100 for enterprise solutions (500+ users)
- $4,995 for medium businesses (100 to 500 users)
- $399 for branch office solutions*

*VPN-1 Edge for branch offices includes VPN functionality and a stateful inspection firewall only (it does not support application layer filtering/security servers).

FW-1 and VPN-1 are sold on yearly subscription licenses, so you pay every year for continued use. The VPN-1 SecuRemote client software is free. However, the more advanced VPN-1 SecureClient for Windows and Macintosh (which includes a personal firewall and security configuration control for individual desktops) is priced from $2,300 for 25 IP addresses to $40,000 for 1000 IP addresses.





Adding a content-filtering server (UFP or CVP) adds extra cost, with the amount depending on the hardware and software deployed.










Note





URL Filtering Protocol (UFP) servers hold lists of URLs designated as permitted or denied. Content Vectoring Protocol (CVP) servers analyze the data stream and allow or deny connections based on policy rules.











Check Point: Platform Support and System Requirements






The Check Point FireWall-1 software firewall runs on the following operating systems:

- Windows NT/2000
- Sun Solaris
- Linux (Red Hat)
- Check Point SecurePlatform
- Nokia IPSO (UNIX-based proprietary OS)
- IBM AIX











When installing on a Windows machine, Check Point FW-1 NG requires 40MB of free disk space, a 300MHz or better processor and at least 128MB of RAM. This is for the primary management and enforcement module. For the GUI clients, you need an additional 40MB of disk space and 32MB of RAM.





Check Point FW-1/VPN-1 products are marketed both as software solutions and pre-installed on hardware appliances.





Except for appliances, the underlying operating system must be properly configured before FW-1 will run correctly. OS patches and upgrades can cause problems. Support for Solaris 2.7 didn’t occur for two years after the OS release, and FW-1 still did not support Windows Server 2003 nine months after its release.





How does ISA Server 2004 compare? Like Check Point, ISA Server 2004 is a software firewall and can be installed on a variety of hardware configurations. Unlike Check Point, ISA Server 2004 cannot be installed on UNIX. Minimum system requirements are similar for the two.





ISA Server 2004 is designed specifically to integrate with Windows and take advantage of its features, including:

- Network Load Balancing (NLB)
- VPN quarantine
- Active Directory
- Windows DHCP, DNS, and WINS services
- RADIUS (Internet Authentication Service)

All these Windows services are included "on the box" with the underlying Windows 2000 Server or Windows Server 2003 operating system at no extra cost.






Check Point: Application Layer Filtering Capabilities






Check Point provides application filtering with its newest “NG with Application Intelligence” products. Check Point calls its application proxies “security servers” and uses the term “Application Intelligence” to refer to application layer attack prevention technologies integrated in FireWall-1 and SmartDefense. Check Point is relatively new to application layer filtering (this feature was not included with its versions prior to 4.0).





Content filtering can be done via a URL Filtering Protocol (UFP) Server for FW-1 (SurfControl) plug-in. The plug-in provides a category list of classified Web sites and can be installed on the FW-1 machine or a separate server. Content filtering can also be done via a Content Vectoring Protocol (CVP) server. Content filtering appliances and services such as Websense can interoperate with FW-1.





How does ISA Server 2004 compare? ISA Server 2004 performs intelligent stateful inspection using “smart” application filters. Not only can you determine the validity of data moving through the firewall in request and response headers, you can also filter by “signature” (text string) for keyword filtering or filter for particular file types. Like FW-1, ISA 2004 works with Websense, SurfControl, and other third-party filtering products.





ISA Server 2004 inspects all aspects of HTTP communications. The SMTP filter protects from invalid SMTP commands that cause buffer overflows, and the SMTP message screener blocks spam and mail containing dangerous attachments. ISA Server’s RPC filtering protects from exploits and malicious code directed to the RPC services and ensures that only valid connections get through to the Exchange server. DNS filtering prevents application layer attacks aimed at published DNS servers, and the POP3 filters protect published POP3 mail servers from attack. ISA Server’s SDK allows easy development of web and application filters.






Check Point: VPN Support






Check Point provides a number of different VPN solutions:

- VPN-1 Edge: for remote sites/branch offices
- VPN-1 Express: mid-sized businesses with multiple sites and up to 500 users
- VPN-1 Pro: complex enterprise-level networks (includes FW-1)
- VSX: VLAN environments, datacenters, large segmented networks

All support stateful inspection, URL filtering, site-to-site VPN, remote access VPN, and X.509 certificates. SmartDefense intrusion detection, content filtering and application proxy (Security Server), stateful failover, and load balancing are supported only by VPN-1 Express, VPN-1 Pro and VSX. Other VPN features include:

- One-click VPNs (the ability to create a VPN in a one-step operation)
- IPSec encryption and authentication
- SecuRemote uses 128- to 256-bit AES, 168-bit 3DES and 56-bit DES for data encryption
- VPN QoS support via an optional module (FloodGate-1)
- Support for SSL-based VPNs via Web browser
- Support for Microsoft L2TP VPN clients

Check Point's SecureClient (extra-cost VPN client software) provides functionality similar to ISA's VPN Quarantine (Check Point calls it "client configuration verification") and also provides a personal firewall for the client machine.





How does ISA Server 2004 compare? ISA Server 2004 supports user- and group-based access control, and site-to-site and remote access VPN, with both stateful inspection and stateful filtering so that you can control what moves through the VPN. VPN connections are exposed to firewall policies like any other connection; this provides granular control over the protocols that can be used, the servers to which clients can connect, the time of day and duration of the connection, and the IP address from which the connection is allowed. In addition:

- ISA Server supports X.509 certificates for IPSec authentication, and pre-shared keys for organizations that don't want to implement a PKI.
- ISA Server VPN wizards make it easy to set up VPNs. ISA Server supports the use of CMAK to create a VPN connectoid that lets users connect to the VPN with one click, and supports an automatically downloadable phone book. CMAK also allows you to customize routes for VPN clients. The CMAK wizards make the job easy for the administrator as well as the user.
- ISA Server uses the IETF standard L2TP/IPSec NAT Traversal (NAT-T) protocol to connect to Windows Server 2003 VPNs.
- ISA Server 2004 supports 3DES encryption.
- ISA Server 2004 does not support VPN QoS; however, QoS has limited value outside the corporate network because every intervening router must also honor it, and that is unlikely across the Internet.
- ISA Server supports SSL tunneling.
- ISA Server 2004 supports both Microsoft PPTP and L2TP clients.
- ISA Server supports VPN quarantine through Windows Server 2003's quarantine feature using the standard Windows PPTP and L2TP clients at no extra cost.












Check Point: Web Caching






Web-caching functionality is not included in the basic Check Point software; it can be added through the purchase of an extra module or via an “off-box” solution.





How does ISA Server 2004 compare? ISA Server 2004 includes Web-caching functionality at no extra charge. Forward caching allows the ISA Server 2004 firewall to cache objects retrieved by internal users from external Web servers. Reverse caching allows the ISA Server 2004 firewall to cache objects retrieved by remote users from servers that have been published by the ISA Server 2004 firewall. Web objects requested by remote users are cached on the ISA Server 2004 firewall, and subsequent requests for the same objects are served from the firewall’s Web cache instead of forwarding the request to the published Web server located behind the ISA Server 2004 firewall.





Fast RAM caching allows the ISA Server 2004 firewall to keep the most frequently accessed items in memory. This optimizes response time by retrieving items from memory rather than from disk. ISA Server 2004 also provides an optimized disk cache store that minimizes disk access for both read and write operations, and it supports Web proxy chaining, which allows the ISA Server 2004 firewall to forward Web requests to an upstream Web proxy server.





Comparing ISA 2004 to Cisco PIX






Cisco offers PIX “security appliances” in a number of different models and configurations. These range from small, relatively inexpensive models that are aimed at small offices and telecommuters (such as the PIX 501) to high performance, high-dollar models marketed to enterprise customers and service network providers (such as the PIX 535), with a number of “in-between” models targeted at businesses of various sizes.





Check Point is acknowledged by most sources as the overall market share leader (taking into account that its product is sold both as a software firewall and installed on Nokia appliances). However, when it comes to firewall appliances, Cisco topped the appliance market in 2003 with 34.3 percent of the market, according to International Data Corp information reported by CNET News at http://news.com.com/2100-7355-5079045l.





PIX firewalls are typically deployed as edge firewalls, and to create perimeter networks (DMZs). Their hardware is optimized for fast performance (as with all hardware-based firewalls), and the simplicity of their packet-filtering functionality makes them especially appropriate at the Internet edge.





In this section, we provide an overview of PIX appliances. We look at Cisco PIX’s general specifications, platform support and system requirements, application layer filtering capabilities, VPN support and Web-caching abilities, and examine how ISA Server 2004 stacks up against them.






Cisco PIX: General Specifications






PIX firewalls are generally licensed for an unlimited number of users. Cisco VPN client software (which is not required, but adds functionality) is typically priced at $30 to $50 per client. Customers with support contracts and encryption entitlement can download the client at no charge. PIX firewalls have Common Criteria EAL4 certification.





PIX 500 series firewalls cover a broad range. At the time of this writing, the available PIX models included:

- PIX 501: designed for use in small offices and by telecommuters. Provides up to 10Mbps firewall throughput and 3Mbps VPN throughput (3DES). Includes one 10BaseT interface and a four-port 10/100 integrated switch.
- PIX 506E: designed for branch/remote offices. Provides up to 20Mbps firewall throughput and 16Mbps VPN throughput (3DES). Provides two autosense 10BaseT interfaces.
- PIX 515E: designed for small-to-medium businesses and for use within the enterprise. Provides up to 188Mbps firewall throughput and integrated support for 2000 IPSec tunnels. Supports up to six 10/100 interfaces.
- PIX 525: designed for enterprise and service provider environments. Provides over 360Mbps firewall throughput, up to 70Mbps VPN throughput (3DES), and support for 2000 IPSec tunnels. Handles 280,000 simultaneous firewall sessions. Supports up to eight 10/100 interfaces or three gigabit Ethernet interfaces.
- PIX 535: designed for large enterprise and service provider environments. Provides over 1Gbps firewall throughput, 95Mbps VPN throughput (3DES), and support for 2000 IPSec tunnels. Handles 500,000 simultaneous firewall sessions. Supports up to ten 10/100 interfaces or nine gigabit Ethernet interfaces.

Cost ranges from under $500 for the PIX 501 with a 10-user license ($795 for unlimited users) to over $20,000 for the PIX 535. Specifically, at the time of this writing, typical pricing for each PIX model was:

- PIX 501: $495 to $795
- PIX 506E: $959
- PIX 515E: $2,495 to $2,695
- PIX 525: $10,920 to $14,759
- PIX 535: $20,000 to $24,000











The PIX software is the same on all appliance models. The difference is in the hardware, specifically in processor speed, amount of RAM, throughput, number of connections allowed, maximum number of interfaces, and whether failover is supported. Table 3.1 illustrates the different hardware configurations for the different models.









































Table 3.1: PIX Model-by-Model Feature Comparison

Model                      501                    506E      515E        525        535
Processor                  133MHz                 300MHz    433MHz      600MHz     1GHz
RAM                        16MB                   32MB      32MB/64MB   256MB      1GB
Flash memory               8MB                    8MB       16MB        16MB       16MB
Throughput                 10Mbps                 20Mbps    188Mbps     360Mbps    1Gbps
Connections                7,500                  25,000    130,000     280,000    500,000
Max. number of interfaces  1 + four-port switch   2         6           8          10
Failover                   No                     No        Yes         Yes        Yes










How does ISA Server compare? ISA Server 2004 is a software firewall, and thus, is not tied to a particular vendor’s hardware. This gives you more flexibility and allows throughput based on the hardware configuration on which you install it. ISA Server has been tested at firewall throughput up to 1.59 Gbps. There is no software limit on the number of interfaces; ISA Server supports as many interfaces as the hardware allows.

Cisco PIX: Platform Support and System Requirements

Cisco’s appliances run on the proprietary PIX OS embedded operating system. The OS is built specifically for security services, and thus, is a “hardened” OS. It is based on the Cisco IOS operating system used by Cisco routers, with fewer commands and a few that are extra or differently named. Administrators not familiar with the OS must learn a new operating system.

Hardware configurations vary by PIX model, as shown in Table 3.1.

How does ISA Server 2004 compare? ISA Server 2004 runs on standard Intel PCs that are easily upgraded and can be installed on Windows 2000 Server or Windows Server 2003, providing a standardized, familiar management interface and the flexibility to use hardware of your choice. This makes ISA Server more scalable than appliances that are tied to the hardware.

The Windows Server 2003 OS can be “hardened” by applying a series of special profiles included in Server 2003 SP2 for the Security Configuration wizard. Microsoft also provides a system hardening guide that includes specific configuration recommendations and deployment strategies for ISA Server 2004. The document can be downloaded at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.

Cisco PIX: Application Layer Filtering Capabilities

PIX firewalls provide “stateful application inspection” via the Adaptive Security Algorithm (ASA), to discern IP addressing information embedded in the user data packet or to open secondary channels on dynamically assigned ports (for example, FTP, H.323). This allows NAT to translate the embedded addresses. PIX firewalls include support for a type of URL filtering that is designed to work with the third-party content-filtering services WebSense and N2H2. With this feature, you can allow or deny access to Web sites based on administrator-created lists of acceptable and unacceptable sites. This requires a subscription and access to NetPartner’s WebSense server or an N2H2 server over the Internet. The PIX captures the URL requests and queries the database on the WebSense or N2H2 server, and then denies or allows the request based on the acceptable use policy set by the administrator. Content filtering blocks ActiveX or Java applets.

Cisco calls their application proxies “fixup protocols.” They are handled via the “fixup” command. These proxies include: FTP, HTTP, H.323, ils, rsh, rtsp, SMTP, SIP, Skinny, and SQL. Application layer protocols supported by the intrusion-detection feature in the native PIX services don’t have to be configured.
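To make concrete what the “stateful application inspection” described above has to do for a protocol like FTP, here is an added example (not Cisco PIX code, and not ISA Server code) of a minimal inspector for an active-mode FTP control channel. It finds the client’s private address embedded in a PORT command, rewrites it to the firewall’s public address so NAT works, and records the single inbound data connection that the server is now expected to open. The addresses, the starting translated port and the class and function names are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not Cisco or ISA Server code): inspecting the FTP control
# channel the way the text describes for the PIX "fixup". An active-mode PORT
# command carries the client's own address and port as six decimal octets:
#   PORT h1,h2,h3,h4,p1,p2   ->  host h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


@dataclass(frozen=True)
class Pinhole:
    """One temporary allow entry: the FTP server may connect to public ip:port."""
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) embedded in a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port < 1024:  # refuse a data channel on a privileged port
        return None
    return ip, port


def format_port_command(ip: str, port: int) -> str:
    a, b, c, d = ip.split(".")
    return f"PORT {a},{b},{c},{d},{port // 256},{port % 256}\r\n"


class FtpInspector:
    """Tracks one FTP control session from an inside client to an outside server."""

    def __init__(self, inside_ip: str, public_ip: str, server_ip: str,
                 first_nat_port: int = 40000):
        self.inside_ip = inside_ip      # client's private address (constructed)
        self.public_ip = public_ip      # address the firewall presents outside
        self.server_ip = server_ip      # the FTP server this session talks to
        self.next_port = first_nat_port
        self.nat_table = {}             # public data port -> (inside ip, inside port)

    def inspect_client_line(self, line: str):
        """Return (line_to_forward, pinhole). (None, None) means drop the line."""
        if not line.startswith("PORT "):
            return line, None           # other commands pass through unchanged
        parsed = parse_port_command(line)
        if parsed is None:
            return None, None           # malformed: drop rather than guess
        ip, port = parsed
        if ip != self.inside_ip:
            # The embedded address must be the session's own source; honouring
            # a different one would open a hole toward a third party.
            return None, None
        public_port = self.next_port
        self.next_port += 1
        self.nat_table[public_port] = (ip, port)
        hole = Pinhole(self.server_ip, self.public_ip, public_port)
        return format_port_command(self.public_ip, public_port), hole


if __name__ == "__main__":
    insp = FtpInspector("10.0.0.5", "203.0.113.7", "198.51.100.20")
    print(insp.inspect_client_line("PORT 10,0,0,5,4,1\r\n"))
```

The two drop cases are the ones that matter for a firewall: a PORT line that cannot be parsed is not forwarded, and a PORT line naming a host other than the session’s own client is refused, because the whole point of the pinhole is that it is opened only for the one data connection the protocol has legitimately announced.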





How does ISA Server 2004 compare? ISA Server 2004 performs intelligent stateful inspection using “smart” application filters. Not only can you determine the validity of data moving through the firewall in request and response headers, you can also filter by “signature” (text string) for keyword filtering or filter for particular file types. ISA 2004 can also work with Websense and other third-party filtering products.

ISA Server 2004 inspects all aspects of HTTP communications. ISA’s SMTP filter protects from invalid SMTP commands that cause buffer overflows, and the SMTP message screener blocks spam and mail containing dangerous attachments.

ISA Server’s RPC filtering protects from exploits and malicious code directed to the RPC services and ensures that only valid connections get through to the Exchange server.

DNS filtering prevents application layer attacks aimed at published DNS servers, and the POP3 filters protect published POP3 mail servers from attack.

ISA Server’s SDK allows for easy development of web and application filters.

Cisco PIX: VPN Support

Cisco PIX firewalls all include VPN support. They support Cisco software VPN clients (for Windows, Linux, Solaris, and Mac OS X), Cisco hardware VPN clients (PIX 501 and 506E, Cisco 800 and 1700 series routers), and Microsoft PPTP and L2TP clients. Data is encrypted using 56-bit DES, 168-bit 3DES, or 256-bit AES.

Note

PIX users can download a 3DES/AES or 56-bit DES encryption license free from Cisco’s Web site.

VPN policy configuration enforcement (which is similar to ISA Server 2004’s VPN quarantine feature) is provided with the Cisco Secure VPN client v.3.x or above. VPN access policies and configuration requirements are downloaded from a central gateway and “pushed” to the client upon establishing the VPN connection. Customers who have purchased support contracts and encryption entitlement can download the client software at no extra cost.

How does ISA Server 2004 compare? ISA Server 2004 can apply firewall policy to the VPN interfaces. Perhaps more significantly, ISA Server does not require any software to be added to VPN clients. ISA Server supports the PPTP and L2TP/IPSec VPN clients that are built into the Windows 9x/ME, Windows XP, Windows NT, 2000, and Server 2003 operating systems. ISA Server’s VPN quarantine allows administrators to enforce specific conditions VPN clients must meet before being allowed to connect (for example, the latest service pack/updates must be installed) and direct clients to a server to download and install the required updates.

ISA Server’s VPN wizards make it easy for administrators to set up VPNs, and the CMAK can be used to provide easy one-click connections for clients.

Cisco PIX: Web Caching

As with Check Point, Web-caching functionality is not included with the Cisco firewall/VPN; it is available at extra cost through purchase of the Cisco Content Engine.

Cisco Application and Content Networking Software (ACNS) is deployed on Cisco Content Engine caching modules/devices, which range in price from $2500 to over $18,000, to provide integrated caching and content delivery. Content Engines are caching appliances that run on the Cisco IOS. Cisco cache software runs on the Content Engine to provide streaming media splitting and caching, proxy-style caching (HTTP, FTP, SSL tunneling), and transparent caching.

For transparent caching, the cache software and ACNS support the Web Cache Communication Protocol (WCCP), a protocol developed by Cisco to redirect specified traffic to the Web cache. WCCP has also been used by CacheFlow (now BlueCoat), NetApp, and Squid.

How does ISA Server 2004 compare? ISA Server 2004 includes Web-caching functionality at no extra charge. Forward caching allows the ISA Server 2004 firewall to cache objects retrieved by internal users from external Web servers. Reverse caching allows the ISA Server 2004 firewall to cache objects retrieved by remote users from servers that have been published by the ISA Server 2004 firewall. Web objects requested by remote users are cached on the ISA Server 2004 firewall, and subsequent requests for the same objects are served from the firewall’s Web cache instead of forwarding the request to the published Web server located behind the ISA Server 2004 firewall.

Fast RAM caching allows the ISA Server 2004 firewall to keep the most frequently accessed items in memory. This optimizes response time by retrieving items from memory rather than from disk. ISA Server 2004 gives you an optimized disk cache store that minimizes disk access for both read and write operations. ISA Server 2004 also supports Web proxy chaining, which allows the ISA Server 2004 firewall to forward Web requests to an upstream Web proxy server.

Comparing ISA 2004 to NetScreen

NetScreen ranked second among security appliance vendors in 2003, with a 16 percent market share, according to International Data Corp. (IDC) information published by CNET News at http://news.com.com/2100-7355-5079045l.

Juniper Networks signed an agreement to acquire NetScreen Technologies in February 2004. Juniper Networks markets carrier-class and service provider/large enterprise routers and switches.

In this section, we provide an overview of NetScreen firewall appliances. We look at NetScreen’s general specifications, platform support and system requirements, application layer filtering capabilities, VPN support and Web caching abilities, and examine how ISA Server 2004 stacks up against them.

Note

Juniper Networks is not related to the Juniper Firewall Tool Kit (FWTK), an open source firewall utility for Linux/UNIX, which we discuss later in this chapter under the section titled Comparing ISA 2004 to Open Source Firewalls.

NetScreen: General Specifications

NetScreen appliances include firewall and IPSec VPN capabilities. They also incorporate antivirus functionality based on Trend Micro AV technology. The firewall component uses stateful inspection and limited application layer inspection.

NetScreen appliances are built on Application Specific Integrated Circuit (ASIC) architecture, which embeds RISC processors and accelerates processing. Appliances run the proprietary real-time ScreenOS firmware in flash memory, rather than on a hard disk. This gives the appliance some advantages over traditional disk-based machines, in that there is less chance of mechanical failure.

NetScreen makes a number of different appliances, ranging from the low-end 5 series (5XP, 5XP Elite, 5GT, 5GT Plus, 5XT, 5XT Elite) to the high-end 200, 500, and 5000 series. Mid-range models include the NetScreen 25 and 50. Prices range from under $500 to almost $100,000. At the time of this writing, typical pricing for each of the NetScreen models is as shown below:

NetScreen 5XP (10 user): $495
NetScreen 5GT: $495
NetScreen 5XT: $695
NetScreen 5XP Elite (unlimited): $995
NetScreen 5GT Plus: $995
NetScreen 5XT Elite: $1195
NetScreen 25: $3495
NetScreen 50: $5695
NetScreen 204: $9995
NetScreen 208: $14,245
NetScreen 500: $22,500
NetScreen 5200: $99,000

The cost of add-ons for more functionality can significantly increase the capital investment required. For example, at the time of this writing, NetScreen IDP (intrusion detection and prevention) appliances range from $7995 for the IDP 10 to $34,995 for the IDP 500. NetScreen remote VPN client licenses (v.8) cost $95 for 10 users, $195 for 100 users, and $995 for 1000 users. The NetScreen remote security VPN client (which also provides personal firewalls for remote users) costs $345 for 10 users, $2495 for 100 users, and $19,995 for 1000 users.

Table 3.2 compares features available on popular models that are most competitive with ISA Server 2004.

Table 3.2: NetScreen Model-by-Model Feature Comparison

Feature                            NetScreen 200 Series  NetScreen 50     NetScreen 25  NetScreen 5XP
Concurrent sessions                128,000               8,000            4,000         2,000
Firewall throughput                400 to 550Mbps        170Mbps          100Mbps       10Mbps
VPN throughput with 3DES           200Mbps               50Mbps           20Mbps        10Mbps
Policies                           4,000                 1,000            500           100
Transparent mode (all interfaces)  Yes                   Yes              Yes           Yes
Route mode (all interfaces)        Yes                   Yes              Yes           Yes
NAT                                Yes                   Yes              Yes           Yes
PAT                                Yes                   Yes              Yes           Yes
Virtual IP                         4                     2                2             1
Mapped IP                          4,000                 1,000            1,000         32
Static IP routes                   256                   60               60            16
Dedicated VPN tunnels              1000                  100              25            10
High availability                  Yes                   Future ScreenOS  No            No

All models of the NetScreen appliance support the following features:

Manual key, IKE, PKI (X.509) authentication, PKCS 7 and 10 certificate requests
DES, 3DES and AES encryption
Automated certificate enrollment (SCEP)
Certification authorities: VeriSign, Microsoft, Entrust, RSA Keon, iPlanet (Netscape), Baltimore, DOD PKI
RADIUS, RSA SecurID, LDAP external databases

How does ISA Server compare? ISA Server 2004 is a software firewall, and thus, is not tied to a particular vendor’s hardware. This gives you more flexibility and allows throughput based on the hardware configuration on which you install it. ISA Server has been tested at firewall throughput up to 1.59 Gbps. There is no software limit on the number of interfaces; ISA Server supports as many interfaces as the hardware allows.

The Windows Server 2003 OS can be “hardened” by applying a series of special profiles included in Server 2003 SP2 for the Security Configuration wizard. Microsoft also provides a system hardening guide that includes specific configuration recommendations and deployment strategies for ISA Server 2004. The document can be downloaded at www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.

NetScreen: Platform Support and System Requirements

NetScreen appliances run on the proprietary ScreenOS operating system, which in turn runs on proprietary ASIC-based hardware. The NetScreen firewall software cannot be installed on general purpose PC operating systems. ScreenOS is hardened and optimized for the specific purpose of running the firewall software.

Hardware configurations vary by NetScreen model, as shown in Table 3.2.

How does ISA Server 2004 compare? ISA Server 2004 runs on standard Intel PCs that are easily upgraded and can be installed on Windows 2000 Server or Windows Server 2003, providing a standardized, familiar management interface and the flexibility to use hardware of your choice. This makes ISA Server more scalable than appliances that are tied to the hardware.

NetScreen: Application Layer Filtering Capabilities

NetScreen firewalls provide “deep inspection” technology for application layer protection to integrate intrusion detection and prevention for common Internet-originating attacks that exploit the following protocols:

HTTP
POP3
IMAP
SMTP
FTP
DNS

Intrusion-detection technology was acquired when NetScreen bought OneSecure. For more sophisticated intrusion detection, NetScreen markets a separate product, NetScreen-IDP, that can be deployed behind the firewall and in front of mission critical servers.

All models of NetScreen appliances support Websense (external URL filtering service).

How does ISA Server 2004 compare? ISA Server 2004 performs intelligent stateful inspection using “smart” application filters. Not only can you determine the validity of data moving through the firewall in request and response headers, you can also filter by “signature” (text string) for keyword filtering or filter for particular file types. ISA 2004 supports Websense and other third-party filtering products and services.

ISA Server 2004 inspects all aspects of HTTP communications. The SMTP filter protects from invalid SMTP commands that cause buffer overflows, and the SMTP message screener blocks spam and mail containing dangerous attachments. ISA Server’s RPC filtering protects from exploits and malicious code directed to the RPC services and ensures that only valid connections get through to the Exchange server. DNS filtering prevents application layer attacks aimed at published DNS servers, and the POP3 filters protect published POP3 mail servers from attack. ISA Server’s SDK allows easy development of web and application filters.

NetScreen: VPN Support

NetScreen firewall appliances all include VPN support. They support NetScreen proprietary VPN client software, available both as a remote client and a remote security client (the latter includes personal firewall protection for remote users). VPN client software licenses cost extra.

Data is encrypted using 56-bit DES, 168-bit 3DES or 256-bit AES. NetScreen supports authentication via X.509 certificates in a PKI environment. Certificates must be obtained from a certification authority (a separate system running CA software, either within the internal network or a public CA such as VeriSign).

NetScreen supports IPSec and SSL VPNs.
NetScreen supports remote access and site-to-site VPNs.
VPN throughput is dependent on the appliance model (hardware).

Enforcement of firewall protection on client machines is accomplished by using the NetScreen Remote Security Client (at extra cost), which installs personal firewall software on the client machine and enforces updates over the Web. This provides some of the functionality of VPN quarantine. VPN policies are tied to user accounts rather than machines. Policies will not be retrieved unless the firewall software is installed and operational.

How does ISA Server 2004 compare? ISA Server 2004 supports user- and group-based access control, site-to-site and remote VPN with both stateful inspection and stateful filtering to allow you to control what moves through the VPN. VPN connections are exposed to firewall policies like any other connection; this provides granular control of the protocols that can be used, the servers to which they can connect, the time of day/duration of connection, and the IP address from which connection is allowed. In addition:

ISA Server supports X.509 certificates for IPSec encryption, and pre-shared keys for organizations that don’t want to implement a PKI.
ISA Server VPN wizards make it easy to set up VPNs. ISA Server supports use of CMAK to create a VPN connectoid that allows users to connect to the VPN with one click, and an automatically downloadable phone book. CMAK also allows you to customize routes for VPN clients. CMAK wizards make it easy for the administrator as well as the user.
ISA Server uses the IETF standard L2TP/IPSec NAT Traversal (NAT-T) protocol to connect to Server 2003 VPNs.
ISA Server 2004 supports 3DES encryption.
ISA Server 2004 does not support VPN QoS; however, QoS has limited functionality outside the corporate network because every intervening router must also support it, and the likelihood of this is low.
ISA Server supports SSL tunneling.
ISA Server 2004 supports both Microsoft PPTP and L2TP clients.
ISA Server supports VPN quarantine through Windows Server 2003’s quarantine feature using the standard Windows PPTP and L2TP clients at no extra cost.
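The two ideas in the comparison above, a quarantine check that a VPN client must pass before it is released onto the network, and firewall rules that then govern the VPN connection like any other (by user group, protocol, destination server, time of day and source address), can be seen together in the following added example. It is not ISA Server or Windows quarantine code; the rule set, the group names, the addresses, the patch-level thresholds and the remediation server are all constructed for the example, and the check results a client reports are assumed to come from a client-side script as the text describes.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example (not ISA Server or Windows code). Two stages:
#   1. quarantine_check: may this client leave quarantine, or must it first
#      visit the remediation server?
#   2. evaluate: once connected, is this particular request allowed by the
#      firewall policy that applies to VPN connections?
# All names, addresses and thresholds are constructed for the example.


@dataclass(frozen=True)
class VpnClient:
    user: str
    groups: frozenset
    source_ip: str
    service_pack: int            # as reported by the client-side check script
    av_signature_age_days: int   # likewise


@dataclass(frozen=True)
class QuarantinePolicy:
    min_service_pack: int
    max_av_age_days: int
    remediation_server: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    protocols: frozenset
    destinations: Tuple[str, ...]                 # CIDR strings
    groups: Optional[frozenset] = None            # None: any authenticated user
    hours: Optional[Tuple[time, time]] = None     # None: any time of day
    sources: Optional[Tuple[str, ...]] = None     # None: any source address


def quarantine_check(client: VpnClient, policy: QuarantinePolicy) -> Optional[str]:
    """Return None if the client may leave quarantine, else the remediation server."""
    if client.service_pack < policy.min_service_pack:
        return policy.remediation_server
    if client.av_signature_age_days > policy.max_av_age_days:
        return policy.remediation_server
    return None


def _in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def evaluate(client: VpnClient, protocol: str, dest_ip: str, now: time,
             rules: List[Rule]) -> Tuple[str, str]:
    """First-match evaluation; an unmatched request is denied (default deny)."""
    for r in rules:
        if r.groups is not None and not (client.groups & r.groups):
            continue
        if protocol not in r.protocols:
            continue
        if not _in_any(dest_ip, r.destinations):
            continue
        if r.hours is not None and not (r.hours[0] <= now <= r.hours[1]):
            continue
        if r.sources is not None and not _in_any(client.source_ip, r.sources):
            continue
        return r.action, r.name
    return "deny", "default"


# Constructed policy: admins may RDP into the server network from the branch
# range at any hour; staff may reach the mail server during business hours;
# everyone may use the Web proxy.
RULES = [
    Rule("admins-rdp", "allow", frozenset({"RDP"}), ("10.10.0.0/16",),
         groups=frozenset({"admins"}), sources=("198.51.100.0/24",)),
    Rule("staff-exchange", "allow", frozenset({"RPC", "HTTPS"}), ("10.10.5.10/32",),
         groups=frozenset({"staff", "admins"}), hours=(time(7, 0), time(19, 0))),
    Rule("everyone-web-proxy", "allow", frozenset({"HTTP", "HTTPS"}), ("10.10.1.1/32",)),
]
POLICY = QuarantinePolicy(min_service_pack=1, max_av_age_days=7,
                          remediation_server="10.10.9.9")


if __name__ == "__main__":
    alice = VpnClient("alice", frozenset({"admins"}), "198.51.100.7", 1, 2)
    print(quarantine_check(alice, POLICY))
    print(evaluate(alice, "RDP", "10.10.3.4", time(22, 0), RULES))
```

The evaluator is deliberately first-match with a closing default deny, which is the behaviour a practitioner should expect when VPN traffic is “exposed to firewall policies like any other connection”: a client that passes quarantine still gets only what a rule explicitly grants it.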












NetScreen: Web Caching

NetScreen firewall/VPN appliances do not provide Web-caching functionality. Web caching/acceleration can be added to a network using NetScreen products by implementing a caching solution such as ISA Server on the network.

How does ISA Server 2004 compare? ISA Server 2004 includes Web-caching functionality at no extra charge. Forward caching allows the ISA Server 2004 firewall to cache objects retrieved by internal users from external Web servers. Reverse caching allows the ISA Server 2004 firewall to cache objects retrieved by remote users from servers that have been published by the ISA Server 2004 firewall. Web objects requested by remote users are cached on the ISA Server 2004 firewall, and subsequent requests for the same objects are served from the firewall’s Web cache instead of forwarding the request to the published Web server located behind the ISA Server 2004 firewall.

Fast RAM caching allows the ISA Server 2004 firewall to keep the most frequently accessed items in memory. This optimizes response time by retrieving items from memory rather than from disk. ISA Server 2004 gives you an optimized disk cache store that minimizes disk access for both read and write operations. ISA Server 2004 also supports Web proxy chaining, which allows the ISA Server 2004 firewall to forward Web requests to an upstream Web proxy server.
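The caching description above (and the identical one in the Cisco PIX Web Caching comparison earlier) names three mechanisms: forward and reverse caching, a fast RAM tier in front of a disk store, and proxy chaining to an upstream proxy. The following added example shows all three in one small class. It is not ISA Server code: the “disk” tier is an in-memory dictionary standing in for an on-disk store, the next hop is injected as a callable so the same class acts as a forward cache (next hop is the origin Web server), a reverse cache (next hop is a published internal server) or a chained downstream proxy (next hop is another cache), and every URL and response body is constructed.

```python
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple

# Added example (not ISA Server code): a two-tier Web cache. The RAM tier is a
# small LRU OrderedDict; the "disk" tier is a plain dict standing in for the
# on-disk store. `fetch` is the next hop: an origin server for forward
# caching, a published server for reverse caching, or another WebCache's
# `get` for proxy chaining. Clock is injectable so freshness can be tested.

Fetcher = Callable[[str], str]
Entry = Tuple[int, str]   # (time stored, body)


class WebCache:
    def __init__(self, name: str, fetch: Fetcher, ram_entries: int = 2,
                 ttl: int = 300, clock: Optional[Callable[[], int]] = None):
        self.name = name
        self.fetch = fetch
        self.ram_entries = ram_entries
        self.ttl = ttl
        self.clock = clock or (lambda: 0)
        self.ram: "OrderedDict[str, Entry]" = OrderedDict()
        self.disk: Dict[str, Entry] = {}
        self.stats = {"ram_hit": 0, "disk_hit": 0, "miss": 0}

    def _fresh(self, entry: Entry) -> bool:
        return self.clock() - entry[0] < self.ttl

    def _promote(self, url: str, entry: Entry) -> None:
        """Put (or refresh) an object in the RAM tier, evicting the least recently used."""
        self.ram[url] = entry
        self.ram.move_to_end(url)
        while len(self.ram) > self.ram_entries:
            self.ram.popitem(last=False)   # evicted from RAM only; disk copy remains

    def get(self, url: str) -> str:
        entry = self.ram.get(url)
        if entry and self._fresh(entry):
            self.ram.move_to_end(url)
            self.stats["ram_hit"] += 1
            return entry[1]
        entry = self.disk.get(url)
        if entry and self._fresh(entry):
            self.stats["disk_hit"] += 1
            self._promote(url, entry)          # hot again: back into RAM
            return entry[1]
        body = self.fetch(url)                 # miss: ask the next hop
        self.stats["miss"] += 1
        entry = (self.clock(), body)
        self.disk[url] = entry
        self._promote(url, entry)
        return body


def demo_chain():
    """Branch proxy chained to an HQ forward cache in front of a constructed origin."""
    origin_calls = {"n": 0}

    def origin(url: str) -> str:              # constructed origin Web server
        origin_calls["n"] += 1
        return f"<html>{url}</html>"

    hq = WebCache("hq-forward", fetch=origin)       # forward cache at HQ
    branch = WebCache("branch", fetch=hq.get)       # downstream proxy, chained to HQ
    for _ in range(3):
        branch.get("http://www.example.com/a")      # one miss, then two RAM hits
    branch.get("http://www.example.com/b")
    branch.get("http://www.example.com/c")          # pushes /a out of the branch RAM tier
    branch.get("http://www.example.com/a")          # served from the branch disk tier
    return origin_calls["n"], branch.stats, hq.stats


if __name__ == "__main__":
    print(demo_chain())
```

Reverse caching needs no extra code: point `fetch` at the published server and the cache sits in front of it exactly as it sits in front of the Internet for forward caching. Note that eviction from the RAM tier never discards the object; it only falls back to the disk tier, which is why the final request in the demo is a disk hit rather than a miss.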





Comparing ISA 2004 to SonicWall

SonicWall was ranked fourth (after Cisco, NetScreen and Nokia) among security appliance vendors in 2003, with a 5.4 percent market share, according to International Data Corp. information published by CNET News at http://news.com.com/2100-7355-5079045l.

In this section, we provide an overview of SonicWall appliances. We look at SonicWall’s general specifications, platform support and system requirements, application layer filtering capabilities, VPN support and Web caching abilities, and examine how ISA Server 2004 stacks up against them.

SonicWall: General Specifications

SonicWall’s line of firewall/VPN appliances uses ASIC architecture and is based on stateful inspection technology that is ICSA certified. The following SonicWall appliances are available at the time of this writing:

SOHO3: for small businesses or branch offices
SOHO TZW: has a built-in wireless gateway
TELE3: for telecommuters
TELE TZ: for telecommuters; includes “WorkPort” architecture that physically separates the corporate and home networks
TELE TZX: as above; includes an integrated four-port MDIX switch for connecting multiple network devices
TELE3 SP/TELE3 SPi: for Point of Sale (POS) businesses with failover from broadband to an analog modem connection; supports bandwidth on demand and usage management of the ISDN connection
PRO 100: for small-to-large businesses; unlimited network nodes; integrated DMZ (perimeter network)
TZ 170: for small businesses and IT administrators with limited resources; includes an integrated five-port MDIX switch and security processor (system on a chip); policy-based NAT; optional upgrade adds ISP failover and load balancing
PRO 230: rack-mount; supports multiple protected zones; user-level authentication, bandwidth management, DHCP relay through VPN tunnels, automatic security updates
PRO 330: for business critical networks; includes high availability, guaranteed automatic failover when configured with a mirror appliance, redundant power
PRO 3060: for complex networks; uses next-gen SonicOS 2.0; optional upgrade provides hardware failover, ISP failover, and automated secondary VPN gateway; supports hardware AES, processor includes a dedicated cryptographic accelerator; multiple interfaces per security zone, policy-based NAT
PRO 4060: enterprise class firewall with the same features as the 3060; includes one year of 8-hour day/5-day week support and ongoing software updates.

Table 3.3 shows a comparison of the specifications and features among the different SonicWall models.

Table 3.3: SonicWall Model-by-Model Feature Comparison

Model         Processor                     RAM    Interfaces                      Concur. connections  FW users        FW throughput      3DES throughput         VPN tunnels/policies
SOHO3         133MHz                        16MB   2 10/100 baseT                  6000                 10/25/50/Unlim  75Mbps (bi-dir)    20Mbps                  10
SOHO TZW      133MHz                        16MB   2 10/100 baseT                  6000                 10/25           75Mbps (bi-dir)    20Mbps                  10
TELE3         133MHz                        16MB   2 10/100 baseT                  6000                 5               75Mbps (bi-dir)    20Mbps                  5
TELE TZ       133MHz                        16MB   3 10/100 baseT                  6000                 5               75Mbps (bi-dir)    20Mbps                  5
TELE TZX      133MHz                        16MB   3 10/100 baseT, 4-port switch   6000                 5               75Mbps (bi-dir)    20Mbps                  5
TELE3 SP/SPi  133MHz                        16MB   2 10/100 baseT, 1 v.90, 1 ISDN  6000                 10              75Mbps (bi-dir)    20Mbps                  10
PRO 100       133MHz                        16MB   3 10/100 baseT                  6000                 Unlim           75Mbps (bi-dir)    20Mbps                  50
TZ 170        SonicWall Security Processor  64MB   7 10/100 baseT                  6000                 10/25/unlim     90Mbps (bi-dir)    30+Mbps                 2-10 site-to-site policies
PRO 230       233MHz                        64MB   3 10/100 baseT                  30,000               Unlim           190Mbps (bi-dir)   25Mbps                  500
PRO 330       233MHz StrongARM RISC         64MB   3 10/100 baseT                  128,000              Unlim           190Mbps (bi-dir)   45Mbps                  1000
PRO 3060      2GHz Intel                    256MB  6 10/100 baseT                  128,000              Unlim           300+Mbps (bi-dir)  75Mbps (same for AES)   500-1000
PRO 4060      2GHz Intel                    256MB  6 10/100 baseT                  500,000              Unlim           300+Mbps (bi-dir)  190Mbps (same for AES)  1000/3000

SonicWall appliances cover a wide range of price points, depending on the model and reseller. Typical prices at the time of this writing are:

SonicWall SOHO3: $445 (10 users), $645 (25), $795 (50)
SonicWall TZW: $449 (10 users), $599 (25)
SonicWall TZ170: $410 (10 users), $576 (25), $825 (unlim.)
SonicWall Tele3 TZX: $493
SonicWall Tele3 SP: $534
SonicWall Pro 230: $1655 (unlim.)
SonicWall Pro 3060: $2319 (unlim.)
SonicWall Pro 4060: $4995 (unlim.)

Add-ons, upgrades and services for SonicWall products are priced as follows at the time of this writing:

VPN for SonicWall SOHO: $410
SonicWall VPN for PRO 100: $576
SonicWall VPN client: $451 (10 user), $659 (50), $825 (100)
Content filtering add-on: $75 (5 node), $495 (50), $695 (unlim)
VPN upgrade for SOHO: $495

(Source: http://www.tribecaexpress.com/sonicwall_firewalls_price)

SonicWall Content Filtering Service (CFS) requires a one-year subscription fee and is priced according to number of nodes. For unlimited node products, at the time of this writing, list price is $695 per year for the standard service, $995/year for the PRO 3060 and PRO 4060 SonicWall devices. (Source: http://www.sonicguard.com/ContentFilteringService.asp).

Other add-ons include:

Anti-virus subscription: varies from $136/year for 5 users to $19,195/year for 1000 users
Global Management System: $1655 for software plus 10 node licenses; $12,446 for 100 incremental node licenses
Support contracts: vary from $95 (SOHO 10 node) to $20,749 (GMS unlimited)

(Source: www.tribecaexpress.com/sonicwall_firewalls_price)

SonicWall: Platform Support and System Requirements

SonicWall appliances run on dedicated ASIC-based hardware devices with specifications as shown in Table 3.3. The appliances run the single-purpose SonicOS operating system. There are two current versions of the operating system:

SonicOS v.2.0s, which runs on lower-end products and is a simpler version of the OS that uses wizards to guide users through configuration options.
SonicOS v.2.0e, which runs on the higher end products (PRO 3060 and 4060) and allows you to define security zones for which you can set separate security policies and define user groups to which policies can be applied.

How does ISA Server 2004 compare? ISA Server 2004 runs on standard Intel PCs that are easily upgraded and can be installed on Windows 2000 Server or Windows Server 2003, providing a standardized, familiar management interface and the flexibility to use hardware of your choice. This makes ISA Server more scalable than ASIC appliances that are tied to the hardware.

The Windows Server 2003 OS can be “hardened” by applying a series of special profiles included in Server 2003 SP2 for the Security Configuration wizard. Microsoft also provides a system hardening guide that includes specific configuration recommendations and deployment strategies for ISA Server 2004. The document can be downloaded at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.

SonicWall: Application Layer Filtering Capabilities

Content filtering can be accomplished via SonicWall’s subscription-based Content Filtering Service (CFS). This requires that you pay a subscription fee for deep filtering of Web content. URL ratings of Web sites, and the sites that are rated as acceptable according to administrator-defined policies, are cached on the local appliance as part of the service.

The service comes in both standard and premium editions. The standard edition only filters the sites that are in its database. The premium edition also analyzes pages that aren’t in the database and adds them. There are also special editions of the service available for governmental and educational institutions.

CFS standard edition filters Web content according to 14 pre-defined categories:

Violence
Hate/racism
Intimate apparel
Nudism
Pornography
Weapons
Adult/mature content
Cult/occult
Illegal drugs
Drugs
Criminal skills
Sex education
Gambling
Alcohol/tobacco

The premium edition adds more categories, such as Abortion, Arts/Entertainment, Auctions, Brokerage/Trading, Humor/Jokes, News/Media, Personals/Dating, Religion, Streaming Media/MP3, Software Downloads, and many more (for a total of 52 categories).

The premium edition runs only on fourth-generation SonicWall products and requires the enhanced SonicOS. CFS does not run on older first-generation SonicWall products, but its predecessor, SonicWall Content Filter List (CFL), can be used on older models.

How does ISA Server 2004 compare? ISA Server includes deep application layer filtering at no extra cost. However, ISA 2004 can also use Websense or other third-party products and services if desired.

Note

There are performance and administrative overhead costs involved in configuring filters for a wide range of content and Web sites. In cases in which a subscription service is an attractive option, ISA Server 2004 can also provide content filtering through subscription services such as Websense.

ISA Server 2004 performs intelligent stateful inspection using “smart” application filters. Not only can you determine the validity of data moving through the firewall in request and response headers, you can also filter by “signature” (text string) for keyword filtering or filter for particular file types.

ISA Server 2004 inspects all aspects of HTTP communications. The SMTP filter protects against invalid SMTP commands that cause buffer overflows, and the SMTP message screener blocks spam and mail containing dangerous attachments.

ISA Server’s RPC filtering protects against exploits and malicious code directed to the RPC services and ensures that only valid connections get through to the Exchange server.

DNS filtering prevents application layer attacks aimed at published DNS servers, and the POP3 filters protect published POP3 mail servers from attack.

ISA Server does not require an extra cost subscription service to perform application layer filtering.






SonicWall: VPN Support






SonicWall appliances include VPN support. PRO models support from 500 to 3000 simultaneous VPN tunnels. SonicWall appliances support IPSec and PPTP VPNs.





SonicWall uses the proprietary VPN Client 8.0 (extra license cost), which is needed for automatic certificate support, for L2TP, and for reaching the VPN gateway by DNS, WINS, or LMHOSTS name instead of by IP address.





SonicWall Client Policy Provisioning allows clients to automatically download VPN configuration data from the VPN gateway with the proprietary Global VPN client.





At the time of this writing, the appliances come with a limited number of VPN client licenses included, depending on the model, as shown in the list below.











SOHO TZW: 1
TZ 170: 1
PRO 2040: 10
PRO 306: 25
PRO 406: 1000











If the number of VPN users exceeds this number, additional client licenses must be purchased.





Some models do not include any VPN client licenses. These include the following:











TELE3
TELE3 TZ
TELE3 TZX
TELE3 SP
SOHO3 10-node
SOHO3 25-node
SOHO3 50-node
TZ 170 10-node











How does ISA Server 2004 compare? In ISA Server 2004, the number of simultaneous VPN connections depends on the operating system on which it is installed, starting at 1000 (Standard Edition). In addition, ISA Server supports IPSec VPNs for site-to-site connections, and both PPTP and the more secure L2TP for remote access connections. ISA Server can apply firewall policy to the VPN interfaces.





ISA Server does not require any software to be added to VPN clients. ISA Server supports the PPTP and L2TP/IPSec VPN clients that are built into Windows 9x/ME, Windows XP, Windows NT, 2000, and Server 2003 operating systems. There is no extra cost for the VPN clients.





ISA Server’s VPN quarantine allows administrators to enforce specific conditions that VPN clients must meet before being allowed to connect (for example, the latest service pack and updates must be installed) and to direct clients to a server from which they can download and install the required updates. ISA Server’s VPN quarantine is a function of Windows Server 2003 and allows you to block VPN access if the client does not meet pre-defined configuration criteria, including installation of current service packs and hotfixes and an operational anti-virus product and firewall. No proprietary client software is required to use VPN-Q, and there is no extra cost to apply it to any number of clients up to the limits of the operating system.






SonicWall: Web Caching






SonicWall products do not include Web caching on the basic box; however, if you subscribe to the Content Filtering Service (CFS), acceptable Web sites—as defined by your policies and checked against the CFS database—are cached on the local appliance for faster returns.





How does ISA Server 2004 compare? ISA Server 2004 includes Web caching functionality at no extra charge. Forward caching allows the ISA Server 2004 firewall to cache objects retrieved by internal users from external Web servers. Reverse caching allows the ISA Server 2004 firewall to cache objects retrieved by remote users from servers that have been published by the ISA Server 2004 firewall. Web objects requested by remote users are cached on the ISA Server 2004 firewall, and subsequent requests for the same objects are served from the firewall’s Web cache instead of forwarding the request to the published Web server located behind the ISA Server 2004 firewall.





Fast RAM caching allows the ISA Server 2004 firewall to keep most frequently accessed items in memory. This optimizes response time by retrieving items from memory rather than from disk. ISA Server 2004 gives you an optimized disk cache store that minimizes disk access for both read and write operations. ISA Server 2004 also supports Web proxy chaining, which allows the ISA Server 2004 firewall to forward Web requests to an upstream Web proxy server.





Comparing ISA 2004 to WatchGuard






According to information provided by International Data Corp. and published by CNET News at http://news.com.com/2100-7355-5079045l, WatchGuard was ranked fifth (after Cisco, NetScreen, Nokia, and SonicWall) among security appliance vendors in 2003, with a 4 percent market share.





In this section, we provide an overview of WatchGuard appliances. We look at WatchGuard’s general specifications, platform support and system requirements, application layer filtering capabilities, VPN support and Web caching abilities, and examine how ISA Server 2004 stacks up against them.






WatchGuard: General Specifications






WatchGuard is offering the following appliance models at the time of this writing:

SOHO 6: designed for small businesses and remote offices; provides stateful packet filtering and VPN capability
Firebox X: designed for small to mid-sized enterprises; scalable to grow with the business
Firebox Vclass: designed for medium-sized enterprises; supports high-speed networking and advanced networking features











A comparison of the features among the various WatchGuard appliance models is shown in Table 3.4.

Table 3.4: WatchGuard Model-by-Model Feature Comparison

| Feature | Firebox X | SOHO 6 | Firebox Vclass |
| --- | --- | --- | --- |
| Firewall throughput | Up to 275 Mbps | Up to 75 Mbps | Up to 2 Gbps |
| VPN throughput | Up to 100 Mbps | Up to 20 Mbps | Up to 1.1 Gbps |
| Concurrent sessions | 500,000 | 7000 | 500,000 |
| Interfaces | 6 10/100 (3 active) | 6 10/100 | V200, V100: 2 1000BaseSX Fiber Gigabit Ethernet, 2 dedicated HA; V80, V60, V60L: 4 10/100, 2 dedicated HA; V10: 2 10/100 |
| VPN tunnels | Up to 1000 | Up to 10 | Up to 40,000 |
| ALF | HTTP, SMTP, FTP, DNS, H.323, DCERPC, RTSP | HTTP | SMTP, HTTP |
| Spam filtering | Optional addition | No | No |
| URL filtering | Optional | Optional | No |
| High availability | Active/passive | No | Active/passive; active/active (optional) |
| QoS | No | No | Yes |
| VLAN tagging | No | No | Yes |
| Mobile user VPN licenses | Up to 1000 | Up to 10 (optional) | Up to 20 |
| Network diagnostic tools | No | No | Yes |
| Command line interface | No | No | Yes |
| Real time monitoring | Yes | No | Yes |
| Historical reporting | Yes | No | No |
| Upgradability | To be available March 2004 | Upgrade 25 or 50 | V60L upgrade to V60 |










At the time of this writing, typical pricing for various WatchGuard Firebox models is shown in the following list:

SOHO 6 / 10 users: $549
SOHO 6 / 50 users: $899
Firebox III 700 / 250 users: $2490
Firebox III 2500 / 5000 users: $5790
Firebox V10 / unlimited (20/75 Mbps): $799
Firebox V60 / unlimited (100/200 Mbps): $599
Firebox V80 / unlimited (150/200 Mbps): $8490
Firebox V100 / unlimited (300/600 Mbps): $14,490











Additional user licenses may be required for SOHO and Firebox V10 (10 users supported out of box). VPN Manager software is required for more than one VPN site with SOHO models:

Four Fireboxes: $796
20 Fireboxes: $2796
Unlimited Fireboxes: $6396

VPN client software cost:

5 user: $220
50 user: $1800

Vclass MU VPN client software cost:

100 user: $780
1000 user: $1440

Centralized Policy Manager (CPM) is used for multiple Vclass appliances. The cost of the CPM for Windows NT/2000 is as follows:

10 appliances: $2840
100 appliances: $12,680











(WatchGuard pricing information was gathered from http://www.securehq.com/group.wml&storeid=1&deptid=76&groupid=222&sessionid=200437249417233)






WatchGuard: Platform Support and System Requirements






The WatchGuard appliances run a proprietary operating system and firewall software (Security Management System) that can be configured in three ways:

InternetGuard: protects corporate networks and bastion hosts and defines corporate-level security.
GroupGuard: protects departmental systems, restricts flow of information and packets, and defines Internet privileges at the group level.
HostGuard: protects specific servers.











How does ISA Server 2004 compare? ISA Server 2004 runs on standard Intel PCs that are easily upgraded and can be installed on Windows 2000 Server or Windows Server 2003, providing a standardized, familiar management interface and the flexibility to use hardware of your choice. This makes ISA Server more scalable than ASIC appliances that are tied to the hardware and more user-friendly than appliance-based firewalls.





The Windows Server 2003 OS can be “hardened” by applying a series of special profiles included in Server 2003 SP2 for the Security Configuration wizard. Microsoft also provides a system hardening guide that includes specific configuration recommendations and deployment strategies for ISA Server 2004. The document can be downloaded at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.






WatchGuard: Application Layer Filtering Capabilities






WatchGuard Fireboxes (except the lower cost models – SOHO and V10) support application proxies to block common application-layer attacks. You can set protocol rules for HTTP, FTP and SMTP. Firebox III models 500, 700, 1000, 2500, and 4500, and Firebox Vclass models V60L, V60, V80, V100, and V200 support the following proxies:

SMTP: inspects content of incoming and outgoing e-mail; denies executable attachments, filters by address, filters malformed headers, spoofed domain names and message IDs, specifies maximum number of message recipients and maximum message size, allows specific characters in e-mail addresses.
HTTP: blocks Web traffic on ports other than 80, filters MIME content, Java, ActiveX, removes unknown headers, removes cookies, filters content to comply with use policies.
FTP: filters FTP server commands, uses read-only rules to control file changes, sets time limits for idle connections.
DNS: checks for malformed headers and packets, filters header content for class, type, and length abnormalities.
H.323: limits open ports.











The Vclass firewalls provide built-in intrusion detection, with configurable logs and alarms for the following attacks:

Java script blocking
IP source route
Denial of service (DoS)
Distributed denial of service (DDoS)
Ping of Death
ICMP flood
TCP SYN flood
UDP flood

Automatic logs are embedded in the ASIC to detect the following attacks:

LAND
Teardrop
NewTear
OpenTear
Overdrop
Jolt2
SSPING
Bonk/Boink
Smurf
Twinge











How does ISA Server 2004 compare? ISA Server 2004’s intrusion detection mechanism can detect the following types of attacks:

Windows out-of-band (WinNuke)
Land
Ping of Death
IP half scan
UDP bomb
Port scan
DNS host name overflow
DNS length overflow
DNS zone transfer
POP3 buffer overflow
SMTP buffer overflow











ISA Server includes deep application layer filtering at no extra cost. ISA Server 2004 performs intelligent stateful inspection using “smart” application filters. Not only can you determine the validity of data moving through the firewall in request and response headers, you can also filter by “signature” (text string) for keyword filtering or filter for particular file types. ISA 2004 supports Websense and other third-party filtering products and services.





ISA Server 2004 inspects all aspects of HTTP communications. The SMTP filter protects against invalid SMTP commands that cause buffer overflows, and the SMTP message screener blocks spam and mail containing dangerous attachments.





ISA Server’s RPC filtering protects against exploits and malicious code directed to the RPC services and ensures that only valid connections get through to the Exchange server.





ISA Server’s DNS filtering prevents application layer attacks aimed at published DNS servers, and the POP3 filters protect published POP3 mail servers from attack.
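A few of the attack classes in the ISA Server 2004 intrusion detection list above, written out as detection logic run over constructed packets (Land, port scan, DNS host name/length overflow, SMTP buffer overflow). This is an added example, not ISA Server code; the packet records, the port-scan threshold and the RFC-derived size limits are assumptions made here.

```python
"""Detectors for several attack classes on ISA Server 2004's intrusion detection
list: Land, port scan, DNS host name/length overflow and SMTP buffer overflow.
Added example over constructed packets; it is not ISA Server code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes = b""

def is_land(p: Packet) -> bool:
    """Land: source address/port equal the destination's (old stacks replied to themselves)."""
    return p.src_ip == p.dst_ip and p.src_port == p.dst_port

def dns_qname(payload: bytes) -> Optional[str]:
    """First question name of a DNS message (12-byte header, then length-prefixed
    labels); None when the message is truncated or uses a compression pointer."""
    pos, labels = 12, []
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length >= 0xC0 or pos + 1 + length > len(payload):
            return None
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

DNS_MAX_LABEL, DNS_MAX_NAME = 63, 255     # RFC 1035 limits
def dns_overflow(qname: str) -> Optional[str]:
    """DNS host name / length overflow: a name exceeding the RFC 1035 limits."""
    if any(len(label) > DNS_MAX_LABEL for label in qname.split(".")):
        return "DNS label longer than 63 octets"
    if len(qname) > DNS_MAX_NAME:
        return "DNS name longer than 255 octets"
    return None

SMTP_MAX_LINE = 512                       # RFC 5321 command line limit
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS"}
def smtp_overflow(line: bytes) -> Optional[str]:
    """SMTP buffer overflow: an over-long command line or an unknown verb."""
    if len(line) > SMTP_MAX_LINE:
        return "SMTP command line longer than 512 octets"
    verb = line.split(b" ", 1)[0].strip().upper().decode("ascii", "replace")
    if verb not in SMTP_VERBS:
        return f"unknown SMTP verb {verb!r}"
    return None

class PortScanDetector:
    """Alert exactly once when a source touches more than `threshold` distinct
    destination ports on one host."""
    def __init__(self, threshold: int = 10) -> None:
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, p: Packet) -> bool:
        ports = self.seen[(p.src_ip, p.dst_ip)]
        ports.add(p.dst_port)
        return len(ports) == self.threshold + 1

def analyse(packets: List[Packet]) -> List[str]:
    """Run every detector over a packet list and return the alerts raised."""
    scan, alerts = PortScanDetector(threshold=10), []
    for p in packets:
        if is_land(p):
            alerts.append(f"LAND from {p.src_ip}:{p.src_port}")
        if scan.observe(p):
            alerts.append(f"PORT SCAN {p.src_ip} -> {p.dst_ip}")
        reason = None
        if p.proto == "udp" and p.dst_port == 53:
            name = dns_qname(p.payload)
            reason = "malformed DNS query" if name is None else dns_overflow(name)
        elif p.proto == "tcp" and p.dst_port == 25 and p.payload:
            reason = smtp_overflow(p.payload)
        if reason:
            alerts.append(f"{reason} from {p.src_ip}")
    return alerts

def build_dns_query(labels: List[bytes]) -> bytes:
    """Constructed DNS query: fixed header, wire-format name, QTYPE/QCLASS A/IN."""
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + name + b"\x00\x01\x00\x01"

SAMPLE = (   # constructed sample traffic (RFC 5737 documentation addresses)
    [Packet("203.0.113.5", "203.0.113.5", "tcp", 139, 139)]                # Land
    + [Packet("198.51.100.7", "203.0.113.10", "tcp", 40000 + i, i) for i in range(1, 13)]  # sweep
    + [Packet("198.51.100.9", "203.0.113.53", "udp", 5353, 53,
              build_dns_query([b"a" * 80, b"example", b"com"]))]          # 80-octet label
    + [Packet("198.51.100.9", "203.0.113.25", "tcp", 5000, 25,
              b"HELO " + b"X" * 600 + b"\r\n")]                            # 607-octet line
)
```

`analyse(SAMPLE)` raises exactly four alerts, one per planted event; a port sweep alerts once rather than on every packet past the threshold.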






WatchGuard: VPN Support






The number of VPN tunnels and VPN throughput for WatchGuard Fireboxes varies widely depending on the model. The lower cost appliances (SOHO, Firebox III 700, Firebox V10) support a low number or no VPN clients. VPN support for various models is shown in Table 3.5.

Table 3.5: WatchGuard Model-by-Model VPN Support Comparison

| Model | VPN throughput | Max VPN clients | Free VPN clients included | VPN sites |
| --- | --- | --- | --- | --- |
| SOHO 6 | 20 Mbps | 5 | 0 | 1/5 |
| Firebox III 700 | | 150 | 0 | 1000 |
| Firebox III | 75 Mbps | 1000 | 50 | 1000/2500 |
| Firebox V10 | 20 Mbps | 0 | 0 | 10 |
| Firebox V60 | 100 Mbps | 400* | 20 | 400* |
| Firebox V80 | 150 Mbps | 8000* | 20 | 8000* |
| Firebox V100 | 300 Mbps | 20,000* | 20 | 20,000* |

*Total client plus site connections





Firebox V80, WatchGuard’s enterprise level firewall, supports the following VPN protocols:

IPSec with IKE
L2TP over IPSec for external L2TP servers
PPTP over IPSec for external PPTP servers

IPSec Security Services:
Tunnel and Transport Mode
ESP (Encapsulating Security Payload)
AH (Authentication Header)
AH + ESP

IPSec Encryption and Authentication:
DES and 3DES
MD5 and SHA-1
RSA
Digital Signature Standard (DSS)

Certificate Management:
Automatic Certificate Revocation List (CRL) through LDAP Server
Digital Certificates X.509 v2 and v3, PKCS #10, and PKCS #7











WatchGuard Fireboxes require a proprietary Mobile User VPN client, which must be distributed, along with security configuration policy, to each client machine. The VPN client includes personal firewall software for the client computer.





How does ISA Server 2004 compare? ISA Server 2004’s VPN wizards make it easy to set up VPNs. ISA Server supports the use of the Connection Manager Administration Kit (CMAK) to create VPN connectoids that allow users to connect to the VPN server with one click, and supports an automatically downloadable phone book. CMAK also allows you to customize routes for VPN clients. CMAK wizards make it easier for the administrator as well as the user.





ISA Server uses the IETF standard L2TP/IPSec NAT Traversal (NAT-T) protocol to connect to Windows Server 2003 VPNs. ISA Server 2004 supports DES, 3DES, and AES encryption.





ISA Server 2004 supports both remote access and site-to-site VPNs. ISA Server can apply firewall policy to the VPN interfaces.





ISA Server 2004 supports both Microsoft PPTP and L2TP clients. ISA Server does not require any software to be added to VPN clients. ISA Server supports the PPTP and L2TP/IPSec VPN clients that are built into Windows 9x/ME, Windows XP, Windows NT, 2000, and Server 2003 operating systems.





ISA Server’s VPN quarantine allows administrators to enforce specific conditions that VPN clients must meet before being allowed to connect (for example, the latest service pack and updates must be installed, and anti-virus and personal firewall software must be installed and operational) and to direct clients to a server from which they can download and install the required updates. This goes further than WatchGuard’s Mobile User VPN client, which enforces the use and updating of firewall software.






WatchGuard: Web Caching






WatchGuard appliances do not include Web caching functionality. Web caching/acceleration can be added to a network using WatchGuard products by implementing a caching solution such as ISA Server on the network.





How does ISA Server 2004 compare? ISA Server 2004 includes Web caching functionality at no extra charge. Forward caching allows the ISA Server 2004 firewall to cache objects retrieved by internal users from external Web servers. Reverse caching allows the ISA Server 2004 firewall to cache objects retrieved by remote users from servers that have been published by the ISA Server 2004 firewall. Web objects requested by remote users are cached on the ISA Server 2004 firewall, and subsequent requests for the same objects are served from the firewall’s Web cache instead of forwarding the request to the published Web server located behind the ISA Server 2004 firewall.





Fast RAM caching allows the ISA Server 2004 firewall to keep most frequently accessed items in memory. This optimizes response time by retrieving items from memory rather than from disk. ISA Server 2004 gives you an optimized disk cache store that minimizes disk access for both read and write operations. ISA Server 2004 also supports Web proxy chaining, which allows the ISA Server 2004 firewall to forward Web requests to an upstream Web proxy server.





Comparing ISA 2004 to Symantec Enterprise Firewall






Symantec is well known for the popular Norton anti-virus software and its comprehensive virus database available on the Web. The company posted a 31 percent increase in revenues for fiscal third quarter ending 01/02/2004. Enterprise security, administration, and services represented 51 percent of total revenues (Source: http://www.symantec.com/press/2004/n040121l).





Symantec markets low-cost basic firewall/VPN appliances for SOHO, small businesses and remote locations, as well as enterprise-level gateway security appliances that provide application layer filtering, centralized management, and high availability. Symantec also offers a software firewall product that runs on the Windows and Solaris operating systems.





In this section, we will provide an overview of Symantec Enterprise firewall software and appliances. We will look at Symantec’s general specifications, platform support and system requirements, application layer filtering capabilities, VPN support and Web caching abilities, and examine how ISA Server 2004 stacks up against them.






Symantec: General Specifications






Symantec’s firewall/VPN products that are available at the time of this writing can be broken into three major categories, as shown in Table 3.6.

Table 3.6: Symantec Firewall/VPN Product Categories

| Firewall/VPN appliances (small/remote office) | Gateway security appliances (enterprise) | Firewall/VPN software (enterprise) |
| --- | --- | --- |
| Symantec Firewall/VPN 100 | SGS 5420 | Symantec Enterprise Firewall |
| Symantec Firewall/VPN 200 | SGS 5440 | |
| Symantec Firewall/VPN 200R | SGS 5460 | |
Table 3.7 shows key features of Symantec’s small/remote office firewall/VPN appliances at the time of this writing:

Table 3.7: Symantec Small/Remote Office Firewall/VPN Model-by-Model Comparison

| Feature | Firewall/VPN 100 | Firewall/VPN 200 | Firewall/VPN |
| --- | --- | --- | --- |
| Stateful inspection firewall functionality | Yes | Yes | Yes |
| Intrusion detection | Yes | Yes | Yes |
| Remote access VPN | No | No | Yes |
| Gateway-to-Gateway VPN | Yes | Yes | Yes |
| VPN client included | No | No | Yes |
| IPSec/VPN pass-through | Yes | Yes | Yes |
| DSL/cable interface | Yes | Yes | Yes |
| T-1/ISDN interface | Yes | Yes | Yes |
| PPPoE support | Yes | Yes | Yes |
| 10/100 LAN ports | 4 | 8 | 8 |
| WAN ports | 1 | 2 | 2 |
| Load balancing | No | Yes | Yes |
| Number of users (recommended) | 15-25 | 30-40 | 30-40 |
| Failover | Analog dialup with external modem | Analog dialup with external modem | Analog dialup with external modem |
| Configuration | Web interface | Web interface | Web interface |
| Processor | ARM7 | ARM7 | ARM7 |
| WAN throughput (bi-directional) | 8 Mbps | 8 Mbps | 8 Mbps |
| Web caching | No | No | No |
| Application layer content filtering | No | No | No |
| Built-in DHCP server | Yes | Yes | Yes |
| NAT | Yes | Yes | Yes |










Symantec’s current enterprise gateway security appliances, at the time of this writing, comprise the 5400 series (SGS 5430, SGS 5440 and SGS 5460). Table 3.8 compares features of the three enterprise gateway security appliances.

Table 3.8: Symantec Enterprise Gateway Appliance Model-by-Model Comparison

| Feature | SGS 5420 | SGS 5440 | SGS 5460 |
| --- | --- | --- | --- |
| Stateful inspection firewall functionality | Yes | Yes | Yes |
| WAN ports | 6 | 6 | 8 |
| 10/100 ports | 6 | 0 | 0 |
| Gigabit ports | 0 | 6 | 8 |
| Maximum nodes (recommended) | 500 | 2500 | 4500 |
| Concurrent connections | 64,000 | 190,000 | 200,000 |
| Stateful throughput | 200 Mbps | 1.4 Gbps | 1.8 Gbps |
| Full inspection | 95 Mbps | 680 Mbps | 730 Mbps |
| VPN w/3DES | 90 Mbps | 400 Mbps | 600 Mbps |
| Memory | 512 MB | 1 GB | 2 GB |
| Hard disk | 40 GB | 80 GB | 80 GB |
| Signature-based intrusion detection | Yes | Yes | Yes |
| IPSec compliant VPN | Yes | Yes | Yes |
| Application layer inspection | Yes | Yes | Yes |
| HTTP content filtering | Yes | Yes | Yes |
| Web caching | No | No | No |
| Anti-spam protection | Yes | Yes | Yes |










Symantec markets two software packages that are designed to run on Windows NT/2000 or Solaris; these are the Symantec Enterprise Firewall and Symantec Enterprise VPN. The current version is 7.0 at the time of this writing. The Symantec Enterprise Firewall is ICSA certified.





This software is also the basis for the enterprise security gateway appliances. Symantec Enterprise Firewall 7.0 includes:

Hybrid architecture firewall
Deep packet inspection
Application proxy
Automated system hardening
Wide range of user authentication methods (RADIUS, LDAP, digital certificates, S/Key, Defender, SecurID, Windows domain authentication)
Integrated Web content filtering
Integrated load balancing
EAL-4 certification
AES support
NAT: both inbound and outbound for VPN and non-VPN traffic
WebNOT URL filtering

Symantec Enterprise VPN includes:

Support for IPSec VPNs; interoperates with other IPSec-compliant VPN clients and servers
Operates independently of the firewall and integrates into networks with non-Symantec firewalls
One-step configuration and one-step connect
Remote centralized management for large-scale deployments.











The cost of the Symantec firewall/VPN appliances for small or remote offices, at the time of this writing, is as follows:

Symantec Firewall/VPN 100: $499
Symantec Firewall/VPN 200: $899
Symantec Firewall/VPN 200R: $1199

The cost of the Symantec enterprise gateway security appliances, at the time of this writing, is shown in the following list. These prices are for a base license (50-node firewall, one client-to-gateway VPN session).

Symantec SGS 5420: $2999.99
Symantec SGS 5440: $6899.98
Symantec SGS 5460: $11,534.98

A base license is for a 50-node firewall, unlimited gateway-to-gateway VPN, and one client-to-gateway VPN session. The base license also includes one year of Gold Maintenance support service and content updates of virus definitions, attack signatures, and URL filtering via LiveUpdate.

The appliance itself contains all supported security features, but several of the security functions have to be licensed separately, including the following:

Optional Event Manager plug-in for centralized logging, alerting and reporting
Optional Advanced Manager plug-in (includes Event Manager) for centralized management of rule sets and security policies
Optional high availability and load balancing
Optional enhanced anti-virus engine
Optional hybrid anomaly intrusion prevention and detection engine (real-time monitoring, detection and prevention using protocol anomaly detection and attack signatures)
Additional concurrent VPN sessions












Symantec: Platform Support and System Requirements






SGS is based on the Raptor firewall plus the Recourse Intrusion Detection System (IDS) plus Symantec’s Antivirus. The software version of the Symantec Enterprise Firewall will run on Windows NT/2000 or Solaris. Windows machines require a 400 MHz PIII processor, 256MB of RAM, and 8 GB of disk space. Solaris machines require Solaris 7 or 8, Sun UltraSPARC I or II sbus or PCI bus, 256MB of RAM and 8 GB of disk space.





How does ISA Server 2004 compare? ISA Server 2004 runs on standard Intel PCs that are easily upgraded and can be installed on Windows 2000 Server or Windows Server 2003, providing a standardized, familiar management interface and the flexibility to use hardware of your choice.





The Windows Server 2003 OS can be “hardened” by applying a series of special profiles included in Server 2003 SP2 for the Security Configuration wizard. Microsoft also provides a system hardening guide that includes specific configuration recommendations and deployment strategies for ISA Server 2004. The document can be downloaded at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.






Symantec: Application Layer Filtering Capabilities






Symantec provides application layer filtering for intrusion detection, HTTP and SMTP/POP3 protection, and FTP filtering (virus and attack protection). The firewall uses ManHunt (which Symantec purchased from Recourse Technologies) for IDS. ManHunt can monitor as a passive IDS or actively block specified attacks. Symantec uses WebNOT content filtering for URL screening. Anti-spam filtering is also sold as a separate optional function.





How does ISA Server 2004 compare? ISA Server 2004’s built-in intrusion detection examines the HTTP, POP3, IMAP, SMTP, FTP, and DNS protocols. ISA Server 2004 performs intelligent stateful inspection using “smart” application filters. Not only can you determine the validity of data moving through the firewall in request and response headers, you can also filter by “signature” (text string) for keyword filtering or filter for particular file types.





ISA Server 2004 inspects all aspects of HTTP communications. The SMTP filter protects against invalid SMTP commands that cause buffer overflows, and the SMTP message screener blocks spam and mail containing dangerous attachments. ISA Server’s RPC filtering protects against exploits and malicious code directed to the RPC services and ensures that only valid connections get through to the Exchange server. DNS filtering prevents application layer attacks aimed at published DNS servers, and the POP3 filters protect published POP3 mail servers from attack.





ISA Server was built from the beginning to perform ALF, and ISA Server’s SDK allows easy development of new Web and application filters.
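The HTTP application filtering that the SonicWall, WatchGuard and Symantec comparisons above attribute to ISA Server 2004 (request validation, blocking by file type, and blocking by a text-string signature in the request line, headers or body), as an added example that is not ISA Server code. The policy, the User-Agent signature and the sample requests are constructed for illustration.

```python
"""Application-layer HTTP filter in the spirit of the ISA Server 2004 HTTP filter
described above: validates request framing, blocks chosen file types and blocks
requests carrying a configured signature (text string) in the request line,
headers or body. Added example; it is not ISA Server code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

@dataclass
class HttpPolicy:
    allowed_methods: Set[str] = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    blocked_extensions: Set[str] = field(default_factory=lambda: {".exe", ".scr", ".pif"})
    # (region, signature) where region is "request-line", "headers" or "body"
    signatures: List[Tuple[str, bytes]] = field(default_factory=list)
    max_url_length: int = 2048

def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Split a raw HTTP/1.x request into (method, target, headers, body);
    None when the framing is not valid HTTP, so it is never forwarded."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body

def filter_request(raw: bytes, policy: HttpPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request under the policy."""
    parsed = parse_request(raw)
    if parsed is None:
        return False, "malformed request"
    method, target, headers, body = parsed
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(target) > policy.max_url_length:
        return False, "URL too long"
    if "content-length" in headers:      # framing must agree with the body actually sent
        declared = headers["content-length"]
        if not declared.isdigit() or int(declared) != len(body):
            return False, "Content-Length does not match body"
    path = urlsplit(target).path.lower()
    for ext in sorted(policy.blocked_extensions):
        if path.endswith(ext):
            return False, f"blocked file type {ext}"
    head = raw.split(b"\r\n\r\n", 1)[0].lower()
    request_line, _, header_block = head.partition(b"\r\n")
    regions = {"request-line": request_line, "headers": header_block, "body": body.lower()}
    for region, sig in policy.signatures:   # case-insensitive text-string signatures
        if sig.lower() in regions[region]:
            return False, f"signature {sig!r} matched in {region}"
    return True, "ok"

# Constructed policy: block a peer-to-peer client by its User-Agent string and
# script tags in submitted form bodies (illustrative values, not a real rule set).
POLICY = HttpPolicy(signatures=[("headers", b"user-agent: kazaa"), ("body", b"<script")])

SAMPLES = {   # constructed requests
    "page": b"GET /news/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "exe": b"GET /downloads/setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "p2p": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: KazaaClient\r\n\r\n",
    "post": b"POST /form HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 16\r\n\r\n"
            b"x=<script>a()</s",
    "junk": b"\x16\x03\x01\x00\xa5\x01\x00",    # TLS bytes on the HTTP port, not HTTP
}

def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Filter every sample request and collect the decisions."""
    return {name: filter_request(raw, POLICY) for name, raw in SAMPLES.items()}
```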






Symantec: VPN Support






The Symantec Enterprise VPN 7.0 runs on Windows NT/2000 and Solaris 7/8 and is included in the Enterprise Gateway appliances. The Symantec Enterprise VPN client runs on Windows 9x, ME, 2000, NT 4.0 and XP. Enterprise VPN software is integrated with the Enterprise Firewall software on Symantec’s security appliances.





Symantec Enterprise VPN includes:

Support for IPSec VPNs; interoperates with other IPSec-compliant VPN clients and servers
Operation independent of the firewall; integrates into networks with non-Symantec firewalls
One-step configuration for administrators and one-step connect for clients
Remote centralized management for large-scale deployments.











The Enterprise VPN client includes personal firewall software; remote policies create a bootstrap file for clients, and the VPN server performs ProxySecured scanning of VPN connections.





How does ISA Server 2004 compare? In ISA Server 2004, the number of simultaneous VPN connections depends on the operating system on which it is installed, starting at 1000 (Standard Edition) and going up from there. ISA Server supports IPSec VPNs for site-to-site connections and both PPTP and the more secure L2TP for remote access connections. ISA Server can apply firewall policy to the VPN interfaces.





ISA Server does not require any software to be added to VPN clients. ISA Server supports the PPTP and L2TP/IPSec VPN clients that are built into Windows 9x/ME, Windows XP, Windows NT, 2000, and Server 2003 operating systems.





ISA Server’s VPN quarantine allows administrators to enforce specific conditions VPN clients must meet before being allowed to connect (for example, latest service pack/updates must be installed) and direct clients to server to download and install the required updates.





ISA Server’s VPN quarantine is a function of Windows Server 2003 and allows you to block VPN access if the client does not meet pre-defined configuration criteria, including installation of current service packs and hotfixes, operational anti-virus and firewall. No proprietary client software is required to use VPN-Q, and there is no extra cost to apply it to any number of clients up to the limits of the operating system.
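The VPN quarantine decision described in the SonicWall, WatchGuard and Symantec VPN comparisons above (check the client's posture, hold it where only the remediation server is reachable, release it once a fresh report complies), as an added example that is not ISA Server or Windows Server 2003 code. The policy values, the hotfix placeholders and the client reports are constructed.

```python
"""Model of the VPN quarantine decision described above: a client that fails the
posture checks is held where it can reach only the remediation server, and is
released once a fresh report passes. Added example with a constructed policy and
client reports; it is not the Windows Server 2003 RQS/RQC implementation."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Set

@dataclass
class QuarantinePolicy:
    min_service_pack: int
    required_hotfixes: Set[str]
    max_signature_age_days: int
    remediation_server: str      # the one host a quarantined client may reach

@dataclass
class ClientPosture:             # what the client-side quarantine script reports
    service_pack: int
    hotfixes: Set[str]
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool

@dataclass
class Decision:
    released: bool
    failed_checks: List[str] = field(default_factory=list)
    reachable: Set[str] = field(default_factory=set)   # "*" means the whole network

def evaluate(posture: ClientPosture, policy: QuarantinePolicy, today: date) -> Decision:
    """Apply every policy check; any failure keeps the client in quarantine."""
    failed: List[str] = []
    if posture.service_pack < policy.min_service_pack:
        failed.append(f"service pack {posture.service_pack} below required {policy.min_service_pack}")
    missing = sorted(policy.required_hotfixes - posture.hotfixes)
    if missing:
        failed.append("missing hotfixes: " + ", ".join(missing))
    if not posture.av_running:
        failed.append("anti-virus not running")
    elif (today - posture.av_signature_date).days > policy.max_signature_age_days:
        failed.append("anti-virus signatures out of date")
    if not posture.firewall_enabled:
        failed.append("personal firewall disabled")
    if failed:
        return Decision(False, failed, {policy.remediation_server})
    return Decision(True, [], {"*"})

def access_allowed(decision: Decision, host: str) -> bool:
    """Firewall policy on the VPN interface: may this client reach `host`?"""
    return "*" in decision.reachable or host in decision.reachable

def remediate(posture: ClientPosture, policy: QuarantinePolicy, today: date) -> ClientPosture:
    """What the remediation server hands out; the client then reports again."""
    return ClientPosture(max(posture.service_pack, policy.min_service_pack),
                         posture.hotfixes | policy.required_hotfixes,
                         True, today, True)

# Constructed policy and reports; the hotfix IDs are placeholders, not real KB numbers.
POLICY = QuarantinePolicy(min_service_pack=1,
                          required_hotfixes={"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
                          max_signature_age_days=7,
                          remediation_server="updates.corp.example")
TODAY = date(2004, 6, 3)
COMPLIANT = ClientPosture(1, {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, True, date(2004, 6, 1), True)
STALE = ClientPosture(1, {"KB-EXAMPLE-1"}, True, date(2004, 4, 1), False)

def quarantine_session(posture: ClientPosture) -> List[Decision]:
    """Connect; if quarantined, remediate once and report again."""
    first = evaluate(posture, POLICY, TODAY)
    if first.released:
        return [first]
    return [first, evaluate(remediate(posture, POLICY, TODAY), POLICY, TODAY)]
```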






Symantec: Web Caching






Symantec firewalls do not perform Web caching. A separate appliance or third-party Web caching solution must be implemented to provide this functionality on the network.





How does ISA Server 2004 compare? ISA Server 2004 includes Web caching functionality at no extra charge. Forward caching allows the ISA Server 2004 firewall to cache objects retrieved by internal users from external Web servers. Reverse caching allows the ISA Server 2004 firewall to cache objects retrieved by remote users from servers that have been published by the ISA Server 2004 firewall. Web objects requested by remote users are cached on the ISA Server 2004 firewall, and subsequent requests for the same objects are served from the firewall’s Web cache instead of forwarding the request to the published Web server located behind the ISA Server 2004 firewall.





Fast RAM caching allows the ISA Server 2004 firewall to keep most frequently accessed items in memory. This optimizes response time by retrieving items from memory rather than from disk. ISA Server 2004 gives you an optimized disk cache store that minimizes disk access for both read and write operations. ISA Server 2004 also supports Web proxy chaining, which allows the ISA Server 2004 firewall to forward Web requests to an upstream Web proxy server.





Comparing ISA 2004 to Blue Coat SG






Blue Coat Systems is one of the few ISA Server competitors that market an integrated firewall and Web caching solution. It was originally known as CacheFlow; in 2002 the company changed its name and shifted its focus to the security market. The company’s Web site claims more than 3,000 customers and over 14,000 appliances shipped worldwide, with over 70 percent of the Dow Jones Industrial companies as customers. According to IDC, Blue Coat has a 33 percent share of the content management market, making it number one in that area. Blue Coat appliances are ICSA certified.

In this section, we provide an overview of Blue Coat SG appliances. We look at Blue Coat’s general specifications, platform support and system requirements, application layer filtering capabilities, VPN support and Web caching abilities, and examine how ISA Server 2004 stacks up against them.






Blue Coat: General Specifications






Blue Coat offers three series of security and caching appliances:

- SG 400: designed for small to medium sized businesses with up to 250 users
- SG 800: designed for enterprise networks with up to 2,000 users
- SG 8000: designed for enterprise networks with 1,000 to 10,000+ users, providing an expandable modular platform that allows customization of disk size, memory and interfaces











Configurations of the different models are shown in Table 3.9.

Table 3.9: Blue Coat SG Model-by-Model Comparison

Model       Disk                               Memory   Interfaces
SG400-0     One 40GB IDE                       256MB    Two 10/100
SG400-1     Two 40GB IDE                       512MB    Two 10/100
SG800-0     One 18GB or one 36GB Ultra SCSI    512MB    Two 10/100
SG800-0B    Two 18GB or two 36GB Ultra SCSI    768MB    Two 10/100
SG800-1     One 73GB Ultra SCSI                1GB      Two 10/100; one expansion slot for 10/100, 10/100/1000 or SX
SG800-2     Two 73GB Ultra SCSI                1.5GB    Two 10/100; one expansion slot for 10/100, 10/100/1000 or SX
SG800-3     Four 73GB Ultra SCSI               2GB      Two 10/100; one expansion slot for 10/100, 10/100/1000 or SX
SG8000-1*   Two 15,000 RPM 73GB                1GB      Four 10/100/1000
SG8000-2*   Four 15,000 RPM 73GB               2GB      Four 10/100/1000
SG8000-3*   Six 15,000 RPM 73GB                3GB      Four 10/100/1000
SG8000-4*   Eight 15,000 RPM 73GB              4GB      Four 10/100/1000

* SG8000 series are all dual processor with two 3.2GHz Xeon processors





Cost of the Blue Coat SG appliances, at the time of this writing, is as follows:

- SG400 starts at $3,495
- SG800 starts at $5,995
- SG8000 starts at $40,000

The content filtering license costs extra; for 500 users, a two-year site license costs $9,140 at the time of this writing.






Blue Coat: Platform Support and System Requirements






Blue Coat appliances run on a proprietary hardened operating system, SGOS. SGOS and the integrated firewall and caching software are installed on proprietary disk-based appliance hardware (not ASIC).

How does ISA Server 2004 compare? ISA Server 2004 runs on standard Intel PCs that are easily upgraded and can be installed on Windows 2000 Server or Windows Server 2003, providing a standardized, familiar management interface and the flexibility to use hardware of your choice. This makes ISA Server more scalable than appliances that are tied to their hardware and more user-friendly than Blue Coat. The trade-off is that a firewall on a general-purpose operating system inherits that system’s attack surface and patch cycle, so hardening the host is part of the deployment rather than an afterthought.

The Windows Server 2003 OS can be “hardened” with the Security Configuration Wizard (introduced in Windows Server 2003 Service Pack 1), which applies role-based profiles that disable the services and ports the firewall host does not need. Microsoft also provides a system hardening guide that includes specific configuration recommendations and deployment strategies for ISA Server 2004. The document can be downloaded at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.






Blue Coat: Application Layer Filtering Capabilities






Blue Coat policy is written in Content Policy Language (CPL), either directly or through the Visual Policy Manager, and the appliances also support access control lists (ACLs). CPL rules act on proxied transactions (user, URL, content type, and so on) rather than on individual packets, which is the appropriate level for a proxy-based product. The SG appliances support NTLM, LDAP, and RADIUS authentication.

The Blue Coat SG appliances support content filtering via the major filtering vendors (WebSense, SurfControl, SmartFilter). Policies can be defined to provide MIME-type filtering, and filtering of content headers is supported. Third-party anti-virus software is required to filter for malicious code downloaded from the Web: the SG appliances integrate with Symantec and Trend Micro via ICAP for real-time AV scanning of Web content.

Active content can be blocked, Web content can be stripped and replaced, and the information in content headers can be limited, stripped, or replaced. You can block or log peer-to-peer and IM traffic, and control clients’ actions (for example, prevent them from downloading files). Pop-up ad blocking is also included.

Blue Coat uses a “policy-processing engine” that utilizes security triggers based on a variety of factors, including users/groups, protocols, time of day, location, or content type.

Blue Coat appliances support bandwidth management.





How does ISA Server compare? ISA Server provides packet filtering, circuit filtering and application layer filtering, along with stateful inspection/stateful filtering. ISA Server includes deep application layer filtering at no extra cost.

ISA Server 2004 performs intelligent stateful inspection using “smart” application filters. Not only can you determine the validity of data moving through the firewall in request and response headers, you can also filter by “signature” (a text string in the request line, a header or the body) for keyword filtering, or filter for particular file types by extension.

ISA Server 2004 inspects all aspects of HTTP communications: allowed methods, maximum URL and header lengths, file extensions, high-bit characters and text signatures. The SMTP filter protects published mail servers from malformed or over-long SMTP commands of the kind used to trigger buffer overflows, and the SMTP Message Screener blocks spam and mail containing dangerous attachments.
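As an added illustration of the kind of checks such an HTTP application filter performs, here is example code written for this page, not ISA Server’s implementation. The policy limits, the signature list, the blocked-extension list and the sample requests are constructed assumptions chosen to exercise each check.

```python
# Added example (not ISA Server's code): an HTTP request screener in the spirit of
# the ISA Server 2004 HTTP filter. Policy values and sample requests are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpPolicy:
    allowed_methods: Tuple[str, ...] = ("GET", "HEAD", "POST")
    max_request_line: int = 2048      # assumed limits; ISA exposes similar per-rule maximums
    max_header_line: int = 1024
    blocked_extensions: Tuple[str, ...] = (".exe", ".scr", ".pif")
    # (where, substring): "request-line", "body", or a lower-case header name
    signatures: Tuple[Tuple[str, str], ...] = (
        ("user-agent", "msn messenger"),   # IM client tunnelling over HTTP
        ("request-line", "../"),           # directory traversal in the URL
    )
    block_high_bit: bool = True           # ISA's "block high bit characters" option


DEFAULT_POLICY = HttpPolicy()


def inspect_request(raw: bytes, policy: HttpPolicy = DEFAULT_POLICY) -> Tuple[str, str]:
    """Return ("allow", "") or ("deny", reason) for one raw HTTP request.

    The screener fails closed: a request that does not parse as HTTP is denied,
    because an application filter that forwards what it cannot parse protects nothing.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("deny", "incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > policy.max_request_line:
        return ("deny", "request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ("deny", "malformed request line")
    if policy.block_high_bit and any(b > 0x7F for b in request_line):
        return ("deny", "high-bit characters in request line")
    method = parts[0].decode("ascii", "replace")
    if method not in policy.allowed_methods:
        return ("deny", "method %s not allowed" % method)
    path = urlsplit(parts[1].decode("ascii", "replace")).path.lower()
    for ext in policy.blocked_extensions:
        if path.endswith(ext):
            return ("deny", "blocked extension %s" % ext)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if len(line) > policy.max_header_line:
            return ("deny", "header line too long")
        name, colon, value = line.partition(b":")
        if not colon:
            return ("deny", "malformed header")
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("latin-1")
    for where, needle in policy.signatures:
        if where == "request-line":
            haystack = request_line.decode("latin-1")
        elif where == "body":
            haystack = body.decode("latin-1")
        else:
            haystack = headers.get(where, "")
        if needle.lower() in haystack.lower():
            return ("deny", "signature %r in %s" % (needle, where))
    return ("allow", "")


def response_is_executable(body: bytes) -> bool:
    """ISA's 'block responses containing Windows executable content' keys on the
    MZ magic at the start of the body, not on the file extension."""
    return body[:2] == b"MZ"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "exe_download": b"GET /downloads/setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "im_tunnel": b"POST /gateway/gateway.dll HTTP/1.1\r\nHost: gw.example\r\nUser-Agent: MSN Messenger 6.2\r\n\r\n",
    "traversal": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "long_url": b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "webdav": b"PROPFIND /share/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "truncated": b"GET / HTTP/1.1\r\nHost: www.example.com",
}


def screen_all(policy: HttpPolicy = DEFAULT_POLICY) -> Dict[str, str]:
    """Verdict per sample: only plain_get should be allowed."""
    return {name: inspect_request(raw, policy)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-13s %s %s" % (name, *inspect_request(raw)))
```

The point of the example is the order of the checks: length limits and syntax are enforced before anything is decoded, the method allow-list runs before the URL is interpreted, and the executable check looks at the response body rather than trusting the extension, which is what separates an application filter from a port-based rule.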





ISA Server’s RPC filtering protects from exploits and malicious code directed to the RPC services and ensures that only valid connections get through to the Exchange server.





DNS filtering prevents application layer attacks aimed at published DNS servers and the POP3 filters protect published POP3 mail servers from attack.






Blue Coat: VPN Support






VPN support is not included in the basic Blue Coat Firewall and Web caching appliances.





How does ISA Server 2004 compare? ISA Server 2004 supports the following VPN protocols:

- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol/IPSec (L2TP/IPSec)
- IPSec tunnel mode (site-to-site connections only, for interoperability with third-party gateways)

The ISA Server 2004 VPN feature supports two types of VPN connections:

- Remote access VPN
- Site-to-site VPN

Firewall access policies are applied to VPN remote access and site-to-site connections, so a VPN client or a remote site is treated as a network subject to rules rather than as a trusted extension of the internal network. ISA Server uses the PPTP and L2TP/IPSec VPN clients included with Windows, so no third-party client software is needed.






Blue Coat: Web Caching






The SG appliances support the following:

- Forward caching
- Reverse caching
- Active caching
- Distributed caching
- Hierarchical caching
- Streaming media caching

Client browsers can be automatically configured via a Proxy Auto-Configuration (PAC) file.

Reverse caching is deployed in front of the origin servers by using a layer 4/7 switch, or a router that supports WCCP, to redirect Web requests to the cache instead of the originating server.

Statistics (size, usage and changes) for all Web objects served are kept by the OS, then used to create “refresh patterns” for each object. These are used by the Active caching function. You cannot schedule the refreshing for particular times.





How does ISA Server 2004 compare? ISA Server 2004 includes forward caching, reverse caching of published servers, fast RAM caching, an optimized disk cache store and Web proxy chaining to an upstream proxy, all at no extra charge, as described in the Symantec Web caching comparison earlier in this chapter.





Comparing ISA 2004 to Open Source Firewalls






Open source firewalls are developed and distributed under the GNU General Public License (GPL) and other open source licenses; as with other open source programs, the source code is available free to anyone who wants it. This results in peer review that theoretically makes it easier for flaws in the software to be discovered and fixed.





Open source firewalls are popular with highly technical individuals (such as hackers, both of the black and white hat varieties) and those who advocate and are familiar with open source operating systems. The obvious advantage (cost) is often offset by the following disadvantages:











- Difficult to use: a high level of technical expertise is often required to configure open source software. Many (although not all) rely on command-line interfaces (CLI) and obscure commands that must be learned; this can take time, especially if administrators are not already familiar with the underlying OS.
- Lack of documentation: because the software is developed for free, programmers may have neither the time nor the inclination to prepare commercial-grade documentation and Help files. Combined with the less intuitive interfaces, this makes the learning curve for new users steeper and more frustrating, and thus adds hidden cost in terms of administrative time to get up to speed.
- Weak or missing logging and alerting; no real-time monitoring: these are “extra” features that are often left out of open source firewall products. They may be less important in a home or lab environment, but they are essential in a corporate environment where administrators must be able to track events, provide forensic information for investigation of security incidents, and justify decisions with well-documented information.

Despite these drawbacks, a number of open source firewall products have gained popularity in some business circles. Some of the most well established include ipchains/iptables, the Juniper Firewall Toolkit (FWTK) from Obtuse Systems (unrelated to Juniper Networks), and IPCop.






IPChains/IP Tables






ipchains is the packet filter built into the Linux 2.2 kernel; it provides packet filtering and Network Address Translation (often referred to as IP Masquerade in the Linux community). Administrators create rules that are applied to each incoming, forwarded or outgoing packet, and the rules are evaluated in the order in which they were added. Rules are grouped into “chains” for specified types of traffic.

ipchains performs firewall functionality in the traditional sense of the word: packet filtering at the network and transport layers of the OSI model. It can redirect higher-level stream-based protocols such as SMTP, POP, NNTP, and DNS, but it cannot examine the contents to ensure that the data inside the packets is valid for the protocol.

iptables, its successor in the Linux 2.4 kernel, is similar but performs stateful inspection through connection tracking, whereas ipchains is stateless. The practical difference is that ipchains can recognise a “reply” only by the TCP ACK bit, which an attacker can set on any packet, while iptables admits return traffic only for a connection it has actually seen established. Both support port redirection and are often used in conjunction with other products such as Squid or FWTK for application proxies.

VPN functionality can be added with free open source software that can be downloaded from the Internet.





How does ISA Server 2004 compare? ISA Server 2004 is a full-featured multi-layered firewall and Web-caching product that offers easy management through a graphical interface and enterprise-level performance and centralized management.





ISA Server provides sophisticated application layer filtering capability and built-in IDS functionality. ISA Server includes full VPN gateway functionality supporting PPTP, L2TP and IPSec VPNs.






FWTK/ipfirewall






The Juniper Firewall Toolkit was developed by Obtuse Systems (not related to Juniper Networks) to run on Linux and BSD/FreeBSD. It was based on ipfirewall and offered as a toolkit for building proxy firewalls.

ipfirewall (ipfw) is the kernel packet filter that comes with FreeBSD. It allows you to set up a machine as a packet-filtering router, or you can use it on machines that are not configured as routers as a host firewall to filter incoming and outgoing packets.

Using ipfirewall is anything but user friendly. You must add options to the operating system’s kernel configuration file and recompile the kernel. The default rule when you build in ipfirewall is “deny ip from any to any”, so everything is blocked until you add rules; if you enable it on a remote server without first adding rules that permit your own management traffic, you lock yourself out after the reboot.

Configuration is done through the ipfw utility. This is a command-line utility that can be used to enable and disable the firewall, add and delete rules, move them to different sets, and so on. Rules are numbered from 1 to 65535, and rule 65535 is the fixed default rule (allow or deny) that decides the fate of packets that match nothing else. The firewall compares each packet to the rules in numerical order and performs the action of the first matching rule (a few actions, such as count and log, fall through to the next rule), so the numbering of the rules is the policy.

Dynamic rules with limited lifetimes (keep-state and check-state) can be created to open the firewall “on demand” to legitimate return traffic for connections the firewall has already seen.
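To make the stateless-versus-stateful point from the ipchains/iptables discussion and the numbered first-match, default-deny, dynamic-rule semantics of ipfw concrete, here is an added model in Python. It is example code written for this page, not ipchains, iptables or ipfw code; the addresses, the two rulesets, the packets and the 300-second dynamic-rule lifetime are constructed assumptions.

```python
# Added example (not ipchains or ipfw code): a first-match packet-filter model that
# reproduces the semantics described above, with and without connection state.
# Addresses, rules and packets are constructed for the demonstration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag
    ts: float = 0.0       # arrival time in seconds on a constructed clock

@dataclass(frozen=True)
class Rule:
    number: int                 # ipfw-style rule number; evaluated in ascending order
    action: str                 # "allow" or "deny"
    proto: str = "ip"           # "ip" matches any protocol
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False         # match only a TCP SYN without ACK (ipfw "setup")
    established: bool = False   # match any packet with ACK set (ipchains "! -y", ipfw "established")
    keep_state: bool = False    # on match, record the flow so its replies pass (ipfw "keep-state")

DEFAULT_RULE = 65535            # ipfw's fixed last rule; the stock kernel makes it "deny ip from any to any"

def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _in_net(pkt.src, rule.src) or not _in_net(pkt.dst, rule.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True

Flow = Tuple[str, str, int, str, int]

class Firewall:
    def __init__(self, rules: List[Rule], stateful: bool, dyn_lifetime: float = 300.0):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.stateful = stateful
        self.dyn_lifetime = dyn_lifetime
        self.dynamic: Dict[Flow, Tuple[float, int]] = {}   # flow -> (expiry, creating rule)

    @staticmethod
    def _flow(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def evaluate(self, pkt: Packet) -> Tuple[str, int]:
        """Return (action, rule number) for the first matching rule."""
        if self.stateful:
            # Drop dynamic rules whose lifetime has run out.
            self.dynamic = {f: v for f, v in self.dynamic.items() if v[0] > pkt.ts}
            flow = self._flow(pkt)
            reverse = (flow[0], flow[3], flow[4], flow[1], flow[2])
            # check-state: a packet of a recorded flow, in either direction, passes and
            # refreshes the flow's lifetime.
            for f in (flow, reverse):
                if f in self.dynamic:
                    rule_no = self.dynamic[f][1]
                    self.dynamic[f] = (pkt.ts + self.dyn_lifetime, rule_no)
                    return ("allow", rule_no)
        for rule in self.rules:
            if _matches(rule, pkt):
                if self.stateful and rule.keep_state and rule.action == "allow":
                    self.dynamic[self._flow(pkt)] = (pkt.ts + self.dyn_lifetime, rule.number)
                return (rule.action, rule.number)
        return ("deny", DEFAULT_RULE)

INSIDE = "10.0.0.0/24"

# Stateless policy (ipchains style): a "reply" is anything with the ACK bit set.
STATELESS = [
    Rule(100, "allow", "tcp", src=INSIDE),                       # inside may open anything
    Rule(200, "allow", "tcp", dst=INSIDE, established=True),     # inbound ACK treated as a reply
    Rule(300, "allow", "tcp", dst=INSIDE, dport=25),             # published mail server
]

# Stateful policy (iptables/ipfw keep-state style): replies must belong to a recorded flow.
STATEFUL = [
    Rule(100, "allow", "tcp", src=INSIDE, setup=True, keep_state=True),
    Rule(300, "allow", "tcp", dst=INSIDE, dport=25, setup=True, keep_state=True),
]

# Constructed traffic: an outbound session, an inbound ACK scan against SMB, and a
# "reply" that arrives long after the dynamic rule's lifetime.
TRAFFIC = [
    ("outbound",   Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True, ts=0)),
    ("reply",      Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True, ts=1)),
    ("ack_scan",   Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 445, ack=True, ts=2)),
    ("late_reply", Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, ack=True, ts=900)),
]

def compare() -> Dict[Tuple[str, str], str]:
    """Verdict of each ruleset for each packet, keyed by (ruleset, packet name)."""
    verdicts = {}
    for label, fw in (("stateless", Firewall(STATELESS, stateful=False)),
                      ("stateful", Firewall(STATEFUL, stateful=True, dyn_lifetime=300))):
        for name, pkt in TRAFFIC:
            verdicts[(label, name)] = fw.evaluate(pkt)[0]
    return verdicts

if __name__ == "__main__":
    for (label, name), verdict in compare().items():
        print("%-9s %-10s %s" % (label, name, verdict))
```

Under the stateless ruleset the inbound packet to port 445 with only the ACK bit set is accepted by rule 200, because the ACK bit is the only notion of a reply a stateless filter has; this is exactly what an ACK scan exploits. The stateful ruleset denies it by the default rule, and also denies the packet that arrives after the dynamic rule has expired, which is the “limited lifetime” the text refers to.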





How does ISA Server 2004 compare? The comparison is the same as for ipchains/iptables above: ISA Server 2004 adds a graphical management interface, centralized management, application layer filtering, built-in IDS functionality and a full VPN gateway supporting PPTP, L2TP/IPSec and IPSec tunnel mode.






IPCop






IPCop is a user-friendly firewall that runs on Linux and is managed from a Web UI, so it can be managed remotely. It includes NAT functionality to protect a small LAN.

It is based on the Smoothwall code and licensed under the GNU GPL. The firewall is based on the kernel packet filter (ipchains), but the graphical interface makes it much easier to manage.

IPCop is more full-featured than command-line open source firewalls. It includes VPN (IPSec only) and the Snort IDS. It is implemented as an operating system/firewall combination installed as one package; the OS is a “cut down” Linux distribution with extra services removed.

IPCop supports up to three network interfaces, allowing you to set up a DMZ. The interfaces are color coded green, red and orange (for internal, external and DMZ) for ease of setup. Access from the DMZ network to the internal network can be provided via “DMZ pinholes”, which should be opened per service and per host, since each one is a hole in the boundary that justifies having a DMZ.

A Web proxy service (Squid) is included but disabled by default.





How does ISA Server 2004 compare? As with the other open source firewalls above: ISA Server 2004 adds a graphical management interface, centralized management, deep application layer filtering, built-in IDS functionality and a full VPN gateway supporting PPTP, L2TP/IPSec and IPSec tunnel mode, in a single supported product.




