FOR: Web cache, packet filter, stateful inspection and proxy-based firewall rolled into a single package; auto hardening of the underlying OS; centralized management and control using the Enterprise edition; basic intrusion detection capabilities – spots some attacks against the firewall.

AGAINST: Some might not be happy with Windows 2000 as the base OS for their firewall; configuration is not particularly intuitive.

VERDICT: Whilst this is not a bad attempt by Microsoft to produce a firewall and cache – and is certainly a huge improvement over the previous Proxy Server product – it will probably appeal mainly to those “Microsoft-only” shops. It is not as easy to configure as the best-of-breed Windows-based firewalls already on the market.

On the security front, the ISA Server includes an extensible, multi-layer firewall featuring packet, circuit and application level (proxy) traffic screening, stateful inspection, network address translation (NAT), integrated VPN and basic intrusion detection (based on technology from ISS), smart application filters, authentication and secure web publishing.

As with most firewalls, the ISA Server uses rules to determine whether users, services, ports or domains are granted access to computers on the protected network and on the Internet. Four types of rules are available: access policy rules, bandwidth rules, protocol rules and publishing rules. In addition, ISA Server can apply policies to users and groups in NT and Windows 2000 domains for an integrated approach to user management. Access policy rules define which Internet sites can be accessed by clients behind the ISA Server, as well as which protocols internal clients can use. They also implement the usual packet filter rules that block or allow traffic depending on source and destination address, source and destination port, and protocol.
Bandwidth rules build on the Windows 2000 QoS (quality of service) features to determine bandwidth priorities for any specific Internet request. Publishing rules allow internal servers (web server, or even Exchange 2000, for example) to publish securely through the ISA Server. These rules map incoming requests to the appropriate servers behind the firewall, and support for multiple network cards in the host PC allows the administrator to create a secure demilitarized zone (DMZ) if required. Each of the rules is built from a number of different ‘policy elements,’ which include schedules, bandwidth priorities, destination sets (remote sites), client address sets (hosts, networks, servers, etc.), protocol definitions and content groups (video, audio, images, etc.). This modularity provides plenty of flexibility when defining rules, but unfortunately, we found the process of rules definition to be the least intuitive of any firewall we have seen. It may be that the ISA Server approach is geared towards the security novice, to whom it may make more sense (though we doubt it). To anyone who is used to working with firewalls, however, ISA makes hard work of configuration tasks.

The console is the usual MMC interface, which at least makes it familiar in terms of look and feel. The ‘scope pane’ down the left of the screen provides a hierarchical menu tree, whilst the ‘results pane’ on the right shows the results of selecting a menu option, and the Taskpads. Taskpads provide a high level of hand-holding for the administrator, which makes the completion of individual tasks – such as enabling intrusion detection – fairly straightforward. However, the overall layout is such that it is very difficult to know just which Taskpads you need to use in order to achieve the desired effect. We found ourselves fiddling about in two or three different places just to allow outgoing web access for our internal users, and inbound access to our web server on the DMZ for external users.
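To show how rules assembled from the policy elements described above compose, here is an added illustration, not code from the review or from ISA Server's own object model, that models an access policy from a schedule, a client address set, a destination set and protocol names, then evaluates requests against it. The class names, the first-match-wins ordering and the default deny are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
# Policy elements as the review lists them: schedule, client address set,
# destination set and protocol definitions. Class names, first-match-wins
# ordering and the default deny are assumptions, not ISA Server's own model.
@dataclass
class Schedule:
    days: set           # weekday numbers, Monday = 0
    start_hour: int
    end_hour: int       # exclusive
    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour
@dataclass
class ClientAddressSet:
    networks: list      # CIDR strings
    def contains(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(n) for n in self.networks)
@dataclass
class DestinationSet:
    domains: set        # a domain matches itself and its subdomains
    def contains(self, host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in self.domains)
@dataclass
class AccessRule:
    name: str
    action: str         # "allow" or "deny"
    clients: ClientAddressSet
    protocols: set      # names taken from protocol definitions
    schedule: Schedule
    destinations: DestinationSet = None   # None means any destination
    def matches(self, client_ip, host, protocol, when) -> bool:
        return (self.schedule.active(when) and self.clients.contains(client_ip)
                and protocol in self.protocols
                and (self.destinations is None or self.destinations.contains(host)))
def evaluate(rules, client_ip, host, protocol, when):
    """First matching rule decides; a request no rule matches is denied."""
    for rule in rules:
        if rule.matches(client_ip, host, protocol, when):
            return rule.action, rule.name
    return "deny", "default"

# Constructed policy: the LAN may browse in office hours, but never the blocked site.
LAN = ClientAddressSet(["10.0.0.0/8"])
ALWAYS, OFFICE = Schedule(set(range(7)), 0, 24), Schedule({0, 1, 2, 3, 4}, 8, 18)
RULES = [
    AccessRule("block site", "deny", LAN, {"HTTP", "HTTPS"}, ALWAYS, DestinationSet({"blocked.example"})),
    AccessRule("web out", "allow", LAN, {"HTTP", "HTTPS"}, OFFICE),
]
```

Putting the deny rule first is what makes the blocked destination win over the broader allow; swap the order and the same request is allowed, which is the kind of ordering mistake a flat rule list makes easy.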
A couple of useful Taskpads are the ones to enable a range of basic intrusion detection capabilities (which detect such things as port scans, WinNuke, Ping of Death and a few other common denial-of-service attacks), and OS hardening. The system-hardening wizard allows the administrator to lock down the Windows 2000 OS by setting the appropriate levels of security (auditing levels and access controls on key directories and Registry entries, for example) depending on how the ISA Server is expected to function on the network. For example, different levels of hardening are applied depending on whether the ISA machine is a dedicated firewall, or is also expected to function as a domain controller.

Finally, it is worth noting that most of the ISA Server features are available without installing the firewall client that is supplied. However, should the administrator wish to go to the trouble of installing the client on end-users’ desktops, it offers additional high-level protocol support and user-based authentication.
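As an added example, not code from the review or the ISS-derived detection ISA Server ships with, this runs three of the signatures named above (port scan, Ping of Death, WinNuke) over constructed packet summaries. The record layout, the scan threshold and the signature logic are assumptions chosen to make the checks concrete.

```python
from collections import defaultdict

# Constructed packet summaries: (src, dst, proto, dport, ip_len, tcp_flags).
# ip_len is the reassembled IP datagram length; flags use S/A/P/U letters.
PACKETS = [
    ("203.0.113.9", "198.51.100.1", "tcp", p, 60, "S") for p in range(20, 40)   # SYNs to 20 ports
] + [
    ("203.0.113.7", "198.51.100.1", "icmp", None, 65600, ""),   # oversized ping
    ("203.0.113.5", "198.51.100.2", "tcp", 139, 60, "PU"),       # URG data to NetBIOS
    ("10.0.0.4", "198.51.100.1", "tcp", 80, 1500, "PA"),         # ordinary web traffic
]

def detect(packets, scan_threshold=10):
    """Return (signature, source) alerts; thresholds are assumptions for this example."""
    alerts = []
    syn_ports = defaultdict(set)   # (src, dst) -> distinct ports probed with a bare SYN
    for src, dst, proto, dport, ip_len, flags in packets:
        if proto == "icmp" and ip_len > 65535:
            # Ping of Death: reassembled datagram exceeds the 65535-byte IP maximum
            alerts.append(("ping_of_death", src))
        if proto == "tcp" and dport == 139 and "U" in flags:
            # WinNuke-style out-of-band (URG) data aimed at the NetBIOS session port
            alerts.append(("winnuke", src))
        if proto == "tcp" and "S" in flags and "A" not in flags:
            syn_ports[(src, dst)].add(dport)
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= scan_threshold:
            # Port scan: one source opening connections to many ports on one host
            alerts.append(("port_scan", src))
    return alerts
```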
SC On-Line
Copyright © 2001 West Coast Publishing. All rights reserved.