What makes ISA Server stand out as a product is its versatility and its capability to play multiple roles in an environment. In addition to being deployed as a fully functional Application-layer firewall, ISA can also provide web caching, Virtual Private Network (VPN) support, reverse proxy, or any combination of these. It is therefore important to understand all the potential deployment scenarios for ISA when considering the product for deployment.
Deploying ISA Server 2004 as an Advanced Application-Layer Inspection Firewall
ISA Server 2004 was designed as a full-function firewall that provides the type of functionality expected of any other firewall device. At a base level, ISA enables you to block Internet traffic that uses a specific port, such as the RPC or FTP ports, from accessing internal resources. This type of filtering, which traditional firewalls also perform, inspects Internet Protocol (IP) traffic at the Network layer (Layer 3). What sets ISA apart from most other firewalls is its capability to filter IP traffic at the more complex Application layer (Layer 7). This functionality enables an ISA firewall to determine, for example, whether IP traffic contains dangerous payloads.
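The following is an added example, not code from the book or from ISA Server itself, that contrasts the two kinds of filtering just described: a Network-layer rule that consults only the destination port, and an Application-layer check that parses the payload as HTTP before passing it. The packets, the allowed ports and methods, and the URL length limit are all constructed for the demonstration; the point is that traffic which satisfies the port filter can still be dropped once the payload is inspected.

```python
# Added example (not the book's or ISA Server's code): Layer 3 port filtering
# versus Layer 7 HTTP inspection of the same constructed packets.
from dataclasses import dataclass
from typing import Tuple

ALLOWED_DST_PORTS = {80, 443}          # what a port-based rule permits (constructed)
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LEN = 2048                     # reject request lines beyond this length (constructed)


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


def layer3_filter(pkt: Packet) -> bool:
    """Traditional port-based check: only the header fields are consulted."""
    return pkt.dst_port in ALLOWED_DST_PORTS


def layer7_http_inspect(pkt: Packet) -> Tuple[bool, str]:
    """Application-layer check: parse the payload as HTTP and validate the request line."""
    try:
        text = pkt.payload.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request line"
    request_line = text.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "payload on port %d is not HTTP" % pkt.dst_port
    method, url, _version = parts
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    if len(url) > MAX_URL_LEN:
        return False, "request URL exceeds %d bytes" % MAX_URL_LEN
    return True, "ok"


def firewall_decision(pkt: Packet) -> Tuple[str, str]:
    """Apply the port filter first, then the application-layer inspection."""
    if not layer3_filter(pkt):
        return "DROP", "port %d not permitted" % pkt.dst_port
    ok, reason = layer7_http_inspect(pkt)
    return ("ALLOW" if ok else "DROP"), reason


# Constructed sample traffic: one clean request, one blocked port, one
# non-HTTP payload riding on port 80, and one oversized request URL.
SAMPLES = [
    Packet("203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.5", 135, b"\x05\x00\x0b\x03\x10\x00\x00\x00"),
    Packet("203.0.113.7", 80, b"\x16\x03\x01\x00\x45" + b"\x00" * 20),
    Packet("203.0.113.9", 80, b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.dst_port, *firewall_decision(p))
```

The third sample is the interesting one: a port-only firewall accepts it because it is addressed to port 80, while the Layer 7 check rejects it because the bytes do not form an HTTP request line.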
Because of the advanced IP filtering capabilities of ISA, it is becoming more common to see small to mid-sized organizations deploying ISA Server 2004 as a full-fledged edge firewall, similar to what is shown in Figure 1.3. ISA Server 2004 has passed many of the security tests that have been thrown at it, and it has proven to have firewall functionality beyond many of the more common firewall products on the market today.
Figure 1.3. Deploying ISA Server 2004 as a firewall.
For more information on the capabilities of ISA Server 2004 as a firewall device, refer to Chapter 5.
Securing Applications with ISA Server 2004's Reverse Proxy Capabilities
Although ISA Server 2004 is marketed as an edge firewall, it is more common in organizations, particularly in mid-sized and larger ones, to see it deployed strictly for reverse-proxy capabilities. This functionality enables ISA to protect internal web and other application resources from external threats by acting as a bastion host.
To hosts on the Internet, the ISA Server looks and acts like a regular web or application server. Requests made by the client are relayed to the actual machine that performs the service, but not before being inspected for exploits or threats. In addition, ISA can be configured to authenticate the user before any request is relayed, further securing the infrastructure.
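As an added example (not the book's code and not ISA Server's implementation), the function below models the reverse-proxy decision path in the order the text describes: authenticate the user first, inspect the request, and only then relay it to the internal server. The credential store, the list of published paths, the backend function and the inspection checks are all constructed; a real deployment would authenticate against the directory and apply far richer inspection.

```python
# Added example (not the book's or ISA Server's code): pre-authentication,
# inspection and relay in a reverse proxy, using constructed data throughout.
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store (a real deployment would use Active Directory)
USERS = {"alice": "s3cret-pass"}

# Constructed list of paths published through the proxy; anything else is never relayed
PUBLISHED_PREFIXES = ("/owa/", "/public/")


def internal_backend(path: str, user: str) -> Tuple[int, str]:
    """Stand-in for the real web server behind the proxy."""
    return 200, "hello %s, you requested %s" % (user, path)


def check_basic_auth(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name if the Authorization header carries valid Basic credentials."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison so timing does not reveal how much of the password matched
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def inspect_request(path: str) -> Tuple[bool, str]:
    """Application-layer checks applied before anything reaches the backend."""
    if ".." in path or "\\" in path:
        return False, "path contains traversal sequence"
    if not path.startswith(PUBLISHED_PREFIXES):
        return False, "path not published"
    return True, "ok"


def reverse_proxy(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Authenticate, then inspect, then relay. Unauthenticated traffic never touches the backend."""
    user = check_basic_auth(headers)
    if user is None:
        return 401, "authentication required"
    ok, reason = inspect_request(path)
    if not ok:
        return 403, "blocked by proxy: " + reason
    return internal_backend(path, user)


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a client would send (helper for the demo)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(reverse_proxy("/owa/inbox", {}))
    print(reverse_proxy("/owa/inbox", basic_header("alice", "s3cret-pass")))
```

Note the ordering: an anonymous request is answered with 401 by the proxy itself, so an unauthenticated attacker never gets a response from, or exercises any code on, the published server.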
For more information on utilizing the reverse-proxy capabilities of ISA Server, see the chapters in Part III.
Accelerating Internet Access with ISA Server 2004's Web Caching Component
The original function of ISA Server when it was still known as Proxy Server was to act as a simple web proxy for client web traffic. This functionality is still available in ISA Server, even as the focus has been directed more to the system's firewall and VPN capabilities. By enabling the caching service on an ISA Server, many organizations have realized improved access times for web and FTP services, while effectively increasing the available bandwidth of the Internet connection at the same time.
The concept of web and FTP caching in ISA Server 2004 is fairly straightforward. All clients configured to use ISA for caching send their requests for web pages through the ISA server, similar to what is shown in Figure 1.4. If it is the first time that particular page has been opened, the ISA server then goes out to the Internet, downloads the content requested, then serves it back to the client, while at the same time keeping a local copy of the text, images, and other HTTP or FTP content. If another client on the network requests the same page, the caching mechanism delivers the local copy of the page to the user instead of going back to the Internet. This greatly speeds up access to web pages and improves the responsiveness of an Internet connection.
Figure 1.4. Deploying ISA Server 2004 as a web caching server.
An added advantage to using ISA Server 2004 as a content caching server is that all the web traffic that clients request is scanned for exploits and viruses as well, decreasing the threat of clients being infected with spyware, viruses, and other scumware.
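The following added example (not the book's code and not how ISA Server is implemented) puts the caching behaviour of the two preceding paragraphs together: the first request for a URL goes to the origin and the content is kept locally, later requests for the same URL are served from the local copy until it expires, and content that fails inspection is never cached or delivered. The origin content, the fetch counter, the expiry time and the single "signature" the scanner looks for are all constructed.

```python
# Added example (not the book's or ISA Server's code): a forward-caching proxy
# with content scanning, over a constructed "Internet" held in a dict.
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed origin content keyed by URL
ORIGIN: Dict[str, bytes] = {
    "http://www.example.com/": b"<html>welcome</html>",
    "ftp://ftp.example.com/readme.txt": b"plain text file",
    "http://www.example.com/bad": b"<html>CONSTRUCTED-MALWARE-MARKER</html>",
}

SIGNATURES = [b"CONSTRUCTED-MALWARE-MARKER"]   # constructed test signature, not a real one
CACHE_TTL_SECONDS = 300                        # constructed expiry

origin_fetches = {"count": 0}                  # how often the "Internet" was consulted


def fetch_origin(url: str) -> Optional[bytes]:
    """Stand-in for downloading from the Internet; counts every trip."""
    origin_fetches["count"] += 1
    return ORIGIN.get(url)


def scan_content(body: bytes) -> bool:
    """Return True when the content passes inspection."""
    return not any(sig in body for sig in SIGNATURES)


class CachingProxy:
    def __init__(self, ttl: float = CACHE_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self.ttl = ttl
        self.clock = clock                       # injectable so expiry can be tested
        self.cache: Dict[str, Tuple[float, bytes]] = {}

    def get(self, url: str) -> Tuple[str, Optional[bytes]]:
        """Return (disposition, body); disposition is HIT, MISS, BLOCKED or NOT_FOUND."""
        now = self.clock()
        entry = self.cache.get(url)
        if entry is not None and now - entry[0] < self.ttl:
            return "HIT", entry[1]               # served locally, no Internet round trip
        body = fetch_origin(url)
        if body is None:
            return "NOT_FOUND", None
        if not scan_content(body):
            # Content that fails inspection is neither delivered nor cached,
            # so the next client gets the same protection
            return "BLOCKED", None
        self.cache[url] = (now, body)
        return "MISS", body


if __name__ == "__main__":
    proxy = CachingProxy()
    for _ in range(2):
        print(proxy.get("http://www.example.com/")[0], origin_fetches["count"])
```

The second request for the same page is a HIT and the fetch counter does not move, which is the bandwidth saving the text describes; the blocked page is fetched again on every request precisely because nothing about it was cached.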
For more information on configuring ISA for web and FTP caching, refer to Chapter 8.
Controlling and Managing Client Access to Company Resources with Virtual Private Networks (VPNs)
Some of the most significant improvements in ISA Server 2004 have been in the area of Virtual Private Networks (VPNs). VPN functionality has been greatly improved, and the flexibility of using VPN networks in access rules is robust. Deployment of an ISA Server 2004 VPN solution is an increasingly common scenario for many organizations. The capability for clients to securely access internal resources from anywhere in the world is ideal for many organizations.
VPN Deployment with ISA Server 2004 typically involves a secure, encrypted tunnel being set up between clients on the Internet and an Internet-facing ISA firewall. After the clients have authenticated, they are granted access to specific internal resources that are defined by the ISA administrator. The resources that can be accessed can be designated via access rules, so the control can be very granular.
In addition to this control, ISA Server also makes it possible to quarantine VPN users that do not comply with specific rules set up by the administrator. For example, ISA can be configured to quarantine clients that do not have antivirus programs installed. Different access rules can be configured for the Quarantine VPN Users network as well, restricting the access of such clients even further.
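As an added example (not the book's code and not ISA Server's own implementation), the model below follows the VPN flow of the two preceding paragraphs: a connecting client is authenticated, checked for compliance (here, whether antivirus is present), placed in either a VPN clients network or the Quarantine VPN Users network, and then access rules keyed on that network decide what it may reach. The users, rules, destinations and rule names are constructed; the network names follow the text.

```python
# Added example (not the book's or ISA Server's code): VPN authentication,
# quarantine assignment and network-based access rules over constructed data.
import hmac
from typing import List, NamedTuple, Optional


class VpnClient(NamedTuple):
    user: str
    password: str
    antivirus_installed: bool      # the compliance check the text uses as its example


class AccessRule(NamedTuple):
    name: str
    source_network: str
    destination: str               # host name, or "*" for any
    port: int                      # 0 for any port
    action: str                    # "allow" or "deny"


VPN_USERS = {"bob": "vpn-pass"}    # constructed credential store

# Constructed rule set. Rules are evaluated top to bottom; first match wins, default deny.
RULES: List[AccessRule] = [
    AccessRule("Quarantine: antivirus update server only", "Quarantine VPN Users", "av-update.internal", 80, "allow"),
    AccessRule("Quarantine: block everything else", "Quarantine VPN Users", "*", 0, "deny"),
    AccessRule("VPN: intranet web", "VPN Clients", "intranet.internal", 80, "allow"),
    AccessRule("VPN: file server", "VPN Clients", "files.internal", 445, "allow"),
]


def authenticate(client: VpnClient) -> bool:
    expected = VPN_USERS.get(client.user)
    return expected is not None and hmac.compare_digest(expected.encode(), client.password.encode())


def assign_network(client: VpnClient) -> Optional[str]:
    """Place an authenticated client in the network its compliance state earns it."""
    if not authenticate(client):
        return None
    return "VPN Clients" if client.antivirus_installed else "Quarantine VPN Users"


def evaluate(network: str, destination: str, port: int) -> str:
    """First matching rule for this source network decides; nothing matching means deny."""
    for rule in RULES:
        if rule.source_network != network:
            continue
        if rule.destination not in ("*", destination):
            continue
        if rule.port not in (0, port):
            continue
        return rule.action
    return "deny"


def vpn_request(client: VpnClient, destination: str, port: int) -> str:
    network = assign_network(client)
    if network is None:
        return "deny (authentication failed)"
    return evaluate(network, destination, port)


if __name__ == "__main__":
    compliant = VpnClient("bob", "vpn-pass", True)
    quarantined = VpnClient("bob", "vpn-pass", False)
    print(vpn_request(compliant, "intranet.internal", 80))
    print(vpn_request(quarantined, "intranet.internal", 80))
```

The same user with the same credentials lands in a different network depending only on the compliance check, and the quarantine rules let that client reach nothing but the update server it needs to become compliant.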
Finally, ISA Server also includes the ability to set up site-to-site VPN connections to remote sites across the Internet. This enables networks to be joined across VPN links. An added advantage is that the Internet Key Exchange (IKE) protocol used to set up this connection can also be used to set up a site-to-site VPN between an ISA server and another third-party VPN product.
For more information on working with VPNs in ISA Server 2004, refer to Chapters 9 and 10.
Using the Firewall Client to Control Individual User Access
In addition to the default capability to support traffic from any Internet client (SecureNAT clients), ISA includes the capability to restrict, control, and log individual user firewall access through the installation and configuration of ISA firewall clients. Although it is a less common deployment scenario because of the need to install and support a client component, using the ISA firewall client can create more secure scenarios and also enables an administrator to control firewall policy based on individual users or groups of users.
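The following added example (not the book's code and not ISA Server's implementation) shows why the Firewall Client changes what an access rule can express. A SecureNAT client is known to the firewall only by its IP address, so a rule that requires a user or group can never match its traffic; a Firewall Client request carries the Windows user name, so the same rule can be evaluated against group membership. The directory, rules, users and ports are constructed.

```python
# Added example (not the book's or ISA Server's code): identity-aware access
# rules evaluated against SecureNAT (anonymous) and Firewall Client requests.
from typing import Dict, List, NamedTuple, Optional, Set


class Request(NamedTuple):
    source_ip: str
    user: Optional[str]        # None for SecureNAT clients; user name when the Firewall Client supplied it
    port: int


# Constructed directory groups
GROUPS: Dict[str, Set[str]] = {
    "IT Staff": {"carol"},
    "All Users": {"carol", "dave"},
}


class Rule(NamedTuple):
    name: str
    allowed_groups: Optional[Set[str]]   # None means the rule applies to any request, no identity needed
    port: int
    action: str


# Constructed rule set; first match wins, default deny
RULES: List[Rule] = [
    Rule("Web for all clients", None, 80, "allow"),
    Rule("Remote shell for IT Staff only", {"IT Staff"}, 22, "allow"),
]


def user_in_groups(user: str, groups: Set[str]) -> bool:
    return any(user in GROUPS.get(g, set()) for g in groups)


def decide(req: Request) -> str:
    """Evaluate the rules; identity-based rules cannot match anonymous traffic."""
    for rule in RULES:
        if rule.port != req.port:
            continue
        if rule.allowed_groups is not None:
            # A SecureNAT request carries no user, so it can never satisfy a group rule
            if req.user is None or not user_in_groups(req.user, rule.allowed_groups):
                continue
        return rule.action
    return "deny"


if __name__ == "__main__":
    print(decide(Request("10.0.0.5", None, 22)))        # SecureNAT client
    print(decide(Request("10.0.0.6", "carol", 22)))     # Firewall Client, IT Staff member
```

Both hosts above may be on the same subnet; only the request that arrives with a user name can be matched against the group rule, which is the per-user control the text attributes to the Firewall Client.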
For more information on deployment scenarios involving the ISA Firewall Client, see Chapter 11, "Understanding Client Deployment Scenarios with ISA Server 2004."