To better understand ISA Server 2004 as a product, it is important to understand its beginnings and the environment for which it was designed. First and foremost, the general security concepts behind ISA should be reviewed.

Defining the Concept of a Firewall

The idea of a computer firewall has evolved over time. In the beginning, networks were isolated and unconnected. With the rising need to collaborate between organizations, networks were joined together, eventually creating the worldwide network known as the Internet. Along with the advantage of being able to communicate with systems all over the world came the disadvantage of being exposed to those same systems. Thus was born the network firewall, named after the architectural barrier built to slow the spread of fire from one part of a building to another. Initially, firewalls simply blocked all access from the "untrusted" network to the "trusted" internal network and allowed only outbound traffic. As technology progressed, however, the need to share internal information with outside clients and vendors arose, and firewall administrators had to "open ports" on the firewall to admit specific types of traffic, such as HTTP web traffic, into the internal network. At first, filtering traffic at the packet layer proved successful in thwarting hacking attempts, which traditionally required certain "dangerous" ports to be open in order to succeed. Eventually, however, virus and exploit writers realized that if their payloads were encased in commonly allowed protocols such as HTTP, they could pass through packet-filter firewalls and into the internal network unobstructed. This gave rise to extremely damaging worms such as Code Red and Nimda, which spread over HTTP, and Slammer, which spread in a single UDP packet to the SQL Server resolution service port that many firewalls left open. Many of these worms sailed right through traditional port-based firewalls and wreaked havoc on internal servers.
To make matters worse, internal "trusted" clients would become infected with a virus, exploit, or spyware application, which would then launch attacks from behind the firewall against unprotected servers and workstations. It quickly became obvious that some type of solution was needed to determine which traffic was legitimate and which was a potential exploit. This gave rise to firewall technologies such as ISA Server 2004, which added inspection of traffic at the Application layer to traditional stateful packet filtering.

Filtering Traffic at the Application Layer

Network traffic is logically divided into the layers of what is called the Open Systems Interconnection (OSI) Reference Model. Each layer in the OSI model provides for different types of TCP/IP functionality as follows:
The deficiency in firewall devices that use packet-filtering technology only is that the true nature of the traffic cannot be determined at the packet layer. A typical exploit, for example, can carry a perfectly ordinary HTTP header, with the exploit itself hidden in the request URL or body. If that request is inspected at the Application layer with ISA Server 2004, however, it can be determined whether it is truly legitimate. In addition, filters can be written to look for specific patterns within Application-layer protocols. For example, the HTTP filter in ISA Server can be configured to block directory traversal attacks, in which the request contains path strings with multiple dots (..) intended to step outside the web root. Deploying ISA Server 2004 as a firewall device gives an environment Application-layer inspection capabilities, and this is one of the most distinct advantages of deploying ISA in this fashion. Traffic passing through the ISA box for which an application filter exists (HTTP, FTP, SMTP, DNS, and RPC, among others) is inspected at the Application layer, providing a great degree of flexibility in what type of traffic is allowed and what is denied.

Understanding Common Myths and Misperceptions About ISA

ISA Server 2004 has always faced an uphill battle for acceptance, based mainly on the fact that Microsoft has only recently put a strong emphasis on security in its products. Since the Trustworthy Computing initiative a few years back, however, the emphasis has shifted to "security first, functionality second." How big an effect the Trustworthy Computing initiative has had is debatable, but the security provided by ISA Server 2004 is quite respectable. Despite this, there is a great deal of confusion and misunderstanding about what ISA really is and what type of functionality it supports.
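To make the "Filtering Traffic at the Application Layer" discussion above concrete, the following is an added example, written for this page and not taken from ISA Server or any Microsoft code. It contrasts what a port-based packet filter can decide (only "is port 80 open?") with what an Application-layer HTTP filter can decide once it parses the request line and decodes the target. The traversal check, the bounded double-decoding, the "still percent-encoded after decoding" check and the method allow-list are loosely modelled on the kinds of checks an HTTP filter performs; they are this example's own logic, not ISA's implementation. The sample requests are constructed for illustration (the Nimda-style `..%255c..` target mirrors the worm's well-known URL pattern but is embedded here as test data only).

```python
"""Application-layer HTTP request inspection versus port-based packet filtering.

Added example, not ISA Server code. A packet filter only sees "TCP port 80",
so anything framed as HTTP gets through. An application-layer filter parses
the request, decodes the target and can reject directory traversal and other
abuse that hides inside an otherwise "allowed" protocol.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Policy assumed for this example (not an ISA default).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_PORTS = {80, 443}


def packet_filter_verdict(dst_port: int) -> str:
    """All a port-based packet filter can decide: is the destination port open?"""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"


def decode_target(target: str) -> str:
    """Percent-decode at most twice (catches %25xx double encoding) and fold
    backslashes to slashes so '..\\' is treated like '../'."""
    cur = target
    for _ in range(2):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if any path segment is exactly '..' after decoding. Matching on
    segments rather than on the substring '..' avoids false positives such as
    /a..b/c.html, which a naive string match would block."""
    path = decode_target(target).split("?", 1)[0]
    return ".." in path.split("/")


def still_encoded_after_decoding(target: str) -> bool:
    """True if one round of decoding leaves another %XX escape behind, i.e. the
    client double-encoded the target, a classic filter-evasion trick."""
    once = unquote(target)
    return re.search(r"%[0-9A-Fa-f]{2}", once) is not None


def inspect_request(raw: bytes) -> tuple[str, str]:
    """Return ('allow', '') or ('deny', reason) for one raw request head."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("deny", "not HTTP: non-ASCII bytes in request head")
    request_line = text.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return ("deny", "not HTTP: malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return ("deny", f"method {method} not permitted")
    if has_traversal(target):
        return ("deny", "directory traversal in request target")
    if still_encoded_after_decoding(target):
        return ("deny", "request target still percent-encoded after decoding")
    return ("allow", "")


# Constructed sample traffic, all of it destined for TCP port 80.
SAMPLE_REQUESTS: dict[str, bytes] = {
    "plain page": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "dots inside a name": b"GET /a..b/c.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "encoded traversal": b"GET /..%2f..%2fetc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "double-encoded backslash traversal":
        b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "double-encoded name": b"GET /scripts/cmd%252eexe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "disallowed method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not HTTP at all": b"\x00\x01\x02\x03binary-on-port-80",
}


def run_samples() -> dict[str, tuple[str, str]]:
    """Inspect every sample and return its application-layer verdict."""
    return {name: inspect_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        # The packet filter says "allow" for all of these: the port is open.
        print(f"port filter: {packet_filter_verdict(80):5} | "
              f"app layer: {verdict:5} | {name:36} {reason}")
```

Every sample is "allow" to the packet filter because the destination port is open; only the Application-layer inspection separates the ordinary page and the `/a..b/` name (allowed) from the traversal, the double-encoded targets, the disallowed method and the non-HTTP bytes (all denied). Two details matter in practice: decoding must happen before matching, or `%2e%2e` slips past a filter looking for literal dots, and the decode loop must be bounded, or a filter can be driven into unbounded work by nested encodings.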
It is easy to dismiss ISA as simply another "Microsoft Bob," but the reality is that a growing number of organizations are finding that ISA Server 2004 fits well into their environments and allows for a degree of security that was previously unavailable to them. At a minimum, ISA should be evaluated for inclusion in an environment, particularly for the functions in which it currently excels, such as securing Outlook Web Access or providing secured web proxy functionality. With this in mind, several key misconceptions about ISA Server 2004 should be dispelled. These misconceptions are as follows: