Web-based attacks are on the rise, and according to consulting group Gartner Inc., the weakest point in most perimeter infrastructures is the application layer. In fact, Gartner claims that up to 70 percent of Internet-based attacks occur at this layer—a layer that traditional firewalls are not normally designed to protect. According to Dave Berkowitz and Joel Sloss, product managers with Microsoft's Security Business and Technology Unit, Microsoft is listening. That's why the 2004 version of Internet Security and Acceleration (ISA) Server boasts improved security for the application layer. ISA is one of the few products on the market specifically designed to offer application layer protection.
You might remember ISA Server. It first appeared under the name Proxy Server and was designed to perform address translation and content caching. With the arrival of Windows 2000 and the .NET Enterprise Server family (now Windows Server System), Microsoft transformed Proxy Server into a firewall and reverse proxy, both major advances over its former architecture. This was the focus of ISA Server 2000. Although it provided the basis for added protection in the perimeter network, ISA Server 2000, being a first-version product, had its failings. Its performance was often poor and its configuration was fairly complex, requiring advanced knowledge of routing and address translation. These shortcomings shaped Microsoft's priorities for the new version, particularly because, according to Gartner, 99 percent of successful break-ins are due to configuration errors. This is why Microsoft concentrated on three areas of improvement for ISA Server 2004:
- Improved network security
- Improved ease of use
- Improved performance
Although ISA still supports content caching, few improvements to this feature have been made in the new version. On the other hand, ISA's firewall feature now offers new protocol support, letting administrators control access for any protocol, including the Internet Protocol (IP) itself. This enables improved integration and administration of virtual private network (VPN) connections at both the Point-to-Point Tunneling Protocol (PPTP) and the Internet Protocol Security (IPSec) level, as well as improved user authentication.
ISA 2004 now supports three authentication methods natively: Windows, Remote Authentication Dial-in User Service (RADIUS), and RSA Security's SecurID. In addition, Microsoft provides a software development kit for ISA 2004 that allows third-party vendors to integrate their own authentication solutions with ISA. While the ISA 2000 Feature Pack included RSA authentication, the addition of RADIUS and the direct integration of SecurID into ISA 2004 is a vast improvement because it allows organizations to create and implement authentication gateways, which are secure entry points into both intranets and extranets. ISA 2004 also supports multiple network configurations, letting you implement different connections for different networks easily (for example, a private network alongside an Internet connection) while applying the same standard policies to all connections. In addition, ISA 2004 is fast: up to five times as fast as ISA 2000, easily providing throughput of 1.6 Gbps when running on Windows Server 2003.
But perhaps the best feature of ISA 2004 is its improved ease of use. ISA 2004 now includes network templates that simplify its implementation and configuration. Choose one of the five network templates and proceed (see Figure 3). Or, if you need something more complex, choose the template that best matches your needs and customize it. This greatly simplifies the implementation of secure network interconnectivity. In addition, ISA 2004 includes a new visual policy editor that portrays the effects of the policies you implement, once again simplifying firewall administration. Another great feature of ISA 2004 is the ability to export and import configuration data in XML format. This lets administrators configure one machine and easily duplicate its settings on another. In fact, this is the method used to upgrade from ISA 2000 to ISA 2004: simply export the settings from one and import them into the other. ISA 2004 also includes strong support for VPN connection configurations (see Figure 4), making VPN setup easier than before. Finally, ISA 2004 includes an improved troubleshooting tool, making it easier to locate configuration errors and thereby offering protection against the most common break-in scenario.
ISA 2004 offers policy-based administration of firewall protection at the application layer, content caching, and application server publishing (reverse proxy) for Microsoft applications such as Exchange, Internet Information Services, and SharePoint Portal Server. It is available in two editions: Standard and Enterprise. The Standard edition is currently in beta testing, with final code available by the middle of 2004. The Enterprise edition should be in beta later this year, with final code expected by year's end. One advantage of the new Enterprise edition will be its independence from Active Directory (AD). The Enterprise edition of ISA 2000 required integration with AD, making it less practical for external protection scenarios. ISA 2004 will instead rely on Active Directory in Application Mode (ADAM), a new lightweight version of AD. This will make it more suitable for deployment in perimeter networks.