Microsoft ISA Server: A Fully Integrated Security Solution
In the current networking environment it often seems like there are about as many new security concerns as there are babies born in the United States per day. Microsoft is trying harder than ever to be the complete solution for corporate needs. The vendor has made great strides to have its Windows 2000 operating system incorporate some of the best features from Novell and NT. Microsoft's ISA Server 2000 is more than just an update to Microsoft Proxy Server or an add-on to Windows 2000. The firewall/proxy server combo provides the security of a firewall and the caching processes of a proxy server, with a host of other options thrown into the mix.
To meet security concerns, Microsoft recently introduced a new product called Internet Security and Acceleration (ISA) Server 2000.
At its core, ISA is an advanced proxy server and firewall combination. It combines the security of a firewall and the caching processes of a proxy server into a single software package. Because the product is Microsoft's own and carries the 2000 designation, it integrates tightly with Windows 2000.
In its simplest form, a proxy server is an Internet gateway that stores commonly used files in a disk cache, but it is usually more than that. Client machines open sessions with the proxy server, and the proxy server opens sessions with machines on the Internet on behalf of those clients. The proxy server then saves the information it retrieves for clients in a disk cache. If another client requests the same information within a set period of time, the proxy server serves it from the cache rather than from the actual source server.
This can cut down on Internet connection usage greatly, but if the proxy server is improperly set up it can be detrimental for any Web sites that update very frequently. "Fast RAM" caching from ISA takes this process a step further by using main memory for frequently accessed data. Although this may pose a problem for machines with limited memory and a huge workload, it will not be problematic for a dedicated gateway server with a fairly large memory base.
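The caching behaviour just described, as an added example that is not ISA Server code: a toy caching proxy with a fixed time-to-live, run against a constructed origin whose page changes every 10 seconds, so that the stale-content problem the review warns about shows up in the returned counters. The URL, the origin model and the simulated clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass

URL = "http://example.test/news"  # constructed URL for the simulation


@dataclass
class CacheEntry:
    body: str
    fetched_at: float


class CachingProxy:
    """Forward proxy that reuses an origin response for `ttl` seconds."""

    def __init__(self, origin, ttl, clock=time.time):
        self.origin = origin          # callable: url -> body (hypothetical)
        self.ttl = ttl                # seconds a cached copy is considered fresh
        self.clock = clock
        self.cache = {}
        self.stats = {"hit": 0, "miss": 0}

    def get(self, url):
        now = self.clock()
        entry = self.cache.get(url)
        if entry is not None and now - entry.fetched_at < self.ttl:
            self.stats["hit"] += 1      # served from cache, origin not contacted
            return entry.body
        body = self.origin(url)         # cache miss or expired: go to the source
        self.cache[url] = CacheEntry(body, now)
        self.stats["miss"] += 1
        return body


class FakeOrigin:
    """Constructed origin whose page content changes every 10 simulated seconds."""

    def __init__(self, clock):
        self.clock = clock
        self.fetches = 0                # how often the proxy actually hit the origin

    def current(self, url):
        return f"{url} v{int(self.clock() // 10)}"

    def __call__(self, url):
        self.fetches += 1
        return self.current(url)


def simulate(ttl, times=range(0, 30, 5)):
    """Replay one client request every 5 s; count origin load and stale responses."""
    t = [0.0]
    origin = FakeOrigin(lambda: t[0])
    proxy = CachingProxy(origin, ttl, lambda: t[0])
    stale = 0
    for now in times:
        t[0] = float(now)
        if proxy.get(URL) != origin.current(URL):
            stale += 1                  # client got an out-of-date page
    return {"origin_fetches": origin.fetches, "stale_served": stale, **proxy.stats}
```

A TTL longer than the page's update interval (30 s here) cuts origin traffic to a single fetch but serves four stale copies, while a TTL matching the update interval (10 s) serves nothing stale at the cost of three fetches.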
One feature in ISA that particularly stands out is Cache Array Routing Protocol. This enables an administrator to set up multiple ISA servers as a single logical, manageable unit. The administrator can even schedule content downloads to allow frequently used data to be accessed during off-peak hours to minimize the impact of clients on the network using the Internet.
A firewall in and of itself can be a fairly simple system, as rudimentary as a 386 that boots off of a floppy disk. Of course, such an implementation would not be as feature-rich as ISA. ISA provides Internet connection sharing through SecureNAT, its implementation of Network Address Translation, with the firewall's security policy layered on top.
With the ISA firewall, an administrator can filter content on three different levels: packet, circuit, and application. When packet filtering is enabled, all packets on the external interface are dropped unless they are explicitly allowed. Circuit-level filtering lets the most common Internet applications behave as if they were connected directly to the Internet servers. This is particularly key for servers that require clients to connect directly, but it can be dangerous if a malicious server or application is involved. The most advanced filtering method is application filtering, which inspects incoming and outgoing data streams for particular applications and blocks them according to administrative settings. ISA Server includes many commonly used settings in templates to allow for easy setup of the firewall.
ISA also has many other features that cannot be covered here without writing an epic. We suggest that enterprises considering ISA visit the Microsoft ISA Server 2000 features page at http://www.microsoft.com/isaserver/productinfo/featuresoverview.htm for a comprehensive overview.
Pros: Firewall and Proxy Server together with advanced features in both servers
Cons: Integration with Windows 2000 may cause problems for non-NT networks.
Version Reviewed: 2000
Date of Review: 5/17/01
Date Last updated: 3/19/02
Reviewed by: M.A. Dockter