Comet provides out-of-this-world security features for the Internet firewall market
[Editor's Note: This article is based on Microsoft Internet Security and Acceleration (ISA) Server beta 3. As a result, the information might not apply to the final release of the product.]
With the introduction of Proxy Server 1.0, Microsoft made its first foray into two burgeoning markets: Internet security and accelerated Web access. Although the initial version of Proxy Server provided only basic security features and didn't support several popular Internet protocols, it quickly gained popularity among Windows NT-centric organizations that needed user-level access control to Internet services, Internet firewall functionality, and accelerated Web access.
In Proxy Server 2.0, Microsoft addressed several of the first version's shortcomings by including the ability to control inbound and outbound traffic and adding support for a wider array of Internet protocols and applications for proxy-enabled clients. (For more information about Proxy Server 2.0, see "Related Articles in Previous Issues," page 52.) Microsoft also enhanced the product's security functionality to include a sophisticated packet-filtering feature that lets administrators define and control the flow of specific traffic types through the Proxy Server system. For many large organizations, Proxy Server's primary benefits are the ability to leverage the NT user accounts database to control user access to Internet services, and the ability to use Proxy Server's caching features to optimize Internet connection performance. However, despite Proxy Server 2.0's security improvements, many large organizations have reservations about implementing the product as their primary firewall because it lacks many of the features that other firewall products provide.
Proxy Server has faced challenges in being accepted as a standalone Internet security product. As a result, Microsoft has designed the next version to incorporate the security features that Proxy Server 2.0 lacks. In addition, the company has set out to remedy some of Proxy Server 2.0's other shortcomings, such as its lack of support for popular protocols and its reliance on client-side software for Proxy Server access. Microsoft named the beta 1 and beta 2 releases of Proxy Server 2.0's successor Comet, but as of beta 3, the company rechristened the product Microsoft Internet Security and Acceleration (ISA) Server. The new name better represents the product's capabilities and its target audience: the Internet firewall market.
What Comet Entails
Although ISA Server is a descendent of Proxy Server, the new product is much more than a simple upgrade of its predecessor. ISA Server introduces a wealth of new features and improves many of Proxy Server's existing capabilities.
New firewall features. ISA Server sports a robust set of firewall features that can compete with most security products on the market. In addition to supporting packet-, circuit-, and application-level traffic filtering, ISA Server supports stateful packet inspection (i.e., the ability to examine data passing through the firewall in the context of its protocol and the state of the connection). ISA Server can also leverage Windows 2000's Active Directory (AD) or NT's SAM to secure individual features and services at a user or group level, a feat that most third-party firewall products can't achieve because they control access by IP address or rely on a separate user database for authentication. ISA Server offers out-of-the-box support for detecting, blocking, and alerting you to several well-known attack types, including Windows out-of-band (e.g., WinNuke), Ping of Death, Land attacks, and UDP bombs. ISA Server also provides true Network Address Translation (NAT) services through its SecureNAT feature, which lets LAN clients point their default gateways at ISA Server and transparently access the Internet, subject to ISA Server's rules, without client software.
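The four attack signatures the paragraph names are simple enough to show what a detector actually tests for. The following is an added example, not ISA Server's filter code: the Packet fields are a simplified stand-in for parsed IP/TCP/UDP/ICMP headers, and the sample packets at the bottom are constructed (RFC 5737 and RFC 1918 addresses) so the checks can run offline.

```python
"""
Signature checks for the four attack classes the article names (Windows
out-of-band/WinNuke, Ping of Death, Land, UDP bomb), added as an example.
Not ISA Server's code; Packet fields and sample packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

IP_HEADER_LEN = 20          # IPv4 header without options
MAX_IP_DATAGRAM = 65535     # largest total length an IPv4 datagram may have
NETBIOS_SESSION_PORT = 139  # port WinNuke hit with urgent (out-of-band) data


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                                   # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: Set[str] = field(default_factory=set)
    frag_offset: int = 0                         # fragment offset, in bytes
    payload_len: int = 0                         # IP payload bytes in this fragment
    udp_length: int = 0                          # value of the UDP header's length field


def is_land(p: Packet) -> bool:
    """Land: source and destination address *and* port are both the victim's."""
    return (p.proto in ("tcp", "udp")
            and p.src_ip == p.dst_ip
            and p.src_port == p.dst_port)


def is_oob_nuke(p: Packet) -> bool:
    """WinNuke: TCP segment carrying the URG flag to the NetBIOS session port."""
    return (p.proto == "tcp"
            and "URG" in p.tcp_flags
            and p.dst_port == NETBIOS_SESSION_PORT)


def is_ping_of_death(p: Packet) -> bool:
    """Ping of Death: an ICMP fragment whose offset plus length would reassemble
    into a datagram larger than IPv4 permits (65535 bytes including header)."""
    return (p.proto == "icmp"
            and IP_HEADER_LEN + p.frag_offset + p.payload_len > MAX_IP_DATAGRAM)


def is_udp_bomb(p: Packet) -> bool:
    """UDP bomb: the UDP length field is impossible (< 8) or disagrees with the
    bytes actually present after the IP header."""
    return p.proto == "udp" and (p.udp_length < 8 or p.udp_length != p.payload_len)


CHECKS: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("land", is_land),
    ("oob", is_oob_nuke),
    ("ping_of_death", is_ping_of_death),
    ("udp_bomb", is_udp_bomb),
]


def classify(p: Packet) -> Optional[str]:
    """Return the name of the first matching signature, or None for clean traffic."""
    for name, check in CHECKS:
        if check(p):
            return name
    return None


def scan(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Run every packet through the checks; return (index, signature) alerts."""
    return [(i, name) for i, p in enumerate(packets) if (name := classify(p))]


# Constructed sample traffic: three benign packets mixed with one of each attack.
SAMPLE_PACKETS = [
    Packet("192.168.0.5", "203.0.113.10", "tcp", 40001, 80, {"SYN"}),             # normal HTTP SYN
    Packet("203.0.113.10", "203.0.113.10", "tcp", 139, 139, {"SYN"}),             # Land
    Packet("198.51.100.7", "203.0.113.10", "tcp", 1234, 139, {"PSH", "URG"}),     # WinNuke
    Packet("198.51.100.7", "203.0.113.10", "icmp", frag_offset=65120, payload_len=1480),  # Ping of Death
    Packet("192.168.0.5", "203.0.113.10", "icmp", frag_offset=0, payload_len=64),         # normal ping
    Packet("198.51.100.7", "203.0.113.10", "udp", 5555, 7, payload_len=108, udp_length=4), # UDP bomb
    Packet("192.168.0.5", "203.0.113.53", "udp", 5353, 53, payload_len=48, udp_length=48), # normal DNS
]

if __name__ == "__main__":
    for index, signature in scan(SAMPLE_PACKETS):
        print(f"packet {index}: {signature}")
```

The Ping of Death check works per fragment rather than after reassembly, which is how a firewall can drop the offending fragment before it ever reaches the host's IP stack; the price is that it only fires on the fragment that pushes the total past 65535.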
Policy-based administration. Another important ISA Server feature is its use of policy-based administration. ISA Server lets administrators define policy elements such as users and groups, client protocols, schedules, sites, and content groups, then use those elements to manage various settings through ISA Server policies (e.g., client protocol access policies, site access policies, bandwidth usage policies). You can create policies at an array level or, for AD-enabled networks, at an enterprise level. (Enterprise-level policies let you enforce companywide security policies through AD.)
RRAS and VPN integration. A major improvement that ISA Server offers is the software's seamless integration with Win2K's RRAS and VPN services. Compared with Proxy Server's RAS and RRAS integration under NT 4.0, establishing a VPN through ISA Server to a remote RRAS VPN server is a breeze. To simplify setup, ISA Server includes an easy-to-use VPN configuration wizard that, for local VPN configurations, even launches RRAS setup if you haven't already installed the service.
Smart caching. ISA Server offers active caching features that let administrators proactively cache content from popular Web sites. Administrators can schedule cache updates to run automatically at predetermined times during the day.
Smart application filters. Using smart application filters, you can define filters that control traffic through ISA Server on an application-specific level. For example, you can implement an email traffic filter that blocks certain content types or a filter that handles streaming audio or video data.
Dynamic IP filtering. Many firewall products can reduce administrators' management burden by dynamically opening firewall ports for active client sessions to the Internet and closing them after the client terminates the session. ISA Server provides a similar dynamic-filtering feature so that you don't have to run to the firewall to manually open ports every time your network clients use a new protocol.
Scalability. In large organizations, scalability is an important feature of a Web caching server because performance can deteriorate when a server caches a lot of data. To address this situation and meet enterprise-network needs, ISA Server provides dynamic load-balancing functionality through the Cache Array Routing Protocol (CARP), which Proxy Server also supports. CARP improves performance in ISA Server farms by automatically sending client requests to the server that is most likely to house the requested content. ISA Server's use of Win2K's Network Load Balancing (NLB) services through multiserver arrays enhances the product's dynamic load-balancing capabilities and improves ISA Server systems' overall availability. You can also configure ISA Server to have multiple or backup connections (aka routes) to other ISA Server systems to enhance server availability.
Bandwidth usage rules. NLB isn't the only new Win2K feature that ISA Server leverages. By using Win2K's bandwidth control and Quality of Service (QoS) features, ISA Server lets you configure rules that define how much bandwidth the various protocols and traffic types passing through an ISA Server between the Internet and the local network may consume. This feature provides more control over the availability and utilization of a corporate Internet connection than Proxy Server provides.
Enhanced reporting. ISA Server lets you run extensive reports on user access and security events. You can schedule ISA Server to automatically run these reports and deliver them to you at specified intervals (e.g., daily, weekly, monthly).
H.323 gatekeeper service. ISA Server includes an H.323 gatekeeper component, which lets administrators use ISA Server to manage IP telephony calls between H.323 protocol-enabled applications (e.g., Microsoft NetMeeting 3.0). After you create DNS SRV record registrations to advertise the gatekeeper services, clients can connect to ISA Server, register their names with the gatekeeper service, and establish connections to other H.323 endpoints.
Look Ma, No Client
An essential feature in many of today's Internet security products is support for NAT. The Internet Engineering Task Force (IETF) Request for Comments (RFC) 1631 describes NAT, a technique that lets one Internet-connected host act as an Internet gateway for internal LAN clients by translating the clients' internal network IP addresses into the Internet-connected address on the NAT-enabled gateway device. Because internal addresses never appear on the Internet, and because the gateway forwards an inbound packet only when an earlier outbound connection created a translation entry for it, Internet hosts can't initiate connections to internal clients. (That property is valuable, but NAT by itself inspects nothing; what an established session is allowed to carry is still the job of the firewall's filters.) In addition, NAT reduces organizations' IP address procurement costs because companies need only the single routable Internet address on the NAT device. Another major benefit of NAT is transparency: The internal network clients don't require special software or configuration (other than using the NAT device as their default gateway to the Internet) to establish Internet connections. These benefits have promoted NAT support from an amenity to a standard feature of Internet gateway devices.
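The translation table is the whole mechanism behind both the transparency and the "unreachable from outside" property described above, so it is worth seeing one in code. This is an added example of a port-translating NAT (NAPT), not ISA Server's SecureNAT implementation; the addresses (RFC 1918 inside, RFC 5737 documentation ranges outside) and the exchange in demo() are constructed. The table maps each outbound session to a public port, rewrites replies back to the internal client, and drops anything from the Internet that no outbound session explains.

```python
"""
Minimal port-translating NAT (NAPT) table, added to make the article's
NAT description concrete. Not ISA Server's SecureNAT code; all addresses,
ports and the traffic in demo() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (private ip, private port, remote ip, remote port) identifies one session
Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_session: Dict[Key, int] = {}   # session -> public port
        self.by_port: Dict[int, Key] = {}      # public port -> session

    def outbound(self, f: Flow) -> Flow:
        """Rewrite a LAN client's packet so it leaves with the gateway's address.
        A session gets one public port on its first packet and reuses it after."""
        key: Key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        port = self.by_session.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_session[key] = port
            self.by_port[port] = key
        return Flow(self.public_ip, port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Rewrite a packet from the Internet back to the LAN client, or return
        None (drop) when no outbound session explains it. This is why internal
        hosts are unreachable from outside: with no table entry, the gateway
        has nowhere to deliver the packet."""
        if f.dst_ip != self.public_ip:
            return None
        key = self.by_port.get(f.dst_port)
        if key is None:
            return None                      # nobody inside opened this port
        priv_ip, priv_port, remote_ip, remote_port = key
        if (f.src_ip, f.src_port) != (remote_ip, remote_port):
            return None                      # a third party probing a port in use
        return Flow(f.src_ip, f.src_port, priv_ip, priv_port)


def demo() -> List[str]:
    """Run a constructed exchange through the table and return a readable trace."""
    nat = Napt("203.0.113.1")
    trace: List[str] = []
    # Two clients that happen to pick the same source port talk to the same server;
    # they must receive distinct public ports or their replies would collide.
    for client in ("192.168.0.10", "192.168.0.11"):
        out = nat.outbound(Flow(client, 1025, "198.51.100.80", 80))
        trace.append(f"{client}:1025 -> {out.src_ip}:{out.src_port} -> 198.51.100.80:80")
    # The server's reply to the second client arrives on public port 40001.
    back = nat.inbound(Flow("198.51.100.80", 80, "203.0.113.1", 40001))
    assert back is not None
    trace.append(f"reply on 40001 -> {back.dst_ip}:{back.dst_port}")
    # An unsolicited packet to a port nobody opened is dropped.
    probe = nat.inbound(Flow("198.51.100.99", 25, "203.0.113.1", 40002))
    trace.append(f"unsolicited to 40002 -> {'dropped' if probe is None else 'forwarded'}")
    return trace


if __name__ == "__main__":
    print("\n".join(demo()))
```

Note what the table does not do: once a session exists, a reply from the matching remote endpoint is forwarded without any look at its contents. That is the gap the packet, circuit and application filters described earlier are meant to cover, and why the article's "securely" depends on the firewall rules that sit in front of SecureNAT rather than on the translation itself.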