Extending ISA Server

When Microsoft released Internet Security and Acceleration (ISA) Server 2000 in late 2000 as a successor to Microsoft Proxy Server 2.0, the new product positioned the company as a serious contender in the network security market. As a Web-caching proxy server and firewall, ISA Server filters several layers of Open System Interconnection (OSI) model traffic (for information about the various types of firewall filtering, see the sidebar "Types of Firewall Filters," page 40). ISA Server also supports server publishing and can be part of a VPN solution. Given these capabilities, several respected security audit teams have identified ISA Server post—Service Pack 1 (SP1) and later versions as a first-rate network defense tool.

To build on this solid foundation, Microsoft has partnered with dozens of companies to enhance ISA Server's capabilities through third-party products. (The complete partner list is available at http://www.microsoft.com/isaserver/partners/default.asp.) Many of these third-party products enhance performance, ease monitoring and administration, and improve or add security features. Let's look at just a small cross-section of these ISA Server add-ons.

Performance Enhancements
ISA Server performance-enhancing add-ons improve on Microsoft's already strong caching, load balancing, and fault tolerance feature sets. In addition, you can improve performance by off-loading security processing to an add-on processor. Performance add-ons fall into three categories: caching, high availability and load balancing, and Secure Sockets Layer (SSL) acceleration and key management.

Caching. ISA Server comes with its own configurable, high-performance HTTP, FTP, and Gopher caching algorithms. As a result, many third-party caching add-ons focus on a particular niche. For example, Chutney Technologies' Chutney Apptimizer (formerly called PreLoader) increases ISA Server's throughput of Web applications traveling to and from the end user. Apptimizer consists of a library of runtime APIs that you include in the Web application coding. The Apptimizer database engine caches Web content and acts as a fast intermediary between the end user and Web server. With its new Simple Object Access Protocol (SOAP) 3 support, Apptimizer is ready for Web services.

High availability and load balancing. You can cluster multiple ISA Server systems for load balancing and fault tolerance. Third-party products typically offer more load-balancing algorithms; fast, specialized processors; secondary RAM caches, and other security features. F5 Networks' BIG-IP switches are external devices that provide load balancing, fault tolerance, and SSL acceleration for traffic in OSI model layers 4 through 7. BIG-IP switches work with any IP traffic, not just Web traffic, and use rules and scripting to let administrators customize load balancing. Several BIG-IP products are available, the fastest of which provides 2.5GHz of processing power.

Radware refers to its FireProof enterprise security product as a security application switch. FireProof is an external layer-4-through-7 switch built to load balance, optimize, and provide high availability for firewalls, VPN systems, and gateways. FireProof has five different load-balancing routines, including one that can poll ISA Server boxes for six predefined variables to determine optimization. Radware says one FireProof device can support up to 100 ISA Server systems and offers limited intrusion detection and protection against Denial of Service (DoS) attacks.

Rainfinity's RainConnect provides load balancing and failover redundancy on networks with two or more ISP connections. You can deploy the software on a standalone server or on top of ISA Server. RainConnect sends unsophisticated Ping (Internet Control Message Protocol—ICMP—echo) test packets to predefined hosts to monitor the health of each connection. Like most other fault-tolerance products discussed in this review, during a failover event, the active connections running on the broken link are lost but can be reconnected over other available links.

Another Rainfinity product called RainWall can be installed on an existing ISA Server system within an ISA Server cluster to provide high availability and load balancing. Rainwall deploys virtual IP (VIP) addresses on each server's interface and monitors each server's health, including the status of ISA Server and RRAS services. When a server or monitored service fails, RainWall automatically fails that server over to another ISA Server node. RainWall also handles administrative shutdowns for maintenance work and brings the server back into the cluster automatically when the administrator restarts it. You use a Microsoft Management Console (MMC) snap-in to administer both RainConnect and RainWall.

Stonesoft's StoneBeat FullCluster for ISA Server provides load balancing and high availability between multiple ISA Server boxes. The software distributes loads according to process utilization and packet throughput. StoneBeat FullCluster for ISA Server uses a customizable test subsystem located on each participating node to monitor server health. Remote administrators can use an SSL-encrypted Java client to securely manage the product.

SSL acceleration and key management. Too many inbound SSL connections can quickly over-task ISA Server. Several vendors provide adjunct hardware devices to take over SSL processing, thereby increasing the number of secure connections that ISA Server can handle at once.

AEP Systems' AEP SureWare Runner SSL accelerator cards are specially designed for SSL sessions. AEP says its product can handle up to 2000 SSL transactions per second (tps), and the company's internal tests show a 220 percent increase in SSL transactions per second serviced and a 20 percent decrease in CPU utilization on an ISA Server system with a card.

nCipher offers several SSL accelerator products that work with ISA Server. The company's nFast 800 is a Federal Information Processing Standard (FIPS) 140 Level 2 SSL accelerator PCI card. The nForce is a FIPS 140 Level 2 SSL accelerator and key security PCI card. The nShield is a FIPS 140 Level 3 SSL acceleration and key security PCI card. You can add multiple cards for increased processing benefit and automatic failover.

Monitoring and Administration Improvements
Most third-party add-on products either focus on collecting and analyzing critical events from one or more ISA Server systems or they monitor and report on Internet usage. Functioning as a host-based Intrusion Detection System (IDS), GFI Software's GFI LANguard Security Event Log Monitor (SELM) analyzes the event logs for ISA Server or any Windows XP, Windows 2000, or Windows NT machine and monitors important files for critical events. The software can alert administrators with an email or pager notification or centrally store events for historical analysis. GFI LANguard SELM excels at consolidating information from two or more ISA Server boxes, thus offering the potential to alert administrators to a wider-scale attack than might otherwise be immediately noticed.

GFI Software's GFI DownloadSecurity for ISA Server lets administrators control and view inbound HTTP and FTP downloaded files. The software includes Norman Virus Control and SOFTWIN's BitDefender antivirus engines, and you can add McAfee VirusScan antivirus product as an option. In addition, you can block files according to MIME type (e.g., executable) and extension and prevent users from downloading ActiveX and Java applets.

Intellitactics' Network Security Manager (NSM) collects security events from ISA Server to generate realtime alerts based on predefined security rules. NSM interprets, analyzes, and stores events and uses intelligence to appropriately classify threats and minimize false positives.

Microsoft Operations Manager (MOM) is a centralized reporting tool for monitoring and managing Microsoft server products, including ISA Server. Management pack modules are available for each server product and provide predefined computer groups, processing rules, filters, alerts, and performance sampling. Pricing is set according to each processor the software runs on and for each processor the software manages, plus an additional fee for each processor that uses a management pack module. MOM is also available as part of Microsoft's Universal Subscription package.

NetIQ's AppManager for Microsoft ISA Server monitors one or more ISA Server systems from one console, storing performance and event-log data in a Microsoft SQL Server database. The software can alert administrators through SNMP, email, or pager notifications. During a downtime event or alert, AppManager for Microsoft ISA Server stores key statistics, such as the total number of requests and bytes being sent from ISA Server to remote locations.

Another NetIQ product called Firewall Suite reports on critical errors, warnings, and rules triggered by ISA Server and includes more than 200 customizable reports. The software monitors event logs, IP devices, and services. If a device or service goes down, the product can alert administrators by email, audio alarm, or pager.

PatchLink, which is well known for its patch management software, offers WebConsole IT Management Suite for Windows NT/2000 with a PatchLink Alert snap-in module that lets you use SNMP to monitor ISA Server. The snap-in alerts administrators to server runtime and downtime events and to unauthorized firewall breach attempts. The snap-in can monitor and report on multiple ISA Server boxes. PatchLink's Web-based solution lets you use any Java-enabled Web browser to gather realtime monitoring and historical reporting information.

Sane Solutions' NetTracker analyzes ISA Server logs and provides detailed statistics. The software comes with more than 80 standard reports, plus wizards to design more customized filters and reports. Administrators can readily export information to Microsoft Word, Excel, and Access.

Aelita Software's InTrust (formerly EventAdmin) software collects, consolidates, and reports on ISA Server events. It comes with 60 predefined reports and lets you use OLAP to perform data analysis. The software can alert administrators through email, pager, network message, or SNMP trap notifications. You can save reports in HTML, XML, PDF, comma-separated value (CSV), text, and other popular Microsoft formats.

Burst Technology offers ISAFilter and bt-LogAnalyzer separately or combined as its Employee Productivity Management (EPM) solution. Both products use the MMC for administration and work with Active Directory (AD) in mixed or native mode. ISAFilter blocks inappropriate Web content based on category, time of day, bandwidth quotas, length of time, and day of week. bt-LogAnalyzer categorizes and reports on email and Web content. Web usage is broken down into predefined categories, such as sex, sports, and malicious code. Email usage reports identify the most popular message domains sending mail to and from your organization.

WebSpy's ISA Server Suite includes a copy of ISA Server and a copy of WebSpy's WebSpy Analyzer Standard. WebSpy Analyzer Standard is a reporting tool that lets you summarize and drill down into your organization's Internet use. The software reads more than 20 different log formats from various firewalls and proxies and exports the information in almost a dozen different formats. WebSpy Analyzer Standard comes with a Web-based client to review its predefined multi-tiered reports.

Security Enhancements
Although ISA Server works well as a firewall and proxy, many third-party products are available that can help you strengthen your defenses against a hostile world. Security add-ons fall into four categories: content and application security, intrusion detection, URL filtering, and user authentication.

Content and application security. Content and application security add-ons work by analyzing data within the application layer. Akonix Systems has made a name for itself by monitoring and securing Instant Messaging (IM) communications in the corporate environment. The company's Akonix L7 Enterprise for ISA Server lets you secure unmanaged public IM. After you install the software as an ISA Server application filter, it begins mapping active IM sessions and chat names to users' network ID. You can then monitor and store IM sessions or deny messages based on content, size, destination, and user name. You can also configure Akonix L7 Enterprise for ISA Server to scan IM file attachments and enforce the use of the latest IM clients to minimize security holes.

Symantec extends its antivirus protection to ISA Server by filtering and protecting Web, SMTP, and FTP connections over HTTP traffic. Symantec AntiVirus for Microsoft ISA Server works by installing an ISA Server filter that intercepts and passes monitored content to a separate server running Symantec's antivirus scan engine. The scan engine inspects, cleans, repairs, and returns the content to ISA Server for forwarding to users. The software can alert administrators by using SMTP, SNMP, or any of the default ISA Server reporting mechanisms.

Trend Micro's InterScan WebProtect for ISA is installed as an Internet Server API (ISAPI) filter on ISA Server systems to scan and protect HTTP and FTP connections over HTTP traffic. The software also scans for malicious Java applets and ActiveX objects and uses Trend Micro's MacroTrap technology to detect known and unknown macro viruses.

Intrusion detection. ISA Server comes with some built-in, basic IDS features. Internet Security Systems (ISS), the company that helped Microsoft develop ISA Server's IDS features, offers an enhanced product called RealSecure Server Sensor for ISA Server. The software is installed on ISA Server and provides hundreds of additional IDS checks that automatically update the server, unlike ISA Server's built-in IDS checks. RealSecure Server Sensor for ISA Server also monitors crucial local files and OS resources and can prevent buffer overflows. Unfortunately, this product doesn't work with ISA Server Enterprise edition.

URL filtering. Although ISA Server lets you block specific Web sites that contain objectionable content, many third-party add-ons let you automate and simplify the Web-filtering process. Secure Computing's SmartFilter URL filter plugin for ISA Server approves or denies Web content based on your predefined settings. SmartFilter comes with a list of more than 2 million previously reviewed Web sites and lets you block additional sites by keywords or file types. Denied content can generate a message to the user explaining the denial or coach the user to follow approved corporate policy.

Wavecrest Computing's CyBlock Web filter lets you approve or deny access to specific Web sites and Web site categories (e.g., chat, porn, news). The filter lets users access only specific sites and lets you manage users individually or as part of a group. Wavecrest Computing's other product, Cyfin Reporter, reads ISA Server logs so that you can generate reports to analyze Web-access activity and bandwidth performance.

CornerPost Software's Chaperon 2000 filters Internet content and offers a few features the competition doesn't have. In addition to alerting you to users who are trying to access objectionable content, the software can report on users specifically trying to circumvent the filter. This functionality is especially important to counteract the new hacker tools designed specifically to allow filter circumvention. Even if the user is initially successful in getting around Chaperon, if the software notes inappropriate content, it flags the Web site and alerts the administrator. Chaperon's blocked URL list is updated every 2 hours. CornerPost Software also sells Surrogate Socket 5.0 to provide SOCKSv5 support for ISA Server (which typically supports only SOCKSv4).

8e6 Technologies' 8e6 for Microsoft ISA Server 2000 Internet filter software monitors and blocks objectionable Web site traffic. The software monitors search engines for inappropriate keywords and adds new blocked sites daily. You can block Web sites by group or for individual users. The software also lets you produce Internet monitoring reports by Web site IP address, domain name, authentication type, and category.

The SurfControl Web Filter for Microsoft ISA Server software works as an ISA Server ISAPI plugin that monitors and blocks inappropriate content. The software can filter according to Web site, directory, page, time, bandwidth, or byte quotas and can alert you by email when a rule is triggered. SurfControl Web Filter contains more than 55 standard reports, and you can monitor specific users and sites in realtime.

Websense Enterprise, Microsoft ISA Server Edition monitors and blocks Web sites using categories, keywords, time-based quotas, and time of day. The software categorizes more than 4 million sites, includes more than 60 reports, and supports non-American languages.

User authentication. ISA Server depends on Microsoft's typical Windows authentication mechanisms. Third-party user authentication systems add checks and external hardware keys (called two-factor authentication) to increase user identity reliance. Authenex's AOne uses ISA Server with Authenex Strong Access Control (ASAC) and Authenex Strong Authentication System (ASAS) to provide access control for Internet users. ISA Server provides the firewall, cache, and VPN, and the AOne solution provides user authentication and control. Internal or remote users must have an authentication password and a physical access key (called an A-Key) to use company resources over the Internet. ASAC lets you restrict users by time, destination, or content.

RSA Security's cryptographic offerings are popular in the industry. RSA Security uses RSA ACE/Agent for Windows 2000 software, RSA ACE/Server software installed on ISA Server, and physical RSA SecurID smart cards for two-factor authentication. Users must know their secret PIN and use their cryptographically unique SecurID device to gain access to their company's Internet resources.

By itself, ISA Server is a formidable network security product. Coupled with any of Microsoft's ISA Server partner products, it's an even better perimeter tool. I couldn't cover every ISA Server add-on here, but you can visit ISAserver.org at http://www.isaserver.org/software for a broad list of available products and additional discussion.