Deploying Microsoft's ISA in the enterprise

Thinking about deploying Microsoft's Internet Security and Acceleration (ISA) Server 2000 in your enterprise? Check out solutions to common ISA problems from security consultant, columnist and author Roberta Bragg. Bragg fielded over 60 security questions from Windows IT pros in a live expert Q&A on July 25. Here are her answers to many of your pressing Windows security manageability questions.

sWM: Does the installation of ISA Server slow down Windows 2000 performance?
Bragg:

Every service you ask a computer to perform slows it somewhat. However, if you follow good management and strip unnecessary services, you can improve performance. You will also want to make sure you appropriately size the system for the duties it will perform. Microsoft has some stats on its site at http://www.microsoft.com/isaserver and there are also some in the ISA help files that will help you with sizing.

sWM: Should you use Windows 2000 Server or Advanced Server to build ISA?
Bragg:

Win2k Server is fine unless you use more processors or need the benefits of Advanced Server for Network Load Balancing.

sWM: Do you feel that security is a number one priority in regards to securing a database?
Bragg:

That's really an unfair question. In my mind security is always job one. However, we do have to get some work done. Properly designed systems have both. What does the database have in it? Credit card numbers? Security better be pre-eminent. On the other hand, if it's just a record of the technical books that I have on my shelves, then I probably wouldn't invest too heavily in securing it. You must weigh the risks of each gain in security versus potential loss in productivity or ease of use. Sometimes you get both improved security and improved productivity.

sWM: How well does ISA run in a mixed Win2k/NT 4.0 environment? Any 'known' issues?
Bragg:

The issues I'm aware of have to do with networks where Proxy still exists or did exist and older Proxy clients are still installed. For details, search the Microsoft Knowledge Base: http://search.support.microsoft.com/kb/c.asp?ln=en-us&sd=gn.

sWM: What levels of the Open Systems Interconnection (OSI) model does the ISA 2000 Server work at? Does it work at all levels?
Bragg:

ISA server offers the potential to work at multiple levels. Visit http://www.microsoft.com/isaserver for full descriptions of various layers of protection, and where they operate.

sWM: How does ISA compare to firewalls like NetScreen or Check Point?
Bragg:

NetScreen is a hardware-based firewall device; ISA and Check Point are software-based. Both types have advantages and disadvantages. The two major differences between ISA and both of the others are features and ease of use. A thorough comparison would take a while, but you can get a list of ISA features from Microsoft at http://www.microsoft.com/isaserver/evaluation/overview/default.asp plus a free download of an evaluation version at http://www.microsoft.com/isaserver/evaluation/trial/default.asp.

sWM: What are the big differences between Check Point and Microsoft's ISA?
Bragg:

I'm not a Check Point guru. But many people I have spoken with find ISA server to be much easier to understand and therefore configure. There is much more readily available help, free documentation and training classes available now. I suspect in the future there will be even more knowledgeable ISA server admins than there are knowledgeable Check Point admins. You can secure your network with either.

sWM: How risky is it to use SNMP to manage (alerting and rebooting) all servers in a DMZ (external ISA and IIS) from the internal network?
Bragg:

Well, you are then allowing SNMP through to your internal network. Can an attacker use this against you? You'd have to evaluate the other rules and filters you have in place. I'm presuming you don't have SNMP access from the external world to your DMZ.

sWM: Once the ISA Server is installed, do clients require software for running general programs like newsgroups, RealAudio, etc.?
Bragg:

For any http, https or ftp access, client software is not necessary. For any software which can be proxied, client software is not necessary. Whether or not software would require you to load the firewall client depends on the software and the protocol rules and packet filters you have in place on your ISA server. There are good articles on the Microsoft Web site which deal with specific issues of many types of software.

sWM: How risky is it to use Win2k Terminal Services to manage all servers in a DMZ (external ISA and IIS) from the internal network?
Bragg:

Less risky than many other remote management tools. You will want to make sure that you have properly set up this service; i.e. use in administrative mode and secure the DMZ servers etc.

sWM: When configuring system backups, are there any areas of the ISA Server that should not be included?
Bragg:

You probably will not back up the cache.

sWM: How do I roll out Firewall Client enterprise wide?
Bragg:

How about using group policy?

sWM: What server(s) should ISA not co-exist with on the same box?
Bragg:

Keep it simple. Use a server to do one thing. If ISA Server is loaded, I know of no additional server that can't be there. But I believe most should not be there and a number are difficult to configure if they are there.

sWM: What are the major benefits to ISA as compared to Novell Border Manager? Are there any acknowledged deficiencies?
Bragg:

I have not seen any studies that do a blow by blow feature comparison. My feeling is that ISA is easier to configure and superior in every way.

sWM: If you add a new piece of hardware that requires reapplication of a Service Pack, will it break the preinstall hotfix or ISA itself by overwriting a dll or something like that?
Bragg:

Not that I am aware of, however, it is a good practice to determine if the hotfix is incorporated in the Service Pack. If it is post Service Pack, then reinstall it unless you can find a Microsoft recommendation that says you do not need to.

sWM: For the cache only option, can we leave all protocols opened?
Bragg:

Make sure you are leaving all protocols open for accessing the external network from the internal -- not the other way around. I presume you have a firewall to protect your network from external intruders. This is really a corporate policy. If you want to allow all employees equal access to all Internet resources that may be ok depending on your company's policy.

Roberta Bragg MCSE, MCT, MCP, CISSP is the author of a number of highly regarded Win2000 security books and writes MCP Magazine's popular "Security Advisor" column. As founder of Have Computer Will Travel, she consults on security, operating systems, and databases. Her latest book is "MCSE Training Guide (70-227) Installing, Configuring and Administering Internet Security and Acceleration (ISA) Server 2000."

FOR MORE INFORMATION

To hear Bragg's complete audio presentation on "Implementing a Secure ISA Server," check out the searchWin2000 live Expert Q&A archives.

You can read more of Bragg's off-line replies to unanswered ISA chat questions on the searchWin2000 tip page.
