Microsoft recommends it, but ISA Server is a Microsoft product, so we can't really count on Redmond to be objective on the matter. In this column, I discuss ISA Server's strengths and weaknesses to help you decide whether or not it's the right firewall product for your environment.
Most firewalls function by regulating port access. There are over 65,000 TCP ports and just as many UDP ports that can be used as entry points into a network. Firewalls work by blocking access to unused ports. If a port is blocked, no one can use it to infiltrate your network.
Most firewalls have a few other port-related features as well. One example is port forwarding. Let's suppose you have to leave TCP port 80 open so users can log onto your Outlook Web Access server. If your OWA server is the only server on your network that you want to make accessible through port 80, you don't want to just open that port and assume that nobody will ever try to access other servers through it. Instead, it's better to use port forwarding to force all traffic coming in through port 80 to go to your OWA server.
I don't want to waste a lot of time talking about basic firewall features. My point is that just about any firewall blocks ports and offers security features like port forwarding. For example, Cisco makes a variety of firewall appliances ranging in price from under $500 to over $14,000, and all of them have these basic port-control features.
ISA Server is priced somewhere in the middle. The standard edition goes for $1,499 per processor and the enterprise edition costs $5,999 per processor. In addition, you will also need a dedicated server and a copy of Windows Server 2003.
So why would you want to spend that much money on an ISA Server when cheaper firewall alternatives are available?
One thing that sets ISA Server 2004 apart from some other types of firewalls is that it functions as a standard firewall and an application-level firewall. An application-level firewall doesn't just look at which ports traffic is coming in on, but also at how that traffic is being used.
To see why this is important, let's go back to my earlier example in which someone was using TCP port 80 to remotely access OWA. Port 80 is typically used by the HTTP protocol. Most firewalls will allow you to prevent any protocols other than HTTP from coming in on port 80. The problem is that the majority of firewalls won't allow you to specify how HTTP should be used. There is an endless variety of attacks that can occur at the HTTP level, including directory traversals, buffer overflows and WebDAV attacks, just to name a few. Some viruses, such as Code Red and Nimda, also exploit the HTTP protocol.
My point is that simply blocking all unused ports and protocols isn't enough, because there are ways to exploit ports and protocols that you have to leave open. An application-layer firewall will help protect you from such exploits -- a basic port blocking firewall won't.
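To make the distinction concrete, here is an added example (my own illustration, not ISA Server's code) of the kind of check an application-layer HTTP filter performs on traffic that a port-based rule has already admitted on port 80. The published directory names, the length limit and the sample requests are constructed assumptions for the demonstration.

```python
from typing import Tuple
from urllib.parse import unquote, urlsplit

# Policy for this constructed example: only the virtual directories an
# OWA server needs are published, only plain HTTP verbs are allowed,
# and over-long request targets are rejected. All values are illustrative.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_ROOTS = ("/exchange", "/exchweb", "/public")
MAX_TARGET_LEN = 2048


def inspect_request(raw: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one raw HTTP request received on port 80."""
    try:
        request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII request line"
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        # WebDAV verbs such as PROPFIND never reach the Exchange server.
        return False, f"method {method} not allowed"
    if len(target) > MAX_TARGET_LEN:
        # Over-long URLs are the classic vehicle for server-side overflows.
        return False, "request target too long"
    # Decode twice so double-encoded dots (%252e) do not slip past the check.
    path = unquote(unquote(urlsplit(target).path)).replace("\\", "/")
    if ".." in path.split("/"):
        return False, "directory traversal"
    if not any(path == r or path.startswith(r + "/") for r in ALLOWED_ROOTS):
        return False, f"path {path} is not a published OWA directory"
    return True, "ok"


# Constructed sample requests; a port-only rule would pass every one of them.
SAMPLES = [
    b"GET /exchange/ HTTP/1.1\r\nHost: owa.example.com\r\n\r\n",
    b"PROPFIND /exchange/user/ HTTP/1.1\r\nHost: owa.example.com\r\n\r\n",
    b"GET /exchange/%2e%2e/%2e%2e/secret.txt HTTP/1.1\r\n\r\n",
    b"GET /exchange/?" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
    b"GET /iisadmin/ HTTP/1.1\r\nHost: owa.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        allowed, reason = inspect_request(req)
        print("ALLOW" if allowed else "BLOCK", reason)
```

Only the first sample is allowed; the other four are rejected for the method, traversal, length and unpublished-path reasons the filter reports.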
ISA Server isn't the only application-layer firewall available. However, to the best of my knowledge, ISA Server is the only firewall product that contains features specifically intended for protecting Exchange Server. A few of these features include secure Exchange RPC filtering, Outlook Web Access, Outlook Mobile Access and ActiveSync wizards that create secure publishing rules, URL protection, HTTP filtering and forms-based authentication.
ISA Server does have one major weakness, though: it runs on top of the Windows operating system. This means that if there is a weakness in Windows Server, that vulnerability will also affect ISA Server. ISA Server has improved a lot since the last version, and does a better job of protecting the underlying operating system than it has done in the past. Even so, I don't recommend using it as your perimeter firewall.
However, I do like the way that ISA Server can protect Exchange Server. Therefore, you might consider using it as a second firewall. You could filter out as much malicious traffic as possible with a firewall appliance, and then use ISA Server to filter out anything that the first firewall wasn't capable of looking for. Using this approach would help to protect ISA Server's operating system from an attack. Another approach is to use a firewall appliance to guard your network perimeter, but use ISA servers to protect individual segments on your internal network.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.