
Microsoft firewall dispels myth of hardware superiority

An updated version of Microsoft's Internet Security and Acceleration (ISA) Server is proof that software firewalls have surpassed their hardware counterparts, one expert says.

The Mydoom worm has already clocked in as the first major security annoyance of the New Year. It will fade, but more worms and viruses are likely to follow, which means an IT administrator can never drop the ball on perimeter network security.

For its part, Microsoft continues to make improvements to the way it barricades Windows, and this summer the software maker will be releasing a new version of its Internet Security and Acceleration (ISA) Server.

Though the largest enterprise customers tend to use ISA as a proxy server to cache and filter Web content, it is indeed Microsoft's firewall product. Microsoft is punching up its upcoming version with some improvements in application-layer filtering and performance; it will also give ISA a more finely tuned ability to specify which traffic can enter a network. The software entered its first public beta in late January and is expected to become available midyear, Microsoft said.

Improvements to virtual private networking represent perhaps the biggest advances in ISA 2004, said Thomas Schinder, a technology trainer and ISA expert in Dallas. Schinder said ISA is the only firewall in its price range that actually filters the connection from VPN clients and routers. The current version of ISA sells for about $1,500 per processor. Pricing for ISA 2004 has not yet been set, company executives said.


Normally, when a user makes a VPN connection from, say, a hotel room to the office, that user has access to everything on the corporate network to which they've been assigned permissions. This exposes the network to vulnerabilities, Schinder said. For example, VPN clients could call in and share the Blaster worm.

"ISA 2004 can now control what someone coming in through a VPN can do," he said.

Schinder said that another improvement is support for IPsec tunnel mode for third-party VPN connections. The new server also blocks unauthenticated connections to Outlook Web Access: the firewall itself presents a login form, and the submitted credentials are checked against the domain controller before any connection is passed through to the mail server.

Schinder said that IT administrators need to dispel the myth that hardware-based firewalls are stronger than software firewalls. Every firewall runs on an underlying operating system that executes its code; vendors of hardware-based products simply assume that their embedded operating system handles the firewall code efficiently.

Schinder said that hardware firewalls, historically, could pass packets faster than software firewalls running on Intel Corp. hardware. "That gap, if it exists anymore, doesn't exist in the range of the ISA 2000's performance and security," he said. "The idea that hardware firewalls perform better is a leftover from days gone by, when the hardware firewall was a single-purpose device that performed limited packet-filtering functions."

Schinder said that, today, the packet-filtering approach isn't particularly helpful in fending off attacks, because packet filtering only examines OSI layers 3 and 4 (addresses, protocols and ports), while most attacks arrive in application-layer data that such a filter never inspects.
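To make that distinction concrete, here is an added Python sketch (not ISA Server code; the addresses, rule set and sample requests are constructed for the demonstration). The same packet is checked by a layer 3/4 filter, which only sees the address/protocol/port tuple, and then by an application-layer filter that parses the HTTP request it carries.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes  # application data; a layer 3/4 filter never reads this


# Constructed layer 3/4 policy: permit TCP to the web server on port 80.
L34_RULES = [{"proto": "tcp", "dst_ip": "10.0.0.5", "dst_port": 80}]


def l34_filter(pkt: Packet) -> bool:
    """Packet filter: decides on addresses, protocol and port only."""
    return any(pkt.proto == r["proto"] and pkt.dst_ip == r["dst_ip"]
               and pkt.dst_port == r["dst_port"] for r in L34_RULES)


ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # constructed policy
MAX_REQUEST_LINE = 2048                      # constructed length limit


def http_filter(pkt: Packet) -> bool:
    """Application-layer check: parses the HTTP request line and headers."""
    head, _, _ = pkt.payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, _target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False                         # not a well-formed HTTP request
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/1."):
        return False                         # disallowed method or version
    if len(lines[0]) > MAX_REQUEST_LINE:
        return False                         # oversized request line
    headers = dict(line.split(":", 1) for line in lines[1:] if ":" in line)
    return "Host" in headers                 # HTTP/1.1 requires a Host header


def inspect(pkt: Packet) -> dict:
    """Return both verdicts so the gap between the two layers is visible."""
    return {"l34": l34_filter(pkt), "app": http_filter(pkt)}
```

A request with an oversized request line or a disallowed method is indistinguishable from a normal one at layers 3 and 4, so only the application-layer check rejects it.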

Still, for the largest environments, most enterprise customers prefer a workhorse appliance. Michael Rasmussen, a principal analyst at Forrester Research in Cambridge, Mass., said that, while ISA is good technology, enterprises today still want hardware firewalls, because they require less maintenance and because their performance is generally seen as better.

Smaller customers will find it useful for caching or integrating with Active Directory to control outbound traffic, he said.

That is exactly what IT administrators for the Whitman-Hanson Regional School District had in mind when they set up ISA 2000 on the school's network.

The school system in southeastern Massachusetts chose ISA as its firewall because of its price and for its ability to control students' access to the Internet, said Josh MacNeil, assistant director of technology services for the school district.

The school system makes all its students turn in a permission form for Internet access and, because the software is integrated with Active Directory, it can determine whether a student is allowed to go online, said MacNeil, who had considered a product from Checkpoint Software Technologies Inc. before opting for ISA. "The Checkpoint hardware didn't go down to user-based management," he said.

Joel Sloss, a Microsoft product manager for ISA Server 2004, said that the firewall is best used in an environment that has no more than 1,500 desktops. Sloss said he expects that the largest enterprises might use the firewall in a remote office or for a specific department.

Whether it is used as a proxy server or a firewall, Microsoft's ISA faces tough competition. Many of the big firewall companies, including Netscreen Technologies Inc., Sunnyvale, Calif., and Checkpoint, Redwood City, Calif., are starting to aim hardware firewalls at the application layer, Rasmussen said. Netcontinuum Inc., Santa Clara, Calif., makes a firewall specifically for Web applications.

Microsoft sees competition in software firewalls and application proxy servers coming from Symantec Corp., Cupertino, Calif., and Secure Computing Corp., San Jose, Calif.
