By Andrew Garcia  |  Posted 2004-07-19

Businesses with heavy investments in publicly accessible Microsoft services and applications, such as Exchange Server and IIS (Internet Information Services), stand to gain the most from Internet Security and Acceleration Server 2004's extensive application filtering capabilities.

However, because ISA is a server-based platform, companies that don't want to perform critical server hardening should consider using ISA 2004 as a secondary layer of defense behind a high-security stateful inspection firewall appliance.

Licensing for ISA 2004, which started shipping this month, starts at $1,499 per processor on a single server. Of course, businesses must also factor in the cost of hardware and Windows 2000 or 2003 server licenses, putting the starting price in the neighborhood of $3,500 for a low-end implementation.

Microsoft does not charge the per-feature or per-user license fees we've seen from security appliance vendors such as Juniper Networks Inc. and Fortinet Inc. However, administrators must factor in the time necessary to properly harden and test ISA 2004's underlying operating system configuration.

eWEEK Labs installed ISA 2004 on a server with a single 2.53GHz processor and 512MB of RAM running Windows Server 2003 Enterprise Edition. ISA 2004 also works on Windows 2000-based servers, but Windows 2000 doesn't support quarantining and scanning VPN clients for desktop firewalls and up-to-date anti-virus software before the clients fully connect to a protected network.

ISA 2004 offers much more flexibility than its predecessor when dealing with a variety of network architectures and server hardware configurations. We appreciated ISA 2004's various network architecture templates that make it a snap to configure the firewall as an edge firewall with a separate DMZ network or as a front or back security device in tandem with other security hardware.

Microsoft has taken much of the complexity out of managing firewall policies, introducing easy-to-decipher wizards to create access policies. Particularly effective are the publishing wizards for Microsoft services, which take some of the guesswork out of configuring access to Web servers or complicated RPC (remote procedure call)-based services.

Using VPN wizards, we created a site-to-site IPSec tunnel to a SonicWall Inc. SonicWall Pro 330 and a remote user tunnel using L2TP (Layer Two Tunneling Protocol)/IPSec. Although the wizards were quite helpful in setting up the remote user tunnel, the site-to-site wizards could do a better job of leading the administrator from tunnel setup to creating the appropriate access policies.

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
