Microsoft Corp.'s ISA 2004 includes major improvements over its predecessor, significantly easing policy management processes, supporting multiple types of network configuration and offering improved integration with third-party VPN products for site-to-site IP Security connectivity.
Businesses with heavy investments in publicly accessible Microsoft services and applications, such as Exchange Server and IIS (Internet Information Services), stand to gain the most from Internet Security and Acceleration Server 2004's extensive application filtering capabilities.
However, because ISA is a server-based platform, companies that don't want to perform critical server hardening should consider using ISA 2004 as a secondary layer of defense behind a high-security stateful inspection firewall appliance.
Licensing for ISA 2004, which started shipping this month, starts at $1,499 per processor on a single server. Of course, businesses must also factor in the cost of hardware and Windows 2000 or 2003 server licenses, putting the starting price in the neighborhood of $3,500 for a low-end implementation.
Microsoft does not charge the per-feature or per-user license fees we've seen from security appliance vendors such as Juniper Networks Inc. and Fortinet Inc. However, administrators must factor in the time necessary to properly harden and test ISA 2004's underlying operating system configuration.
eWEEK Labs installed ISA 2004 on a server with a single 2.53GHz processor and 512MB of RAM running Windows Server 2003 Enterprise Edition. ISA 2004 also works on Windows 2000-based servers, but Windows 2000 doesn't support quarantining and scanning VPN clients for desktop firewalls and up-to-date anti-virus software before the clients fully connect to a protected network.
ISA 2004 offers much more flexibility than its predecessor when dealing with a variety of network architectures and server hardware configurations. We appreciated ISA 2004's various network architecture templates that make it a snap to configure the firewall as an edge firewall with a separate DMZ network or as a front or back security device in tandem with other security hardware.
Microsoft has taken much of the complexity out of managing firewall policies, introducing easy-to-decipher wizards to create access policies. Particularly effective are the publishing wizards for Microsoft services, which take some of the guesswork out of configuring access to Web servers or complicated RPC (remote procedure call)-based services.
Using VPN wizards, we created a site-to-site IPSec tunnel to a SonicWall Inc. SonicWall Pro 330 and a remote user tunnel using L2TP (Layer Two Tunneling Protocol)/IPSec. Although the wizards were quite helpful in setting up the remote user tunnel, the site-to-site wizards could do a better job of leading the administrator from tunnel setup to creating the appropriate access policies.
Technical Analyst Andrew Garcia can be reached at [email protected].