ISA Server 2004:
The Ideal Unified Threat Management Device
Everyone connected to the Internet needs a firewall. Firewalls
range from personal firewalls that protect individual hosts
to enterprise level network firewalls that protect entire
corporate networks. In a well designed network defense in
depth plan, each host on the network will have a personal
firewall and all security perimeters on the corporate network
will be protected by a network firewall.
The problem is that the first and second generation firewalls
of yesteryear can’t keep up with the evolving nature
of network attacks. First generation firewalls were stateful
packet filtering devices that ran on general purpose operating
systems. Hardware vendors realized that they could jack up
their margins by burning a proprietary operating system and
firewall software into an Application Specific Integrated Circuit
(ASIC). The first and second generation firewalls were effective
at protecting networks against the network layer attacks that
were popular in the late 1990s.
The attacks most frequently encountered today, and the attacks
that do the most damage, are not the simple network layer
attacks that second generation stateful filtering devices
protect against. Today’s 21st century attacks bypass
the network layer because that’s not where the money
is. The Holy Grail for today’s hacker, virus or worm
is the application layer. Only a stateful application layer
inspection device can protect networks against the attacks
you need to protect against in the 21st century.
Third generation firewalls run on general purpose operating
systems that have been specially modified and hardened against
network and application layer attacks. The firewall software
is installed on the general purpose operating system. Third
generation firewalls benefit from the robust hardware support
provided by open hardware platforms and can be quickly updated
to meet the latest application layer attack, be that the next
Blaster, the next Sasser, the next Netsky and the next blended
attack that travels over Web, FTP, instant messenger, VoIP
or any other application layer protocol.
These third generation firewalls are also known as Unified
Threat Management (UTM) devices. The third generation firewall
is able to perform stateful filtering (like second generation
hardware firewalls) and perform stateful application layer
inspection. By performing stateful application layer inspection,
the third generation firewall is able to fully inspect HTTP,
FTP, POP3, SMTP, NNTP, instant messenger, peer to peer, VoIP
and other application layer protocol communications. The third
generation firewall UTM device performs the basic stateful
filtering that all firewalls perform today, and then provides
the real protection required for 21st century networks by
exposing the application layer protocols to deep inspection.
Only after the application layer commands and data pass muster
are the connections allowed through the third generation firewall.
ISA Server 2004 is the model of a stateful filtering and
stateful application layer inspection firewall. Built from
the ground up as a Unified Threat Management solution, the
ISA firewall can take apart IM, P2P, SMTP, POP3, and many
other application layer protocols and stop threats at the
perimeter. This is in stark contrast to second generation
hardware firewalls which merrily pass application layer attacks
through because the hardware firewall administrator “opened
a port” and thought the network was protected.
What does this all mean to you? A lot. Suppose you expose
your Exchange Server to the Internet to allow remote access
connections to Outlook Web Access (OWA). The stateful filtering
second generation hardware firewall sees an incoming SSL connection
and passes it right on through to the front-end OWA server.
Unfortunately, the attacker was able to tunnel an exploit
through the hardware firewall because hardware firewalls are
unable to perform stateful application layer inspection, and
even if they could, they aren’t able to inspect the contents
of an encrypted SSL channel.
On the other hand, a third generation firewall like ISA 2004
is able to perform stateful application layer inspection and
it’s able to statefully inspect the communications within the
SSL encrypted link. When an attack, virus or worm attempts
to leverage an SSL connection to launch an attack against
the OWA site, the ISA firewall’s stateful application
layer inspection engine stops it in its tracks.
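As an added illustration (not ISA Server’s own code; the hostname, the published path prefix and the limits are assumptions), the constructed requests below are judged first by a port-only rule and then by a simple application layer HTTP check of the kind the article argues for, assuming the firewall has already terminated the SSL leg and sees plaintext:

```python
# Added illustration, not ISA Server's own code: the same requests judged by a
# port-only filter and by an application layer filter. Assumes SSL bridging has
# already terminated TLS, so the filter sees plaintext HTTP (as the article describes).
from dataclasses import dataclass

@dataclass
class Request:
    dst_port: int
    payload: bytes   # plaintext request after the firewall decrypts the SSL leg

# Constructed sample traffic aimed at a published OWA site (hostname is made up).
HOST = b"Host: mail.example.com\r\n\r\n"
SAMPLES = {
    "owa_get":    Request(443, b"GET /exchange/ HTTP/1.1\r\n" + HOST),
    "owa_post":   Request(443, b"POST /exchange/inbox HTTP/1.1\r\n" + HOST),
    "bad_method": Request(443, b"TRACE /exchange/ HTTP/1.1\r\n" + HOST),
    "long_url":   Request(443, b"GET /exchange/" + b"A" * 4000 + b" HTTP/1.1\r\n" + HOST),
    "other_path": Request(443, b"GET /admin/ HTTP/1.1\r\n" + HOST),
    "not_http":   Request(443, bytes(64)),    # something tunnelled that is not HTTP at all
    "telnet":     Request(23,  b"login: admin\r\n"),
}

def port_filter(req: Request) -> bool:
    """Second generation view: anything arriving on the published port is 'the OWA traffic'."""
    return req.dst_port == 443

def app_layer_filter(req: Request, methods=("GET", "POST"), prefix="/exchange/", max_url=2048) -> bool:
    """Third generation view: the request must be well-formed HTTP that fits the publishing rule."""
    if req.dst_port != 443:
        return False
    head, sep, _ = req.payload.partition(b"\r\n")
    if not sep:
        return False                      # no request line terminator: not HTTP
    try:
        method, target, version = head.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return False                      # binary data or a malformed request line
    if not version.startswith("HTTP/1."):
        return False
    if method not in methods:             # e.g. TRACE is not needed to use OWA
        return False
    if len(target) > max_url:             # oversized URL, a classic sign of abuse
        return False
    return target.startswith(prefix)      # only the published path is reachable

def verdicts(samples=SAMPLES) -> dict:
    """Returns {name: (port_filter_decision, app_layer_decision)} for each sample."""
    return {n: (port_filter(r), app_layer_filter(r)) for n, r in samples.items()}

if __name__ == "__main__":
    for name, (p, a) in verdicts().items():
        print(f"{name:11} port-filter={'pass' if p else 'drop'}  app-layer={'pass' if a else 'drop'}")
```

The port filter passes every request on 443, including the non-HTTP and oversized ones; only the application layer check distinguishes legitimate OWA requests from the rest.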
UTM devices promise to become increasingly popular over the
next few years as the word gets out that “opening and
closing ports” can’t cut the mustard when it comes
to network protection. The ISA Server 2004 firewall is at
the bleeding edge of stateful application layer inspection
and this makes it the ideal and best UTM device platform on
the market today.
Thomas W. Shinder, M.D. is a computing industry veteran who has worked as
a trainer, writer and consultant for Fortune 500 companies
including Microsoft, FINA Oil, Lucent Technologies and
a number of US Federal Agencies. Tom was a Series Editor
of the Syngress/Osborne Series of Windows 2000 and 2003
Certification Study Guides and author of the best selling
book "Configuring ISA Server 2000: Building Firewalls
with Windows 2000" and the upcoming best-selling
book on ISA Server 2004, “Dr. Tom Shinder’s
Configuring ISA Server 2004”.
Most importantly, Tom is content editor, contributor
and moderator for the World's leading site on ISA firewalls, www.isaserver.org, and a contributor to Everywhere Networks Inc.