The #1 ISA Server resource site

ISAserver.org Newsletter of January 2006

Sponsored by: Blue Coat Systems

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Attention ISA Server Users - Take a Short Survey For Your Chance to Win a Free Apple iPod Nano!

Blue Coat Systems would like to know more about your ISA environment, so that we can continue to deliver the Web security solutions you need. Please take 90 seconds to complete a short survey (5 questions - all point-and-click). Your name will automatically be entered into a drawing for a free Apple iPod Nano - very cool! Click here to take the survey.



1. Top Ten Reasons for Replacing Your Simple Stateful Packet Inspection Firewall with an ISA Firewall

By Thomas W Shinder MD, MVP

There are a lot of reasons for bringing an ISA firewall in your organization. You might be ready for a change, or you're tired of the poor service you get from your hardware firewall vendor, or maybe you realize that simple stateful packet inspection can't cut the mustard when it comes to network security in the 21st century. But whatever the reason, it's always a good decision to bring in an ISA firewall to enhance your network security for both inbound and outbound access.

Maybe you're just thinking about bringing an ISA firewall into your company to protect your core information resources, but you need some help identifying the most significant reasons for adding to your current firewall infrastructure. If you're in that position, here is my list of the top ten reasons you can give the boss or customer for bringing in an ISA firewall:

  • Application Layer Inspection (ALI): The PIX/Netscreen model of firewalling is based on a 1990s concept of network firewall protection, where the firewall was a network router with some stateful packet inspection added. While stateful packet inspection is still needed, it's also a commodity item included with all firewalls. The ISA firewall is both a stateful packet inspection and a stateful application layer inspection firewall. The application layer inspection allows the ISA firewall to protect the services that house your data; in contrast, the stateful packet inspection firewall only protects ports. What's more important? Your ports or your data? The ISA firewall protects both.
  • Authentication-based access control for all Internet connections: The ISA firewall is unique in that you can easily enforce user- and group-based access control not only over incoming connections from the Internet, but also over outgoing connections to the Internet. This allows you to give users, based on their job roles, access to only what they require on the Internet and block everything else.
  • Pre-authentication at the ISA firewall to protect Web servers from anonymous attackers: When a user connects to your corporate Web servers from the Internet through a stateful packet inspection only firewall, the firewall just forwards the connection to the Web server. This allows attackers using anonymous connections to reach your Web server and leverage that anonymous connection to attack your Web sites. In contrast, the ISA firewall is able to use its application layer inspection features to pre-authenticate users at the firewall.
  • ISA firewall generated secure log-on form (ISA OWA FBA): The OWA forms-based authentication feature included with Microsoft Exchange Server is a nice feature, but it suffers from one major flaw: it allows attackers to create anonymous connections to the Exchange Server. In contrast, the ISA firewall is able to generate the log-on form and pre-authenticate and pre-authorize the user before allowing the connection to the Exchange Server. This prevents attackers from using anonymous connections to attack your OWA server, and you still get the benefits of forms-based authentication. Even if users are able to authenticate, authenticated but unauthorized users cannot connect to the OWA site. A simple stateful packet inspection firewall is unable to provide this level of security.
  • Protects against hackers hiding inside SSL connections: SSL is quickly becoming the major conduit for network attacks. Why? Because simple stateful packet inspection firewalls cannot see what's inside the encrypted SSL tunnel. If the firewall can't see what's inside the tunnel, it can't protect you against the attacks that lie within. In contrast, the ISA firewall's unique SSL bridging feature enables the ISA firewall to terminate the tunnel, inspect the tunnel's contents for potential attacks, and block those attacks before they ever get to your corporate Web servers.
  • "Outlook Just Works" securely from anywhere: E-mail is the killer app for companies of all sizes, and Outlook is the most popular e-mail client in use today. Users want to use their Outlook e-mail client from anywhere in the world. You want secure access. With a simple stateful packet inspection firewall you can't secure connections from the native Outlook client, regardless of whether the Outlook client uses RPC/HTTP or Exchange MAPI. In contrast, the ISA firewall pairs up two impressive application layer inspection technologies - its secure Exchange RPC filter and its Web proxy filter - to inspect and clean all connections from Internet-based Outlook clients.
  • Multi-perimeter security zones without paying a king's ransom: Most simple stateful packet inspection only firewalls provide you with the option to get one or more "DMZ" interfaces. Unfortunately, you often have to pay a king's ransom to get those interfaces. In contrast, the ISA firewall makes it easy to add 1 or 20 interfaces to the firewall, which enables you to create a well-designed network perimeterization scheme based on your corporate security zones, all for the commodity price of additional NICs.
  • Nail abusive users with exceptional logging and reporting: Traditional hardware firewalls typically do not authenticate users when they connect to the Internet. Their logs show only IP addresses for the outgoing connections. In the typical corporate network, DHCP is in widespread use, so IP address based logging and reports are of little value. In contrast, the ISA firewall can be easily configured to log the user names and the applications the users use to access the Internet, and to do this transparently. This logged information makes it easy to find out exactly what a user has done with their Internet privilege and display that information in an easy-to-read report.
  • Low-cost IPSec VPN and SSL VPN for over 1000 users: SSL VPNs are all the rage. Why? Because they allow you to provide secure remote access to specific applications without requiring the overhead of a full-fledged VPN. The ISA firewall's unique security support for remote access to Microsoft Exchange qualifies it as an SSL VPN for Exchange Web services and provides that support for a fraction of the price you would pay for a dedicated "SSL VPN" solution. For those companies that want full-fledged IPSec VPN support, the ISA firewall provides that too, with no per-user costs for over 1000 IPSec VPN tunnels per ISA firewall.
  • Doesn't require expensive staff training to learn arcane command line controls: If you've ever tried configuring an even moderately complex firewall policy on a traditional stateful packet inspection only firewall, you know that it's not a simple affair. While most of them have some sort of Web interface, the interfaces are woefully lacking in features and functionality. This means you need to pay for expensive training so that your admins can understand the arcane command line interface terminology, and then pray that you don't make any typos that will turn your firewall against you. In contrast, the ISA firewall has a very well done and sophisticated graphical interface that enables you to create complex firewall policies without needing to consult an encyclopedia of command line directives and their innumerable switches.

That's my top ten list. What's one of yours? Send me an entry that I've missed that's on your top ten list and I'll include it in next month's newsletter. Thanks! -Tom.

[Have questions, comments or suggestions? Write to me at tshinder@isaserver.org and let me know.]

=======================

Quote of the Month - "When push comes to shove, there's usually a lot of both" - Thomas W Shinder MD, commenting on the art of negotiation

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder now present their next ISA Server book, Configuring ISA Server 2004. This book leverages the more than two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004, and they share the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.


Click here to order your copy today.


Now Control Spyware, Web Content, P2P Traffic, and IM, While Accelerating Web Performance Up To 10X!

No longer is it necessary to choose between Web security and Web performance. Blue Coat gives you both, with a comprehensive solution that provides essential points of control to optimize Web performance, protection, and policy enforcement across the distributed enterprise. That's why IDC ranks Blue Coat #1 in its market! Click here to watch a brief Webcast and discover what thousands of businesses already know - the industry's best solution is also the most affordable!



3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

5. Tip of the Month

Stefaan Pouseele has been working on several issues related to IPSec tunnel mode connections for site to site VPNs. Stefaan, who is an ISA firewall MVP, has put together an interesting and useful collection of links to discussions related to this issue:

Stefaan also points out a solution to the "Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication" problem, which can occur even when you are sure that the client system has a machine certificate correctly installed in the machine's certificate store.

Stefaan points out that the problem occurs because the System and Administrator accounts do not have sufficient permissions on, or the Administrators group does not have ownership of, the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. You can fix the problem by implementing the suggestions noted in the KB article at http://support.microsoft.com/default.aspx?scid=kb;en-us;295162.

Stefaan also notes that a number of HP Evo N1020V laptops that came pre-installed with Windows XP exhibited this problem. He could quickly verify that the permissions issue was the cause by trying to export the certificate using the Certificates MMC snap-in:

  • If the permissions were wrong, he got the message "The associated private key cannot be found. Only the certificate can be exported."
  • If the permissions were correctly set, the message was "The associated private key is marked as not exportable. Only the certificate can be exported."
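The same two checks Stefaan describes, the MachineKeys folder's owner and ACL and whether each machine certificate's private key can actually be opened, can be scripted. The following PowerShell is an added example written for this newsletter; it is not Stefaan's script, the KB article's procedure, or anything shipped with ISA Server. It assumes an elevated PowerShell session, that the folder is the one named in the tip (with a fallback to the ProgramData location used by later Windows versions), and that "healthy" means Administrators owns the folder and both SYSTEM and Administrators hold Full Control, which is the condition the tip describes; take the exact ACL you should set from the KB article.

```powershell
# Added example (not from the newsletter, Stefaan Pouseele, or the KB article).
# Reports the state of the MachineKeys folder and of every machine certificate's
# private key, so the Error 786 cause described in the tip can be confirmed
# without exporting certificates by hand. Run elevated.

# Assumption: the Windows XP/2003 path from the tip, or the newer ProgramData path.
$machineKeys = if ($env:ProgramData) {
    Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} else {
    Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
}

function Test-MachineKeysAcl {
    param([string]$Path = $machineKeys)

    $acl = Get-Acl -Path $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $result = [ordered]@{
        Path                  = $Path
        Owner                 = $acl.Owner
        OwnerIsAdministrators = ($acl.Owner -eq 'BUILTIN\Administrators')
    }

    # Assumption: these are the two principals the tip says must have access.
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $hasFullControl = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $principal -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        $result["$principal has Full Control"] = [bool]$hasFullControl
    }
    [pscustomobject]$result
}

function Test-MachineCertPrivateKeys {
    # Mirrors the MMC export test in the tip: a private key that cannot be
    # opened is the "cannot be found" case; one that opens but is marked
    # non-exportable is the healthy case.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $status = 'no private key associated'
        if ($_.HasPrivateKey) {
            try {
                # Throws CryptographicException when the key file under
                # MachineKeys exists but cannot be read (the permissions case).
                $key = $_.PrivateKey
                if ($key) {
                    $status = if ($key.CspKeyContainerInfo.Exportable) {
                        'private key opens (exportable)'
                    } else {
                        'private key opens (marked not exportable)'
                    }
                } else {
                    # .NET returns $null here for CNG-stored keys; not a CAPI/MachineKeys key.
                    $status = 'private key present but not a CAPI key (not stored under MachineKeys)'
                }
            } catch {
                $status = "private key cannot be opened: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Status     = $status
        }
    }
}

Test-MachineKeysAcl | Format-List
Test-MachineCertPrivateKeys | Format-Table -AutoSize
```

A folder report showing a non-Administrators owner or a missing Full Control entry, combined with a certificate whose status is "private key cannot be opened", is the same evidence the two MMC messages in the tip give, and points at the ACL fix in the KB article rather than at the certificate itself.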

Another tip I'd like to share with you is Jason Fossen's www.ISAscripts.org Web site. Jason was recently named an ISA firewall MVP! Congrats! He also does advanced instruction on ISA firewall deployments. Jason is a security consultant and ISA firewall MVP living in Dallas, Texas. He manages the www.ISAscripts.org web site and teaches a week-long course on Windows security for the SANS Institute, including a course on deploying ISA firewalls. If you're looking for an ISA firewall consultant or for scripts to help manage your firewall, check out his web site!




6. ISA Firewall Links of the Month

Speaking of issues with IPSec tunnel mode for site to site VPN connections, check out this list of articles that will help you with configuring IPSec site to site VPN connections to third party VPN gateways:

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Astaro Security Linux

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ipsectunnelmodevpn.mspx

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ipsecvpn.mspx

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Netopia R9100 4.11.3

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/netopia.mspx

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and SmoothWall Express 2.0

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ipsecvpnexpress.mspx

Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and Third-Party Gateways

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositeipsec.mspx

Another good article worth your time is Authenticating VPN Clients with RSA SecurID Authentication at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/vpnrsa.mspx. This article shows you how to set up SecurID support for the ISA firewall's VPN server component. I highly recommend that you consider dual-factor authentication, and SecurID is the market leader.

Want to have some fun doing command line queries of your MSDE advanced logging? Then check out the Querying Logs article in the ISA firewall's Coding Corner on the Microsoft Web site at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/queryinglogs.mspx.

Steven Hope, best known for the fantastic article on configuring the ISA firewall to work with Microsoft Exchange at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx, has come up with another great tip on how to configure the ISA firewall to support the new Windows Mobile features. Check it out at http://spaces.msn.com/members/stevenhope/Blog/cns!1pgrtf7mtzBlzzINx6k1E_aw!113.entry.

7. Ask Dr. Tom

QUESTION: I'm having problems using FTP from the Internet Explorer browser. Do you have any hints, tips or tricks that might point me in the right direction? Thanks! -Bob.

ANSWER: FTP is problematic for any firewall, the ISA firewall included. However, there are a number of issues with how the ISA firewall handles FTP connections, depending on how the client system is configured, that is, whether the connection is initiated from a Web proxy client versus a non-Web proxy client. Check out this link to a post by Martin Grasdal, which gives some insight into how the ISA firewall handles FTP connections from different client types: http://forums.isaserver.org/passive_ftp/m_2002000794/tm.htm

QUESTION: I have a Netscreen device on the edge of my main office network and it participates in a site to site VPN with another Netscreen device at my branch office. I want to bring an ISA firewall into my main office, but I don't want to change the default gateway configuration on any of my clients and I don't want to change the site to site VPN configuration. What's the best design for bringing an ISA firewall into my environment?

ANSWER: The question of bringing the ISA firewall into an established firewall infrastructure is a common one. There are many firewall infrastructure designs you can use: back to back firewall, parallel firewall, hybrid parallel/back-end firewall, and many others. If you already have a Netscreen device or any other simple stateful packet inspection firewall with a DMZ interface, then check out the article Creating a Parallel ISA Firewall Configuration in a Netscreen DMZ at http://www.isaserver.org/tutorials/Creating-Parallel-ISA-Firewall-Configuration-Netscreen-DMZ.html

Got a question for Dr. Tom? Send it to tshinder@isaserver.org
