• Getting the Best of Both Worlds: The Third Generation ISA Firewalls
• Tom and Deb Shinder's Configuring ISA Server 2004 -- Pre-order Today!
• ISAserver.org Learning Zone Articles of Interest
• KB Articles of the Month
• Post of the Month
• ISA Firewall Links of the Month
• Ask Dr. Tom

1. Getting the Best of Both Worlds: The Third Generation ISA Firewalls

Last month I did an article on how to make the ISA firewall as dumb as a hardware firewall. One thing I didn't point out were the advantages of the hardware firewall. The fact is that so-called hardware firewalls are very popular and represent the most common firewall seen in production today.

Firewalls have gone through an evolutionary process over the years. There are essentially three generations of firewalls. These are:

• The first generation firewall. First generation firewalls were software firewalls that ran on general purpose operating systems and open spec hardware platforms
• The second generation firewall. Second generation firewalls are dedicated hardware devices running proprietary operating systems and firewall software on specialized hardware platforms dedicated to running only the firewall software and firewall operating system
• The third generation firewall. Third generation firewall is a software based firewall that runs on a general purpose operating system that has been specially configured and hardened to support only the firewall software and firewall software add-ons. The firewall software and operating system are installed on an open spec hardware platform that is designed to fully optimize the firewall software's performance

The first generation firewalls ran on general purpose operating systems. The operating systems were not specially configured to support the firewall software. The core operating system depended on the firewall software to protect the underlying operating system. Checkpoint was one of the first and most successful of the first generation software firewall vendors. The advantage of first generation firewalls was that they could be quickly and easily updated to meet the demands of current network threats.

It became clear that first generation firewalls were not able to handle the high volume of traffic seen on enterprise networks. In addition, first generation firewalls were difficult to configure because you often had to make changes in the underlying operating system to get the firewall software to work correctly or in an optimal fashion. The second generation firewalls are hardware devices running proprietary operating systems designed to support the firewall software running on them. In order to optimize performance, the hardware firewall vendors designed ASICs (Application Specific Integrated Circuits) that ran the firewall OS and software. The ASIC implementation greatly increased the performance of these second generation firewalls but they suffered from their inability to perform sophisticated application layer inspection.

Third generation firewalls blend the advantages of the first and second generation firewalls. A third generation firewall is software based and isn't hamstrung by the limitations of ASIC technology. Third generation firewalls can be quickly updated with add-on software that allows them to meet the demands of today's evolving network threats and attacks.

In addition, the third generation firewall takes a page from the second generation hardware firewall and uses a general purpose operating system that has been specially configured and locked down to support the box's role as a dedicated network firewall. Finally, the third generation firewall is installed on an open spec hardware platform that is designed to optimize the performance of the third generation firewall's core operating system and firewall software.

The new hardware based ISA firewalls represent the cutting edge of third generation firewalls. A number of vendors have partnered up with Microsoft and have designed third generation firewalls based on ISA Server 2004. These ISA firewalls provide all the power and flexibility that the ISA firewall provides out of the box, but with the enhanced security and performance you get with specially hardened Windows Server 2003 operating systems and hardware that significantly increases the security and performance of these third generation firewalls.

These third generation hardware firewalls are also fully supported by their vendors and some of them include add-ons such as Web filtering, spam filtering, IM filtering and support for network load balancing (which isn't natively supported on ISA 2004 SE) and multiple ISPs. For more info on the new ISA based third generation firewalls, check out http://www.microsoft.com/isaserver/howtobuy/hardwaresolutions.asp

Editor's Note:
Last month we did a piece on how to make the ISA firewall as dumb as a conventional hardware firewall. That article generated a ton of e-mail from ISA firewall admins. Most of you expressed a sigh of relief because finally someone said what you were thinking: the hardware firewall admins are clueless regarding how to secure modern networks, and that they were depending on their knowledge of packet filtering routers to configure and manage firewalls. Several of you mentioned that these "old timer" firewall admins confused firewalls with routers and expected firewalls to have the same routing capabilities as a dedicated layer 3/4 router. Another issue several of you mentioned was that you got a lot of pushback on putting a firewall on a Windows platform, but when you put your hardware firewall friends to the wall on the specifics of why an ISA firewall on a Windows Server 2003 platform is unsecure, all you got where blank looks and epithets.

Another group of respondents said that I misunderstood modern hardware firewalls and that these hardware firewalls do have some of the aspects of the ISA firewall and that I might have misrepresented the ISA firewall as the only firewall worth having. The tenor of the article might have made it sound that way, but I'm fully aware that if you have an existing firewall infrastructure, or if you have very high-speed connections to the Internet, the ISA firewall might not be the best one to put on the front line, depending on your specific environment.

In fact, the best firewall topology has the packet filter hardware firewalls in front of the ISA firewalls. This allows the high-speed packet filters to do rudimentary packet filtering (stateful packet inspection) on incoming and outbound connections and offloads a lot of processing from the ISA firewalls. The ISA firewall can then do the firewall heavy-lifting (stateful application layer inspection) on the traffic the packet filters allow through.

I want to thank everyone who took the time to write. I really appreciate the time and effort you put into your e-mail messages to me and I hope to hear more from all of your in this and subsequent newsletters. Thanks! -Tom.

ISA Firewall Alert:
A recent security hotfix was released for ISA Server 2000 that addresses a potential problem with Firewall and Web Proxy service cache. If you are still running a 2000 ISA firewall, then you should download and install this fix ASAP. You can get it at http://www.microsoft.com/downloads/details.aspx?FamilyId=7A4C318F-5AC9-4CF2-8792-A4A62076EBE7&displaylang=en

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Pre-order Today!

By Thomas W Shinder Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder are preparing for you their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logging literally 1000's of flight hours with ISA Server 2004 and they'll be sharing the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall. While the ISA Server 2000 books were good, Configuring ISA Server 2004 is going to be even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Pre-order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today

3. ISAserver.org Learning Zone Articles of Interest

• Editing the ISA 2004 System Policy Part 1
• Amy Babinchak's ISA/SBS Series: Configuring Trend Micro CSM for SSL with ISA Server 2000 by Amy Babinchak
• Should You Allow SSL Through Your ISA Firewall? (and why your hardware firewall leaves you defenseless)
• Reasons to Upgrade to the 2004 ISA Firewall
• Configuring DHCP and DNS for ISA automatic discovery
• Publishing a TCP/IP Printer behind ISA Server 2000
• Strong Outbound Access Control using the ISA Firewall (2004): Using Scripts to Populate URL Sets and Domain Name Sets
• Network Behind A Network (2004) - v1.1

4. KB Articles of the Month

• Internal clients cannot use Internet Explorer to access FTP sites through Microsoft Proxy Server or Internet Security and Acceleration Server 2000
• You Cannot Save Web Proxy Setting in Internet Explorer on Some Windows-Based Clients
• You cannot access the Exchange Server computer by using OWA after you turn on forms-based authentication in ISA Server 2004
• Users cannot submit data to a Web site that you publish by using client certificate authentication in ISA Server 2004
• ISA Server 2004 does not support traffic redirection
• Cannot configure access to Exchange Server between two routed networks in ISA Server 2004
• An IPSec policy is not applied to internal translated network traffic when you use ISA Server 2004
• Routing and Remote Access stops responding in Windows Server 2003
• You receive a "The request was rejected by the HTTP Security filter" error message when you try to open a message from an Exchange Server that is published in ISA Server 2004

5. Post of the Month

"AOL IM
login.oscar.aol.com
Default Port: 5190
64.12.161.153
64.12.161.185
64.12.200.89
205.188.179.233
=======================
ICQ
login.icq.com
Default Port: 5190
64.12.162.153
64.12.162.185
64.12.200.89
205.188.179.233
=======================
MSN Messenger
207.46.104.20
gateway.messenger.hotmail.com
64.4.13.171
http1.msgr.hotmail.com
64.4.13.190
http20.msgr.hotmail.com
=======================
Yahoo
cs.yahoo.com
Default Port: 5050
216.136.175.145
216.136.224.213
216.136.224.214
216.136.225.11
216.136.225.12
216.136.225.35
216.136.225.36
216.136.225.83
216.136.225.84
216.136.226.117
216.136.226.118
216.136.131.93
216.136.175.142
216.136.175.143
216.136.175.144
216.136.233.128 (latest)
======================="

6. ISA Firewall Links of the Month

7. Ask Dr. Tom