Microsoft ISA Server 2004, the stateful packet and application-layer inspection firewall that Microsoft released in May 2004, has distant roots in Microsoft Proxy Server. Over the years, the firewall has evolved from a simple Web proxy server into a full-featured, highly secure network firewall and unified threat-management device that also provides Web-caching functionality.
WHY CHOOSE AN ISA SERVER–BASED APPLIANCE?
Network firewalls can be difficult to configure and manage. Although the ISA Server firewall goes a long way toward simplifying installation and configuration, it still shares the complexities that are common to all network-based firewalls. More than 90 percent of firewall-related security incidents are related to misconfiguration, so ease of use and simplified management are critical features of any network firewall.
When you're determining which firewall provides the best protection and is most cost effective for your organization, you should ask several questions: Which OS should you use to support the firewall software? How should the underlying OS be hardened to support the firewall features and capabilities you want to use? Which hardware should you run the appliance on to obtain optimal performance and reliability? What type or level of support is available when something goes wrong with the appliance?
Firewall appliance vendors take care of much of the guesswork you'd encounter if you decided to deploy one or more "roll-your-own" white-box firewalls. They've vetted the hardware, qualified the driver compatibility, optimized the hardware for the software, and prehardened the underlying OS and can provide a single point of contact when you run into problems.
This review looks at the following ISA Server hardware firewall products:
- HP's ProLiant DL320 Firewall/VPN/Cache Server (http://www.hp.com/servers/dl320fw-vpn-cache)
- Network Engines' NS6400 Security Appliance (http://www.networkengines.com/sol/nsapplianceseries.aspx)
- RimApp Technology's RoadBLOCK Security Appliance (http://www.rimapp.com/productdetail.asp?pd=1)
Table 1 lists some relevant software-specific features for each firewall. Table 2 drills down to some of the hardware components on which each appliance is built. For more details about features and components, contact the vendors.
HP PROLIANT DL320 FIREWALL/VPN/CACHE SERVER
The HP ProLiant is built on HP's sturdy, high-performance DL320 G3 hardware. The firewall is designed for experienced ISA Server firewall administrators who want a prebuilt and prehardened firewall that's ready to plug in and deploy. The DL320 sports the fewest bells and whistles of all the firewalls in this review, but what it lacks in extras it makes up for with a clean installation experience and snappy performance.
The DL320 is a pre-installed version of ISA Server 2004 on a hardened version of Windows Server 2003. Installation is a snap. A simple installation wizard asks for the IP address information for each of the firewall's interfaces, the name you want to assign to the device, and whether you want the firewall to join the domain. These steps take about 5 minutes, after which the firewall reboots itself.
Logging on after the reboot opens the firewall's Microsoft Management Console (MMC) ISA Management snap-in. At this point, you can configure firewall policies to meet your network security requirements. You can use the ISA Server 2004 and Windows 2003 features to perform fine-tuning and tweaking.
The DL320 doesn't add much functionality to the firewall's networking or application-layer (i.e., deep-packet) inspection feature set compared with the other appliances in this review. This weakness is counterbalanced by its high performance, however. We carried out informal performance testing on the DL320 and found that when we saturated a 15Mbps FiOS line, processor use never went above 5 percent. Those results aren't bad because throughput is the major factor that affects processor use in ISA Server hardware firewall appliances. We found the DL320 to be the most responsive and best-performing firewall of those we reviewed.
The DL320 includes a slick piece of network-layer enhancement called HP Virus Throttle. The tool works at a low layer of the network stack and mitigates the performance problems that follow a worm infestation on firewall-protected networks and external hosts. Virus Throttle looks at the number of packets per second on each interface and, if a sender exceeds the threshold number you set, automatically "shuts down" the hosts that send those packets.
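As an added illustration, not HP's own code, the behaviour the text describes for Virus Throttle (count packets per second per sending host on each interface, shut down senders that exceed a configured threshold) can be modelled as a sliding-window counter; the traffic sample, host addresses, and the 100 pps threshold below are constructed.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_ms, interface, source_host).
# 10.0.0.5 on "internal" sends 200 packets/s (worm-like); the others are normal.
SAMPLE_PACKETS = (
    [(i * 5, "internal", "10.0.0.5") for i in range(150)]
    + [(i * 200, "internal", "10.0.0.7") for i in range(10)]
    + [(500 + i * 100, "external", "203.0.113.9") for i in range(8)]
)


def throttle_hosts(packets, threshold_pps, window_ms=1000):
    """Per-interface, per-sender packet-rate check (illustrative model).

    Keeps, for each (interface, host), the timestamps seen in the last
    `window_ms` milliseconds. The first time that count exceeds
    `threshold_pps`, the sender is recorded as shut down on that interface
    and its later packets are dropped. Returns
    ({(interface, host): ms_when_shut_down}, dropped_packet_count).
    """
    windows = defaultdict(deque)   # (iface, host) -> timestamps in window
    shut_down = {}                 # (iface, host) -> time the threshold was crossed
    dropped = 0
    for ts, iface, host in sorted(packets):
        key = (iface, host)
        if key in shut_down:
            dropped += 1           # sender already shut down on this interface
            continue
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] >= window_ms:
            q.popleft()            # expire timestamps outside the window
        if len(q) > threshold_pps:
            shut_down[key] = ts
    return shut_down, dropped


if __name__ == "__main__":
    blocked, dropped = throttle_hosts(SAMPLE_PACKETS, threshold_pps=100)
    for (iface, host), ts in blocked.items():
        print(f"{iface}: shut down {host} at {ts} ms")
    print(f"dropped {dropped} packets from shut-down senders")
```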
Another useful HP feature is "lights out" (i.e., out-of-band) firewall management. If, for some reason, the firewall becomes unresponsive and you can't use in-band channels to access the device over the network, the DL320's Integrated Lights-Out (iLO) management software provides comprehensive out-of-band access to the firewall.
NETWORK ENGINES NS6400 SECURITY APPLIANCE
The NS6400 provides a stark contrast to the DL320. The DL320 is designed for the Microsoft-savvy network administrator who wants the pure ISA Server firewall experience, whereas the NS6400 is designed for the traditional hardware firewall administrator who requires a Web management interface and wants a totally locked down and "Windows-less" firewall experience.
Network Engines' approach to hardware firewall appliances is based on the belief that virtually all firewall-related security problems are caused by firewall and OS misconfiguration. The company solved these problems by
- making it impossible to access components of the Windows UI except for those components that are required to configure and manage the appliance
- providing a Web management interface called Network Engines Web Server (NEWS), which enables headless installation and management
- deploying a custom firewall update infrastructure that lets the NS6400 firewall download and install pretested and prequalified updates to the appliance
Traditional hardware firewall administrators don't want to see the Windows desktop or have it accessible because of concerns about security of the underlying OS. Network Engines addresses this concern by removing access to the Windows desktop and all unnecessary Windows components. The device doesn't boot to Windows, and even the NS6400 administrator can't access the Windows desktop.
NEWS lets you use a Secure Sockets Layer (SSL) connection for headless installation and management of the firewall. You use NEWS for the initial setup as well as for configuration and management of the device and the ISP failover components. You can also use the NEWS interface to configure automatic updates of the firewall software and the OS. Network Engines uses the automatic-update feature to deliver pretested updates and hotfixes.
You use a management port on the NS6400 firewall and a Web interface to install the appliance. We checked the NS6400 manual for step-by-step instructions because the installation is unique and we couldn't leverage our understanding of Windows or ISA Server 2004. After installation is complete, you use an SSL connection to the NEWS interface to access the appliance hardware and its networking and add-on features. For firewall policies and other firewall-configuration options, the NEWS interface gives you links that open an encrypted RDP connection to a specific section of the firewall's MMC ISA Management snap-in. You can't drop out of the snap-in and enter the Windows UI.
The NS6400 includes a 30-day trial version of the SurfControl Web filter, which builds on the firewall's stateful application-layer inspection feature set. If you want to keep SurfControl after the trial period, you have to contact SurfControl directly to obtain the license (the cost isn't included in the NS6400's price).
Network Engines enhances firewall reliability by adding hot-standby failover. When you deploy a pair of NS6400 firewalls, if the active firewall fails, the second firewall automatically takes over for the first. Firewall policy is automatically shared between the active and passive firewalls. The downside of the NS6400 high-availability solution is that it uses the active-passive cluster model and, thus, the cluster doesn't perform load balancing.
ISP failover is an increasingly requested feature for network firewalls. Users want to deploy multiple ISP connections for fault tolerance and bandwidth aggregation from multiple providers. The NS6400 supports ISP failover but doesn't support bandwidth aggregation (you can't combine multiple ISP connections to create a higher-bandwidth connection). If the primary ISP connection goes down, the firewall automatically fails over to the second connection. This implementation of ISP failover doesn't support fail-back, however, so you'll need to manually switch the device back to the primary ISP when it comes back up.
RIMAPP TECHNOLOGY ROADBLOCK SECURITY APPLIANCE
RoadBLOCK is the Swiss army knife of ISA Server firewall appliances. Of all the appliances we reviewed, RoadBLOCK most fully leverages ISA Server 2004's ability to be a fully extensible, unified threat-management device. RoadBLOCK is designed for knowledgeable Windows firewall administrators who want the best of the ISA Server 2004 configuration environment along with its network security and network-level enhancements. We tested the CFMR-403U PLUS model.
The RoadBLOCK installation is similar to that of the HP DL320. You plug in the cables, start the box, and go through a short setup wizard that lets you name the machine, configure the Administrator account, and set up the network interfaces. After rebooting, you have the choice of configuring and managing RoadBLOCK from either the ISA Server 2004 MMC ISA Management snap-in or from the RimApp RDA-Web UI.
The RimApp RDA-Web interface almost completely abstracts the ISA Server 2004 MMC ISA Management snap-in so you can configure and manage RoadBLOCK over an SSL connection. You can use the RDA-Web UI to configure firewall policies, caching, VPN, and stateful packet inspection parameters. No other ISA hardware firewall appliance provides such comprehensive support for Web-based management.
RoadBLOCK enhances the firewall's core application-layer-inspection feature set by adding many extras, including:
- email antispam protection
- antivirus worm protection
- antivirus protection for Web downloads
- Web content filtering
- real-time Web monitoring
RoadBLOCK also includes important network-level enhancements. Like the NS6400, RoadBLOCK provides ISP and device failover. However, it does so by using Rainfinity's exceptional Rain-Wall and RainConnect products. Rain-Wall provides real-time failover and load balancing for all members of the RoadBLOCK firewall array. RainConnect supplies robust ISP failover and bandwidth aggregation, which lets you install two or more Internet connections from different providers and aggregate bandwidth from all available connections into one high-bandwidth connection. If an ISP connection goes offline, RainConnect automatically drops the dead line from the connection set and brings the line back into the set when it becomes available.
All these features come at a price, however. Our experience with RoadBLOCK is that enabling all these features can result in performance hits. Several of the application-layer inspection features require a significant amount of processor overhead. Although we didn't experience any noticeable performance degradation during our informal tests, you might see a performance drop if all the features are deployed on a heavily loaded network. To avoid this scenario, select a dual-processor RoadBLOCK appliance.
WHICH APPLIANCE IS BEST FOR YOU?
If you want high performance and a pure ISA Server 2004 firewall installation, configuration, and management experience, the DL320 is the appliance for you. If you're more comfortable with traditional hardware firewalls that have no trace of the underlying OS and a completely locked-down hardware and software environment, the NS6400 is your best bet. If you're looking for the apex of a hardware firewall-based unified threat-management device, RoadBLOCK could be your best choice. ISA Server 2004 is flexible enough that vendors can produce appliances optimized for each of these situations.