A
great deal of confusion exists about the role that ISA Server can play
in an Exchange Server environment. Much of that confusion stems from the
misconception that ISA Server is only a proxy server. ISA Server 2006
is, on the contrary, a fully functional firewall, virtual private
network (VPN), web caching proxy, and application reverse-proxy
solution. In addition, ISA Server 2006 addresses specific business needs
to provide a secured infrastructure and improve productivity through
the proper application of its built-in functionality. Determining how
these features can help to improve the security and productivity of an
Exchange Server environment is, therefore, of key importance.
In addition to the
built-in functionality available within ISA Server 2006, a whole host of
third-party integration solutions provide additional levels of security
and functionality. Enhanced intrusion detection support, content
filtering, web surfing restriction tools, and customized application
filters all extend the capabilities of ISA Server and position it as a
solution to a wide variety of security needs within organizations of
many sizes.
Outlining the High Cost of Security Breaches
It
is rare when a week goes by without a high-profile security breach,
denial of service (DoS) attack, exploit, virus, or worm appearing in the
news. The risks inherent in modern computing have been increasing
exponentially, and effective countermeasures are required in any
organization that expects to do business across the Internet.
It has become impossible
to turn a blind eye toward these security threats. On the contrary, even
organizations that would normally not be obvious candidates for attack
from the Internet must secure their services as the vast majority of
modern attacks do not focus on any one particular target, but sweep the
Internet for any destination host, looking for vulnerabilities to
exploit. Infection or exploitation of critical business infrastructure
can be extremely costly for an organization. Many of the productivity
gains in business recently have been attributed to advances in
information technology (IT) functionality, including Exchange
Server-related gains, and the loss of this functionality can severely
impact the bottom line.
In addition to
productivity losses, the legal environment for businesses has changed
significantly in recent years. Regulations such as Sarbanes Oxley (SOX),
HIPAA, and Gramm-Leach-Bliley have changed the playing field by
requiring a certain level of security and validation of private customer
data. Organizations can now be sued or fined for substantial sums if
proper security precautions are not taken to protect client data. The
atmosphere surrounding these concerns provides the backdrop for the
evolution and acceptance of the ISA Server 2006 product.
Outlining the Critical Role of Firewall Technology in a Modern Connected Infrastructure
It is widely
understood today that valuable corporate assets such as Exchange OWA
cannot be exposed to direct access to the world’s users on the Internet.
In the beginning, however, the Internet was built on the concept that
all connected networks could be trusted. It was not originally designed
to provide robust security between networks, so security concepts needed
to be developed to secure access between entities on the Internet.
Special devices known as firewalls were created to block access to
internal network resources for specific companies.
Originally, many
organizations were not directly connected to the Internet. Often, even
when a connection was created, there was no type of firewall put into
place as the perception was that only government or high-security
organizations required protection.
With the explosion of
viruses, hacking attempts, and worms that began to proliferate,
organizations soon began to understand that some type of firewall
solution was required to block access to specific, dangerous
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
ports that were used by the Internet’s TCP/IP protocol. This type of
firewall technology would inspect each arriving packet and accept or
reject it based on the TCP or UDP port specified in the packet of
information received.
Some of these firewalls
were ASIC-based firewalls, which employed the use of solid-state
microchips, with built-in packet-filtering technology. These firewalls,
many of which are still
used and deployed today, provided organizations with a quick-and-dirty
way to filter Internet traffic, but did not allow for a high degree of
customization because of their static nature.
The development of
software-based firewalls coincided with the need for simpler management
interfaces and the ability to make software changes to firewalls
quickly and easily. The most popular firewall in organizations today,
CheckPoint, falls into this category, as do other popular firewalls such
as SonicWall and Cisco PIX. ISA Server 2006 was built and developed as a
software-based firewall, and provides the same degree of
packet-filtering technology that has become a virtual necessity on the
Internet today.
More recently,
holes in the capabilities of simple packet-based filtering technology
has made a more sophisticated approach to filtering traffic for
malicious or spurious content a necessity. ISA Server 2006 responds to
these needs with the capabilities to perform application-layer filtering
on Internet traffic.
Understanding the Growing Need for Application-Layer Filtering
Nearly all organizations
with a presence on the Internet have put some type of packet-filtering
firewall technology into place to protect the internal network resources
from attack. These types of packet-filtering firewall technologies were
useful in blocking specific types of network traffic, such as
vulnerabilities that utilize the remote procedure calls (RPC) protocol,
by simply blocking TCP and UDP ports that the RPC protocol would use.
Other ports, on the other hand, were often left wide open to support
certain functionality, such as the TCP 80 port, utilized for HTTP web
browsing and for access to OWA/ActiveSync. As previously mentioned, a
packet-filtering firewall is only able to inspect the header of a
packet, simply understanding which port the data is meant to utilize,
but is unable to actually read the content. A good analogy to this is if
a border guard was instructed to only allow citizens with specific
passports to enter the country, but had no way to inspect their luggage
for contraband or illegal substances.
The problem that is
becoming more evident, however, is that the viruses, exploits, and
attacks have adjusted to conform to this new landscape, and have started
to realize that they can conceal the true malicious nature of their
payload within the identity of an allowed port. For example, they can
“piggyback” their destructive payload over a known “good” port that is
open on a packet-filtering firewall. Many modern exploits, viruses, and
“scumware,” such as illegal file-sharing applications, piggyback off the
TCP 80 HTTP port, for example. Using the border guard analogy to
illustrate, the smugglers realized that if they put their contraband in
the luggage of a citizen from a country on the border guards’ allowed
list, they could smuggle it into the country without worrying that the
guard would inspect the package. These types of exploits and attacks are
not uncommon, and the list of known application-layer attacks continues
to grow.
In the past,
when an organization realized that they had been compromised through
their traditional packet-filtering firewall, the knee-jerk reaction was
to lock down access from the Internet in response to threats. For
example, an exploit that arrives over HTTP port 80 might
prompt an organization to completely close access to that port on a
temporary or semipermanent basis. This approach can greatly impact
productivity because OWA access can be affected. This is especially true
in a modern connected infrastructure that relies heavily on
communications and collaboration with outside vendors and customers.
Traditional security techniques involve a trade-off between security and
productivity. The tighter a firewall is locked down, for example, the
less functional and productive an end user can be.
In direct response to
the need to maintain and increase levels of productivity without
compromising security, application-layer stateful inspection
capabilities were built into ISA Server that can intelligently determine
if particular web traffic is legitimate. To illustrate, ISA Server
inspects a packet using TCP port 80 to determine if it is a properly
formatted HTTP request. Looking back to the border guard analogy, ISA
Server is like a border guard who not only checks the passports, but is
also given an X-ray machine to check the luggage of each person crossing
the border.
The more
sophisticated application-layer attacks become, the greater the need
becomes for a security solution that can allow for a greater degree of
productivity while reducing the type of risks that can exist in an
environment that relies on simple packet-based filtering techniques.
