Comparing ISA Server 2004
8/7/2019 Comparing ISA Server 2004
http://slidepdf.com/reader/full/comparing-isa-server-2004 1/8
COMPARING ISA SERVER 2004
Comparing ISA Server 2004 Standard Edition to Competing Solutions
ISA Server 2004 SE is an ideal solution to extend and add security to any Microsoft-based infrastructure. ISA Server provides advanced protection, fast and secure Web access, and is very easy to use. Additional advantages of ISA
Server 2004 over competing solutions, such as those built on Linux, include:
Best Integration with Windows and Microsoft Solutions
ISA Server 2004 was designed from the ground up to work with other Microsoft solutions, and is ideal for extending and protecting Microsoft Exchange servers, Microsoft SharePoint® servers, and Windows-based networks. ISA Server 2004 recognizes and supports Windows 2003 server features such as VPN quarantine, and customers can apply firewall policies and rules based on Windows user and group accounts.
More Technologies Built-in
Many of the features that ISA Server 2004 includes, such as Web caching, intrusion detection, and URL screening, must be added to competing firewall solutions at extra cost, in many cases requiring a separate machine. ISA Server 2004 includes built-in support for the Microsoft VPN client (included at no additional cost within all modern Windows client operating systems), and there is no extra cost to enable client/server VPN connections. Unlike many competing firewall solutions, with ISA Server 2004 there are no limitations on the number of VPN connections, other than bandwidth and server resource considerations.
More Advanced Filtering
Competing firewall solutions often do not provide the multi-level filtering that ISA Server 2004 offers. Many competing firewalls only provide stateful inspection at the network and session layers to make the decision as to whether a packet will be blocked or allowed. This means application layer attacks such as Nimda and Code Red as well as buffer overflows and worms are not detected. The ISA Server 2004 application-layer filtering prevents these types of attacks.
Integrated Firewall and Caching Provides Better Security
ISA Server 2004 delivers fast Web performance using caching, and also provides integrated firewall security. Many competing firewall solutions do not provide Web caching, and competing cache-only solutions do not provide the added protection of an advanced multi-layer firewall. Of those competing solutions that do offer Web caching and firewall integration, many do not offer SSL termination. Thus, they cannot decode and examine encrypted Web traffic as ISA Server 2004 can.
Better, More Broad Support
Many open-source products designed for Linux are distributed freely, with no entity taking responsibility for technical support. Linux users tend to rely on peers within the community for troubleshooting and technical help, which means the advice received might fix the problem, or might crash the system. Those Linux-based packages that do provide support tend to be expensive enterprise-level offerings. Meanwhile ISA Server 2004 is fully supported by Microsoft and a broad ecosystem of partners, including ISVs, resellers, systems integrators, and technology consultants.
Faster Learning Curve
UNIX-based operating systems and applications can be more difficult to learn than Windows-based software. Configuration of a Linux machine requires more technical knowledge and often requires a mastery of arcane commands and/or some programming skills. The many wizards and intuitive interface of ISA Server 2004 make it easy to install and set up. Because Windows is almost ubiquitous on the desktop, almost all administrators are familiar with its interface.
Lower Total Cost of Ownership
Cost is an important advantage of ISA Server 2004, especially when compared to costly, high-end firewall solutions. Many competing firewall solutions not only have a high entry cost, but require à la carte purchase of features such as intrusion detection, detailed SMTP and URL screening, Web caching, and others, all of which are included in ISA Server 2004 at no extra cost. Open-source products suffer from the same problem as many other Linux/UNIX applications: difficulty of use and a high learning curve, adding to management costs. ISA Server 2004 meanwhile provides powerful functionality built in, offers seamless integration with Microsoft solutions, and features an intuitive, easy-to-use interface, with all-in-one pricing.
ISA 2004 SE FEATURES
Application-Layer Filtering
Security and Firewall
Multi-Networking
Monitoring and Reporting
Management
Secure Remote Access to Microsoft Servers
Virtual Private Networks
Web Cache and Web Proxy
Application-Layer Filtering
Feature | Description
HTTP filtering on a per-rule basis | The RimApp RoadBLOCK HTTP policy allows the firewall to perform deep HTTP stateful inspection (application-layer filtering). The extent of the inspection is configured on a per-rule basis. With this capability, you can configure custom constraints for HTTP inbound and outbound access.
Block access to all executable content | You can configure RimApp RoadBLOCK HTTP policy to block all connection attempts to Microsoft Windows operating system executable content, regardless of the file name extension used on the resource.
Control HTTP file downloads through file name extension | The RimApp RoadBLOCK HTTP policy enables you to define policy based on file name extension, including "allow all except a specified group of extensions" or "block all extensions except for a specified group."
HTTP filtering is applied to all RimApp RoadBLOCK client connections | With the RimApp RoadBLOCK HTTP policy, you can control HTTP access for all RimApp RoadBLOCK client connections.
Control HTTP access based on "HTTP Signatures" | RimApp RoadBLOCK deep HTTP inspection can help you create "HTTP Signatures" that can be compared to the Request URL, Request headers, Request body, and Response body. This gives you precise control over what content internal and external users can access through the RimApp RoadBLOCK firewall.
Control allowed HTTP methods | You can control which HTTP methods are allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method.
Enforce secure Microsoft Exchange remote procedure call (RPC) connections from full Microsoft Outlook messaging and collaboration MAPI clients | RimApp RoadBLOCK Secure Exchange Server Publishing Rules give remote users connection to Exchange Server using the fully functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC so that the connection is encrypted. With the RimApp RoadBLOCK RPC policy, you can block all nonencrypted Outlook MAPI client connections.
FTP policy | You can configure the RimApp RoadBLOCK FTP policy to let users upload and download through FTP, or you can limit user FTP access to download only.
Link Translator | Some published Web sites may include references to internal names of computers. Because only the RimApp RoadBLOCK firewall and external namespace, and not the internal network namespace, are available to external clients, these references appear as broken links. RimApp RoadBLOCK includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names.
Granular control over IP options | With RimApp RoadBLOCK, you can configure IP options on a granular basis and allow only the ones you require while blocking all others.
Security and Firewall
Feature | Description
Extensive protocol support | RimApp RoadBLOCK gives you control over accessing and using any protocol, including IP-level protocols. Users can then use applications such as ping and tracert and create VPN connections using PPTP. In addition, IPSec traffic can be enabled through ISA Server.
Support for complex protocols requiring multiple primary connections | Many streaming media and voice/video applications require that the firewall manage complex protocols. RimApp RoadBLOCK can manage these protocols and has an easy-to-use New Protocol Wizard you can use to create protocol definitions.
Customizable protocol definitions | With RimApp RoadBLOCK, you can control the source and destination port number for any protocol for which you create a firewall rule. This gives the RimApp RoadBLOCK firewall administrator a high level of control over which packets are allowed inbound and outbound through the firewall.
Firewall user groups | You can use RimApp RoadBLOCK to create custom firewall groups that consist of pre-existing groups in the local accounts database or the Active Directory service domain. This increases your flexibility to control access based on user or group membership, because the firewall administrator can create custom security groups from these existing groups. This removes the requirement that the firewall administrator be a domain administrator to create custom security groups for inbound or outbound access control.
Authentication | Users can be authenticated using built-in Windows, RADIUS, or RSA SecurID authentication or other namespaces. Rules can be applied to users or user groups in any namespace. Third-party vendors can use the software development kit (SDK) to extend these built-in authentication mechanisms.
Firewall client credentials forwarded to the Web Proxy service | RimApp RoadBLOCK allows firewall clients to access the Web cache with the HTTP filter without requiring separate authentication with the Web Proxy service.
Hotmail Web-based e-mail access through the firewall | The RimApp RoadBLOCK improved HTTP filter enables users to access Hotmail through an easy-to-configure firewall rule without the need for special configuration on the client or firewall.
Network objects | With RimApp RoadBLOCK, you can greatly expand your ability to define network objects by creating computers, networks, network sets, address ranges, subnets, computer sets, and domain name sets. These network objects are used to define source and destination settings for firewall rules.
Firewall Rule wizards | RimApp RoadBLOCK includes a new set of rule wizards that make it easier than ever to create access policy. RimApp RoadBLOCK access policy can be created by a sophisticated firewall rule that you can use to configure any required policy element "on the fly." You do not need to leave the rule wizard to create a network object; any network object or relationship can be created in the new wizard.
Firewall rules represent an ordered list | RimApp RoadBLOCK firewall rules are represented in an ordered list in which connection parameters are first compared to the top listed rule. RimApp RoadBLOCK moves down the list of rules until it finds a rule matching the connection parameters and enforces the matching rule's policy. This approach to firewall policy makes it much easier to determine why a specific connection is allowed or denied.
User/group-based access policy | With the RimApp RoadBLOCK enhanced firewall rules, you can define the source and destination for each protocol a user or group is able to access. This greatly increases flexibility for inbound and outbound access control.
Outlook Web Access (OWA) Publishing Wizard | Clientless remote access through secure SSL connections forms the core of SSL VPNs. The RimApp RoadBLOCK Outlook Web Access Publishing Wizard walks you through creating a firewall rule and creates the OWA SSL connection to your Exchange Server. All network elements can be created "on the fly," and you never need to leave the wizard to create a policy element.
FTP support | RimApp RoadBLOCK gives you access to Internet FTP servers listening on alternate port numbers, without requiring special configuration on the client or RimApp RoadBLOCK firewall. Publishing an FTP server on alternate port numbers requires nothing more than a simple FTP Server Publishing Rule.
Port redirection for FTP Server Publishing Rules | Using RimApp RoadBLOCK, you can receive a connection on one port number and redirect the request to a different port number on the published server.
Secure Web Publishing | With ISA Server, you can place servers behind the firewall, either on the corporate network or on a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet), and securely publish their services. With the improved secure Web Publishing Wizard, you can easily create a rule that gives users secure SSL remote access to published Web servers.
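The ordered-list evaluation described under "Firewall rules represent an ordered list", as an added example (not ISA Server or RimApp RoadBLOCK code): a first-match evaluator that reports which rule decided a connection, plus an audit check for rules that can never fire because an earlier rule covers them. The rule fields, the sample rules and the final implicit deny are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    protocol: str                     # protocol name, or "*" for any
    source: str                       # source network (CIDR)
    destination: str                  # destination network (CIDR)
    groups: frozenset = frozenset()   # empty set means "all users"

    def matches(self, conn):
        return bool(
            self.protocol in ("*", conn["protocol"])
            and ip_address(conn["src"]) in ip_network(self.source)
            and ip_address(conn["dst"]) in ip_network(self.destination)
            and (not self.groups or self.groups & conn["groups"])
        )


def evaluate(rules, conn):
    """First match wins: return (action, deciding rule name, list position)."""
    for position, rule in enumerate(rules, start=1):
        if rule.matches(conn):
            return rule.action, rule.name, position
    # Assumption: a connection that matches no rule is denied.
    return "deny", "implicit default deny (assumed)", len(rules) + 1


def covers(earlier, later):
    """True if every connection matching `later` also matches `earlier`."""
    return (
        earlier.protocol in ("*", later.protocol)
        and ip_network(later.source).subnet_of(ip_network(earlier.source))
        and ip_network(later.destination).subnet_of(ip_network(earlier.destination))
        and (not earlier.groups
             or (bool(later.groups) and later.groups <= earlier.groups))
    )


def shadowed(rules):
    """Return (rule name, name of the earlier rule that hides it) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy, evaluated top to bottom.
RULES = [
    Rule("Deny contractors to finance", "deny", "*",
         "10.0.0.0/8", "10.20.0.0/16", frozenset({"Contractors"})),
    Rule("Allow internal HTTP", "allow", "HTTP", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("Deny HTTP from lab", "deny", "HTTP", "10.9.0.0/16", "0.0.0.0/0"),
]

if __name__ == "__main__":
    lab = {"protocol": "HTTP", "src": "10.9.0.7",
           "dst": "203.0.113.10", "groups": {"Staff"}}
    print(evaluate(RULES, lab))   # decided by rule 2, not the later lab rule
    print(shadowed(RULES))
```

The lab deny rule never takes effect because the broader allow rule sits above it; moving it up the list changes the outcome, which is why rule order should be reviewed whenever a rule is added.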
Multinetworking
Feature | Description
Multiple network configuration | You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a particular internal network. RimApp RoadBLOCK extends the firewall and security features to apply to traffic between any networks or network objects.
Unique per-network policies | The new multinetworking features of RimApp RoadBLOCK enable you to protect your network against internal and external security threats by limiting communication between clients even in your own organization. Multinetworking functionality supports sophisticated perimeter network scenarios, helping you to configure how clients in different networks access the perimeter network. Access policies between networks can then be based on the unique security zone represented by each network.
Routed and NAT network relationships | You can use RimApp RoadBLOCK to define routing relationships between networks, depending on the type of access and communication required between the networks. In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a NAT relationship. In other situations, you want to route traffic through ISA Server. In these cases, you can define a routed relationship. Packets moving between routed networks are fully exposed to RimApp RoadBLOCK stateful filtering and inspection mechanisms.
Monitoring and Reporting
Feature | Description
Real-time monitoring of log entries | With RimApp RoadBLOCK, you can see firewall, Web Proxy, and SMTP Message Screener logs in real time. The monitoring console displays the log entries as they are recorded in the firewall's log file.
Built-in log query facility | You can query the log files by using the built-in log query facility. Logs can be queried for information contained in any field recorded in the logs. You can limit the scope of the query to a specific time frame. The results appear in the RimApp RoadBLOCK console and can be copied to the Clipboard and pasted into another application for more detailed analysis.
Real-time monitoring and filtering of firewall sessions | With RimApp RoadBLOCK, you can view all active connections to the firewall. From a session view, you can sort or disconnect individual sessions or groups of sessions. In addition, you can filter the entries in the session's interface to focus on the sessions of interest using the built-in sessions filtering facility.
Connection Verifiers | You can verify connectivity by regularly monitoring connections to a specific computer or Uniform Resource Locator (URL) from the RimApp RoadBLOCK computer using Connection Verifiers. You can configure which method to use to determine connectivity: Ping, Transmission Control Protocol (TCP) connected to a specific port, or HTTP GET. You can select which connection to monitor by specifying an IP address, computer name, or URL.
Customizing RimApp RoadBLOCK reports | RimApp RoadBLOCK includes an enhanced report customization feature for adding more information in the firewall reports.
Report publishing | You can configure RimApp RoadBLOCK report jobs to automatically save a copy of a report to a local folder or network file share. The folder or file share the reports are saved in can be mapped to a Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to automatically publish after report creation.
E-mail notification after report creation | You can configure a report job to send you an e-mail message after a report job is completed.
Customized time for log summary creation | RimApp RoadBLOCK is hard-coded to create log summaries at 12:30 A.M. Reports are based on information contained in log summaries. You can easily customize the time when RimApp RoadBLOCK creates log summaries, giving you increased flexibility in determining the time of day reports are created.
Enhanced SQL Server logging | You can log to a computer running a SQL Server database located on another computer on the internal network. RimApp RoadBLOCK SQL Server logging has been optimized to provide much higher performance.
Log to an MSDE database | Logs can now be stored in MSDE format. Logging to a local database enhances query speed and flexibility.
Management
Feature | Description
Management | RimApp RoadBLOCK includes new management features, making it easier to secure your networks. New user interface features include Task Panes, Help Panes, an improved Getting Started Wizard, and a new look for the Firewall Policy Editor.
Export and Import | RimApp RoadBLOCK introduces the capability to export and import configuration information. You can use this feature to save configuration parameters to an XML file, and then import the information from the file to another server.
Delegated permissions wizard for firewall administrator roles | The Administration Delegation Wizard helps you assign administrative roles to users and groups. These predefined roles delegate the level of administrative control users have over specified RimApp RoadBLOCK services.
Secure Remote Access to Microsoft Servers
Feature | Description
Firewall generated forms for forms-based authentication | RimApp RoadBLOCK can generate the forms used by OWA sites for forms-based authentication. This enhances security for remote access to OWA sites by preventing unauthenticated users from contacting the OWA server.
Remote access to Terminal Services using SSL | Computers running the Microsoft Windows Server 2003 operating system support RDP over SSL to allow secure SSL connection to Windows Server 2003 Terminal Services. With RimApp RoadBLOCK, you can securely publish your Terminal Server using secure SSL technology.
Virtual Private Networks
Feature | Description
Virtual Private Network (VPN) Administration | RimApp RoadBLOCK includes a more fully integrated VPN mechanism, which is based on the Windows 2000 and Windows Server 2003 functionality.
Stateful filtering and inspection for VPN | VPN clients are configured as a separate network zone. Therefore, you can create distinct policies for VPN clients. The firewall rule engine discriminately checks requests from VPN clients. The engine statefully filters and inspects these requests and dynamically opens connections based on the access policy.
SecureNAT client support for VPN clients connected to RimApp RoadBLOCK VPN server | RimApp RoadBLOCK expands VPN client support by allowing SecureNAT clients to access the Internet without the firewall client being installed on the client system. You can also enhance corporate network security by forcing a user/group-based firewall policy on VPN SecureNAT clients.
Stateful filtering and inspection for communications moving through a site-to-site VPN tunnel | RimApp RoadBLOCK introduces stateful filtering and inspection for all communications moving through a site-to-site VPN connection. As a result, you can control the resources that specific hosts or networks can access on the opposite side of the link. You can use user/group-based access policies to gain detailed control over resource use with the link.
VPN Quarantine | RimApp RoadBLOCK takes advantage of Windows Server 2003 VPN Quarantine tools for deep VPN client inspection and integration of your firewall policy.
Publishing VPN servers | Use RimApp RoadBLOCK Server Publishing Rules to publish IP protocols and PPTP servers. The RimApp RoadBLOCK smart PPTP application filter performs the complex connection management. In addition, you can easily publish the Windows Server 2003 NAT-T L2TP/IPSec VPN server using RimApp RoadBLOCK Server Publishing.
IPSec tunnel mode support for site-to-site VPN links | RimApp RoadBLOCK improves site-to-site link support by letting you use IPSec tunnel mode as the VPN protocol. IPSec tunnel mode support greatly increases RimApp RoadBLOCK interoperability with an array of third-party VPN solutions.
Web Cache and Web Proxy
Feature | Description
Cache Rules | With the centralized ISA Server Cache Rule mechanism, you can configure how objects stored in the cache are retrieved and served from the cache.
Path mapping for Web Publishing Rules | RimApp RoadBLOCK significantly improves the flexibility of Web publishing because you can redirect the path sent to the firewall by the user to any path of choice on the published Web server.
RADIUS support for Web Proxy client authentication | With RimApp RoadBLOCK, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory. Web Publishing Rules can also use RADIUS to authenticate remote access connections.
Delegation of basic authentication | Published Web sites are protected from unauthenticated access by requiring the RimApp RoadBLOCK firewall to authenticate the user before forwarding the connection to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.
Preservation of source IP address in Web Publishing Rules | RimApp RoadBLOCK gives you a choice on a per-rule basis whether the firewall should replace the original IP address with its own or forward the original IP address of the remote client to the Web server.
SecurID authentication for Web Proxy clients | RimApp RoadBLOCK can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must "know" something and "have" something in order to gain access to the published Web server.