Comparing ISA Server 2004


8/7/2019 Comparing ISA Server 2004

http://slidepdf.com/reader/full/comparing-isa-server-2004 1/8

COMPARING ISA SERVER 2004

Comparing ISA Server 2004 Standard Edition to Competing Solutions 

ISA Server 2004 SE is an ideal solution to extend and add security to any Microsoft-based infrastructure. ISA Server provides advanced protection, fast and secure Web access, and is very easy to use. Additional advantages of ISA Server 2004 over competing solutions, such as those built on Linux, include:

Best Integration with Windows and Microsoft Solutions 

ISA Server 2004 was designed from the ground up to work with other Microsoft solutions, and is ideal for extending and protecting Microsoft Exchange servers, Microsoft SharePoint® servers, and Windows-based networks. ISA Server 2004 recognizes and supports Windows 2003 server features such as VPN quarantine, and customers can apply firewall policies and rules based on Windows user and group accounts.

More Technologies Built-in 

Many of the features that ISA Server 2004 includes, such as Web caching, intrusion detection, and URL screening, must be added to competing firewall solutions at extra cost, in many cases requiring a separate machine. ISA Server 2004 includes built-in support for the Microsoft VPN client (included at no additional cost within all modern Windows client operating systems), and there is no extra cost to enable client/server VPN connections. Unlike many competing firewall solutions, with ISA Server 2004 there are no limitations on the number of VPN connections, other than bandwidth and server resource considerations.

More Advanced Filtering 

Competing firewall solutions often do not provide the multi-level filtering that ISA Server 2004 offers. Many competing firewalls only provide stateful inspection at the network and session layers to decide whether a packet will be blocked or allowed. This means application-layer attacks such as Nimda and Code Red, as well as buffer overflows and worms, are not detected. The ISA Server 2004 application-layer filtering prevents these types of attacks.

Integrated Firewall and Caching Provides Better Security 

ISA Server 2004 delivers fast Web performance using caching, and also provides integrated firewall security. Many competing firewall solutions do not provide Web caching, and competing cache-only solutions do not provide the added protection of an advanced multi-layer firewall. Of those competing solutions that do offer Web caching and firewall integration, many do not offer SSL termination. Thus, they cannot decode and examine encrypted Web traffic as ISA Server 2004 can.

Better, More Broad Support 

Many open-source products designed for Linux are distributed freely, with no entity taking responsibility for technical support. Linux users tend to rely on peers within the community for troubleshooting and technical help, which means the advice received might fix the problem, or might crash the system. Those Linux-based packages that do provide support tend to be expensive enterprise-level offerings. Meanwhile, ISA Server 2004 is fully supported by Microsoft and a broad ecosystem of partners, including ISVs, resellers, systems integrators, and technology consultants.

Faster Learning Curve 

UNIX-based operating systems and applications can be more difficult to learn than Windows-based software. Configuration of a Linux machine requires more technical knowledge and often requires a mastery of arcane commands and/or some programming skills. The many wizards and intuitive interface of ISA Server 2004 make it easy to install and set up. Because Windows is almost ubiquitous on the desktop, almost all administrators are familiar with its interface.

Lower Total Cost of Ownership 

Cost is an important advantage of ISA Server 2004, especially when compared to costly, high-end firewall solutions. Many competing firewall solutions not only have a high entry cost, but require à la carte purchase of features such as intrusion detection, detailed SMTP and URL screening, Web caching, and others, all of which are included in ISA Server 2004 at no extra cost. Open-source products suffer from


the same problem as many other Linux/UNIX applications: difficulty of use and a high learning curve, adding to management costs. ISA Server 2004 meanwhile provides powerful functionality built in, offers seamless integration with Microsoft solutions, and features an intuitive, easy-to-use interface, with all-in-one pricing.

ISA 2004 SE FEATURES


Application-Layer Filtering 
Security and Firewall 
Multi-Networking 
Monitoring and Reporting 
Management 
Secure Remote Access to Microsoft Servers 
Virtual Private Networks 
Web Cache and Web Proxy 

Application-Layer Filtering 

Feature  Description 

HTTP filtering on a per-rule basis 

The RimApp RoadBLOCK HTTP policy allows the firewall to perform deep HTTP stateful inspection (application-layer filtering). The extent of the inspection is configured on a per-rule basis. With this capability, you can configure custom constraints for HTTP inbound and outbound access.

Block access to all executable content 

You can configure the RimApp RoadBLOCK HTTP policy to block all connection attempts to Microsoft Windows operating system executable content, regardless of the file name extension used on the resource.

Control HTTP file downloads through file name extension 

The RimApp RoadBLOCK HTTP policy enables you to define policy based on file name extension, including "allow all except a specified group of extensions" or "block all extensions except for a specified group."

HTTP filtering is applied to all RimApp RoadBLOCK client connections 

With the RimApp RoadBLOCK HTTP policy, you can control HTTP access for all RimApp RoadBLOCK client connections.

Control HTTP access based on "HTTP Signatures" 

RimApp RoadBLOCK deep HTTP inspection can help you create "HTTP Signatures" that can be compared to the Request URL, Request headers, Request body, and Response body. This gives you precise control over what content internal and external users can access through the RimApp RoadBLOCK firewall.

Control allowed HTTP methods 

You can control which HTTP methods are allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method.

Enforce secure Microsoft Exchange remote procedure call (RPC) connections from full Microsoft Outlook messaging and collaboration MAPI clients 

RimApp RoadBLOCK Secure Exchange Server Publishing Rules give remote users a connection to Exchange Server using the fully functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC so that the connection is encrypted. With the RimApp RoadBLOCK RPC policy, you can block all nonencrypted Outlook MAPI client connections.

FTP policy 

You can configure the RimApp RoadBLOCK FTP policy to let users upload and download through FTP, or you can limit user FTP access to download only.

Link Translator 

Some published Web sites may include references to internal names of computers. Because only the RimApp RoadBLOCK firewall and external namespace, and not the internal network namespace, are available to external clients, these references appear as broken links. RimApp RoadBLOCK includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names.


Granular control over IP options 

With RimApp RoadBLOCK, you can configure IP options on a granular basis and allow only the ones you require while blocking all others.

Security and Firewall 

Feature  Description 

Extensive protocol support 

RimApp RoadBLOCK gives you control over accessing and using any protocol, including IP-level protocols. Users can then use applications such as ping and tracert, and create VPN connections using PPTP. In addition, IPSec traffic can be enabled through ISA Server.

Support for complex protocols requiring multiple primary connections 

Many streaming media and voice/video applications require that the firewall manage complex protocols. RimApp RoadBLOCK can manage these protocols and has an easy-to-use New Protocol Wizard you can use to create protocol definitions.

Customizable protocol definitions 

With RimApp RoadBLOCK, you can control the source and destination port number for any protocol for which you create a firewall rule. This gives the RimApp RoadBLOCK firewall administrator a high level of control over which packets are allowed inbound and outbound through the firewall.

Firewall user groups 

You can use RimApp RoadBLOCK to create custom firewall groups that consist of pre-existing groups in the local accounts database or the Active Directory service domain. This increases your flexibility to control access based on user or group membership, because the firewall administrator can create custom security groups from these existing groups. This removes the requirement that the firewall administrator be a domain administrator to create custom security groups for inbound or outbound access control.

Authentication 

Users can be authenticated using built-in Windows, RADIUS, or RSA SecurID authentication servers or other namespaces. Rules can be applied to users or user groups in any namespace. Third-party vendors can use the software development kit (SDK) to extend these built-in authentication mechanisms.

Firewall client credentials forwarded to the Web Proxy service 

RimApp RoadBLOCK allows firewall clients to access the Web cache with the HTTP filter without requiring separate authentication with the Web Proxy service.

Hotmail Web-based e-mail access through the firewall 

The improved RimApp RoadBLOCK HTTP filter enables users to access Hotmail through an easy-to-configure firewall rule without the need for special configuration on the client or firewall.

Network objects 

With RimApp RoadBLOCK, you can greatly expand your ability to define network objects by creating computers, networks, network sets, address ranges, subnets, computer sets, and domain name sets. These network objects are used to define source and destination settings for firewall rules.

Firewall Rule wizards 

RimApp RoadBLOCK includes a new set of rule wizards that make it easier than ever to create access policy. RimApp RoadBLOCK access policy can be created by a sophisticated firewall rule wizard that you can use to configure any required policy element "on the fly." You do not need to leave the rule wizard to create a network object; any network object or relationship can be created in the new wizard.

Firewall rules represent an ordered list 

RimApp RoadBLOCK firewall rules are represented in an ordered list in which connection parameters are first compared to the top listed rule. RimApp RoadBLOCK moves down the list of rules until it finds a rule matching the connection parameters and enforces the matching rule's policy. This approach to firewall policy makes it much easier to determine why a specific connection is allowed or denied.

User/group-based access policy 

With the RimApp RoadBLOCK enhanced firewall rules, you can define the source and destination for each protocol a user or group is able to access. This greatly increases flexibility for inbound and outbound access control.
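As an added example, not part of this document or of the ISA Server / RimApp RoadBLOCK product, the following Python sketch shows the ordered, first-match rule evaluation described under "Firewall rules represent an ordered list" combined with the per-rule HTTP constraints (blocked file name extensions, allowed HTTP methods) and user/group selectors from the Application-Layer Filtering table. Rule names, networks, groups and addresses are constructed for illustration.

```python
"""Toy first-match firewall rule engine (added example, not product code)."""
import posixpath
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Connection:
    src: str                              # client IP address
    dst: str                              # destination IP address
    protocol: str                         # e.g. "HTTP", "PPTP"
    groups: FrozenSet[str] = frozenset()  # authenticated user's Windows groups
    method: Optional[str] = None          # HTTP method, when protocol is HTTP
    path: Optional[str] = None            # requested URL path, when HTTP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                       # "allow" or "deny"
    protocols: Optional[FrozenSet[str]]               # None = any protocol
    src_nets: Sequence[str]                           # network objects as CIDRs
    dst_nets: Sequence[str]
    groups: Optional[FrozenSet[str]] = None           # None = all users
    blocked_extensions: FrozenSet[str] = frozenset()  # per-rule HTTP policy
    allowed_methods: Optional[FrozenSet[str]] = None  # None = all methods

    def selects(self, c: Connection) -> bool:
        """Connection selectors only; the HTTP policy is applied after a match."""
        if self.protocols is not None and c.protocol not in self.protocols:
            return False
        if not any(ip_address(c.src) in ip_network(n) for n in self.src_nets):
            return False
        if not any(ip_address(c.dst) in ip_network(n) for n in self.dst_nets):
            return False
        if self.groups is not None and not (self.groups & c.groups):
            return False
        return True


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str
    reason: str


def http_policy_violation(rule: Rule, c: Connection) -> Optional[str]:
    """Return why the matched rule's HTTP policy rejects the request, or None."""
    if c.protocol != "HTTP":
        return None
    if rule.allowed_methods is not None and c.method not in rule.allowed_methods:
        return f"HTTP method {c.method} not allowed"
    path = (c.path or "").split("?", 1)[0]  # ignore the query string
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    if ext and ext in rule.blocked_extensions:
        return f"file name extension .{ext} blocked"
    return None


def evaluate(rules: Sequence[Rule], c: Connection) -> Decision:
    """Walk the ordered list from the top; the first selecting rule decides."""
    for rule in rules:
        if not rule.selects(c):
            continue
        if rule.action == "allow":
            violation = http_policy_violation(rule, c)
            if violation:
                return Decision("deny", rule.name, violation)
        return Decision(rule.action, rule.name, "rule matched")
    # Nothing matched: the implicit last rule denies all traffic.
    return Decision("deny", "Default rule", "no rule matched")


# Constructed policy: order matters, so the deny rule sits above the allow rule.
POLICY = (
    Rule("Block quarantined hosts", "deny", None, ["10.0.0.0/8"], ["198.51.100.0/24"]),
    Rule("Staff web access", "allow", frozenset({"HTTP", "HTTPS"}),
         ["10.0.0.0/8"], ["0.0.0.0/0"], groups=frozenset({"Staff"}),
         blocked_extensions=frozenset({"exe", "dll", "scr"}),
         allowed_methods=frozenset({"GET", "HEAD"})),
    Rule("Inbound PPTP", "allow", frozenset({"PPTP"}), ["0.0.0.0/0"], ["203.0.113.1/32"]),
)
```

Because the first selecting rule wins, a connection to the quarantined range is denied by the top rule even though the staff rule below would otherwise allow it, which is the property that makes it easy to explain why a given connection was allowed or denied.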


Outlook Web Access (OWA) Publishing Wizard 

Clientless remote access through secure SSL connections forms the core of SSL VPNs. The RimApp RoadBLOCK Outlook Web Access Publishing Wizard walks you through creating a firewall rule and creates the OWA SSL connection to your Exchange Server. All network elements can be created "on the fly," and you never need to leave the wizard to create a policy element.

FTP support 

RimApp RoadBLOCK gives you access to Internet FTP servers listening on alternate port numbers without requiring special configuration on the client or RimApp RoadBLOCK firewall. FTP server publishing on alternate port numbers requires nothing more than a simple FTP Server Publishing Rule.

Port redirection for FTP Server Publishing Rules 

Using RimApp RoadBLOCK, you can receive a connection on one port number and redirect the request to a different port number on the published server.

Secure Web Publishing 

With ISA Server, you can place servers behind the firewall, either on the corporate network or on a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet), and securely publish their services. With the improved Secure Web Publishing Wizard, you can easily create a rule that gives users secure SSL remote access to published Web servers.

Multinetworking 

Feature  Description 

Multiple network configuration 

You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a particular internal network. RimApp RoadBLOCK extends the firewall and security features to apply to traffic between any networks or network objects.

Unique per-network policies 

The new multinetworking features of RimApp RoadBLOCK enable you to protect your network against internal and external security threats by limiting communication between clients even in your own organization. Multinetworking functionality supports sophisticated perimeter network scenarios, helping you to configure how clients in different networks access the perimeter network. Access policies between networks can then be based on the unique security zone represented by each network.

Routed and NAT network relationships 

You can use RimApp RoadBLOCK to define routing relationships between networks, depending on the type of access and communication required between the networks. In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a NAT relationship. In other situations, you want to route traffic through ISA Server. In these cases, you can define a routed relationship. Packets moving between routed networks are fully exposed to RimApp RoadBLOCK stateful filtering and inspection mechanisms.

Monitoring and Reporting 

Feature  Description 

Real-time monitoring of log entries 

With RimApp RoadBLOCK, you can see firewall, Web Proxy, and SMTP Message Screener logs in real time. The monitoring console displays the log entries as they are recorded in the firewall's log file.

Built-in log query facility 

You can query the log files by using the built-in log query facility. Logs can be queried for information contained in any field recorded in the logs. You can limit the scope of the query to a specific time frame. The results appear in the RimApp RoadBLOCK console and can be copied to the Clipboard and pasted into another application for more detailed analysis.

Real-time monitoring and filtering of firewall sessions 

With RimApp RoadBLOCK, you can view all active connections to the firewall. From a session view, you can sort or disconnect individual sessions or groups of sessions. In addition, you can filter the entries in the sessions interface to focus on the sessions of interest using the built-in sessions filtering facility.

Connection Verifiers 

You can verify connectivity by regularly monitoring connections to a specific computer or Uniform Resource Locator (URL) from the RimApp RoadBLOCK computer using Connection Verifiers. You can configure which method to use to determine connectivity: Ping, a Transmission Control Protocol (TCP) connection to a specific port, or HTTP GET. You can select which connection to monitor by specifying an IP address, computer name, or URL.

Customizing RimApp RoadBLOCK reports 

RimApp RoadBLOCK includes an enhanced report customization feature for adding more information in the firewall reports.

Report publishing 

You can configure RimApp RoadBLOCK report jobs to automatically save a copy of a report to a local folder or network file share. The folder or file share the reports are saved in can be mapped to a Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to automatically publish after report creation.

E-mail notification after report creation 

You can configure a report job to send you an e-mail message after a report job is completed.

Customized time for log summary creation 

By default, RimApp RoadBLOCK creates log summaries at 12:30 A.M. Reports are based on information contained in log summaries. You can easily customize the time when RimApp RoadBLOCK creates log summaries, giving you increased flexibility in determining the time of day reports are created.

Enhanced SQL Server logging 

You can log to a SQL Server database located on another computer on the internal network. RimApp RoadBLOCK SQL Server logging has been optimized to provide much higher performance.

Log to an MSDE database 

Logs can now be stored in MSDE format. Logging to a local database enhances query speed and flexibility.

Management 

Feature  Description 

Management 

RimApp RoadBLOCK includes new management features, making it easier to secure your networks. New user interface features include Task Panes, Help Panes, an improved Getting Started Wizard, and a new look for the Firewall Policy Editor.

Export and Import 

RimApp RoadBLOCK introduces the capability to export and import configuration information. You can use this feature to save configuration parameters to an XML file, and then import the information from the file to another server.

Delegated permissions wizard for firewall administrator roles 

The Administration Delegation Wizard helps you assign administrative roles to users and groups. These predefined roles delegate the level of administrative control users have over specified RimApp RoadBLOCK services.

Secure Remote Access to Microsoft Servers 

Feature  Description 

Firewall generated forms for forms-based authentication 

RimApp RoadBLOCK can generate the forms used by OWA sites for forms-based authentication. This enhances security for remote access to OWA sites by preventing unauthenticated users from contacting the OWA server.

Remote access to Terminal Services using SSL 

Computers running the Microsoft Windows Server 2003 operating system support RDP over SSL to allow secure SSL connection to Windows Server 2003 Terminal Services. With RimApp RoadBLOCK, you can securely publish your Terminal Server using secure SSL technology.

Virtual Private Networks 

Feature  Description 

Virtual Private Network (VPN) Administration 

RimApp RoadBLOCK includes a more fully integrated VPN mechanism, which is based on the Windows 2000 and Windows Server 2003 functionality.

Stateful filtering and inspection for VPN 

VPN clients are configured as a separate network zone. Therefore, you can create distinct policies for VPN clients. The firewall rule engine discriminately checks requests from VPN clients. The engine statefully filters and inspects these requests and dynamically opens connections based on the access policy.

SecureNAT client support for VPN clients connected to RimApp RoadBLOCK VPN server 

RimApp RoadBLOCK expands VPN client support by allowing SecureNAT clients to access the Internet without the firewall client being installed on the client system. You can also enhance corporate network security by forcing a user/group-based firewall policy on VPN SecureNAT clients.

Stateful filtering and inspection for communications moving through a site-to-site VPN tunnel 

RimApp RoadBLOCK introduces stateful filtering and inspection for all communications moving through a site-to-site VPN connection. As a result, you can control the resources that specific hosts or networks can access on the opposite side of the link. You can use user/group-based access policies to gain detailed control over resource use across the link.

VPN Quarantine 

RimApp RoadBLOCK takes advantage of Windows Server 2003 VPN Quarantine tools for deep VPN client inspection and integration with your firewall policy.

Publishing VPN servers 

Use RimApp RoadBLOCK Server Publishing Rules to publish IP protocols and PPTP servers. The RimApp RoadBLOCK smart PPTP application filter performs the complex connection management. In addition, you can easily publish the Windows Server 2003 NAT-T L2TP/IPSec VPN server using RimApp RoadBLOCK Server Publishing.

IPSec tunnel mode support for site-to-site VPN links 

RimApp RoadBLOCK improves site-to-site link support by letting you use IPSec tunnel mode as the VPN protocol. IPSec tunnel mode support greatly increases RimApp RoadBLOCK interoperability with an array of third-party VPN solutions.

Web Cache and Web Proxy 

Feature  Description 

Cache Rules 

With the centralized ISA Server Cache Rule mechanism, you can configure how objects stored in the cache are retrieved and served from the cache.

Path mapping for Web Publishing Rules 

RimApp RoadBLOCK significantly improves the flexibility of Web publishing because you can redirect the path sent to the firewall by the user to any path of choice on the published Web server.

RADIUS support for Web Proxy client authentication 

With RimApp RoadBLOCK, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory. Web Publishing Rules can also use RADIUS to authenticate remote access connections.

Delegation of basic authentication 

Published Web sites are protected from unauthenticated access by requiring the RimApp RoadBLOCK firewall to authenticate the user before forwarding the connection to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.

Preservation of source IP address in Web Publishing Rules 

RimApp RoadBLOCK gives you a choice on a per-rule basis whether the firewall should replace the original IP address with its own or forward the original IP address of the remote client to the Web server.


SecurID authentication for Web Proxy clients 

RimApp RoadBLOCK can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must "know" something and "have" something in order to gain access to the published Web server.