How secure is ISA?

Posted on 2009-02-20
Medium Priority
Last Modified: 2013-11-16
Hi. I'm evaluating and teaching myself different firewalls and security measures. I have worked on PIX a little, just got a Netgear to play with, and have also worked with ISA 2004 and 2006. I must say that ISA does a very good job it seems.
Here is my question - I have been doing some thinking and would like some opinions. How secure could ISA be since it is built on a MS product and MS tends to be quite easy for skilled hackers to break. Maybe w/ ISA on the host, it protects the box enough to where there isn't such the risk that other MS servers have?... I don't know. Thoughts and comments?
Question by:dsmjeff
LVL 51

Accepted Solution

Keith Alabaster earned 1600 total points
ID: 23694297
ISA has never been hacked in its history - when implemented correctly by people who know the product it is likely the best firewall and application gateway in the world.
The art is in the configuration: if you don't know what you are doing with it and you open ports that really shouldn't be opened then that is not hacking - it's poor implementation and product knowledge.

For example, people deploy ISA on domain controllers or decide to put other things like SQL or Exchange on the ISA Server - absolutely ridiculous.

It is unfortunate that MS make it appear simple to run the setup.exe program and all is straightforward. ISA is NOT a simple product - it requires understanding of security concepts, protocols, authentication, precedents, networking, DNS, VPNs and numerous other areas. ISA is used to implement a security policy and has an EAL4+ accreditation for its ability to do so.

Many people knock the accreditation system on security standards - especially Cisco addicts. However, it did not stop Cisco making sure that the PIX and the ASA also eventually reached the EAL4+ standard also. Yes, it took them longer to get there than ISA did but that is a side issue.

ISA protects in a number of additional areas also by being a full-blown CERN-compliant forward and reverse proxy server.

How secure is ISA Server? It ticks every box on any criteria sheet that you want to set out.

The much bigger - and more important - questions you should be asking are:
How secure will ISA be when it gets installed if I have not read the installation manuals, followed the setup guides, and obtained some basic training?
How secure will ISA be if I have not ensured that the environment into which I will install ISA is set up properly?
How secure will ISA be if I allow every port to be opened that people tell me is imperative?


Author Comment

ID: 23694365
Thanks for knowledge. And you are correct, ISA is NOT easy to set up. I do think that it does a great job though and I have been very impressed so far, but I am not a security expert by any means.
As far as study guides, I bought Microsoft ISA Server 2006 Unleashed by Michael Noel. Do you have any other suggestions on training guides?
Thanks for the knowledge! :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23694410
More than welcome - and you have no idea how refreshing it is to come across someone who has that right attitude.
Although it is for ISA2004, the product is near-damn identical to ISA2006 except for the SharePoint publishing wizard.

The Implementing Microsoft Internet Security and Acceleration Server 2004 self-paced training kit is superb by MS Press.
The ISBN is 0-7356-2169-1. Be aware though that the new version of ISA is already in test and is due out this year.

Author Comment

ID: 23694439
MS is releasing an ISA 09?
LVL 28

Assisted Solution

jhyiesla earned 400 total points
ID: 23694466
My personal preference is for a hardware-based firewall like a PIX or ASA, but, having said that, I agree with the other expert that ISA is a very solid performer WHEN it is configured properly. This starts with properly hardening the server OS itself.

My suggestion in that regard is to NOT run the wizard to do this, but to manually harden the server. When I installed one of my ISA servers I ran the wizard and it totally screwed up my setup and I had to completely redo it. Check on isaserver.org and do a site search for "harden". There are some really good articles about hardening the server by hand that work really well and add several layers of excellent protection.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23694480
Currently new release dates are under non-disclosure-agreements.

You might find this interesting.....

Author Comment

ID: 23694481

Author Closing Comment

ID: 31549336
Thanks again!
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23702865
Welcome :)
