How secure is ISA?

   Hi. I'm evaluating and teaching myself different firewalls and security measures. I have worked on PIX a little, just got a Netgear to play with, and have also worked with ISA 2004 and 2006. I must say that ISA does a very good job it seems.
     Here is my question - I have been doing some thinking and would like some opions. How secure could ISA be since it is built on a MS product and MS tends to be quite easy for skiiled hackers to break. Maybe w/ ISA on the host, it protects the box enough to where there isn't such the risk that other MS servers have?... I don't know. Thoughts and comments?
Who is Participating?
Keith AlabasterConnect With a Mentor Enterprise ArchitectCommented:
ISA has never been hacked in its history - when implemented correctly by people who know the product it is likely the best firewall and application gateway in the world.
The art is in the configuration: if you don't know what you are doing with it and you open ports that really shouldn't be opened then that is not hacking - its poor implementation and product knowledge..

For excample, people deploy ISA on domain controllers or decide to put other things like SQL or Exchange on the ISA Server - absolutely ridiculous.

it is unfortunate that MS make it appear simple to run the setup.exe program and all is straight forward. ISA is NOT a simple product - it requires understanding of security concepts, protocols, authentication, precedents, networking, DNS, VPN's and numerous other areas. ISA is used to implement a security policy and has an EAL4+ accreditation for its ability to do so.

Many people knock the accreditation system on security standards - especially Cisco addicts. However, it did not stop Cisco making sure that the PIX and the ASA also eventually reached the EAL4+ standard also. Yes, it took them longer to get there than ISA did but that is a side issue.

ISA protects in a number of additional areas also by being a full-blown cern-compliant forward and reverse proxy server.

How secure is ISA Server? It ticks every box on any criteria sheet that you want to set out.

The much bigger - and more important - questions you should be asking are:
How secure will ISA be when it gets installed if I have not read the installation manuals, followed the setup guides,and obtained some basic training?
How secure will ISA be if I have not ensured that the environment into which I will install ISA is setup properly?
How secure will ISA be if I allow every port to be opened that people tell me is imperative?

dsmjeffAuthor Commented:
Thanks for knowledge. And you are correct, ISA is NOT easy to setup. I do think that is does a great job though and I have been very impressed so far, but I am not a security expert by any means.
As far as study guides, I bought Microsoft ISA Server 2006 Unleashed by Michael Noel. Do you have any other suggestions on training guides?
Thanks for the knowledge! :)
Keith AlabasterEnterprise ArchitectCommented:
More than welcome - and you have no idea how refreshing it is to come across someone who has that right attitude.
Although it is for ISA2004, the product is near-damn identical to ISA2006 except for the Sharepoint publishing wizard.

The implementing microsoft Internet Security and Acceleration server 2004 self paced training kit is superb by MS Press.
The ISBN is 0-7356-2169-1. be aware though that the new version of ISA is already in test and is due out this year.
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

dsmjeffAuthor Commented:
MS is releasing a ISA 09?
jhyieslaConnect With a Mentor Commented:
My personal preference is for a hardware-based firewall like a PIX or ASA, but, having said that, I agree with the other expert that ISA is a very solid performer WHEN it is configured properly.  This starts with properly hardening the server OS itself.

My suggestion in that regard is to NOT run the wizard to do this, but to manually harden the server.  When I installed one of my ISA servers I ran the wizard and it totally screwed up my setup and I had to completely redo it.   Check on and do a site search for "harden".  There are some really good articles about hardening the server by hand that work really well and add several layers of excellent protection.
Keith AlabasterEnterprise ArchitectCommented:
Currently new release dates are under non-disclosure-agreements.
You might find this interesting.....
dsmjeffAuthor Commented:
dsmjeffAuthor Commented:
Thanks again!
Keith AlabasterEnterprise ArchitectCommented:
Welcome :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.