ISA Server Earns ICSA Labs Certification, Industry’s de Facto Standard for Firewall Security

REDMOND, Wash., Feb. 14, 2001 — How will Microsoft Corp. convince IT security experts and administrators across the globe that its newly released Internet Security and Acceleration (ISA) Server 2000 is a secure enterprise firewall? By letting the experts and customers do the talking.

One of the IT security industry’s most respected independent laboratories, ICSA Labs, has just certified Microsoft Internet Security and Acceleration Server 2000 as a secure enterprise firewall. In the conservative world of Internet security, ICSA certification is the de facto standard, and customers, analysts and professional IT security advisors are taking notice.

“The ICSA Certification speaks for itself as evidence that Microsoft is delivering on its commitment to secure computing, and that customers using the Microsoft platform can operate with confidence, knowing that their systems are safe and firewall-secure,” said Paul Flessner, executive vice president of the .NET Enterprise Servers at Microsoft. “ISA Server is a key member of the .NET Enterprise Servers, which together offer customers all of the essential infrastructure required to succeed today, and prepares them for participating in a Web services economy.”

ISA Server Ready for Prime Time

Customers and analysts say that the ICSA Labs certification of ISA Server, based on a product’s ability to meet a broad range of criteria developed in conjunction with security experts and users throughout the industry, is independent confirmation that the new product is “ready for prime time” in providing mission-critical, enterprise-wide firewall protection for even the largest global networks.

“Obtaining industry-recognized certification is the minimum price of entry into the firewall market,” agrees John Pescatore, IT security industry analyst at Gartner Group. “Gartner advises clients not to even consider firewalls that don’t have ICSA or Common Criteria certification.”

“ISA Server’s earning ICSA certification tells my clients that the product has met extensive criteria from a well-respected independent testing organization, which gives it the credibility it needs to be accepted by security planners,” says Rick Kingslan, senior consultant for Rainier Technology Inc., a leading internet consulting firm that designs, develops, integrates and deploys enterprise Web solutions. “This is on top of the respect the product is earning from companies that are evaluating it directly in their own environments. My clients are incredibly impressed with its ease of management and strength of security features. Specifically, they cite the extensive protocol definition and extensibility of the packet filtering mechanisms.”

“I expected ISA Server to become certified by ICSA Labs,” says Larry Leibrock, the associate dean and chief technology officer for the Graduate School of Business and College of Business Administration at the University of Texas at Austin, where a pre-release version of the product is already deployed as a firewall. “I already knew that Microsoft had a winner on their hands with this product; that’s why I’m deploying it on my 17,000-seat network. This certification means that the professional security community also gives ISA Server its stamp of approval.”

ISA Server Sails Through ICSA Labs Certification

To test a firewall for certification, ICSA Labs installs the product in its own test environments, conducts scans, and monitors control of network ports. It also assesses the ability to configure the firewall to analyze content and to pass or deny traffic that meets ICSA Labs test criteria. ICSA Labs tests to ensure that every authorized inbound and outbound connection attempt through the firewall is completed successfully.

“We test rigorously for the completion of connections because that’s where new products typically fail,” says George Japak, vice president of ICSA Labs, a part of TruSecure Corp., which was known as ICSA.net until last November. The lab reports initial results to the vendor so it can come back with new code to address any problems. The lab then implements the patch, retests the firewall, goes back to the vendor if necessary, and then conducts regression testing as a failsafe to certification.

The iterative testing process typically takes 90 to 120 days, according to Japak, with some firewalls taking up to three years to meet the demanding criteria. In contrast, Microsoft submitted ISA Server to ICSA Labs for testing in late December, and the standards body certified it on January 19, after fewer than 30 days.

“That’s a very short time for a product to be certified and an impressive accomplishment for Microsoft,” says Japak.

Industry Evaluations Confirm ICSA Results

ICSA Labs certification for ISA Server may be one of the most prestigious tests in the security industry, but it’s not the only one that ISA Server has passed, according to industry expert Joel Scambray, author of a best-selling book on Internet security, Hacking Exposed (2000, Osborne McGraw-Hill) and a managing partner of Foundstone, an Internet security training and consulting firm based in Irvine, Ca. Foundstone also evaluated the product, based on both proprietary methodology and publicly available standards of security assessment.

“Based on our own evaluation of ISA Server’s security features, I’m confident that it will compete successfully with well-established products in the security field,” says Scambray. “And that’s in a very conservative marketplace where customers are traditionally reluctant to change security products.”

Rainier Technology’s Kingslan has been testing ISA Server over the past year and reports similar results. “All my testing says that ISA Server can stand up against mainstream and lesser-known products costing three or four times as much,” he says. “There are folks out there running firewalls on UNIX because they think that the Microsoft Windows 2000 platform can’t possibly be secure enough and provide the same level of functionality, but they’re wrong. ISA Server does provide this same level of enterprise security, absolutely.”