Craig Fiebig, general manager, Security Business Unit
REDMOND, Wash., Jan. 7, 2003 — As companies move more of their business processes to the Internet to give employees, customers and partners greater access to information, they’re opening themselves up to a corresponding increase in security risks. To help enterprises combat increasingly sophisticated Internet-based threats, Microsoft today released a new set of product enhancements for its ISA Server firewall product.
ISA Server 2000 with the new ISA Server Feature Pack 1 helps secure applications such as Exchange Server and Internet Information Services (IIS) with more protection than traditional firewalls, while using wizards to minimize the complexity of configuring this protection. Craig Fiebig , general manager of the Microsoft Security Business Unit, spoke with PressPass about the capabilities of ISA Server Feature Pack 1 and how ISA Server supports the business unit’s overall commitment to helping meet customers’ evolving security needs. Fiebig has worked extensively with large enterprises, government agencies and partners for which security is a top priority.
PressPass: How have you seen your customers’ priorities change with regard to security issues around technology?
Fiebig: Until fairly recently, features and functionality were the main criteria for the new products we delivered. What we’re hearing from customers today is that security is their number-one priority. After the Code Red and Nimda worm attacks last year, many businesses saw that security issues were hurting their bottom line. They rightly expect Microsoft to take a leadership role in addressing these concerns.
PressPass: What’s the overall mission of the new Microsoft Security Business Unit, and how does ISA Server fit within those objectives?
Fiebig: The mission of the SBU is clear: provide customers with a secure platform to run their business, period. We’re focused on two key objectives to meet that goal. First, we deliver a very secure technology environment for people and businesses deploying Microsoft products. Second, with that foundation established, we continuously develop new tools and products that will help our customers keep their networks and systems as secure as possible — which is where ISA Server fits in.
ISA Server can play an important role in an effective defense-in-depth strategy that ideally would include a correctly-configured firewall at the edge, good patch management practices and strong anti-virus and intrusion detection systems. Beyond those tools, implementing sound processes and a comprehensive security policy are important steps in securing a network. Security is an ongoing practice that will continue to evolve as customer needs expand and the threats become more complex.
PressPass: How is Microsoft responding to customers’ evolving needs with regard to firewall protection? What distinguishes ISA Server from other enterprise firewall products?
Fiebig: First, we’ve optimized ISA Server for application-layer filtering to help protect against the more evolved and potentially dangerous Internet-based attacks targeted at networks today. Traditional firewalls are dedicated to packet filtering and stateful inspection of network traffic.
If you think of a piece of mail — an envelope delivered by the postal service — packet filtering and stateful inspection can be compared to merely looking at the
“to”
and the
“from”
addresses on the front of the envelope, and then deciding, based on that information, whether to let this piece of mail into your organization. Application-layer filtering is like opening up the envelope, scanning the contents of the letter inside, closing the letter back up and putting it back inside the envelope. Based on all that information, the system then decides whether or not to let this content into your organization. That’s the kind of detection ability that our customers are asking for in order to enhance the security of their networks.
Second, ISA Server is exceptionally well integrated with Exchange Server, IIS and other Microsoft technologies, so it provides a high level of security and ease of use for these products. With many other firewall solutions, the complexity of security configuration and management can actually make a network even more vulnerable. When you consider that security experts at the CERT Coordination Center estimate that 95 percent of security vulnerabilities result from misconfiguration, you can see why ease of integration is so important.
Third, ISA Server has integrated caching technology built in to help accelerate Web access performance and minimize network congestion — a capability that sets ISA Server apart from many other firewalls. The integrated caching technology allows ISA Server to scale to the needs of small and medium-sized businesses that use one server for both firewall and proxy/cache functionality, all the way up to the largest enterprises that want to focus their ISA Server deployment and use the functions individually.
PressPass: What led Microsoft to develop and release Feature Pack 1 for ISA Server?
Fiebig: Since the Security Business Unit was formed last March, our unit vice president, Mike Nash, and the team have made a series of trips to visit customers and better understand their security concerns. We’ve also been listening to comments and suggestions from partners, newsgroups and IT support communities. Based on all this guidance, we’ve developed a set of features responding to these recommendations — stronger protection for customers’ e-mail servers, stronger protection for customers’ Web servers and well-defined tools that make this protection easier to deploy and maintain. The latest enhancements include specific features that help defend Exchange Server and IIS, two of the most common server products customers want to protect.
PressPass: How will the improvements in ISA Server Feature Pack 1 help companies better meet today’s security issues?
Fiebig: In just about every company and government agency, executives are becoming more mobile. When they’re on the road and trying to access their e-mail, often they have to use a completely different e-mail client and learn how to set up a VPN connection from their hotel or wherever they happen to be. That can be a highly technical and expensive challenge. In ISA Server Feature Pack 1, we help provide the security over that connection between Outlook and Exchange, so that mobile workers can use the same familiar tools on the road as they use in the office, and still have an encrypted link to their e-mail server.
To help companies secure their network from unwanted e-mail, the feature pack also includes enhancements to the ISA Server SMTP Filter and Exchange RPC Filter. These filters help improve the ability to filter e-mail at the application layer using criteria such as keywords and sender to prevent malicious mails from entering the network.
Second, companies are facing increasingly sophisticated attacks on their Web servers, and the attacks are coming at the application layer. Customers are finding that their traditional firewalls aren’t stopping these types of attacks. As part of the Feature Pack, Microsoft has developed defenses, such as URLScan, that can help stop these attacks at the edge of the network and prevent them from even reaching Web servers such as Internet Information Services and Outlook Web Access (OWA). The Feature Pack also allows users to authenticate themselves to the Web servers by using RSA Security Inc.’s patented SecurID authentication technology.
Third, we recognize that configuring the integration between multiple servers and a firewall can be very complex for customers. To make ISA Server easier to deploy, we’ve created an OWA wizard that simplifies the tasks involved in configuring ISA Server to protect an OWA deployment without compromising the security of the installation. We’ve added a new RPC filter configuration wizard that helps administrators control client access to RPC servers located on the internal network. On top of that, we’re providing additional technical documentation and scenario guides to help customers through deployment and troubleshooting the most common problems.
PressPass: You mentioned working with RSA Security. How is Microsoft working with partners to deliver new security solutions that include ISA Server technology?
Fiebig: We formed the SBU with the No. 1 priority of helping customers get secure. One way that we are making that happen is by working with and investing in partners with significant expertise in certain key areas. We see ISA Server as an application-layer engine capable of performing a wide variety of security functions. Many of these functions need to be performed at the network edge and are addressed by ISA Server’s functionality as a firewall. However, there are a number of functions — such as URL and content filtering, SSL acceleration and load balancing — that are outside the core scope of a firewall, but still necessary for comprehensive network security.
To address these issues, we’ve created integration opportunities for our partners to develop technology that builds on ISA Server’s core technologies. For example, there are anti-virus add-ons and intrusion detection add-ons for ISA Server that complement the built-in, application-layer firewall security. We recently signed an agreement with Symantec to incorporate its new anti-virus product for ISA Server that will be able to detect and repair viruses in HTTP, FTP and SMTP content before it moves through the ISA Server.
In the area of intrusion detection, Internet Security Systems (ISS) has made available RealSecure, the company’s comprehensive intrusion detection product, for ISA Server. We also signed a similar agreement with Trend Micro to integrate its anti-virus product with ISA Server. As I mentioned earlier, our partner RSA Security provides the SecurID authentication for which we’re adding integration as part of the Feature Pack.
In addition, we’re seeing the caching market evolving into Content Delivery Network (CDN)-based solutions, and we’ve recently signed agreements with several CDN partners, some of which plan to sell ISA Server with their products as a complete solution for customers.
PressPass: What are some examples of ISA Server adding value to customers?
Fiebig: Many customers are deploying ISA Server between their Exchange infrastructure and their existing packet-layer firewall service. This helps to make their Exchange deployment more secure at both the traditional level — the stateful inspection of packets as they’re coming across the network — and at the more sophisticated level of inspecting the contents of the payload itself. Malicious traffic that tries to send an attack in the data’s payload can pierce the company’s packet-layer firewall, but the chances of it getting past ISA Server are extremely low. Virtually all operational deployments of Exchange would be more secure with the addition of ISA Server. We recommend that all Exchange customers evaluate the use of ISA in conjunction with their mail server infrastructure.
Another interesting scenario we see is customers using the combination of the VPN services in Windows 2000 Server and ISA Server to use the Internet as the company’s backbone telecommunications infrastructure. Avanade, a customer with many branch offices around the world, replaced its expensive frame relay network with an ISA Server and Windows 2000 Server VPN deployment. As a result, the company is saving roughly US$1 million a year in telecommunications costs.
For highly distributed organizations that are running lots of internal Web sites, the caching capabilities within ISA Server can improve performance by minimizing network congestion. We have major customers with worldwide deployments using the caching functionality to offload traffic from their networks.