SAN DIEGO, May 24, 2004 — When Microsoft talks with customers about the newest version of its Microsoft Internet Security and Acceleration (ISA) Server at TechEd today, it will have company. That’s because ISA Server 2004 isn’t just the latest version of Microsoft’s advanced application layer firewall, virtual private network and Web cache solution. It’s also the foundation for a growing range of dedicated security hardware.
To find out how hardware vendors are using ISA Server 2004 to deliver innovative security products and which customers might find these new products of greatest value, PressPass sat down to talk with executives from each of the three companies announcing ISA Server-based products today: Jeff Brandes , Vice President and Business Development Manager at Network Engines; Neil Matz , Product Manager at Celestix Networks; and Rick Fricchione , Vice President of Enterprise Microsoft Services at Hewlett-Packard.
Joining these executives was Jonathan Perera , Senior Director of Product Management, Security Business & Technology Unit at Microsoft.
PressPass: Jonathan, before we talk about what the hardware vendors are doing with ISA Server 2004, can you give us a little background on what’s new with this product?
Jonathan Perera (Microsoft): Sure. ISA Server 2004 is an advanced application layer firewall, VPN [virtual private network] and Web caching solution that helps improve network security and performance.
Our primary focus has been delivering advanced protection for Internet-facing applications. We’ve made significant improvements in the firewall to help better protect solutions such as Outlook Web Access for Exchange 2003 and SharePoint Services against the latest types of Internet threats. Organizations will further benefit from advanced application layer filtering and the work we’ve done to help securely publish Web content to the Internet.
At the same time, we’ve invested heavily in making ISA Server 2004 very easy to deploy and manage. This is critical since IT budgets are tight, and many security breaches are the result of mis-configuration. Easy-to-follow setup wizards help will help administrators get up-and-running securely in a very short period of time. If organizations are familiar with Windows, they’re going to be spending much less time and money training their staffs to deploy and manage it.
Finally, our customers asked us to continue to invest in the VPN and caching capabilities of our solution — this is about delivering fast, secure access for both remote users and for branch offices. ISA Server 2004 enables secure site-to-site and remote access connections over PPTP, L2TP/IPSec, and supports VPN network quarantine to help ensure that systems have the correct system updates and settings before getting access to the network.
PressPass: ISA Server 2004 is generally known to customers as a software product to be loaded onto a full PC server. These new hardware solutions represent a different way of using ISA Server. What are some of these hardware security products and who should be interested in them?
Neil Matz, (Celestix Networks): Hardware solutions are a great way for customers to get the advanced protection, ease of use and fast, secure access of ISA Server 2004 in a dedicated security appliance. For example, we’re offering two products based on ISA Server 2004: our Scorpio and Gemini Celestix MSA4000 products. They’re Pentium 4 and Xeon gateway firewalls for enterprise perimeter defense. They take advantage of the great functionality in ISA Server 2004 to provide caching and proxying for outbound Internet traffic, VPN deployments, application-layer inspection and Web publishing for internal Web sites. We’ve integrated that functionality into low-cost hardware that’s specialized for these uses: rack-mountable appliances with multiple network ports and LCD displays instead of monitors, keyboards and mice. And we’ve added features such as a Web-based user interface to make them even easier to use. We’re targeting these products especially to the small and medium business segments.
Jeff Brandes (Network Engines): Our next-generation Firewall for Microsoft Exchange Server is also targeted for the small and medium business markets, but it’s a very different product: a specialized firewall to help protect servers running Microsoft Exchange Server. We have integrated the application firewall features of ISA Server with NEWS, our Web-based setup and patch management system, in a small desktop appliance that’s easy to deploy and use.
PressPass: Why the small and medium markets? Are ISA Server 2004 hardware products inherently attractive to these types of organizations?
Jeff Brandes (Network Engines): Small and medium businesses are under intense pressure. They often lack the IT resources found in larger companies, yet they face the same security and productivity challenges of larger companies. ISA Server 2004 Server solution vendors pre-configure ISA Server 2004 so the solutions are optimized for those purposes out of the box. For example, with our next-generation Firewall for Exchange Server, we’ve already blocked all ports except the ones needed for Exchange Server, so the customer doesn’t have to figure out how to do that.
That makes the product even faster and easier to deploy and use. It also eliminates the potential of mis-configuration that Jonathan mentioned earlier. The specialized hardware generally has only the features that a customer needs for the specific application — the hardware can be “headless” [no keyboard, video, or mouse] where appropriate. All of this adds up to a lower purchase price and lower deployment costs.
Jonathan Perera (Microsoft): I might add that while the benefits we’re talking about are of obvious interest to smaller companies, products from these companies can also be of interest to larger organizations. A company isn’t limited to deploying a single ISA Server 2004 hardware product. So, the savings that a company gets on a single ISA Server appliance scale out as the company deploys more of them. Because they can be extremely cost-effective and easy to deploy, larger organizations can more easily afford to deploy these solutions wherever they really want them throughout their networks without the cost constraints they had with more traditional deployments. They can also deploy them more readily to branch offices — without a technician from headquarters having to fly out to oversee the process.
Rick Fricchione (HP): Cost-effectiveness is certainly a key, whether a small company is deploying a single product or a larger company is deploying these products throughout an enterprise. Customers can deploy our HP ProLiant DL320 running ISA Server 2004 starting at U.S.$3,000 — well below the price they might expect for many full-featured, enterprise-class security and caching solutions.
PressPass: What does that lower price mean in terms of performance and functionality?
Rick Fricchione (HP): Customers can make a modest investment without compromising performance, interoperability or security. What users are getting is strong integration with the Microsoft infrastructure — with Exchange Server, IIS [Internet Information Services] and Windows — and easy integration with a customer’s existing network security infrastructure. The goal is to enable the customer to achieve the optimal “defense in depth” infrastructure.
The HP ProLiant DL320 running Microsoft ISA Server 2004 is flexible enough to accommodate the security policies that vary from company to company; Microsoft provides the tools and extensibility for certified third-party plug-ins that allow customers to either develop or apply additional features and functionalities. And that flexibility extends to the appliance’s use. Businesses can use it as a primary or secondary firewall, as a VPN solution, as a Web cache solution, or as all three.
PressPass: You mentioned features that Microsoft provides to facilitate the development and use of these hardware products. Jonathan, has Microsoft taken any steps leading up to ISA Server 2004 to make it easier for hardware vendors to develop them?
Jonathan Perera (Microsoft): Yes. Customers told us that they wanted the option of a pre-configured, dedicated hardware and software security solution, so we made a special investment in ISA Server 2004 to enable hardware vendors to create appliances or pre-installed solutions. For example, we made investments to enhance the out-of-the-box experience. Customers no longer need to load a series of CDs during and the installation process. The out-of-box Setup Wizard walks them through the setup process, in most cases without their even needing to know their IP address. Some of our hardware vendors have built additional features onto this, such as remote setup. That’s useful for a central IT office that’s shipping a device out to a local office and wants to confirm that it was installed properly.
Neil Matz (Celestix): There’s another big customer benefit that Microsoft has made possible that goes beyond the great technology in ISA Server 2004. Easier installation is a one-time benefit. But easier maintenance is a benefit that continues for the life of the product and lowers the TCO. Because we’re able to lock down the MSA4000 to its ideal configuration, there’s less need for maintenance down the road. Even when there is such a need, customers know where to go: to the company that provided the integrated solution. There’s no finger-pointing between hardware and software companies and, because this is built on the Windows Server platform, there’s no need for an extended search on the Internet to find some obscure technical fix, as there might be with a Linux product.
When you combine the peace-of-mind that comes from a robust defense-in-depth architecture based on ISA Server 2004 and the ease of use of our hardware-based solutions, companies get a great addition to their security arsenal.