Start with 7 free days of training.

Gain instant access to our entire IT training library, free for your first week.
Train anytime on your desktop, tablet, or mobile devices.

Implementing Microsoft Internet Security and Acceleration Server 2004

The Microsoft exam covered by this training has been retired. If you are still using the equipment covered by this retired exam, however, you'll find that this training holds significant value as an on the job reference.

This Jeremy Cioara video training for ISA Server 2004 maps to Microsoft Exam 70-350. You'll be earning elective credit towards both the MCSE and MCSA 2003 certifications, while you gain on-the-job skills for deploying ISA Server 2004 on your network from start-to-finish.

The course also teaches you how to configure the ISA Server firewall to inspect packets down to the application-layer data and filter out hard-to-catch instant messaging and peer-to-peer file sharing applications. It even gives you a side-by-side comparison of ISA Server 2004 to competitors such as Cisco PIX and Checkpoint, so you can determine which firewall will best meet the needs of your network....
The Microsoft exam covered by this training has been retired. If you are still using the equipment covered by this retired exam, however, you'll find that this training holds significant value as an on the job reference.

This Jeremy Cioara video training for ISA Server 2004 maps to Microsoft Exam 70-350. You'll be earning elective credit towards both the MCSE and MCSA 2003 certifications, while you gain on-the-job skills for deploying ISA Server 2004 on your network from start-to-finish.

The course also teaches you how to configure the ISA Server firewall to inspect packets down to the application-layer data and filter out hard-to-catch instant messaging and peer-to-peer file sharing applications. It even gives you a side-by-side comparison of ISA Server 2004 to competitors such as Cisco PIX and Checkpoint, so you can determine which firewall will best meet the needs of your network.
 show less
1. Microsoft's Firewall Evolution: The Road to ISA Server 2004 (46 min)
2. ISA Server 2004 Features (39 min)
3. The Ring Fight: ISA Server vs. The Competition (40 min)
4. ISA Server 2004 Design and Installation (38 min)
5. ISA Server is Installed... Now What? (43 min)
6. Selecting the ISA Client Types (43 min)
7. Building the ISA Network Infrastructure (33 min)
8. Configuring Networks and Filling Your Firewall Toolbox (32 min)
9. ISA Server 2004 As a Firewall (46 min)
10. ISA Server 2004 As a Firewall, Part 2 (35 min)
11. ISA Server Publishing, Part 1 (36 min)
12. ISA Server Publishing, Part 2 (42 min)
13. Configuring ISA Server for VPNs (51 min)
14. ISA Server's Caching Capabilities (48 min)
15. Monitoring ISA Server (38 min)
16. Introducing ISA Server 2004... Enterprise Edition (36 min)

Microsoft's Firewall Evolution: The Road to ISA Server 2004


Microsoft's Firewall Evolution, The Road to ISA Server 2004. Let me first off start by saying welcome. Welcome to the ISA Server 2004 video series, as we begin our own road, our own journey, into this latest and greatest firewall product that Microsoft has produced.


Now, what I'd like to do in this opening video is not just focus on Microsoft's road to ISA Server 2004, but focus on, I guess, the aura around that, the vision that Microsoft has, and the preconceived notions that a lot of network administrators have about this product.


First off, I'd like to talk about all eyes on the world of security. This is a new thing that has happened in our latest and greatest era of technology. It was one of those things that only the big networks worried about, network security, but now even your mother or your cousin or your non-technical friend is worried about network security because just about everybody is now connected to the internet, which introduces a whole plethora of security concerns.


So I'm going to talk about why all eyes have turned that direction. I also want to talk heavily about a lot of preconceived notions that people have and the question that drives this whole topic. Microsoft has a firewall. Is this a joke? I mean, I say that and I kind of laugh when I do, but a lot of network administrators say that seriously.


I've talked to people who are driven by that and almost get offended when I suggest that we use Microsoft as a firewall solution. It's kind of one of those things of, you mean-- and this is how the conversation goes-- you mean use Windows as a firewall?


You mean put one of our Windows servers and connect it to the internet and use that as a firewall solution; are you kidding? And they kind of laugh like they're waiting for the drum roll at the end where I go, oh no, no, Cisco PIX is what I meant. But when I say it seriously, people start even getting defensive of, this is not a good idea.


I know Microsoft and I know they are not a firewall. That's one of the big misconceptions that I hope to demystify in this opening video. I then want to peel back the network security onion, talk about design, where we're going to walk into a network and the layers of security that a network has, because that heavily affects where you place your firewall solutions.


We'll then tell you about choosing a network firewall, talk about why we might use ISA Server, why the Cisco PIX might be a solution, why Checkpoint is a good solution. As a matter of fact, that topic gets so big, I plan on creating an entire video, an entire separate presentation in the series, talking about how ISA Server stacks up.


I mean, when we compare ISA Server to the Cisco PIX or ISA Server to Checkpoint or ISA Server to many of the other products out there, what are the advantages of each? Why is Microsoft jumping into this game? And finally, we'll talk about what I titled this video-- that's our last topic-- the Microsoft Firewall Evolution.


We'll start from the beginning with the Microsoft Proxy Server product and talk about what has led us up to the point we're at now. Microsoft has gotten into this product and developed this line, or this series, of firewall products because all eyes of the world are on network security.


And take a step back with me real quick. I know we're focused on technology and Microsoft and so on, but take a step back and look at the world. And I'm not talking about a step like galactic sort of sense; I'm talking about the state of the world as it is today.


I mean, if you look around at any given time, you have wars that are constantly going on in many different corners of the Earth, wars you don't even hear about that are happening. You have terrorism that has become the new generation of wars that are always going on-- again in all corners of the world, you have natural disasters occurring at any given time, any given place.


Just snap your fingers and something has probably happened. So I would say, at best, our world, the current state, is a pretty volatile place. Now, let's get a little closer. Overlay what has happened to our world in the last 10 years. In the last 10 years, businesses, organizations, economies have become increasingly reliant on technology.


Businesses are becoming completely technology-based, meaning that if the technology isn't there the business stops functioning. Now, combine that overlay with the current state of our world and you start to see a strange trend. With our world being a volatile place, with strange things happening all over the place, with terrorism efforts and so on, people have begun to realize that it's no longer people with guns and bombs that have the most impact on an organization.


It's people that can take out a company's infrastructure without ever lifting a finger or going to a different location. I know it sounds weird and sounds kind of odd to say it that way, but the most effective way to take out an organization is no longer with weapons.


It's now through technology. As a matter of fact, if you take a look at cert.org-- cert.org, if you haven't been there, awesome place, very cool agency that has dedicated themselves to nothing but security and releasing papers and so on-- I mean, you go there and you'll find articles, easy-to-read articles, on how to secure your home network or what the latest worm that has come out is and how to protect yourself from it.


They've released some stats that show year over year the amount of hacking attempts and amount of break-ins in networks has increased from 50% to 100% a year-- I mean constantly increasing. Now, it sounds kind of funny to say that because years ago-- I'd say five, six years ago-- when Code Red or Nimda came out, these worms that took out Windows servers everywhere, it was kind of a wake up call for folks.


They were going, oh, wow, worm, and it's almost like it went away. Those worms-- it was a devastating thing, but now people are just like, oh yeah, we fixed it. Microsoft's security patch-- it's fixed, it's gone. But that is a misnomer. That is kind of what the hackers want you to believe-- oh, it's gone; it's fixed-- because it's still going on, much more so today than it was back then.


And the rise of Windows and what that means to you means that Windows is the operating system of businesses. Now, I know I cross a lot of sticky lines and preferences when I say that, because people say, well, no, I like FreeBSD, I like Linux. Of course, I have my own taste.


I bought a Macintosh PowerBook about a year go. Love it, but unfortunately-- and I know this is going to hurt some of you; it hurts me to say it-- I kind of consider it a toy. It's kind of a cool thing to play with. I've done some productive stuff on there, but overall it's more of a toy for me.


If I want to get work done, most of the time I'm going to go on my Windows PC because that has a lot of the familiar business applications. And I don't want to digress too far into that, but Windows is really what drives businesses today. Microsoft Exchange drives our emails-- the most popular email program.


We have SQL that is driving our databases. It is one of the most popular database programs. I mean, you have all these different things that run on Windows, and what this means is that Windows is the most attacked system in the world. And I say this because it brings up a lot of good points with ISA Server.


You mean you're going to run a firewall on Windows? Yeah, we are, and that's some of the benefits to ISA Server, is that it does run on the platform that just about everybody uses for most business applications today. Now, I'm going to expand on that a little bit more as we get into ISA Server directly, but I just want to mention that this is a Windows-based world.


And hang on. I'm going to digress just a little bit. Bear with me. But would it be true to say if Macintosh or if Linux, or if one of these other operating systems, were the most popular in the world that that would be the most attacked operating system in the world?


I think so. The reason I say that is because who wants to attack an operating system that 5% of the world is using? Not many people. They want to take out the world. They want to attack a vulnerable system that everybody uses. And it's funny because I've had this Macintosh-- let me talk about Macintosh for a moment-- for about a year.


Like I said, love it; great toy. But it's funny because they've begun to gain some popularity. That little iPod gadget that they released-- yeah, that kind of drives their business and has gotten a lot of people to buy Macintoshes. And since that has happened, you know what I've noticed?


Security updates automatically downloaded to my Macintosh that fixes a hole in Safari, the web browser, that could allow somebody to compromise your system or fix a hole in the root operating system. These security updates are coming out why? Because the operating system has gained a little popularity.


The more popular something is, the more attacked it is. I think that almost goes without saying, but I just want to make sure everybody is on the same page with me there. Now, the biggest problem with the world today, in my own opinion, is not so much with the enterprise businesses of the world.


The reason I say "in my opinion" is because I consult a lot with small- to medium-sized businesses. That's my primary forte. The enterprise businesses have a huge IT staff that does nothing but making sure the network is OK. They have a group of firewall administrators that focuses on nothing but network security.


The biggest problem, in my opinion, is in the small to medium business market. I just came from a consulting job where people were using Windows servers to run their network that were directly connected to the internet. I'm not talking ISA Servers. I'm talking a Windows server, Windows 2000 server, directly plugged into the cable modem connection.


It was allowing them to have VPNs and everything like that, and when I came on board they actually had at least two of their Windows servers that had already been compromised. And they had never known it because somebody was using it as a point-to-point file sharing network, meaning somebody had gotten into that Windows Server and was now using that as a place to store pirated software, where everybody could go to an untraceable link where if the law enforcement zoomed in on it they would come to this company and say, hey, you're distributing pirated software.


And this company would have said, huh, what are you talking about? They never knew it because their network had grown from a small- to medium-sized network and they hadn't really grown security with it. Who'd have thought? Why would we need to do that?


That is where the biggest problem exists because the naivete of those organizations not knowing that they have a security problem. Now that word is going to bug me. Nai-e-tivity-- how about I just say, "the state of being naive." I hate words that I can't pronounce, but that's one of them.


So anyhow, let's get into Microsoft as a firewall, dot, dot, dot. Huh, what? What are you talking about? Who would do that? Well, I want to go through in this opening video-- before we even go any further in ISA Server I want to go through and talk about the list of thoughts-- and I was being very politically correct when I said "thoughts," because this is really a list of criticisms, a list of common misnomers, common paradigms that people are in, that really apply when they think about ISA Server.


And I have to tell you, I have fallen into this category time and time again, because, I'll tell you what, marketing is very effective. When you come from a world where the world is constantly saying, you need to buy a hardware-based firewall, you need an appliance, you need an appliance-- hardware-based appliance, hardware-based-- it's kind of like it gets in your head and you get to the point where you're like, oh, I need a hardware-based or appliance-based firewall.


And a lot of this comes from some of the experiences that you've probably had. For example, anyone know about Windows in its ability to do RAID, meaning that you can use your Windows Server to do, for instance, a RAID level 5 array, which means you combine multiple hard drives into one and its stripes data across them and so on?


And if you take Windows and you say, OK, well, let's use Windows to do a RAID 5 array and you and you take that to a production network, you know what people will do? Ha, ha, ha, ho, ho, you're fired. No, just kidding. They won't fire you, but they'll definitely laugh.


Because there are hardware appliances that can do RAID level 5 a whole lot faster than Windows can-- and much more efficient, much more reliable, a whole lot of things much better than Windows. So you take that kind of mentality and then you apply it to the firewall side of things.


You say, well, ISA Server's a good firewall and most people will do, ho, ho, ho. It's not going to happen because they say, well, we have these hardware appliances that have the chips to do firewall filtering. So we come to our first critique here. "Software firewalls equals weakness." And I guess I can piggyback right onto that.


Software firewalls equals less efficient than a hardware firewall. Now, let me talk about why this came in. The reason why is because a small company called IBM developed this chipset known as an ASIC. That stands for Application Specific Integrated Circuitry.


As a matter of fact, let me jot that right up here on the screen-- grab my pen. A-S-I-C, ASIC. And some of you may have seen that before, because Cisco touts this in all of their switching technology. They say we have switching ASICs, which means a switch can operate just as fast as wire can transmit.


It's known as wire speed. Now, they took this, and IBM came up with some ASICs, some chips for firewalls that allow them to do packet filtering at, quote-unquote, wire speed or close to it, meaning that the hardware is built to do it. It no longer has to run a software application to do that.


Now, ASICs definitely have ruled the hardware firewalls in the late 90s. I mean, when they came out, everyone's like, oh, we need ASICs for everything-- ASICs for switching, ASICs for firewall. Software firewalls are yesterday's news. And that was true for a while, until our applications started getting a little more advanced.


And let me tell you what my wake-up call was for software firewalls and where these start coming in. I'm a Cisco PIX guy. I've done Cisco PIX forever. I love Cisco PIX. It's fun for me. And I was using Cisco PIX on a network, and the network administrator said, OK, we've got all of our stuff in place.


We're filtering from the internet. The major stuff is cut out. One thing we need to do, Jeremy, before you leave-- we need you to filter instant messenger applications. We don't want people using MSN Messenger or AOL Online Messenger or Yahoo Messenger.


And there's good reason behind that. Number one, it's not very productive to be chatting with people all day, and number two, those instant messengers allow desktop sharing and file transfers to happen. I said, sure, no problem there; I can filter instant messenger applications.


So I go to my port number list, and I say, OK, instant messengers-- what port do they use? And I came up to this huge list saying, oh, well this instant messenger can use from port 1300 to 1600. Oh, and by the way, this instant messenger-- and here's the kicker; this is what got me-- can use port 80.


And I stood there stunned, and I was looking at it, blink, blink-- stare a little closer. Port 80? What are you talking about? Port 80-- that's web browsing. You can't use port 80 for an instant messenger. And sure enough, soon all the instant messages jumped right in suit and said, we will use a dynamic port searching feature that will find an open port and rely on port 80 if all else fails.


They have tuned that application to, quote-unquote, tunnel out port 80, meaning act like web traffic to get out of a network firewall. And so I'm sitting there going, well, that's dumb. I mean, how do I block that? How do I block port 80 but still let people surf the web?


So then, all of a sudden, Jeremy, genius, I have another idea. I can block the servers that these instant messengers connect to. I know what I'll do. I'll find out this instant messenger, what server it tries to connect to, and I'll block their IP address.


Well, that worked for a couple weeks, until I found out that these servers are getting more and more, and the updates to the instant messenger applications start including thousands of servers. And then before long, thankfully, our friends at Microsoft that created MSN messenger decided to make MSN messenger connect to the same server that runs www.msn.com and a lot of the other www.microsoft.com websites that are out there.


So I say all this to point out that the hardware ASIC-based firewalls no longer have the capability to do the kind of filtering we need. Simple blocking based on port number and IP address is no longer what we need for our networks of today. And here's a fact not many people know.


Most popular firewall manufacturer in the world-- name is Checkpoint. Checkpoint rules the firewall market, and did you know that Checkpoint is a software-based firewall? Gasp, it can't be true, but it is. Checkpoint is a software-based firewall. Yes, they do rely on ASICs for doing some of their switching for high performance packet filtering, but they do use software components that can slow down the network.


So software firewalls equals weakness, or software firewalls equal performance hit, is not a true fact anymore. Now, I will talk about a mix of firewalls when we get to that third bullet in there, but let's talk about the second one. I have a lot of thoughts on this, so forgive me if I talk a little bit much.


But I just want to make sure you are armed, because I guarantee you if you suggest ISA Server 2004 to another network engineer that hasn't heard much about it, you're going to be faced with these questions. You're going to have to answer the question of, why are you using a Windows box as a firewall when I have my Cisco PIX sitting just to the right of me?


So second point, it's running on Windows. Windows is assumed to be inherently weak, and the reason why is because Windows-- and I guess you could say Microsoft when they wrote Windows-- decided to create something known as RPCs. Let me jot that up here-- RPC.


It's a remote procedure call, which is a way that people can create applications to integrate with Windows and so on. And without digressing too much into the coding behind it, RPCs are where a lot of the vulnerabilities came in, in the sense that if you took a Windows box, connected up to the internet with no security whatsoever, somebody could start running remote procedure calls-- get the term, remote; somebody at a remote location is running those-- on Windows and gain control of that host.


Now, with that in mind, the ISA Server 2004 product does something known as system hardening, meaning if you block the ports and you block the ability for people to run RPCs remotely then people can't run RPCs remotely. It's just not possible. Essentially, if you cut off the services, if you cut off the access to this box that allows people to access the Windows foundation, then I kind of get this mental picture in my head that Windows-- if you just think of Windows, it's like a big, chewy chocolate chip cookie.


For a hacker, it's just like, let me just munch right into that. Chomp, chomp, chomp. Can you feel that chocolate filling your mouth? Oh, that's good. And, I mean, it's just this big chewy center, because Windows was designed to be open, meaning people can write applications, people can run things on there, without any hindrance from the Windows operating system in itself.


So when you start introducing security, it's kind of like you're taking that cookie and baking it a little long. You get this big crusty edge around the cookie that when you bite into, people are like, uh-- if you bake it long enough, I suppose. It's like this crusty edge that your teeth start breaking.


Can't bite the chocolate chip cookie, can't get to the chewy center, because we've got this nice crusty edge around the cookie. I just came up with that. So when you're talking about running ISA Server on Windows, what will happen is you will bake the edges of your Windows cookie.


It will now be a solid, security-hardened perimeter around there. Now, you might think, well, what about the Windows updates? And this is a common thing people say. I always get Windows updates. Security vulnerability here, security vulnerability there, and so on.


Well, first off, most of those apply to services that you'll never run on your ISA Server server. You'll never run the workstation browser service or the server service on your ISA Server. Those services will be disabled. 90% of those hot fixes that come out are for things that do not apply to the ISA Server.


And when there is something that applies the ISA Server, that's a good thing. It's Microsoft being proactive to update their firewall platform to address some new security vulnerability. And it doesn't matter what firewall vendor you go with. If they're not releasing updates for their software or patches to prevent certain worms and certain items out there, they're either just in denial, meaning they're just like, we don't see that, and they're not telling you, or they're just not doing you a good service.


I mean, every firewall vendor will release updates to their software as new types of attacks come out. Now, the third thing that people say, and the third statement I've heard, is that ISA Server is good-- you see we've made some progress here-- but it's only good as a complement to a "real" firewall.


First off, you hear that ISA Server's good, but then you see the bias come in when they say "a real firewall," as in ISA Server is not considered a real firewall. And what they really mean when they say that is something with a proprietary operating system, like Cisco PIX or Checkpoint, that is designed to be a firewall appliance device, meaning an all-in-one system.


You buy the box from Checkpoint, they ship it to you, and, voila, you have a firewall. When you come to that statement, I will say, yes and no. The reason I say that is, first off, these ASICs that I was talking about to begin with, these hardware chips, are good.


I mean, they're really fast. They work really well for what they're designed to do. However, when you're saying "only as a complement to a real firewall," I would say that in a larger network scheme, ASIC chips and packet-based filters are very important and need to run at a high speed.


Here's what I mean. When you design your firewall solution, you design it like an onion, and I'm going to get into the layers in just a moment, how you have an outside perimeter defense. And as you get closer in, you go through these layers of an onion.


Now, the outside perimeter, the fence of your network if you will, needs to have some very fast packet switching equipment, meaning that it needs to have something that's capable of switching as fast as possible. And I'm talking a large network scenario here, because you're going to have a lot of packets that are coming in that don't belong there.


And a packet filter, which is what a lot of the appliance firewalls really are-- they just filter based on important numbers and IP addresses, and that's known as stateful filtering as well. And I'll define some of these terms a little bit later. They really just look at network and port information, because that's what their ASICs are designed to do.


And they do it very quickly. That is a good external perimeter system, because it catches, I guess, the big dogs, the ones that are trying to come in on a denied port number. It can grab those, deny them quickly, and then move on. ISA Server-- it can't compete with an ASIC-based system for speed when we're looking at packet-based filtering, looking at IP addresses and port numbers.


ISA Server shines because it does packet filtering all the way up to Layer 7 of our OSI model, all the way up to the application layer. Instead of just saying, hey, you know what, port 80 is denied, I can actually use the ISA Server to say, well, this kind of request on port 80 is denied.


Or if you're trying to send this kind of application, which is non-HTTP, out on port 80, it's denied. Now, a packet-based, hardware-based filter can't catch that, because the ASICs are written only to do filtering based on IP addresses and port numbers.


It's not looking at application layer data. Now, like I said, I have a pretty heavy Cisco background, so I'm pretty versed into what their latest and greatest stuff is. And they just came out with something for routers they call NBAR, and this is on the Cisco side.


It stands for network-based application recognition. Now, NBAR allows the router to recognize applications rather than port numbers. It can recognize FTP regardless of what port it's using. However, NBAR is a software-based feature. And I tap my pen on the desk when I say that.


It's software-based. It's just like ISA server, meaning they don't-- IBM hasn't written an ASIC that does NBAR. It has to rely on Cisco software-- it's called the ILS-- to do that kind of catching. So pretty much at that point, it's just the same as ISA Server.


It's a little more limited because NBAR is a fairly new feature and doesn't have the flexibility that ISA Server has. So when we say real firewall, I want to say different firewalls, in the sense that they have different purposes and different designs.


And when we talk about the network onion, I'll expand more on that. And the final thing is, "appliance firewalls are more reliable." And the reason people say that is because appliance firewalls don't run on computers. They are an appliance that, usually, they don't have a hard drive, meaning their operating system is stored in a flash chip.


Appliance firewalls-- I guess the big statement I can say-- have no moving parts, like hard drives is, I guess, the main thing people say. And first off, hard drives have become far more reliable than they used to be. Their mean time to failure is now in years rather than in months, unlike the old hard drive systems would be.


ISA Server as well, since it does run on a software box-- I will admit that computers absolutely are more prone to failure than an appliance firewall. With that in mind, Microsoft has designed ISA Server to be able to be backed up and restored in a matter of seconds-- seconds; I should be hired as a marketing guy.


It's not seconds. But the entire ISA Server file, all the configuration-- oh, man, I'm throwing my pen here; let me put that down-- all this ISA Server configuration is stored in an XML file. That's the new standard that just about everything is being stored in, in the sense that you can back up and restore an ISA Server box in, say, 10 to 15 minutes to completely replace it.


And appliance-based firewalls do fail. I mean, they have power supplies just like anything else. The only component that they're missing is a hard drive, and, I guess, are they really missing a hard drive? Because if you plan to use a firewall to store log files and keep track of attacks and things of that nature, I mean, these reports, which are really necessary-- those are going to have to be stored on a hard drive somewhere.


So hard drives are still around even in appliance firewalls to store log files and so on. So, again, there are benefits to both software- and hardware-based firewalls, and I'll highlight them as I go further in this video. But for now, I just want to give you some thoughts on the list of critiques that I hear commonly brought against ISA Server.


Now, before we get into the different flavors of ISA Server and where ISA Servers come from and so on, let's first talk about this network onion I keep referring to in all my discussions. It's taking a multi-layered approach to security, just like an onion has multiple layers.


And I guess before we can even talk about that, we need to define what security means. I mean, if you were to think of security-- define the word, dictionary definition-- you'd probably say something like freedom from harm, complete prevention. Being safe, I guess, would be a good definition-- freedom from invasion or harm or damage or whatever the case may be.


And I would say that's a good definition but unreasonable in most cases. For example, take my house. I live in a house where we have security doors and they're always locked. My wife is a big security person. Anytime I come in and out, gotta lock the doors, gotta lock the doors.


And I'm horrible about that. I always forget. Oh, I forgot, and then it's kind of like, oh, you should have locked the door; I forgot to lock the door. And you go back and forth. And my argument that I always throw out there is, well, if I'm going to lock the door, big deal.


If somebody really wants to get in, they're going to chuck a rock through the window and get in through the window and unlock the door themselves. And we go back and forth on this, and she always says, well, yes, that's possible, but I want to make it as difficult for them as I can.


It's kind of the home security paradigm. Now, if I wanted to, could I secure the windows? I mean, could I keep them from getting in? Well, sure, I could put metal bars on the outside of our house, and you at that point are sacrificing some of the look of your home for the security aspect of it.


So it's really a give-or-take. Now, even then, are you completely secure? No. Somebody could drive a car through the wall of your home. But you see what I mean? The more you're doing, the more security you're adding, the less convenience and, I guess, the less look there is for you.


Now, take that and apply it to the network, that same paradigm. When we're securing a network, we can't ever have it be completely, impenetrably secure, meaning that the more security we add the less functionality we're going to get. The only way to be truly secure from anything is to disconnect everything from the network.


And I'm talking externally-- no internet connections, no internal hosts on the network. It's to disassemble the network. Because what if you have that disgruntled employee that just wants to do damage from the inside of your network? Didn't think of that one.


So pretty much the only truly secure network is no network at all. So we have to have this multi-layer approach to where you use different pieces to guard different points in your network. And there's many different network walls. And I like this picture of the dog, because you can kind of think of it like a yard as well.


I mean, you have an initial perimeter security around your yard. Maybe you have a block wall or a wooden fence that protects the yard, and that keeps most people. Somebody is walking and they're like, oh, I see a tricycle in their backyard; I'd like to take it but there's a fence there.


I'd have to climb the fence. So the fence catches most people from stealing your tricycle in your back yard, but maybe you have a big, mean-- much meaner-looking than that dog in this picture-- dog in the back of your yard to where if somebody gets over the fence they've breached the first perimeter, which is very weak.


You have this bloodthirsty dog that's going to jump on them and do who knows what. So, in that sense, you have multiple layers of security in your yard. Now, take it to the network, and on the outside of the network we might have a hardware firewall.


Now, I know I've been advocating ISA Server-- hey, software firewalls are great; a lot of them are software firewalls, anyway-- but let me tell you something about hardware firewalls. They are very good at what they do. They are fantastic when it comes to packet filtering.


They are fantastic when it comes to moving packets in and out of the network at a very fast rate, because they have those-- remember the term-- ASICs, application-specific integrated circuitry, that allows them to do what they do very quickly. Now, unfortunately, with the new application layer filtering that's coming out, you can't create these ASICs for every kind of application.


It's very difficult to change hardware. That's why software updates become so easy to apply to adapt to new situations. So software firewalls start fitting into where you need to do the more advanced filtering, when you need a deeper packet inspection maybe on the inside of your network.


For instance-- let me grab my pen here-- let's say that we've got our network, which is seen as this big onion. On the outside, you have your hardware firewall that catches the big ones. It's like this fence. It's not very intelligent; it's just blocking some of the major ports that your worms commonly come in on.


And you need the high performance. Maybe you have the OC3 or OC192 connection, extremely high speed internet connection coming in, where you just need speed and some packet filtering that will not affect the performance of that internet connection. Now, once we get inside the network maybe you have the software firewall to where you now do deeper inspections.


And actually, let me clear that off there. Let's say inside of there you have multiple areas of your network. Maybe you have one major division right here, one major division here, and one here. You can put software firewalls at the border of each one of those, all of them terminating out that OC192 or high speed internet connection.


But they each have a software firewall that guards that area. Software firewalls aren't as fast, but they are very good at deep packet inspection, making sure nothing gets by that's not supposed to, since they can inspect up to the application layer.


And by the way, this excites me. For people that are like, oh, appliances-- you've got to have a firewall appliance and all this is the way to go-- well, Microsoft's been hearing that much longer than you or I have been hearing that. Since the original Proxy Server came out, I'm sure they've been hearing, appliances are better, better.


So with ISA Server 2004, they put the contract out there for manufacturers to create appliance-based ISA Server devices. And there's about 10 to 12 vendors out there. I just grabbed one of them right here. Take a look. This is the website of a company called Celestix, where they're talking about, right here, Microsoft Security and Acceleration, ISA.


And you come down and see a little bit about ISA Server 2004 and so on-- screenshots of what it looks like. And you'll see there's plenty. But right down here, look at this. I'm so excited. Celestix MSA appliances. These are actually pre-built ISA Server 2004 machines.


I mean, you've got, for instance, over here two auto-sensing gigabit ethernet ports, six 10/100 ports that are built in. This is your appliance, if you will, that runs ISA Server. Now, let me tell you a secret. It's nothing special-- nothing at all. You can build this.


And now, forgive me, I don't mean to pull back the curtain on Celestix, but all that really is is a computer. It's a server that's in a box with some switch ports installed into it, and that allows you to have this all-in-one device. But you can build it much cheaper-- psst- as long as you use high-quality equipment.


I mean, look at this-- meant to support T1, T3, OC3. I mean, it looks awesome, but there's many vendors that have things like this to answer the desire people have to buy this pre-made package. So when you're looking at software firewalls and appliances, that's really one of the things to keep in mind.


Now, where do host firewalls fit? Host firewalls are things that you install on individual PCs, meaning, for instance, the Windows XP firewall. Windows XP Service Pack 2 starts gearing your host to have an individual firewall. Most of the time that will be used on small home network environments, where you have computers directly connected.


Most administrators-- now I'm not going to say all, but most of them-- will not turn on personal firewalls or shareware or freeware firewalls on PCs within an organization, because that's what this multi-layer system is meant to protect from. Now, they may install virus protection to keep those machines virus-free, but they rely on the hardware and software.


And that's where the network firewall comes in. These are network firewalls instead of host-based firewalls that allow you to protect an organization. You can almost picture an organization growing. Two computers-- hey, we've got host-based individual firewalls; three computers, four.


Continue to grow, you buy a little Linksys box, and then from there you upgrade to some small different devices until finally you have a decent amount of computers and now you have dedicated ISA Server boxes and things of that nature. So this is what I mean when I'm talking about the onion.


I'm talking about a multi-layer approach to security where you limit each and every one of those layers. And as we get deeper into ISA Server design, we'll talk more about this. Well, now, let's go ahead and wrap things up by taking a look at the movements that Microsoft made, the evolution of their product, starting with Proxy Server and moving to ISA Server.


Now, the beginning, back in 1996, Microsoft introduced Microsoft Proxy Server 1.0, and all it was really designed to do was to try and compete with Netscape. I mean, this was back in the day when you had the huge Internet Explorer versus Netscape. Internet Explorer was the new kid on the block.


Everybody was Netscape. There was almost no question. Nowadays, quite the opposite, but this was designed to compete with a product from Netscape that, frankly, blew it out of the water. Proxy Server 1.0 was just kind of an introductory method that allowed you to cache web pages on a server.


For instance, everybody's going through a server. It's called a proxy server. It's caching web pages so you can save the bandwidth on your internet connection. This was a huge desire of every administrator, because think back to 1996. How fast were the internet connections?


I mean, if you're really lucky, maybe a T1 line, and that's breaking the bank for the company there. Internet connections were very slow and, most of the time, not as mandatory as they are nowadays. So in 1997, Microsoft got tired of being kicked around by Netscape, and they created Proxy Server 2.0.


And they added a huge missing feature from Proxy 1.0, and that's the array functionality. And they actually eclipsed Netscape at this point by adding an array functionality that included something known as CARP, which is Microsoft's proprietary caching protocol.


So now, you can combine multiple proxy servers as essentially one device. They back each other up. The redundancy is in place. There was no redundancy at all with 1.0. CARP-- it's not a fish; it's a protocol-- allowed the proxy servers to communicate with each other so that they wouldn't duplicate the cached content.


They would each store unique cache, and it would really allow you to load balance between those servers. It was really a great release. They also included FTP and HTTP caching, which before it only did web pages so only HTTP was supported. And this is when Microsoft began on their strategy to unify management.


Nowadays, we look back, and Microsoft admins can't live without the Microsoft Management Console. The MMC is where all of our administration tools take place. But this was actually one of the first products that used an MMC-like device. The only two products that used it back then was Proxy Server and Internet Information Services.


I think we were on version 4.0 back then, and they kind of shared that same interface. So Microsoft started running the pitch of, hey, you're running our web server, IS 4.0-- great web server-- and you can now partner that with Proxy Server in the same management interface.


It was a huge, huge selling point for those. Now, that stayed around for a long time, and that's actually where I really got into the scene was in Proxy Server 2.0. I started teaching classes on it back then. So I really caught the tail end of 1.0 and started working with it in Proxy Server 2.0, which really was a good product.


Now, once Microsoft made the move in the year 2000-- it was actually late 1999-- that they introduced ISIS server 2000, that's where I really got heavily involved with the product. That was actually the first book I ever wrote was on ISA Server 2000.


That product line was a revolutionary change that went silent in the industry. It's funny, because back then, when I wrote the book on ISA Server, it was released and I think for the first year it sold 60 copies. I mean, I kid you not-- 60 copies for a full year for a product.


I'm like, oh my word. I wrote this book and nobody's buying ISA Server. Nobody wants it. Because that was the era of hardware appliance security-- "firewalls have to be dedicated platforms" and so on. You've heard my digression on that. So nobody wanted ISA Server 2000.


As it started proving itself, time and time again, people started going, hey, this is a pretty good product. And what's funny is I'm selling more books now, in the year 2005, than I did back when this product came out for first full two years. The book is even selling more now, now that even ISA Server 2004 is out, than it did back then, just because it's finally gotten some traction and is starting to go.


One thing I didn't mention is they added features such as VPN, intrusion detection, email screening, and this is where you started seeing the application layer filtering taking place, was first in ISA Server 2000. The reason why this didn't gain much traction is everybody just thought it was the next Proxy Server version.


It's another caching server, is what people thought. If it was that, they would have called it Proxy Server 3.0. They totally redesigned the product and added a ton of firewall features, and that's when it became ISA Server. So just now is ISA Server 2000 gaining some traction, and right as it's gaining traction Microsoft came out with ISA Server 2004, which is amazing.


I'm telling you, ISA Server 2004 is like night and day from ISA Server. It's not one of those things where it's like, we've just added features. Well, we definitely have done that. I mean, it's a radical product compared to ISA Server 2000-- so a lot of new features, a lot more user-friendly interface.


You'll see the interface. You'll be like, wow, anybody could set this up-- for the basic features. As you get into the advanced features, like VPNs and so on, that's where you really need to understand how to do the different features of ISA Server 2004.


One thing I didn't mention, though-- this is what I was thinking at the beginning-- was Intel. I want to mention Intel. The reason why is because they have started coming out with chips for computers that allow them to do encryption offloaded from the processor.


I was thinking about appliances and I saw this VPN IDS and things like that. We have the ASICs that have been created to do that for a lot of the hardware-based VPNs and firewalls. Intel is now creating those chips-- hardware-based encryption and VPN processing-- for things like ISA Server.


So a lot of those advantages that were stuck in the appliance world only, Intel has begun moving into the software firewall system as well. Now, you could tell I kept it pretty light on Microsoft ISA Server 2004, and the reason why is because I don't want to give away too much thunder before we get into the product itself.


We'll have a whole section on the ISA Server 2004 capabilities, what it can do, what's new from ISA Server 2000, and so on. In this video, what my sole purpose was-- I have all these things, Microsoft evolution, and so on-- but my main goal in this was this one right here.


Microsoft as a firewall-- is this a joke? And I hopefully have done a decent job communicating that, no, it's not a joke. This is a solid firewall platform that is very, very viable in the industry today. So I just wanted to make sure that I communicated that.


Now, we talked about all eyes on the world of security, talked about why that is, and why it's going. It's only going to get worse, I guess, as time goes on, as more sophisticated attacking attempts come out. We looked at the network security onion, designing security in a layered approach.


More on that as we get into the design of ISA Server, but do know that there's no one all-in-one firewall product that's meant to take the whole network under its wing. Even hardware-based systems come up short. They need some software filtering at the application layer.


My brain just starts flying because I have a lot of experience in the Cisco world, and if you're looking to use Cisco for any decent filtering you have to purchase a server to run alongside it. For instance, there's a platform called Websense that can start doing internet filtering, filtering out certain websites, certain content, and so on.


So there's no one all-in-one solution to filtering for your network. There's a combination, where you move from hardware to software and so on. Then, finally, we took a look at the Microsoft firewall evolution, moving from the early Proxy Server 1.0 days to the point we're at now of ISA Server 2004.


I hope this has been informative for you, and I'd like to thank you for viewing.

ISA Server 2004 Features

The Ring Fight: ISA Server vs. The Competition

ISA Server 2004 Design and Installation

ISA Server is Installed... Now What?

Selecting the ISA Client Types

Building the ISA Network Infrastructure

Configuring Networks and Filling Your Firewall Toolbox

ISA Server 2004 As a Firewall

ISA Server 2004 As a Firewall, Part 2

ISA Server Publishing, Part 1

ISA Server Publishing, Part 2

Configuring ISA Server for VPNs

ISA Server's Caching Capabilities

Monitoring ISA Server

Introducing ISA Server 2004... Enterprise Edition

Please help us improve by sharing your feedback on training courses and videos. For customer service questions, please contact our support team. The views expressed in comments reflect those of the author and not of CBT Nuggets. We reserve the right to remove comments that do not adhere to our community standards.

comments powered by Disqus
11 hrs 16 videos

Training Features

Practice Exams
These practice tests help you review your knowledge and prepare you for exams.

Virtual Lab
Use a virtual environment to reinforce what you are learning and get hands-on experience.

Offline Training
Our iOS and Android mobile apps offer the ability to download videos and train anytime, anywhere offline.

Accountability Coaching
Develop and maintain a study plan with one-to-one assistance from coaches.

Supplemental Files
Files/materials that supplement the video training.

Speed Control
Play videos at a faster or slower pace.

Included in this course
Pick up where you left off watching a video.

Included in this course
Jot down information to refer back to at a later time.

Closed Captions
Follow what the trainers are saying with ease.
Jeremy Cioara
Nugget trainer since 2003