People ask whether putting an edge firewall on a Windows computer is a good idea.
When the Trustworthy Computing initiative started in 2003, we realized that to ship a security product from Microsoft, we had to establish credibility. So the ISA team made sure to invest all of the needed resources and to fully implement SDL, the Microsoft Security Development Lifecycle process.
I was hired by the company to drive this process in 2003. This is what we implemented across the 2004 and 2006 releases of ISA Server:
1. Threat Modeling – Together with subject matter security experts we performed a security design review for each component to identify design weaknesses, evaluate security architecture, identify threats to be tested and ensure that default settings are secure.
2. Manual and automatic code reviews – We ensure that all code undergoes human code review and that every issue detected by static code analysis tools, such as PREfast, is fixed, so that the classes of defects those tools can detect are removed before the code ships.
3. Third-party penetration testing (pen-testing) – We employed the services of the best pen-test companies in the industry to perform security audits and penetration testing of the product.
4. Pen-testing and fuzzing – Our internal pen-test team tested every component for security vulnerabilities, especially buffer overruns. To facilitate this work the ISA Server team developed the FuzzGuru fuzzing framework, which was later adopted by many other teams in Microsoft and is used to look for buffer overruns and access violations.
5. Monitoring public security research – We track security research in areas relevant to ISA Server: HTTP, VPN, PKI, proxies, firewalls, etc. I personally spend hours reading mailing lists such as Bugtraq and DailyDave, and reviewing security research papers from DEF CON, Black Hat, USENIX and other conferences. I regularly monitor CVE entries for vulnerabilities in other products and, for each of them, evaluate whether it, or a similar one, may affect ISA Server.
6. We review the user interface and product documentation to ensure they clearly provide security best practices.
7. We regularly ship service packs for shipped products that fix the security vulnerabilities we find in them with pen-testing methodologies and tools that emerged since the previous release.
A search on http://www.microsoft.com/technet/security/current.aspx shows the benefits of this process: as of this writing, you would not see any bulletins for ISA Server 2004 or ISA Server 2006. Of course, this doesn’t guarantee there won’t be any, as breakthroughs in penetration testing methodologies may surface issues in the future. Naturally, if any are found, the MSRC will do what we always do: investigate the issue fully and take appropriate steps to protect customers.
One could say that ISA Server security is determined not by ISA Server alone, but also by the platform it runs on, the Windows Server operating system, for which security bulletins ship monthly. This is true, so we invest in hardening and locking down the OS by disabling services with a large attack surface (e.g. the Server service) and by having a tight inbound and outbound firewall system policy, which blocks or restricts the majority of the protocols through which the OS could be attacked.
So putting a Windows-based ISA Server on the edge is a great way to secure your networks!
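The two hardening steps above, disabling the Server service and applying a default-deny host firewall policy, can be reproduced on a plain Windows Server host. The script below is an added example written for this page; it is not ISA Server's own system policy (ISA applied that policy itself on Windows Server 2003, which has none of these cmdlets). It assumes Windows Server 2012 or later with the NetSecurity module, an elevated session, and a management subnet of 10.0.0.0/24 and resolver 10.0.0.53, both of which are made-up addresses for illustration.

```powershell
# Added example: host hardening in the spirit of the ISA Server system policy.
# Assumes Windows Server 2012+ (NetSecurity module), run from an elevated session.
# 10.0.0.0/24 (management subnet) and 10.0.0.53 (resolver) are assumed values.

# 1. Allow-list rules first, so a remote administrator is not cut off when the
#    default action is flipped to Block in step 3.
#    Inbound: RDP only from the management subnet.
New-NetFirewallRule -DisplayName 'Edge-Allow-RDP-Mgmt' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/24 -Action Allow
#    Outbound: DNS to the internal resolver and HTTPS (updates) only.
New-NetFirewallRule -DisplayName 'Edge-Allow-DNS-Out' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress 10.0.0.53 -Action Allow
New-NetFirewallRule -DisplayName 'Edge-Allow-HTTPS-Out' -Direction Outbound `
    -Protocol TCP -RemotePort 443 -Action Allow

# 2. Disable the Server service (LanmanServer). SMB file sharing is not needed
#    on an edge firewall and has historically been a large attack surface.
#    Caveat: this also removes the administrative shares (C$, ADMIN$); manage
#    the host over the RDP rule above or an out-of-band interface instead.
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled

# 3. Default-deny in both directions on every profile; everything not matched
#    by the explicit allow rules above is now dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 4. Verify. The SMB ports should no longer have a listener; 139 can remain
#    until NetBIOS over TCP/IP is disabled on the adapter, so anything that
#    still appears here needs an explanation.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Map every remaining listener to its process so each one can be justified;
# an unexplained port here is attack surface the policy has not covered yet.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        [pscustomobject]@{
            Port    = $_.LocalPort
            Process = (Get-Process -Id $_.OwningProcess).ProcessName
        }
    }
```

The ordering is the point of the design: allow rules are created before the default action is changed, and the verification step runs after the service is stopped, so the script can be re-run safely on an already hardened host and still report any listener that has crept back in.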
Lead Program Manager
Forefront Edge Server