Earlier today I was asked “what is ISA Server?” – the person who asked me was completely non-technical and therefore I held off from answering “Internet Security and Acceleration Server – it’s an Application Layer Firewall with integrated Cache” as this would have made absolutely no sense.
I thought for a moment and came up with the following analogy – your constructive feedback is appreciated. If you have anaologies for other complex subjects I’d love to hear them.
Supermarkets in the UK rely upon distribution centres to store and make products available to stores. Typically there are a small number of distribution centres – each are huge. To keep things simple let’s assume that there’s a single distribution centre which holds all products required by the stores.
Goods (products) are loaded onto lorries (trucks) at the distribution centre and driven to stores where they are sold to the general public.
The distribution centre takes the form of a huge warehouse with in excess of twenty bays each of which can accommodate the rear end of a lorry. For loading purposes each lorry reverses into the bay.
This is not the case in reality but imagine that each bay held a single type of product and therefore each lorry would have to visit several bays to requisition the required combination of products.
Let’s say for example that bay twenty five held all of the stationary products. Imagine if the people loading the goods blindly filled the lorry with boxes of goods without reading the labels. If an alternative product was accidentally placed in the stationary bay then it would be loaded onto the lorry.
Now let’s think about how email works at a very simplistic level in terms of network traffic with respect to ISA.
Internet Security and Acceleration Server is a piece of software that can be loaded onto Windows Server. ISA is placed at the juncture of two or more networks. ISA’s firewall featureset enables the administrator to define and enforce rules specifying what network traffic can flow from one interface (network) to another. By default email will be transmitted from the client (perhaps Microsoft Outlook running on Windows) to the server (perhaps Microsoft Exchange Server). Server computers typically host multiple services each of which is assigned a unique port number – much like our distribution centre has bays. By default email is delivered to port 25 – just like stationary goes to bay 25.
ISA’s Application Layer Firewall featureset enables the administrator to define and enforce policy to allow requests from Microsoft Outlook on the client computer(s) to reach the Microsoft Exchange Server – without additional configuration ISA will deny ALL other traffic. This is like automatically opening EVERY box to check that it contains stationary BEFORE loading it onto the lorry.
A common form of network based attack is to rely upon the fact that the majority of firewalls DO NOT INSPECT the payload and therefore ALLOW traffic that is addressed to the Email Server (such as Exchange Server) THOUGH THEY include attack traffic rather than pure email.
ISA can be used to securely publish (make visible) many kinds of application including web traffic (Internet Information Server) and many kinds of Email including Outlook Web Access, full Outlook client and Exchange Server to Exchange Server.
CACHING simply means that ISA can be configured to keep a copy network traffic such that repeat requests are served from ISA and therefore the response is likely to be quicker and your bandwidth requirements are likely to be lower.
An example of ISA caching in action is as follows:
ISA is configured to cache HTTP (web) traffic from head office to your branch office. A memo is posted to a web site at head office and all staff are instructed to read the memo. ISA will retrieve the memo (from head office) when the first person attempts to read it. Subsequent requests from other staff will be served by the ISA Server’s cache.
Addendum: ISA Server software can be installed onto a multi-purpose computer OR it can be purchased as an “appliance” – an ISA appliance looks like a hardware device though it’s actually a custom built server containing a cut down version of Windows Server with ISA pre-installed.