If you're a large organisation looking for a firewall/VPN solution that can be scaled to handle thousands of users with central monitoring and management, then the Enterprise Edition has a fair bit extra to offer.
In terms of features, such as its firewall, VPN and other security functions, there's not much new in the recently released Enterprise Edition of Microsoft's Internet Security & Acceleration (ISA) Server 2004. Indeed, there are no real differences in functionality compared to the Standard Edition introduced last year.
However, the Standard Edition is limited to servers with just four processors, a limit that's removed entirely with the Enterprise Edition. There's also support for Windows Network Load Balancing (NLB) and the Cache Array Routing Protocol (CARP), enabling multi-server firewall arrays to be constructed with up to 32 nodes.
Nor do you have to apply security rules on a per-firewall basis, as you do with the Standard Edition: a central repository for security policies allows them to be automatically enforced across all ISA firewalls in the company. It's also possible to manage arrays as single entities from a new central management console included as a key part of the Enterprise Edition package.
Security policies defined using the Enterprise Edition are stored using Active Directory Application Mode (ADAM), an independent LDAP directory that runs as a non-operating-system service on Windows Server 2003. This is used instead of Active Directory itself (as in ISA Server 2000 Enterprise) to effectively ring-fence the main network directory while, at the same time, enabling ISA firewalls to be deployed on workgroup hosts for even greater security. Even so, the same replication services are provided as with Active Directory, and you can easily deploy two or more local Storage Configuration servers for redundancy, with additional replicas in branch offices to preserve functionality in the event of a connectivity failure.
The same security
In terms of its security features, ISA Server 2004 compares well against competing offerings from Check Point and others, and the software was warmly welcomed by many when the Standard Edition launched in July 2004. Application filtering, in particular, is an important enhancement compared to the 2000 release, along with VPN quarantining and automatic protection for a wide range of Microsoft applications such as Exchange and SharePoint Servers and Outlook Web Access.
Equally welcome was the redesign of the user interface with a visual policy editor, new network templates and a clutch of additional setup wizards. These turn what, in ISA Server 2000, can be a nightmarish deployment into a much more user-friendly solution, and the same GUI is applied in the Enterprise Edition. Moreover, the enhancements are carried over into the extensions required to build and manage enterprise firewall arrays.
What's it like?
Unfortunately it's not that easy to test this kind of product in the labs, and in real life a lot of careful planning and lengthy reading will be required before you get anywhere near cranking up a production system. However, we had few problems putting a firewall array together and were impressed both by the new wizards provided and the amount of support information available to help ease the process. Installation proved to be a breeze and we were taken through each step required to configure an array with hand-holding all the way. So Microsoft's software compares favourably with other enterprise security products we've looked at in terms of ease of use and should cause few problems for most security specialists.
On the downside, ISA Server has always been an expensive solution, and the latest Enterprise Edition is no exception. Not only does it cost several thousand pounds for each per-processor licence (exact cost depends on your licensing agreement) but, unlike the Standard Edition, the Enterprise software can't be deployed on Windows 2000 either. That's because it builds on technologies, such as ADAM, which are dependent on Windows Server 2003, requiring the latest OS plus well-specified host hardware in order to operate. All this can add significantly to deployment costs.
It's also not possible to integrate Standard Edition firewalls into Enterprise arrays or manage them through the central console. The two versions can be operated side by side, together with older implementations if required, but a full network-wide upgrade will be required to get the full benefit of the new software.
Finally, it's worth noting that anti-virus, anti-spam and other content filtering tools aren't included with any version of ISA Server. However, there is a thriving third-party market offering such add-ons, and it's possible to buy security appliances based on the Microsoft software from Network Engines and others.
Again there are cost implications but, for companies already using ISA Server, this latest implementation is worth looking at both for the additional security it has to offer and its ease of use. Whether the same applies to other alternatives is open to debate but, at the very least, it gives enterprise buyers another product to consider.
It's important to understand the positioning of the Enterprise Edition of ISA Server 2004 as a high-end security solution for very large networks. Smaller companies could benefit from the extra scalability and centralised management facilities provided, but the cost compared to both the Standard Edition and alternative solutions is high. It's also very much a Windows solution, and some companies may prefer alternatives based on, arguably, more secure hardware/software platforms.