Check Point wasn't able to acquire SourceFire, but in the end maybe the two companies will be together in any case.
Forbes reported that HP is going to invest massively in 2007 and that, among others, a potential target is Check Point.
This could be seen as an answer to the growing interest in security companies shown by IBM, which just acquired Internet Security Systems (ISS).
If this acquisition is confirmed I strongly doubt Check Point will be able to maintain its leadership in the firewall segment: HP could follow IBM's path and blend the Check Point offering with its customer-oriented services.
Also, HP is not known and trusted as a security provider by the general public. Changing the name Check Point VPN-1 to HP VPN-1 would hardly win the interest and trust of potential customers.
I would say this can't be worse than being acquired by Symantec of Borg, but I'm not sure.
Update: Globes offers another point of view, suggesting Check Point could be close to an acquisition or a merger with another company of the same size. Possibly the Nokia security division, which has been manufacturing appliances for Check Point VPN-1 for so many years.
Second update: In an interesting analysis, Seeking Alpha reports the firm intention of Check Point's CEO not to be acquired.
Thursday, August 31, 2006
Wednesday, August 30, 2006
The frightening return of Check Point CVP
Few Check Point customers remember or even know what Content Vectoring Protocol (CVP) is.
CVP, together with the URL Filtering Protocol (UFP), is the foundation of a very old technology embedded in Check Point VPN-1 and generally called Content Security.
Content Security was the company's first attempt at application inspection, securing the 3 most critical protocols of today's business over the Internet: HTTP, FTP and SMTP.
Content Security was already present when Check Point conquered big market shares with its Firewall-1 4.1 (aka 2000), more than 6 years ago, and can be considered the pioneer of modern application inspection. Or, if you prefer, the ancestor of today's Check Point Application Intelligence (AI) / Web Intelligence (WI).
This ancient technology, still present in recent VPN-1 versions, permits administrators to intercept and inspect application traffic through user-mode daemons and vectoring protocols (CVP and UFP, precisely).
Depending on the required analysis, HTTP, FTP and SMTP can be analyzed on the VPN-1 machine by user-mode daemons, or sent to a 3rd party Security Server through vectoring protocols.
Check Point developed around its Content Security a whole consortium called OPSEC (Open Platform for Security), which permitted partners to develop and integrate new Security Servers with FW-1 through a freely available SDK.
The capabilities of the user-mode daemons are very limited and Check Point itself suggests using a 3rd party Security Server.
At the beginning the number of partners offering UFP/CVP-compliant solutions was notable, including the biggest security players like Websense, TrendMicro, Symantec, etc.
But several factors contributed to reducing support for the OPSEC program over the years and, one after another, pushed existing solutions out of the market.
First of all, it was too early: the market wasn't really ready to embrace application inspection, still being busy with the massive adoption of antivirus and firewalls as the first line of defense.
Secondly, and most importantly, the performance of UFP/CVP solutions was simply indecent.
The way Content Security works with a 3rd party Security Server forces the inspected application session to travel back and forth through VPN-1, which acts like a proxy:
- Content Security is configured to do antivirus inspection of ongoing traffic with the help of a 3rd party antivirus Security Server
- a new FTP session starts from a client on the Internet that wants to reach a protected FTP server
- the client's request to send a new file triggers the Security Server daemon on VPN-1
- the incoming file is intercepted by the user-mode daemon, encapsulated in CVP and sent to the 3rd party antivirus (meanwhile the FTP session is on hold)
- the 3rd party antivirus checks and possibly disinfects the received file
- the 3rd party antivirus sends the disinfected file back to the firewall through CVP
- the disinfected file is decapsulated from CVP and finally sent to the FTP server
This scheme has a lot of problems and the most critical is obviously speed.
Since the birth of Content Security a large number of customers have complained about session time-outs, missing or compromised files, network segment congestion, etc.
And if you consider that it works not only with FTP but also with SMTP, you can understand the risks in its adoption.
I won't go any further exploring Content Security problems since you can figure them out for yourself. I will just say that, because of this performance, few customers in the world adopted the technology, preventing OPSEC partners from getting a return on the investment of producing a dedicated UFP/CVP solution.
So, simply, while it still exists, Content Security cannot be used anymore.
Until today.
Kaspersky, which is having great success these days with the inclusion of its engine in the new AOL offering, just launched a version of its Anti-Virus 5.5 for Check Point VPN-1 (still called Firewall-1, which is a deprecated name), which interacts with CVP.
The funny thing is that the official announcement states:
The advanced scalability of the solution makes it eminently suitable for use in the largest organizations that see heavy traffic loads. The system administrator can choose to run multiple copies of the antivirus engine and multiple CVP servers for processing requests from the firewall to meet peaks in traffic volumes. Moreover, the solution is optimized for use on the Intel Xeon platform.
If you really decide to adopt this solution, demand a very extensive and assisted pilot on real-world traffic. Otherwise you'll discover Content Security's performance too late.
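The hold described in the FTP walk-through above, and the announcement's suggestion to run multiple copies of the antivirus engine, can be explored with a small queueing model before a pilot. This is an added example, not code from Check Point, Kaspersky or the original post; the link speed, scan rate, idle timeout and file sizes are constructed assumptions, and it models only timing, not the CVP wire protocol.

```python
"""Timing model of the store-and-forward content vectoring flow (added example).

Every number used here (link speed, scan rate, timeout, file sizes) is a
constructed assumption, not a measurement of VPN-1 or of any CVP server.
The firewall-to-antivirus link is treated as uncontended, so the results
are an optimistic lower bound on the real hold time.
"""
import heapq
from dataclasses import dataclass


@dataclass
class Upload:
    name: str
    buffered_at_s: float  # when the firewall daemon holds the complete file
    size_mb: float


def simulate(uploads, cvp_link_mbps, scan_mb_per_s, scanners, idle_timeout_s):
    """Return {name: (hold_seconds, timed_out)} for each upload.

    The hold is the time the FTP session spends waiting while the file goes
    firewall -> antivirus server, waits for a free scanner, is scanned, and
    comes back antivirus server -> firewall. No data reaches the destination
    during the hold, so it is compared with the session idle timeout.
    """
    def transfer_s(up):
        return up.size_mb * 8 / cvp_link_mbps

    # Scanners serve files in the order they reach the antivirus server.
    queue = sorted(uploads, key=lambda u: u.buffered_at_s + transfer_s(u))
    free_at = [0.0] * scanners  # min-heap: when each scanner is next free
    heapq.heapify(free_at)

    results = {}
    for up in queue:
        at_av = up.buffered_at_s + transfer_s(up)
        scan_start = max(at_av, heapq.heappop(free_at))
        scan_end = scan_start + up.size_mb / scan_mb_per_s
        heapq.heappush(free_at, scan_end)
        hold = scan_end + transfer_s(up) - up.buffered_at_s
        results[up.name] = (round(hold, 1), hold > idle_timeout_s)
    return results


def timed_out(results):
    """Names of the uploads whose hold exceeded the idle timeout."""
    return sorted(name for name, (_, late) in results.items() if late)


# Constructed sample traffic: a burst of four 100 MB files one second apart,
# and a single 400 MB file.
BURST = [Upload(f"f{i}", float(i), 100.0) for i in range(4)]
BIG = [Upload("iso", 0.0, 400.0)]
LINK_MBPS, SCAN_MB_S, TIMEOUT_S = 100.0, 5.0, 60.0  # assumed values

if __name__ == "__main__":
    cases = (("burst, 1 scanner", BURST, 1),
             ("burst, 2 scanners", BURST, 2),
             ("big file, 8 scanners", BIG, 8))
    for label, uploads, n in cases:
        res = simulate(uploads, LINK_MBPS, SCAN_MB_S, n, TIMEOUT_S)
        print(f"{label}: {res} timed out: {timed_out(res)}")
```

Under these assumptions a second scanner removes the queueing delay in the burst case, while the single large file still exceeds the timeout because its hold is dominated by its own transfer and scan time.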
Tuesday, August 29, 2006
Security Engineering from Wiley available online for free
Did you read the free TCP/IP Guide from No Starch Press as I suggested?
If so, it's time to approach security topics more directly. And you are lucky.
Wiley authorized the online publishing of the whole 640-page book: Security Engineering: A Guide to Building Dependable Distributed Systems by Ross J. Anderson. For free.
Even if this book was published at the beginning of 2001, it's one of the best tomes ever published and still represents a fundamental part of every security professional's bookshelf.
Thanks to TaoSecurity for the news.
Saturday, August 26, 2006
Free rootkit scanners
The antivirus vendor Sophos released a free anti-rootkit tool for Windows.
It only permits scanning the system and removing malware.
To get prevention you need to buy Sophos Antivirus.
Sophos Anti-Rootkit is not the only free scanning tool in its category. There are a couple of famous competitors:
Both only detect malware, using similar techniques, and both could be merged into future releases of Microsoft Windows Defender: Rootkit Revealer was developed by Mark Russinovich, who just moved back to Microsoft as Technical Fellow.
Apart from them, a horde of similar tools is rising and most of them are free. Antirootkit.com has a very complete list.
Friday, August 25, 2006
IBM acquires Internet Security Systems
As almost every security portal has already reported, IBM is acquiring Internet Security Systems (ISS).
As the official announcement reports, ISS services will be integrated into IBM Global Technology Services while ISS products will be blended into the Tivoli portfolio.
This essentially means that the network intrusion detection system RealSecure is out of the market.
At this point customers looking for a NIDS have fewer choices than ever, with only Enterasys Dragon IDS, Snort and Cisco ASA (which now integrates the previously stand-alone Cisco Secure IDS) available among the main players.
I would not consider ASA a viable choice since, in Cisco's opinion, a customer wanting a network IDS is obliged to also buy a firewall/VPN concentrator/antivirus.
So just 2 real options remain: one, Dragon, is highly expensive; the other, Snort, is open source and free.
It's worth remembering that earlier this year Check Point tried to acquire SourceFire, the company founded by Snort's creator, which offers commercial-grade versions of the product, but was stopped by the US government.
So the overall scenario implies 2 things:
- Snort could be a desirable acquisition for many other companies after Check Point (including Microsoft, if only someone at Redmond decided to seriously enter the enterprise security market)
- there is enough room for a new competitor (if only security vendors would stop pretending that intrusion prevention systems have any value and that customers want them)
This new competitor will not be Symantec for sure, which had its opportunity to lead the NIDS segment after the acquisition of ManHunt from Recourse Technologies in 2002 but never integrated the product in a decent way (like the large majority of its acquired technologies).
Monday, August 21, 2006
Microsoft opens WSUS 3.0 beta 2 program
Microsoft is preparing to release the latest generation of its much appreciated Windows Server Update Services (WSUS), opening beta 2 to the whole public.
The most notable enhancements are an overhauled reporting system, the adoption of an MMC console instead of the traditional web console, and finally a more user-friendly database clean-up system.
Microsoft, which will offer WSUS 3.0 in both 32-bit and 64-bit versions, has also released a useful guide: Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0.
Check an extensive screenshot gallery or enroll in the beta here.
And do not forget to follow the Microsoft WSUS Product Team blog here.
Update: At the same time Microsoft is preparing to discontinue update services for WSUS 1.0, which was called SUS more than 3 years ago. December 6th will mark its End of Life.
Friday, August 18, 2006
Presentation: Solaris 10 Security
Glenn Brunette, the man behind Sun Solaris security and the one who created the hardening tool JASS, posted a great presentation on Solaris 10 security, including improvements made with Update 1 and 2.
Among others there are slides about:
- Kerberos enhancements
- SSH enhancements
- Process privileges model
- Solaris Containers (aka Zones) security
- Basic Auditing and Reporting Tool (BART)
- Cryptographic framework architecture
Download it here.
Monday, August 14, 2006
Free parental control tools
Parental control is the name we typically use for the act of filtering kids' interaction with several Internet sources of data. The same action in the business world is called content filtering.
Both names involve the concept of censorship while trying to defend certain interests.
I already briefly covered content filtering when considering Google's release of such a tool sooner or later.
I don't have kids, but several times I have found myself wondering whether IT offers free products to help the millions of parents who have decided to protect their children in this way.
In this blog I don't want to judge the approach (but if you care to know, I quietly admit I would use such tools for my children), only the technical solutions.
After a significant search I learned there are very few, and poor, alternatives.
I think the biggest issue in this case is the complexity of the solution, since parental control software can be used by individuals of any level of technical knowledge. The second issue is the size of the categorizing database, which determines the efficacy of the tool, at least for the URL filtering part.
Given these two criteria, what I found available for free seems very poor:
DansGuardian
Considered the best in its category, it's an open source project working on most Linux distributions.
DansGuardian is distributed as a standard installation package and there is no liveCD format, which misses the very first criterion I listed above.
The good news is that it supports the free URLblacklist.com categorizing database.
CensorNet
This seems a very good alternative to DansGuardian, still based on Linux but relatively easier to install since it formats a dedicated machine and installs the whole operating system.
But while you can manually set up which sites are blocked for free (which makes it almost impossible to make the tool effective), you have to pay if you want access to an already populated categorizing database.
Naomi
A very interesting Italian alternative for Windows, able to block undesirable sites not with a categorizing database but with heuristic filters.
Unluckily the project has just been declared dead since the developer has no more spare time.
K9 Web Protection
For Windows. This one is the free version of a business-grade content filtering tool, claiming to have the largest and most accurate categorizing database.
We-Blocker
For Windows. It relies on a categorizing database where the We-Blocker community submits new sites and the tool's developers audit requests before populating the database.
The company survives by charging for on-demand support, which seems to work since the product has been around since 1999.
As I said, a very poor horizon, and sincerely I'm very surprised to see the community dedicate so little attention to this problem.
Luckily a new big player is arriving: Microsoft announced the upcoming Windows Live Family Safety (another reason why Google could make the same move). If you are interested you had better add yourself to the waiting list.
If you don't have time to wait for Microsoft and you still have to deal with the complexity of the above solutions, virtualization can probably help.
The recent VMware Ultimate Virtual Appliance Challenge produced several ready-to-run virtual machines with preloaded content filtering tools:
None of them comes near the requirements of simplicity and completeness I think should be reached, but they are alternatives to contemplate while waiting for a better product.
Thursday, August 10, 2006
Spammers started harvesting social networks
The increased popularity of social networks has already attracted spammers, who look for new methods to harvest email addresses every day.
I have personally used LinkedIn for a long time and in the last two weeks I noted a new behavior.
Contacts with a name and surname whose first letter is in lowercase, a Google Gmail address, and a standard introductory message (this last one is pretty normal) are inviting me to their network:

Their profiles claim an HR role in the IT industry (usually a recruiter, which highly raises the chance someone would add you to their network) and are full of previous company positions (all without capitalization) without any description, all lasting 1 year:

It seems evident they are generated by software.
At the time of writing, the last fake contact that invited me had already collected 171 contacts in his network, which means he harvested 171 email addresses.
At this point the spammer has 2 possibilities: use the collected email addresses in the usual way, or use a new LinkedIn feature which permits a user to automatically send an email to all his contacts every time he changes his profile.
Granted, the second method would lead to an immediate ban of the account, but it is more effective since the unsolicited message would come in the form of a LinkedIn update notice and all users would pay great attention to it.
The frequency of invitations from these fake contacts is increasing and, unless LinkedIn acts in some way, I expect an explosion soon.
I have no idea what's happening on other similar platforms.
A just-released report from ScanSafe seems to confirm the rising interest in social networking.
Tuesday, August 08, 2006
AOL releases free antivirus but violates privacy
Claiming antivirus is something too important to ask customers to pay for (good one!), AOL released a new product, based on the Kaspersky engine (award-winning and certified by ICSA Labs), for free: Active Virus Shield.
Only 3 other antivirus products are available for free on Windows today: AntiVir Personal, the open source ClamWin and Grisoft AVG.
In February Virus.gr published a massive comparison of 50 antivirus programs, including Kaspersky and these free tools. Kaspersky was in first position.
The engine sports commercial-class features including:
- 2 hours vaccine delivery time
- on-demand and scheduled scanning
- real-time protection
- POP/SMTP/IMAP email accounts and newsgroups scanning
- ZIP/ARJ/CAB/RAR/LHA archive files scanning
- scheduled updates
- priority thread execution depending on computer activity
Someone could think: too good to be true.
And in fact AOL asks us for something in exchange: not just the email address needed to download the package but also a lot more personal information, including credit card use and general behaviour patterns.
Put in simpler terms, AOL is providing a free antivirus and wants to profile us in return. Definitely less elegantly than Google does.
The not so visible EULA also reveals the unexpected possibility of advertising suddenly being injected into the product:
Information Collection.
Your APS Product information consists of personally identifiable information collected or received about you when you interact with the Software and its related features. Your APS Product information may include registration-related information (such as your e-mail addresses); information about how you use the Software, as well as your responses to offerings and advertisements presented through the Software; transaction-related information (such as credit card or other preferred means of payment, billing or shipping information); customer service information; and technical and diagnostic information gathered or received from the Software. Your APS Product information may be supplemented with additional information, including publicly-available information and information from other companies.
I'm comfortable with the idea of an ad-supported free antivirus, but I think customers have the right to know from the beginning whether any ad will appear in the program they are downloading.
I'm not so comfortable, instead, with the idea of permitting a company to profile my actions on my computer outside the interaction with its products or services.
Antivirus is something too important to ask customers to pay for, huh? Too bad this comes after the terrible security breach AOL had with its customers' data.
Update: It seems I'm not the only one concerned about the AOL EULA. Obviously.
Wednesday, August 02, 2006
Release: Microsoft ISA Server 2006 and Best Practices Analyzer
After a very short beta program Microsoft silently published the new version of its enterprise firewall: ISA Server 2006 (both Standard and Enterprise versions).
As I said before, and as everybody can notice, despite the name this release is anything but a major update.
The new version has been submitted to Common Criteria aiming to obtain EAL4+ certification, like ISA Server 2004 already did.
The Tracking Microsoft ISA Server versions post has been updated accordingly.
At the same time Microsoft also updated the ISA Server Best Practices Analyzer, a tool able to scan the system and the firewall installation and report typical misconfiguration issues.
The tool is good for a very superficial analysis of the installation, but don't expect it to help find firewall configuration errors (like rule order, object definitions, etc.).
Download it here.
Now that the product is out we can finally concentrate on the ISA Server 2007 (tentative name) release, which is planned for H2 2007 and expected to be much more competitive than the current version: built on the new Windows codename Longhorn stack, adding the missing enterprise-class features and incorporating SSL VPN capabilities obtained through the Whale Communications acquisition.
Below is the list of new features:
- Increase security and deployment flexibility for Web application servers through enhanced multifactor authentication (smartcards, one-time passwords), flexible integration with Active Directory (Lightweight Directory Access Protocol), and customizable forms-based authentication for almost any Web application and client device
- Easily integrate ISA Server with your existing authentication infrastructure through enhanced authentication delegation (including NTLM, Kerberos, and SecurID), and gain more access control with improved session management that detects non-user traffic through automatic idle-based timeouts
- Maintain secure branch office infrastructure using Background Intelligent Transfer Service (BITS) caching to accelerate the deployment of software updates and keep remote computers protected
- Help defend your network with enhanced flood resiliency features for event handling and monitoring that provide better resistance to denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks
- Mitigate the effects infected machines have on your network with enhanced worm resiliency through simplified client IP alert pooling and connection quotas
- Enhanced attack remediation through comprehensive alert triggers and responses can quickly notify administrators of network problems
- Simplify the process of securely publishing Exchange, Windows SharePoint Services, and other Web servers with automated wizards for multiple sites and enhanced certificate administration to avoid configuration errors
- Web publishing load balancing makes it easy to deploy entire farms of Web servers behind ISA Server deployments using session- and IP-based affinity with automatic out-of-service detection
- Easily deploy and configure ISA Servers in branch offices by using answer files on removable media for unattended installation and with automated virtual private network (VPN) wizards to streamline connectivity
- Manage remote ISA Servers more effectively with faster propagation of enterprise policies, reduced server requirements, and low-bandwidth optimizations
- Log throttling and control of memory consumption and pending Domain Name System (DNS) queries provides enhanced resource control
- Unify management and monitoring across your ISA Server infrastructure with the Management Pack for Operations Manager 2005, and use enterprise- and array-level policies to easily control security and access rules across your organization
- Enable a smoother user experience for published Web applications, document libraries, and content through single sign on and comprehensive link translation to help ensure secure and consistent access
- Improve Web page load times and reduce WAN costs for users in branch offices with HTTP traffic compression and caching
- Help ensure that the highest priority applications get precedence over other network traffic through DiffServ IP settings, providing better bandwidth utilization and response times for critical Web resources
As I said before, and as everybody can notice, despite the name, this release is anything but a major update.
The new version has been submitted to Common Criteria aiming to obtain EAL4+ certification, like ISA Server 2004 already did.
The Tracking Microsoft ISA Server versions post has been updated accordingly.
At the same time Microsoft also updated the ISA Server Best Practices Analyzer, a tool able to scan the system and the firewall installation and report typical misconfiguration issues.
The tool is good for a very superficial analysis of the installation, but don't expect it to help find firewall configuration errors (like rule order, object definitions, etc.).
Download it here.
Now that the product is out, we can finally concentrate on the ISA Server 2007 (tentative name) release, which is planned for H2 2007 and expected to be much more competitive than the current version: built on the new Windows codename Longhorn stack, adding the missing enterprise-class features and incorporating the SSL VPN capabilities obtained through the Whale Communications acquisition.