Microsoft plugs ISA Server hole
XML add-on to get official premiere this week.
By John Fontana, Network World | Network World US | Published: 00:00, 24 May 2004
Microsoft will plug a major gap in its perimeter security software by integrating a partner's XML filtering and acceleration technology into its firewall and caching server this week. The end result will be to let corporate users secure the flow of Web services traffic.
Microsoft plans to showcase XML upgrades to Internet Security and Acceleration (ISA) Server 2004 at its 11th annual Tech Ed conference in San Diego. ISA is an application-layer firewall, VPN and caching server.
The XML component is XWall, a Web services firewall from Forum Systems. It is integrated into the ISA Server Console and inspects XML messages to authenticate data, validate schema and check for malicious content.
The integration should secure XML-based Web services. Previously, the absence of an XML firewall had drawn criticism from users and analysts. In ISA 2000 (released in 2001), Microsoft provided only an Internet Server API (ISAPI) filter for validating XML messages.
"This has been one shortcoming of the product," says Peter Pawlak, an analyst with Directions on Microsoft. "Web services is like calling a function, so you have to look at the messages through careful inspection. You have to ensure the messages are well-formed XML, that they adhere to current parameters and do not have any malicious code injected."
In addition to packet inspection, the Forum XWall for ISA Server 2004 is expected to accelerate XML traffic, which is very CPU-intensive to process because each message must be opened and parsed. XWall for ISA Server 2004 provides data-level authentication, schema validation, XML intrusion prevention and support for the WS-I Basic Profile, a set of guidelines to ensure interoperability across disparate products. "The 2000 version of ISA was a red-headed stepchild, but ISA 2004 should be ready for prime time," says Wes Swenson, CEO of Forum.
XML support is just one addition to ISA Server 2004. Celestix Networks will introduce a firewall, caching and VPN appliance based on ISA Server 2004. Avanade, a systems integrator formed by a joint partnership in 2000 between Accenture and Microsoft, will introduce VPN Quarantine for ISA Server 2004, which assesses the configuration of a client system before it can connect to the network.
Windows Server 2003 and ISA Server 2004 provide rudimentary quarantine technology that lacks assessment capabilities, according to Craig Nelson, systems engineer for Avanade. VPN Quarantine will provide those capabilities and add an administrative interface for setting rules and policies.
Security will be a main theme at Tech Ed. Also on the docket is a preview of management software, including System Center 2005, patching tools such as Windows Update Services, and other forthcoming products such as SQL Server 2005 and Visual Studio 2005. Microsoft also plans to release Service Pack 1 for Exchange Server 2003.
But Longhorn, which was the main area of focus earlier this month at the Windows Hardware Engineering Conference, will not make an appearance. "TechEd is where we start to make things real and people can get their hands on the technology," says Harley Sipner, senior product manager for the Windows Server System at Microsoft.