RealTime IT News

Microsoft Bows First Security Product

One day after its rah-rah press showing for the new XP operating system, Microsoft Corp. followed up with a company first Wednesday -- a foray into security.

After more than three years in the shop, the giant debuted its firewall and Web cache product, Internet Security and Acceleration (ISA) Server, as part of its Microsoft .NET Enterprise Servers platform.

Like many firewall products, ISA offers protection of the network from unauthorized access, defense from external attacks, the ability to inspect incoming and outgoing network traffic to ensure security and the ability to alert administrators to suspicious activity. In other words, it offers mission critical functionality if Microsoft is to ever succeed with its .NET strategy.

So, how does it work?

Hong Kong-based online broker Celestial Asia Securities Holdings Limited (CASH) opted to beta test Microsoft's first security product to protect its 70,000 clients and found it better suited their needs than products from Cisco Systems Inc. and Check Point. And it seemed to be easier to use.

"We reviewed several firewall products, but ISA Server was the only one that was easy to manage..." said Michael Wong, head of information technology at CASH.

ISA has also apparently passed the 90- to 120-day ICSA Labs firewall certification test, a gateway requirement for firms looking for a firewall, with flying colors; the firewall product only took about a month to complete the test.

But is the picture for the product release as rosy because of its "easy to manage" reputation as Microsoft's research suggests? One security expert, Wayne Pierce, director of service development for Cambridge, Mass.-based Athena Security Inc., isn't so sure.

Pierce said that while Microsoft's beta testers and sources seem to be pleased with the ISA product, he said how easy it is to use may actually be a reason for concern.

"They look like they've adapted it from their proxy server, which is fine," Pierce said. "They're pitching it as it's the Windows interface and that it's nice and easy to use. But it could also be easy for whoever is setting it up to make mistakes because people don't always know about default settings. You could put it up and protection could still be there, but if you leave the default settings, the passwords might be accessible."

Along those lines, Pierce said integration is also a concern. Too many items, such as using Word to create a rule base, or Internet Explorer to use the logs, may make ISA more susceptible to attack.

"It's a question of how tightly they are going to integrate it; how easy will it be for [IT people] to shoot themselves in the foot," Pierce said.

While the ICSA test is certainly no cinch, Pierce said a more convincing standard might be the "common criteria," an open, international standard that has its roots in Australia and offices around the world.

"They would need to pass the common criteria standard if they wanted to sell [ISA] to the government down the road," Pierce said.

Still, Pierce said ISA's pricing, at $1,499 for a standard edition and $5,999 for an enterprise edition, is reasonable.

Microsoft needs such support for its software-as-a-service .NET platform, for which the company plans to shell out $200 million in advertising.

*Clint Boulton is Associate Editor, Product News, for Internetnews.com, a property of Internet.com.