Microsoft Bows First Security Product

One day after its rah-rah press showing for the new XP operating system,
Microsoft Corp. followed up with a company first Wednesday — a foray
into security.

After more than three years in the shop, the giant debuted its firewall and
Web cache product, Internet Security and Acceleration (ISA) Server, as part
of its Microsoft .NET Enterprise Servers platform.

Like many firewall products, ISA offers protection of the network from
unauthorized access, defense from external attacks, the ability to inspect
incoming and outgoing network traffic to ensure security and the ability to
alert administrators to suspicious activity. In other words, it offers mission-critical functionality if Microsoft is ever to succeed with its .NET strategy.

So, how does it work?

Hong Kong-based online broker Celestial Asia Securities Holdings Limited
(CASH) opted to beta test Microsoft’s first security product to protect its
70,000 clients and found it better suited their needs than products
from Cisco Systems Inc. and Check Point. And it seemed to be easier to use.

“We reviewed several firewall products, but ISA Server was the only one that
was easy to manage…” said Michael Wong, head of information technology at

ISA has also apparently passed the 90- to 120-day ICSA Labs firewall
certification test, a gateway requirement for firms looking for a firewall,
with flying colors; the firewall product only took about a month to complete
the test.

But is the picture for the product release as rosy because of its “easy to
manage” reputation as Microsoft’s research suggests? One security expert,
Wayne Pierce, director of service development for Cambridge, Mass.-based
Athena Security Inc., isn’t so sure.

Pierce said that while Microsoft’s beta testers and sources seem to be
pleased with the ISA product, how easy it is to use may actually be
a reason for concern.

“They look like they’ve adapted it from their proxy server, which is fine,”
Pierce said. “They’re pitching it as it’s the Windows interface and that
it’s nice and easy to use. But it could also be easy for whoever is setting
it up to make mistakes because people don’t always know about default
settings. You could put it up and protection could still be there, but if
you leave the default settings, the passwords might be accessible.”

Along those lines, Pierce said integration is also a concern. Too many
items, such as using Word to create a rule base, or Internet Explorer to use
the logs, may make ISA more susceptible to attack.

“It’s a question of how tightly they are going to integrate it; how easy
will it be for [IT people] to shoot themselves in the foot,” Pierce said.

While the ICSA test is certainly no cinch, Pierce said a more
convincing standard might be the “common criteria,” an open, international
standard that has its roots in Australia and offices around the world.

“They would need to pass the common criteria standard if they wanted to sell
[ISA] to the government down the road,” Pierce said.

Still, Pierce said ISA’s pricing, at $1,499 for a standard edition and
$5,999 for an enterprise edition, is reasonable.

Microsoft needs such support for its software-as-a-service .NET platform,
for which the company plans to shell out $200 million in advertising.

A public relations representative from Waggener Edstrom said Microsoft would be available for comment late Wednesday or early Thursday morning.
