A couple of months ago, I wrote an article for SearchWindowsSecurity.com on how to create a VPN for wireless users. In that article, I made use of ISA Server and the Internet Authentication Service (Microsoft's implementation of RADIUS, Remote Authentication Dial-In User Service). In this article, I will explain what these technologies are, what they do and why they are often used together.
Note: To prevent confusion, I will refer to IAS as RADIUS.
Internet Security and Authentication (ISA) Server is Microsoft's enterprise-class firewall product. Like traditional firewalls, ISA Server can block unused ports at your network's perimeter, but it can do a lot of other things too. It can be configured as a NAT (Network Address Translation) router that allows the workstations on your network to share an Internet connection. When ISA Server is configured as a NAT router, it caches Web pages as a way of conserving Internet bandwidth. As I demonstrated in my article on creating a wireless VPN, ISA Server can also be configured to provide various types of remote access to your network.
ISA Server performs all of the duties that you would typically expect of an enterprise-class firewall, but it has a couple of other tricks up its sleeve as well. ISA Server acts as both a stateful packet filter and an application firewall. That means it can examine individual inbound packets to see if they are malicious in nature.
For example, imagine that you had your network set up so that users could use Outlook Web Access (OWA) to check their Exchange mailboxes over the Internet using a Web browser. An OWA server is nothing more than a normal Web server that acts as a front end to an Exchange Server and provides users with a Web-based interface that looks and acts a lot like Microsoft Outlook. Users communicate with OWA using the HTTP and HTTPS protocols just as they would with any other Web site.
As with any other Web site, you wouldn't want to expose an OWA server directly to the outside world. You would want to place a firewall between the Internet and your OWA server to filter out communications over unauthorized ports or communications that use an unauthorized protocol.
The problem is that many firewalls would simply look at the inbound packets and see that they were HTTP packets being sent over port 80 or HTTPS packets being sent over port 443. As long as the packets conformed to these requirements, the firewall would allow the packets to be sent to the OWA server.
ISA Server is different though. ISA Server knows what typical OWA communication sessions look like. If a packet that comes in uses the required port and protocol, but doesn't look like a typical OWA packet, then ISA Server could block the packet because abnormal packets are often malicious.
Of course this is an over-simplified example, but the point is that ISA Server does a lot more than just look at the port number and the protocol used by an inbound packet. I use Outlook Web Access as an example, but ISA Server can perform similar types of integrity checks against VPN traffic and against other types of Web traffic. You can read more about ISA Server's capabilities on Microsoft's ISA Server Web site.
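The contrast between a port-only firewall and an application-aware one, as an added sketch that is not from the original article and does not reproduce ISA Server's actual logic. The path prefixes, method list, length limit and sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

# Assumed publishing policy for this sketch (hypothetical values, not ISA Server's rules).
ALLOWED_PORTS = {80, 443}
ALLOWED_METHODS = {"GET", "POST"}
OWA_PREFIXES = ("/exchange/", "/exchweb/", "/public/")
MAX_URL_LEN = 1024

# Constructed sample requests, already parsed into port, method and URL.
SAMPLES = [
    {"port": 443, "method": "GET", "url": "/exchange/jsmith/Inbox/"},
    {"port": 443, "method": "TRACE", "url": "/exchange/jsmith/"},
    {"port": 80, "method": "GET", "url": "/scripts/admin.asp"},
    {"port": 443, "method": "GET", "url": "/exchange/%252e%252e/secret"},
    {"port": 8080, "method": "GET", "url": "/exchange/jsmith/"},
]

def port_filter(req):
    """Port-only firewall: anything on a published port is forwarded."""
    return req["port"] in ALLOWED_PORTS

def app_filter(req):
    """Application-layer check: return (allowed, reason) for one request."""
    if not port_filter(req):
        return False, "port not published"
    if req["method"] not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(req["url"]) > MAX_URL_LEN:
        return False, "URL too long"
    decoded = unquote(urlsplit(req["url"]).path)
    if unquote(decoded) != decoded:  # a second decode changes it: double-encoded
        return False, "double-encoded path"
    if any(ord(c) < 32 or ord(c) > 127 for c in decoded):
        return False, "unexpected characters in path"
    if ".." in decoded.split("/"):
        return False, "path traversal segment"
    if not decoded.lower().startswith(OWA_PREFIXES):
        return False, "path is not an OWA path"
    return True, "ok"

def compare(samples):
    """Return (port_only_verdict, app_layer_verdict, reason) per request."""
    return [(port_filter(r), *app_filter(r)) for r in samples]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, compare(SAMPLES)):
        print(req["method"], req["url"], verdict)
```

Three of the five sample requests pass the port-only check yet are rejected once the request itself is inspected.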
Now that I have explained what ISA Server is and what it does, I want to talk about the RADIUS component. As powerful as ISA Server is, it does not have any authentication components of its own. This tends to be a problem because aside from Web sites, most of the resources that you would typically protect with an ISA Server should not be accessible to just anyone. You usually want to authenticate a user's identity before you just give them access to a resource.
The reason ISA Server doesn't have a built-in authentication mechanism is that having one would be extraordinarily dangerous. The ISA Server's job is to defend your network against attacks coming from the Internet. That being the case, you have to assume that the ISA Server itself is going to be attacked. If the ISA Server had its own built-in authentication mechanism and the server were somehow compromised, then the hacker could use that authentication mechanism to gain access to all of the resources protected by the ISA Server.
Rather than risk something like that happening, Microsoft requires ISA Server to use some form of external authentication. This is where RADIUS comes into play. A RADIUS server can provide secure authentication to external users over the Internet. RADIUS is usually a much better choice for Internet-based authentication than normal domain controller-based authentication. RADIUS was specifically designed for authenticating remote users. It was originally designed for dial-up sessions, but it works just as well for Internet sessions. The nice thing about RADIUS is that it prevents remote users from having to communicate directly with your domain controllers, thus adding an extra layer of security. RADIUS can also authenticate remote users whether they are running a Windows operating system or something else, such as Linux.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in February 2006