Thursday, July 5, 2007

ISA Web Access?

Firstly let me say that I am not expert in ISA or other types of firewall systems. I was just wondering and looking for new software ideas to implement in my spare time as a open source project and i found a success story about a company named "Devbiz", an IT company developing and selling .NET components, acquired by Microsoft just because they have implemented web based application which enables Web access to Microsoft's Team Foundation Server. As a result of Microsoft's acquisition of devBiz, TeamPlain Web Access is now available as a free download. Even more, TeamPlain is now official part of Team Foundation Server product. So i thought that why can't i implement such product to Microsoft, and started to checkout all the product families to find out is there any similar idea to add value to Microsoft's core products. Finally, i got ISA Server which don't have Web Access. I checked different vendor's security products like ISA, they all have web access for remote and easy administration and configuration. I asked questions "Why i should not implement ISA Web Access?" on some forums, but i didn't got clear answers except security problem. So other vendor's products are unsecure? I think No. There must be different reason or ...

Then i decided to search for ways to implement my idea, downloaded ISA SDK, and samples from official sites. You can extend ISA using its SDK in languages C++, VB Scripting and VB.NET. I am familiar and good at VB.NET, and played with VB examples. But i faced with a problem which is to run my VB.NET application, i need to install IIS on Firewall which is said to be unsecure as they said. But there is a better way to do. Webfilter feature of ISA SDK. You can create a webfilter to listen to port 80, and filters the incoming packages to see whether it is your request or not. Your webfilter will receive requests from remote client, invokes the administration functions of ISA using SDK or your component which supplies interface to webfilter and hides details of SDK. Webfilter will then processes the result of the SDK functions, and sends back to client. Client is using web browser to access to our webfilter to manage, configure firewall settings, rules etc... Bingoooo. It looks like simple, but again problem. Webfilter can be implemented using only C++ which i am not familiar with. So i wish someone else could implement this idea.

Maybe I am already on wrong way, like i said i am not expert in ISA. Just opening my ideas to you. If you are expert in ISA, Please comment on this subject "Why/Not Web access?"

4 comments:

Bayar said...

Useful resource on ISA Scripting;
http://www.isascripts.org/

Anonymous said...

Discussion is going on here?

http://forums.isaserver.org/m_2002048524/mpage_1/key_/tm.htm#2002048532

Anonymous said...

You are right... Awhile ago when I first started working with IIS, Exchange and ISA I thought the same. Why not have a web based configuration for ISA? After all there is a web based admin for OWA and IIS.

However...after being in the IT world a bit longer I have come to notice that one of the first recommendations for any secure environment is to DISABLE the OWA and IIS administrator web interfaces. Why... Well if these are enabled you have essentially increased your attack surface thus made it easier for the bad guys to get in. When working with ISA (especially if your server is facing the "cloud") you want to minimize your attack surface by turning off services and avoid installing extras. After all it is Internet SECURITY and Acceleration Server.

Your arguement, as I understand it, is to have the same restrictions and rules apply to it as we would...for say...remote mmc or terminal services. Sure you could also snap an SSL requirements on it as well so you are not managing over HTTP. I have to be very honest with you that this sounds like an interesting idea but I would be very skeptical to use it even as described. Personally I think there is a fine line between secure and easy. Unfortunately I believe this is crossing that line a bit... Maybe I am just thinking old fashion like. Needless to say I would be interested to read other's comments.

I will have to add though... There is probably interest out there and even people that would pay some $$ for the functionality.

http://forums.isaserver.org/m_2002048524/mpage_1/key_/tm.htm#2002048532

Bayar said...

Thanks for your opinion. So i am not wrong totally, There must be something like that. Furthermore, there are peoples who can pay bucks for this kind of toool.