Welcome to ISAserver.org

Apache vs ISA

Apache vs ISA - 2.Sep.2009 7:20:11 AM   
ljones10

 

Posts: 100
Joined: 14.Oct.2008
Status: offline
Hi Guys,

I am not familiar with Apache; however, an employee has suggested using Apache instead of ISA 2006 for reverse proxy. I feel that ISA would offer greater security benefits with a web publishing rule set up for the front end web server hosted in the DMZ. Would it be possible to have people's views on this?

Any help would be much appreciated.

Lee
Post #: 1
RE: Apache vs ISA - 2.Sep.2009 8:23:05 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
LOL..Apache is a web server...ISA is a Firewall..Nuff said.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to ljones10)
Post #: 2
RE: Apache vs ISA - 2.Sep.2009 8:48:10 AM   
ljones10

 

Posts: 100
Joined: 14.Oct.2008
Status: offline
Hi Steve,

These were my thoughts exactly when this was suggested, but, not knowing that much about Apache, I did not make this point at the meeting.

Lee

(in reply to SteveMoffat)
Post #: 3
RE: Apache vs ISA - 2.Sep.2009 4:34:49 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Why not google a little bit?
This is usually a good way to start.
http://www.modsecurity.org/documentation/faq.html
http://blog.modsecurity.org/
http://www.modsecurity.org/
http://blog.ivanristic.com/
http://www.cgisecurity.com/apachesecurity.html
https://calomel.org/apache_proxy.html
http://www.securityfocus.com/infocus/1739

Your question is more of a general question without any precise shots.
Some Apache mods will beat ISA's default HTTP filter and offer better protection for your web application, as ISA Server is not a WAF.
However, as Steve said, ISA was built as a firewall, and to get Apache working as a reverse proxy acting as a WAF with one mod or another you may have to work quite a bit tweaking various settings. They may say it's not that complicated, but that remains to be seen; it may vary based on some factors.
And you don't need iptables and some of its modules for some stuff, or other Apache mods, or to have a network firewall in front of your reverse web proxy.
With ISA you may notice that some things are more "unified" and there is a certain level of "defaultness" out-of-the-box, as it was designed from the start to work that way, as a firewall. Of course, you may be able to buy directly some appliances, say using modsecurity (but you will have to see where and how such an appliance should be deployed, whether it needs a network firewall in front of it or not, sandwich topology or not).
Also ISA can naturally address both inbound and outbound access (as well as VPN, s2s or remote access), a point which may count in certain situations for the overall decision, especially now considering the financial crisis.
ISA may work better in an MS environment.
etc.

Apache is a framework on which you can build. Of course you can have customized filters on ISA Server too, if you want (there are some shops out there that can do that for you).

But what happens when, like here, the Apache mods may kick in too late?
Forefront TMG, even in its beta stages does not seem to be bothered by the issue described there.

If I'm allowed, I would suggest you work with your Apache guy to see what his points are (of course it would be advisable to read something about it yourself), and to see what your points for ISA Server would be. Obviously you should discuss what you want to use Apache or ISA Server for, what you want to protect with it (saying "I want to protect a web server" means pretty much nothing), how both will integrate within your current network design, the level of protection offered both for the device itself and for the web server (web application) behind it, ease of use and configuration, user experience, authentication and SSO, DoS protection afforded (at application layer, at transport layer, etc.), performance, scalability, patching infrastructure (and (expected) patching frequency), etc.
More of a constructive discussion, rather than a "mine is better than yours" one.

If you feel ISA loses ground and you want to continue with a Microsoft solution, as this is what you know best and feel comfortable with, no need to worry: take a look at IAG. This was designed to address inbound access, can function as a WAF, already has built-in protection for certain applications, and has ISA Server to protect it.
From a security point of view, in practice, the level of security a device can offer may not matter; what matters is the level of security that an admin can configure that device to offer. And this may answer your question indirectly: if you are unfamiliar with Apache, for the moment, stick with what you know best, until you dig deeper in that area.

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ljones10)
Post #: 4
RE: Apache vs ISA - 2.Sep.2009 7:59:01 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
Who's managing it? I'd much rather configure ISA than muck about in Apache configs. In addition to the features they have now, what you need and what you plan to do in the future, it may be sensible to compare the manageability and ease of integration into a Windows/AD environment.

I have nothing against Linux, but I think adding a module to Apache to make it secure would be like doing that with IIS... Not something I'd be quick to trust.

(in reply to adimcev)
Post #: 5
RE: Apache vs ISA - 3.Sep.2009 3:46:00 AM   
ljones10

 

Posts: 100
Joined: 14.Oct.2008
Status: offline
Hi Everyone,

Thanks for the replies to this question.

Adimcev, sorry that post seemed a little vague, but to be honest I have found it very difficult to get my head around what Apache can do for reverse web proxy. I have no experience of the software and when looking on google it is very hard to know where to start. I have had a look through some of the sites you listed, but without fully understanding the mechanisms of Apache it is hard to list PROS and CONS vs ISA.

Ferrix, to answer your question, this is going to be managed by our web team.

Cheers

Lee

(in reply to ljones10)
Post #: 6
RE: Apache vs ISA - 3.Sep.2009 5:09:14 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
If you are publishing Microsoft based web applications/services, I would think ISA would have the edge unless you have a specific requirement it cannot meet...

The recent "better together..." MS marketing blurb is actually pretty true for ISA as it provides fantastic integration if you use Active Directory and MS web services like IIS/SharePoint/Exchange etc.

Some good examples here:

http://www.isaserver.org/tutorials/ISA-2006-Firewall-Web-Publishing-Rules.html

http://technet.microsoft.com/en-us/library/bb794854.aspx

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ljones10)
Post #: 7
RE: Apache vs ISA - 3.Sep.2009 6:11:57 AM   
ljones10

 

Posts: 100
Joined: 14.Oct.2008
Status: offline
Hi Jason,

Thanks for your reply.

Lee

(in reply to Jason Jones)
Post #: 8
RE: Apache vs ISA - 3.Sep.2009 11:05:45 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Maybe you want more details on what Apache as a "reverse proxy" can do, as you already know what ISA Server can do?
As I've already linked you to modsecurity, let's take a quick look at it (I suppose you don't want to run Apache as a reverse proxy butt naked).
I linked you the FAQ section first because you need to check something with your web team first if you want to proceed on this path:
quote:

Building a ModSecurity reverse proxy appliance is a non-trivial task as you need specific skill sets - expert in Apache, web application security, and ModSecurity.

If this check fails, forget about it.

In theory the HTTP requests should be analysed before they get handled by the web server, but in practice some "processing" might be done before it reaches the needed mod.
It can detect protocol violations.
It supports encoding types such as multipart/form-data or application/x-www-form-urlencoded.
It can intercept request and response bodies, and can analyze XML payloads.
It can parse cookies (format validation, value normalization).
It uses various normalization operations, and not only normalizes URLs; say, if you use path names as input for an HTML form field, it can analyze that to avoid evasion.
It is able to "understand" what you have in the back, say PHP, ASP, IIS, Apache, etc., and thus to have certain filters on for protection.
It includes conditional execution; say, if the transaction payload is XML, it can use a certain set of rules.
It can detect business logic flaws.
It can create more complex conditions using logical operators along with logical expressions.
It can inspect and verify uploaded files.
It has some really good logging capabilities.
Obviously it can do HTTPS filtering.
So as you can see it is able to break the HTTP flow into parts and analyze them, say headers, request and response bodies, parameters, etc. (headers, POST payloads, environment variables, server variables, individual page variables, cookies, script output).
It can operate using the negative security model, the positive security model, the extrusion detection model and virtual patching (this one can fall into the negative security model or the positive security model).
It can be used to detect and prevent attacks, or just to detect attacks.
It comes with a free Core Rule Set, which is a collection of rules that will detect the most common web attacks. This is a generic set of rules that implements a negative security model.
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
You can develop a positive security model for your something, say OWA, assuming you know how OWA works. Breach has an enhanced set of rules which they say uses a positive security model for OWA.
You may need to do some work to harden the box itself. Much more work than with ISA Server itself. ISA has network layer protection features that modsecurity does not provide, as it focuses on something else.

As you can see, ISA Server cannot match ModSecurity in certain areas, nor does it have to, as Microsoft has another solution for that.
You can take a look here:
http://www.microsoft.com/forefront/edgesecurity/en/us/secure-application-access.aspx

To be more specific, see what ISA Server, IAG, and Breach (using modsecurity) can do for, say, OWA:
http://technet.microsoft.com/en-us/library/aa996545.aspx
http://www.microsoft.com/forefront/edgesecurity/iag/en/us/technologies.aspx
http://www.modsecurity.org/breach/index.html

When it comes down to filtering configuration, ISA Server's main "disadvantage" (it may be a harsh word, as it was designed for a specific role, which does not necessarily mean this is a disadvantage, and the comparison we make here is not quite fair) is that application protection is mostly based on attack signatures, whitelisting is done on a limited basis (for paths, request methods, etc.), and request and response bodies do not actually get much inspection; see this example:
http://technet.microsoft.com/en-us/library/cc302627.aspx

Actually, did you look at this roadmap? Two pennies for some sharp eyes:
http://www.modsecurity.org/projects/modsecurity/apache/roadmap.html

Thanks,
Adrian

(in reply to ljones10)
Post #: 9
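As an added illustration of the kind of setup Adrian describes above (Apache as a reverse proxy with ModSecurity 2.x applying a small positive security model: published path and method whitelist, request and response body inspection, audit logging), here is an example configuration that is not from the thread; every hostname, certificate path, backend address and rule id in it is an assumption.

```apache
# Added example, not from the thread: Apache 2.2 reverse proxy in front of a
# DMZ web server, with ModSecurity 2.x enforcing a small positive security
# model. Hostnames, paths, certificate locations and rule ids are assumptions.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule ssl_module         modules/mod_ssl.so
LoadModule unique_id_module   modules/mod_unique_id.so
LoadModule security2_module   modules/mod_security2.so
<VirtualHost *:443>
    # Assumed published name and certificate paths.
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/mail.example.com.key
    # Reverse proxy only; a forward proxy here would be an open relay.
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    ProxyPass        /owa/ https://owa-int.example.local/owa/
    ProxyPassReverse /owa/ https://owa-int.example.local/owa/
    SecRuleEngine On
    # Inspect request and response bodies (the inspection the thread notes
    # ISA's HTTP filter mostly does not perform) and log denied transactions.
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
    # Phase 1 (request headers): only the published path prefix is served.
    SecRule REQUEST_URI "!@beginsWith /owa/" \
        "id:100001,phase:1,deny,status:404,log,msg:'Outside published path'"
    # Only the methods the application needs; everything else gets a 405.
    SecRule REQUEST_METHOD "!^(?:GET|POST|HEAD)$" \
        "id:100002,phase:1,deny,status:405,log,msg:'Method not whitelisted'"
    # A POST must carry a body encoding the engine can parse. The rules are
    # chained: both must match before the deny on the first rule fires.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:100003,phase:1,chain,deny,status:415,log,msg:'Unexpected POST content type'"
        SecRule REQUEST_HEADERS:Content-Type \
            "!^(?:application/x-www-form-urlencoded|multipart/form-data)"
    # Phase 4 (response body): stop a backend error page or stack trace
    # from reaching the client.
    SecRule RESPONSE_BODY "(?i:server error in|stack trace:)" \
        "id:100004,phase:4,deny,status:500,log,msg:'Backend error page suppressed'"
</VirtualHost>
```

Anything the whitelist does not allow is denied before it is proxied, and the audit log records the matching rule id, which is the detection side of the positive model.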
RE: Apache vs ISA - 4.Sep.2009 9:41:06 AM   
ljones10

 

Posts: 100
Joined: 14.Oct.2008
Status: offline
Hi Adrian,

Thank you very much for taking the time to compile this information; it is very much appreciated.

Lee

(in reply to ljones10)
Post #: 10
RE: Apache vs ISA - 4.Sep.2009 11:37:57 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
No probs.
I saw Ivan (he is no longer with Breach) talking some time ago about porting modsecurity to IIS/ISA, and according to the roadmap, they might do that with version 3.0.
That would be interesting if it happens, as it will turn ISA Server into a WAF. It remains to be seen at what costs, performance hits, integration, TMG knocking on the door, etc.
If they get it right, it could be a hit coupled with ISA's features (like pre-authentication, authentication delegation, SSO).

Cheers!
Adrian

(in reply to ljones10)
Post #: 11
RE: Apache vs ISA - 4.Sep.2009 12:39:22 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: adimcev

No probs.
I saw Ivan (he is no longer with Breach) talking some time ago about porting modsecurity to IIS/ISA, and according to the roadmap, they might do that with version 3.0.
That would be interesting if it happens, as it will turn ISA Server into a WAF. It remains to be seen at what costs, performance hits, integration, TMG knocking on the door, etc.
If they get it right, it could be a hit coupled with ISA's features (like pre-authentication, authentication delegation, SSO).

Cheers!
Adrian


I guess MS would prefer you to go down the UAG route

(in reply to adimcev)
Post #: 12
RE: Apache vs ISA - 4.Sep.2009 2:18:29 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
I'm most sure they want that.
But if modsecurity is still free, assuming it integrates nicely with ISA (TMG), it might be fun to give it a try...

Cheers!
Adrian

(in reply to Jason Jones)
Post #: 13
RE: Apache vs ISA - 5.Sep.2009 6:48:24 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: adimcev

I'm most sure they want that.
But if modsecurity is still free, assuming it integrates nicely with ISA (TMG), it might be fun to give it a try...

Cheers!
Adrian



True...

(in reply to adimcev)
Post #: 14