A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. Since their creation, a battle has raged between those who believe a hardware or software firewall is better. In truth, even the hardware devices utilize some type of software and every product has its own strengths and weaknesses.
No matter what your opinion, the fact remains that Microsoft Internet Security and Acceleration (ISA) is the best protection for a Microsoft environment. The reason is because ISA authenticates access at the edge of the network rather than allow traffic to penetrate the firewall and access a server directly. For Outlook Web Access, Terminal Services Gateway, or SharePoint, ISA authenticates logons before any servers are accessed. For hardware devices, the appropriate port and URL is opened and direct access is provided to the server through the firewall. Conceptually, once you have access to the server it’s much easier to do harm.
Typical arguments tend to follow:
ISA is not a real firewall.
It has more than a 10 year history of use in all sectors including high security Government and Financial customers with highest certifications in the industry.
Windows has too many vulnerabilities.
Every system has discovered flaws and Windows/ISA has no more than any other offering. Further, ISA has Microsoft Update for security patches and enhancements while hardware updates are manual.
Hardware firewalls are faster.
Server processor, RAM, and NICs all offer higher performance and more expandability.
Hardware firewalls are cheaper.
Like everything in technology, it depends upon the offering and configuration on what is more expensive. Microsoft software generally has a 5 year standard and 10 year extended life cycle with servers warranted for 4 years. Most hardware firewalls have a warranty of 3 years with annual maintenance, so total cost of ownership over life of the equipment tends to be higher.
If you prescribe to the notion of having two firewalls from different manufacturers, you can put a hardware firewall in front of ISA and still enjoy the edge authentication and perks like Active Directory integration to filter by user/group instead of just IP address. If you must have a box to put in the rack, then purchase an appliance that has ISA. In 2010, ISA runs on Windows Server 2008 with more features and a new name of Forefront Threat Gateway.