
Why You Should Use the ISA Firewall for SOX and HIPAA Compliance

SOX and HIPAA compliance requires that you exercise tight control over information moving between the protected network and the Internet. In order to meet these requirements, you must use an advanced stateful packet and application layer inspection firewall, such as the ISA Firewall. Simple firewalls such as the outdated PIX or similar “hardware” firewalls clearly don’t meet these requirements.

What makes the ISA Firewall so secure? Check out this list of checks and tests the ISA Firewall Team does to make sure your company meets the high security requirements suggested by SOX and HIPAA:

  1. Threat Modeling – Together with subject matter security experts we performed a security design review for each component to identify design weaknesses, evaluate security architecture, identify threats to be tested and ensure that default settings are secure.
  2. Manual and Automatic Code Reviews – We’ve ensured that all code undergoes human code review and that all issues detected by static code analysis tools, such as PREfast, are fixed, to ensure the code has no vulnerabilities.
  3. Third-party penetration testing (pen-testing) – We employed the services of the best pen-test companies in the industry to perform a security audit and penetration testing of the product.
  4. Pen-testing and fuzzing – Our internal pen-test team tested every component for security vulnerabilities, especially buffer overruns. Moreover, to facilitate this work the ISA Server team developed the FuzzGuru fuzzing framework that was later adopted by many other teams in Microsoft and is used to look for buffer overruns and access violations.
  5. Monitoring public security research – We track security research in areas relevant to ISA Server – HTTP, VPN, PKI, proxies, firewalls, etc. I personally spend hours reading mailing lists, such as BugTraq and DailyDave, and reviewing security research papers from DefCon, BlackHat, Usenix and other conferences. I regularly monitor CVEs – the published security vulnerabilities of other products. For each of them I evaluate whether it, or a similar one, may affect ISA Server.
  6. We review the user interface and product documentation to ensure they clearly provide security best practices.
  7. We regularly ship service packs that fix security vulnerabilities in shipped products whenever we find new ones using pen-testing methodologies and tools that have emerged since the previous release.

For the complete story on how the ISA Firewall was designed as an edge firewall to protect large enterprises, check out this post by John Neystadt on the ISA Team Blog at http://blogs.technet.com/isablog/archive/2007/07/0...x.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

7 Responses to “Why You Should Use the ISA Firewall for SOX and HIPAA Compliance”

  1. steavg Says:

    July 28th, 2007 at 2:52 am

    Hi Tom,

    Having been a fan of ISA server from the early stages (proxy 2.0 certified :) ) and always following your site and comments with much interest, I find it kinda sad that you keep fudging the (what you call) hardware firewalls.

    I do understand your angle of critique but calling the PIX outdated and not compliant with the above is simply not true.

    You should compare apples with apples and keep your readers informed in a neutral way. The PIX/ASA product portfolio complies with all the above requirements (and more) and does outperform the ISA server in many areas.

    So just keep your information up to date and objective to serve your audience right.

    Cheers,

    stefan

  2. Tom Shinder Says:

    July 28th, 2007 at 7:56 am

    Hi Stefan,
    As always, these issues are a matter of opinion. And it’s the opinion of the compliance tester that applies in this situation. If I were to do a compliance check for an organization and found that they only used an outdated PIX packet filtering device, I would definitely call them out for being out of compliance because a PIX can’t really provide the required inbound and outbound access controls required to be in compliance, it just can’t, in my opinion. However, in your opinion it would, which is good for you :)

    Also, just because the PIX/ASA passes exploits much faster than an ISA Firewall is not a good thing — in fact, it would be better that the PIX/ASA be much slower, then the exploits would get in more slowly! Personally, I could never recommend a PIX for security reasons and never recommend an ASA because of its bugs and large number of reported exploits.

    The most important issue here, I think, is that it’s all a matter of opinion. You can present your evidence and I can present mine — if either of us can’t or won’t present evidence, then the opinion with the most supportive evidence wins!

    Thanks!
    Tom

  3. steavg Says:

    August 9th, 2007 at 5:11 am

    Hi Tom,

    Thanks for taking the time to reflect on my thoughts. As you state accurately, it’s all about opinions. And if I wasn’t clear in my first post I would like to apologize, since I do believe that the compliance tester will find the possibilities of the ISA firewall to be of good quality.

    As you stated also, presenting evidence is what it is all about. So I just want to make sure that I didn’t misunderstand you:

    - If the PIX used would be outdated, you would call the company using it out of compliance (= opinion). Well I totally agree on that one. If the company would be using an ISA 2000 version, I would also call them out of compliance (my opinion). If the company would however be using an updated version of the PIX/ASA let’s say version ASA 7.X and above, I would call them within compliance (but hey that’s my opinion, and the opinion of DoD, NIST, etc).

    - It’s also your opinion that the PIX/ASA passes exploits faster than an ISA firewall. Well it does pass it faster (if you allow it), but it can even filter and stop it faster than the ISA (and that is not an opinion but rather a fact).

    - Your bug and exploit opinion might be a little bit fuzzed in the same way as some people have the “it’s Microsoft so it’s unsafe” vision. If you compare the bugtraq list of the ISA 2000 with the PIX..slight advantage for the ISA but very narrow margin…ISA 2004 compared to the ASA is a draw…so you see opinions and facts are sometimes better to be stated clearly to avoid confusion……

    Cheers,

    stefan

  4. Beefcake Says:

    August 16th, 2007 at 6:26 pm

    Amen Stefan! Good for you! Finally someone responds with an objective statement and hits the nail on the head. Defense in depth, accept no other! :)

    The latest version of the products in question are worlds ahead of their previous versions. Both of these products with (ASA w/Cisco IPS and 3rd party add ons to ISA) work great together. But then again, just my opinion. If you are in this market you also know these two products are only a small portion of the overall scheme.

    Using the statement PIX, specifically 6.2 and less, is like comparing to ISA 2000 or Checkpoint on the white box running NT4 back in the day. Don’t waste our reading time! :)

    Cheers!

  5. Tom Shinder Says:

    August 17th, 2007 at 7:22 am

    Hi Beefcake,

    Thanks! I’m glad you agree with me that a PIX and even an ASA would not meet the specifications of regulatory requirements given the security and functionality issues with these “firewalls”. At least the ISA Firewall can be used to shore up the security and functionality problems with those devices.

    Thanks!
    Tom

  6. steavg Says:

    August 19th, 2007 at 9:18 am

    Hi Beefcake, Tom

    This thread is getting really interesting ….. let’s keep the objective of this thread in focus…facts and opinions.

    Well Tom, it seems that again you’re posting an opinion: “PIX and even an ASA would not meet the specifications of regulatory requirements given the security and functionality issues with these “firewalls””.

    Which I would like to answer with a fact:

    1. Your statement regarding EAL certification:

    http://blogs.isaserver.org/shinder/2006/03/26/isa-...teria/ clearly states that the EAL certification ensures secure and reliable products

    2. The list of Cisco EAL certified firewalls: http://www.commoncriteriaportal.org/public/consume...ex.php
    Not only are the ASA and PIX certified EAL4+ but guess what…heaps of other Cisco firewall products…now that is a fact !

    Well I would like to give you my opinion…about your postings that is…biased and not really fact driven…but hey ….. just my opinion….might become a fact if others agree….

    BTW Beefcake thanks for your support…defense in depth all the way…trust no one…

    Cheers,
    stefan

  7. steavg Says:

    September 2nd, 2007 at 1:37 pm

    Well….thanks:

    http://www.windowsnetworking.com/news/WindowsNetwo...7.html

    Cheers,

    Stefan
