Why?
Because they *both* run on software that is loaded onto hardware. The fact that one stores the software on a hard drive while the other stores it on a chip is irrelevant.
ISA can be purchased as an appliance and has been ever since ISA 2004. There are 7 different companies producing different variations of them in the link below.
In the last Secunia reports I saw,...ISA had 2 security flaws,...the ASA had 6. Both companies have their products patched now,...but it started out with "2 to 6" with Cisco having the most flaws.
ISA Server 2000 was Microsoft’s first full-fledged firewall product, and it offered a host of new features not found in its predecessor, Proxy Server 2.0, nor in most of the third-party commercial firewall products in its price class. These included:
- Multi-layered filtering (packet filtering at the network layer, circuit filtering at the transport layer, and application filtering at the application layer)
- Integrated remote access virtual private networking (VPN) and site-to-site VPN gateway
- Active Directory integration
- Secure Network Address Translation (SecureNAT)
- Secure server publishing
- Email content screening via SMTP filters
- H.323 gateway support for use of Microsoft NetMeeting and other H.323 conferencing software
ISA 2004 was the first major overhaul of Microsoft ISA Server since its introduction in 2000. ISA firewall admins found improvements in three key areas:
- Advanced protection
- Ease of use
- High performance
More specifically, ISA 2004 raised the bar on application layer security capabilities through
enforcement of comprehensive and flexible application layer inspection policies, customizable protocol
filters and network routing relationships that can help protect IT assets and corporate intellectual
property from hackers, viruses and unauthorized use. Simple, easy to learn and use management tools,
along with an enhanced user interface, shortened ramp-up time for new security administrators and
helped customers avoid security breaches that can occur because of firewall misconfiguration.
While ISA 2004 put the ISA firewall product in head to head competition with Check Point and Cisco
ASA/PIX in the network level firewall market, the ISA 2004 firewall lacked some features that made it
harder than it should have been to compete with Blue Coat as the forward and reverse Web proxy server
of choice. While it was clear that the ISA 2004 firewall and Web proxy server was more secure and more flexible than Blue Coat, the primary thrust of the ISA 2004 improvements was its network stateful packet inspection and application layer inspection firewall feature set, not its Web proxy components.
So, while ISA 2004 was focused on making the ISA firewall product equal or superior to the Check
Point, Cisco ASA/PIX and Netscreen firewall products, the ISA 2006 enhancements are aimed at
making the ISA firewall product line superior to Blue Coat in three core scenarios:
The ISA 2006 firewall and Web proxy and caching product is at this point so impressive, that in my
considered opinion no network security professional would consider providing remote access to
Exchange, SharePoint Portal Server or IIS without an ISA firewall in place to protect them and to do
otherwise would reflect on the decision maker’s judgment and motivations.
Before going into the details of ISA 2006, let’s roll back a bit and take a look at what ISA 2004 brought
to the table. Since the ISA 2006 firewall includes all the ISA 2004 SP2 features and capabilities, it will
give you a better idea of the ISA 2006 firewall’s feature set.
All of those new features add functionality and flexibility above and beyond that provided by ISA 2000
and are included in the ISA 2006 firewall. But what do they really mean to you?
- Multi-networking support greatly increased ISA 2004’s scalability and flexibility and gave much more granular control by applying different levels of security and access for different networks.
- New VPN features made it easier and more secure to use virtual private networking through the ISA firewall. The ability to publish PPTP VPN servers is important to businesses that, for whatever reason, don’t want to implement L2TP/IPSec for all VPN connections. VPN quarantine enhanced network security by allowing you to set security criteria that VPN clients must meet before being allowed access to the corporate network. IPSec tunnel mode support greatly increased the ISA 2004 firewall’s interoperability with a wide array of third-party VPN gateways.
- New firewall features (and improvements to those included in ISA 2000) provided more precise control over what does and doesn’t enter the network. These enhancements positioned the ISA 2004 firewall to compete directly with third-party firewall products such as Check Point and PIX/ASA.
- New Web cache and Web proxy features made it easier to publish Web sites, gave ISA firewall admins more control over Web caching, and enhanced the security of all published Web sites.
- New remote access features increased the usability and security of Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS), terminal services and Outlook RPC/HTTP. The ability to block unencrypted Exchange RPC communications greatly enhanced security in secure Exchange RPC publishing scenarios. In ISA 2000 out of the box, if Exchange RPC was allowed, you couldn’t distinguish between encrypted and unencrypted communications: all Exchange RPC communications were allowed. The ability to block unencrypted ones was included in Feature Pack 1 for ISA Server 2000, but required editing the registry to enable. ISA 2004 made it as simple as checking a checkbox.
- New application layer inspection features extended the level of control administrators had over Web and e-mail content, making it easier to block exactly what you want to block, and ensuring that users who need access to resources will have it. For example, signature blocking could be used as a spam control mechanism, allowing you to block keywords and strings in the message content. It could also be used as an anti-virus mechanism and a way to recognize and block common SMTP attacks. Unfortunately, the SMTP Message Screener was dropped in ISA Server 2006, with the expectation that customers would prefer to use Antigen for spam and anti-virus control. However, at this time, Antigen for SMTP has not been integrated with the ISA Server 2006 product line.
- New monitoring and reporting capabilities are more important than ever in today’s regulated business environment, where it is vital to be able to provide detailed documentation to prove compliance with government and industry rules that require specific security standards to be met. The ability to import and export configuration information makes it easy to back up that information or to create multiple servers with the same configuration.
- Link translation is important when you publish sites that contain links to internal resources (for example, SharePoint sites that you want to make available to external users). This capability was included in Feature Pack 1 for ISA 2000, but was made much easier to use in ISA 2004. ISA Server 2006 further enhances support for link translation, especially for SharePoint Portal Server sites.
- New wizards such as the Delegated Permissions wizard, Outlook Web Access (OWA) Publishing wizard and the Secure Web Publishing wizard helped you accomplish common tasks more quickly and easily, and helped prevent misconfiguration (which is one of the most common reasons for firewall failure). ISA Server 2006 further refines and enhances the Web Publishing Wizards included with ISA 2004.
With advanced security for your Microsoft applications, ISA Server 2004 protected the customer’s critical business assets and helped the organization stay on top of communications demands. In addition, ISA Server 2004 provided security around the most common usage scenarios, such as collaboration, remote access, and server publishing. ISA Server 2006 includes all these features and adds significant feature enhancements over those provided by ISA 2004, which will be discussed later in this section.
The new interface put common ISA firewall management tasks at your fingertips, eliminating the need
to search through Help files or click through multiple dialog boxes to find the configuration options you
want.
Why ISA 2006 Firewalls are Better than ISA 2000/2004 Firewalls
Many ISA firewall admins who are currently running ISA Server 2000 or 2004 will want to know why
they should upgrade to ISA Server 2006. While the upgrade from ISA Server 2000 to ISA 2004 was an
easy one to understand because of the major improvements and changes made between ISA Server 2000
and ISA 2004, the changes included with ISA 2006 versus ISA 2004 are more incremental and provide a
much smoother transition than the upgrade from 2000 to 2004.
Most of the new features and capabilities in ISA 2006 compared to 2004 are difficult for the average ISA firewall admin to see if only a superficial look at the product is taken. The user interface is the same, the networking model is the same, there have been no changes in how the ISA firewall performs outbound access control, and there have been no changes to the core networking and traditional firewall feature set.
The bulk of the improvements seen with the ISA 2006 firewall are focused on secure Web publishing.
While the Microsoft marketing message focuses on the three pillars of
Technical decision makers will quickly discover that ISA 2006 adds relatively little to ISA 2004 SP2 in
the outbound access control and protection and branch office gateway scenarios. However, they will
notice that there are some profound improvements in secure application publishing. To be more specific,
to secure Web Publishing.
The other major difference between ISA 2006 and ISA 2004 is that ISA 2006 has a much more robust
mechanism for handling worm and other types of flood attacks. Some ISA 2004 servers have suffered
from worm and DNS flood attack situations (note that these attacks never compromised the ISA
firewall, but affected performance). ISA 2006 includes a built-in mechanism to prevent exhaustion of non-paged pool memory, so that even under heavy denial of service type worm or DNS flood attacks the ISA 2006 firewall will be able to stand up where the ISA 2004 firewall might fall over and need to be rebooted.
My recommendations for upgrading from ISA 2004 to ISA 2006 include the following:
- ISA 2006 worm and DNS flood protection will increase uptime and stability. The ISA 2006 updates to its stateful packet inspection and IDS/IPS functionality make it worth the upgrade.
- Significant enhancements have been made in increasing the security of remote access connections to Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS) and RPC/HTTP (Outlook Anywhere). You will be able to do things such as customize the log on form, enable password changes from the log on form, and automatically inform users in the log on form of how many days remain until a password change is required.
- ISA firewall admins publishing SharePoint Portal Servers may have experienced frustrations and incomplete functionality when using ISA 2004. If you have SharePoint Portal Server in place, you will be able to get full functionality from your SPS deployments when publishing through an ISA 2006 firewall, as it is purpose designed to provide secure remote access to SharePoint Portal Servers.
- For all ISA firewall admins publishing Web sites, including Exchange and SharePoint Portal Server sites, you’ll be able to use forms-based authentication for any type of Web publishing scenario, and editing the log on form is now completely supported by Microsoft.
- For any ISA firewall admin publishing secure sites requiring pre-authentication at the ISA firewall, there are additional authentication mechanisms available, including LDAP authentication and RADIUS one-time password (OTP). Both of these authentication methods allow the ISA firewall publishing the Web sites to be removed from the Active Directory domain while still authenticating users belonging to the domain. RADIUS OTP gives ISA firewall admins who don’t wish to use SecurID another two-factor authentication option.
- Any ISA firewall admin interested in publishing a Web farm will benefit greatly by upgrading from ISA 2004 to ISA 2006. This is especially the case if you have front-end Exchange Servers and want to have two or more front-end Exchange Servers configured as a fault tolerant and redundant Web farm. The ISA 2006 Web farm load balancing feature removes the requirement to make the FE Exchange Servers SecureNAT clients when NLB was enabled on the FE Exchange Server array. In fact, ISA 2006 Web farm load balancing completely removes the requirement for NLB on the FE Exchange Server array or for a third-party hardware load balancer. You can completely remove the third-party load balancer and benefit from higher security, better performance and better session management than you would have with the “hardware” load balancer, and you get all this at no additional cost.
While it might seem that there is a relatively small feature set on which to base upgrades from 2004 to
2006, the improvements included with ISA Server 2006 make it worth upgrading for any company that
publishes Web sites. This might appear at first to represent a relatively small percentage of the entire ISA firewall feature set, but from my discussions with the ISA customer base at large, it appears that the ISA firewall’s largest deployment scenario is reverse proxy, and this is exactly the feature set that the ISA Server development team has focused upon.
What’s New and Improved in the ISA 2006 Firewall and Web Proxy and Caching Solution
The table below provides a comprehensive, but not necessarily complete list of new and updated
features included in the ISA 2006 firewall.
What’s New and Improved in ISA Server 2006

| New Feature | What it does |
| --- | --- |
| Web Farm Load Balancing (NEW) | ISA 2006 Web Farm Load Balancing enables the ISA firewall administrator to publish a farm of Web servers that host the same content or perform similar roles. The ISA firewall provides both load balancing and fail over and fail back for the published Web farm and does not require NLB to be enabled on the ISA firewall array or on the Web farm. Customers benefit from this feature because they do not need to enable NLB on the Web farm (which would require that the farm members be SecureNAT clients) and the customer does not need to purchase an expensive external load balancer, such as F5. |
| Forms-based authentication support for all Web Publishing Rules (NEW) | In ISA 2004, forms-based authentication was supported only for Outlook Web Access Web Publishing Rules. ISA Server 2006 expands its forms-based authentication support by enabling forms-based authentication for all Web sites published using Web Publishing Rules. |
| Kerberos Constrained Delegation (NEW) | In ISA 2004, User Certificate authentication could be performed by the ISA firewall, but the user’s credentials could not be forwarded to the published Web server. This generated multiple authentication prompts. In ISA Server 2006, a user can pre-authenticate with the ISA firewall and then that user’s credentials can be delegated as Kerberos credentials to the published Web servers, thus avoiding multiple authentication prompts and improving the end-user experience. |
| Enhanced Delegation of Authentication support | ISA 2004 supported only delegation of basic authentication. ISA Server 2006 enhances support for authentication delegation by enabling credentials to be delegated as Kerberos, Integrated, Negotiate or basic. This increases the flexibility of deployment for ISA firewalls, since many published Web servers do not support basic authentication. In addition, this increases security for Web Publishing scenarios where SSL to SSL bridging is not an option and prevents the clear text basic credentials from being intercepted on the wire. |
| Separate name resolution from CONNECT name in Web Publishing Rules (NEW) | In ISA 2004, the same name was used for name resolution and for the CONNECT name sent to the published Web server. This created a situation where the ISA firewall administrator had to create a split DNS, or enter a custom HOSTS file entry on the ISA firewall, so that the CONNECT name resolved to the IP address of the published server on the internal network. ISA Server 2006 solves this problem by allowing you to specify a name or IP address that is separate from the CONNECT name used by the Web Publishing Rule. |
| Improved Exchange Server Web Publishing Rule Wizard | The ISA Server 2006 Exchange Server Web Publishing Wizard includes a number of improvements that make publishing all versions of Exchange, from version 5.5 to 2007, easier than ever. |
| Integrated support for password changes on log on form (NEW) | In ISA 2004, there was little or no support for allowing users to change their passwords when using forms-based authentication. ISA Server 2006 solves this problem by integrating the ability for a user to change his password right in the log on form. No special configuration tasks are required on the ISA firewall or the published OWA Server. |
| Integrated support for password change notification on log on form (NEW) | In ISA 2004, there was no integrated support for providing users with information about pending password expiration dates. ISA 2006 solves this problem by making the option available to the ISA firewall administrator to inform users of pending password expiration dates. You can customize the warning period by specifying the number of days in advance that you want users to be aware of password expiration. |
| Improved Mail Server Publishing Wizard | In ISA 2004, a single Mail Server Publishing Wizard was used to publish both Exchange Web services and non-Web services. ISA Server 2006 breaks out Web from non-Web publishing tasks into two separate wizards, making it easier to publish non-Web protocols for your Exchange mail server. |
| SharePoint Portal Server Publishing Wizard (NEW) | It was possible to publish SharePoint Portal Servers using ISA 2004, but the process was potentially complex and not all features were available from the Internet because of problems with link translation. ISA Server 2006 solves this problem with enhanced support for SharePoint Portal Server publishing and an updated link translation dictionary that takes all the complexity out of successfully publishing a SharePoint Portal Server deployment. |
| Single Sign-on (NEW) | One of the most requested features that didn’t make its way into ISA 2004 was single sign-on. In ISA 2004, users had to reauthenticate even if they were connecting to a Web server in the same domain as the original Web server. ISA Server 2006 solves this problem by enabling single sign-on on a per-listener/per-domain basis. If multiple Web sites belong to the same domain and are published by the same Web listener, then users will not be required to reauthenticate and cached credentials are used. |
| Support for wildcard certificates on the published Web server (NEW) | ISA 2004 supported wildcard certificates on its Web listener, but did not support wildcard certificates on the published Web server located behind the ISA firewall. ISA Server 2006 improves on wildcard certificate support by allowing the ISA firewall administrator to use a wildcard certificate on the published Web server. |
| Advanced Client Certificate Restrictions and Configurable Certificate Trust List (NEW) | A completely new feature included with ISA Server 2006 is Client Certificate Restrictions and a configurable Certificate Trust List. The Client Certificate Restrictions feature allows you to set restrictions on the certificates users can provide when User Certificate authentication is enabled. Restrictions can be defined based on: Issuer, Subject, and Extensions. |
Conclusion
As you can see, there is a lot more included in the new ISA 2006 firewall than initially meets the eye.
While the ISA 2006 firewall doesn't provide the world shaking differences we saw with the upgrade
from ISA Server 2000, I think you’ll find that the upgrade to ISA 2006 is well worth the effort both in
terms of increased functionality and user satisfaction, and increased uptime and reliability.
If you have questions about what the new ISA 2006 firewall has to offer your organization, feel free to
post a question on the Web boards in the links provided in this article. If you wish to contact me
privately, you can contact me at tshinder@isaserver.org and I can help provide information that will
help you make a compelling argument to your business decision makers who sign the checks for your
ISA firewall upgrade. I can also help you deal with the “network guys” who don’t understand the ISA
firewall and might push back at your attempts to secure your network and networked applications.
In addition to enhanced security, there are some other benefits to using the ASA (or another firewall) at
the network edge. If someone were to circumvent the access controls that are in place on that edge
firewall, they would not be able to use those same methods of exploitation on the ISA firewall. If I
practice security in layers but deploy the same model firewall at each layer, an attacker can use the same
method used to bypass my internal firewalls as they used to bypass my edge firewall.
An additional benefit of using another firewall at the network edge is that by squelching ‘Internet noise’, the logs on the ISA firewall become much more meaningful. It allows me to find important information much more quickly than having to sift through mountains of data that is mostly port scans and probes that occur constantly on the public Internet. This also frees up resources on my ISA firewall that are better put to use on inspecting important traffic.
Every business organization that’s connected to the Internet needs a firewall to protect the internal
network from attacks, but selecting the right firewall can be an overwhelming task. There are a plethora
of products on the market, ranging in price from a few hundred dollars to tens of thousands. Software
firewalls, hardware firewalls, “personal” firewalls, enterprise firewalls – how do you even begin to
evaluate their features and determine what you need and what you don’t?
As attackers grew more sophisticated and began to exploit higher layer protocols (DNS, SMTP, POP3,
etc.), firewalls had to do more. Most business-class firewalls today perform at least some application
layer filtering, or ALF. See my article “ALF: What is it and How Does it Fit into Your Security Plan” on
this site for details. ALF is necessary to prevent application layer attacks and to filter for spam and
viruses, or to perform content filtering to block objectionable Web sites based on content rather than just
IP address.
Firewalls today are often more than “sentries” at the network gate. Vendors have added other features
that aren’t strictly firewall functions, such as VPN gateway and Web caching. Almost all modern
firewalls other than those at the very low end support VPN, and many either include caching to
accelerate Web performance or offer add-on modules for that purpose. In fact, many vendors have
started calling their products “multifunction security” devices or software, instead of simply “firewalls.”
Network firewalls can protect multiple computers. However, not all network firewalls are created equal.
Some are simple devices or programs that cost little more than personal firewalls. Many consumer-grade
DSL and cable routers include this type of firewall technology. Simple network firewalls perform packet
filtering, but usually don’t do more than very rudimentary ALF.
Enterprise firewalls are “all business,” designed for large, complex networks. It goes without saying that
they cost much more. They will handle many more users, have faster throughput, and have advanced
features, such as:
Cost for host-based firewalls is usually around $100 or less. Enterprise firewalls can cost over $25,000.
The most popular medium-range business firewalls cost from $1500 to around $5000. But that’s just the
initial purchase price. As we’ll see later, many vendors charge extra for functionalities that others
include free.
Hardware firewalls can be further divided into those that are basically dedicated PCs with hard disks and
those that are solid state devices built on ASIC (Application Specific Integrated Circuit) architecture.
ASIC firewalls are generally faster performers and don’t have the hard disk (a mechanical device) as a
potential point of failure.
Software firewalls include Microsoft ISA Server, CheckPoint FW-1 and Symantec Enterprise Firewall
at the enterprise level, as well as most personal firewalls. ISA Server runs on Windows 2000/2003, and
FW-1 runs on Windows NT/2000, Solaris, Linux, and AIX, as well as proprietary appliance operating
systems. Symantec EF runs on Windows and Solaris.
Hardware firewalls include Cisco PIX, Nokia (which runs CheckPoint FW-1 on top of their IPSO
operating system), SonicWall, NetScreen, Watchguard, and Symantec’s 5400 series appliances (which
run their Enterprise Firewall software).
Hardware firewalls are often marketed as “turn key” because you don’t have to install the software or
worry about hardware configuration or conflicts. Those that run proprietary operating systems claim
greater security because the OS is already “hardened” (however, many of the proprietary systems have
been exploited nonetheless). A disadvantage of hardware firewalls is that you’re locked into the
vendor’s specs. For instance, a firewall appliance will have a certain number of network interfaces, and
you’re stuck with that number. With a software firewall, you can add NICs to the machine on which it’s
running to increase the number of available interfaces. You can also more easily upgrade the standard
PC on which the software firewall runs, easily adding standard RAM or even multiple processors for
better performance.
Important Firewall Features
Most businesses need more than a personal or simple network firewall can offer, but unless you’re
running an ISP or datacenter, the top of the line enterprise firewalls are probably overkill (not to mention
the way they can kill your budget). Assuming you have a medium sized business and are in the market
for a firewall in the $2000-10,000 range, what’s out there and what’s the difference between them?
- Architecture: do you prefer a software firewall that you can install on a new or existing PC or a dedicated appliance?
- How many concurrent firewall sessions does the firewall need to support?
- How many VPN tunnels do you need to be able to run concurrently?
- What VPN protocols do you want to use (IPSec, PPTP, L2TP)?
- Do you need integration with Exchange mail servers or SharePoint collaboration servers?
- What type of management user interface (UI) do you prefer: command line interface (CLI), graphical management console, Web-based interface? Do you need to manage the firewall via SSH, Telnet, or SNMP? Do you need centralized management of multiple firewalls?
- Do you need high availability (load balancing, failover) features?
There is no One Perfect Firewall. Each product has strengths and weaknesses, and after you’ve
evaluated your needs and decided which features are most important for your organization, you should
carefully compare the technical specs and datasheets of different firewall products to determine which
meet your own needs best.
For example, the Cisco PIX firewalls are reliable and well-liked, but many administrators don’t like the
PIX Device Manager (PDM) Web interface and prefer to use the CLI. If you’re uncomfortable with the
command line, this might be a factor in your choice. SonicWall mid-range Pro 230 firewalls offer a big
price advantage over other brands, but support fewer VPN tunnels (500 as compared to 12,500 for the
mid-range Nokia 350 and 8000 for the mid-range Watchguard V80). On the other hand, the NetScreen
50, which costs $4000 more than the SonicWall, provides fewer VPN tunnels (100) and fewer
concurrent sessions (8000 vs. SonicWall’s 30,000).
- Web caching
- Centralized management and reporting
- Spam filtering
- High availability
- URL screening
- Anti-virus
With other firewalls, some or all of these features are built in. For example, ISA Server’s management
console can be used to manage multiple ISA Servers, and its ALF functions can be used for rudimentary
spam filtering, while ISA can use the Windows server operating system’s built in load balancing
functionality.
Another consideration is throughput (amount of data transferred per second). Performance is important
in a busy network where people depend on accessing resources quickly. Firewall throughput can range
from 150Mbps to over 1Gbps. When comparing vendors’ throughput claims, look closely to be sure you
aren’t comparing apples and oranges. VPN throughput, especially with strong encryption, will be far
slower than firewall throughput. Also, some vendors will list throughput as bidirectional. Of course,
throughput doesn’t determine access speed to the Internet; you’re still limited by the speed of your
Internet connection.
Some special considerations dictate the use of a particular firewall. For example, no other product
integrates with and protects Exchange servers and Outlook Web Access (OWA) users as well as ISA
Server, because both products are made by Microsoft to work seamlessly together. ISA Server is also
designed from the ground up to work with SharePoint Portal Servers (SPS). If protecting your Exchange
and SPS servers is a high priority, ISA is your logical first choice.
Licensing schemes vary widely and some are so complex that they’re confusing. For example, some
vendors charge extra for every VPN client. If you have 1000 VPN clients, even at $15 each, that adds up
to $15,000. Other vendors, such as Microsoft, don’t require client licenses for VPN connections, and
their VPN client software (PPTP and L2TP clients) are built into every modern Microsoft operating
system. Some vendors also base the initial cost of the firewall on a specified number of users, and if you
exceed that, you’ll have to buy an upgraded license.
A firewall solution that looks like the least expensive based on list price for the software or appliance
might end up costing much more when you purchase all the necessary licenses and add-on modules or
services.
Summary
Buying a firewall for your organization can be a daunting task, but it’s made easier by being properly
prepared. That means knowing how many users it needs to support (and taking future growth into
account), whether you’ll have VPN users and how many, whether you have Exchange and SharePoint
servers you need to protect, whether you need to manage multiple servers centrally, and whether you
want extra features such as Web caching. You’ll also want to determine whether you prefer that extra
functions be performed “off box” (which increases the amount of hardware required but puts less load
on the firewall’s processor) or “on box” which may be more convenient and reduce cost. There are many
decisions to make when you start to evaluate firewall options. In this article, we’ve discussed just a few
of the items you should consider.
Knowing:
- how many users it needs to support (and taking future growth into account),
- whether you’ll have VPN users and how many,
- which Exchange and SharePoint servers you need to protect,
- whether you need to manage multiple servers centrally,
- whether you want Web caching, and
- whether you prefer that extra functions be performed “off box” (which increases the amount of hardware required but puts less load on the firewall’s processor) or “on box”, which may be more convenient and reduce cost.
This convergence can impact in two ways. On the positive side, if the appliance is easy to manage and it fits the application and environment perfectly then go for it. On the negative side, with all the eggs in one basket, poorly scoped deployments, or situations where the product does not quite fit the environment, it can be a trigger for disaster. If the device lacks the redundancy needed for that deployment, a single failure in one subsystem can mean that the whole device is offline.
The most common baseline requirement these days is Stateful Packet Inspection (SPI). Vendors also generally
incorporate individual packet filtering as well as port filtering. Two other features are now commonly
found in most mainstream firewalls: they act as application gateways or proxies, and they support rule- or
policy-based access control lists that reference IP addresses/ranges, network user IDs and so on. Some
vendors also let the administrator of the device set up advanced rule sets to enforce the enterprise's
security policies and framework, be it content filtering, Web access/content control, blacklists/whitelists,
or even bandwidth shaping and management.
Virtual firewalls and virtual policies/rule-sets are now making an appearance -- allowing several administrators
to have access to their own areas and rules on the one appliance.
If a Trojan has breached the other security defences because of a negligent user, an SPI firewall will let
its traffic through, since the connection appears to be a legitimate request originating on the LAN. Where
SPI firewalls come into their own is in conjunction with other methods of data scanning within the firewall,
or with another firewall on the LAN. SPI provides partial coverage while still maintaining performance across
the network.
If a large enterprise were looking to protect its corporate network and every single packet of data, both
inbound and outbound, had to be captured, logged, scanned for suspicious characteristics and then traced,
the hit on network bandwidth would be unacceptable and the firewall would become a bottleneck. While not an
ideal solution, SPI can ease the pain while other techniques are implemented to handle its deficiencies. A
further benefit of SPI is that it can be used as an additional layer of protection for a Demilitarized Zone
(DMZ) or a network that must allow public access to some machines/servers. It can allow specific IP
addresses or segments on the LAN to have open ports, so the administrator essentially selects from a list
which ports to open or close for any given machine's IP address on the LAN.
The majority of these devices are more than just firewalls but we have kept our focus on firewall
considerations for the time being -- see the feature tables for some of the additional extras.
I'm about to get my first broadband connection, and I know I need to get a firewall.
However, I've been getting some conflicting advice as to what type of firewall I need. Some
people tell me I should get a hardware firewall, while others tell me a software firewall is
preferred. What's the difference, and more importantly, which is better?
Good question. The truth is that in a typical home office environment, one type of firewall
isn't necessarily better than the other. There are some differences, though, and they can be
used together to give you an even greater degree of protection.
Hardware firewalls are important because they provide a strong degree of protection from most
forms of attack coming from the outside world. Additionally, in most cases, they can be
effective with little or no configuration, and they can protect every machine on a local network.
A hardware firewall in a typical broadband router employs a technique called packet filtering,
which examines the header of a packet to determine its source and destination addresses.
This information is compared to a set of predefined and/or user-created rules that determine
whether the packet is to be forwarded or dropped. A more advanced technique called Stateful
Packet Inspection (SPI) looks at additional characteristics, such as a packet's actual origin (i.e.
did it come from the Internet or from the local network) and whether incoming traffic is a
response to an existing outgoing connection, such as a request for a Web page.
But most hardware residential firewalls have an Achilles' heel in that they typically treat any kind
of traffic traveling from the local network out to the Internet as safe, which can sometimes be a
problem.
Consider this scenario: What would happen if you received an e-mail message or visited a
website that contained a concealed program? Let's say this program was designed to install
itself on your machine and then surreptitiously communicate with someone via the Internet —
a distributed denial of service (DDoS) attack zombie or a keystroke logger, for example? And
trust me, this is by no means an unlikely scenario.
To most broadband hardware firewalls, the traffic generated by such programs would appear
legitimate since it originated inside your network and would most likely be let through. This
malevolent traffic might be blocked if the hardware firewall was configured to block outgoing
traffic on the specific Transmission Control Protocol/Internet Protocol (TCP/IP) port(s) the
program was using, but given that there are over 65,000 possible ports and there's no way to
know which ports a program of this nature might use, the odds of the right ones being blocked
are slim.
Moreover, blocking too many ports would almost certainly adversely affect your ability to use
some programs (many games, for instance). Also, some broadband router firewalls don't even
provide the ability to restrict outgoing traffic, only incoming traffic.
Another potential scenario where a software firewall would be useful is an e-mail worm with its
own e-mail server, like the recent "SoBig" worm. Its built-in mail server could attempt to send
mail on the valid Simple Mail Transfer Protocol (SMTP) port (25), which would probably pass
through the router because of its trusted origin.
On the other hand, a software firewall could be configured to only allow Microsoft Outlook to
use port 25 (assuming Outlook is your e-mail client). Any attempt by another application to use
the port would be dropped, or blocked pending user confirmation. For that matter, the
application's attempt to use any port would be blocked if the firewall was configured that way.
By comparison, a hardware firewall that had the ability to filter outgoing traffic might allow you
to block most kinds of traffic from a particular PC, but it wouldn't be able to flag you and alert
you to repeated attempts to infiltrate your computer.
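The behaviours described above, as an added example that is not code from any of these articles: a toy stateful packet filter in Python. It models the SPI rule (inbound allowed only as the reply to a tracked outbound connection or to a published DMZ server), the router's port-based egress blocklist, and the host firewall's per-program rule that lets only the mail client use port 25. The packets are constructed tuples, not real traffic, and the LAN prefix, addresses, ports and process names are assumptions chosen for the demo.

```python
"""Toy stateful packet filter (added example; not code from any article above).

It models, with constructed packets rather than real traffic, the behaviours
the text describes: a router's stateful inspection (inbound allowed only as a
reply to a tracked connection or to a published server), the router's
port-based egress blocking, and a host firewall's per-program egress policy.
The LAN prefix, addresses, ports and process names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

LAN_PREFIX = "192.168.1."   # assumed trusted-side address range

# Verdicts returned by StatefulFirewall.filter()
ALLOW_OUT = "ALLOW outbound (connection now tracked)"
ALLOW_REPLY = "ALLOW inbound reply to a tracked connection"
ALLOW_PUBLISHED = "ALLOW inbound to a published server"
DROP_UNSOLICITED = "DROP unsolicited inbound"
DROP_EGRESS_PORT = "DROP outbound: destination port blocked"
DROP_APP = "DROP outbound: program not permitted on this port"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    process: str = ""   # program that opened the socket; only a host firewall sees this


@dataclass
class StatefulFirewall:
    # Router defaults: outbound allowed, inbound denied unless it belongs to a
    # tracked flow. The two optional policies are the controls the text contrasts.
    egress_blocked_ports: Set[int] = field(default_factory=set)       # router-style blocklist
    app_policy: Dict[str, Set[int]] = field(default_factory=dict)     # host-style {program: allowed dports}
    published: Set[Tuple[str, int]] = field(default_factory=set)      # {(inside ip, port)}, e.g. a DMZ web server
    connections: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        outbound = pkt.src.startswith(LAN_PREFIX) and not pkt.dst.startswith(LAN_PREFIX)
        if outbound:
            if pkt.dport in self.egress_blocked_ports:
                return DROP_EGRESS_PORT
            # A host firewall knows which program is sending and can refuse any
            # program without an entry, or one using a port it is not allowed.
            if self.app_policy and pkt.dport not in self.app_policy.get(pkt.process, set()):
                return DROP_APP
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return ALLOW_OUT
        # Inbound: the reverse of a tracked flow, or a published service; else drop
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return ALLOW_REPLY
        if (pkt.dst, pkt.dport) in self.published:
            return ALLOW_PUBLISHED
        return DROP_UNSOLICITED


def demo() -> Dict[str, str]:
    """Run the scenarios from the text; returns {scenario: verdict}."""
    pc, web, mx, c2, scanner = "192.168.1.20", "203.0.113.5", "198.51.100.25", "198.51.100.9", "198.51.100.7"
    web_req = Packet(pc, 50001, web, 80, process="browser.exe")
    web_reply = Packet(web, 80, pc, 50001)
    probe = Packet(scanner, 40000, pc, 445)                      # unsolicited scan from outside
    to_dmz = Packet(scanner, 40001, "192.168.1.10", 80)          # public request to a published server
    beacon = Packet(pc, 50002, c2, 6667, process="zombie.exe")   # DDoS zombie phoning home
    beacon_alt = Packet(pc, 50003, c2, 443, process="zombie.exe")
    worm_smtp = Packet(pc, 50004, mx, 25, process="sobig.exe")   # worm with its own SMTP engine
    mail = Packet(pc, 50005, mx, 25, process="outlook.exe")

    router = StatefulFirewall(published={("192.168.1.10", 80)})
    router_blocklist = StatefulFirewall(egress_blocked_ports={6667})
    host = StatefulFirewall(app_policy={"browser.exe": {80, 443}, "outlook.exe": {25, 110}})
    return {
        "router_web_req": router.filter(web_req),
        "router_web_reply": router.filter(web_reply),       # matches the tracked flow
        "router_probe": router.filter(probe),
        "router_dmz": router.filter(to_dmz),
        "router_beacon": router.filter(beacon),             # the Achilles' heel: let through
        "router_worm_smtp": router.filter(worm_smtp),       # trusted origin, port 25: let through
        "router_blocklist_beacon": router_blocklist.filter(beacon),         # guessed the right port
        "router_blocklist_beacon_alt": router_blocklist.filter(beacon_alt), # guessed wrong
        "host_worm_smtp": host.filter(worm_smtp),           # not Outlook: refused
        "host_beacon": host.filter(beacon),                 # unknown program: refused
        "host_mail": host.filter(mail),
        "host_web_req": host.filter(web_req),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:30} {verdict}")
```

The router-only runs show the point of the text: the zombie and the worm both leave untouched, and a port blocklist only helps when the guessed port happens to be right. The host firewall's policy is keyed on the program, not the port, so the worm is refused on port 25 even though Outlook is allowed there, and an unknown program is refused everywhere.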
One obvious downside to software firewalls is that they can only protect the machine they're
installed on, so if you have multiple computers (which many small offices do), you need to buy,
install, and configure a software firewall separately on each machine. This can get expensive
and can be difficult to manage if you have a lot of computers.
But the fact of the matter is that software firewalls generally offer the best measure of
protection against certain types of situations like Trojan programs or e-mail worms. Speaking
of which, a firewall isn't the only protection method available to you. Whether you end up using
a software firewall or a hardware firewall, you should always supplement it with anti-virus
software.
A good anti-virus package is just as important as a firewall, and I would seriously suggest that
you invest in a good one (I'm partial to both Norton and McAfee myself). However, keeping
your virus definitions updated is far more important than which program you use. I cannot
stress the importance of this enough. Making sure your definitions are current is absolutely
critical to maintaining your protection. Many Anti-virus programs today can be configured to
automatically update themselves, so you have no excuse for not maintaining them.
The bottom line is that with any home-office broadband connection, a hardware firewall should
be considered a bare minimum, and supplementing it with a software firewall on one or more
computers (and don't forget anti-virus software) is almost always a good idea.
A hardware firewall uses packet filtering to examine the header of a packet to determine its source
and destination. This information is compared to a set of predefined or user-created rules that
determine whether the packet is to be forwarded or dropped.
As with any electronic equipment, a computer user with general computer knowledge can plug in a
firewall, adjust a few settings and have it work. To ensure that your firewall is configured for optimal
security and protection, however, consumers will no doubt need to learn the specific features of their
hardware firewall, how to enable them, and how to test the firewall to ensure it is doing a good job of
protecting the network.
Not all firewalls are created equal, and to this end it is important to read the manual and
documentation that comes with your product. Additionally the manufacturer's Web site will usually
provide a knowledgebase or FAQ to help you get started. If the terminology is a bit too tech-
oriented, you can also use the Webopedia search to help you get a better understanding of some of
the tech and computer terms you will encounter while setting up your hardware firewall.
To test your hardware firewall security, you can purchase third-party test software or search the
Internet for a free online-based firewall testing service. Firewall testing is an important part of
maintenance to ensure your system is always configured for optimal protection.
Software Firewalls
For individual home users, the most popular firewall choice is a software firewall. Software firewalls
are installed on your computer (like any software) and you can customize them, which gives you some
control over their function and protection features. A software firewall will protect your computer from
outside attempts to control or gain access to it and, depending on your choice of software firewall, may
also provide protection against the most common Trojan programs or e-mail worms. Many software firewalls
have user-defined controls for setting up safe file and printer sharing and for blocking unsafe
applications from running on your system. Additionally, software firewalls may incorporate privacy
controls, web filtering and more. The downside to software firewalls is that they will only protect the
computer they are installed on, not a network, so each computer will need to have a software firewall
installed on it.
Like hardware firewalls, there are a vast number of software firewalls to choose from. To get started
you may wish to read reviews of software firewalls and search out the product Web site to glean
some information first. Because your software firewall will always be running on your computer, you
should make note of the system resources it will require to run and any incompatibilities with your
operating system. A good software firewall will run in the background on your system and use only a
small amount of system resources. It is important to monitor a software firewall once installed and to
download any updates available from the developer.
The differences between a software and hardware firewall are vast, and the best protection for your
computer and network is to use both, as each offers different but much-needed security features
and benefits. Updating your firewall and your operating system is essential to maintaining optimal
protection, as is testing your firewall to ensure it is connected and working correctly.
Overview
Juniper Networks NetScreen hardware firewall is the recommended hardware firewall appliance for use
at the University of Pennsylvania. (The information below relates to SSG series appliances. Updates to
this document are coming soon to include information about the SRX series and JunOS.) The firewall
appliance is a security tool that, when configured correctly, filters traffic between trusted zones (private)
and un-trusted zones (PennNet). A firewall allows or blocks network traffic between the trusted and the
un-trusted zone based on policies defined by the firewall administrator.
A number of schools and centers (School of Arts and Sciences, the Annenberg School, Facilities
Services, Vice Provost for University Life, Law School) have successfully deployed various NetScreen
hardware firewalls and have spoken highly of the appliance's reliability, effectiveness and ease of use,
especially when deployed in a Layer 2 transparent mode.
There are a number of other hardware firewalls in use on campus such as CISCO PIX, Nokia IP350 and
Checkpoint Firewall 1NG. To read more about feedback on the different models of hardware firewall in
use on campus please visit the Hardware Firewall Evaluation - Fall 2004.
The table below lists the NetScreen firewall appliances that run on ScreenOS 5.x and that support Layer
2 and Layer 3 operations mode. Updates to this chart are coming soon to address the Juniper SRX Series
and JunOS.
Consider firewall design and implementation issues. Where will you place the firewall? Do you intend
to create a large perimeter to protect all your servers and desktops?
Don't rely only on the firewall for your domain security. It's essential to focus on properly configuring,
securing, and patching your domain controllers, servers and desktops. Always secure your domain
through Microsoft security configuration first, and then use a hardware firewall as another layer of
security. Security in depth is recommended.
Threats come from all devices allowed through the firewall as well as from external sources. A
firewall does not protect servers or desktops from other hosts on the same side of the firewall, so it is
critical that all workstations, printers and other network devices are properly secured and up to date
with operating system security patches and anti-virus updates.
Secure and verify laptops and mobile devices. Be aware of the threats and vulnerabilities that remote
users' laptops bring when they are carried in and connected on the trusted side of the firewall.
Proper maintenance of the firewall is critical. The firewall operating system must be maintained at the
latest release and patch level to address security vulnerabilities.
Backup firewall configuration. Store a copy of the configuration file on an external device to facilitate
restoration of the file in case of disaster.
Enable traffic log monitoring. Use traffic logs to monitor session activities to verify the effectiveness of
policies.
When a firewall is used with a vLAN, a firewall administrator can establish a large secure perimeter
around systems by limiting the flow of traffic. All network traffic between the private vLAN and PennNet is
examined by the firewall to see if it meets certain criteria defined by policy. Criteria commonly used to
allow or block traffic are IP addresses/ranges and the network ports which support specific services.
Netscreen Firewall   Interfaces                              Maximum Throughput   Maximum Sessions   Maximum VPN Tunnels   Maximum Policies
SSG 5                7 ports 10/100                          160 Mbps             8,000/16,000       25/40                 200
SSG 140              8 ports 10/100, 2 ports 10/100/1000     300 Mbps             48,000             150                   1000
SSG 520              4 ports 10/100/1000                     600 Mbps             64,000             500                   1000
SSG 550              4 ports 10/100/1000                     1 Gbps               128,000            1000                  4000
Supported Modes of Operation
Layer 2 mode
Transparent bridging. In this mode, the NetScreen firewall functions as a Layer 2 forwarding device (a
transparent bridge, not a router), allowing quick deployment of the firewall appliance without changes to
the existing network topology. Servers can continue to use public PennNet IP addresses.
Layer 3 mode
Routing: In this mode, the NetScreen firewall functions as a Layer 3 router, and requires the
administrator to configure a static routing table manually.
Network Address Translation (NAT): In this mode, the appliance translates internal addresses and port
numbers to the outbound public interface address with a dynamically assigned port number. NAT can be
configured for NAT-src, and for NAT-dst with Mapped IP (MIP) and Virtual IP (VIP).
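The three translations just described, as an added example in Python that is not Juniper's code and uses no ScreenOS syntax: source NAT behind the public interface with a dynamically assigned port, a Mapped IP (one public address mapped one-to-one onto one private host, every port), and a Virtual IP (one public address whose published ports fan out to different internal servers). The interface address, the port range and the hosts behind the MIP and VIP are assumptions for the demo.

```python
"""Toy NAT table for NAT-src, Mapped IP and Virtual IP (added example).

This is not Juniper's code and not ScreenOS syntax; it models only the three
translations named above, with constructed addresses. The untrust interface
address, the dynamic port range and the servers behind the MIP/VIP are
assumptions for the demo.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Optional, Tuple

PUBLIC_IF = "203.0.113.1"    # assumed address of the untrust-side interface
Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class NatTable:
    mip: Dict[str, str] = field(default_factory=dict)            # {public ip: private ip}, one-to-one
    vip: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # {(vip address, port): (private ip, port)}
    ports: Iterator[int] = field(default_factory=lambda: count(1024))   # dynamic NAT-src ports
    out_bindings: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    in_bindings: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)

    def __post_init__(self):
        self._mip_reverse = {priv: pub for pub, priv in self.mip.items()}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """New source (ip, port) for a packet leaving the trust zone."""
        ip, port = src
        if ip in self._mip_reverse:
            # MIP: fixed one-to-one address swap, port untouched (works in both directions)
            return (self._mip_reverse[ip], port)
        # NAT-src: hide behind the interface address. The dynamically assigned
        # port keeps two inside hosts apart even if both chose the same source port.
        key = (src, dst)
        if key not in self.out_bindings:
            pub_port = next(self.ports)
            self.out_bindings[key] = pub_port
            self.in_bindings[(pub_port, dst)] = src
        return (PUBLIC_IF, self.out_bindings[key])

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """New destination for a packet arriving from the untrust zone; None means drop."""
        ip, port = dst
        if ip == PUBLIC_IF:
            # Only a reply to an existing binding, and only from the remote endpoint
            # the binding was opened to: anyone else probing the port is dropped.
            return self.in_bindings.get((port, src))
        if ip in self.mip:
            return (self.mip[ip], port)          # MIP: every port reaches the private host
        return self.vip.get(dst)                 # VIP: only the published ports, each to its own server


def demo() -> Dict[str, Optional[Endpoint]]:
    """The three modes side by side; returns {scenario: translated endpoint or None}."""
    nat = NatTable(
        mip={"203.0.113.10": "10.0.0.10"},
        vip={("203.0.113.20", 80): ("10.0.0.80", 8080),
             ("203.0.113.20", 25): ("10.0.0.25", 25)},
    )
    remote = ("198.51.100.1", 80)
    out_a = nat.outbound(("10.0.0.5", 40000), remote)
    out_b = nat.outbound(("10.0.0.6", 40000), remote)     # same source port as host a
    return {
        "natsrc_host_a": out_a,                                                   # (PUBLIC_IF, 1024)
        "natsrc_host_b": out_b,                                                   # (PUBLIC_IF, 1025)
        "natsrc_reply_to_b": nat.inbound(remote, out_b),                          # back to 10.0.0.6:40000
        "natsrc_spoofed_reply": nat.inbound(("198.51.100.99", 80), out_b),        # wrong remote: dropped
        "mip_outbound": nat.outbound(("10.0.0.10", 40000), remote),
        "mip_inbound_ssh": nat.inbound(("198.51.100.2", 50000), ("203.0.113.10", 22)),
        "vip_http": nat.inbound(("198.51.100.3", 50001), ("203.0.113.20", 80)),
        "vip_smtp": nat.inbound(("198.51.100.3", 50002), ("203.0.113.20", 25)),
        "vip_unpublished": nat.inbound(("198.51.100.3", 50003), ("203.0.113.20", 443)),
        "unsolicited": nat.inbound(("198.51.100.3", 50004), (PUBLIC_IF, 5555)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:24} {result}")
```

Two design points matter for security rather than just connectivity. The NAT-src binding is keyed on the remote endpoint as well as the public port, so a third party who learns the port number cannot inject packets into the flow. And a MIP exposes every port of the private host, which is why the text pairs it with firewall policies, whereas a VIP exposes only the ports you publish.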
OSI Model
The OSI, or Open System Interconnection, model defines a networking framework for implementing
protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in
one station, proceeding to the bottom layer, over the channel to the next station and back up the
hierarchy. See Webopedia, the online dictionary, for an explanation of the 7 Layers of the OSI Model.
Thin Computing vs. Desktop PCs vs. Datacenters
Moving problems from one place to another...
Most companies worldwide use a large number of desktop systems, and as that number grows by the year, so
does the energy bill, along with additional costs such as service and maintenance. Desktop virtualization
aims to replace the large number of desktop computer systems typically used in companies with a few
powerful servers that can sustain a high number of thin clients. The Australian Computer Society (ACS for
short) recommended this course of action after a study showed that desktop computer systems are among the
most important contributors to the eight million tonnes of CO2 produced by Australian enterprises each
year.
According to the news site zdnet.com, the Australian association claims that thin clients are less energy
intensive and need less power to operate than their desktop counterparts. While the thin client approach
may reduce overall energy consumption, Kris Kumar, director of data center design specialists 3i Group,
said that this is not the best solution, as it simply moves the intense energy consumption from desktop
systems to server rooms, which are already quite energy hungry. "If you adopt a thin computing approach
and then realize the datacentre cannot cope, you will use band-aid approaches to fixing that problem,
which will never be optimum," he said.
The main problem, according to him, is that most companies and enterprises are not using a global strategy
to reduce their energy footprint; they simply patch problems as they go, and that approach leads to a
"major chaos in global markets in the datacentre space". While carbon emissions are certainly important,
they are only a small part of the whole environmental problem caused by the computer industry, and Ward
Nash, from the thin computing manufacturer WYSE, said that thin clients offer a better alternative to
desktop computer systems because they have a longer lifespan than their counterparts, which are typically
rated to last around three years. Apart from this advantage, thin clients are more environmentally friendly
because they are simple machines, so they require fewer materials to build.
Ward Nash also said that using the thin client approach, most companies can get rid of the burden of old and useless
hardware, while benefiting from lower management costs and better security, as all the data and applications are
stored on a secure server system and not on every desktop computer.
What is RAID?
In the late 1980s and early 1990s, computer information servers were encountering a dramatic increase
in the amount of data they needed to serve and store, and placing a large number of high-capacity hard
drives in a server was becoming very expensive. A solution was needed, and thus RAID was born.
So what exactly is RAID? First of all, the acronym stands for Redundant Array of Inexpensive Disks. It is a
system whereby a number of low-cost hard drives are linked together to form a single large-capacity
storage device that offers superior performance, capacity and reliability over older storage solutions. It
has been a widely used and deployed method for storage in the enterprise and server markets, but over
the past 5 years has become much more common in end-user systems.
Advantages of RAID
Redundancy
Increased Performance
Lower Costs
Redundancy is the most important factor in the development of RAID for server environments. This allowed
for a form of backup of the data in the storage array in the event of a failure. If one of the drives in the array
failed, it could either be swapped out for a new drive without turning the systems off (referred to as hot
swappable) or the redundant drive could be used. The method of redundancy depends on which version of
RAID is used.
The increased performance is only found when specific versions of the RAID are used. Performance will also be
dependent upon the number of drives used in the array and the controller.
All managers of IT departments like low costs. When the RAID standards were being developed, cost was also
a key issue. The point of a RAID array is to provide the same or greater storage capacity for a system
compared to using individual high capacity hard drives. A good example of this can be seen in the price
differences between the highest capacity hard drives and lower capacity drives. Three drives of a smaller size
could cost less than an individual high-capacity drive but provide more capacity.
There are typically three forms of RAID used in desktop computer systems: RAID 0, RAID 1 and RAID 5. In
most cases only the first two are available, and one of the two is technically not a form of RAID at all.
RAID 0
The lowest designated level of RAID, level 0, is strictly speaking not RAID at all: it was given the
designation level 0 because it provides no redundancy for the data stored in the array. Thus, if one of
the drives fails, all the data in the array is lost.
RAID 0 uses a method called striping. Striping takes a single chunk of data like a graphic image, and spreads
that data across multiple drives. The advantage that striping has is in improved performance. Twice the
amount of data can be written in a given time frame to the two drives compared to that same data being
written to a single drive.
Below is an example of how data is written in a RAID 0 implementation. Each row in the chart represents a
physical block on the drive and each column is the individual drive. The numbers in the table represent the
data blocks. Duplicate numbers indicate a duplicated data block.
Drive 1 Drive 2
Block 1 1 2
Block 2 3 4
Block 3 5 6
Thus, if the 6 blocks of data above constitute a single file, it can be read and written much faster than
if it were on a single drive. Each drive working in parallel reads only 3 physical blocks, while a single
drive would take twice as long because it has to read all 6. The drawback, of course, is that if one drive
fails the file is unreadable: all 6 data blocks are needed, but only three are accessible.
Advantages:
Increased performance
Disadvantages:
No redundancy of data; one failed drive loses the whole array
RAID 1
RAID version 1 was the first real implementation of RAID. It provides a simple form of redundancy for data
through a process called mirroring. This form typically requires two individual drives of similar capacity. One
drive is the active drive and the secondary drive is the mirror. When data is written to the active drive, the
same data is written to the mirror drive.
The following is an example of how the data is written in a RAID 1 implementation. Each row in the chart
represents a physical block on the drive and each column is the individual drive. The numbers in the table
represent the data blocks. Duplicate numbers indicate a duplicated data block.
Drive 1 Drive 2
Block 1 1 1
Block 2 2 2
Block 3 3 3
This provides a full level of redundancy for the data on the system. If one of the drives fails, the other drive
still has all the data that existed in the system. The big drawback of course is that the capacity of the RAID
will only be as big as the smallest of the two drives, effectively halving the amount of storage capacity if the
two drives were used independently.
Advantages:
Data is fully redundant; either drive alone holds everything
Disadvantages:
Usable capacity is that of the smaller drive, half the raw capacity
RAID 0+1
This is a hybrid form of RAID that some manufacturers have implemented to try and give the advantages of
each of the two versions combined. Typically this can only be done on a system with a minimum of 4 hard
drives. It then combines the methods of mirroring and striping to provide the performance and redundancy.
The first set of drives will be active and have the data striped across them while the second set of drives will
be a mirror of the data on the first two.
Below is an example of how data is written in a RAID 0+1 implementation. Each row in the chart represents a
physical block on the drive and each column is the individual drive. The numbers in the table represent the
data blocks. Duplicate numbers indicate a duplicated data block.
Drive 1 Drive 2 Drive 3 Drive 4
Block 1 1 2 1 2
Block 2 3 4 3 4
Block 3 5 6 5 6
In this case, the data blocks are striped across the drives within each of the two sets and mirrored
between the sets. This gives the increased performance of RAID 0, because each drive writes only half the
data a single drive would, and it provides redundancy. The major drawback, of course, is cost: this
implementation requires a minimum of 4 hard drives.
Advantages:
Increased performance
Data is fully redundant
Disadvantages:
Cost: requires a minimum of 4 hard drives
RAID 10 or 1+0
RAID 10 is similar to RAID 0+1, but nested the other way round. Rather than striping data within each set
and then mirroring the sets, the first two drives are mirrored together and the second two drives form
another mirrored pair; data is then striped across the two pairs. Drives 1 and 2 are a RAID 1 mirror and
drives 3 and 4 are a RAID 1 mirror, and these two sets are set up as a striped array.
Below is an example of how data is written in a RAID 10 implementation. Each row in the chart represents a
physical block on the drive and each column is the individual drive. The numbers in the table represent the
data blocks. Duplicate numbers indicate a duplicated data block.
Drive 1 Drive 2 Drive 3 Drive 4
Block 1 1 1 2 2
Block 2 3 3 4 4
Block 3 5 5 6 6
Just like RAID 0+1, RAID 10 requires a minimum of four hard drives to function. Performance is much the
same, but the data is better protected: RAID 10 keeps running as long as each mirrored pair still has one
working drive, whereas in RAID 0+1 a single failed drive takes its whole striped set out of service, so a
second failure in the other set loses everything.
Advantages:
Increased performance
Data is fully redundant, and more two-drive failure combinations are survivable than with RAID 0+1
Disadvantages:
Cost: requires a minimum of four hard drives
RAID 5
This is the most powerful form of RAID that can be found in a desktop computer system. Typically it requires
the form of a hardware controller card to manage the array, but some desktop operating systems can create
these via software. This method uses a form of striping with parity to maintain data redundancy. A minimum
of three drives is required to build a RAID 5 array and they should be identical drives for the best
performance.
Parity is computed with exclusive OR (XOR), a form of binary arithmetic in which two equal bits give 0
and two different bits give 1: 0+0 and 1+1 both give 0, while 0+1 and 1+0 give 1. The parity block for a
stripe is the XOR of all the data blocks in that stripe. Because XOR is reversible, any one missing block,
data or parity, can be recovered by XORing together the blocks that remain. This is how the array keeps
serving data after one drive fails, and how the controller rebuilds the replacement drive.
With that information in mind, here is an example of how a three-drive RAID 5 array lays out its blocks.
Each row in the chart represents a physical block on the drive and each column is an individual drive. The
numbers in the table represent the data blocks, and a "P" indicates the parity block computed from the
other two blocks in that row.
Drive 1 Drive 2 Drive 3
Block 1 1 2 P
Block 2 3 P 4
Block 3 P 5 6
The parity block rotates between the drives so that no single drive has to absorb every parity update,
which spreads both the write load and the risk. The array still has better performance than a single drive
because the multiple drives write the data in parallel, and the data is fully redundant because of the
parity blocks. If drive 2 fails, every block it held can be rebuilt from the data and parity blocks on the
two remaining drives. Data capacity is reduced by the parity blocks. In practice the capacity of the array
is (n - 1) x z, where n is the number of drives and z is the capacity of each drive:
In the case of three 500 gigabyte hard drives, the total capacity would be (3-1) x 500GB, or 1000 gigabytes.
Hardware RAID 5 implementations can also have a function called hot swap. This allows for drives to be
replaced while the array is still functioning to either increase the drives capacity or to replace a damaged
drive. The drive controller then takes time while the array is running to rebuild the data array across the
drives. This is a valuable feature for systems that require 24x7 operation.
Advantages:
Increased performance
Data is fully redundant: any single drive failure can be rebuilt from parity
Usable capacity of n-1 drives
Disadvantages:
One drive's worth of capacity goes to parity
Parity calculation is expensive, so a hardware controller is typically required
In order for RAID to function, there needs to be software either through the operating system or via dedicated
hardware to properly handle the flow of data from the computer system to the drive array. This is particularly
important when it comes to RAID 5 due to the large amount of computing required to generate the parity
calculations.
In software implementations, CPU cycles are taken away from the general computing environment to
perform the RAID work. Software implementations are very low cost monetarily, because all that is
necessary to implement one is the hard drives. The problem with software RAID implementations is the
performance drop: in general this hit can be 5% or more, depending on the processor, memory, drives
used and the level of RAID implemented. Most people do not use software RAID anymore because of the
decreasing cost of hardware RAID controllers over the years.
Hardware RAID has the advantage of dedicated circuitry to handle all the RAID drive array calculations outside
of the processor. This provides excellent performance for the storage array. The drawback to hardware RAID
has been the cost. In the case of RAID 0/1 controllers, those costs have become so low that many chipset
and motherboard manufacturers include these capabilities on the motherboard. The real cost rests with
RAID 5 hardware, which requires more circuitry for the added computing ability.
Drive Selection
What a lot of people don't realize is that the performance and capacity of a RAID array is heavily dependent
upon the hard drives used in the array. For the best results, all hard drives in the array should be the same
brand and model. This means that all of the hard drives will have the same capacity and performance levels.
It is not a requirement that the drives be matched, but mismatching the drives can actually hurt the RAID
array.
The capacity of the RAID array will depend upon the method implemented. In the case of RAID 0, the striping
can only be done across an equal amount of space on the two drives. As a result, if an 80GB and a 100GB drive
are used to make the array, the final capacity of the array would only be 160GB. Similarly, in RAID 1 the
drives can only mirror data equal to the smallest drive's size. Thus, based on the two drives mentioned before, the
final data size would only be 80GB. RAID 5 is a bit more complicated because of the formula mentioned
before. Once again the smallest capacity would be used. So if an 80GB, 100GB and 120GB drive were used to
make a RAID 5 array, the final capacity would be 160GB of data.
Performance of the array is also dependent upon the drives. In order for the array to function properly, it
must wait for the data to be written to each of the drives before it can continue. This means that in the
example charts for the RAID arrays, the controller must wait until all physical data has been written to block 1
across all the drives in the array before it can continue to the next set of data for the drives. As a result, an
array in which one drive has half the performance of the other two is slowed to the pace of that slowest drive.
Conclusions
Overall RAID provides systems with a variety of benefits depending upon the version implemented. Most
consumer users will likely opt to use the RAID 0 for increased performance without the loss of storage space.
This is primarily because redundancy is not an issue for the average user. In fact, most computer systems will
only offer either RAID 0 or 1. The costs of implementing a RAID 0+1 or RAID 5 system generally are too
expensive for the average consumer and are only found in high-end workstation or server level systems.
There are two possible RAID approaches: Hardware RAID and Software RAID.
An example of a Hardware RAID device would be one that connects to a SCSI controller and presents
the RAID arrays as a single SCSI drive. An external RAID system moves all RAID handling
"intelligence" into a controller located in the external disk subsystem. The whole subsystem is connected
to the host via a normal SCSI controller and appears to the host as a single disk.
RAID controllers also come in the form of cards that act like a SCSI controller to the operating system
but handle all of the actual drive communications themselves. In these cases, you plug the drives into the
RAID controller just like you would a SCSI controller, but then you add them to the RAID controller's
configuration, and the operating system never knows the difference.
The MD driver in the Linux kernel is an example of a RAID solution that is completely hardware
independent. The performance of a software-based array is dependent on the server CPU performance
and load.
For information on configuring Software RAID in the Red Hat Linux installation program, refer to
Chapter 10, Software RAID Configuration.
For those interested in learning more about what Software RAID has to offer, here is a brief list of the
most important features:
A hot-swap chassis allows you to remove a hard drive without having to power down your system.[1]
Disk arrays are used to improve performance and reliability. The amount of improvement depends
on the application programs that you run on the server and the RAID levels that you assign to the
logical drive.
Each RAID level provides different levels of fault-tolerance (data redundancy), utilization of
physical drive capacity, and read and write performance. In addition, the RAID levels differ in
regard to the minimum and maximum number of physical drives that are supported.
When selecting a RAID level for your system, consider the following factors.
Note: Not all RAID levels are supported by all ServeRAID controllers.
Physical drive utilization, read performance, and write performance depend on the number of
drives in the array. Generally, the more drives in the array, the better the performance.
I don’t think you should simply avoid RAID 60 at all costs; instead, make the decision on a case-by-case basis
with an understanding of the tradeoffs that you’ll face. In fact, you might find that RAID 60 is a great fit when
you need higher usable capacity and better reliability and can trade a little in write performance for it.
With RAID 60, you’re going to lose anywhere from around 12% to 50% of your usable space to parity
information. This is not a bad thing, and the whole design of RAID 6 is built around the idea that using more
space (two disks’ worth, to be exact) to enhance reliability is a good thing. If you’re ultra-concerned about
reliability, are you more likely to use fewer disks per individual RAID 6 set? If so, this would decrease the
overall usable capacity of the solution. In fact, in the diagram above, you’d lose 50% of your disk space to
parity, so why not just go with RAID 10 in that scenario?
With RAID 6, you will take a performance hit (more so than with RAID 50) when it comes to writes, but reads
will be boosted, as is the case with RAID 10 and RAID 50. The exact performance hit you take with writes
under RAID 60 is largely dependent on the quality of your RAID controller and on what you’re doing. If you’re
considering implementing a RAID 60 that eats 50% of your space in overhead, it’s time to consider just using
RAID 10, which will provide similar read performance and better overall write performance and provide
similar levels of redundancy.
From a pure reliability perspective, a RAID 60 array is orders of magnitude more reliable than even RAID 50
arrays due largely to the extra parity disk employed in RAID 60.
The more disks you add to each individual RAID 6 set in a RAID 60 array, the higher percentage of usable
space you get from the overall RAID 60 array. Perhaps the biggest tradeoff in RAID 60 is that you can build
larger individual RAID 60 sets in a safer manner than is possible under RAID 50, so from that perspective,
perhaps you can get more safely usable space from a RAID 60 array.
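The capacity rules the text states (the smallest-drive rule from the drive selection section, the (n-1) and
two-disk parity costs, and the RAID 60 overhead that falls as each RAID 6 set gets wider) worked through in
Python, as an added example that is not part of the original articles; the drive lists are constructed.

```python
# Added example (not from the article): usable capacity of a RAID array from
# the sizes of its member drives, applying the rules the text states:
#  - every member contributes only the smallest drive's capacity
#  - RAID 5 keeps (n - 1) drives' worth, RAID 6 keeps (n - 2)
#  - RAID 10/50/60 stripe several equal RAID 1/5/6 sets together
from typing import Sequence

def _base_capacity(level: int, drives: Sequence[int]) -> int:
    """Usable GB of a single RAID 0, 1, 5 or 6 set built from `drives` (GB)."""
    minimum = {0: 2, 1: 2, 5: 3, 6: 4}
    n = len(drives)
    if n < minimum[level]:
        raise ValueError(f"RAID {level} needs at least {minimum[level]} drives")
    smallest = min(drives)            # mismatched drives are cut to the smallest
    if level == 0:
        return n * smallest           # striping: all space, no redundancy
    if level == 1:
        return smallest               # mirroring: one drive's worth
    if level == 5:
        return (n - 1) * smallest     # one drive's worth of parity
    return (n - 2) * smallest         # RAID 6: two drives' worth of parity

def usable_capacity(level: int, drives: Sequence[int], sets: int = 1) -> int:
    """Usable GB for RAID 0/1/5/6, or RAID 10/50/60 built as `sets` equal sets."""
    nested = {10: 1, 50: 5, 60: 6}
    if level not in nested:
        return _base_capacity(level, drives)
    if len(drives) % sets:
        raise ValueError("drives must divide evenly into the RAID sets")
    per_set = len(drives) // sets
    groups = [drives[i * per_set:(i + 1) * per_set] for i in range(sets)]
    # the top-level stripe treats each set like a drive: smallest set wins
    return sets * min(_base_capacity(nested[level], g) for g in groups)

def space_overhead(level: int, drives: Sequence[int], sets: int = 1) -> float:
    """Fraction of raw space not usable (parity, mirrors, wasted mismatch)."""
    return 1 - usable_capacity(level, drives, sets) / sum(drives)

if __name__ == "__main__":
    print(usable_capacity(0, [80, 100]))             # 160
    print(usable_capacity(1, [80, 100]))             # 80
    print(usable_capacity(5, [80, 100, 120]))        # 160
    # RAID 60 as two 4-drive RAID 6 sets loses half the space; two
    # 16-drive sets lose only 12.5 %, the range the text quotes
    print(space_overhead(60, [500] * 8, sets=2))     # 0.5
    print(space_overhead(60, [500] * 32, sets=2))    # 0.125
```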
Conclusion
When it comes to RAID 60, I don’t think IT pros should have a one-size-fits-all mentality. And before you
jump on the RAID 60 train, be aware that there are potential downsides for usable space and performance
that need to be considered, so choose wisely. For more information, I recommend checking out IBM’s article
and chart about selecting a RAID level.
Windows Server 2008 R2 System Requirements
To use Windows Server 2008 R2, you need:*
Component: Requirement
Memory: Maximum: 8 GB (Foundation) or 32 GB (Standard) or 2 TB (Enterprise, Datacenter, and Itanium-Based Systems)
Disk Space Requirements: Minimum: 32 GB or greater. Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files
Other: DVD Drive, Keyboard and Microsoft Mouse (or compatible pointing device), Internet access (fees may apply)
* Actual requirements will vary based on your system configuration, and the applications and features you choose to install. Processor
performance is dependent upon not only the clock frequency of the processor, but the number of cores and the size of the processor
cache. Disk space requirements for the system partition are approximate. Additional available hard disk space may be required if you
are installing over a network.
Edition Comparison by Technical Specification
KEY: [symbol] = Available; [symbol] = Not Available
IA64 RAM: 2 TB
IA64 Sockets: 64
Virtual Image Use Rights: Guest; Host + 1 VM; Host + 4 VM; Unlimited; Unlimited
X64 RAM: 32 GB; 32 GB; 2 TB; 2 TB; 8 GB; 128 GB
X64 Sockets: 4; 4; 8; 64; 1; 4
(edition column headings for the rows above were not recovered)
KEY: [symbol] = Available; [symbol] = Not Available; [symbol] = Full; [symbol] = Partial/Limited
Application Server
DHCP Server
DNS Server
Fax Server
File Services 2 2 2
Hyper-V
HPC Edition is limited in use to running clustered HPC applications or providing job scheduling services for HPC applications.
1 Limited to creating Certificate Authorities – no other ADCS features (NDES, Online Responder Service). See ADCS role
documentation on TechNet for more information.
3 Limited to 250 RRAS connections, 50 IAS connections and 2 IAS Server Groups.
KEY: [symbol] = Available; [symbol] = Not Available
Feature (columns: Enterprise, Datacenter, Standard, Web, Itanium, Foundation, HPC; per-edition availability marks not recovered)
.NET 3.0
.NET Framework 3.5.1 Features
Administration Tools
Desktop Experience
DirectAccess Management
Failover Clustering
Group Policy Management Console
Ink and Handwriting Services
Internet Printing Client
Remote Assistance
Remote Differential Compression
Remote Server Admin Tools
SMTP
SNMP
Storage Manager for SANs
Subsystem for Unix-Based Applications (SUA)
Telnet Client
Telnet Server
TFTP Client
Windows Biometric Framework
Windows Internal Database
Windows Internet Naming Service (WINS)
Windows Network Load Balancing (WNLB)
Windows PowerShell Integrated Scripting Environment (ISE)
Windows PowerShell
Windows Process Activation Server
Windows Server Backup
Windows Server Backup Features
Windows Server Migration Tools
Windows System Resource Manager (WSRM)
Windows TIFF IFilter
WINS Server
Wireless Client
XPS Viewer
Document size*1: Width: 139.7 – 304.8 mm (5.5 – 12 in.); Length: 128 – 432 mm (5 – 17 in.)
Document thickness*2: B&W documents (Simplex): 0.06 – 0.15 mm, 42 – 128 g/m²; B&W documents (Duplex): 0.07 – 0.15 mm, 50 – 128 g/m²; B&W/Color documents (Mixed): 0.07 – 0.15 mm, 50 – 128 g/m²; Color documents: 0.08 – 0.15 mm, 64 – 128 g/m²
Feeding capacity*2: 100 sheets (A4/LTR)
Scanning element: 3-line CCD
Light source: Xenon lamp
Scanning modes: Simplex / Duplex; Black and White, Advanced Text Enhancement, Error Diffusion; Grayscale (8-bit); Color (24-bit); Resolution: 100 dpi, 150 dpi, 200 dpi, 240 dpi, 300 dpi, 400 dpi, 600 dpi
Scanning speed (A4/LTR, Landscape, 200 dpi): Black and White: 70 ppm (Simplex), 36 ipm (Duplex); Grayscale: 70 ppm (Simplex), 36 ipm (Duplex); Color: 70 ppm (Simplex), 36 ipm (Duplex)
Interface: SCSI-III / Hi-Speed USB 2.0
Scanner driver: ISIS / TWAIN
Application software: Canon CapturePerfect
Useful functions: Automatic Paper Thickness Adjustment, Batch Separation, Border Removal, Color Dropout, Deskew, Job Function, Gamma Correction, MultiStream™, Page Size Detection, Skip Blank Page, Text Orientation Recognition
Power requirements: AC120V, 60Hz; AC220 – 240V, 50/60Hz
Power consumption: 150W or less (Energy Saving Mode: 12W or less)
Operating environment: 15 – 30°C (59 – 86°F), 25 – 80% RH
Dimensions (W x D x H): 575 x 602 x 300 mm (22.6 x 23.7 x 11.8 in.)
Weight: Approx. 33.6 kg (74 lb.)
Options/Consumables: Please refer to the back cover of this brochure.