
ISA is not a "software firewall" and the ASA is not a "hardware firewall"

Why?

Because they *both* run on software that is loaded onto hardware. The fact
that one stores the software on a hard drive while the other stores it on a
chip is irrelevant.

The difference is "appliance based" -vs- "PC based"

ISA can be purchased as an Appliance and has been ever since ISA2004. There
are 7 different companies producing different variations of them in this
link below.

Microsoft ISA Server Partners: Partner Hardware Solutions


http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx

In the last Secunia Reports I saw, ISA had 2 security flaws, the ASA had
6. Both companies have their products patched now, but it started out
with "2 to 6" with Cisco having the most flaws.

ISA Server 2000 was Microsoft's first full-fledged firewall product, and it offered a host of new features
not found in its predecessor, Proxy Server 2.0, nor in most of the third-party commercial firewall
products in its price class. These included:

- Multi-layered filtering (packet filtering at the network layer, circuit filtering at the transport layer, and application filtering at the application layer)
- Integrated remote access virtual private networking (VPN) and site-to-site VPN gateway
- Active Directory integration
- Secure Network Address Translation (SecureNAT)
- Secure server publishing
- E-mail content screening via SMTP filters
- H.323 gateway support for use of Microsoft NetMeeting and other H.323 conferencing software

ISA 2004 was the first major overhaul of Microsoft ISA Server since its introduction in 2000. ISA
firewall admins found improvements in three key areas:

- Advanced protection
- Ease of use
- High performance

More specifically, ISA 2004 raised the bar on application layer security capabilities through
enforcement of comprehensive and flexible application layer inspection policies, customizable protocol
filters and network routing relationships that can help protect IT assets and corporate intellectual
property from hackers, viruses and unauthorized use. Simple, easy to learn and use management tools,
along with an enhanced user interface, shortened ramp-up time for new security administrators and
helped customers avoid security breaches that can occur because of firewall misconfiguration.
While ISA 2004 put the ISA firewall product in head to head competition with Check Point and Cisco
ASA/PIX in the network level firewall market, the ISA 2004 firewall lacked some features that made it
harder than it should have been to compete with Blue Coat as the forward and reverse Web proxy server
of choice. While it was clear that the ISA 2004 firewall and Web proxy server was more secure and
more flexible than Blue Coat, the primary thrust of the ISA 2004 improvements was its network
stateful packet inspection and application layer inspection firewall feature set, not its Web proxy
components.

So, while ISA 2004 was focused on making the ISA firewall product equal or superior to the Check
Point, Cisco ASA/PIX and Netscreen firewall products, the ISA 2006 enhancements are aimed at
making the ISA firewall product line superior to Blue Coat in three core scenarios:

1. Exchange Web services publishing,
2. SharePoint Portal Server publishing, and
3. Internet Information Server (IIS) publishing.

The ISA 2006 firewall and Web proxy and caching product is at this point so impressive, that in my
considered opinion no network security professional would consider providing remote access to
Exchange, SharePoint Portal Server or IIS without an ISA firewall in place to protect them and to do
otherwise would reflect on the decision maker’s judgment and motivations.

Before going into the details of ISA 2006, let’s roll back a bit and take a look at what ISA 2004 brought
to the table. Since the ISA 2006 firewall includes all the ISA 2004 SP2 features and capabilities, it will
give you a better idea of the ISA 2006 firewall’s feature set.

What was New in ISA 2004


ISA Server 2004 added many new features and improved others, along with completely revamping the
interface, to greatly increase the functionality, especially at the enterprise level. As a refresher, the table
below shows what was new in ISA 2004:

What was New in ISA Server 2004


- Multiple Network support: Allows you to configure more than one network, each with distinct relationships to other networks. You can define access policies relative to the networks. Unlike ISA Server 2000, where all network traffic was inspected relative to a local address table (LAT) that only included addresses on the local network, with ISA Server 2004 you can apply the firewall and security features to traffic between any networks or network objects.

- Per-network policies: The new multi-networking features of ISA Server 2004 enable you to protect your network against internal and external security threats by limiting communication between clients even within your own organization. Multi-networking functionality supports sophisticated perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenarios, allowing you to configure how clients in different networks access the perimeter network. Access policy between networks can then be based on the unique security zone represented by each network.

- Routed and NAT network relationships: You can use ISA Server 2004 to define the routing relationship between networks, depending on the type of access and communication required between the networks. In some cases, you may want more secure, less transparent communication between the networks; for these scenarios you can define a network address translation (NAT) relationship. In other scenarios you want to simply route traffic through ISA Server; in this case, you can define a routed relationship. In contrast to ISA Server 2000, packets moving between routed networks are fully exposed to ISA Server 2004 stateful filtering and inspection mechanisms.

- Stateful packet and application layer inspection for remote access VPN connections: Virtual private network (VPN) clients are configured as a separate network zone. Therefore, you can create distinct policies for VPN clients. The firewall rule engine discriminately checks requests from VPN clients, statefully filtering and inspecting these requests and dynamically opening connections, based on the access policy.

- Stateful packet and application layer inspection for traffic moving through site-to-site VPN tunnels: Networks joined by an ISA Server 2000 site-to-site link were considered trusted networks, and firewall policy was not applied to communication moving through the link. ISA Server 2004 introduces stateful packet and application layer inspection for all communications moving through a site-to-site VPN connection. This allows you to control which resources specific hosts or networks can access on the opposite side of the link. User/group based access policies can be used to gain granular control over resource utilization via the link.

- SecureNAT client support for VPN clients connected to the ISA Server 2004 VPN server: With ISA Server 2000, only VPN clients configured as Firewall clients could access the Internet via their connected ISA Server 2000 VPN server. ISA Server 2004 expands VPN client support by allowing SecureNAT clients to access the Internet without the Firewall client installed on the client system. You can also enhance corporate network security by forcing user/group based firewall policy on VPN SecureNAT clients.

- VPN Quarantine: ISA Server 2004 leverages the Windows Server 2003 SP1 VPN Quarantine feature. VPN Quarantine allows you to quarantine VPN clients on a separate network until they meet a predefined set of security requirements. VPN clients passing security tests are allowed network access based on VPN client firewall policies. VPN clients who fail security testing may be provided limited access to servers that will help them meet network security requirements.

- Ability to publish PPTP VPN servers: You could only publish L2TP/IPSec NAT-T VPN servers using ISA Server 2000. ISA Server 2004 Server Publishing Rules allow you to publish all IP protocols, including PPTP servers. The ISA Server 2004 smart PPTP application filter performs the complex connection management. In addition, you can easily publish the Windows Server 2003 NAT-T L2TP/IPSec VPN server using ISA Server 2006 Server Publishing.

- IPSec tunnel mode support for site-to-site VPN links: ISA Server 2000 could use the PPTP and L2TP/IPSec VPN protocols to join networks over the Internet using a VPN site-to-site link. ISA Server 2004 improves site-to-site link support by allowing you to use IPSec tunnel mode as the VPN protocol.

- Extended protocol support: ISA Server 2004 extends ISA Server 2000 functionality by allowing you to control access and usage of any protocol, including IP-level protocols. This enables users to use applications such as ping and tracert, and to create VPN connections using the Point-to-Point Tunneling Protocol (PPTP). In addition, Internet Protocol security (IPSec) traffic can be enabled through ISA Server.

- Support for complex protocols requiring multiple primary connections: Many streaming media and voice/video applications require that the firewall manage complex protocols. ISA Server 2000 was able to manage complex protocols, but required that the firewall administrator create complex scripts to create protocol definitions requiring multiple primary outbound connections. ISA Server 2004 greatly improves this situation by allowing you to create protocol definitions within an easy to use New Protocol Wizard.

- Customizable protocol definitions: ISA Server 2004 allows you to control the source and destination port number for any protocol for which you create a Firewall Rule. This allows the ISA Server 2004 firewall administrator a very high level of control over what packets are allowed inbound and outbound through the firewall.

- Firewall user groups: ISA Server 2000 utilized users and groups created in the Active Directory or on the local firewall computer for user/group based access control. ISA Server 2004 also uses these sources, but allows you to create custom firewall groups that are comprised of preexisting groups in the local accounts database or Active Directory domain. This increases your flexibility to control access based on user or group membership because the firewall administrator can create custom security groups from these existing groups. This removes the requirement that the firewall administrator be a domain administrator in order to create custom security groups for inbound or outbound access control.

- Forwarding of Firewall client credentials to the Web Proxy service: The ISA Server 2000 HTTP Redirector had to forward requests to the Web Proxy service in order for Firewall clients to benefit from the Web cache in ISA Server 2000. User credentials were removed during this process and the request failed if user credentials were required. ISA Server 2004 removes the problem by allowing Firewall clients to access the Web cache via the Web Proxy filter without requiring separate authentication with the Web Proxy service (which no longer exists in ISA 2004 and beyond).

- RADIUS support for Web Proxy client authentication: In order for ISA Server 2000 to authenticate Web proxy clients, the machine must have been a member of the Active Directory domain or the user account must exist in the firewall computer's local user database. ISA Server 2004 allows you to authenticate users in the Active Directory and other authentication databases by using RADIUS to query the Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.

- Delegation of basic authentication: Published Web sites are protected from unauthenticated access by requiring the ISA Server 2004 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from ever reaching the published Web server.

- Preservation of source IP address in Web Publishing Rules: ISA Server 2000 Web Publishing Rules replaced the source IP address of the remote client with the IP address of the internal interface of the firewall before forwarding the request to the published Web server. ISA Server 2004 corrects this problem by allowing you to choose on a per-rule basis whether the firewall should replace the original IP address with its own, or forward the original IP address of the remote client to the Web server.

- Insert ISA Server IP address as source IP address for Server Publishing Rules: ISA Server 2000 Server Publishing Rules required you to preserve the source IP address of the external client. This required that the published server be a SecureNET client of the ISA firewall. In ISA 2004, you were given the option to preserve the client source IP address, or replace the client source IP address with the IP address of the ISA firewall. This removed the requirement of making the published server a SecureNET client and enabled more flexible deployment options.

- SecurID authentication for Web proxy clients: ISA Server 2004 can authenticate remote connections using SecurID two-factor authentication. This provides a very high level of authentication security because a user must "know" something and "have" something to gain access to the published Web server.

- Forms-based authentication for OWA access: ISA Server 2004 can generate the forms used by Outlook Web Access sites for forms-based authentication. This enhances security for remote access to OWA sites by preventing unauthenticated users from contacting the OWA server.

- Secure Web Publishing Wizard: The new Secure Web Server Publishing Wizard allows you to create secure SSL VPN tunnels to Web sites on your internal network. The SSL Bridging option allows ISA Server 2004 to decrypt encrypted traffic and expose the traffic to the HTTP policy's stateful inspection mechanism. The SSL Tunneling option relays unmodified encrypted traffic to the published Web server.

- Forced encryption for secure Exchange RPC connections: RPC policy can be set on the ISA Server 2004 firewall to prevent non-encrypted communications from remote Outlook MAPI clients connecting over the Internet. This enhances network and Exchange security by preventing user credentials and data from being exchanged in a non-encrypted format.

- HTTP filtering on a per-rule basis: ISA Server 2004 HTTP policy allows the firewall to perform deep HTTP application layer inspection (application layer filtering). The extent of the inspection is configured on a per-rule basis. This allows you to configure custom constraints for HTTP inbound and outbound access.

- Ability to block access to all executable content: You can configure ISA Server 2004 HTTP policy to block all connection attempts to Windows executable content, regardless of the file extension used on the resource.

- Ability to control HTTP file downloads by file extension: ISA Server 2004 HTTP policy allows you to allow all file extensions, allow all except a specified group of extensions, or block all extensions except for a specified group.

- Application of HTTP filtering to all ISA Server 2004 client connections: ISA Server 2000 could block content for Web Proxy client based HTTP and FTP connections via MIME type (for HTTP) or file extension (for FTP). ISA Server 2004 HTTP policy allows you to control HTTP access for all ISA Server 2004 client connections.

- Ability to block HTTP content based on keywords or strings (signatures): ISA Server 2004 deep HTTP inspection allows you to create "HTTP Signatures" that can be compared against the Request URL, Request headers, Request body, Response headers and Response body. This allows you extremely precise control over what content internal and external users can access through the ISA Server 2004 firewall.

- Ability to control which HTTP methods are allowed: You can control which HTTP methods are allowed through the firewall by setting access controls on user access to various methods. For example, you can limit the HTTP POST method to prevent users from sending data to Web sites using the HTTP POST method.

- Ability to block unencrypted Exchange RPC connections from full Outlook MAPI clients: ISA Server 2004 Secure Exchange Server Publishing Rules allow remote users to connect to Exchange using the fully functional Outlook MAPI client over the Internet. However, the Outlook client must be configured to use secure RPC so that the connection is encrypted. ISA Server 2004 RPC policy allows you to block all non-encrypted Outlook MAPI client connections.

- FTP policy: ISA Server 2004 FTP policy can be configured to allow users to upload and download via FTP, or you can limit user FTP access to download only.

- Link Translator: Some published Web sites may include references to internal names of computers. Because only the ISA Server 2004 firewall and external namespace, and not the internal network namespace, is available to external clients, these references will appear as broken links. ISA Server 2004 includes a link translation feature that allows you to create a dictionary of definitions for internal computer names that map to publicly-known names.

- Real-time monitoring of log entries: ISA Server 2004 allows you to see Firewall, Web Proxy and SMTP Message Screener logs in real time. The monitoring console displays the log entries as they are recorded in the firewall's log file.

- Built-in log query facility: You can query the log files using the built-in log query facility. Logs can be queried for information contained in any field recorded in the logs. You can limit the scope of the query to a specific time frame. The results appear in the ISA Server 2004 console and can be copied to the clipboard and pasted into another application for more detailed analysis.

- Connectivity verifiers: You can verify connectivity by regularly monitoring connections to a specific computer or URL from the ISA Server 2004 computer using Connection Verifiers. You can configure which method to use to determine connectivity: ping, TCP connect to a port, or HTTP GET. You can select which connection to monitor by specifying an IP address, computer name, or URL.

- Report publishing: ISA Server 2004 report jobs can be configured to automatically save a copy of a report to a local folder or network file share. The folder or file share the reports are saved in can be mapped to a Web site virtual directory so that other users can view the report. You can also manually publish reports that have not been configured to automatically publish after report creation.

- E-mail notification of report creation: You can configure a report job to send you an e-mail message after a report job is completed.

- Ability to customize time for log summary creation: ISA Server 2000 was hard-coded to create log summaries at 12:30 AM. Reports are based on information contained in log summaries. ISA Server 2004 allows you to easily customize the time when log summaries are created. This gives you increased flexibility in determining the time of day reports are created.

- Ability to log to an MSDE database: Logs can now be stored in MSDE format by default. Logging to a local database enhances query speed and flexibility.

- Ability to import and export configuration data: ISA Server introduces the ability to export and import configuration information. You can use this feature to save configuration parameters to an XML file, and then import the information from the file to another server.

- Delegated Permissions Wizard for firewall administrator roles: The Administration Delegation Wizard helps you assign administrative roles to users and to groups of users. These predefined roles delegate the level of administrative control users are allowed over specified ISA Server 2006 services.
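To make the per-rule HTTP policy entries in this table concrete (method control, extension lists, executable blocking regardless of extension, and HTTP signatures over the five locations), here is an added example that models how those checks combine on constructed sample traffic; it is not ISA Server's own code, and the class names, the check order and the use of the "MZ" file header as the executable test are assumptions.

```python
# Added example (not ISA Server code): a model of the per-rule HTTP policy
# checks listed above, evaluated against constructed request/response pairs.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpMessage:
    """One request/response pair as the HTTP filter would see it (constructed sample)."""
    method: str
    url: str
    request_headers: dict = field(default_factory=dict)
    request_body: bytes = b""
    response_headers: dict = field(default_factory=dict)
    response_body: bytes = b""


@dataclass
class Signature:
    """An 'HTTP Signature': a byte pattern searched in one of the five locations the
    table names. `header` narrows a header location to a single header name."""
    name: str
    location: str        # request_url | request_headers | request_body | response_headers | response_body
    pattern: bytes
    header: Optional[str] = None


@dataclass
class HttpPolicy:
    allowed_methods: Optional[set] = None   # None means every method is allowed
    extension_mode: str = "allow_all"       # allow_all | allow_all_except | block_all_except
    extensions: set = field(default_factory=set)
    block_executables: bool = False
    signatures: list = field(default_factory=list)


def url_extension(url: str) -> str:
    """Extension of the last path segment, ignoring query string and fragment."""
    path = re.split(r"[?#]", url, maxsplit=1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_windows_executable(body: bytes) -> bool:
    """Executable content is recognised by the file's own header (the 'MZ' magic of
    DOS/PE executables), not by its extension. Assumption: the page only says the
    block applies 'regardless of the file extension'."""
    return body[:2] == b"MZ"


def _location_bytes(msg: HttpMessage, sig: Signature) -> bytes:
    if sig.location == "request_url":
        return msg.url.encode()
    if sig.location == "request_body":
        return msg.request_body
    if sig.location == "response_body":
        return msg.response_body
    headers = msg.request_headers if sig.location == "request_headers" else msg.response_headers
    if sig.header is not None:
        return str(headers.get(sig.header, "")).encode()
    return "\r\n".join(f"{k}: {v}" for k, v in headers.items()).encode()


def evaluate(policy: HttpPolicy, msg: HttpMessage):
    """Apply the rule's HTTP policy; returns (allowed, reason) for the log entry."""
    if policy.allowed_methods is not None and msg.method.upper() not in policy.allowed_methods:
        return False, f"method {msg.method} not allowed"
    ext = url_extension(msg.url)
    if policy.extension_mode == "allow_all_except" and ext in policy.extensions:
        return False, f"extension .{ext} is blocked"
    if policy.extension_mode == "block_all_except" and ext not in policy.extensions:
        return False, f"extension .{ext} is not in the allowed set"
    if policy.block_executables and is_windows_executable(msg.response_body):
        return False, "Windows executable content (blocked regardless of extension)"
    for sig in policy.signatures:
        if sig.pattern.lower() in _location_bytes(msg, sig).lower():
            return False, f"signature '{sig.name}' matched in {sig.location}"
    return True, "allowed"


# Constructed sample policy for an outbound Web access rule.
SAMPLE_POLICY = HttpPolicy(
    allowed_methods={"GET", "HEAD"},            # no POST: users cannot send data to sites
    extension_mode="allow_all_except",
    extensions={"exe", "scr", "pif"},
    block_executables=True,
    signatures=[
        Signature("msn-messenger", "request_headers", b"MSN Messenger", header="User-Agent"),
        Signature("p2p-url", "request_url", b"kazaa"),
    ],
)

if __name__ == "__main__":
    samples = [
        HttpMessage("GET", "http://www.example.com/index.html", response_body=b"<html>ok</html>"),
        HttpMessage("POST", "http://www.example.com/upload"),
        HttpMessage("GET", "http://www.example.com/setup.exe"),
        HttpMessage("GET", "http://www.example.com/update.dat", response_body=b"MZ\x90\x00\x03"),
        HttpMessage("GET", "http://www.example.com/", {"User-Agent": "MSN Messenger 7.5"}),
    ]
    for s in samples:
        print(s.method, s.url, "->", evaluate(SAMPLE_POLICY, s))
```

The renamed executable (update.dat) is caught by its header after the extension list let it through, which is the point of the "regardless of the file extension" feature.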

All of those new features add functionality and flexibility above and beyond that provided by ISA 2000
and are included in the ISA 2006 firewall. But what do they really mean to you?

- Multi-networking support greatly increased ISA 2004's scalability and flexibility and gives much more granular control by applying different levels of security and access for different networks.
- New VPN features made it easier and more secure to use virtual private networking through the ISA firewall. The ability to publish PPTP VPN servers is important to businesses that, for whatever reasons, don't want to implement L2TP/IPSec for all VPN connections. VPN quarantine enhanced network security by allowing you to set security criteria VPN clients must meet before being allowed access to the corporate network. IPSec tunnel mode support greatly increased the ISA 2004 firewall's interoperability with a wide array of third-party VPN gateways.
- New firewall features (and improvements to those that were included in ISA 2000) provided more precise control over what does and doesn't enter the network. These enhancements positioned the ISA 2004 firewall to compete directly with third-party firewall products, such as Check Point and PIX/ASA.
- New Web cache and Web proxy features made it easier to publish Web sites, giving ISA firewall admins more control over Web caching, and enhanced the security of all published Web sites.
- New remote access features increased usability and security of Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS), terminal services and Outlook RPC/HTTP. The ability to block unencrypted Exchange RPC communications greatly enhanced security in secure Exchange RPC publishing scenarios. In ISA 2000 out of the box, if Exchange RPC was allowed, you couldn't distinguish between encrypted and unencrypted communications; all Exchange RPC communications were allowed. The ability to block unencrypted ones was included in Feature Pack 1 for ISA Server 2000, but required editing of the registry to enable. ISA 2004 made it as simple as checking a checkbox.
- New application layer inspection features extended the level of control administrators had over Web and e-mail content, making it easier to block exactly what you want to block, and ensuring that users who need access to resources will have it. For example, signature blocking could be used as a spam control mechanism, allowing you to block keywords and strings in the message content. It could also be used as an anti-virus mechanism and a way to recognize and block common SMTP attacks. Unfortunately, the SMTP Message Screener was dropped in ISA Server 2006, with the expectation that customers would prefer to use Antigen for spam and anti-virus control. However, at this time, Antigen for SMTP has not been integrated with the ISA Server 2006 product line.
- New monitoring and reporting capabilities are more important than ever in today's regulated business environment, where it is vital to be able to provide detailed documentation to prove compliance with government and industry rules that require that specific security standards be met. The ability to import and export configuration information makes it easy to back up that information or to create multiple servers with the same configuration.
- Link translation is important when you publish sites that contain links to internal resources (for example, SharePoint sites that you want to make available to external users). This capability was included in Feature Pack 1 for ISA 2000, but was made much easier to use in ISA 2004. ISA Server 2006 further enhances support for link translation, especially for SharePoint Portal Server sites.
- New wizards such as the Delegated Permissions Wizard, Outlook Web Access (OWA) Publishing Wizard and the Secure Web Publishing Wizard helped you to accomplish common tasks more quickly and easily, and help to prevent misconfiguration (which is one of the most common reasons for firewall failure). ISA Server 2006 further refines and enhances the Web Publishing Wizards included with ISA 2004.

With advanced security for your Microsoft applications, ISA Server 2004 protected the customer's
critical business assets and helped the organization stay on top of communications demands. In addition,
ISA Server 2004 provided security around the most common usage scenarios, such as collaboration,
remote access, and server publishing. ISA Server 2006 includes all these features and adds
significant feature enhancements over those provided by ISA 2004, which will be discussed later in this
section.

Enhanced Usability in ISA Server 2004


The user interface in ISA Server 2004 was a dramatic departure from the ISA 2000 firewall console. The
new interface was more intuitive and functional, and the three-pane layout and tabbed interface of the
ISA Management console made it easier than ever to configure and manage ISA Server.

The new interface put common ISA firewall management tasks at your fingertips, eliminating the need
to search through Help files or click through multiple dialog boxes to find the configuration options you
want.

Why ISA 2006 Firewalls are Better than ISA 2000/2004 Firewalls
Many ISA firewall admins who are currently running ISA Server 2000 or 2004 will want to know why
they should upgrade to ISA Server 2006. While the upgrade from ISA Server 2000 to ISA 2004 was an
easy one to understand because of the major improvements and changes made between ISA Server 2000
and ISA 2004, the changes included with ISA 2006 versus ISA 2004 are more incremental and provide a
much smoother transition than the upgrade from 2000 to 2004.

Most of the new features and capabilities seen in ISA 2006 compared to 2004 are difficult for the
average ISA firewall admin to see if only a superficial look at the product is taken. The user interface is
the same, the networking model is the same, there have been no changes in terms of how the ISA firewall
performs outbound access control, and there have been no changes to the core networking and
traditional firewall feature set.

The bulk of the improvements seen with the ISA 2006 firewall are focused on secure Web publishing.
The Microsoft marketing message focuses on three pillars:

- secure application publishing
- branch office gateway
- Web access protection

Technical decision makers will quickly discover, however, that ISA 2006 adds relatively little to ISA 2004 SP2 in
the outbound access control and protection and branch office gateway scenarios. They will
notice that there are some profound improvements in secure application publishing, and more specifically
in secure Web publishing.

The other major difference between ISA 2006 and ISA 2004 is that ISA 2006 has a much more robust
mechanism for handling worm and other types of flood attacks. Some ISA 2004 servers have suffered
from worm and DNS flood attack situations (note that these attacks never compromised the ISA
firewall, but affected performance). ISA 2006 includes a built-in mechanism to prevent exhaustion of non-
paged pool memory, so that even when under heavy denial of service type worm or DNS flood attacks
the ISA 2006 firewall will be able to stand up where the ISA 2004 firewall might fall over and need
to be rebooted.

My recommendations for upgrading from ISA 2004 to ISA 2006 include the following:

- ISA 2006 worm and DNS flood protection will increase uptime and stability. The ISA 2006 updates to its stateful packet inspection and IDS/IPS functionality make it worth the upgrade.
- Significant enhancements have been made in increasing the security for remote access connections to Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS) and RPC/HTTP (Outlook Anywhere). You will be able to do things such as customize the log on form, enable password changes from the log on form, and automatically inform users in the log on form of how many days remain until a password change is required.
- ISA firewall admins publishing SharePoint Portal servers may have frustrations and incomplete functionality when using ISA 2004. If you have SharePoint Portal Server in place, you will be able to get full functionality from your SPS deployments when publishing through an ISA 2006 firewall, as it is purpose designed to provide secure remote access to SharePoint Portal Servers.
- For all ISA firewall admins publishing Web sites, including Exchange and SharePoint Portal Server sites, you'll be able to use forms-based authentication for any type of Web publishing scenario, and editing the log on form is now completely supported by Microsoft.
- For any ISA firewall admin publishing secure sites requiring pre-authentication at the ISA firewall, there are additional authentication mechanisms available, including LDAP authentication and RADIUS one-time password. Both these authentication methods allow the ISA firewall publishing the Web sites to be removed from the Active Directory domain, but still authenticate users belonging to the domain. RADIUS OTP provides ISA firewall admins who don't wish to use SecurID with another two-factor authentication option.
- Any ISA firewall admin interested in publishing a Web farm will benefit greatly by upgrading from ISA 2004 to ISA 2006. This is especially the case if you have front-end Exchange Servers and want to have two or more front-end Exchange Servers configured as a fault tolerant and redundant Web farm. The ISA 2006 Web farm load balancing feature removes the requirement to make the FE Exchange Servers SecureNET clients when NLB was enabled on the FE Exchange Server array. In fact, ISA 2006 Web farm load balancing completely removes the requirement for NLB on the FE Exchange Server array or a third-party hardware load balancer. You can completely remove the third-party load balancer and benefit from higher security, better performance and better session management than you would have with the "hardware" load balancer, and you get all this at no additional cost.
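The Web farm behaviour described in the last recommendation (load balancing across farm members, fail over when a member stops answering, fail back when it returns, and session management) is modelled in this added example; it is not ISA Server's code, the probe callback stands in for a connectivity verifier, and the failure threshold, source-IP affinity and all names are assumptions.

```python
# Added example (not ISA Server code): a model of Web farm load balancing with
# verifier-driven fail over and fail back plus source-IP session affinity.
# The probe is injected so the model runs offline against constructed status.
from dataclasses import dataclass


@dataclass
class FarmMember:
    name: str
    healthy: bool = True
    failed_probes: int = 0    # consecutive probe failures


class WebFarm:
    def __init__(self, member_names, probe, failure_threshold=2):
        # probe(name) -> bool stands in for the verifier (HTTP GET / TCP connect / ping)
        self.members = [FarmMember(n) for n in member_names]
        self.probe = probe
        self.failure_threshold = failure_threshold
        self._rr = 0              # round-robin cursor
        self.affinity = {}        # client IP -> member name (session management)

    def healthy_members(self):
        return [m.name for m in self.members if m.healthy]

    def run_health_checks(self):
        """One verifier pass: take a member out after repeated failures (fail over)
        and bring it back as soon as it answers again (fail back)."""
        for m in self.members:
            if self.probe(m.name):
                m.failed_probes = 0
                m.healthy = True
            else:
                m.failed_probes += 1
                if m.failed_probes >= self.failure_threshold:
                    m.healthy = False
        return self.healthy_members()

    def select(self, client_ip):
        """Member for this client: sticky to its previous member while that member is
        healthy, otherwise the next healthy member round-robin; None if all are down."""
        healthy = self.healthy_members()
        if not healthy:
            self.affinity.pop(client_ip, None)
            return None
        sticky = self.affinity.get(client_ip)
        if sticky in healthy:
            return sticky
        chosen = healthy[self._rr % len(healthy)]
        self._rr += 1
        self.affinity[client_ip] = chosen
        return chosen


if __name__ == "__main__":
    # Constructed farm status; flip entries to simulate a front-end server going down.
    status = {"fe1": True, "fe2": True, "fe3": True}
    farm = WebFarm(["fe1", "fe2", "fe3"], lambda name: status[name])
    print("client A ->", farm.select("10.0.0.1"))
    status["fe1"] = False
    for _ in range(2):
        print("healthy after probe:", farm.run_health_checks())
    print("client A after fail over ->", farm.select("10.0.0.1"))
    status["fe1"] = True
    print("healthy after fail back:", farm.run_health_checks())
```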

While it might seem that there is a relatively small feature set on which to base upgrades from 2004 to
2006, the improvements included with ISA Server 2006 make it worth upgrading for any company that
publishes Web sites. This might appear to you at first to represent a relatively small percentage of the
entire ISA firewall feature set, but from my discussions with the ISA customer base at large, it appears that
the ISA firewall's largest deployment scenario is reverse proxy, and this is exactly the feature set that the
ISA Server development team has focused upon.

What’s New and Improved in the ISA 2006 Firewall and Web Proxy and Caching Solution

The table below provides a comprehensive, but not necessarily complete list of new and updated
features included in the ISA 2006 firewall. Each entry gives the feature name (marked [NEW] where
the feature is new in ISA 2006) followed by what it does.

What’s New and Improved in ISA Server 2006

Web Farm Load Balancing [NEW]: ISA 2006 Web Farm Load Balancing enables the ISA firewall
administrator to publish a farm of Web servers that host the same content or perform similar roles.
The ISA firewall provides both load balancing and fail over and fail back for the published Web farm,
and does not require NLB to be enabled on the ISA firewall array or on the Web farm. Customers
benefit from this feature because they do not need to enable NLB on the Web farm (which would
require that the farm members be SecureNET clients), and they do not need to purchase an expensive
external load balancer, such as F5.

Forms-based authentication support for all Web Publishing Rules [NEW]: In ISA 2004, forms-based
authentication was supported only for Outlook Web Access Web Publishing Rules. ISA Server 2006
expands its forms-based authentication support by enabling forms-based authentication for all Web
sites published using Web Publishing Rules.

Kerberos Constrained Delegation [NEW]: In ISA 2004, User Certificate authentication could be
performed by the ISA firewall, but the user’s credentials could not be forwarded to the published Web
server. This generated multiple authentication prompts. In ISA Server 2006, a user can pre-authenticate
with the ISA firewall, and that user’s credentials can then be delegated as Kerberos credentials to the
published Web servers, thus avoiding multiple authentication prompts and improving the end-user
experience.

Enhanced Delegation of Authentication support: ISA 2004 supported only delegation of basic
authentication. ISA Server 2006 enhances support for authentication delegation by enabling
credentials to be delegated as Kerberos, Integrated, Negotiate or basic. This increases the flexibility of
deployment for ISA firewalls, since many published Web servers do not support basic authentication.
In addition, this increases security for Web Publishing scenarios where SSL to SSL bridging is not an
option, and prevents the clear text basic credentials from being intercepted on the wire.

Separate name resolution from CONNECT name in Web Publishing Rules [NEW]: In ISA 2004, the
same name was used for name resolution and for the CONNECT name sent to the published Web
server. This created a situation where the ISA firewall administrator had to create a split DNS, or enter
a custom HOSTS file entry on the ISA firewall, so that the CONNECT name resolved to the IP address
of the published server on the internal network. ISA Server 2006 solves this problem by allowing you
to specify a name or IP address that is separate from the CONNECT name used by the Web Publishing
Rule.

Improved Exchange Server Web Publishing Rule Wizard: The ISA Server 2006 Exchange Server Web
Publishing Wizard includes a number of improvements that make publishing all versions of Exchange,
from version 5.5 to 2007, easier than ever.

Integrated support for password changes on the log on form [NEW]: In ISA 2004, there was little or
no support for allowing users to change their passwords when using forms-based authentication. ISA
Server 2006 solves this problem by integrating the ability for a user to change his password right in
the log on form. No special configuration tasks are required on the ISA firewall or the published OWA
Server.

Integrated support for password change notification on the log on form [NEW]: In ISA 2004, there
was no integrated support for providing users with information about pending password expiration
dates. ISA 2006 solves this problem by giving the ISA firewall administrator the option to inform users
of pending password expiration dates. You can customize the warning period by specifying the number
of days in advance that you want users to be aware of password expiration.

Improved Mail Server Publishing Wizard: In ISA 2004, a single Mail Server Publishing Wizard was
used to publish both Exchange Web services and non-Web services. ISA Server 2006 breaks out Web
from non-Web publishing tasks into two separate wizards, making it easier to publish non-Web
protocols for your Exchange mail server.

SharePoint Portal Server Publishing Wizard [NEW]: It was possible to publish SharePoint Portal
Servers using ISA 2004, but the process was potentially complex, and not all features were available
from the Internet because of problems with link translation. ISA Server 2006 solves this problem with
enhanced support for SharePoint Portal Server publishing and an updated link translation dictionary
that takes all the complexity out of successfully publishing a SharePoint Portal Server deployment.

Single Sign-on [NEW]: One of the most requested features that didn’t make its way into ISA 2004 was
single sign-on. In ISA 2004, users had to reauthenticate even if they were connecting to a Web server
in the same domain as the original Web server. ISA Server 2006 solves this problem by enabling single
sign-on on a per-listener/per-domain basis. If multiple Web sites belong to the same domain and are
published by the same Web listener, then users will not be required to reauthenticate, and cached
credentials are used.

Support for wildcard certificates on the published Web server [NEW]: ISA 2004 supported wildcard
certificates on its Web listener, but did not support wildcard certificates on the published Web server
located behind the ISA firewall. ISA Server 2006 improves on wildcard certificate support by allowing
the ISA firewall administrator to use a wildcard certificate on the published Web server.

Advanced Client Certificate Restrictions and Configurable Certificate Trust List [NEW]: A
completely new feature included with ISA Server 2006 is Client Certificate Restrictions and a
configurable Certificate Trust List. The Client Certificate Restrictions feature allows you to set
restrictions on the certificates users can provide when User Certificate authentication is enabled.
Restrictions can be defined based on:

- Issuer
- Subject
- Enhanced Key Usage
- Extensions

In addition, you can set restrictions on the OID (object ID) presented by the User Certificate. The
Configurable Trust List option enables you to set specific trusted CAs on a per-Web Listener basis.
This list of trusted CAs is separate and distinct from the ISA firewall machine’s list of Trusted CAs.
This enables the ISA firewall administrator to limit the User Certificates that can be used to
authenticate with the ISA firewall to those issued only by a specific set of CAs, such as the company’s
private CAs. This allows you to implement User Certificate Authentication as a method to limit access
only to corporate managed machines and devices, such as PDAs and PDA enabled phones.

Fall back to basic authentication for non-Web browser clients [NEW]: One of the major problems ISA
firewall administrators had with ISA 2004 was that they needed to create two listeners, requiring two
different certificates, to publish both RPC/HTTP and OWA sites when forms-based authentication was
enabled on the OWA Web listener. ISA Server 2006 solves this problem by detecting the user-agent
string in the client request and falling back to basic authentication when the client is not a Web
browser. This allows you to publish OWA with forms-based authentication enabled and RPC/HTTP
using the same Web listener. The end result is that if the customer has only a single external IP
address, both OWA with FBA and RPC/HTTP can be published using that single IP address, something
not possible with ISA 2004.

Enhanced Link Translation Dictionary: Link translation dictionaries are used to change the contents
of pages returned to external users. This is helpful when Web applications embed private computer
names in responses sent to external clients, since external clients are not able to connect to servers
using their internal names. ISA Server 2006 includes an enhanced link translation dictionary that
automatically populates itself based on settings in your Web Publishing Rules. This allows the ISA
firewall administrator to provide a seamless experience for external users who need to access multiple
sites published by the ISA firewall. For example, this feature allows OWA users to receive links to
SharePoint Portal Server messages in their OWA e-mail and access those links automatically, without
complex reconfiguration required on the OWA and SharePoint Portal Server or even on the ISA
firewall itself.

Cross array link translation [NEW]: Cross array link translation allows you to publish Web sites
across multiple arrays and have the link translation dictionary available for all arrays in the same ISA
Enterprise Edition enterprise group. This greatly simplifies large deployments by automatically
populating the link translation list and avoiding the requirement for manual reconfiguration.

Improved CARP Support in ISA 2006 Enterprise Edition: Changes were made to the CARP algorithm
with the release of ISA 2004 SP2. These changes have been carried over to ISA Server 2006, so that
instead of requiring CARP exceptions for URLs you don’t want to be load balanced, you now create
CARP exceptions for URLs that you do want load balanced. This change was made within the context
of another change included with ISA 2004 SP2, where instead of using the URL to predetermine
which array member handled the request, the FQDN is now used instead. This prevents problems with
session handling for connections that might be spread across multiple array members for specific
URLs contained within the same page or session.

BITS Caching for Microsoft Update Sites: BITS caching for Microsoft Updates was introduced with
ISA 2004 SP2. This feature has been carried over and included with ISA Server 2006. BITS caching
for Microsoft updates greatly improves bandwidth utilization over site to site or WAN links, making
more bandwidth available to branch offices that would otherwise be overwhelmed with update traffic
from servers located at the main office or the Internet. Main office servers also benefit from the
bandwidth optimization provided by BITS update caching.

HTTP Compression support: Support for HTTP Compression was introduced in ISA 2004 SP2 and
carried over to ISA Server 2006. HTTP compression allows the ISA firewall administrator to control
which clients can ask for HTTP compression and which servers can return HTTP compression. HTTP
compression is very useful in a branch office scenario where bandwidth to the main office is at a
premium.

Diffserv QoS Support for HTTP communications: Diffserv QoS support was introduced with ISA
2004 SP2 and carried over to ISA Server 2006. Diffserv is a method that can be used on Diffserv
enabled networks to give preference to certain packets over others. The ISA firewall administrator can
use Diffserv to prioritize packets destined to certain servers over those of non-priority servers.

Add multiple VIPs within the ISA Server management console [NEW]: ISA 2004 supported multiple
VIP IP addresses. However, in order to add more than one VIP, the ISA firewall administrator had to
drop out of the ISA management console and enter these IP addresses in the TCP/IP configuration of
the NIC. ISA Server 2006 improves this situation by allowing the administrator to enter additional
VIPs in the ISA management console.

Branch office Connectivity Wizard [NEW]: With ISA 2004, deploying branch office ISA firewalls was
potentially complex, sometimes requiring a site to site VPN connection to be configured and then
trying to join the branch office ISA firewall to the domain after the site to site VPN tunnel was
established. ISA Server 2006 takes the complexity out of branch office deployment by introducing a
branch office deployment wizard that enables the ISA firewall administrator to create a simple answer
file, which allows a non-technical user to plug in a branch office ISA firewall device and run the
answer file from a simple link.

Ability to assign multiple certificates to a single Web listener [NEW]: ISA 2004 allowed the ISA
firewall administrator to bind only a single certificate to a Web listener. This was problematic when
you wanted to use the same Web listener to publish multiple secure Web sites. ISA Server 2006 solves
this problem by allowing you to bind multiple certificates to the same Web listener and assign that
Web listener to multiple Web Publishing Rules, enabling single sign-on and an improved end-user
experience.

Support for customized forms for Forms-based authentication [NEW]: ISA 2004 supported forms-
based authentication only for publishing OWA sites, and customizing the form was not supported.
With ISA Server 2006, you can now use forms-based authentication to publish any site, and forms
customization is supported.

LDAP authentication for Web Publishing Rules [NEW]: With ISA 2004, if the ISA firewall machine
was not a member of the domain, the only viable method of pre-authenticating users at the ISA
firewall was to use RADIUS authentication for Web Publishing Rules. RADIUS is limited because it
does not allow the administrator to leverage Active Directory groups. With ISA Server 2006, you can
use LDAP authentication for ISA firewalls that are not domain members and take advantage of Active
Directory groups. In addition, the ISA 2006 firewall can be configured to use multiple LDAP servers,
and rules can be configured to look at authentication strings and forward the authentication request to
the appropriate LDAP server (Active Directory domain controller).

RADIUS One-Time Passwords (OTP) for Web Publishing Rules [NEW]: Another authentication
option now available to non-domain members for Web Publishing Rules is RADIUS One-Time
Passwords (OTP). RADIUS OTP allows users to authenticate using a password that is valid for a
single attempt and cannot be reused.

Improved cookie management: ISA 2004 did not provide an administrator accessible method for
managing cookies on client machines connecting to published Web resources. With ISA Server 2006,
the administrator is provided several options for controlling how cookies are validated and
configurable credentials caching.

Enhanced Flood Mitigation Settings: ISA 2004 included a basic flood mitigation feature that helped
protect the networks that the ISA firewall was connected to, in addition to the ISA firewall machine
itself. ISA Server 2006 builds on the ISA 2004 flood protection mechanism to help protect against
more types of flood attacks.

Customer Experience Program [NEW]: The customer experience program provides a mechanism by
which Microsoft can obtain information about how ISA Server is deployed and used in production
environments. No personally identifiable information is sent to Microsoft, and this information is used
to help Microsoft understand how to improve the product in service packs and future releases. The
Customer Experience Program was first introduced with ISA 2004 SP2.

Support for Published Configuration Storage Servers [NEW]: ISA Server 2006 enables the
administrator to connect to Configuration Storage Servers at the main office even when the site to site
VPN connection between branch and main offices becomes unavailable. You can publish the main
office Configuration Storage Server and configure the branch office ISA firewall to connect to the
published Configuration Storage Server over the Internet in the event that the site to site VPN
connection becomes unavailable.

Enhanced support for SSL Accelerators in NLB Scenarios [NEW]: When an NLB array of ISA
firewalls publishes secure SSL Web sites, the same Web site certificate must be installed on all the
array members accepting incoming connections for the published Web site. This can be problematic
when SSL accelerator cards are used and require that different certificates be bound to each SSL card
in the NLB array. ISA Server 2006 supports binding different certificates to each card in the array to
better support SSL accelerator cards.

Support for outbound SSL Bridging (add-on required) [NEW]: Although not a feature in the base
product, ISA firewall administrators can significantly increase network security by using an ISA
Server add-on product named ClearTunnel (www.collectivesoftware.com). ClearTunnel enables the
ISA firewall to perform application layer inspection on outbound SSL connections and prevents
potential exploits from being downloaded from the Internet through an encrypted SSL tunnel.
Outbound SSL connections represent a major security threat to corporate networks today, so the
ability to inspect outbound SSL communications is a great enhancement to the network security that
ISA Server can provide.

Updated MOM Management Pack: ISA Server 2006 includes an updated MOM pack.

Improved Alerting: ISA Server 2006 builds on the configuration and security alerts included with ISA
2004 and adds a number of new alerts that help inform the ISA administrator of configuration issues,
certificate issues, security issues, and threat triggers. The new alerts included with ISA Server 2006
will make it easier than ever to troubleshoot ISA firewall related problems.

Site to Site VPN Wizard and Unattended Answer File support [NEW]: ISA Server 2000 included a
comprehensive site to site VPN wizard that took the complexities out of configuring a site to site VPN
connection. This feature was removed from ISA 2004. In ISA Server 2006, the site to site VPN wizard
returns and makes creating site to site VPN connections easier than ever. In addition to simplifying
the creation of a site to site VPN, the new ISA 2006 site to site VPN wizard allows the main office
ISA firewall administrator to create a simple answer file that a non-technical user at a branch office
can use to automatically connect the branch office ISA firewall to the main office corporate network.

Logging supports Referring Server [NEW]: A common complaint among ISA firewall administrators
was the inability to log the referring server for connections made to servers published using Web
Publishing Rules. ISA Server 2006 solves this problem by adding the ability to log the referring server
in the ISA firewall’s Web proxy log files.

Conclusion
As you can see, there is a lot more included in the new ISA 2006 firewall than initially meets the eye.
While the ISA 2006 firewall doesn't provide the world shaking differences we saw with the upgrade
from ISA Server 2000, I think you’ll find that the upgrade to ISA 2006 is well worth the effort both in
terms of increased functionality and user satisfaction, and increased uptime and reliability.

If you have questions about what the new ISA 2006 firewall has to offer your organization, feel free to
post a question on the Web boards in the links provided in this article. If you wish to contact me
privately, you can contact me at tshinder@isaserver.org and I can help provide information that will
help you make a compelling argument to your business decision makers who sign the checks for your
ISA firewall upgrade. I can also help you deal with the “network guys” who don’t understand the ISA
firewall and might push back at your attempts to secure your network and networked applications.

ISA Behind a Cisco ASA?


Several people have written to me in response to my earlier blog post ‘HTTP 2.0 Specification?‘ asking
why I would have my ISA firewall behind a Cisco ASA. The answer is simple: enhanced security! I am
following a long standing security best practice by implementing security in layers; defense in depth.
Now, it’s not that the ISA firewall isn’t totally and completely capable of acting as an edge firewall,
because it most certainly is. In this case though, I have elected to use an ASA as my edge firewall
because I don’t need any real intelligence there. All I want is to do some very simple packet filtering
here; basically just filtering out the bulk of the noise from the Internet and allowing my internal ISA
firewall, with its advanced deep application layer inspection capabilities and granular user and group
based access controls to do the important network communication inspection.

In addition to enhanced security, there are some other benefits to using the ASA (or another firewall) at
the network edge. If someone were to circumvent the access controls that are in place on that edge
firewall, they would not be able to use those same methods of exploitation on the ISA firewall. If I
practice security in layers but deploy the same model firewall at each layer, an attacker can use the same
method used to bypass my internal firewalls as they used to bypass my edge firewall.

An additional benefit of using another firewall at the network edge is that by squelching ‘Internet
noise’, the logs on the ISA firewall become much more meaningful. It allows me to find important
information much more quickly than having to sift through mountains of data that is mostly port scans
and probes that occur constantly on the public Internet. This also frees up resources on my ISA firewall
that are better put to use on inspecting important traffic.
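The kind of edge policy described above, as an added example that is not from the original post: a Cisco ASA configuration that does only simple packet filtering, permitting Internet traffic to the services the ISA firewall publishes, logging what it drops so the noise never reaches ISA, and leaving application layer inspection and user and group based access control to ISA. ASA 8.3+ syntax, the interface and object names, the published ports and the RFC 5737 documentation addresses are all assumptions.

```cisco
! Added example: an ASA as a simple edge filter in front of an ISA firewall.
! ASA 8.3+ syntax is assumed; addresses are RFC 5737 documentation placeholders.
!
! The ISA firewall's external interface sits on the ASA's inside segment and is
! reachable from the Internet through a static NAT on the ASA's outside address.
object network ISA_EXTERNAL
 host 192.0.2.10
 nat (inside,outside) static 203.0.113.10
!
! Only the services ISA actually publishes (assumed here: HTTPS for OWA and
! SharePoint, SMTP for the mail server) are allowed through to ISA.
object-group service ISA_PUBLISHED tcp
 port-object eq https
 port-object eq smtp
!
! Inbound: permit the published services to ISA, drop and log everything else.
! Logging the deny at level 4 with a 60 second interval keeps the ASA's own log
! from being flooded by the port scans and probes it is meant to absorb.
access-list OUTSIDE_IN extended permit tcp any object ISA_EXTERNAL object-group ISA_PUBLISHED
access-list OUTSIDE_IN extended deny ip any any log 4 interval 60
access-group OUTSIDE_IN in interface outside
!
! Outbound: ISA is the only host allowed to initiate traffic to the Internet,
! so internal clients cannot bypass ISA's proxy and access rules via the ASA.
access-list INSIDE_OUT extended permit ip object ISA_EXTERNAL any
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

With this in place, the only connections that appear in the ISA Web proxy and firewall logs are those to services ISA publishes or that ISA itself initiates, which is what makes the ISA logs meaningful.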

Every business organization that’s connected to the Internet needs a firewall to protect the internal
network from attacks, but selecting the right firewall can be an overwhelming task. There are a plethora
of products on the market, ranging in price from a few hundred dollars to tens of thousands. Software
firewalls, hardware firewalls, “personal” firewalls, enterprise firewalls – how do you even begin to
evaluate their features and determine what you need and what you don’t?

Not Your Father’s Firewall


Computer and network security needs have changed drastically over the past several years, and firewall
technology has evolved to meet those new, more demanding needs. The traditional firewall was a fairly
simple construct: it sat between the LAN (or in the case of personal firewalls, an individual computer)
and the “outside world” of the Internet, and filtered packets coming in – and in some cases, going out –
based on information in the Layer 3 and 4 headers (IP, TCP, UDP, ICMP). The decision to accept or
reject a packet was usually based on the source or destination address or port number.

As attackers grew more sophisticated and began to exploit higher layer protocols (DNS, SMTP, POP3,
etc.), firewalls had to do more. Most business-class firewalls today perform at least some application
layer filtering, or ALF. See my article “ALF: What is it and How Does it Fit into Your Security Plan” on
this site for details. ALF is necessary to prevent application layer attacks and to filter for spam and
viruses, or to perform content filtering to block objectionable Web sites based on content rather than just
IP address.

Firewalls today are often more than “sentries” at the network gate. Vendors have added other features
that aren’t strictly firewall functions, such as VPN gateway and Web caching. Almost all modern
firewalls other than those at the very low end support VPN, and many either include caching to
accelerate Web performance or offer add-on modules for that purpose. In fact, many vendors have
started calling their products “multifunction security” devices or software, instead of simply “firewalls.”

Host-based vs. Network Firewalls


Host-based firewalls (sometimes called “personal” firewalls) are simple, low cost programs or devices
intended to protect a single computer. Examples include ZoneAlarm, Norton Personal Firewall, and the
Internet Connection Firewall (ICF) built into Windows XP.

Network firewalls can protect multiple computers. However, not all network firewalls are created equal.
Some are simple devices or programs that cost little more than personal firewalls. Many consumer-grade
DSL and cable routers include this type of firewall technology. Simple network firewalls perform packet
filtering, but usually don’t do more than very rudimentary ALF.

Enterprise firewalls are “all business,” designed for large, complex networks. It goes without saying that
they cost much more. They will handle many more users, have faster throughput, and have advanced
features, such as:

- Incorporation of VPN gateways
- Ability to manage multiple firewalls centrally
- Sophisticated monitoring and reporting mechanisms
- Can be extended through add-on modules or plug-ins
- Ability to control access via policies and apply different policies to different users
- More sophisticated authentication mechanisms
- High availability with load balancing and failover

Cost for host-based firewalls is usually around $100 or less. Enterprise firewalls can cost over $25,000.
The most popular medium-range business firewalls cost from $1500 to around $5000. But that’s just the
initial purchase price. As we’ll see later, many vendors charge extra for functionalities that others
include free.

Hardware vs. Software Firewalls


All firewalls run firewall software, and they all run it on some sort of hardware, but the terms hardware
firewall and software firewall are used to distinguish between products marketed as an integrated
appliance that comes with the software preinstalled, usually on a proprietary operating system, and
firewall programs that can be installed on general purpose network operating systems such as Windows
or UNIX.

Hardware firewalls can be further divided into those that are basically dedicated PCs with hard disks and
those that are solid state devices built on ASIC (Application Specific Integrated Circuit) architecture.
ASIC firewalls are generally faster performers and don’t have the hard disk (a mechanical device) as a
potential point of failure.

Software firewalls include Microsoft ISA Server, CheckPoint FW-1 and Symantec Enterprise Firewall
at the enterprise level, as well as most personal firewalls. ISA Server runs on Windows 2000/2003, and
FW-1 runs on Windows NT/2000, Solaris, Linux, and AIX, as well as proprietary appliance operating
systems. Symantec EF runs on Windows and Solaris.

Hardware firewalls include Cisco PIX, Nokia (which runs CheckPoint FW-1 on top of their IPSO
operating system), SonicWall, NetScreen, Watchguard, and Symantec’s 5400 series appliances (which
run their Enterprise Firewall software).

Hardware firewalls are often marketed as “turn key” because you don’t have to install the software or
worry about hardware configuration or conflicts. Those that run proprietary operating systems claim
greater security because the OS is already “hardened” (however, many of the proprietary systems have
been exploited nonetheless). A disadvantage of hardware firewalls is that you’re locked into the
vendor’s specs. For instance, a firewall appliance will have a certain number of network interfaces, and
you’re stuck with that number. With a software firewall, you can add NICs to the machine on which it’s
running to increase the number of available interfaces. You can also more easily upgrade the standard
PC on which the software firewall runs, easily adding standard RAM or even multiple processors for
better performance.

Important Firewall Features

Most businesses need more than a personal or simple network firewall can offer, but unless you’re
running an ISP or datacenter, the top of the line enterprise firewalls are probably overkill (not to mention
the way they can kill your budget). Assuming you have a medium sized business and are in the market
for a firewall in the $2000-10,000 range, what’s out there and what’s the difference between them?

Here are some things you’ll want to look for:

- Architecture: do you prefer a software firewall that you can install on a new or existing PC or a
dedicated appliance?
- How many concurrent firewall sessions does the firewall need to support?
- How many VPN tunnels do you need to be able to run concurrently?
- What VPN protocols do you want to use (IPSec, PPTP, L2TP)?
- Do you need integration with Exchange mail servers or SharePoint collaboration servers?
- What type of management user interface (UI) do you prefer: command line interface (CLI),
graphical management console, Web-based interface? Do you need to manage the firewall via
SSH, Telnet, or SNMP? Do you need centralized management of multiple firewalls?
- Do you need high availability (load balancing, failover) features?

There is no One Perfect Firewall. Each product has strengths and weaknesses, and after you’ve
evaluated your needs and decided which features are most important for your organization, you should
carefully compare the technical specs and datasheets of different firewall products to determine which
meet your own needs best.

For example, the Cisco PIX firewalls are reliable and well-liked, but many administrators don’t like the
PIX Device Manager (PDM) Web interface and prefer to use the CLI. If you’re uncomfortable with the
command line, this might be a factor in your choice. SonicWall mid-range Pro 230 firewalls offer a big
price advantage over other brands, but support fewer VPN tunnels (500 as compared to 12,500 for the
mid-range Nokia 350 and 8000 for the mid-range Watchguard V80). On the other hand, the NetScreen
50, which costs $4000 more than the SonicWall, provides fewer VPN tunnels (100) and fewer
concurrent sessions (8000 vs. SonicWall’s 30,000).

Do You Need Extra Features?


Some features cost extra from some vendors (for example, you may have to buy an extra license to use
3DES encryption, or content filtering may be done through a subscription service such as SonicWall’s
CFS or a third party such as Websense). Some features are included at no cost with some firewalls, not
available at all with some others and require optional add-ons with others (for example, Web caching is
included standard with ISA Server, can be added to CheckPoint via an add-on product, must be done
“off box” with PIX, and is part of the content filtering service with SonicWall).

Features for which you might have to pay extra include:

- Web caching
- Centralized management and reporting
- Spam filtering
- High availability
- URL screening
- Anti-virus

With other firewalls, some or all of these features are built in. For example, ISA Server’s management
console can be used to manage multiple ISA Servers, and its ALF functions can be used for rudimentary
spam filtering, while ISA can use the Windows server operating system’s built in load balancing
functionality.

Another consideration is throughput (amount of data transferred per second). Performance is important
in a busy network where people depend on accessing resources quickly. Firewall throughput can range
from 150Mbps to over 1Gbps. When comparing vendors’ throughput claims, look closely to be sure you
aren’t comparing apples and oranges. VPN throughput, especially with strong encryption, will be far
slower than firewall throughput. Also, some vendors will list throughput as bidirectional. Of course,
throughput doesn’t determine access speed to the Internet; you’re still limited by the speed of your
Internet connection.

Some special considerations dictate the use of a particular firewall. For example, no other product
integrates with and protects Exchange servers and Outlook Web Access (OWA) users as well as ISA
Server, because both products are made by Microsoft to work seamlessly together. ISA Server is also
designed from the ground up to work with SharePoint Portal Servers (SPS). If protecting your Exchange
and SPS servers is a high priority, ISA is your logical first choice.

Important Cost Considerations


When you compare the costs of different firewalls, then, you need to take into account any of the extra
cost features that you need to implement. If you don’t need Web caching, it might cost less to buy a
SonicWall box than to buy a PC plus the Windows server operating system plus ISA Server. On the
other hand, if you DO need caching and you already have an extra box on which ISA can be installed,
this might be much more cost effective than buying the SonicWall plus a Web caching server or
appliance.

Licensing schemes vary widely and some are so complex that they’re confusing. For example, some
vendors charge extra for every VPN client. If you have 1000 VPN clients, even at $15 each, that adds up
to $15,000. Other vendors, such as Microsoft, don’t require client licenses for VPN connections, and
their VPN client software (PPTP and L2TP clients) is built into every modern Microsoft operating
system. Some vendors also base the initial cost of the firewall on a specified number of users, and if you
exceed that, you’ll have to buy an upgraded license.

A firewall solution that looks like the least expensive based on list price for the software or appliance
might end up costing much more when you purchase all the necessary licenses and add-on modules or
services.

Summary
Buying a firewall for your organization can be a daunting task, but it’s made easier by being properly
prepared. That means knowing how many users it needs to support (and taking future growth into
account), whether you’ll have VPN users and how many, whether you have Exchange and SharePoint
servers you need to protect, whether you need to manage multiple servers centrally, and whether you
want extra features such as Web caching. You’ll also want to determine whether you prefer that extra
functions be performed “off box” (which increases the amount of hardware required but puts less load
on the firewall’s processor) or “on box” which may be more convenient and reduce cost. There are many
decisions to make when you start to evaluate firewall options. In this article, we’ve discussed just a few
of the items you should consider.


You're reading the ancient 2005 version of this article! There's a new one, published in June 2009, covering
what the best firewalls currently are.

Contents: Introduction; Cyberguard SG710; Fortinet FortiGate 200A; Juniper ISG1000; Lucent Brick 150;
Netgear FVX538; Network Box RM-300; SonicWALL PRO 5060c; Symantec SGS 5420; WatchGuard X1000;
Specifications; How we tested; Editor's choice; About RMIT

Introduction

Firewalls are old hat these days. The majority of firewall vendors are now leveraging their firewall
technologies and hardware as a basis for security appliances that provide services far in excess of the tasks a
humble firewall used to provide.

Jobs such as antivirus filtering, intrusion detection and/or prevention, network traffic filtering, content
filtering, spyware detection and/or filtering amongst a host of others are now being incorporated or offered as
optional extra "golden screwdriver" upgrades to the average box.

This convergence can impact in two ways. On the positive side, if the appliance is easy to manage and it fits
the application and environment perfectly then go for it. On the negative side, with all the eggs in one
basket, poorly scoped deployments, or situations where the product does not quite fit the environment, it can
be a trigger for disaster. If the device lacks the redundancy needed for that deployment, a single failure in one
subsystem can mean that the whole device is offline.

Likewise a security administrator who mis-configures one of the services may also cause detrimental effects
on other services running on that box. Even minor glitches, which may require the redundant system to kick in
and take over, can be a nightmare -- particularly when all the various connection states need to be maintained
in a mirrored environment. This is where loads really need to be considered. Careful evaluation and testing
needs to be performed before committing to any single security appliance.

Firewall technology evolution


Fundamental firewall technology has not changed much in recent times. It separates into a few broad
categories and most vendors incorporate some or all of them into their toolset.

The most common baseline requirement these days is Stateful Packet Inspection (SPI). Vendors also generally
incorporate forms of individual packet filtering as well as port filtering. There are two other features now
commonly found in most mainstream firewalls: they act as application gateways or proxies, and they support
rule/policy-based access control lists referencing IP addresses/ranges, network user IDs etc. Some vendors
also enable the administrator of the device to set up advanced rule sets to enforce the enterprise's security
policies and framework, be it content filtering, Web access/content control, blacklists/whitelists, or even
bandwidth shaping and management.

Virtual firewalls and virtual policies/rule-sets are now making an appearance -- allowing several administrators
to have access to their own areas and rules on the one appliance.

Stateful Packet Inspection


Stateful Packet Inspection (SPI) examines traffic packet by packet, but it decides whether a packet is legitimate
by checking it against the table of connections the firewall is already tracking rather than by looking at each
packet in isolation. Any suspicious or unrequested packets are flagged, logged, or simply denied. Packets are
only allowed to pass through the firewall if they are associated with a valid session initiated from within the
network.

If a Trojan has managed to breach the other security defences due to a negligent user, the SPI firewall will
allow that data through, as it seemingly comes from a legitimate request on the LAN. Where SPI firewalls come
into their own is in conjunction with other methods of data scanning within the firewall, or with another
firewall on the LAN. SPI provides a percentage of coverage while still maintaining performance across the
network.

If a large enterprise was looking to protect its corporate network and every single packet of data, both
inbound and outbound, needed to be captured, logged, scanned for strange characteristics, and then traced,
the network bandwidth hit would be unacceptable and the firewall would cause a bottleneck. While not an
ideal solution, SPI can ease the pain while other techniques are implemented to handle its deficiencies. A
benefit of SPI is that it can be utilised as an additional technology to protect a Demilitarized Zone (DMZ) or a
network that is required to allow public access to some machines/servers. It can allow specific individual IP
addresses or segments on the LAN to have open ports, so the administrator can essentially select from a list
which ports to open/close for any given machine's IP address on the LAN.
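The session-tracking behaviour just described, including the weakness that traffic originating inside the LAN is trusted, as an added Python example that is not part of the original review. The addresses, the open-port exception for a DMZ host and the packet trace are constructed for the demonstration.

```python
"""Added example: a toy stateful packet inspection (SPI) filter.

Outbound flows from the trusted LAN are recorded; inbound packets are admitted
only as replies to a recorded flow, or to a port explicitly opened for a
published server. Traffic that *originates* inside, including a Trojan's
beacon, is let through, which is exactly the gap the text describes.
Addresses and the packet trace are constructed for this demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Session table keyed by (lan_ip, lan_port, remote_ip, remote_port)."""

    def __init__(self, lan_cidr, open_ports=None):
        self.lan = ip_network(lan_cidr)
        # Ports a DMZ/public host may accept unsolicited, e.g. {"10.0.0.20": {443}}
        self.open_ports = open_ports or {}
        self.sessions = set()

    def _inside(self, ip):
        return ip_address(ip) in self.lan

    def process(self, pkt):
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)
        if outbound:
            # SPI treats anything that starts inside as legitimate and records the flow.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "PERMIT"
        if inbound:
            # A reply is only valid if it matches a flow the LAN side initiated...
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "PERMIT"
            # ...or it targets a port deliberately opened for a published server,
            # in which case the new session is tracked from here on.
            if pkt.dport in self.open_ports.get(pkt.dst, set()):
                self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return "PERMIT"
            return "DENY"
        # Same-side traffic never crosses the firewall; anything else is dropped.
        return "DENY"


def demo():
    """Run a constructed trace; returns the decision for each packet in order."""
    fw = StatefulFilter("10.0.0.0/24", open_ports={"10.0.0.20": {443}})
    trace = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 80),    # workstation fetches a web page
        Packet("203.0.113.10", 80, "10.0.0.5", 40000),    # the web server's reply
        Packet("198.51.100.7", 4444, "10.0.0.5", 40000),  # unsolicited probe to the same port
        Packet("198.51.100.7", 5000, "10.0.0.20", 443),   # public client hits the DMZ server
        Packet("10.0.0.5", 40001, "198.51.100.7", 6667),  # Trojan beacons out from the LAN
        Packet("198.51.100.7", 6667, "10.0.0.5", 40001),  # C2 answer now matches a session
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last two packets are the point: once the infected workstation has opened the connection itself, the control channel back from the attacker is indistinguishable, to a pure SPI filter, from the web server's reply two lines earlier.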

The majority of these devices are more than just firewalls but we have kept our focus on firewall
considerations for the time being -- see the feature tables for some of the additional extras.

Firewall Debate: Hardware vs. Software


November 4, 2003, by Ronald V. Pacchiano

I'm about to get my first broadband connection, and I know I need to get a firewall.
However, I've been getting some conflicting advice as to what type of firewall I need. Some
people tell me I should get a hardware firewall, while others tell me a software firewall is
preferred. What's the difference, and more importantly, which is better?

Good question. The truth is that in a typical home office environment, one type of firewall
isn't necessarily better than the other. There are some differences, though, and the two can be
used together to give you an even greater degree of protection.

Hardware firewalls are important because they provide a strong degree of protection from most
forms of attack coming from the outside world. Additionally, in most cases, they can be
effective with little or no configuration, and they can protect every machine on a local network.

A hardware firewall in a typical broadband router employs a technique called packet filtering,
which examines the header of a packet to determine its source and destination addresses.
This information is compared to a set of predefined and/or user-created rules that determine
whether the packet is to be forwarded or dropped. A more advanced technique called Stateful
Packet Inspection (SPI), looks at additional characteristics such as a packet's actual origin (i.e.
did it come from the Internet or from the local network) and whether incoming traffic is a
response to existing outgoing connections, like a request for a Web page.

But most hardware residential firewalls have an Achilles' heel in that they typically treat any kind
of traffic traveling from the local network out to the Internet as safe, which can sometimes be a
problem.

Consider this scenario: What would happen if you received an e-mail message or visited a
website that contained a concealed program? Let's say this program was designed to install
itself on your machine and then surreptitiously communicate with someone via the Internet —
a distributed denial of service (DDoS) attack zombie or a keystroke logger, for example? And
trust me, this is by no means an unlikely scenario.

To most broadband hardware firewalls, the traffic generated by such programs would appear
legitimate since it originated inside your network and would most likely be let through. This
malevolent traffic might be blocked if the hardware firewall was configured to block outgoing
traffic on the specific Transmission Control Protocol/Internet Protocol (TCP/IP) port(s) the
program was using, but given that there are over 65,000 possible ports and there's no way to
know which ports a program of this nature might use, the odds of the right ones being blocked
are slim.

Moreover, blocking too many ports would almost certainly adversely affect your ability to use
some programs (many games, for instance). Also, some broadband router firewalls don't even
provide the ability to restrict outgoing traffic, only incoming traffic.


Advantages of Software Firewalls


Now consider what a software firewall might do in the aforementioned scenario. When you first
set up a software firewall, you can specify which applications are allowed to communicate over
the Internet from that PC. Programs that aren't explicitly allowed to do so are either blocked or
else the user is prompted for confirmation before the traffic is allowed to pass. Therefore, it
would likely intercept this kind of traffic before it left your computer.

Another potential scenario where a software firewall would be useful is in the case of an e-mail
worm with its own e-mail server, like the recent "SoBig" worm. Its built-in mail server could
attempt to send mail on the standard Simple Mail Transfer Protocol (SMTP) port (25), which would
probably pass through the router because of its trusted origin.

On the other hand, a software firewall could be configured to only allow Microsoft Outlook to
use port 25 (assuming Outlook is your e-mail client). Any attempt by another application to use
the port would be dropped, or blocked pending user confirmation. For that matter, the
application's attempt to use any port would be blocked if the firewall was configured that way.
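The contrast drawn above between a port-only router filter and a host firewall that knows which process opened the socket, as an added Python example that is not part of the original article. Process names, hosts and connection attempts are constructed; the worm is modelled only as a process that is not the allowed mail client.

```python
"""Added example: per-application egress control versus port-only filtering.

A broadband router sees only addresses and ports, so a worm's own SMTP
engine on port 25 looks exactly like the mail client. A host firewall
knows which process opened the socket and can allow the mail client alone.
Process names, hosts and the attempts below are constructed for the demo.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    process: str   # image name of the process that opened the socket
    dst: str
    dport: int


class RouterEgressFilter:
    """Port-only outbound filter: it cannot tell which program sent the traffic."""

    def __init__(self, blocked_ports=()):
        self.blocked_ports = set(blocked_ports)

    def decide(self, attempt):
        return "DENY" if attempt.dport in self.blocked_ports else "PERMIT"


class ApplicationFirewall:
    """Allow-list of (process, port) pairs; anything else is held for confirmation."""

    def __init__(self, allowed):
        self.allowed = set(allowed)   # e.g. {("outlook.exe", 25)}
        self.pending = Counter()      # unlisted process -> attempts blocked so far

    def decide(self, attempt):
        if (attempt.process, attempt.dport) in self.allowed:
            return "PERMIT"
        # Unknown program: block and count it, so repeated attempts stand out.
        self.pending[attempt.process] += 1
        return "ASK_USER"

    def repeat_offenders(self, threshold=3):
        """Processes that kept trying after being blocked; these deserve a look."""
        return sorted(p for p, n in self.pending.items() if n >= threshold)


def demo():
    """Run the same constructed attempts through both filters."""
    attempts = [
        Attempt("outlook.exe", "mail.example.test", 25),       # the real mail client
        Attempt("firefox.exe", "www.example.test", 443),       # the browser
        Attempt("worm_smtp.exe", "mx1.example.test", 25),      # worm's built-in mail engine
        Attempt("worm_smtp.exe", "mx2.example.test", 25),
        Attempt("worm_smtp.exe", "mx3.example.test", 25),
        Attempt("kl_update.exe", "drop.example.test", 31337),  # keystroke logger phoning home
    ]
    router = RouterEgressFilter()   # typical residential default: nothing outbound blocked
    host_fw = ApplicationFirewall({("outlook.exe", 25), ("outlook.exe", 110),
                                   ("firefox.exe", 80), ("firefox.exe", 443)})
    router_view = [router.decide(a) for a in attempts]
    host_view = [host_fw.decide(a) for a in attempts]
    return router_view, host_view, host_fw.repeat_offenders()


if __name__ == "__main__":
    router_view, host_view, offenders = demo()
    print("router :", router_view)
    print("host fw:", host_view)
    print("repeat offenders:", offenders)
```

The router permits all six attempts because it has no rule for port 25 and no notion of a process; the host firewall permits only the two listed programs and, by counting what it blocked, can alert on the process that kept retrying, which is the "flag you" capability the text says a hardware filter lacks.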

By comparison, a hardware firewall that had the ability to filter outgoing traffic might allow you
to block most kinds of traffic from a particular PC, but it wouldn't be able to flag you and alert
you to repeated attempts to infiltrate your computer.

One obvious downside to software firewalls is that they can only protect the machine they're
installed on, so if you have multiple computers (which many small offices do), you need to buy,
install, and configure a software firewall separately on each machine. This can get expensive
and can be difficult to manage if you have a lot of computers.

But the fact of the matter is that software firewalls generally offer the best measure of
protection against certain types of situations like Trojan programs or e-mail worms. Speaking
of which, a firewall isn't the only protection method available to you. Whether you end up using
a software firewall or a hardware firewall, you should always supplement it with anti-virus
software.

A good anti-virus package is just as important as a firewall, and I would seriously suggest that
you invest in a good one (I'm partial to both Norton and McAfee myself). However, keeping
your virus definitions updated is far more important than which program you use. I cannot
stress the importance of this enough. Making sure your definitions are current is absolutely
critical to maintaining your protection. Many Anti-virus programs today can be configured to
automatically update themselves, so you have no excuse for not maintaining them.

The bottom line is that with any home-office broadband connection, a hardware firewall should
be considered a bare minimum, and supplementing it with a software firewall on one or more
computers (and don't forget anti-virus software) is almost always a good idea.

Adapted from PracticallyNetworked.com.

The Differences and Features of Hardware &


Software Firewalls
Hardware and Software Firewalls Explained
Last updated January 28, 2010

A firewall is a protective system that lies, in essence, between
your computer network and the Internet. When used correctly,
a firewall prevents unauthorized use of and access to your
network. The job of a firewall is to carefully analyze data
entering and exiting the network based on your configuration. It
discards traffic that comes from unsecured, unknown
or suspicious locations. A firewall plays an important role on
any network as it provides a protective barrier against most
forms of attack coming from the outside world.

Firewalls can be either hardware or software. The ideal firewall
configuration will consist of both. In addition to limiting access
to your computer and network, a firewall is also useful for
allowing remote access to a private network through secure
authentication certificates and logins.

While many people do not completely understand the
importance and necessity of a firewall, or consider it to be a
product for businesses only, if your network or computer has
access to the outside world via the Internet then you need to
have a firewall to protect your network, individual computer and
the data therein.
Hardware Firewalls
Hardware firewalls can be purchased as a stand-alone product but more recently hardware firewalls
are typically found in broadband routers, and should be considered an important part of your system
and network set-up, especially for anyone on a broadband connection. Hardware firewalls can be
effective with little or no configuration, and they can protect every machine on a local network. Most
hardware firewalls will have a minimum of four network ports to connect other computers, but for
larger networks, business networking firewall solutions are available.

A hardware firewall uses packet filtering to examine the header of a packet to determine its source
and destination. This information is compared to a set of predefined or user-created rules that
determine whether the packet is to be forwarded or dropped.

As with any electronic equipment, a computer user with general computer knowledge can plug in a
firewall, adjust a few settings and have it work. To ensure that your firewall is configured for optimal
security and protection, however, consumers will no doubt need to learn the specific features of their
hardware firewall, how to enable them, and how to test the firewall to ensure it's doing a good job of
protecting your network.

Not all firewalls are created equal, and to this end it is important to read the manual and
documentation that comes with your product. Additionally the manufacturer's Web site will usually
provide a knowledgebase or FAQ to help you get started. If the terminology is a bit too tech-
oriented, you can also use the Webopedia search to help you get a better understanding of some of
the tech and computer terms you will encounter while setting up your hardware firewall.

To test your hardware firewall security, you can purchase third-party test software or search the
Internet for a free online-based firewall testing service. Firewall testing is an important part of
maintenance to ensure your system is always configured for optimal protection.

Software Firewalls
For individual home users, the most popular firewall choice is a software firewall. Software firewalls
are installed on your computer (like any software) and you can customize them, allowing you some
control over their function and protection features. A software firewall will protect your computer from
outside attempts to control or gain access to your computer, and, depending on your choice of
software firewall, it could also provide protection against the most common Trojan programs or e-
mail worms. Many software firewalls have user-defined controls for setting up safe file and printer
sharing and to block unsafe applications from running on your system. Additionally, software
firewalls may also incorporate privacy controls, web filtering and more. The downside to software
firewalls is that they will only protect the computer they are installed on, not a network, so each
computer will need to have a software firewall installed on it.

Like hardware firewalls there is a vast number of software firewalls to choose from. To get started
you may wish to read reviews of software firewalls and search out the product Web site to glean
some information first. Because your software firewall will always be running on your computer, you
should make note of the system resources it will require to run and any incompatibilities with your
operating system. A good software firewall will run in the background on your system and use only a
small amount of system resources. It is important to monitor a software firewall once installed and to
download any updates available from the developer.

The differences between a software and hardware firewall are vast, and the best protection for your
computer and network is to use both, as each offers different but much-needed security features
and benefits. Updating your firewall and your operating system is essential to maintaining optimal
protection, as is testing your firewall to ensure it is connected and working correctly.

Recommended Hardware Firewall


 Overview
 Juniper NetScreen firewall strength and features
 Recommended Juniper NetScreen firewall appliances
 Best practices for deploying a hardware firewall
 OSI model
 Related resources

Overview

Juniper Networks NetScreen hardware firewall is the recommended hardware firewall appliance for use
at the University of Pennsylvania. (The information below relates to SSG series appliances. Updates to this
document are coming soon to include information about the SRX series and JunOS.) The firewall
appliance is a security tool that, when configured correctly, filters traffic between trusted zones (private)
and un-trusted zones (PennNet). A firewall allows or blocks network traffic between the trusted and the
un-trusted zone based on policies defined by the firewall administrator.

A number of schools and centers (School of Arts and Sciences, the Annenberg School, Facilities
Services, Vice Provost for University Life, Law School) have successfully deployed various NetScreen
hardware firewalls and have spoken highly of the appliance's reliability, effectiveness and ease of use,
especially when deployed in a Layer 2 transparent mode.

There are a number of other hardware firewalls in use on campus such as Cisco PIX, Nokia IP350 and
Check Point FireWall-1 NG. To read more about feedback on the different models of hardware firewall in
use on campus please visit the Hardware Firewall Evaluation - Fall 2004.

Juniper NetScreen Firewall Strength and Features

 Well designed and constructed web based administrator interface.
 Highly rated for its management capabilities and interface (Gartner).
 Same operating system used throughout the entire hardware firewall product line.
 Juniper ranked as a leader among Network Firewall vendors (Gartner).
 On campus knowledge and experience.
 Competitive pricing.
 Recommended appliance ships with:
    Support for Layer 2 and Layer 3 operations mode.
    High availability feature - Several firewalls can be linked, and a failover function can be used so
   that a second firewall takes over if the first one goes down.
    WebAuth authentication - Users must enter username/password before traffic is permitted
   through the firewall.
    Policy scheduling - Enable or disable policy based on time of day.
    Attack prevention - Blocks DoS-type attacks and simple exploitation/buffer overflow attacks;
   URL filtering.
    Virtual Private Network (VPN) connections - Support for VPN tunnels.
    Anti-virus application defense integration.
    Deep Packet Inspection integration - A subset of the Deep Inspection functionality has been
   integrated into the firewall products. NetScreen offers a separate Deep Inspection appliance for
   network protection.

Recommended NetScreen Firewall Appliances

The table below lists the NetScreen firewall appliances that run on ScreenOS 5.x and that support Layer
2 and Layer 3 operations mode. Updates to this chart are coming soon to address the Juniper SRX Series
and JunOS.

 
NetScreen Firewall    | Interfaces                          | Max. Throughput | Max. Sessions | Max. VPN Tunnels | Max. Policies
SSG 5 (ScreenOS 6.x)  | 7 ports 10/100                      | 160 Mbps        | 8,000/16,000  | 25/40            | 200
SSG 140               | 8 ports 10/100, 2 ports 10/100/1000 | 300 Mbps        | 48,000        | 150              | 1000
SSG 520               | 4 ports 10/100/1000                 | 600 Mbps        | 64,000        | 500              | 1000
SSG 550               | 4 ports 10/100/1000                 | 1 Gbps          | 128,000       | 1000             | 4000
Supported Modes of Operation

Layer 2 mode

Transparent bridging. In this mode, the NetScreen firewall functions as a Layer 2 forwarding device (a
bridge, not a router), allowing quick deployment of the firewall appliance without changes to the existing
network topology. Servers can continue to use public PennNet IP addresses.

Layer 3 mode
 Routing: In this mode, the NetScreen firewall functions as a Layer 3 router, and will require the
administrator to manually configure a static routing table.
 Network Address Translation (NAT): In this mode, the appliance is configured so that internal
addresses and port numbers are translated to the address of the outbound public interface with a
dynamically-assigned port number. NAT can be configured for NAT-src, and for NAT-dst with Mapped IP
(MIP) and Virtual IP (VIP).

Best Practices for Deploying a Hardware Firewall

 Consider firewall design and implementation issues. Where will you place the firewall? Do you intend
to create a large perimeter to protect all your servers and desktops?

 Don't rely only on the firewall for your domain security. It's essential to focus on properly configuring,
securing, and patching your domain controllers, servers and desktops. Always secure your domain
through Microsoft security configuration first, and then use a hardware firewall as another layer of
security. Security in depth is recommended.

 Threats exist from all devices allowed through the firewall as well as from external sources. A
firewall does not protect a server or desktops on the same side of the firewall, so it is critical that all
workstations, printers or other network devices are properly secured and are up to date with operating
system security and anti-virus patches.

 Secure and verify laptops and mobile devices. Be aware of threats and vulnerabilities of remote users
laptops brought in and connected on the trusted side of the firewall.

 Proper maintenance of the firewall is critical. The firewall operating system must be maintained at the
latest release and patch level to address security vulnerabilities.

 Backup firewall configuration. Store a copy of the configuration file on an external device to facilitate
restoration of the file in case of disaster.

 Enable traffic log monitoring. Use traffic logs to monitor session activities to verify the effectiveness of
policies.

 When a firewall is used with a VLAN, a firewall administrator can establish a large secure perimeter
around systems by limiting the flow of traffic. All network traffic between the private VLAN and PennNet is
examined by the firewall to see if it meets certain criteria defined by policy. Criteria commonly used to
allow or block traffic are IP addresses/ranges and the network ports which support specific services.
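Putting the "enable traffic log monitoring" advice into practice, as an added Python example that is not part of the original page. It parses constructed records in the general key=value shape of a ScreenOS traffic log (the exact field set, the device name and the policy IDs are assumptions, not a transcription of any real device's output), counts hits per policy, lists configured policies that never matched, and flags external addresses that are denied repeatedly.

```python
"""Added example: reviewing firewall traffic logs to check that policies do what
they should. The records below are constructed; they follow the general
key=value shape of a ScreenOS traffic log, but the exact field set is an
assumption, not a transcription of any real device's output."""
import re
from collections import Counter

# Constructed sample: two hits on policy 1, one on policy 2, three explicit denies
# (policy 4) from one external address probing SSH across the DMZ.
SAMPLE_LOG = """\
NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-01-28 09:00:01" duration=12 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1024 rcvd=4096 src=10.1.1.5 dst=203.0.113.10 src_port=40001 dst_port=80
NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-01-28 09:00:07" duration=3 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=512 rcvd=2048 src=10.1.1.7 dst=203.0.113.22 src_port=40002 dst_port=80
NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-01-28 09:01:15" duration=40 policy_id=2 service=https proto=6 src zone=Untrust dst zone=DMZ action=Permit sent=2048 rcvd=8192 src=198.51.100.20 dst=192.0.2.10 src_port=50000 dst_port=443
NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-01-28 09:02:01" duration=0 policy_id=4 service=ssh proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=198.51.100.7 dst=192.0.2.10 src_port=4444 dst_port=22
NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-01-28 09:02:02" duration=0 policy_id=4 service=ssh proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=198.51.100.7 dst=192.0.2.11 src_port=4445 dst_port=22
NetScreen device_id=ssg140 [Root]system-notification-00257(traffic): start_time="2010-01-28 09:02:03" duration=0 policy_id=4 service=ssh proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=198.51.100.7 dst=192.0.2.12 src_port=4446 dst_port=22
"""

# Policy IDs the administrator believes are configured (assumed for the example).
CONFIGURED_POLICIES = {
    1: "Trust -> Untrust: web browsing",
    2: "Untrust -> DMZ: https to public web server",
    3: "Trust -> Untrust: ssh for admins",
    4: "Untrust -> DMZ: deny all, logged",
}

# key=value pairs; keys may contain a space ("src zone"), values may be quoted.
FIELD_RE = re.compile(r'(?P<k>[a-z_]+(?: zone)?)=(?P<v>"[^"]*"|\S+)')


def parse_record(line):
    """Return the key/value fields of one traffic record as a dict."""
    return {m.group("k"): m.group("v").strip('"') for m in FIELD_RE.finditer(line)}


def review(log_text, configured_policies, deny_threshold=3):
    """Summarise which policies are actually matching and who is being denied.

    Returns hit counts per policy, configured policies that never matched
    (candidates for removal, or a sign the traffic is taking another path),
    and sources denied at least deny_threshold times.
    """
    hits = Counter()
    denies_by_src = Counter()
    for line in log_text.splitlines():
        if "(traffic)" not in line:
            continue                      # skip non-traffic notifications
        rec = parse_record(line)
        policy = int(rec["policy_id"])
        hits[policy] += 1
        if rec["action"].lower() == "deny":
            denies_by_src[rec["src"]] += 1
    unused = sorted(p for p in configured_policies if hits[p] == 0)
    noisy = sorted(s for s, n in denies_by_src.items() if n >= deny_threshold)
    return {"hits": dict(hits), "unused_policies": unused, "noisy_sources": noisy}


if __name__ == "__main__":
    summary = review(SAMPLE_LOG, CONFIGURED_POLICIES)
    for policy, count in sorted(summary["hits"].items()):
        print(f"policy {policy}: {count} session(s)")
    print("never matched:", summary["unused_policies"])
    print("sources denied repeatedly:", summary["noisy_sources"])
```

A policy that never matches (policy 3 here) is worth a second look: either nobody needs it, or the traffic it was written for is being matched by an earlier, broader rule, which is the kind of policy-ordering mistake the logs are meant to expose. Run against a real export, the hit counts tell you the same thing for every rule at once.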

OSI Model

The OSI, or Open System Interconnection, model defines a networking framework for implementing
protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in
one station, proceeding to the bottom layer, over the channel to the next station and back up the
hierarchy. See Webopedia, the online dictionary, for an explanation of the 7 Layers of the OSI Model.

Thin Computing vs. Desktop PCs vs. Datacenters
Moving problems from one place to another...

Most companies worldwide are using a quite large number of desktop systems and as that number grows by the year,
so does the cost of the energy bill, alongside with additional costs like service and maintenance. Desktop virtualization
aims at replacing the currently large number of desktop computer systems that are typically used in companies with a
few powerful servers that are able to sustain a high number of thin clients. The Australian Computer Society, ACS for
short, recommended this course of action after a study showed that desktop computer systems are among the most
important factors that contribute to the eight million tonnes of CO2 produced by Australian enterprises each year.

According to the news site zdnet.com, the Australian association claims that thin clients are less energy intensive
and need less power to operate than their desktop counterparts. While the thin client approach may reduce the
overall energy consumption, Kris Kumar, director of data center design specialists 3i Group, said that this is not the
best solution as it simply moves the intense energy consumption from desktop systems to server rooms, which are
already quite energy hungry. "If you adopt a thin computing approach and then realize the datacentre cannot
cope, you will use band-aid approaches to fixing that problem, which will never be optimum," he said.

The main problem, according to him, is that most companies and enterprises are not using a global strategy to
diminish their energy footprint and they are simply patching problems as they go, and that approach leads to a "major
chaos in global markets in the datacentre space". While the carbon emissions are certainly important, they are only a
small part of the whole environmental problem caused by the computer industry, and Ward Nash, from the thin
computing manufacturing company WYSE, said that thin clients offer a better alternative to desktop
computer systems because they have an increased lifespan over their counterparts, which are typically rated to last
around three years. Apart from this advantage, thin clients are more environmentally friendly because they are simple
machines, so they require fewer materials to build.

Ward Nash also said that using the thin client approach, most companies can get rid of the burden of old and useless
hardware, while benefiting from lower management costs and better security, as all the data and applications are
stored on a secure server system and not on every desktop computer.

What is RAID?

Using Multiple Hard Drives for Performance and Reliability


Introduction

Back in the late 1980's and early 1990's, computer information servers were encountering a dramatic increase
in the amount of data they needed to serve and store. With the storage technology of the time, it was very expensive
to place a large number of high capacity hard drives in the servers. A solution was needed, and thus RAID was
born.

So what exactly is RAID? First of all, the acronym stands for Redundant Array of Inexpensive Disks. It was a
system developed whereby a large number of low cost hard drives could be linked together to form a single
large capacity storage device that offered superior performance, storage capacity and reliability over older
storage solutions. It has been a widely used and deployed method of storage in the enterprise and server
markets, but over the past 5 years it has become much more common in end user systems.


Advantages of RAID

There are three primary reasons that RAID was implemented:

• Redundancy
• Increased Performance
• Lower Costs

Redundancy is the most important factor in the development of RAID for server environments. This allowed
for a form of backup of the data in the storage array in the event of a failure. If one of the drives in the array
failed, it could either be swapped out for a new drive without turning the systems off (referred to as hot
swappable) or the redundant drive could be used. The method of redundancy depends on which version of
RAID is used.

The increased performance is only found when specific versions of the RAID are used. Performance will also be
dependent upon the number of drives used in the array and the controller.

All managers of IT departments like low costs. When the RAID standards were being developed, cost was also
a key issue. The point of a RAID array is to provide the same or greater storage capacity for a system
compared to using individual high capacity hard drives. A good example of this can be seen in the price
differences between the highest capacity hard drives and lower capacity drives. Three drives of a smaller size
could cost less than an individual high-capacity drive but provide more capacity.

There are typically three forms of RAID used for desktop computer systems: RAID 0, RAID 1 and RAID 5. In
most cases, only the first two of these versions are available, and one of the two is technically not a form of
RAID.

RAID 0

The lowest designated level of RAID, level 0, is actually not a valid type of RAID. It was given the designation
of level 0 because it fails to provide any level of redundancy for the data stored in the array. Thus, if one of
the drives fails, all the data is lost.

RAID 0 uses a method called striping. Striping takes a single chunk of data, such as a graphic image, and spreads
that data across multiple drives. The advantage of striping is improved performance: twice the
amount of data can be written in a given time frame to two drives compared to that same data being
written to a single drive.

Below is an example of how data is written in a RAID 0 implementation. Each row in the chart represents a
physical block on the drive and each column is the individual drive. The numbers in the table represent the
data blocks. Duplicate numbers indicate a duplicated data block.

        Drive 1   Drive 2
Block 1    1         2
Block 2    3         4
Block 3    5         6

Thus, if the 6 blocks of data above constitute a single data file, it can be read and written much
faster than if it were on a single drive. Each drive, working in parallel, reads only 3 physical blocks, while a
single drive would take twice as long because it has to read all 6 physical blocks. The drawback, of course, is
that if one drive fails, the data is no longer usable: all 6 data blocks are needed for the file, but only three
are accessible.

Advantages:

• Increased storage performance
• No loss in data capacity

Disadvantages:

• No redundancy of data

RAID 1

RAID version 1 was the first real implementation of RAID. It provides a simple form of redundancy for data
through a process called mirroring. This form typically requires two individual drives of similar capacity. One
drive is the active drive and the secondary drive is the mirror. When data is written to the active drive, the
same data is written to the mirror drive.

The following is an example of how the data is written in a RAID 1 implementation. Each row in the chart
represents a physical block on the drive and each column is the individual drive. The numbers in the table
represent the data blocks. Duplicate numbers indicate a duplicated data block.

        Drive 1   Drive 2
Block 1    1         1
Block 2    2         2
Block 3    3         3

This provides a full level of redundancy for the data on the system. If one of the drives fails, the other drive
still has all the data that existed in the system. The big drawback, of course, is that the capacity of the RAID
will only be as big as the smaller of the two drives, effectively halving the storage capacity the
two drives would offer if used independently.

Advantages:

• Provides full redundancy of data

Disadvantages:

• Storage capacity is only as large as the smallest drive
• No performance increases
• Some downtime to change active drive during a failure

RAID 0+1

This is a hybrid form of RAID that some manufacturers have implemented to try to give the advantages of
the two versions combined. Typically this can only be done on a system with a minimum of 4 hard
drives. It combines the methods of mirroring and striping to provide both performance and redundancy.
The first set of drives is active and has the data striped across it, while the second set of drives is
a mirror of the data on the first two.

Below is an example of how data is written in a RAID 0+1 implementation. Each row in the chart represents a
physical block on the drive and each column is the individual drive. The numbers in the table represent the
data blocks. Duplicate numbers indicate a duplicated data block.

        Drive 1   Drive 2   Drive 3   Drive 4
Block 1    1         2         1         2
Block 2    3         4         3         4
Block 3    5         6         5         6

In this case, the data blocks are striped across the drives within each of the two sets, while the data is mirrored
between the sets. This gives the increased performance of RAID 0, because each drive takes half the time to
write the data compared to a single drive, and it also provides redundancy. The major drawback, of course, is the
cost: this implementation requires a minimum of 4 hard drives.

Advantages:

• Increased performance
• Data is fully redundant

Disadvantages:

• Large number of drives required
• Effective data capacity is halved

RAID 10 or 1+0

RAID 10 is effectively a similar version to RAID 0+1. Rather than striping data within each disk set and then
mirroring the sets, the first two drives in the array are mirrored together. The second two drives form another
mirrored pair, and the data is striped across the two pairs. This is a form of nested
RAID setup: drives 1 and 2 are a RAID 1 mirror, drives 3 and 4 are also a mirror, and these two sets are then
set up as a striped array.

Below is an example of how data is written in a RAID 10 implementation. Each row in the chart represents a
physical block on the drive and each column is the individual drive. The numbers in the table represent the
data blocks. Duplicate numbers indicate a duplicated data block.

        Drive 1   Drive 2   Drive 3   Drive 4
Block 1    1         1         2         2
Block 2    3         3         4         4
Block 3    5         5         6         6

Just like the RAID 0+1 setup, RAID 10 requires a minimum of four hard drives to function. Performance is
pretty much the same, but the data is a bit more protected than in the RAID 0+1 setup.

Advantages:

• Increased performance
• Data is fully redundant

Disadvantages:

• Large number of drives required
• Effective data capacity is halved

RAID 5

This is the most powerful form of RAID that can be found in a desktop computer system. Typically it requires
a hardware controller card to manage the array, but some desktop operating systems can create
these arrays in software. This method uses a form of striping with parity to maintain data redundancy. A minimum
of three drives is required to build a RAID 5 array, and they should be identical drives for the best
performance.

Parity is essentially a form of binary math that compares two blocks of data and forms a third data block based
upon the first two. The easiest way to explain it is even and odd. If the sum of the two data bits is even,
then the parity bit is 0; if the sum is odd, the parity bit is 1. So 0+0 and 1+1
both give 0, while 0+1 or 1+0 give 1. Because of this relationship, if one drive in the
array fails, the parity bits allow the missing data to be reconstructed when the drive is replaced.

With that information in mind, here is an example of how a RAID 5 array would work. Each row in the chart
represents a physical block on the drive and each column is the individual drive. The numbers in the table
represent the data blocks. Duplicate numbers indicate a duplicated data block. A "P" indicates a parity bit for
two blocks of data.

        Drive 1   Drive 2   Drive 3
Block 1    1         2         P
Block 2    3         P         4
Block 3    P         5         6

The parity block shifts between the drives to increase the performance and reliability of the array. The drive array
still has increased performance over a single drive, because multiple drives can write the data faster
than a single drive. The data is also fully redundant because of the parity blocks: if drive 2 fails,
its data can be rebuilt from the data and parity blocks on the two remaining drives. Data capacity is
reduced by the space the parity blocks occupy. In practice, the capacity of the array is given by the following equation,
where n is the number of drives and z is the capacity of one drive:

(n-1)z = Array Capacity

In the case of three 500 gigabyte hard drives, the total capacity would be (3-1) x 500GB, or 1000 gigabytes.

Hardware RAID 5 implementations can also have a function called hot swap. This allows for drives to be
replaced while the array is still functioning to either increase the drives capacity or to replace a damaged
drive. The drive controller then takes time while the array is running to rebuild the data array across the
drives. This is a valuable feature for systems that require 24x7 operation.

Advantages:

• Increased storage array performance
• Full data redundancy
• Ability to run 24x7 with hot swap

Disadvantages:

• High costs to implement
• Performance degrades during rebuilding

Software vs. Hardware RAID

In order for RAID to function, there needs to be software either through the operating system or via dedicated
hardware to properly handle the flow of data from the computer system to the drive array. This is particularly
important when it comes to RAID 5 due to the large amount of computing required to generate the parity
calculations.

In the case of software implementations, CPU cycles are taken away from the general computing environment
to perform the necessary tasks for the RAID interface. Software implementations are very low cost monetarily,
because all that is necessary to implement one is the hard drives. The problem with software RAID
implementations is the performance drop of the system. In general, this performance hit can be 5% or
greater, depending upon the processor, memory, drives used and the level of RAID
implemented. Most people do not use software RAID anymore due to the decreasing costs of hardware RAID
controllers over the years.

Hardware RAID has the advantage of dedicated circuitry to handle all the RAID drive array calculations outside
of the processor. This provides excellent performance for the storage array. The drawback to hardware RAID
has been the cost. In the case of RAID 0/1 controllers, those costs have become so low that many chipset
and motherboard manufacturers are including these capabilities on the motherboards. The real costs rest with
RAID 5 hardware, which requires more circuitry for the added computing ability.

Drive Selection

What a lot of people don't realize is that the performance and capacity of a RAID array is heavily dependent
upon the hard drives used in the array. For the best results, all hard drives in the array should be the same
brand and model. This means that all of the hard drives will have the same capacity and performance levels.
It is not a requirement that the drives be matched, but mismatching the drives can actually hurt the RAID
array.

The capacity of the RAID array will depend upon the method implemented. In the case of RAID 0, the striping
can only be done across an equal amount of space on the two drives. As a result, if an 80GB and a 100GB drive
are used to make the array, the final capacity of the array would only be 160GB. Similarly, in RAID 1 the
drives can only mirror data equal to the smallest size. Thus, based on the two drives mentioned before, the
final data size would only be 80GB. RAID 5 is a bit more complicated because of the formula mentioned
before. Once again the smallest capacity would be used. So if an 80GB, a 100GB and a 120GB drive were used to
make a RAID 5 array, the final capacity would be 160GB of data.

Performance of the array is also dependent upon the drives. In order for the array to function properly, it
must wait for the data to be written to each of the drives before it can continue. This means that in the
example charts for the RAID arrays, the controller must wait until all physical data has been written to block 1
across all the drives in the array before it can continue to the next set of data for the drives. This means an
array where one drive has half the performance of the other two will slow down the overall performance of the
other drives.

Conclusions

Overall RAID provides systems with a variety of benefits depending upon the version implemented. Most
consumer users will likely opt to use the RAID 0 for increased performance without the loss of storage space.
This is primarily because redundancy is not an issue for the average user. In fact, most computer systems will
only offer either RAID 0 or 1. The costs of implementing a RAID 0+1 or RAID 5 system generally are too
expensive for the average consumer and are only found in high-end workstation or server level systems.

3.3. Hardware RAID versus Software RAID

There are two possible RAID approaches: Hardware RAID and Software RAID.

3.3.1. Hardware RAID


The hardware-based system manages the RAID subsystem independently from the host and presents to
the host only a single disk per RAID array.

An example of a Hardware RAID device would be one that connects to a SCSI controller and presents
the RAID arrays as a single SCSI drive. An external RAID system moves all RAID handling
"intelligence" into a controller located in the external disk subsystem. The whole subsystem is connected
to the host via a normal SCSI controller and appears to the host as a single disk.

RAID controllers also come in the form of cards that act like a SCSI controller to the operating system
but handle all of the actual drive communications themselves. In these cases, you plug the drives into the
RAID controller just like you would a SCSI controller, but then you add them to the RAID controller's
configuration, and the operating system never knows the difference.

3.3.2. Software RAID


Software RAID implements the various RAID levels in the kernel disk (block device) code. It offers the
cheapest possible solution, as expensive disk controller cards or hot-swap chassis [1] are not required.
Software RAID also works with cheaper IDE disks as well as SCSI disks. With today's fast CPUs,
Software RAID performance can excel against Hardware RAID.

The MD driver in the Linux kernel is an example of a RAID solution that is completely hardware
independent. The performance of a software-based array is dependent on the server CPU performance
and load.

For information on configuring Software RAID in the Red Hat Linux installation program, refer to the
Chapter 10 Software RAID Configuration.

For those interested in learning more about what Software RAID has to offer, here is a brief list of the
most important features:

• Threaded rebuild process
• Kernel-based configuration
• Portability of arrays between Linux machines without reconstruction
• Backgrounded array reconstruction using idle system resources
• Hot-swappable drive support
• Automatic CPU detection to take advantage of certain CPU optimizations

Notes

[1] A hot-swap chassis allows you to remove a hard drive without having to power down your system.

Selecting a RAID level and tuning performance

Disk arrays are used to improve performance and reliability. The amount of improvement depends
on the application programs that you run on the server and the RAID levels that you assign to the
logical drive.

Each RAID level provides different levels of fault-tolerance (data redundancy), utilization of
physical drive capacity, and read and write performance. In addition, the RAID levels differ in
regard to the minimum and maximum number of physical drives that are supported.

When selecting a RAID level for your system, consider the following factors.

Note: Not all RAID levels are supported by all ServeRAID controllers.

RAID level | Data redundancy | Physical drive capacity utilization | Read performance | Write performance | Built-in spare drive | Min. number of drives | Max. number of drives
RAID level-0 | No | 100% | Superior | Superior | No | 1 | 16
RAID level-1 | Yes | 50% | Very high | Very high | No | 2 | 2
RAID level-1E | Yes | 50% | Very high | Very high | No | 3 | 16
RAID level-5 | Yes | 67% to 94% | Superior | High | No | 3 | 16
RAID level-5E | Yes | 50% to 88% | Superior | High | Yes | 4 | 16
RAID level-5EE | Yes | 50% to 88% | Superior | High | Yes | 4 | 16
RAID level-6 | Yes | 50% to 88% | Very high | High | No | 4 | 16
RAID level-00 | No | 100% | Superior | Superior | No | 2 | 60
RAID level-10 | Yes | 50% | Very high | Very high | No | 4 | 16
RAID level-1E0 | Yes | 50% | Very high | Very high | No | 6 | 60
RAID level-50 | Yes | 67% to 94% | Superior | High | No | 6 | 60 (SCSI), 128 (SAS, SATA)
RAID level-60 | Yes | 50% to 88% | Very high | High | No | 8 | 128
Spanned Volume | No | 100% | Superior | Superior | No | 2 | 48
RAID Volume | No | 50% to 100% | Superior | Superior | No | 4 | 48

Physical drive utilization, read performance, and write performance depend on the number of
drives in the array. Generally, the more drives in the array, the better the performance.

RAID 60 benefits and drawbacks


I like RAID 50 a lot, so you might think that I’m a big believer in taking that to the next level and that I would
like RAID 60 even more; to be honest, I’m not sure. I see RAID 50 as a great balance between capacity,
performance, and reliability, and I see RAID 60 as potentially imbalanced on the capacity side (to the
negative) in order to support the increased reliability inherent in RAID 60.

I don’t think you should simply avoid RAID 60 at all costs; instead, make the decision on a case by case basis
with an understanding of the tradeoffs that you’ll face. In fact, you might find that RAID 60 is a great fit when
you need higher usable capacity and better reliability and can trade a little in write performance for it.

With RAID 60, you're going to lose anywhere from around 12% to 50% of your usable space to parity
information. This is not a bad thing, and the whole design of RAID 6 is built around the idea that using more
space (two disks' worth, to be exact) to enhance reliability is a good thing. If you're ultra-concerned about
reliability, are you more likely to use fewer disks per individual RAID 6 set? If so, this would decrease the
overall usable capacity of the solution. In fact, in the diagram above, you'd lose 50% of your disk space to
parity, so why not just go with RAID 10 in that scenario?

With RAID 6, you will take a performance hit (more so than with RAID 50) when it comes to writes, but reads
will be boosted, as is the case with RAID 10 and RAID 50. The exact performance hit you take with writes
under RAID 60 is largely dependent on the quality of your RAID controller and on what you’re doing. If you’re
considering implementing a RAID 60 that eats 50% of your space in overhead, it’s time to consider just using
RAID 10, which will provide similar read performance and better overall write performance and provide
similar levels of redundancy.

From a pure reliability perspective, a RAID 60 array is orders of magnitude more reliable than even RAID 50
arrays due largely to the extra parity disk employed in RAID 60.

The more disks you add to each individual RAID 6 set in a RAID 60 array, the higher percentage of usable
space you get from the overall RAID 60 array. Perhaps the biggest tradeoff in RAID 60 is that you can build
larger individual RAID 60 sets in a safer manner than is possible under RAID 50, so from that perspective,
perhaps you can get more safely usable space from a RAID 60 array.

Conclusion

When it comes to RAID 60, I don't think IT pros should have a one-size-fits-all mentality. And before you
jump on the RAID 60 train, be aware that there are potential downsides for usable space and performance
that need to be considered, so choose wisely. For more information, I recommend checking out IBM's article
and chart about selecting a RAID level.

Windows Server 2008 R2 System Requirements
To use Windows Server 2008 R2, you need:*

Component | Requirement
Processor | Minimum: 1.4 GHz (x64 processor). Note: An Intel Itanium 2 processor is required for Windows Server 2008 R2 for Itanium-Based Systems
Memory | Minimum: 512 MB RAM. Maximum: 8 GB (Foundation) or 32 GB (Standard) or 2 TB (Enterprise, Datacenter, and Itanium-Based Systems)
Disk Space Requirements | Minimum: 32 GB or greater. Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files
Display | Super VGA (800 × 600) or higher resolution monitor
Other | DVD Drive, Keyboard and Microsoft Mouse (or compatible pointing device), Internet access (fees may apply)

* Actual requirements will vary based on your system configuration, and the applications and features you choose to install. Processor
performance is dependent upon not only the clock frequency of the processor, but the number of cores and the size of the processor
cache. Disk space requirements for the system partition are approximate. Additional available hard disk space may be required if you
are installing over a network.
Edition Comparison by Technical Specification

KEY: Not Available / Available (the availability icons did not survive extraction; only the numeric cells are reproduced below, in the original column order)

Columns: Web, Standard, Enterprise, Datacenter, Itanium, Foundation, HPC

Cross-File Replication (DFS-R)
Failover Cluster Nodes (Nodes): 16, 16, 8
Fault Tolerant Memory Sync
Hot Add Memory
Hot Add Processors
Hot Replace Memory
Hot Replace Processors
IA64 RAM: 2 TB
IA64 Sockets: 64
Network Access Connections (IAS): 50, Unlimited, Unlimited, 2, 10
Network Access Connections (RRAS): 250, Unlimited, Unlimited, 50, 250
Remote Desktop Admin Connections: 2, 2, 2, 2, 2, 2, 2
Remote Desktop Services Gateway: 250, Unlimited, Unlimited, 50
Virtual Image Use Rights: Guest, Host + 1 VM, Host + 4 VM, Unlimited, Unlimited, Host + 1 VM
X64 RAM: 32 GB, 32 GB, 2 TB, 2 TB, 8 GB, 128 GB
X64 Sockets: 4, 4, 8, 64, 1, 4

Edition Comparison by Server Role

KEY: Not Available / Partial/Limited / Full (the availability icons did not survive extraction; only the footnote markers are reproduced below, in the original column order)

Columns: Enterprise, Datacenter, Standard, Itanium, Web, Foundation, HPC

Active Directory Certificate Services: 1, 1, 1
Active Directory Domain Services
Active Directory Federation Services
Active Directory Lightweight Directory Services
Active Directory Rights Management Services
Application Server
DHCP Server
DNS Server
Fax Server
File Services: 2, 2, 2
Hyper-V
Network Policy and Access Services: 3, 5, 3
Print and Document Services
Remote Desktop Services: 4, 6, 4
Web Services (IIS)
Windows Deployment Services
Windows Server Update Services (WSUS)

HPC Edition is limited in use to running clustered HPC applications or providing job scheduling services for HPC applications.

1 Limited to creating Certificate Authorities – no other ADCS features (NDES, Online Responder Service). See ADCS role
documentation on TechNet for more information.
2 Limited to 1 standalone DFS root.
3 Limited to 250 RRAS connections, 50 IAS connections and 2 IAS Server Groups.
4 Limited to 250 Remote Desktop Services Gateway connections.
5 Limited to 50 RRAS connections, 10 IAS connections.
6 Limited to 50 Terminal Service Gateway connections.

Differentiated Feature Comparison by Edition

KEY: Not Available / Available (the availability icons did not survive extraction; only the feature names are reproduced below)

Columns: Enterprise, Datacenter, Standard, Web, Itanium, Foundation, HPC

.NET 3.0
.NET Framework 3.5.1 Features
Administration Tools
BitLocker Drive Encryption
BITS Server Extensions
BranchCache Content Server
BranchCache Hosted Server
Desktop Experience
DirectAccess Management
Failover Clustering
Group Policy Management Console
Ink and Handwriting Services
Internet Printing Client
LPR Port Monitor
Microsoft Message Queuing (MSMQ)
Multipath I/O
Peer Name Resolution Protocol
Quality Windows Audio Video Experience
RAS Connection Manager Administrator Kit
RDC
Remote Assistance
Remote Differential Compression
Remote Server Admin Tools
RPC Over HTTP Proxy
Simple TCP/IP Services
SMTP
SNMP
Storage SAN Manager for SANS
Subsystem for Unix-Based Applications (SUA)
Telnet Client
Telnet Server
TFTP Client
Windows Biometric Framework
Windows Internal Database
Windows Internet Naming Service (WINS)
Windows Network Load Balancing (WNLB)
Windows PowerShell Integrated Scripting Environment (ISE)
Windows PowerShell
Windows Process Activation Server
Windows Server Backup
Windows Server Backup Features
Windows Server Migration Tools
Windows System Resource Manager (WSRM)
Windows TIFF IFilter
WINS Server
Wireless Client
Wireless LAN Service
XPS Viewer

Type: Desktop ADF (Automatic Document Feeder) / flatbed scanner
Document feeding: Automatic sheet feeding / flatbed
Document size*1: Width: 139.7 – 304.8 mm (5.5 – 12 in.); Length: 128 – 432 mm (5 – 17 in.)
Document thickness*2: B&W documents (Simplex): 0.06 – 0.15 mm, 42 – 128 g/m2; B&W documents (Duplex): 0.07 – 0.15 mm, 50 – 128 g/m2; B&W/Color documents (Mixed): 0.07 – 0.15 mm, 50 – 128 g/m2; Color documents: 0.08 – 0.15 mm, 64 – 128 g/m2
Feeding capacity*2: 100 sheets (A4/LTR)
Scanning element: 3-line CCD
Light source: Xenon lamp
Scanning modes: Simplex / Duplex; Black and White, Advanced Text Enhancement, Error Diffusion; Grayscale (8-bit); Color (24-bit); Resolution: 100 dpi • 150 dpi • 200 dpi • 240 dpi • 300 dpi • 400 dpi • 600 dpi
Scanning speed (A4/LTR, Landscape, 200 dpi): Black and White: 70 ppm (Simplex), 36 ipm (Duplex); Grayscale: 70 ppm (Simplex), 36 ipm (Duplex); Color: 70 ppm (Simplex), 36 ipm (Duplex)
Interface: SCSI-III / Hi-Speed USB 2.0
Scanner driver: ISIS / TWAIN
Application software: Canon CapturePerfect
Useful functions: Automatic Paper Thickness Adjustment, Batch Separation, Border Removal, Color Dropout, Deskew, Job Function, Gamma Correction, MultiStreamTM, Page Size Detection, Skip Blank Page, Text Orientation Recognition
Power requirements: AC120V, 60Hz; AC220 – 240V, 50/60Hz
Power consumption: 150W or less (Energy Saving Mode: 12W or less)
Operating environment: 15 – 30°C (59 – 86°F), 25 – 80% RH
Dimensions (W x D x H): 575 x 602 x 300 mm (22.6 x 23.7 x 11.8 in.)
Weight: Approx. 33.6 kg (74 lb.)
Options/Consumables: Please refer to the back cover of this brochure.
