Question : ISA Server and Cisco equipment -- will it work/help?

Just for background, we have a copy of ISA server 2006 in a box over there on the shelf. We are also about to deploy a new web server running WS 03 Web Edition. We have also recently invested in some security hardware including a Cisco ASA 5505. We are a small web development company that has a few government clients -- federal and state stuff mostly. We have 5 employees who all access our file server and current web server daily by using windows file sharing.

My question is if I deploy an ISA server on our network, will it offer IPS functionality to stop port spoofing and other such attacks that can't be detected without an IPS system (aka that pass through the ASA)? We had looked into getting a Cisco IDS Sensor (which is what is supposed to stop this kind of attack, right?), but it is roughly $7,000 USD for the lowest, basic model. Is there any point in using ISA? Will adding an ISA server help at all or will it just complicate things and make the network harder to manage? Does it sound like it could help? Also, I'd be worried about the ISA server being compromised too... is it safe to put an ISA server in right after the Cisco ASA but before our network switches? Can our router work through ISA? Will the VPN clients that connect to the ASA be able to access the rest of the network? Will that "absorb" any attacks that come through or is this something that can't be avoided? Sorry about the questions... there are just so many variables and unknowns!

Basically, information on where to put an ISA into the network and if it will actually help us is what I'm getting at. We're trying to lock down big time. We had a break in and they stole an entire web app that we were making for a client, so we're going to have to start from the ground up on the app for security reasons. Thanks!

Answer : ISA Server and Cisco equipment -- will it work/help?

OK.

ISA is installed on a server with an appropriate operating system installed and patched in advance. Windows 2003 is fine for the purpose. ISA 2004 or 2006 does not run on a 64-bit operating system - it needs to be 32-bit. Do NOT install ISA on a DC; it should be a member server only.

Yes, it is best practice to have ISA on a dedicated server that is then hardened down and runs no other services. Its job is to provide protection. Anything else you put on the box will need additional ports etc. opening and additional overhead; this is completely at odds with your stated requirements. If this means buying a new copy of the OS for that server, it is little cost against the cost of your compromised data.

Yes, you can feel extremely confident with that combination. Neither ISA nor ASA has had any known security breaches. This, of course, is assuming that the systems have been configured correctly. If you open inappropriate ports then you take the risks associated.

ISA server is an application running on a Windows server in the domain. Users do not connect to the ISA server directly so the CALs you have purchased cover you. ISA is licensed by processor based on its host machine.

ISA is managed by a GUI installed as part of the installation. Its basis is that you tell ISA server what IP addresses are inside on the secure side. Anything not listed will be treated as external. By configuring the ISA System Policy you can allow other servers to control the ISA through the MMC snap-in - you need to run the ISA install on the server concerned and just select to install the management console. The preferable way is to just RDP onto the ISA server internally and do it that way. ISA also produces fantastic reports for usage, utilisation, traffic, top users etc.

ISA server will manage thousands of connections simultaneously. The 10-user limit you speak of applies to workgroup-type scenarios where users actually log on to a device. This does not apply with ISA as the users are not logging into the box; they have logged on to the domain.

No issue having the kit installed on the same vlan together.
