Over the last few years just about every network administrator I’ve worked with has laughed at the idea of a Microsoft firewall in an enterprise environment (at least as a front line of defence – many organisations use Microsoft ISA Server behind another firewall). When forced by the American parent company to run Check Point FireWall-1 on a Windows platform instead of a Nokia appliance server, one of my ex-colleagues in the European subsidiary of a major fashion design, marketing and retail company was disgusted; but in all honesty, a well-patched and well-managed Windows system can just as secure as a well-patched Linux one (and conversely badly patched systems are badly patched, whoever the operating system vendor).
The Common Criteria Evaluation and Certification Scheme (CCS) is an independent third party evaluation and certification service for measuring the trustworthiness of IT security products, recognised by governments in Canada, the United States, United Kingdom, Netherlands, Germany and France.
Windows 2000 Professional, Server, and Advanced Server with service pack 3 and the hotfix described in Microsoft knowledge base article 326886 has been certified for common criteria evaluation assurance level (EAL) 4+; and ISA Server 2000 with service pack 1 and feature pack 1 (in firewall mode) has EAL 2 certification. According to Microsoft, Windows XP with service pack 2, Windows Server 2003 with service pack 1 and ISA Server 2004 are all undergoing EAL 4+ certification at present.
In addition, ICSA Labs tests firewall products against a standard yet evolving set of criteria and Microsoft ISA Server 2000 with service pack 1 running on Windows server 2000 with service pack 4 has been certified by ICSA. As a side note, for anyone looking at the area of firewalls, the ICSA firewall buyer’s guide is worth a read.
So it seems that a Windows server can be secure enough to run a firewall; and that Microsoft’s firewall product is also pretty secure. EAL 2 might not be the highest certification level, but if ISA Server 2004 achieves EAL 4+, then maybe all of those network administrators’ minds can be put to rest.
Back in October 2005, Steve Lamb reported that ISA Server 2004 did achieve EAL4+ common criteria.