RE: Anti-virus on Exchange

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Feb 2005 21:28:34 -0600

Hi Danny,

What if your box is compromised? What if the sky fell? I field this type
of question every day, but the fact is that the Windows OS is NOT NOT
NOT an issue. If the ISA firewall is properly configured, it's as secure
as any so-called hardware firewall. Period, fact. However, if you can
take over a properly configured ISA firewall, and own the box, then
you've done something that no one has ever been able to do, not even
with the ISA Server 2000 box, which was nowhere as secure as the ISA
Server 2004 box.

I don't mean to "go off" on this, but the "it runs on Windows" response
from security "wankers" doesn't hold water. Prove it first, then beat me
over the head with it. All OSs are vulnerable, and just because CNET
makes a big deal of Microsoft issues, doesn't make any real difference
in the present discussion.

Just for fun, the rest is inline....
-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx] 
Sent: Tuesday, February 15, 2005 8:12 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Anti-virus on Exchange

On Tue, 15 Feb 2005 17:08:17 -0600, Thomas W Shinder
<tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
> Where is the:
> -- RADIUS based pre-authentication for OWA/OMA/ActiveSync/RPC over HTTP
> access?

RADIUS, yes. The rest is probably possible.
TOM==>Are you sure? RADIUS auth for the reverse proxy? OK, how about
built-in support for SecurID two-factor authentication? How about RADIUS
support for OWA forms-based auth, which can also be extended to support
forms-based auth for other Web sites?

> -- Where is the SSL to SSL bridging feature that prevents exploits
> being tunneled inside an SSL tunnel?

If your ISA Windows box is compromised (just last week, MS released
patches for over 60 vulnerabilities - ouch!), valid SSL sessions could
be read.
TOM==>What do you mean by "valid SSL sessions"? What is a valid SSL
session? What I'm talking about is inspecting the HTTP datastream that
is completely hidden from the firewall that doesn't perform SSL
termination and initiation. I suspect, but I don't know because I
haven't researched it, that the Fortigate performs SSL tunneling, not
SSL bridging, so you might as well drive a Mack truck through that
firewall because I can do whatever I want to your OWA/OMA/ActiveSync
sites through that tunnel, and I'll also try some RPC exploits inside an
HTTPS/RPC proxy connection too :-)

> -- Where is the forms-based authentication that generates the form at
> the firewall, so as to allow for pre-authentication, session limits,
> attachment control?

Haven't looked into it.  Attachment control? We block all executables.
TOM==> The ISA firewall can block all Windows executables, regardless of
the file extension, but you can also block based on file extension, and
on virtually any aspect of the HTTP request and response header, or
response body.

> -- Where is the per user/per group, per protocol, per server, per time
> of day, stateful filtering and stateful application layer inspection
> VPN remote access client connections?

Done and done.
TOM==> How? Can you give an example? I'm not talking about port
filtering or packet filters applied to VPN clients on a global basis,
I'm talking about granular, per user, per group, per protocol, per
server, per time of day, fine-tuned control and logging and app layer
inspection for the VPN clients. What application layer inspection is
done on the VPN clients? Can you allow full access to Exchange using the
full MAPI client to VPN users and allow them to access ONLY the Exchange
Server using MAPI/RPC and be completely protected from Blaster and
Blaster variants?

> -- Where is the stateful application layer support for Secure Exchange
> RPC publishing, so that your entire organization doesn't have to
> to OL2003, and even if they did, where is the RPC scrubbing for the
> de-tunneled connections?

What do you expect from a $500 firewall?  My initial comparison was
the BASE model Fortigate firewall.
TOM==>Fair enough. For 500 bucks, it's not a bad deal.

> In addition to that, ISA does have:
> -Anti-malware (virus, worms, etc.) protection (HTTP, POP3, SMTP, etc.)
> as part of its HTTP Security Filter at NO extra cost or licensing
> restriction

Out-of-the-box, ISA 2004 scans for brand new and old viruses?  Which
engine does it use?
TOM==>You don't need AV updates to block network worms, you just need to
know their signatures. Once a CERT announcement is made, you configure
the firewall. No additional costs. ISA doesn't have AV out of the box,

> -Grayware protection
> ISA does have this, as part of its built-in and add-on suites of
> application layer inspection filters

Add-on, then? Who provides updates to grayware and spyware definitions?
TOM==>SurfControl, WebSense and more! Or, keep track of these things
yourself and configure Access Rules and the ISA app filters yourself.

> -Signature and custom Intrusion Prevention and Protection
> I can use the built-in ISA firewall's IDS/IPS, add-on 3rd party
> or use Snort.

Who updates ISA's IDS/IPS signatures?
TOM==> If you use Snort, you do. If you use an add-on IDS/IPS, they do.

> -Anti-spam - RBL, content, etc.
> You can add this on to the ISA firewall, and includes basic SMTP
> filtering and inspection right out of the box with its SMTP Filter and
> SMTP Message Screener.

A.K.A Add-on...
TOM==>The SMTP Message Screener and SMTP filter aren't add-ons. Since
anti-spam, RBL, etc. are built into Exchange, you don't need the same
comprehensive filtering on the firewall itself, although you can if you
like. I HATE RBLs and would never use them, but I would like it if they
made ISA a bit easier to use for keyword and pattern matching blocking.

> -Email content and attachment blocking/filtering
> The ISA firewall has this right out of the box.

'bout time.

> -ActiveX, java, cookie, protection
> Again, the ISA firewall has this right out of the box. Just configure
> it!


> -Web URL and content filtering
> The ISA firewall has this right out of the box.


> -End-to-end VPN (IPSec, PPTP, L2TP, and multiple encryption level
> options) solution
> This ISA firewall also has this right out of the box, and also has VPN
> Quarantine support right out of the box.

Sweet. How about AES256?
TOM==>What do I need it for? Do you have a lot of people renting out
supercomputing time breaking your encrypted sessions? I'd worry a LOT
more about your authentication scheme than the encryption algorithm. If
AES256 is really that important, we better all bail out on using SSL
:-))  I'm very serious about the authentication method, if you're not
using certificate based or other EAP authentication, your encryption
method can be AES1024 and it won't matter. Actually AES256 doesn't
matter either, unless you're running the NSA or CIA and you have people
dedicating a significant number of resources to break into the data.

> -Client VPN software which includes firewall and anti-virus component
> Why use proprietary VPN client software when *every version of
> has a VPN client built-in. Best of all, no finger pointing when
> something goes haywire! :)

Microsoft has built-in anti-virus, egress and ingress stateful
firewall, and IPSec VPN support in *every version of Windows*?
TOM==>Yes. That's why they implemented L2TP/IPSec, which is IETF
compliant, and the haX0rEd version of IPSec remote access client
software that every vendor uses is marginally so. Regardless of that
issue, IPSec in the L2TP/IPSec is exactly what it is, except I bet the
haX0rED proprietary lock-in VPN client piece with the Fortigate doesn't
support user certificate authentication or two-factor EAP auth. If they
do, then they get TEN social credits!  :-)  That's what VPN-Q is about,
client hygiene, and with the ISA firewall's strong stateful packet
inspection and application layer inspection mechanisms, users only get
to the resources they need via the VPN link, so I don't give a rats ***
about outbound access control from the VPN client. Plus, the ISA
firewall has connection limits, so if a VPN client starts barfing
packets on the wireless, the ISA firewall shuts it down and says "bye
bye". Not bad, eh? And the VPN-Q piece is included in the box.

> -Traffic shaping
> Not included with the ISA firewall :(

Uh oh.

> -Syslog output
> ISA includes right out of the box, text logging, MSDE logging and SQL
> logging. Can get it to work with MySQL and Access if you like.

I output to syslog running a FreeBSD box. 

> -Protocol authentication
> Not sure what you mean, but I'll bet its not as comprehensive as
> if you mean that you can control user/group access to ALL protocols
> through the miracle of the Firewall client (the generic Winsock Proxy
> client)

LDAP, RADIUS, etc. authentication for specific protocol-based (HTTP,
etc.) access.
TOM==>HTTP sure, because that's HTTP 1.1 compliant Web proxy. What I'm
talking about is transparent authentication for ALL Winsock protocols,
without ever challenging a user for authentication unless you want them
to receive the challenge, and not just for HTTP Web proxy connections,
but for ALL Winsock connections.

> -VLAN support
> ISA supports this right out of the box, we're using it in a couple of
> places in production now.


> -HTTPS and SSH admin access
> ISA supports FIPS compliant encrypted RDP -- much more secure!

SSH2 works well here.

> -Support & Maintenance includes virus and attack definitions
> Same when we install GFI add-ons

No add-ons necessary here. Second year maintenance is cheap; less than
half the price of the unit.
TOM==>You got me there. We do need to pay for AV add-ons and licenses.

> -NAT or transparent mode
> The ISA firewall supports both NAT and Route relationships. No
> transparent mode though, MAC exploits are too problematic from my
> point of view to want support for this.

Fortinet has this covered in the least with IPS.

Defense in depth: NAT firewall, then a transparent one logically
behind it. Ohhh man I love it.
TOM==>Intelligent men can genuinely disagree on some subjects and both
be right and wrong. This is one of them :))

> You can also purchase the ISA firewall as a hardware appliance from
> Network Engines, RimApp and Celestix. In fact, not even Microsoft PSS
> can break into the Network Engines ISA hardware firewall, even when
> they have console access!

Do we have to bring up how many Microsoft software vulnerabilities
were exposed just last week?  And I want my border firewall running on
what? Microsoft software?
TOM==> I have NO doubt at all that not only you can, but you should.
The ISA firewall isn't ZoneAlarm for Windows, and it's not the ICF or the
Windows Firewall. It integrates at the lowest levels of the stack and
inspects traffic before theoretical "sky is falling" explanations ever
get a chance to become a glint in their daddy's eye. Again, if you can
PROVE, I mean really prove, that there is a real risk, and then carry
out that exploit on a real, properly configured ISA firewall, then I'll
turn on a dime and change my tune completely. But every time I encounter
a security wanker who says the same thing, once they're presented with
the opportunity to carry out the "sky is falling" hypothesis, they fail
miserably. I'm never surprised because I know the "but it runs on
Windows" argument is about as valid as "the earth is flat, the moon is
made of green cheese, and life is fair". While some of us might want to
believe those things, it doesn't make them true. And just believing that
security fixes for applications that network users will NEVER have
access to on the ISA firewall somehow represent problems to a correctly
configured ISA firewall is just repeating what the "groupthink" folks
like to tell each other over and over again -- which I understand,
because somehow chanting feels good, and that's what it is, a chant "it
can't be secure if it runs on Windows, it can't be secure if it runs on
Windows, it can't be secure if it runs on Windows" and chanting in
groups feels even better. That's why so many people do it. However, there
is no evidence backing up the superstition.

ISA is a great product, but for my current environments it is too
expensive up-front and in the long-term from a cost point of view and
a risk point of view.
TOM==>You know your price point better than I do, so you're absolutely right about
that. However, you are absolutely wrong about the security piece, and in
fact, you have a lower level of security than what you would have with
an ISA firewall. I KNOW that to be true.

> Fortigate does cost less, but you don't get as much either.

RPC(oh boy, ask the security experts about good ol' RPC)/HTTP/OWA
integrations aside, the Fortigate is not comparable in cost.
TOM==>Yes, I also know those "security experts". However, pin them down
on how the ISA firewall's secure Exchange RPC filter is a security risk,
and they start waving their hands, getting sweaty, and then start
chanting "it can't be secure if it runs on Windows". That makes them
feel better :-))
Good discussion! However, I've used much more time on this than
I should have! Now my wife is going to make me work doubletime tomorrow!


