[isalist] Re: New Articles on Tales

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 16 Aug 2009 09:48:58 -0700

http://www.ISAserver.org
-------------------------------------------------------

As usual, you prefer to cherry-pick than read.
I'm not arguing that Exch Edge "should" be a DM; rather that it *can* be a DM 
and still meet the business and security needs of the deployment.  In fact, 
many of the same arguments Tom offers in his "ISA as a domain member" article 
apply equally to the Exch Edge deployment; management, patching, access 
controls, etc...

Perhaps it was poorly stated in my initial response, but my argument is with 
those who "always" or "never".  There are exceptions to every "rule" and many 
of those with good reason.  Anyone who proposes that "this is always better" 
ignores the requirements and limitations of the environment and business needs 
and thus serves their customers poorly.

For instance, while I strongly dislike the SBS deployment model (much prefer 
the EBS model for small business), there are valid business reasons to deploy 
it; most of them dictated by $$.  In the EBS deployment, your edge server is a 
DM and is as secure as it can be, given the goals of the typical EBS deployment.

To your comparison of ISA and TMG as DM, while offering AD-focused features, 
they also provide features targeted at those deployments where the 
firewall/proxy is not a domain member. These were added to serve the 
non-DM-minded folks; whether they be TFHC or DiD.  In fact, the majority of 
comments received by the FF Edge team arguing against placing a DM at the edge 
were not reasoned, DiD-based discussions, but rather "the security team says 
'NO FREAKIN WAY!!!' and they won't discuss alternatives". Since MS is a 
profit-based company and profit is negatively affected by a lack of sales, we 
tend to remove sales blockers, even if the blocker is based on unreasoned 
requirements. I fight this on a daily basis.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Sunday, August 16, 2009 9:05 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

You are the only one who said "must always" or "must never," no one else... But 
I notice that a lot when people find they must inject superlatives in order to 
prop up manufactured straw man arguments. 

And yes, you got me.  I clearly number myself among the "knee-jerk deployment 
methodology crowds." :/

It's sad that your reaction actually speaks more for my point than your 
argument, but I'm used to that.  I'm sure you'll come back with something 
"clever" (positioned as a postulate) that dances all around the non-point 
you're not making, but I'm used to that too.

I find it funny that the PM of a MSFT security product would call those who 
choose to deploy DMZ/edge assets in a more secure manner when it is not 
necessary a "tinfoil hat crowd." Is it too much Kool-Aid, or not enough meds?

Why not share with the rest of the class the pressing reasons to deploy an 
Exchange Edge role on a domain member rather than an isolated WG?  Feel free to 
manufacture whatever deployment scenario suits your needs in order to 
substantiate the point you are trying to make. And try to stay focused... terms 
like "irrational, knee-jerk, tinfoil hat, sadly, and cookie-cutter" just take 
away from the point you are failing to make.

ISA/TMG as a domain member provides tangible authentication benefits, and is a 
"requirement" for most of that functionality. This is not the case with Edge. 
As such, I'm looking forward to your list of reasons why one should deploy 
Exchange Edge as a DM, and how that can increase (or even maintain) the same 
security posture as WG mode for that role.

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 8:27 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

DiD is not satisfied by cookie-cutter deployment methodology, nor will the 
*required* threat modeling be defined, much less understood.
Anyone who tells you that you "must always" or "must never" with regard to any 
computer deployment is failing to do what we have both stated - perform a 
threat model based on the environment and business needs. Sadly, the Exchange 
team has historically contributed to this irrational mindset.
Even Tom's extreme dislike for the "hork-mode sandwich" is tempered with "it's 
your choice, but..."
I thought I knew you better than this, but if you number yourself among the 
knee-jerk deployment methodology crowd, well; feel free to feel insulted.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Sunday, August 16, 2009 8:14 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

It is *hardly* a tinfoil hat crowd.  It's called "security in depth" and "least 
privilege."  The local ADAM instance provides the necessary functionality to 
the edge role server, thus reducing some of the REAL threats and the perceived 
benefit of making it a domain member. Exchange Edge doesn't "support" WG 
membership, it is specifically designed to provide that functionality based on 
"real world" issues that are present in true enterprise topologies.

Do whatever you want to do to suit your needs, but don't call people who have 
to consider the security ramifications of infrastructure designs beyond "mom 
and pop" as "tinfoil hat crowd."  It's insulting.

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 7:32 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

There is no "always" or "never" to either of them. It's situational and 
requires that the deployment team perform their own threat modeling.
Exchange supports placing the edge role on a WG server to appease the "no 
domain members at the edge" tinfoil hat crowd, but when you combine it with 
TMG, the attack surface and thus the perceived threat of having the Exch edge 
role as a domain member is greatly reduced; even over that offered by Windows 
Firewall policies.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Han Valk
Sent: Saturday, August 15, 2009 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

As far as I know Exchange Edge is to be installed on a workgroup server while 
TMG does its best job when domain joined. So this is a bit of a contradiction 
to me. I would love to see guidance from Microsoft on that. Maybe this can be 
added to the Q&A in Understanding Email Protection on TMG.

Han.


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 00:35
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] New Articles on Tales
> 
> http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-
> edge-articles.aspx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx