[isalist] Re: Virtualising ISA

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 26 Aug 2008 13:20:05 -0700

http://www.ISAserver.org
-------------------------------------------------------

That's only so much FUD.
If you apply the same security procedures to the virtual ISA as you do to a 
physical ISA, it has no more chance of being "popped" than does a physical 
server.
As far as the threat resulting from a "popped" guest, if it has access that 
much to the parent or other guests, "getting popped" is the least of your 
worries.

IOW, don't make it out to be more than it is, but by the same token, know what 
you're doing when you do it.
Keep your eyes here: 
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687298.aspx; the 
article just "went live", but propagation may take a day.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of John Wilson
Sent: Tuesday, August 26, 2008 10:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

I guess to put it in simpler terms, the point I was trying to make is that for 
the ISA firewall facing the outside world, I'd always prefer a physical box. If 
it gets popped, then it gets popped and the firewall wasn't locked down 
correctly. The attacker has to still advance to the next box. However, if the 
host OS gets popped, that's a different story. The attacker then essentially 
owns the guest OS too. Much higher stakes.

Sincerely,

John C. Wilson

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 1:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Well...

I suppose it comes down to the scenario and requirements of the company.

A case might be able to be made using Server 2008 Core with Hyper-V (which 
should be very well hardened) for a highly available web solution encapsulated 
in a Server 2008 Core Failover Cluster.

As a hosting provider, I can see the potential for a service offering that 
includes a full "pod" of virtual servers.  As a hosting customer, having direct 
control over firewall policies may have appeal.

I think the same argument could be made for ESX Server, too, since it is a 
hypervisor and so has a very small attack surface (if any?).

I'm taking a stab in the dark answering your question (and may be reaching) but 
this is what I thought of. ;)

On 8/26/08, John Wilson <John@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

A little off topic here, but to me the question isn't necessarily whether or 
not the ISA Server is supported in a virtual environment, but whether you would 
really *want* to do that. If a virtual host platform (be it Microsoft Hyper-V, 
ESX, or Virtual Server 2005) has an ISA virtual machine, then you have a NIC 
connected either directly or indirectly to what ISA considers the outside world 
(either directly to the ISP, or to the Cisco router connected to the ISP, or 
what have you). Even with VLANs that concept would make me extremely nervous.

The only way I would validate an ISA virtual machine would be if the ISA server 
was only acting in Web proxy mode behind other firewalls for general security, 
or if the ISA virtual box was the second box in a chained or back-to-back 
config. It's just that in a virtual environment, you'd have to worry about 
hardening the host and Guest OS.

However, you guys may be more experienced than I and have a different 
perspective. Correct me if I'm wrong.

Sincerely,

John C. Wilson

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 12:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Doncha just love arguing semantics? :)

My problem with linking the SVVP page (or even 944987) to this KB Article: The 
KB Article topic is supported virtualization environments.  I see it as guilt 
by association.

I just don't think it is 1) realistic or 2) practical to assume that the 
majority of readers who are looking for a statement of support are going to dig 
to the level required to understand that a non-Microsoft virtualization 
environment is not supported for any of the applications listed.

A simple statement as an additional note at the end of the introduction section 
that states something like, "At this time, the applications listed in this KB 
Article are only supported on Hyper-V; non-Microsoft virtualization 
environments are not supported.  As this changes, updates will be reflected." 
would really make this discussion go away. ;)

It's like being told to read the fine print: we all know we have to but are 
irritated that it can't just simply be put forth up front because of the 
frustration it causes.

You're right, though.  The reader should take enough of an interest to fully 
understand what's written.  That's simple due diligence.  I'm just saying make 
it easier to do so. :)

On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:


While it's true that the burden of communication rests primarily with the 
speaker, some of the responsibility rests with the listener (reader) to 
actually absorb the content.  If you're only looking for keywords and -phrases, 
you'll find what you seek.

In fact, this is stated on the SVVP page; which coincidentally, is the 
reference point for the SVVP program.  This is why only Hyper-V is listed in 
this KB.  The last thing we need is multiple places to clean up when (not if) 
the support statement changes for the various 3rd-party virtualization 
offerings.
SVVP is the primary place to go and this is why it's "linked to" from that KB.


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 7:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Jim,

"Right now, there are *_NO_* validated non-MS platforms."

This is what needs to be clearly stated.  Again, depending on how you read it, 
a user may not get this.  My point is really simply that; when specifically put 
forth in the same way you just put it, there's no room for argument.  My guess 
is a lot of users out there will read into this the same way I did 
(optimistically), or worse yet, move forward thinking that support will come, 
only to run into an issue with said support when a problem occurs that requires 
it.  At the end of the day, fair or not, Microsoft gets the black eye.  By 
making it clear (without having to dig through links and guess at implied 
statements) upfront, I think greater value and service to the customers is 
provided.


On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:


       It's only misleading if you read into it.  Let's take each bullet in 
turn:

       *       Windows Server 2008 with Hyper-V
       *       Microsoft Hyper-V Server 2008
       [Jim] - ok; we'll take two at a time.  Hyper-V Server and Windows 2008 
with Hyper-V are the same thing from the guest OS perspective and ISA is 
supported there.

       *       Supported partners' virtualization software
              For more information, click the following article number to view 
the article in the Microsoft Knowledge Base:
              944987 (http://support.microsoft.com/kb/944987/) Support partners 
for non-Microsoft hardware virtualization software
       [Jim] This article doesn't list supported virtualization products.  It 
lists virtualization support partners.  Novell has signed on to help provide 
support for non-MS virtualization; nothing more.  The bullet title in this 
article is misleading, but the article linked to is not.

       *       Server Virtualization Validation Program (SVVP)
              For more information, visit the following Microsoft Web site:
              http://www.windowsservercatalog.com/svvp/ 
(http://www.windowsservercatalog.com/svvp/)
       [Jim] - go read this link.  Right now, there are *_NO_* validated non-MS 
platforms.  Therefore, there are no supported 3rd-party hardware virtualization 
products (yet).  Therefore, no Microsoft products are supported on 3rd-party 
virtualization.  The vendors listed on that site are "participating"; their 
products *_have not_* completed testing.

       Jim

       -----Original Message-----
       From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Jerry Young
       Sent: Tuesday, August 26, 2008 7:02 AM
       To: isalist@xxxxxxxxxxxxx
       Subject: [isalist] Re: Virtualising ISA

       Jim,

       Then the KB Article 957006 is extremely misleading. :(

       Here's an excerpt (in full) taken from the Introduction section.

       This article discusses the support policy for running Microsoft server 
software in the following supported virtualization environments:


       *       Windows Server 2008 with Hyper-V
       *       Microsoft Hyper-V Server 2008
       *       Supported partners' virtualization software
              For more information, click the following article number to view 
the article in the Microsoft Knowledge Base:
              944987 (http://support.microsoft.com/kb/944987/) Support partners 
for non-Microsoft hardware virtualization software
       *       Server Virtualization Validation Program (SVVP)
              For more information, visit the following Microsoft Web site:
              http://www.windowsservercatalog.com/svvp/ 
(http://www.windowsservercatalog.com/svvp/)

       In my interpreted version of this statement into layman terms, I read it 
as saying all of the bulleted environments are supported; specifically, any 
environment that is part of the Server Virtualization Validation Program.

       If you visit that page, VMWare, Inc. is listed as a participating 
vendor.  If you then visit the Support link from that page, the first sentence 
states, "Technical support will be available for customers running a Windows 
Server operating system on a validated third-party hypervisor."  Since ESX 
Server is a hypervisor and participation implies (at this time, based on 
language) validation, the support statement does appear to be transitive.

       I could not find anything specifically stating that the applications 
identified in the KB Article are only currently being supported in Hyper-V 
virtualized environments.

       If Microsoft is going to withhold support of the applications identified 
in the KB Article on other vendors' virtualization environments, then some kind 
of language should be used indicating that such support is pending [insert 
qualifier].

       Just my $0.02 worth.

       On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:


              That KB lists the products that are supported on Hypervisor.
              Greg's question was specific to VMWare ESX.

              This will be a very sticky question and 
http://support.microsoft.com/kb/897615/ provides the support limits.

              -----Original Message-----
              From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
              Sent: Tuesday, August 26, 2008 3:46 AM
              To: isalist@xxxxxxxxxxxxx
              Subject: [isalist] Re: Virtualising ISA

              Greg,

              ISA Server is supported.

              See the following KB Article for the full details on all 
supported virtualized applications from Microsoft.

              http://support.microsoft.com/kb/957006

              On 8/26/08, Greg Mulholland <greg@xxxxxxxxxxxxxx> wrote:


                     Jim and/or others

                     Is there an official standpoint from MS as to supported 
requirements for ISA virtualised in production environments? (specifically ESX)

                     Cheers

                     Greg
                     ------------------------------------------------------
                     List Archives: //www.freelists.org/archives/isalist/
                     ISA Server Newsletter: 
http://www.isaserver.org/pages/newsletter.asp
                     ISA Server Articles and Tutorials: 
http://www.isaserver.org/articles_tutorials/
                     ISA Server Blogs: http://blogs.isaserver.org/
                     ------------------------------------------------------
                     Visit TechGenix.com for more information about our other 
sites:
                     http://www.techgenix.com <http://www.techgenix.com/>
                     ------------------------------------------------------
                     To unsubscribe visit 
http://www.isaserver.org/pages/isalist.asp
                     Report abuse to listadmin@xxxxxxxxxxxxx

              --
              Cordially yours,
              Jerry G. Young II
              Microsoft Certified Systems Engineer
       --
       Cordially yours,
       Jerry G. Young II
       Microsoft Certified Systems Engineer
--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
