[isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Thu, 11 Jan 2007 00:35:38 -0000
Sorry t - the quote in my last post should have been from you, and not
Steve. Thought I was going mad until you posted!
Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile:
+44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
________________________________
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: 11 January 2007 00:26
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
Because it's safer that way, that's why... That's what an authenticated
access DMZ perimeter is for- with a CAS server that presents logon
services to any Internet user, I would (and, in fact, require) that the
server be in a least-privileged authenticated access perimeter network
that limits that servers communications to the minimum required for
required functionality - and only to the hosts it needs to talk to.
Let's say there is a front-end implementation issue or coding
vulnerability: the CAS on the internal network would allow unfettered,
full-stack access to the internal network. A CAS in a perimeter DMZ
would mitigate potential exposure in the event of a 0day or
configuration issue.
"Safer on the internal network" is a complete misnomer when it comes to
servers presenting services to an untrusted network.
t
On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
Why would you want to place a member of your internal domain in
your DMZ, fer chrissakes?!?
Hosting any domain member in the DMZ is a difficult proposition;
especially where NAT is the order of the day.
You can either use a network shotgun at your firewall or attempt
to use your facvorite VPN tunnel across the firewall to the domain.
Jim
________________________________
From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
Sent: Wed 1/10/2007 2:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
From what I can gather, the new CAS role now uses RPC to
communicate with the back-end (not sure of new name!) servers so I am
guessing that this is an "RPC isn't safe across firewalls" type stance.
Which I guess for a PIX, is a pretty true statement.
Just think how much safer the world will be when firewalls can
understand dynamic protocols like RPC...maybe one day firewalls will
even be able to understand and filter based upon RPC interface...maybe
one day... :-D ;-)
Shame the Exchange team can't see how much ISA changes the
traditional approach to DMZ thinking...kinda makes you think that both
teams work for a different company :-(
Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 |
Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
<mailto:jason.jones@xxxxxxxxxxxxxxxxx>
________________________________
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: 10 January 2007 22:07
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
I seriously hope that they have take different paths and these
are not limitations on the software or it is going to mean a nice little
redesign and break from custom..
Greg
----- Original Message -----
From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
<mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
To: isapros@xxxxxxxxxxxxx
Sent: Thursday, January 11, 2007 8:25 AM
Subject: [isapros] ISA, Exchange 2007 and Perimeter
Networks
Hi All,
I heard today from an Exchange MVP colleague that
members of the Exchange team (Scott Schnoll) are saying that they
(Microsoft) do not support placing the new Exchange 2007 Client Access
Server (like the old Exch2k3 FE role) role into a perimeter network. Has
anyone else heard the same? This sounds very similar to Exchange admins
of old when they didn't really understand modern application firewalls
like ISA could do - RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse
_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rn
um=2&hl=en#4db165c21599cf9b
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+i
sa&rnum=2&hl=en#4db165c21599cf9b>
<http://groups.google.co.uk/group/microsoft.public.exchange.design/brows
e_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&r
num=2&hl=en#4db165c21599cf9b>
I have just about managed to convince Exchange
colleagues (and customers) of the value of placing Exchange FE servers
in a separate security zone from BE servers, DC's etc and now I here
this...
Are the Exchange team confusing the old traditional
DMZ's with what ISA can achieve with perimeter networks?
From what I believe, it is good perimeter security
practice to place servers which are Internet accessible into different
security zones than servers that are purely internal. Therefore, the
idea of placing Exchange 2003 FE servers in an ISA auth access perimeter
network with Exchange 2003 BE servers on the internal network has always
seemed like a good approach. It also follows a good least privilege
model.
Is this another example of the Exchange and ISA teams
following different paths????
Please tell me that I am wrong and that I am not going
to have to start putting all Exchange roles, irrespective of security
risk, on the same network again!!!!
Comments?
Cheers
JJ
All mail to and from this domain is GFI-scanned.
Other related posts:
- » [isapros] ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
- » [isapros] Re: ISA, Exchange 2007 and Perimeter Networks