Re: [isapros] Re: ISA, Exchange 2007 and Perimeter Networksinterested in their reasoning Jim. doesnt it pain you to have two different carts being pulled by basically the same horse? "bring out ya dead" ----- Original Message ----- From: Jim Harrison To: isapros@xxxxxxxxxxxxx Sent: Sunday, January 14, 2007 2:47 PM Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks They do ask; they just don't listen. I was asked to review a doc on EAS via ISA that's coming out soon and couldn't get them to drop the "ISA as domain member == bad" mantra. From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones Sent: Saturday, January 13, 2007 3:46 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks Can't believe they just make their own decision terminology/security architecture rather than asking ISA product team for advise on what they should be saying....maybe that is just me being incredibly naive though ;-) ------------------------------------------------------------------------------ From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: 13 January 2007 17:32 To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks However, one thing I DON'T want to get back to is the "single model" DMZ -- because the entire point of this conversation is that there is a heterogeniety of DMZs and that the problem with the Exchange team is that they didn't understand this in the first place. :) Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) ---------------------------------------------------------------------------- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder Sent: Saturday, January 13, 2007 11:23 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks It's interesting how the canaille misinterprets the term DMZ, like they do for most things :) Think about the Korean DMZ -- is that really a "free for all" place? Or one of the most monitored and secured areas in the world, where nothing happens without someone knowing about it almost immediately? That what you get when the Syphco reps teach a generation of "port openers".... Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) -------------------------------------------------------------------------- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Friday, January 12, 2007 5:51 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks Interesting... Probably a good idea for us to actually articulate what we really mean when we say DMZ. I guess to some it means "free for all network" but for me, it should be the network where you have the most restrictive policies controlling each service so that it is obvious when malicious traffic hits the wire. Thoughts> t On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all: That's what I thought, now it's what I know.. From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Friday, January 12, 2007 6:35 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks Aside from normal router & switch ACLs, ISA is the single line of defense. "..we don't need no stinking DMZs" From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Friday, January 12, 2007 12:12 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks Ahh.just had a thought. It's all labeling. Jason, and others (not Jason's fault), have been using the term DMZ. Historically, is the term DMZ not taken literally as being completely firewalled off from the trusted networks, and what Jason is talking about is trusted network segmentation. I betcha that's why the Exchange team don't support it.they think it's a typical run of the mill DMZ. Jim, isn't MS's Internal network segmented by usin ISA?? Including your mail servers? S All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned.