[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sun, 14 Jan 2007 17:29:36 -0600

I've told them it's insane, but they're echoing stuff that's in ISA UE
documentation. It adds needless complexity and no additional security,
which is what I've told them hundreds of times, but who am I to tell
them anything?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Sunday, January 14, 2007 5:01 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Maybe you can give Network Engines a good kicking about this recommendation in their documentation then! :-)

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 14 January 2007 22:33
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

No, I think it's absurd -- they're kowtowing to the Syphco rep trained port-opener "network guys".

There is no additional security conferred IMHO.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Sunday, January 14, 2007 4:07 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Jim/Tom,

I noticed that quite a lot of the ISA firewall appliance vendors promote the "ISA in a new forest, with a one way trust to the existing forest" model. Do you have the same view on this?

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 14 January 2007 16:53
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

No; the Exch team (or certain author-wannabes, anyway).

I tech-reviewed three Exch-created docs last year and without exception, they all carried this verbal virus with them.

It's an incredible fight to get this removed and I have to admit that I haven't been entirely successful.


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Sunday, January 14, 2007 8:36 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

You mean the ISA UE is pushing the domain=bad crapola? How do you tell a secure EAS publishing story without it?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, January 13, 2007 9:48 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

They do ask; they just don't listen.

I was asked to review a doc on EAS via ISA that's coming out soon and couldn't get them to drop the "ISA as domain member == bad" mantra...


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Saturday, January 13, 2007 3:46 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Can't believe they just make their own decisions on terminology/security architecture rather than asking the ISA product team for advice on what they should be saying....maybe that is just me being incredibly naive though ;-)


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: 13 January 2007 17:32
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

However, one thing I DON'T want to get back to is the "single model" DMZ -- because the entire point of this conversation is that there is a heterogeneity of DMZs and that the problem with the Exchange team is that they didn't understand this in the first place. :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Saturday, January 13, 2007 11:23 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

It's interesting how the canaille misinterprets the term DMZ, like they do for most things :)

Think about the Korean DMZ -- is that really a "free for all" place? Or one of the most monitored and secured areas in the world, where nothing happens without someone knowing about it almost immediately?

That's what you get when the Syphco reps teach a generation of "port openers"....

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, January 12, 2007 5:51 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Interesting... Probably a good idea for us to actually articulate what we really mean when we say DMZ.

I guess to some it means "free for all network" but for me, it should be the network where you have the most restrictive policies controlling each service so that it is obvious when malicious traffic hits the wire. Thoughts?

t

On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:

That's what I thought, now it's what I know....

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, January 12, 2007 6:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Aside from normal router & switch ACLs, ISA is the single line of defense.
"..we don't need no stinking DMZs"

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Friday, January 12, 2007 12:12 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Ahh...just had a thought.

It's all labeling.

Jason, and others (not Jason's fault), have been using the term DMZ.

Historically, is the term DMZ not taken literally as being completely firewalled off from the trusted networks, and what Jason is talking about is trusted network segmentation?

I betcha that's why the Exchange team don't support it...they think it's a typical run of the mill DMZ...

Jim, isn't MS's Internal network segmented by using ISA?? Including your mail servers?

S

All mail to and from this domain is GFI-scanned.
