[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 16 Jan 2007 08:54:20 -0500

Gee you guys fell silent all of a sudden. Problem solved?

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Mon 1/15/2007 10:27 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


Right you are...  The analogy fits when you use "comparative logic" as opposed 
to just thinking of the zone in singularity... Compared to the areas on either 
side of the DMZ, it should be easy to discern any activity at all in the DMZ 
itself, particularly hostile activities.  There are strict policies about what 
can go on in the Korean DMZ, as there should be in one's network DMZ.   
Internet traffic is chaotic, and I don't even bother trying to determine what 
is going on out on my Internet segment; I can't control it anyway (other than 
my policy of implementing router ACLs to match inbound/outbound traffic 
policies at my border router).  Internal traffic isn't chaotic, but it is hard 
to monitor for "hostile" packets given the sheer volume and type of traffic 
being generated by internal users, servers, services, etc. to any number of 
different hosts and clients.  But in the DMZ, you should be able to immediately 
notice when something out of the ordinary is going on.  For instance, if I see 
POP3 logon traffic, I know something is FUBAR, as I don't support POP3 in my 
DMZ at all.  If I see modal enumeration by way of a null session, I know 
something is going on.  Etc., etc. 

So, to me, it fits, and that is the term I choose to use.  I won't be changing 
;)

t


On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:



        The DMZ in Korea itself isn't crawling with military.  Either side of 
it is, ensuring that the definition of a demilitarized zone is observed and 
maintained.  Before the advent of DMZs in networking, a DMZ meant an area from 
which military forces, operations, and installations were prohibited.  
Essentially, it's a wide empty area that constitutes a border with forces on 
either side pointing guns into it.
         
        I've always thought the adaptation of the acronym to the world of 
networking a bit strange.  "Oh!  We got activity in our networked DMZ!  Kill 
it!" :-)
        
        
        Cordially yours,
        Jerry G. Young II
        Product Engineer - Senior
        Platform Engineering, Enterprise Hosting
        NTT America, an NTT Communications Company
         
        22451 Shaw Rd.
        Sterling, VA 20166
         
        Office: 571-434-1319
        Fax: 703-333-6749
        Email: g.young@xxxxxxxx
         
        
        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
        Sent: Sunday, January 14, 2007 7:08 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        
        That's what it means to me too. Can't see the Korean no man's land as 
qualifying as a DMZ when it's crawling with military. 
        
         
        
        In this conversation we have to take into consideration that CAS also 
includes the capability to provide access to folders and files right in OWA. 
This may be the thing that the Exchange team thinks throws a monkey wrench into 
the secure deployment of CAS in a DMZ. 
        
          

        
________________________________


        
        From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
        Sent: Sat 1/13/2007 6:46 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        For me, DMZ means scary place completely untrusted, perimeter network 
means less scary place trusted to a degree, but strongly controlled
        

        
________________________________


        
        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: 12 January 2007 23:51
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        Interesting... Probably a good idea for us to actually articulate what 
we really mean when we say DMZ.
        
        I guess to some it means "free for all network" but for me, it should 
be the network where you have the most restrictive policies controlling each 
service so that it is obvious when malicious traffic hits the wire.  Thoughts?
        t
        
        
        On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
        That's what I thought, now it's what I know....
         
        
        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Friday, January 12, 2007 6:35 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Aside from normal router & switch ACLs, ISA is the single line of 
defense.
        "..we don't need no stinking DMZs"
         
        
        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Friday, January 12, 2007 12:12 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        Ahh...just had a thought.
         
        It's all labeling.
         
        Jason, and others (not Jason's fault), have been using the term DMZ.
         
        Historically, is the term DMZ not taken literally as being completely 
firewalled off from the trusted networks, while what Jason is talking about is 
trusted network segmentation?
         
        I betcha that's why the Exchange team don't support it...they think 
it's a typical run of the mill DMZ...
         
        Jim, isn't MS's internal network segmented by using ISA?? Including your 
mail servers?
         
        S 

        All mail to and from this domain is GFI-scanned. 
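The "strict policy, so anything unexpected stands out" view of a DMZ that Thor describes above (POP3 logons or a null session showing up on a segment that only publishes OWA and SMTP) is easy to turn into a simple log check. The script below is an added example and is not code from the thread or from ISA Server; the DMZ address space (192.0.2.0/24), the internal range (10.0.0.0/8), the two published listeners, the permitted relay path and the flow log lines are all constructed for illustration.

```python
"""
Added example (not from the thread): audit flow records against a strict
DMZ allow-list. Anything that touches a DMZ host but is not on the list is
reported, which is the point made above: on a tightly policed segment,
POP3 or SMB traffic is by definition an anomaly. All addresses, policy
entries and log lines are hypothetical.
"""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "ts proto src sport dst dport")

# Hypothetical address plan.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# The only services policy allows anyone to reach on DMZ hosts.
ALLOWED_LISTENERS = {
    ("192.0.2.10", "TCP", 443),   # published OWA / ActiveSync
    ("192.0.2.20", "TCP", 25),    # inbound SMTP relay
}
# The only connections DMZ hosts may originate themselves.
ALLOWED_EGRESS = {
    ("192.0.2.20", "TCP", "10.1.1.5", 25),   # relay hands mail to the internal hub
}

# Port names used only to make findings readable.
SERVICE_NAMES = {25: "SMTP", 110: "POP3", 139: "NetBIOS", 443: "HTTPS", 445: "SMB"}

# Constructed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_flow(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))


def service(proto, port):
    return f"{proto}/{port} ({SERVICE_NAMES.get(port, 'unknown')})"


def classify(flow):
    """Return None if the flow fits DMZ policy, otherwise a reason string."""
    src_in_dmz = ipaddress.ip_address(flow.src) in DMZ_NET
    dst_in_dmz = ipaddress.ip_address(flow.dst) in DMZ_NET
    if dst_in_dmz:
        if (flow.dst, flow.proto, flow.dport) in ALLOWED_LISTENERS:
            return None
        return f"unexpected {service(flow.proto, flow.dport)} to DMZ host {flow.dst}"
    if src_in_dmz:
        if (flow.src, flow.proto, flow.dst, flow.dport) in ALLOWED_EGRESS:
            return None
        where = "into the internal network" if ipaddress.ip_address(flow.dst) in INTERNAL_NET else "outbound"
        return f"DMZ host {flow.src} initiating {service(flow.proto, flow.dport)} {where} to {flow.dst}"
    return None  # neither end is in the DMZ; not this check's concern


def audit(lines):
    """Return a list of (timestamp, reason) for every flow that violates policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue          # skip unparseable lines rather than guess
        reason = classify(flow)
        if reason:
            findings.append((flow.ts, reason))
    return findings


# Constructed sample log: two legitimate hits, one POP3 logon attempt, one
# SMB (null-session style) probe, one permitted relay, one DMZ host reaching
# into the internal network, and one junk line.
SAMPLE_LOG = [
    "2007-01-15T10:27:01 TCP 203.0.113.5:51234 -> 192.0.2.10:443",
    "2007-01-15T10:27:02 TCP 198.51.100.7:40211 -> 192.0.2.20:25",
    "2007-01-15T10:27:03 TCP 203.0.113.9:40012 -> 192.0.2.10:110",
    "2007-01-15T10:27:04 TCP 203.0.113.9:40013 -> 192.0.2.10:445",
    "2007-01-15T10:27:05 TCP 192.0.2.20:33001 -> 10.1.1.5:25",
    "2007-01-15T10:27:06 TCP 192.0.2.10:33002 -> 10.1.1.20:445",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_LOG):
        print(ts, reason)
```

The allow-list is deliberately keyed on destination host and port rather than on "known bad" ports: the segment is defined by what it is permitted to do, so the detector has nothing to learn and nothing to tune, and a new listener on a DMZ host shows up the first time anyone talks to it. The egress check matters as much as the ingress one, since a compromised DMZ host opening connections toward the internal range is exactly the traffic the design exists to make visible.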