[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 06:02:41 -0800

Documentation always follows the product, which is barely on the
streets.

I've seen some regarding WM6, but the basic concepts are the same.

..coming soon to a website near you...


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Monday, February 26, 2007 3:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


Hi All,

Anyone (Tim?) had chance to look at the least privilege approach with
Exchange 2007 yet?

From what I am hearing the "CAS not supported in perimeter" statement is
based more on "we haven't tested it yet" more than "we don't think it is
a good idea".

I have a few customers looking at placing the entire Exchange
architecture behind ISA (very untrusted LANs) - I have done this with
Exch2k3, but has anyone looked at this for Exch2k7?

I am guessing this is not supported either, but documentation is very
thin on the ground with reference to 2k7 and perimeter networking....

Cheers

JJ

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: 15 January 2007 15:27
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Right you are...  The analogy fits when you use "comparative logic" as
opposed to just thinking of the zone in singularity... Compared to the
areas on either side of the DMZ, it should be easy to discern any
activity at all in the DMZ itself - particularly hostile activities.
There are strict policies about what can go on in the Korean DMZ, as
there should be in one's network DMZ.  Internet traffic is chaotic, and
I don't even bother trying to determine what is going on out on my
Internet segment - I can't control it anyway (other than my policy of
implementing router ACLs to match inbound/outbound traffic policies at
my border router).  Internal traffic isn't chaotic, but it is hard to
monitor for "hostile" packets given the sheer volume and type of traffic
being generated by internal users, servers, services, etc. to any number
of different hosts and clients.  But in the DMZ, you should be able to
immediately notice when something out of the ordinary is going on.  For
instance, if I see POP3 logon traffic, I know something is FUBAR, as I
don't support POP3 in my DMZ at all.  If I see modal enumeration by way
of a null session, I know something is going on.  And etc, etc.

So, to me, it fits, and that is the term I choose to use.  I won't be
changing ;)

t


On 1/15/07 6:40 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:

The DMZ in Korea itself isn't crawling with military.  Either side of it
is, ensuring that the definition of a demilitarized zone is observed and
maintained.  Before the advent of DMZs in networking, a DMZ meant an
area from which military forces, operations, and installations were
prohibited.  Essentially, it's a wide empty area that constitutes a
border with forces on either side pointing guns into it.

I've always thought the adaptation of the acronym to the world of
networking a bit strange.  "Oh!  We got activity in our networked DMZ!
Kill it!" :)


Cordially yours,
Jerry G. Young II
Product Engineer - Senior
Platform Engineering, Enterprise Hosting
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Sunday, January 14, 2007 7:08 PM
To: isapros@xxxxxxxxxxxxx
Subject: RE: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


That's what it means to me too. Can't see the Korean no man's land as
qualifying as a DMZ when it's crawling with military.

In this conversation we have to take into consideration that CAS also
includes the capability to provide access to folders and files right in
OWA. This may be the thing that the Exchange team thinks throws a monkey
wrench into the secure deployment of CAS in a DMZ.


________________________________


From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
Sent: Sat 1/13/2007 6:46 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

For me, DMZ means scary place completely untrusted, perimeter network
means less scary place trusted to a degree, but strongly controlled

________________________________


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: 12 January 2007 23:51
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Interesting... Probably a good idea for us to actually articulate what
we really mean when we say DMZ.

I guess to some it means "free for all network" but for me, it should be
the network where you have the most restrictive policies controlling
each service so that it is obvious when malicious traffic hits the wire.
Thoughts?
t


On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:
That's what I thought, now it's what I know....


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, January 12, 2007 6:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Aside from normal router & switch ACLs, ISA is the single line of
defense.
"..we don't need no stinking DMZs"


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Friday, January 12, 2007 12:12 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Ahh...just had a thought.

It's all labeling.

Jason, and others (not Jason's fault), have been using the term DMZ.

Historically, is the term DMZ not taken literally as being completely
firewalled off from the trusted networks, and what Jason is talking
about is trusted network segmentation?

I betcha that's why the Exchange team don't support it...they think it's
a typical run of the mill DMZ...

Jim, isn't MS's Internal network segmented by using ISA?? Including your
mail servers?

S
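Thor's point above is that a DMZ should carry only a deliberately restrictive set of services, so that anything else on that wire (his POP3 logon example) is immediately obvious. The following is an added detection example, not code from the thread or from any of its authors: it checks constructed firewall flow records against an assumed per-zone expected-service policy, where the zone names, log format, addresses and port lists are all assumptions made for the example.

```python
import re

# Constructed log format (assumed for this example, not from the thread):
#   <date> <time> <zone> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<zone>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)

# Assumed per-zone policy. The DMZ list is deliberately tiny (only the
# published services), so anything else seen in that zone stands out.
EXPECTED = {
    "DMZ": {("TCP", 443), ("TCP", 25)},
    "INTERNAL": {("TCP", 443), ("TCP", 25), ("TCP", 110), ("TCP", 445),
                 ("TCP", 135), ("TCP", 53), ("UDP", 53)},
}

def parse_line(line):
    """Return a dict for one flow record, or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_policy_violations(lines, expected=EXPECTED):
    """List (zone, proto, dport, dst) for each flow outside its zone's policy.
    A zone with no policy entry allows nothing, so all its flows are reported."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-flow lines rather than guessing at them
        if (rec["proto"], rec["dport"]) not in expected.get(rec["zone"], set()):
            findings.append((rec["zone"], rec["proto"], rec["dport"], rec["dst"]))
    return findings

# Constructed sample flows using documentation address ranges.
SAMPLE_LOG = [
    "2007-01-12 23:51:02 DMZ 198.51.100.7:51234 -> 192.0.2.10:443 TCP",
    "2007-01-12 23:51:05 DMZ 198.51.100.7:51240 -> 192.0.2.10:110 TCP",
    "2007-01-12 23:51:09 DMZ 192.0.2.10:40011 -> 192.0.2.11:445 TCP",
    "2007-01-12 23:52:01 INTERNAL 10.0.0.5:50001 -> 10.0.0.20:445 TCP",
    "this line is not a flow record",
]
```

Running `find_policy_violations(SAMPLE_LOG)` reports the POP3 and SMB flows in the DMZ while the identical SMB flow on the internal segment passes, which is exactly the signal-to-noise difference the thread describes.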

All mail to and from this domain is GFI-scanned.