[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 16:57:18 -0800

Np ;)  I totally agree with you.  I'm even deploying an "internal"
least-privilege ISA box between my internal clients and servers.

And to Steve's post, do you mean "on the domain" or "on the internal
network"?  The CAS box has to be a domain member, but it does not have to be
(and should not be) on the internal network.

t


On 1/10/07 4:35 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to
all:

> Sorry t - the quote in my last post should have been from you, and not Steve.
> Thought I was going mad until you posted!
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: 11 January 2007 00:26
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Because it's safer that way, that's why... That's what an authenticated access
> DMZ perimeter is for. With a CAS server that presents logon services to any
> Internet user, I would (and, in fact, do) require that the server be in a
> least-privileged authenticated access perimeter network that limits that
> server's communications to the minimum required for required functionality,
> and only to the hosts it needs to talk to.
> 
> Let's say there is a front-end implementation issue or coding vulnerability:
> the CAS on the internal network would allow unfettered, full-stack access to
> the internal network.  A CAS in a perimeter DMZ would mitigate potential
> exposure in the event of a 0day or configuration issue.
> 
> "Safer on the internal network" is a complete misnomer when it comes to
> servers presenting services to an untrusted network.
> 
> t
> 
> 
> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
>> Why would you want to place a member of your internal domain in your DMZ,
>> fer chrissakes?!?
>> Hosting any domain member in the DMZ is a difficult proposition; especially
>> where NAT is the order of the day.
>> You can either use a network shotgun at your firewall or attempt to use your
>> favorite VPN tunnel across the firewall to the domain.
>> 
>> Jim
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Wed 1/10/2007 2:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> From what I can gather, the new CAS role now uses RPC to communicate with
>> the back-end (not sure of new name!) servers so I am guessing that this is
>> an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX,
>> is a pretty true statement.
>> 
>> Just think how much safer the world will be when firewalls can understand
>> dynamic protocols like RPC...maybe one day firewalls will even be able to
>> understand and filter based upon RPC interface...maybe one day... :-D ;-)
>> 
>> Shame the Exchange team can't see how much ISA changes the traditional
>> approach to DMZ thinking...kinda makes you think that both teams work for a
>> different company :-(
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>> jason.jones@xxxxxxxxxxxxxxxxx
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Greg Mulholland
>> Sent: 10 January 2007 22:07
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> 
>> I seriously hope that they have taken different paths and these are not
>> limitations on the software or it is going to mean a nice little redesign
>> and break from custom..
>> 
>> Greg
>> 
>>> ----- Original Message -----
>>> From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
>>> To: isapros@xxxxxxxxxxxxx
>>> Sent: Thursday, January 11, 2007 8:25 AM
>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> 
>>> Hi All, 
>>> 
>>> I heard today from an Exchange MVP colleague that members of the Exchange
>>> team (Scott Schnoll) are saying that they (Microsoft) do not support
>>> placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE
>>> role) role into a perimeter network. Has anyone else heard the same? This
>>> sounds very similar to Exchange admins of old when they didn't really
>>> understand modern application firewalls like ISA could do - RPC filter
>>> anyone???
>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>> 
>>> I have just about managed to convince Exchange colleagues (and customers)
>>> of the value of placing Exchange FE servers in a separate security zone
>>> from BE servers, DC's etc and now I hear this?
>>> 
>>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>>> achieve with perimeter networks?
>>> 
>>> From what I believe, it is good perimeter security practice to place
>>> servers which are Internet accessible into different security zones than
>>> servers that are purely internal. Therefore, the idea of placing Exchange
>>> 2003 FE servers in an ISA auth access perimeter network with Exchange 2003
>>> BE servers on the internal network has always seemed like a good approach.
>>> It also follows a good least privilege model.
>>> 
>>> Is this another example of the Exchange and ISA teams following different
>>> paths????
>>> 
>>> Please tell me that I am wrong and that I am not going to have to start
>>> putting all Exchange roles, irrespective of security risk, on the same
>>> network again!!!!
>>> 
>>> Comments?  
>>> 
>>> Cheers 
>>> 
>>> JJ  
>>> 
>> 
> 
> 

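The least-privilege perimeter argument above (a CAS that may talk only to the hosts and ports it needs, versus a CAS sitting on the flat internal network with full-stack access) can be made concrete with a small reachability model. The following is an added example, not code from the thread or from ISA Server; every host name, zone, port and rule in it is a constructed assumption used for illustration, and the "rpc" entry stands in for interface-filtered RPC rather than a real port.

```python
"""Least-privilege reachability model for an Internet-facing CAS.

Added example, not part of the original thread. Host names, zones, ports
and rules below are constructed assumptions for illustration; the thread
itself names no specific hosts or rules.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str          # source host label
    dst: str          # destination host label, or ANY
    port: object      # TCP port number, "rpc" for filtered RPC, or ANY
    note: str = ""


# Constructed inventory: services listening on assumed internal hosts.
SERVICES = {
    "dc01":        {88, 389, 3268, 445, "rpc"},   # assumed DC / GC
    "mbx01":       {"rpc", 445},                  # assumed mailbox role
    "fileserver":  {445},
    "hr-db":       {1433},
    "wks-finance": {445, 3389},
}

# Authenticated-access perimeter policy: the CAS reaches only the hosts
# and ports it needs (assumed here: Kerberos/LDAP/GC to the DC and
# interface-filtered RPC to the mailbox server).
PERIMETER_RULES = [
    Rule("cas01", "dc01", 88, "Kerberos"),
    Rule("cas01", "dc01", 389, "LDAP"),
    Rule("cas01", "dc01", 3268, "Global Catalog"),
    Rule("cas01", "mbx01", "rpc", "RPC filtered by interface"),
]

# Over-permissive policy for contrast: CAS to anywhere on any port.
LAZY_RULES = [Rule("cas01", ANY, ANY, "network shotgun")]


def reachable(src, rules, services):
    """(host, port) pairs src can reach under rules, given what actually listens."""
    out = set()
    for r in rules:
        if r.src != src:
            continue
        for host, ports in services.items():
            if host == src or r.dst not in (ANY, host):
                continue
            for p in ports:
                if r.port in (ANY, p):
                    out.add((host, p))
    return out


def flat_internal_reachable(src, services):
    """CAS on the flat internal network: nothing filters it from any listener."""
    return {(h, p) for h, ports in services.items() if h != src for p in ports}


def exposure_delta(src, rules, services):
    """Listeners a compromised CAS reaches on the flat network but not behind the policy."""
    return flat_internal_reachable(src, services) - reachable(src, rules, services)


def audit_rules(rules):
    """Rules that break 'only the hosts and ports it needs' (wildcard host or port)."""
    return [r for r in rules if ANY in (r.dst, r.port)]


if __name__ == "__main__":
    perim = reachable("cas01", PERIMETER_RULES, SERVICES)
    flat = flat_internal_reachable("cas01", SERVICES)
    print(f"perimeter policy: CAS reaches {len(perim)} (host, port) pairs")
    print(f"flat internal:    CAS reaches {len(flat)} (host, port) pairs")
    for hp in sorted(exposure_delta("cas01", PERIMETER_RULES, SERVICES), key=str):
        print("  only exposed on the flat network:", hp)
    for r in audit_rules(LAZY_RULES):
        print("over-permissive rule:", r)
```

The two policies reach the same Exchange and directory services, so functionality is unchanged; the difference is everything else on the internal network that the flat placement hands to whoever compromises the CAS. `audit_rules` is the check to run against any perimeter rule set: a wildcard destination or port turns the "authenticated access perimeter" back into the flat network.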