[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 11 Jan 2007 00:58:39 -0000

Hopefully he will chip in and let us know...

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: 11 January 2007 00:44
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



Tom does rollouts, documents....and scenarios, he doesn't necessarily
recommend them...J


S


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Wednesday, January 10, 2007 8:30 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


Think you guys have completely misunderstood me, or I am amazed at your
responses.


We are not talking about ANY firewall here, we are talking about
ISA...one of the key advantages of ISA is that you can create perimeter
networks even for domain members as ISA can perform RPC and other app
filtering. Hence you can move domain members that represent more of a
security risk away from other domain member servers.  


Based upon your answers, you must all be in disagreement then with the
models proposed by Tom for Exchange and network services protection????

http://www.isaserver.org/articles/2004multidmzp1.html

http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html


If so, I am very surprised.


I posted here in August with a least privilege model for Exchange
security which placed Exchange FE's, BE's and DC's into ISA perimeter
networks and got good feedback - what the hell is going on????


Jim's quote "Ah, yes. While this is a desirable design, it's also a very
difficult one."

Steve's quote "Hats off to you for being committed to deploying
security-in-depth with least-privilege and not acquiescing to the
"whatever works" mentality.
I know it's a hard thing to deploy and support.  While I have a similar
topology, I only separate the clients from the servers with an
infrastructure ISA box- not the BE's from the DC's; they're on the same
"protected" network."

Totally confused guys :-(



________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: 10 January 2007 23:08
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

That's what I said........


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, January 10, 2007 7:04 PM
To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


Why would you want to place a member of your internal domain in your
DMZ, fer chrissakes?!?

Hosting any domain member in the DMZ is a difficult proposition;
especially where NAT is the order of the day.

You can either use a network shotgun at your firewall or attempt to use
your favorite VPN tunnel across the firewall to the domain.


Jim

________________________________

From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
Sent: Wed 1/10/2007 2:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

From what I can gather, the new CAS role now uses RPC to communicate
with the back-end (not sure of new name!) servers so I am guessing that
this is an "RPC isn't safe across firewalls" type stance. Which I guess
for a PIX, is a pretty true statement.


Just think how much safer the world will be when firewalls can
understand dynamic protocols like RPC...maybe one day firewalls will
even be able to understand and filter based upon RPC interface...maybe
one day... :-D ;-)


Shame the Exchange team can't see how much ISA changes the traditional
approach to DMZ thinking...kinda makes you think that both teams work
for a different company :-(




________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: 10 January 2007 22:07
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I seriously hope that they have taken different paths and these are not
limitations on the software, or it is going to mean a nice little
redesign and break from custom..


Greg

        ----- Original Message ----- 

        From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>  

        To: isapros@xxxxxxxxxxxxx 

        Sent: Thursday, January 11, 2007 8:25 AM

        Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


        Hi All, 

        I heard today from an Exchange MVP colleague that members of the
Exchange team (Scott Schnoll) are saying that they (Microsoft) do not
support placing the new Exchange 2007 Client Access Server (like the old
Exch2k3 FE role) role into a perimeter network. Has anyone else heard
the same? This sounds very similar to Exchange admins of old when they
didn't really understand what modern application firewalls like ISA could do
- RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

        I have just about managed to convince Exchange colleagues (and
customers) of the value of placing Exchange FE servers in a separate
security zone from BE servers, DC's etc and now I hear this...

        Are the Exchange team confusing the old traditional DMZ's with
what ISA can achieve with perimeter networks? 

        From what I believe, it is good perimeter security practice to
place servers which are Internet accessible into different security
zones than servers that are purely internal. Therefore, the idea of
placing Exchange 2003 FE servers in an ISA auth access perimeter network
with Exchange 2003 BE servers on the internal network has always seemed
like a good approach. It also follows a good least privilege model. 

        Is this another example of the Exchange and ISA teams following
different paths???? 

        Please tell me that I am wrong and that I am not going to have
to start putting all Exchange roles, irrespective of security risk, on
the same network again!!!!

        Comments? 

        Cheers 

        JJ 


All mail to and from this domain is GFI-scanned.
