[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
Date: Wed, 10 Jan 2007 20:18:17 -0800
That¹s exactly what I¹m talking about.  And precisely the configuration I
deploy:

My FE is in the authenticated segment of the DMZ  and a member of my
internal domain; however, the ³recommended protocols² the Exchange group
recommends are not necessary- and thus, Steve¹s contention that ³CIFS and
all that other stuff... Might as well just be internal² I reject.  I only
allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only from my FE to the
internal DC¹s.  And only HTTP to the BE¹s.

Even if the other prots WERE required, it would still be far smarter to
deploy the FE in the authenticated DMZ with limited access than to just give
full stack access to the ENTIRE internal network.   This is a deployment of
a services made available (initially) to a global, anonymous, untrusted
network. 

Maybe I¹m not properly articulating my point, but I have to say I¹m really
surprised that we are having this conversation...

t


On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> C¹mon, Tim; I know what your deployment recommendations are; this isn¹t it.
> He wants to extend his domain via ³remote membership²; not create a separate
> domain.
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 4:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> Because it¹s safer that way, that¹s why... That¹s what an authenticated access
> DMZ perimeter is for? with a CAS server that presents logon services to any
> Internet user, I would (and, in fact, require) that the server be in a
> least-privileged authenticated access perimeter network that limits that
> servers communications to the minimum required for required functionality 
> and only to the hosts it needs to talk to.
> 
> Let¹s say there is a front-end implementation issue or coding vulnerability:
> the CAS on the internal network would allow unfettered, full-stack access to
> the internal network.  A CAS in a perimeter DMZ would mitigate potential
> exposure in the event of a 0day or configuration issue.
> 
> ³Safer on the internal network² is a complete misnomer when it comes to
> servers presenting services to an untrusted network.
> 
> t
> 
> 
> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> Why would you want to place a member of your internal domain in your DMZ, fer
> chrissakes?!?
> Hosting any domain member in the DMZ is a difficult proposition; especially
> where NAT is the order of the day.
> You can either use a network shotgun at your firewall or attempt to use your
> facvorite VPN tunnel across the firewall to the domain.
> 
> Jim 
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Wed 1/10/2007 2:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> From what I can gather, the new CAS role now uses RPC to communicate with the
> back-end (not sure of new name!) servers so I am guessing that this is an "RPC
> isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty
> true statement.
> 
> Just think how much safer the world will be when firewalls can understand
> dynamic protocols like RPC...maybe one day firewalls will even be able to
> understand and filter based upon RPC interface...maybe one day... :-D ;-)
> 
> Shame the Exchange team can't see how much ISA changes the traditional
> approach to DMZ thinking...kinda makes you think that both teams work for a
> different company :-(
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
> 
>  
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 10 January 2007 22:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> I seriously hope that they have take different paths and these are not
> limitations on the software or it is going to mean a nice little redesign and
> break from custom..
> 
> Greg
> ----- Original Message -----
> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Thursday, January 11, 2007 8:25 AM
> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
> 
> 
> Hi All, 
> 
> I heard today from an Exchange MVP colleague that members of the Exchange team
> (Scott Schnoll) are saying that they (Microsoft) do not support placing the
> new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role
> into a perimeter network. Has anyone else heard the same? This sounds very
> similar to Exchange admins of old when they didn't really understand modern
> application firewalls like ISA could do - RPC filter anyone???
> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_threa
> d/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4
> db165c21599cf9b 
> <http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thre
> ad/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=
> 2&amp;hl=en#4db165c21599cf9b>
> <http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thre
> ad/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=
> 2&amp;hl=en#4db165c21599cf9b>
> 
> I have just about managed to convince Exchange colleagues (and customers) of
> the value of placing Exchange FE servers in a separate security zone from BE
> servers, DC's etc and now I here this?
> 
> Are the Exchange team confusing the old traditional DMZ's with what ISA can
> achieve with perimeter networks?
> 
> From what I believe, it is good perimeter security practice to place servers
> which are Internet accessible into different security zones than servers that
> are purely internal. Therefore, the idea of placing Exchange 2003 FE servers
> in an ISA auth access perimeter network with Exchange 2003 BE servers on the
> internal network has always seemed like a good approach. It also follows a
> good least privilege model.
> 
> Is this another example of the Exchange and ISA teams following different
> paths???? 
> 
> Please tell me that I am wrong and that I am not going to have to start
> putting all Exchange roles, irrespective of security risk, on the same network
> again!!!!
> 
> Comments? 
> 
> Cheers 
> 
> JJ 
> All mail to and from this domain is GFI-scanned.
> 
>  
> 
>  
> All mail to and from this domain is GFI-scanned.
>
Follow-Ups:
- [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
  - From: Jim Harrison
[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Other related posts:
