[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 20:19:39 -0800

Testify!!!

t


On 1/10/07 7:38 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> Actually, an Internet facing host should NEVER be placed in the same security
> zone as non-Internet facing hosts. Since the CAS is an Internet facing host,
> it should be placed in a separate security zone, such as an authenticated
> access DMZ. The Exchange guys horks another green one with their doltish
> recommendations for the CAS -- no doubt due to their abject lack of
> understanding of the heterogeneity of "DMZs".
>  
> Also, someone in this thread mixed up domain segmentation with network
> physical and logical segmentation -- a common N00b error, since there is no
> pre-defined relationship between the two.
>  
> I would never put the CAS on my non-Internet facing host zone, no matter what
> the boneheads on the Exchange Team "think" -- heck, they're still putting the
> ISA Firewall between two "firewalls" in their docs. Those guys are the last
> ones I'd look to for guidance in network security (OK, Syphco guys are *the*
> last, but the Exchange guys are barely in front of them).
>  
> Tom
>  
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:13 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Don't care; doesn't matter, misquoted.
>>
>> "Desirable" meaning "everyone wants to do it".
>>
>> Publishing RPC (MAPI) traffic is completely different from splitting your
>> domain membership across the firewall.
>>
>> There is *no* good reason to do this.
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jason Jones
>> Sent: Wednesday, January 10, 2007 4:30 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Think you guys have completely misunderstood me, or I am amazed at your
>> responses.
>>
>> We are not talking about ANY firewall here, we are talking about ISA... one
>> of the key advantages of ISA is that you can create perimeter networks even
>> for domain members as ISA can perform RPC and other app filtering. Hence you
>> can move domain members that represent more of a security risk away from
>> other domain member servers.
>>
>> Based upon your answers, you must all be in disagreement then with the
>> models proposed by Tom for Exchange and network services protection????
>>
>> http://www.isaserver.org/articles/2004multidmzp1.html
>>
>> http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html
>>
>> If so, I am very surprised.
>>
>> I posted here in August with a least privilege model for Exchange security
>> which placed Exchange FE's, BE's and DC's into ISA perimeter networks and got
>> good feedback - what the hell is going on????
>>
>> Jim's quote "Ah, yes. While this is a desirable design, it's also a very
>> difficult one."
>>
>> Steve's quote "Hats off to you for being committed to deploying
>> security-in-depth with least-privilege and not acquiescing to the "whatever
>> works" mentality.
>> I know it's a hard thing to deploy and support. While I have a similar
>> topology, I only separate the clients from the servers with an
>> infrastructure ISA box - not the BE's from the DC's; they're on the same
>> "protected" network."
>>
>> Totally confused guys :-(
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Steve Moffat
>> Sent: 10 January 2007 23:08
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> That's what I said??..
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:04 PM
>> To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Why would you want to place a member of your internal domain in your DMZ,
>> fer chrissakes?!?
>>
>> Hosting any domain member in the DMZ is a difficult proposition; especially
>> where NAT is the order of the day.
>>
>> You can either use a network shotgun at your firewall or attempt to use your
>> favorite VPN tunnel across the firewall to the domain.
>>
>> Jim
>>
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Wed 1/10/2007 2:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> From what I can gather, the new CAS role now uses RPC to communicate with
>> the back-end (not sure of new name!) servers so I am guessing that this is
>> an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX,
>> is a pretty true statement.
>>
>> Just think how much safer the world will be when firewalls can understand
>> dynamic protocols like RPC... maybe one day firewalls will even be able to
>> understand and filter based upon RPC interface... maybe one day... :-D ;-)
>>
>> Shame the Exchange team can't see how much ISA changes the traditional
>> approach to DMZ thinking... kinda makes you think that both teams work for a
>> different company :-(
>>
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Greg Mulholland
>> Sent: 10 January 2007 22:07
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I seriously hope that they have taken different paths and these are not
>> limitations on the software or it is going to mean a nice little redesign
>> and break from custom..
>>
>> Greg
>>
>>>
>>> ----- Original Message -----
>>>
>>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>>> To: isapros@xxxxxxxxxxxxx
>>> Sent: Thursday, January 11, 2007 8:25 AM
>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Hi All,
>>>
>>> I heard today from an Exchange MVP colleague that members of the Exchange
>>> team (Scott Schnoll) are saying that they (Microsoft) do not support
>>> placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE
>>> role) role into a perimeter network. Has anyone else heard the same? This
>>> sounds very similar to Exchange admins of old when they didn't really
>>> understand what modern application firewalls like ISA could do - RPC filter
>>> anyone???
>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>>
>>> I have just about managed to convince Exchange colleagues (and customers)
>>> of the value of placing Exchange FE servers in a separate security zone
>>> from BE servers, DC's etc and now I hear this?
>>>
>>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>>> achieve with perimeter networks?
>>>
>>> From what I believe, it is good perimeter security practice to place
>>> servers which are Internet accessible into different security zones than
>>> servers that are purely internal. Therefore, the idea of placing Exchange
>>> 2003 FE servers in an ISA auth access perimeter network with Exchange 2003
>>> BE servers on the internal network has always seemed like a good approach.
>>> It also follows a good least privilege model.
>>>
>>> Is this another example of the Exchange and ISA teams following different
>>> paths????
>>>
>>> Please tell me that I am wrong and that I am not going to have to start
>>> putting all Exchange roles, irrespective of security risk, on the same
>>> network again!!!!
>>>
>>> Comments?
>>>
>>> Cheers
>>>
>>> JJ
>>>
>>
>> All mail to and from this domain is GFI-scanned.
>
