Except that if I "own" that box, the one on the internal network, then all my down-range attacks are sourced from that server, and thus, ARE PART OF the IPSec policy. You've just made it even harder to detect what I'm up to.

t

On 1/10/07 8:14 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> If IPSec restrictions are deployed in the domain, you can do the same thing without separating the host from the domain via firewalls.
> Since IPSec policies can be handled via GPO, manglement becomes easier.
> The whole point of using ISA to separate the Inet-facing host from the Inet is that the attack surface is reduced to only that traffic that ISA will allow to the Inet-facing host. To me, this is lesser-priv than trying to mitigate the results of traffic the Inet-facing host should never have seen in the first place.
>
> From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thomas W Shinder
> Sent: Wednesday, January 10, 2007 8:04 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> If the host is in the same domain, traffic between the domain member in the DMZ segment is limited to only the required traffic, not all traffic. This is least priv. Since SMTP, NNTP, IRC, H.323, SIP, etc., etc., aren't allowed from that segment to the other, we've locked out those exploits. Plus, we have a device in the path between the two security zones that is logging these attempts at illegitimate traffic and can provide information for further analysis. If you have an unencumbered path between the Internet facing host (which has a much larger "attacker surface") than the non-Internet facing host, then you're violating least priv and asking for problems you needn't have.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:52 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> What's the diff between allowing domain traffic to the same DC you're trying to protect?
>> The 1d10t cry of "what if it gets compromised?" is the core issue in this question.
>> A host belonging to a separate domain is one thing; a member of the internal domain is quite another.
>>
>> From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thomas W Shinder
>> Sent: Wednesday, January 10, 2007 7:45 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> What's wrong with that? There is granularity of security zone definitions and membership, even within a domain. Just like what we've done with the FE Exchange Server, there's no qualitative or quantitative differences here that I can tell.
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>>
>>> From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Jim Harrison
>>> Sent: Wednesday, January 10, 2007 7:11 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> C'mon, Tim; I know what your deployment recommendations are; this isn't it. He wants to extend his domain via "remote membership"; not create a separate domain.
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Thor (Hammer of God)
>>> Sent: Wednesday, January 10, 2007 4:26 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Because it's safer that way, that's why... That's what an authenticated access DMZ perimeter is for. With a CAS server that presents logon services to any Internet user, I would (and, in fact, require) that the server be in a least-privileged authenticated access perimeter network that limits that server's communications to the minimum required for required functionality and only to the hosts it needs to talk to.
>>>
>>> Let's say there is a front-end implementation issue or coding vulnerability: the CAS on the internal network would allow unfettered, full-stack access to the internal network. A CAS in a perimeter DMZ would mitigate potential exposure in the event of a 0day or configuration issue.
>>>
>>> "Safer on the internal network" is a complete misnomer when it comes to servers presenting services to an untrusted network.
>>>
>>> t
>>>
>>> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>> Why would you want to place a member of your internal domain in your DMZ, fer chrissakes?!?
>>> Hosting any domain member in the DMZ is a difficult proposition; especially where NAT is the order of the day.
>>> You can either use a network shotgun at your firewall or attempt to use your favorite VPN tunnel across the firewall to the domain.
>>>
>>> Jim
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>>> Sent: Wed 1/10/2007 2:35 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> From what I can gather, the new CAS role now uses RPC to communicate with the back-end (not sure of new name!) servers so I am guessing that this is an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty true statement.
>>>
>>> Just think how much safer the world will be when firewalls can understand dynamic protocols like RPC...maybe one day firewalls will even be able to understand and filter based upon RPC interface...maybe one day... :-D ;-)
>>>
>>> Shame the Exchange team can't see how much ISA changes the traditional approach to DMZ thinking...kinda makes you think that both teams work for a different company :-(
>>>
>>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx On Behalf Of Greg Mulholland
>>> Sent: 10 January 2007 22:07
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> I seriously hope that they have taken different paths and these are not limitations on the software or it is going to mean a nice little redesign and break from custom..
>>>
>>> Greg
>>>
>>> ----- Original Message -----
>>> From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
>>> To: isapros@xxxxxxxxxxxxx
>>> Sent: Thursday, January 11, 2007 8:25 AM
>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Hi All,
>>>
>>> I heard today from an Exchange MVP colleague that members of the Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role into a perimeter network. Has anyone else heard the same? This sounds very similar to Exchange admins of old when they didn't really understand what modern application firewalls like ISA could do - RPC filter anyone???
>>>
>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>>
>>> I have just about managed to convince Exchange colleagues (and customers) of the value of placing Exchange FE servers in a separate security zone from BE servers, DC's etc and now I hear this?
>>>
>>> Are the Exchange team confusing the old traditional DMZ's with what ISA can achieve with perimeter networks?
>>>
>>> From what I believe, it is good perimeter security practice to place servers which are Internet accessible into different security zones than servers that are purely internal. Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth access perimeter network with Exchange 2003 BE servers on the internal network has always seemed like a good approach. It also follows a good least privilege model.
>>>
>>> Is this another example of the Exchange and ISA teams following different paths????
>>>
>>> Please tell me that I am wrong and that I am not going to have to start putting all Exchange roles, irrespective of security risk, on the same network again!!!!
>>>
>>> Comments?
>>>
>>> Cheers
>>>
>>> JJ
>>>
>>> All mail to and from this domain is GFI-scanned.
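The two containment models the thread argues over can be made concrete with a small policy evaluator. The following is an added example, not code from the thread or from any of its participants: it models a default-deny device between the perimeter and internal zones (per-service allow list, dropped traffic logged) beside a host-level IPSec peer policy (permit any traffic to named peers), and runs the same set of constructed connection attempts from the CAS through both. Host names (`cas`, `exch-be`, `dc1`, `fileserver`) and the port list are constructed for illustration and are not a complete Exchange 2007 requirement list.

```python
# Added example, not from the thread. A toy first-match policy evaluator that
# contrasts the two containment models argued over above: a default-deny
# network device between zones and a host-level IPSec peer policy. Host names
# and ports are constructed for illustration, not a full Exchange port list.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a packet filter would see it."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: Optional[str]  # None matches any protocol
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src == flow.src and self.dst == flow.dst
                and self.proto in (None, flow.proto)
                and self.dport in (None, flow.dport))


# Model A: perimeter device between zones. Per-service allow list from the
# CAS to the hosts it needs; everything else is dropped and logged.
PERIMETER_RULES: List[Rule] = [
    Rule("cas", "exch-be", "tcp", 135, "allow"),  # RPC endpoint mapper
    Rule("cas", "exch-be", "tcp", 443, "allow"),  # HTTPS to back end
    Rule("cas", "dc1", "tcp", 88, "allow"),       # Kerberos
    Rule("cas", "dc1", "tcp", 389, "allow"),      # LDAP
    Rule("cas", "dc1", "udp", 53, "allow"),       # DNS
]

# Model B: host IPSec peer policy pushed by GPO. The policy names peers, not
# services, so any traffic the CAS sends to a permitted peer is within policy.
IPSEC_PEER_RULES: List[Rule] = [
    Rule("cas", "exch-be", None, None, "allow"),
    Rule("cas", "dc1", None, None, "allow"),
]


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def denied(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows the policy drops: the log lines an in-path device would produce."""
    return [f for f in flows if evaluate(rules, f) == "deny"]


# Constructed traffic sourced from the CAS: the first two are what it
# legitimately needs; the rest is what a compromised CAS might try toward the
# same peers and toward a host it has no business with.
ATTEMPTS: List[Flow] = [
    Flow("cas", "dc1", "tcp", 88),          # Kerberos, expected
    Flow("cas", "exch-be", "tcp", 135),     # RPC to back end, expected
    Flow("cas", "exch-be", "tcp", 25),      # SMTP to back end, not required here
    Flow("cas", "dc1", "tcp", 445),         # SMB to a DC, not required
    Flow("cas", "fileserver", "tcp", 445),  # host the CAS never needs
]

if __name__ == "__main__":
    for name, rules in (("perimeter", PERIMETER_RULES), ("ipsec-peer", IPSEC_PEER_RULES)):
        dropped = denied(rules, ATTEMPTS)
        print(f"{name}: {len(dropped)} of {len(ATTEMPTS)} attempts denied and logged")
        for f in dropped:
            print(f"  DENY {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Run stand-alone, the perimeter model denies (and therefore logs) three of the five attempts, while the peer-based IPSec model denies only the one to a host that is not a policy peer; the SMTP and SMB attempts toward permitted peers pass through it unseen, which is the detection gap the top of the thread is pointing at.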