[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 20:34:23 -0800

Except that if I "own" that box, the one on the internal network, then all
my down-range attacks are sourced from that server, and thus, ARE PART OF
the IPSec policy.  You've just made it even harder to detect what I'm up to.

t


On 1/10/07 8:14 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> If IPSec restrictions are deployed in the domain, you can do the same thing
> without separating the host from the domain via firewalls.
> Since IPSec policies can be handled via GPO, manglement becomes easier.
> The whole point using ISA to separate the Inet-facing host from the Inet is
> that the attack surface is reduced to only that traffic that ISA will allow to
> the Inet-facing host.  To me, this is lesser-priv than trying to mitigate the
> results of traffic the Inet-facing host should never have seen in the first
> place.
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: Wednesday, January 10, 2007 8:04 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> If the host is in the same domain, traffic between the domain member in the
> DMZ segment is limited to only the required traffic, not all traffic. This is
> least priv. Since SMTP, NNTP, IRC, H.323, SIP, etc., etc., aren't allowed from
> that segment to the other, we've locked out those exploits. Plus, we have a
> device in the path between the two security zones that is logging these
> attempts at illegitimate traffic and can provide information for further
> analysis. If you have an unencumbered path between the Internet facing host
> (which has a much larger "attack surface") and the non-Internet facing
> host, then you're violating least priv and asking for problems you needn't
> have.
> 
>  
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
> 
>  
>>  
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:52 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> What's the diff between allowing domain traffic to the same DC you're trying
>> to protect?
>> The 1d10t cry of "what if it gets compromised?" is the core issue in this
>> question.
>> A host belonging to a separate domain is one thing; a member of the
>> internal domain is quite another.
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thomas W Shinder
>> Sent: Wednesday, January 10, 2007 7:45 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>  
>> What's wrong with that? There is granularity of security zone definitions and
>> membership, even within a domain. Just like what we've done with the FE
>> Exchange Server, there's no qualitative or quantitative differences here that
>> I can tell.
>> 
>>  
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org <http://www.isaserver.org/>
>> Blog: http://blogs.isaserver.org/shinder
>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>> MVP -- ISA Firewalls
>> 
>>  
>>>  
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jim Harrison
>>> Sent: Wednesday, January 10, 2007 7:11 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> C'mon, Tim; I know what your deployment recommendations are; this isn't it.
>>> He wants to extend his domain via "remote membership"; not create a separate
>>> domain.
>>>  
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Thor (Hammer of God)
>>> Sent: Wednesday, January 10, 2007 4:26 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>  
>>> Because it's safer that way, that's why... That's what an authenticated
>>> access DMZ perimeter is for. With a CAS server that presents logon services
>>> to any Internet user, I would (and, in fact, do) require that the server be in
>>> a least-privileged authenticated access perimeter network that limits that
>>> server's communications to the minimum required for required functionality -
>>> and only to the hosts it needs to talk to.
>>> 
>>> Let's say there is a front-end implementation issue or coding vulnerability:
>>> the CAS on the internal network would allow unfettered, full-stack access to
>>> the internal network.  A CAS in a perimeter DMZ would mitigate potential
>>> exposure in the event of a 0day or configuration issue.
>>> 
>>> "Safer on the internal network" is a complete misnomer when it comes to
>>> servers presenting services to an untrusted network.
>>> 
>>> t
>>> 
>>> 
>>> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>> Why would you want to place a member of your internal domain in your DMZ,
>>> fer chrissakes?!?
>>> Hosting any domain member in the DMZ is a difficult proposition; especially
>>> where NAT is the order of the day.
>>> You can either use a network shotgun at your firewall or attempt to use your
>>> favorite VPN tunnel across the firewall to the domain.
>>> 
>>> Jim 
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>>> Sent: Wed 1/10/2007 2:35 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> From what I can gather, the new CAS role now uses RPC to communicate with
>>> the back-end (not sure of new name!) servers so I am guessing that this is
>>> an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX,
>>> is a pretty true statement.
>>> 
>>> Just think how much safer the world will be when firewalls can understand
>>> dynamic protocols like RPC...maybe one day firewalls will even be able to
>>> understand and filter based upon RPC interface...maybe one day... :-D ;-)
>>> 
>>> Shame the Exchange team can't see how much ISA changes the traditional
>>> approach to DMZ thinking...kinda makes you think that both teams work for a
>>> different company :-(
>>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>>> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
>>> 
>>>  
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Greg Mulholland
>>> Sent: 10 January 2007 22:07
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> I seriously hope that they have taken different paths and these are not
>>> limitations on the software or it is going to mean a nice little redesign
>>> and break from custom..
>>> 
>>> Greg
>>> ----- Original Message -----
>>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>>> To: isapros@xxxxxxxxxxxxx
>>> Sent: Thursday, January 11, 2007 8:25 AM
>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> 
>>> Hi All, 
>>> 
>>> I heard today from an Exchange MVP colleague that members of the Exchange
>>> team (Scott Schnoll) are saying that they (Microsoft) do not support placing
>>> the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role)
>>> role into a perimeter network. Has anyone else heard the same? This sounds
>>> very similar to Exchange admins of old when they didn't really understand
>>> modern application firewalls like ISA could do - RPC filter anyone???
>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>> 
>>> I have just about managed to convince Exchange colleagues (and customers) of
>>> the value of placing Exchange FE servers in a separate security zone from BE
>>> servers, DC's etc and now I hear this?
>>> 
>>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>>> achieve with perimeter networks?
>>> 
>>> From what I believe, it is good perimeter security practice to place servers
>>> which are Internet accessible into different security zones than servers
>>> that are purely internal. Therefore, the idea of placing Exchange 2003 FE
>>> servers in an ISA auth access perimeter network with Exchange 2003 BE
>>> servers on the internal network has always seemed like a good approach. It
>>> also follows a good least privilege model.
>>> 
>>> Is this another example of the Exchange and ISA teams following different
>>> paths???? 
>>> 
>>> Please tell me that I am wrong and that I am not going to have to start
>>> putting all Exchange roles, irrespective of security risk, on the same
>>> network again!!!!
>>> 
>>> Comments? 
>>> 
>>> Cheers 
>>> 
>>> JJ 
>>> All mail to and from this domain is GFI-scanned.
>>> 
>>>  
>>> 
>>>  
> 

