[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 22:40:18 -0600

They can't be separate domains, since the FE and BE must belong to the
same domain. The auth access DMZ hosts are in the same domain as the
internal domain.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, January 10, 2007 8:16 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        We're missing each other.

        I wholeheartedly agree with Tim's design - it uses completely separate domains in the LAN and DMZ - there is no relationship between them.

        I also agree with restricting access to the Inet-facing hosts, but this doesn't have to mean physical relocation to a separate network to accomplish the task. IPSec, baby - it works.


        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Wednesday, January 10, 2007 8:06 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        Because it's more secure. Heck, that's what Tim's entire class was about -- least priv. Why put two hosts that belong to two different security zones in the same security zone? Just because two hosts are members of the same domain isn't the end-all and be-all -- sure, it's a security factor, but there are other, more important factors to take into account. That's why the Exchange FE or Exchange CAS should be placed in an authenticated access DMZ, so that only required traffic is allowed to move between the CAS and other network devices.


        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/>
        Blog: http://blogs.isaserver.org/shinder
        Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
        MVP -- ISA Firewalls


________________________________

                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Wednesday, January 10, 2007 7:55 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

                Nope; and the whole concept of "separate domain" vs. "remote member of the same domain" is my point.

                I agree that the Exch design choice harkens back to the bad ol' days of "ports bad".

                I also agree that their design docs suck poo-poo; they *still* push the "ISA shouldn't be a domain member" noise, no matter how hard I try to fight it.

                The point is; why extend your domain across security boundaries if you don't have to?


                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Wednesday, January 10, 2007 7:47 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


                There are plenty of reasons to do it. First, there is the current example.

                Second, is an internal network services segment where the DCs, BE Exchange, SQL etc exist, and the untrusted corpnet clients, which are members of the same domain, are on another segment, separated by the ISA Firewall.

                Did you forget about least privilege?


                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/>
                Blog: http://blogs.isaserver.org/shinder
                Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
                MVP -- ISA Firewalls


________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                        Sent: Wednesday, January 10, 2007 7:13 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

                        Don't care; doesn't matter, misquoted.

                        "Desirable" meaning "everyone wants to do it".

                        Publishing RPC (MAPI) traffic is completely different from splitting your domain membership across the firewall.

                        There is *no* good reason to do this.


                        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
                        Sent: Wednesday, January 10, 2007 4:30 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


                        Think you guys have completely misunderstood me, or I am amazed at your responses.

                        We are not talking about ANY firewall here, we are talking about ISA...one of the key advantages of ISA is that you can create perimeter networks even for domain members as ISA can perform RPC and other app filtering. Hence you can move domain members that represent more of a security risk away from other domain member servers.

                        Based upon your answers, you must all be in disagreement then with the models proposed by Tom for Exchange and network services protection????

                        http://www.isaserver.org/articles/2004multidmzp1.html

                        http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

                        If so, I am very surprised.

                        I posted here in August with a least privilege model for Exchange security which placed Exchange FE's, BE's and DC's into ISA perimeter networks and got good feedback - what the hell is going on????

                        Jim's quote "Ah, yes. While this is a desirable design, it's also a very difficult one."

                        Steve's quote "Hats off to you for being committed to deploying security-in-depth with least-privilege and not acquiescing to the "whatever works" mentality. I know it's a hard thing to deploy and support. While I have a similar topology, I only separate the clients from the servers with an infrastructure ISA box - not the BE's from the DC's; they're on the same "protected" network."

                        Totally confused guys :-(


________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                        Sent: 10 January 2007 23:08
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

                        That's what I said........


                        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                        Sent: Wednesday, January 10, 2007 7:04 PM
                        To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

                        Why would you want to place a member of your internal domain in your DMZ, fer chrissakes?!?

                        Hosting any domain member in the DMZ is a difficult proposition; especially where NAT is the order of the day.

                        You can either use a network shotgun at your firewall or attempt to use your favorite VPN tunnel across the firewall to the domain.

                        Jim

________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
                        Sent: Wed 1/10/2007 2:35 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

                        From what I can gather, the new CAS role now uses RPC to communicate with the back-end (not sure of new name!) servers so I am guessing that this is an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty true statement.

                        Just think how much safer the world will be when firewalls can understand dynamic protocols like RPC...maybe one day firewalls will even be able to understand and filter based upon RPC interface...maybe one day... :-D ;-)

                        Shame the Exchange team can't see how much ISA changes the traditional approach to DMZ thinking...kinda makes you think that both teams work for a different company :-(

                        Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>


________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
                        Sent: 10 January 2007 22:07
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

                        I seriously hope that they have taken different paths and these are not limitations on the software or it is going to mean a nice little redesign and break from custom..

                        Greg

                                ----- Original Message -----

                                From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>

                                To: isapros@xxxxxxxxxxxxx

                                Sent: Thursday, January 11, 2007 8:25 AM

                                Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


                                Hi All,

                                I heard today from an Exchange MVP colleague that members of the Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role into a perimeter network. Has anyone else heard the same? This sounds very similar to Exchange admins of old when they didn't really understand what modern application firewalls like ISA could do - RPC filter anyone??? http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

                                I have just about managed to convince Exchange colleagues (and customers) of the value of placing Exchange FE servers in a separate security zone from BE servers, DC's etc and now I hear this...

                                Are the Exchange team confusing the old traditional DMZ's with what ISA can achieve with perimeter networks?

                                From what I believe, it is good perimeter security practice to place servers which are Internet accessible into different security zones than servers that are purely internal. Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth access perimeter network with Exchange 2003 BE servers on the internal network has always seemed like a good approach. It also follows a good least privilege model.

                                Is this another example of the Exchange and ISA teams following different paths????

                                Please tell me that I am wrong and that I am not going to have to start putting all Exchange roles, irrespective of security risk, on the same network again!!!!

                                Comments?

                                Cheers

                                JJ


                        All mail to and from this domain is GFI-scanned.