[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 20:40:32 -0800

Not sure where I lost you on that, Jim... That design does NOT use separate
domains...  They are part of the SAME DOMAIN.  It's exactly as Tom said...
You can't have an FE server in a separate domain anyway unless you then have
a trust relationship which is then "the same thing" operationally.

This is really easy, and I'm not sure how anyone can argue against this
point:

1: Box1 <-> FULL STACK <-> Box2
2: Box1 <-> Limited Protocols only for Functionality <-> Box2

2 will *always* be more secure than 1.  Always!! And we are not talking
"hard to implement" here.  Even if there is no DMZ, you could still stick in
1 more NIC in the border ISA box and hang your FE off of that, and you'll
still be better off than simply publishing an internal server...

WTF am I missing here?  Have you all started doing crack or something?

t


On 1/10/07 8:16 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> We're missing each other.
> I wholeheartedly agree with Tim's design - it uses completely separate domains
> in the LAN and DMZ - there is no relationship between them.
> I also agree with restricting access to the Inet-facing hosts, but this
> doesn't have to mean physical relocation to a separate network to accomplish
> the task.  IPSec, baby - it works.
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: Wednesday, January 10, 2007 8:06 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> Because it's more secure. Heck, that's what Tim's entire class was about --
> least priv. Why put two hosts that belong to two different security zones in
> the same security zone. Just because two hosts are members of the same domain
> isn't the end all and be all -- sure, it's a security factor, but there are
> other, more important factors to take into account. That's why the Exchange FE
> or Exchange CAS, should be placed in an authenticated access DMZ, so that only
> required traffic is allowed to move between the CAS and other network devices.
> 
>  
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
> 
>  
>>  
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:55 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> Nope; and the whole concept of "separate domain" vs. "remote member of the
>> same domain" is my point.
>> I agree that the Exch design choice harkens back to the bad ol' days of
>> "ports bad".
>> I also agree that their design docs suck poo-poo; they *still* push the "ISA
>> shouldn't be a domain member" noise, no matter how hard I try to fight it.
>> The point is; why extend your domain across security boundaries if you don't
>> have to?
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thomas W Shinder
>> Sent: Wednesday, January 10, 2007 7:47 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>  
>> There are plenty of reasons to do it. First, there is the current example,
>>  
>> Second, is an  internal network services segment where the DCs, BE Exchange,
>> SQL etc exist, and the untrusted corpnet clients, which are members of the
>> same domain, are on another segment, separated by the ISA Firewall.
>>  
>> Did you forget about least privilege?
>> 
>>  
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org <http://www.isaserver.org/>
>> Blog: http://blogs.isaserver.org/shinder
>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>> MVP -- ISA Firewalls
>> 
>>  
>>>  
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jim Harrison
>>> Sent: Wednesday, January 10, 2007 7:13 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> Don't care; doesn't matter, misquoted.
>>> "Desirable" meaning "everyone wants to do it".
>>>  
>>> Publishing RPC (MAPI) traffic is completely different from splitting your
>>> domain membership across the firewall.
>>> There is *no* good reason to do this.
>>>  
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jason Jones
>>> Sent: Wednesday, January 10, 2007 4:30 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>  
>>> Think you guys have completely misunderstood me, or I am amazed at your
>>> responses.
>>>  
>>> We are not talking about ANY firewall here, we are talking about ISA...one
>>> of the key advantages of ISA is that you can create perimeter networks even
>>> for domain members as ISA can perform RPC and other app filtering. Hence you
>>> can move domain members that represent more of a security risk away from
>>> other domain member servers.
>>>  
>>> Based upon your answers, you must all be in disagreement then with the
>>> models proposed by Tom for Exchange and network services protection????
>>> http://www.isaserver.org/articles/2004multidmzp1.html
>>> http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html
>>>  
>>> If so, I am very surprised.
>>>  
>>> I posted here in August with a least privilege model for Exchange security
>>> which placed Exchange FE's, BE's and DC's into ISA perimeter networks and
>>> got good feedback - what the hell is going on????
>>>  
>>> Jim's quote "Ah, yes. While this is a desirable design, it's also a very
>>> difficult one."
>>> Steve's quote "Hat's off to you for being committed to deploying
>>> security-in-depth with least-privilege and not acquiescing to the "whatever
>>> works" mentality.
>>> I know it's a hard thing to deploy and support.  While I have a similar
>>> topology, I only separate the clients from the servers with an
>>> infrastructure ISA box- not the BE's from the DC's; they're on the same
>>> "protected" network."
>>> Totally confused guys :-(
>>>  
>>>  
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Steve Moffat
>>> Sent: 10 January 2007 23:08
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> That's what I said??..
>>>  
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jim Harrison
>>> Sent: Wednesday, January 10, 2007 7:04 PM
>>> To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>  
>>> 
>>> Why would you want to place a member of your internal domain in your DMZ,
>>> fer chrissakes?!?
>>> 
>>> Hosting any domain member in the DMZ is a difficult proposition; especially
>>> where NAT is the order of the day.
>>> 
>>> You can either use a network shotgun at your firewall or attempt to use your
>>> favorite VPN tunnel across the firewall to the domain.
>>> 
>>>  
>>> 
>>> Jim 
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>>> Sent: Wed 1/10/2007 2:35 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> From what I can gather, the new CAS role now uses RPC to communicate with
>>> the back-end (not sure of new name!) servers so I am guessing that this is
>>> an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX,
>>> is a pretty true statement.
>>>  
>>> Just think how much safer the world will be when firewalls can understand
>>> dynamic protocols like RPC...maybe one day firewalls will even be able to
>>> understand and filter based upon RPC interface...maybe one day... :-D ;-)
>>>  
>>> Shame the Exchange team can't see how much ISA changes the traditional
>>> approach to DMZ thinking...kinda makes you think that both teams work for a
>>> different company :-(
>>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>>> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
>>> 
>>>  
>>>  
>>> 
>>> 
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Greg Mulholland
>>> Sent: 10 January 2007 22:07
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>> 
>>> I seriously hope that they have taken different paths and these are not
>>> limitations on the software or it is going to mean a nice little redesign
>>> and break from custom..
>>> 
>>>  
>>> 
>>> Greg
>>>> 
>>>> ----- Original Message -----
>>>> 
>>>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>>>> 
>>>> To: isapros@xxxxxxxxxxxxx
>>>> 
>>>> Sent: Thursday, January 11, 2007 8:25 AM
>>>> 
>>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>>> 
>>>>  
>>>> Hi All, 
>>>> 
>>>> I heard today from an Exchange MVP colleague that members of the Exchange
>>>> team (Scott Schnoll) are saying that they (Microsoft) do not support
>>>> placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE
>>>> role) role into a perimeter network. Has anyone else heard the same? This
>>>> sounds very similar to Exchange admins of old when they didn't really
>>>> understand modern application firewalls like ISA could do - RPC filter
>>>> anyone??? 
>>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>>> 
>>>> I have just about managed to convince Exchange colleagues (and customers)
>>>> of the value of placing Exchange FE servers in a separate security zone
>>>> from BE servers, DC's etc and now I hear this?
>>>> 
>>>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>>>> achieve with perimeter networks?
>>>> 
>>>> From what I believe, it is good perimeter security practice to place
>>>> servers which are Internet accessible into different security zones than
>>>> servers that are purely internal. Therefore, the idea of placing Exchange
>>>> 2003 FE servers in an ISA auth access perimeter network with Exchange 2003
>>>> BE servers on the internal network has always seemed like a good approach.
>>>> It also follows a good least privilege model.
>>>> 
>>>> Is this another example of the Exchange and ISA teams following different
>>>> paths???? 
>>>> 
>>>> Please tell me that I am wrong and that I am not going to have to start
>>>> putting all Exchange roles, irrespective of security risk, on the same
>>>> network again!!!!
>>>> 
>>>> Comments? 
>>>> 
>>>> Cheers 
>>>> 
>>>> JJ 
>>>> 
>>>>  
>>> All mail to and from this domain is GFI-scanned.
> 

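Thor's design 1 versus design 2 and Tom's "only required traffic" point, as an added example that is not from the thread: a small Python model of the two zone policies and an audit of how much each permits beyond the flows an FE actually needs (the zone names, the port list and the 1-1024 probe range are assumptions).

```python
# Added example (not from the thread): a policy model of Thor's two designs,
# "full stack" between Box1 and Box2 versus "limited protocols only for
# functionality", plus an audit that measures each design's excess privilege.
# The required-flow list is constructed for illustration, not an authoritative
# Exchange FE/CAS port list; FE-to-BE RPC also needs dynamic ports, which is
# where the thread's point about ISA filtering RPC per interface comes in.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # source zone, e.g. "DMZ-FE" (assumed name)
    dst: str    # destination zone, e.g. "Internal" (assumed name)
    proto: str  # "tcp" or "udp"
    port: int   # destination port

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str  # "any" matches every protocol
    port: int   # 0 matches every port

    def matches(self, f: Flow) -> bool:
        return (self.src == f.src and self.dst == f.dst
                and self.proto in ("any", f.proto)
                and self.port in (0, f.port))

def allowed(policy: list[Rule], f: Flow) -> bool:
    """True if any rule permits the flow; anything unmatched is denied."""
    return any(r.matches(f) for r in policy)

def excess(policy: list[Rule], required: set[Flow],
           ports: range = range(1, 1025)) -> set[Flow]:
    """Flows the policy permits beyond the required set, probed over a port range."""
    probe = {Flow("DMZ-FE", "Internal", pr, p) for pr in ("tcp", "udp") for p in ports}
    return {f for f in probe if allowed(policy, f)} - required

# Constructed illustration of what a domain-member FE needs from the inside:
# Kerberos, LDAP, DNS and the RPC endpoint mapper (no file sharing, no "any").
REQUIRED = {
    Flow("DMZ-FE", "Internal", "tcp", 88),   # Kerberos
    Flow("DMZ-FE", "Internal", "udp", 88),   # Kerberos
    Flow("DMZ-FE", "Internal", "tcp", 389),  # LDAP
    Flow("DMZ-FE", "Internal", "udp", 53),   # DNS
    Flow("DMZ-FE", "Internal", "tcp", 135),  # RPC endpoint mapper
}
FULL_STACK = [Rule("DMZ-FE", "Internal", "any", 0)]                 # design 1
LIMITED = [Rule(f.src, f.dst, f.proto, f.port) for f in REQUIRED]   # design 2
```

Both policies satisfy every required flow; the audit shows design 2 permits nothing beyond them, while design 1 exposes every other port on the internal side to the FE.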
