Not sure where I lost you on that, Jim... That design does NOT use separate domains... They are part of the SAME DOMAIN. It's exactly as Tom said... You can't have an FE server in a separate domain anyway unless you then have a trust relationship, which is then "the same thing" operationally.

This is really easy, and I'm not sure how anyone can argue against this point:

1: Box1 <-> FULL STACK <-> Box2
2: Box1 <-> Limited Protocols only for Functionality <-> Box2

2 will *always* be more secure than 1. Always!! And we are not talking "hard to implement" here. Even if there is no DMZ, you could still stick 1 more NIC in the border ISA box and hang your FE off of that, and you'll still be better off than simply publishing an internal server...

WTF am I missing here? Have you all started doing crack or something?

t

On 1/10/07 8:16 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> We're missing each other.
> I wholeheartedly agree with Tim's design; it uses completely separate domains in the LAN and DMZ; there is no relationship between them.
> I also agree with restricting access to the Inet-facing hosts, but this doesn't have to mean physical relocation to a separate network to accomplish the task. IPSec, baby; it works.
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, January 10, 2007 8:06 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> Because it's more secure. Heck, that's what Tim's entire class was about -- least priv. Why put two hosts that belong to two different security zones in the same security zone? Just because two hosts are members of the same domain isn't the end all and be all -- sure, it's a security factor, but there are other, more important factors to take into account. That's why the Exchange FE, or Exchange CAS, should be placed in an authenticated access DMZ, so that only required traffic is allowed to move between the CAS and other network devices.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:55 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Nope; and the whole concept of "separate domain" vs. "remote member of the same domain" is my point.
>> I agree that the Exch design choice harkens back to the bad ol' days of "ports bad".
>> I also agree that their design docs suck poo-poo; they *still* push the "ISA shouldn't be a domain member" noise, no matter how hard I try to fight it.
>> The point is: why extend your domain across security boundaries if you don't have to?
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: Wednesday, January 10, 2007 7:47 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> There are plenty of reasons to do it. First, there is the current example.
>>
>> Second is an internal network services segment where the DCs, BE Exchange, SQL etc. exist, and the untrusted corpnet clients, which are members of the same domain, are on another segment, separated by the ISA Firewall.
>>
>> Did you forget about least privilege?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Wednesday, January 10, 2007 7:13 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Don't care; doesn't matter, misquoted.
>>> "Desirable" meaning "everyone wants to do it".
>>>
>>> Publishing RPC (MAPI) traffic is completely different from splitting your domain membership across the firewall.
>>> There is *no* good reason to do this.
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>>> Sent: Wednesday, January 10, 2007 4:30 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Think you guys have completely misunderstood me, or I am amazed at your responses.
>>>
>>> We are not talking about ANY firewall here, we are talking about ISA... one of the key advantages of ISA is that you can create perimeter networks even for domain members, as ISA can perform RPC and other app filtering. Hence you can move domain members that represent more of a security risk away from other domain member servers.
>>>
>>> Based upon your answers, you must all be in disagreement then with the models proposed by Tom for Exchange and network services protection????
>>> http://www.isaserver.org/articles/2004multidmzp1.html
>>> http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html
>>>
>>> If so, I am very surprised.
>>>
>>> I posted here in August with a least privilege model for Exchange security which placed Exchange FE's, BE's and DC's into ISA perimeter networks and got good feedback - what the hell is going on????
>>>
>>> Jim's quote: "Ah, yes. While this is a desirable design, it's also a very difficult one."
>>> Steve's quote: "Hat's off to you for being committed to deploying security-in-depth with least-privilege and not acquiescing to the "whatever works" mentality. I know it's a hard thing to deploy and support. While I have a similar topology, I only separate the clients from the servers with an infrastructure ISA box - not the BE's from the DC's; they're on the same "protected" network."
>>>
>>> Totally confused guys :-(
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>>> Sent: 10 January 2007 23:08
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> That's what I said??..
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Wednesday, January 10, 2007 7:04 PM
>>> To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Why would you want to place a member of your internal domain in your DMZ, fer chrissakes?!?
>>>
>>> Hosting any domain member in the DMZ is a difficult proposition, especially where NAT is the order of the day.
>>>
>>> You can either use a network shotgun at your firewall or attempt to use your favorite VPN tunnel across the firewall to the domain.
>>>
>>> Jim
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>>> Sent: Wed 1/10/2007 2:35 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> From what I can gather, the new CAS role now uses RPC to communicate with the back-end (not sure of new name!) servers, so I am guessing that this is an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX is a pretty true statement.
>>>
>>> Just think how much safer the world will be when firewalls can understand dynamic protocols like RPC... maybe one day firewalls will even be able to understand and filter based upon RPC interface... maybe one day... :-D ;-)
>>>
>>> Shame the Exchange team can't see how much ISA changes the traditional approach to DMZ thinking... kinda makes you think that both teams work for a different company :-(
>>>
>>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx
>>>
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
>>> Sent: 10 January 2007 22:07
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>>
>>> I seriously hope that they have taken different paths and these are not limitations on the software, or it is going to mean a nice little redesign and break from custom..
>>>
>>> Greg
>>>
>>>> ----- Original Message -----
>>>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Sent: Thursday, January 11, 2007 8:25 AM
>>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>>>
>>>> Hi All,
>>>>
>>>> I heard today from an Exchange MVP colleague that members of the Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support placing the new Exchange 2007 Client Access Server role (like the old Exch2k3 FE role) into a perimeter network. Has anyone else heard the same? This sounds very similar to Exchange admins of old when they didn't really understand what modern application firewalls like ISA could do - RPC filter anyone???
>>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>>>
>>>> I have just about managed to convince Exchange colleagues (and customers) of the value of placing Exchange FE servers in a separate security zone from BE servers, DC's etc., and now I hear this?
>>>>
>>>> Are the Exchange team confusing the old traditional DMZ's with what ISA can achieve with perimeter networks?
>>>>
>>>> From what I believe, it is good perimeter security practice to place servers which are Internet accessible into different security zones than servers that are purely internal. Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth access perimeter network with Exchange 2003 BE servers on the internal network has always seemed like a good approach. It also follows a good least privilege model.
>>>>
>>>> Is this another example of the Exchange and ISA teams following different paths????
>>>>
>>>> Please tell me that I am wrong and that I am not going to have to start putting all Exchange roles, irrespective of security risk, on the same network again!!!!
>>>>
>>>> Comments?
>>>>
>>>> Cheers
>>>>
>>>> JJ
>>>
>>> All mail to and from this domain is GFI-scanned.