[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
Date: Wed, 10 Jan 2007 21:06:36 -0800
None inferred.

And I still stand by my ³Scenario 2 is always more secure² statements ;)

t


On 1/10/07 8:59 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> Didn¹t expect you to know, honestly.
> No offense taken, hopefully none inferred?
>  
> I still stand by my MAPI vs. RPC/HTTP statements, though.
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 8:43 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> Crap.  I totally forgot about your issues up there today.  I¹m sorry I was
> such a prick.  Didn¹t mean to be - hard day myself.  We¹ll pick it up in the
> morning.
> t
> 
> 
> On 1/10/07 8:30 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> ..maybe I¹m just tired?
> I spent two hours trying to get home tonight and I¹m clearly not in my mind
> (right or otherwise).
> Forget I wrote and we¹ll start over tomorrow?
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 8:18 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> That¹s exactly what I¹m talking about.  And precisely the configuration I
> deploy:
> 
> My FE is in the authenticated segment of the DMZ  and a member of my internal
> domain; however, the ³recommended protocols² the Exchange group recommends are
> not necessary- and thus, Steve¹s contention that ³CIFS and all that other
> stuff... Might as well just be internal² I reject.  I only allow Kerberos-Sec,
> LDAP, LDAP GC, Ping and DNS only from my FE to the internal DC¹s.  And only
> HTTP to the BE¹s.
> 
> Even if the other prots WERE required, it would still be far smarter to deploy
> the FE in the authenticated DMZ with limited access than to just give full
> stack access to the ENTIRE internal network.   This is a deployment of a
> services made available (initially) to a global, anonymous, untrusted network.
> 
> Maybe I¹m not properly articulating my point, but I have to say I¹m really
> surprised that we are having this conversation...
> 
> t
> 
> 
> On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> C¹mon, Tim; I know what your deployment recommendations are; this isn¹t it.
> He wants to extend his domain via ³remote membership²; not create a separate
> domain.
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 4:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> Because it¹s safer that way, that¹s why... That¹s what an authenticated access
> DMZ perimeter is for? with a CAS server that presents logon services to any
> Internet user, I would (and, in fact, require) that the server be in a
> least-privileged authenticated access perimeter network that limits that
> servers communications to the minimum required for required functionality 
> and only to the hosts it needs to talk to.
> 
> Let¹s say there is a front-end implementation issue or coding vulnerability:
> the CAS on the internal network would allow unfettered, full-stack access to
> the internal network.  A CAS in a perimeter DMZ would mitigate potential
> exposure in the event of a 0day or configuration issue.
> 
> ³Safer on the internal network² is a complete misnomer when it comes to
> servers presenting services to an untrusted network.
> 
> t
> 
> 
> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> Why would you want to place a member of your internal domain in your DMZ, fer
> chrissakes?!?
> Hosting any domain member in the DMZ is a difficult proposition; especially
> where NAT is the order of the day.
> You can either use a network shotgun at your firewall or attempt to use your
> facvorite VPN tunnel across the firewall to the domain.
> 
> Jim 
> 
> 
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Wed 1/10/2007 2:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> From what I can gather, the new CAS role now uses RPC to communicate with the
> back-end (not sure of new name!) servers so I am guessing that this is an "RPC
> isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty
> true statement.
> 
> Just think how much safer the world will be when firewalls can understand
> dynamic protocols like RPC...maybe one day firewalls will even be able to
> understand and filter based upon RPC interface...maybe one day... :-D ;-)
> 
> Shame the Exchange team can't see how much ISA changes the traditional
> approach to DMZ thinking...kinda makes you think that both teams work for a
> different company :-(
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
> 
>   
> 
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 10 January 2007 22:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> I seriously hope that they have take different paths and these are not
> limitations on the software or it is going to mean a nice little redesign and
> break from custom..
> 
> Greg
> ----- Original Message -----
> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Thursday, January 11, 2007 8:25 AM
> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
> 
> 
> Hi All, 
> 
> I heard today from an Exchange MVP colleague that members of the Exchange team
> (Scott Schnoll) are saying that they (Microsoft) do not support placing the
> new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role
> into a perimeter network. Has anyone else heard the same? This sounds very
> similar to Exchange admins of old when they didn't really understand modern
> application firewalls like ISA could do - RPC filter anyone???
> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_threa
> d/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4
> db165c21599cf9b 
> <http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thre
> ad/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=
> 2&amp;hl=en#4db165c21599cf9b>
> <http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thre
> ad/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=
> 2&amp;hl=en#4db165c21599cf9b>
> <http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thre
> ad/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=
> 2&amp;hl=en#4db165c21599cf9b>
> <http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thre
> ad/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=
> 2&amp;hl=en#4db165c21599cf9b>
> 
> I have just about managed to convince Exchange colleagues (and customers) of
> the value of placing Exchange FE servers in a separate security zone from BE
> servers, DC's etc and now I here this?
> 
> Are the Exchange team confusing the old traditional DMZ's with what ISA can
> achieve with perimeter networks?
> 
> From what I believe, it is good perimeter security practice to place servers
> which are Internet accessible into different security zones than servers that
> are purely internal. Therefore, the idea of placing Exchange 2003 FE servers
> in an ISA auth access perimeter network with Exchange 2003 BE servers on the
> internal network has always seemed like a good approach. It also follows a
> good least privilege model.
> 
> Is this another example of the Exchange and ISA teams following different
> paths???? 
> 
> Please tell me that I am wrong and that I am not going to have to start
> putting all Exchange roles, irrespective of security risk, on the same network
> again!!!!
> 
> Comments? 
> 
> Cheers 
> 
> JJ 
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> 
>  
> 
>   
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
>  
> 
>   
> 
> All mail to and from this domain is GFI-scanned.
> 
>  
> 
>  
> All mail to and from this domain is GFI-scanned.
>
Follow-Ups:
- [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
  - From: Greg Mulholland
[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Other related posts:
