[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 21:40:40 -0800

Not all bad; I celebrated 4 years on the ISA SE team today...

..yes, Tom; it's really been that long.

That doesn't count the two years I spent supporting ISA 2000 out of the kindness of my heart (or the emptiness of my brains; not sure which).

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: Wednesday, January 10, 2007 9:14 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

Now that is a bad day :) don't ya hate that when ya leave stuff at work..

        ----- Original Message ----- 

        From: Jim Harrison <mailto:Jim@xxxxxxxxxxxx>  

        To: isapros@xxxxxxxxxxxxx 

        Sent: Thursday, January 11, 2007 4:09 PM

        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        I hear ya - I'm supposed to oversee our lab move tomorrow, but I don't see that happening.

        To top it off, I left work in such a hurry that I left the PS for *my* laptop on my desk and my work laptop is beside it in the dock.

        ..and I just finished rebuilding *my* laptop with Vista Ultimate & all the toys I wanted.

        Now I can't even use it for more than an hour (it's a beast).

        <sigh>

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
        Sent: Wednesday, January 10, 2007 9:00 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        lol I'll keep an eye out for you tonight on the news.. :)

                ----- Original Message ----- 

                From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>  

                To: isapros@xxxxxxxxxxxxx 

                Sent: Thursday, January 11, 2007 3:55 PM

                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                 

                I know what you're saying. Been fighting the CES crowd here in Vegas all week and feel like it's close to Texas Chain Saw Massacre time.

                 

                Thomas W Shinder, M.D.
                Site: www.isaserver.org
                Blog: http://blogs.isaserver.org/shinder
                Book: http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls

                 

                         

________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                        Sent: Wednesday, January 10, 2007 8:43 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks

                        Crap.  I totally forgot about your issues up there today.  I'm sorry I was such a prick.  Didn't mean to be - hard day myself.  We'll pick it up in the morning.
                        t
                        
                        
                        On 1/10/07 8:30 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

                        ..maybe I'm just tired...
                        I spent two hours trying to get home tonight and I'm clearly not in my mind (right or otherwise).
                        Forget I wrote and we'll start over tomorrow...
                         
                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                        Sent: Wednesday, January 10, 2007 8:18 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks
                         
                        That's exactly what I'm talking about.  And precisely the configuration I deploy:

                        My FE is in the authenticated segment of the DMZ - and a member of my internal domain; however, the "recommended protocols" the Exchange group recommends are not necessary - and thus, Steve's contention that "CIFS and all that other stuff... Might as well just be internal" I reject.  I only allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS from my FE to the internal DC's.  And only HTTP to the BE's.

                        Even if the other prots WERE required, it would still be far smarter to deploy the FE in the authenticated DMZ with limited access than to just give full stack access to the ENTIRE internal network.   This is a deployment of services made available (initially) to a global, anonymous, untrusted network.

                        Maybe I'm not properly articulating my point, but I have to say I'm really surprised that we are having this conversation...

                        t
                        
                        
                        On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
                        C'mon, Tim; I know what your deployment recommendations are; this isn't it.
                        He wants to extend his domain via "remote membership"; not create a separate domain.
                         
                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                        Sent: Wednesday, January 10, 2007 4:26 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks
                         
                        Because it's safer that way, that's why... That's what an authenticated access DMZ perimeter is for - with a CAS server that presents logon services to any Internet user, I would (and, in fact, do) require that the server be in a least-privileged authenticated access perimeter network that limits that server's communications to the minimum required for required functionality - and only to the hosts it needs to talk to.

                        Let's say there is a front-end implementation issue or coding vulnerability: the CAS on the internal network would allow unfettered, full-stack access to the internal network.  A CAS in a perimeter DMZ would mitigate potential exposure in the event of a 0day or configuration issue.

                        "Safer on the internal network" is a complete misnomer when it comes to servers presenting services to an untrusted network.

                        t
                        
                        
                        On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
                        Why would you want to place a member of your internal domain in your DMZ, fer chrissakes?!?
                        Hosting any domain member in the DMZ is a difficult proposition; especially where NAT is the order of the day.
                        You can either use a network shotgun at your firewall or attempt to use your favorite VPN tunnel across the firewall to the domain.

                        Jim

                        
________________________________


                        
                        
                        From: isapros-bounce@xxxxxxxxxxxxx on behalf of
Jason Jones
                        Sent: Wed 1/10/2007 2:35 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks
                        
                        From what I can gather, the new CAS role now uses RPC to communicate with the back-end (not sure of new name!) servers so I am guessing that this is an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty true statement.

                        Just think how much safer the world will be when firewalls can understand dynamic protocols like RPC...maybe one day firewalls will even be able to understand and filter based upon RPC interface...maybe one day... :-D ;-)

                        Shame the Exchange team can't see how much ISA changes the traditional approach to DMZ thinking...kinda makes you think that both teams work for a different company :-(
                        Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx
                        
                          

                        
________________________________


                        
                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
                        Sent: 10 January 2007 22:07
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks
                        
                        I seriously hope that they have taken different paths and these are not limitations on the software or it is going to mean a nice little redesign and break from custom..

                        Greg
                        ----- Original Message ----- 
                        From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
                        To: isapros@xxxxxxxxxxxxx 
                        Sent: Thursday, January 11, 2007 8:25 AM
                        Subject: [isapros] ISA, Exchange 2007 and
Perimeter Networks
                        
                        
                        Hi All,

                        I heard today from an Exchange MVP colleague that members of the Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role into a perimeter network. Has anyone else heard the same? This sounds very similar to Exchange admins of old when they didn't really understand what modern application firewalls like ISA could do - RPC filter anyone???
                        http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

                        I have just about managed to convince Exchange colleagues (and customers) of the value of placing Exchange FE servers in a separate security zone from BE servers, DC's etc and now I hear this...

                        Are the Exchange team confusing the old traditional DMZ's with what ISA can achieve with perimeter networks?

                        From what I believe, it is good perimeter security practice to place servers which are Internet accessible into different security zones than servers that are purely internal. Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth access perimeter network with Exchange 2003 BE servers on the internal network has always seemed like a good approach. It also follows a good least privilege model.

                        Is this another example of the Exchange and ISA teams following different paths????

                        Please tell me that I am wrong and that I am not going to have to start putting all Exchange roles, irrespective of security risk, on the same network again!!!!

                        Comments?

                        Cheers

                        JJ

                        All mail to and from this domain is GFI-scanned.


                        
                        
                         
                        
                          

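Thor's per-protocol allowlist from the FE to the DC's and BE's, and the "full stack access to the ENTIRE internal network" alternative he rejects, as an added example that is not from any poster in this thread. The zone names, the rule table and the default-deny evaluator are constructed here; the port numbers are the standard ones for the services named.

```python
"""Least-privilege flow check for an Exchange front-end (FE/CAS) placed in an
authenticated-access perimeter, as argued in the thread. Zone names, the rule
table and the evaluator are constructed for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # source zone ("fe", "dc", "be", ...)
    dst: str    # destination zone
    proto: str  # "tcp", "udp" or "icmp"
    port: int   # 0 for icmp

# Well-known ports for the services named in the thread (standard values).
SERVICES = {
    "kerberos": {("tcp", 88), ("udp", 88)},
    "ldap":     {("tcp", 389)},
    "ldap-gc":  {("tcp", 3268)},
    "dns":      {("tcp", 53), ("udp", 53)},
    "ping":     {("icmp", 0)},
    "http":     {("tcp", 80)},
    "cifs":     {("tcp", 445)},
}

# Perimeter policy: FE -> DCs get auth/directory services only, FE -> BEs get HTTP only.
PERIMETER_POLICY = {
    ("fe", "dc"): {"kerberos", "ldap", "ldap-gc", "dns", "ping"},
    ("fe", "be"): {"http"},
}

# The rejected alternative: the FE sits on the internal network with full-stack reach.
INTERNAL_FULL_STACK = {
    ("fe", "dc"): set(SERVICES),
    ("fe", "be"): set(SERVICES),
}

def allowed(flow: Flow, policy: dict) -> bool:
    """Default-deny: pass only if a rule names the src->dst pair and the exact service."""
    return any((flow.proto, flow.port) in SERVICES[svc]
               for svc in policy.get((flow.src, flow.dst), ()))

def reachable(src: str, policy: dict) -> set:
    """Every (zone, service) a host in `src` can touch: its blast radius if compromised."""
    return {(dst, svc) for (s, dst), svcs in policy.items() if s == src for svc in svcs}

if __name__ == "__main__":
    probe = Flow("fe", "dc", "tcp", 445)  # CIFS from the FE to a DC
    print("CIFS FE->DC under perimeter policy:", allowed(probe, PERIMETER_POLICY))
    print("CIFS FE->DC on the internal network:", allowed(probe, INTERNAL_FULL_STACK))
    print("Perimeter blast radius:", sorted(reachable("fe", PERIMETER_POLICY)))
```

Comparing `reachable("fe", ...)` under the two policies makes the point of the thread concrete: a compromised FE in the perimeter reaches six services on two zones, while the same FE on the internal network reaches everything.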