[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 12 Jan 2007 00:15:57 -0000

Hi Amy,
 
I am not really sure of their reasoning, but think it is based around
the "Swiss cheese", don't pass intradomain traffic across a normal
firewall argument.
 
Sorry, my bad for using the term DMZ, the exact phrase used by Scholl is
"It's true. The Client Access Server (CAS), which among other things
includes the OWA feature, is not supported in a perimeter network (aka a
DMZ).  Instead you'll deploy one or more CASs inside your organization
and put a robust firewall such as ISA 2006 in front of it." I am
guessing from experience of other Exchange team recommendations that
when they say perimeter network they really mean a traditional DMZ which
is created using traditional packet filter firewalls. The recommended
deployment is to put the CAS on the internal network e.g. on the same
network as the Exchange back-end servers. Once the CAS is on the
internal network, it should then be published to the Internet using ISA.
 
This design is fine if you want a simple open network where all servers
exist in the same security zone and hence all trust each other, but many
people are now trying to better this design by placing different types
of servers into different security zones based upon their risk level and
internet presence - say hello to the ISA auth access perimeter network!
;-) 
 
Basically I think it all harks back to the "don't put domain members in
a DMZ" mantra which is a pretty fair statement when using PF firewalls
like PIX, but things have moved on as least privilege authenticated
access perimeter networks with ISA are now getting advanced enough to
challenge this argument. Maybe the difference between a PIX firewall and
ISA firewall is just too subtle for some people???
 
Think we have now done this to death!! - be very surprised if the
Exchange team go back on these types of statements though. I remember Tom
banging his head against a brick wall with Henrik based upon one of his
MSExchange.org articles which said "not in the DMZ" type statements.
 
JJ

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: 11 January 2007 23:15
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



Jason,

 

What's the reasoning behind CAS not in the DMZ? Where do they want it?
Hanging nude off the router? Behind a firewall?

 

If the latter, then just drop the outdated DMZ language. Most firewall
admins think that DMZ means nude off the other port on my NAT box. Your
least priv design puts CAS safely behind a firewall.

 

Amy Babinchak

Harbor Computer Services

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Thursday, January 11, 2007 5:58 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

Thanks Amy - maybe I am being a little oversensitive, just didn't expect
some of the initial responses.

 

I tend to avoid most of the main mailing lists, probably for similar
reasons as others, and I tend to hang out at isaserver.org 95% of the
time. Hence maybe why only Tom (and Stefan) tend to see my input and
views on stuff.

 

Tom invited me to this list as he felt it would be a good place for me
to pose all the questions that he can't answer or go unreplied on
isaserver.org

 

I really do value the combined "ISA brain power" here, but just think it
could be a little more forgiving and friendly at times...having said
that I have found answers here that I just couldn't get elsewhere, so
don't misunderstand me as ungrateful.

 

Anyhow back to the "core issue", from what I am hearing from Exchange MVP
contacts, MS are playing the "CAS in a DMZ is totally unsupported" tune
very strongly. This is a real shame as it looks like I will never be
able to deploy the existing least privilege design with Exchange 2007
without fear of customers coming back to us after trying to log PSS
calls or getting other non-ISA firewall guys in who slate the
design...oh well, at least ISA will still be involved to some degree, just
not as cool as it could be...

 

JJ  

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: 11 January 2007 15:09
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Jason don't get discouraged. The changes in Exchange are monumental so
there are bound to be disagreements and changes of opinion on how to
best secure it. The concept of an authenticated access DMZ in a separate
security zone allowing only a very minimal set of protocols is a
completely foreign concept to 99% of firewall admins out there. The
fact that you are even thinking about this stuff puts you in an elite class.
The rest are still poking holes and setting up VLANs. 

 

Tom, Thor and Jim can be a bit clubby and a little overly poky to
newcomers. It's a twitch they developed after participating on the ISA
server mailing list. It got worse when they decided to join a general
purpose SBS list. I'm not sure that they'll ever completely recover.  

 

Amy 

 

 

 

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Thursday, January 11, 2007 5:47 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

Wish I had never asked now...sometimes, some of you guys really don't
make it easy for new people to try to express their views and pose
questions for comment without being slapped down. One minute I am being
labelled as an "idiot" for my comments/views, the next minute someone
else who says the same thing as me is now right and not challenged. What
gives?  

 

I know many of you guys don't know me from Adam, but kinda unfair to
just assume I know jack about ISA and secure network design just because
I'm not "part of the club".

 

Anyhow, thanks to Tim and Tom for seeming to share my disappointment
with the decision made by the Exchange 2007 team...I think I need to try
and find out how "official" their lack of support with 2k7 is going to
be before I can continue recommending the least privilege model I have
been using for Exchange 2003.

 

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 11 January 2007 04:30
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

..maybe I'm just tired...

I spent two hours trying to get home tonight and I'm clearly not in my
mind (right or otherwise).

Forget I wrote and we'll start over tomorrow...

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, January 10, 2007 8:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

That's exactly what I'm talking about.  And precisely the configuration
I deploy:

My FE is in the authenticated segment of the DMZ - and a member of my
internal domain; however, the "recommended protocols" the Exchange group
recommends are not necessary - and thus, Steve's contention that "CIFS
and all that other stuff... Might as well just be internal" I reject.  I
only allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS from my FE to
the internal DC's.  And only HTTP to the BE's.  

Even if the other prots WERE required, it would still be far smarter to
deploy the FE in the authenticated DMZ with limited access than to just
give full stack access to the ENTIRE internal network.   This is a
deployment of services made available (initially) to a global,
anonymous, untrusted network. 

Maybe I'm not properly articulating my point, but I have to say I'm
really surprised that we are having this conversation...

t


On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

C'mon, Tim; I know what your deployment recommendations are; this isn't
it.
He wants to extend his domain via "remote membership"; not create a
separate domain.
 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, January 10, 2007 4:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
 
Because it's safer that way, that's why... That's what an authenticated
access DMZ perimeter is for - with a CAS server that presents logon
services to any Internet user, I would (and, in fact, do) require that the
server be in a least-privileged authenticated access perimeter network
that limits that server's communications to the minimum required for
required functionality - and only to the hosts it needs to talk to.

Let's say there is a front-end implementation issue or coding
vulnerability: the CAS on the internal network would allow unfettered,
full-stack access to the internal network.  A CAS in a perimeter DMZ
would mitigate potential exposure in the event of a 0day or
configuration issue. 

"Safer on the internal network" is a complete misnomer when it comes to
servers presenting services to an untrusted network. 

t


On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
Why would you want to place a member of your internal domain in your
DMZ, fer chrissakes?!?
Hosting any domain member in the DMZ is a difficult proposition;
especially where NAT is the order of the day.
You can either use a network shotgun at your firewall or attempt to use
your favorite VPN tunnel across the firewall to the domain.

Jim 

________________________________


From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
Sent: Wed 1/10/2007 2:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

From what I can gather, the new CAS role now uses RPC to communicate
with the back-end (not sure of new name!) servers so I am guessing that
this is an "RPC isn't safe across firewalls" type stance. Which I guess
for a PIX, is a pretty true statement.

Just think how much safer the world will be when firewalls can
understand dynamic protocols like RPC...maybe one day firewalls will
even be able to understand and filter based upon RPC interface...maybe
one day... :-D ;-)

Shame the Exchange team can't see how much ISA changes the traditional
approach to DMZ thinking...kinda makes you think that both teams work
for a different company :-(
Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile:
+44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx

  

________________________________


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: 10 January 2007 22:07
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I seriously hope that they have taken different paths and these are not
limitations on the software or it is going to mean a nice little
redesign and break from custom..

Greg
----- Original Message ----- 
From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
To: isapros@xxxxxxxxxxxxx 
Sent: Thursday, January 11, 2007 8:25 AM
Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


Hi All, 

I heard today from an Exchange MVP colleague that members of the
Exchange team (Scott Schnoll) are saying that they (Microsoft) do not
support placing the new Exchange 2007 Client Access Server role (like the
old Exch2k3 FE role) into a perimeter network. Has anyone else heard
the same? This sounds very similar to Exchange admins of old when they
didn't really understand what modern application firewalls like ISA could
do - RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

I have just about managed to convince Exchange colleagues (and
customers) of the value of placing Exchange FE servers in a separate
security zone from BE servers, DC's etc and now I hear this...

Are the Exchange team confusing the old traditional DMZ's with what ISA
can achieve with perimeter networks? 

From what I believe, it is good perimeter security practice to place
servers which are Internet accessible into different security zones than
servers that are purely internal. Therefore, the idea of placing
Exchange 2003 FE servers in an ISA auth access perimeter network with
Exchange 2003 BE servers on the internal network has always seemed like
a good approach. It also follows a good least privilege model. 

Is this another example of the Exchange and ISA teams following
different paths???? 

Please tell me that I am wrong and that I am not going to have to start
putting all Exchange roles, irrespective of security risk, on the same
network again!!!!

Comments? 

Cheers 

JJ 

All mail to and from this domain is GFI-scanned. 