[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 16:26:02 -0800

Because it's safer that way, that's why... That's what an authenticated
access DMZ perimeter is for - with a CAS server that presents logon services
to any Internet user, I would (and, in fact, require) that the server be in
a least-privileged authenticated access perimeter network that limits that
server's communications to the minimum required for required functionality -
and only to the hosts it needs to talk to.

Let's say there is a front-end implementation issue or coding vulnerability:
the CAS on the internal network would allow unfettered, full-stack access to
the internal network.  A CAS in a perimeter DMZ would mitigate potential
exposure in the event of a 0day or configuration issue.

"Safer on the internal network" is a complete misnomer when it comes to
servers presenting services to an untrusted network.

t


On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> Why would you want to place a member of your internal domain in your DMZ, fer
> chrissakes?!?
> Hosting any domain member in the DMZ is a difficult proposition; especially
> where NAT is the order of the day.
> You can either use a network shotgun at your firewall or attempt to use your
> favorite VPN tunnel across the firewall to the domain.
>  
> Jim
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Wed 1/10/2007 2:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> From what I can gather, the new CAS role now uses RPC to communicate with the
> back-end (not sure of new name!) servers so I am guessing that this is an "RPC
> isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty
> true statement.
>  
> Just think how much safer the world will be when firewalls can understand
> dynamic protocols like RPC...maybe one day firewalls will even be able to
> understand and filter based upon RPC interface...maybe one day... :-D ;-)
>  
> Shame the Exchange team can't see how much ISA changes the traditional
> approach to DMZ thinking...kinda makes you think that both teams work for a
> different company :-(
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>
> 
>  
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 10 January 2007 22:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> I seriously hope that they have taken different paths and these are not
> limitations on the software or it is going to mean a nice little redesign and
> break from custom..
>  
> Greg
>> ----- Original Message -----
>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>> To: isapros@xxxxxxxxxxxxx
>> Sent: Thursday, January 11, 2007 8:25 AM
>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>> 
>> 
>> Hi All, 
>> 
>> I heard today from an Exchange MVP colleague that members of the Exchange
>> team (Scott Schnoll) are saying that they (Microsoft) do not support placing
>> the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role)
>> role into a perimeter network. Has anyone else heard the same? This sounds
>> very similar to Exchange admins of old when they didn't really understand
>> modern application firewalls like ISA could do - RPC filter anyone???
>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thre
>> ad/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en
>> #4db165c21599cf9b
>> 
>> I have just about managed to convince Exchange colleagues (and customers) of
>> the value of placing Exchange FE servers in a separate security zone from BE
>> servers, DC's etc and now I hear this?
>> 
>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>> achieve with perimeter networks?
>> 
>> From what I believe, it is good perimeter security practice to place servers
>> which are Internet accessible into different security zones than servers that
>> are purely internal. Therefore, the idea of placing Exchange 2003 FE servers
>> in an ISA auth access perimeter network with Exchange 2003 BE servers on the
>> internal network has always seemed like a good approach. It also follows a
>> good least privilege model.
>> 
>> Is this another example of the Exchange and ISA teams following different
>> paths???? 
>> 
>> Please tell me that I am wrong and that I am not going to have to start
>> putting all Exchange roles, irrespective of security risk, on the same
>> network again!!!!
>> 
>> Comments? 
>> 
>> Cheers 
>> 
>> JJ 
>> 
> 