I've separated out "authentication traffic" rules from my "services" rules. I define "limited intradomain traffic" as the required AD authentication/domain membership (GPO, LDAP, site assignment, etc.) traffic between the FE and the DCs. The other traffic, like POP, IMAP, etc., is for what "services" I choose to support for external users, but yes, you can apply whatever rules you want to. I don't support external POP or IMAP access, so those protocols are not even defined in my ruleset.

"Least privilege" rules (for me) are broken down into "full-time required protocols" and "temporary access on-demand" protocols. For the most part, this applies to "dangerous" protocols such as CIFS and RPC when used for authentication, and they are applied from the FE to the DCs. Other "access" services like HTTP, POP, IMAP are enabled as needed, and only from the FE to the BE(s).

Regarding Direct Push, I thought you could accomplish that via SMTP out directly to the mobile provider. That's how I did it way back when, anyway. But you are totally correct: labbing this stuff is the way to go. First I look at the "full access" traffic and then see how much I can carve it down to a minimum set of rules required on a service-by-service, host-by-host basis.

t

On 1/12/07 9:40 AM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all:

> Tim,
>
> Does this "limited intradomain traffic" approach work for other FE services like RPC/HTTP, POP, IMAP etc. or is it an OWA-only thing?
>
> I am guessing that RPC/HTTP should be ok as it uses the 6001, 6002 and 6004 ports, but just wondered if the RPC proxy threw a spanner in the works without CIFS or RPC???
>
> Are you guys also aware that in addition to FE=>BE & DC rules you also need to create BE=>FE rules to allow for Direct Push? Guess this is still needed for the CAS roles???
>
> Definitely time for a lab exercise!
>
> JJ
>
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 12 January 2007 17:22
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>
> I can't yet comment on what protocols will be necessary for CAS to perform particular functions as I have not yet analyzed the required traffic, but even with Ex2k3, "full time" intradomain protocol support is totally unnecessary for the FE to act as the OWA front end once it has been properly initiated into the Exchange organization. I mentioned this in a past post, but as part of my "least privileged" configuration, CIFS and RPC (all interfaces) are disabled, and only Kerberos-UDP, LDAP, LDAP GC, Ping and DNS are enabled from the FE to my DCs object, and only HTTP from the FE to the BE. This works perfectly. But, if I need to log on to the FE perimeter box or use System Manager from that box, then I enable the CIFS/RPC rule to the DCs, get 'er done, and disable again. This is completely different than the "official" Exchange documentation, but it is about as secure as you could hope for in such an easily maintained configuration. This is because I think the Exchange group is not necessarily explicitly aware of the authentication negotiation process, and just assumes that CIFS is required for authentication; but, if the client can't establish a standard SMB channel, it will fall back to Kerberos UDP. Given what one can do with an established authenticated CIFS connection, I choose to disable it for security reasons.
>
> My guess (again, I'm not sure) is that different operations will require different protocol support.
> For standard OWA access, I'm sure we can get away with similar limited protocols. If you want to be able to map drives via the OWA interface (which CAS will let you do) you'll most probably need to allow CIFS to the host (but ONLY to that host). Even so, it's a far better configuration considering the "universal access" to the FE.
>
> When I deploy this, I'll know better. And even if PSS gives me crap about it not being supported, I just won't tell them. I'll put the CAS "behind ISA" like they say and keep my perimeter DMZ configuration to myself.
>
> t
>
> On 1/12/07 3:56 AM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all:
>
>> From what I have read, the CAS is similar to the FE but with the addition of some new features - I would *imagine* it would use very similar protocols, and if anything hopefully it will use fewer protocols for more efficient communications. I am sure it will still need the core intradomain protocols as it will be a domain member, but I think they have moved away from the FE>BE HTTP, POP3, IMAP model.
>>
>> Need to lab it really to get a good idea.
>>
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> Sent: 12 January 2007 04:23
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> WORD!
>>
>> I'll gladly join you in that public nut-kicking when the time comes. What I want to understand first is what the protocol requirements for the CAS to the back-end components are, and what their rationale is for making the statements that have been reported so far. They might have a good point, and if they have it, I want to hear it.
>> But if the point is "it's too hard" or "I don't understand network security, I just say what my boss tells me to say" or "I'm on the take with Syphco" then those aren't valid and body parts will deserve some shaking up in the public square. The least they can do is state "we don't have the time or inclination to show you how to provide the highest level of network security, but it is possible to do it right, we're just not going to show you how to do it" as a disclaimer. With that, we can then go ahead and help those who want to be helped :-)
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Thursday, January 11, 2007 6:40 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> It may be just this type of "beating it to death" that is required to get the Exchange group's attention. I don't really care if they don't support "perimeter network" deployments as long as ISA is an exception. I have every intention to ensure that an ISA authenticated perimeter network DMZ segment "in front" of the CAS server is fully supported if the proper protocols are allowed. I will make sure to press them into officially stating why it is not supported. Even so, if they try that, I will publicly kick them in the nuts.
>>
>> t
>>
>> On 1/11/07 4:15 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all:
>>
>> Hi Amy,
>>
>> I am not really sure of their reasoning, but think it is based around the "Swiss cheese", don't pass intradomain traffic across a normal firewall argument.
>>
>> Sorry, my bad for using the term DMZ, the exact phrase used by Schnoll is "It's true. The Client Access Server (CAS), which among other things includes the OWA feature, is not supported in a perimeter network (aka a DMZ).
>> Instead you'll deploy one or more CASs inside your organization and put a robust firewall such as ISA 2006 in front of it." I am guessing from experience of other Exchange team recommendations that when they say perimeter network they really mean a traditional DMZ which is created using traditional packet filter firewalls. The recommended deployment is to put the CAS on the internal network, e.g. on the same network as the Exchange back-end servers. Once the CAS is on the internal network, it should then be published to the Internet using ISA.
>>
>> This design is fine if you want a simple open network where all servers exist in the same security zone and hence all trust each other, but many people are now trying to better this design by placing different types of servers into different security zones based upon their risk level and Internet presence - say hello to the ISA auth access perimeter network! ;-)
>>
>> Basically I think it all harks back to the "don't put domain members in a DMZ" mantra, which is a pretty fair statement when using PF firewalls like PIX, but things have moved on as least privilege authenticated access perimeter networks with ISA are now getting advanced enough to challenge this argument. Maybe the difference between a PIX firewall and an ISA firewall is just too subtle for some people???
>>
>> Think we have done this to death now!! - be very surprised if the Exchange team go back on these types of statements though. I remember Tom banging his head against a brick wall with Henrik based upon one of his MSExchange.org articles which said "not in the DMZ" type statements.
>>
>> JJ
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>> Sent: 11 January 2007 23:15
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Jason,
>>
>> What's the reasoning behind CAS not in the DMZ?
>> Where do they want it? Hanging nude off the router? Behind a firewall?
>>
>> If the latter, then just drop the outdated DMZ language. Most firewall admins think that DMZ means nude off the other port on my NAT box. Your least priv design puts CAS safely behind a firewall.
>>
>> Amy Babinchak
>> Harbor Computer Services
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>> Sent: Thursday, January 11, 2007 5:58 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Thanks Amy - maybe I am being a little oversensitive, just didn't expect some of the initial responses.
>>
>> I tend to avoid most of the main mailing lists, probably for similar reasons as others, and I tend to hang out at isaserver.org 95% of the time. Hence maybe why only Tom (and Stefan) tend to see my input and views on stuff.
>>
>> Tom invited me to this list as he felt it would be a good place for me to pose all the questions that he can't answer or that go unreplied on isaserver.org.
>>
>> I really do value the combined "ISA brain power" here, but just think it could be a little more forgiving and friendly at times...having said that I have found answers here that I just couldn't get elsewhere, so don't misunderstand me as ungrateful.
>>
>> Anyhow back to the "core issue", from what I am hearing from Exchange MVP contacts, MS are playing the "CAS in a DMZ is totally unsupported" tune very strongly. This is a real shame as it looks like I will never be able to deploy the existing least privilege design with Exchange 2007 without fear of customers coming back to us after trying to log PSS calls or getting other non-ISA firewall guys in who slate the design...oh well, at least ISA will still be involved to some degree, just not as cool as it could be...
>>
>> JJ
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>> Sent: 11 January 2007 15:09
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Jason, don't get discouraged. The changes in Exchange are monumental so there are bound to be disagreements and changes of opinion on how to best secure it. The concept of an authenticated access DMZ in a separate security zone allowing only a very minimal set of protocols is a completely foreign concept to 99% of firewall admins out there. The fact you are even thinking about this stuff puts you in an elite class. The rest are still poking holes and setting up VLANs.
>>
>> Tom, Thor and Jim can be a bit clubby and a little overly poky to newcomers. It's a twitch they developed after participating on the ISA server mailing list. It got worse when they decided to join a general purpose SBS list. I'm not sure that they'll ever completely recover.
>>
>> Amy
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
>> Sent: Thursday, January 11, 2007 5:47 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Wish I had never asked now...sometimes, some of you guys really don't make it easy for new people to try to express their views and pose questions for comment without being slapped down. One minute I am being labelled as an "idiot" for my comments/views, the next minute someone else who says the same thing as me is now right and not challenged. What gives?
>>
>> I know many of you guys don't know me from Adam, but kinda unfair to just assume I know jack about ISA and secure network design just because I'm not "part of the club".
>>
>> Anyhow, thanks to Tim and Tom for seeming to share my disappointment with the decision made by the Exchange 2007 team...I think I need to try and find out how "official" their lack of support with 2k7 is going to be before I can continue recommending the least privilege model I have been using for Exchange 2003.
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: 11 January 2007 04:30
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> ..maybe I'm just tired?
>> I spent two hours trying to get home tonight and I'm clearly not in my mind (right or otherwise).
>> Forget I wrote and we'll start over tomorrow?
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, January 10, 2007 8:18 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> That's exactly what I'm talking about. And precisely the configuration I deploy:
>>
>> My FE is in the authenticated segment of the DMZ and a member of my internal domain; however, the "recommended protocols" the Exchange group recommends are not necessary - and thus, Steve's contention that "CIFS and all that other stuff... Might as well just be internal" I reject. I only allow Kerberos-Sec, LDAP, LDAP GC, Ping and DNS from my FE to the internal DCs. And only HTTP to the BEs.
>>
>> Even if the other prots WERE required, it would still be far smarter to deploy the FE in the authenticated DMZ with limited access than to just give full stack access to the ENTIRE internal network. This is a deployment of a service made available (initially) to a global, anonymous, untrusted network.
>>
>> Maybe I'm not properly articulating my point, but I have to say I'm really surprised that we are having this conversation...
>>
>> t
>>
>> On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>
>> C'mon, Tim; I know what your deployment recommendations are; this isn't it. He wants to extend his domain via "remote membership"; not create a separate domain.
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, January 10, 2007 4:26 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Because it's safer that way, that's why... That's what an authenticated access DMZ perimeter is for. With a CAS server that presents logon services to any Internet user, I would (and, in fact, do) require that the server be in a least-privileged authenticated access perimeter network that limits that server's communications to the minimum required for required functionality and only to the hosts it needs to talk to.
>>
>> Let's say there is a front-end implementation issue or coding vulnerability: the CAS on the internal network would allow unfettered, full-stack access to the internal network. A CAS in a perimeter DMZ would mitigate potential exposure in the event of a 0day or configuration issue.
>>
>> "Safer on the internal network" is a complete misnomer when it comes to servers presenting services to an untrusted network.
>>
>> t
>>
>> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>
>> Why would you want to place a member of your internal domain in your DMZ, fer chrissakes?!?
>> Hosting any domain member in the DMZ is a difficult proposition; especially where NAT is the order of the day.
>> You can either use a network shotgun at your firewall or attempt to use your favorite VPN tunnel across the firewall to the domain.
>>
>> Jim
>>
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Wed 1/10/2007 2:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> From what I can gather, the new CAS role now uses RPC to communicate with the back-end (not sure of new name!) servers so I am guessing that this is an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty true statement.
>>
>> Just think how much safer the world will be when firewalls can understand dynamic protocols like RPC...maybe one day firewalls will even be able to understand and filter based upon RPC interface...maybe one day... :-D ;-)
>>
>> Shame the Exchange team can't see how much ISA changes the traditional approach to DMZ thinking...kinda makes you think that both teams work for a different company :-(
>>
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
>> Sent: 10 January 2007 22:07
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I seriously hope that they have taken different paths and these are not limitations on the software or it is going to mean a nice little redesign and break from custom..
>>
>> Greg
>>
>> ----- Original Message -----
>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>> To: isapros@xxxxxxxxxxxxx
>> Sent: Thursday, January 11, 2007 8:25 AM
>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>
>> Hi All,
>>
>> I heard today from an Exchange MVP colleague that members of the Exchange team (Scott Schnoll) are saying that they (Microsoft) do not support placing the new Exchange 2007 Client Access Server role (like the old Exch2k3 FE role) into a perimeter network. Has anyone else heard the same? This sounds very similar to Exchange admins of old when they didn't really understand what modern application firewalls like ISA could do - RPC filter anyone???
>>
>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>
>> I have just about managed to convince Exchange colleagues (and customers) of the value of placing Exchange FE servers in a separate security zone from BE
>> servers, DC's etc. and now I hear this?
>>
>> Are the Exchange team confusing the old traditional DMZs with what ISA can achieve with perimeter networks?
>>
>> From what I believe, it is good perimeter security practice to place servers which are Internet accessible into different security zones than servers that are purely internal. Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth access perimeter network with Exchange 2003 BE servers on the internal network has always seemed like a good approach. It also follows a good least privilege model.
>>
>> Is this another example of the Exchange and ISA teams following different paths????
>>
>> Please tell me that I am wrong and that I am not going to have to start putting all Exchange roles, irrespective of security risk, on the same network again!!!!
>>
>> Comments?
>>
>> Cheers
>>
>> JJ
>>
>> All mail to and from this domain is GFI-scanned.
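Tim's method in the thread (capture the "full access" traffic in a lab, then carve it down to a minimum rule set per service and per host, with CIFS and RPC kept for temporary on-demand enablement) and Jason's point about RPC's dynamic ports, sketched as an added Python example. This is not code from the list or any of its participants and it does not touch ISA's own configuration API; the host names fe1/dc1/be1 and the captured flows are constructed sample data, and the port table holds only the well-known ports of the protocols the thread names.

```python
# Added example (not code from the thread): carve a lab capture of "full
# access" FE traffic down to per-host, per-service rules, keeping CIFS and RPC
# out of the full-time set so they are enabled only on demand. Host names and
# flows are constructed sample data.
from dataclasses import dataclass

# Well-known ports for the protocols named in the thread.
PORT_TO_PROTO = {
    ("udp", 88): "Kerberos-UDP",
    ("tcp", 389): "LDAP",
    ("tcp", 3268): "LDAP GC",
    ("udp", 53): "DNS",
    ("icmp", 0): "Ping",
    ("tcp", 80): "HTTP",
    ("tcp", 445): "CIFS",
    ("tcp", 139): "CIFS",
    ("tcp", 135): "RPC",  # endpoint mapper
}
# Windows Server 2003 default dynamic RPC range: the endpoint mapper hands the
# client a port in here, so a port-135-only rule does not describe RPC.
RPC_DYNAMIC = range(1025, 5001)
# Protocols the thread treats as too powerful to leave open full time.
DANGEROUS = {"CIFS", "RPC"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    l4: str  # "tcp", "udp" or "icmp"
    port: int


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str


def classify(flow):
    """Name a flow's protocol, folding dynamic RPC ports into 'RPC'."""
    proto = PORT_TO_PROTO.get((flow.l4, flow.port))
    if proto is None and flow.l4 == "tcp" and flow.port in RPC_DYNAMIC:
        return "RPC"
    return proto


def carve(flows):
    """Reduce observed flows to the minimal per-host, per-service rule set.

    Returns three sets: full_time (always on), on_demand (an admin switches
    these on temporarily) and unknown (flows nobody has explained yet).
    """
    rs = {"full_time": set(), "on_demand": set(), "unknown": set()}
    for f in flows:
        proto = classify(f)
        if proto is None:
            rs["unknown"].add(f)
            continue
        bucket = "on_demand" if proto in DANGEROUS else "full_time"
        rs[bucket].add(Rule(f.src, f.dst, proto))
    return rs


def is_allowed(rs, flow, enabled_on_demand=frozenset()):
    """Policy decision for one flow; on-demand rules count only while enabled."""
    proto = classify(flow)
    if proto is None:
        return False
    rule = Rule(flow.src, flow.dst, proto)
    return rule in rs["full_time"] or (rule in rs["on_demand"] and rule in enabled_on_demand)


# Constructed lab capture of a perimeter FE while the firewall still allowed everything.
LAB_FLOWS = [
    Flow("fe1", "dc1", "udp", 88),    # Kerberos
    Flow("fe1", "dc1", "tcp", 389),   # LDAP
    Flow("fe1", "dc1", "tcp", 3268),  # LDAP GC
    Flow("fe1", "dc1", "udp", 53),    # DNS
    Flow("fe1", "dc1", "icmp", 0),    # Ping
    Flow("fe1", "dc1", "tcp", 445),   # CIFS
    Flow("fe1", "dc1", "tcp", 139),   # CIFS over NetBIOS session
    Flow("fe1", "dc1", "tcp", 135),   # RPC endpoint mapper
    Flow("fe1", "dc1", "tcp", 1026),  # dynamic RPC port handed out by the mapper
    Flow("fe1", "be1", "tcp", 80),    # OWA proxying to the back end
    Flow("fe1", "dc1", "tcp", 7777),  # unexplained: review it, do not allow it
]


def demo():
    """Carve the lab capture and print the resulting rule sets."""
    rs = carve(LAB_FLOWS)
    for name in ("full_time", "on_demand"):
        print(name + ":", sorted(f"{r.src}->{r.dst} {r.proto}" for r in rs[name]))
    print("review:", sorted(f"{f.src}->{f.dst} {f.l4}/{f.port}" for f in rs["unknown"]))
    return rs


if __name__ == "__main__":
    demo()
```

The point of the carve step is that the lab capture, not the vendor documentation, decides what goes into the full-time set, and that anything classified as CIFS or RPC lands in the on-demand set however often it was seen. The dynamic-range fold is there because a packet filter that only knows about port 135 will either miss the real RPC session or need the whole high-port range open, which is the gap an RPC-aware filter closes. Unexplained flows are neither allowed nor silently dropped from the analysis; they stay in the review set until someone can say what they are.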