[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 12 Jan 2007 10:29:37 -0800

I've separated out "authentication traffic" rules from my "services" rules.

I define "limited intradomain traffic" as the required AD
authentication/domain membership (GPO, LDAP, site assignment, etc.) traffic
between the FE and the DCs. The other traffic, like POP, IMAP, etc. is
for what "services" I choose to support for external users, but yes, you can
apply whatever rules you want to. I don't support external POP or IMAP
access, so those protocols are not even defined in my ruleset.

"Least privilege" rules (for me) are broken down into "full-time required
protocols" and "temporary access on-demand" protocols. For the most part,
this applies to "dangerous" protocols such as CIFS and RPC when used for
authentication - and are applied from the FE to the DCs. Other "access"
services like HTTP, POP, IMAP are enabled as needed, and only from the FE to
the BE(s). Regarding Direct Push, I thought you could accomplish that via
SMTP out directly to the mobile provider. That's how I did it way back
when, anyway.

But you are totally correct - labbing this stuff is the way to go. First I
look at the "full access" traffic and then see how much I can carve it down
to a minimum set of rules required on a service-by-service, host-by-host
basis.

t
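
The ruleset Thor describes in this reply and in his earlier quoted message (AD authentication protocols full-time from the FE to the DCs, CIFS/RPC in a separate rule enabled only on demand, HTTP only to the BE, unsupported protocols such as POP3 left undefined) and the "carve it down" pass over observed traffic, as an added Python model that is not part of the thread or of ISA Server. The host names (FE, DC1, BE1) and the observed flows are constructed for the example.

```python
"""Model of the least-privilege perimeter ruleset discussed in the thread.
Added example; host names and observed flows are constructed, not real."""
from dataclasses import dataclass

# Protocols defined in the ruleset, with well-known transport/port pairs.
# POP3/IMAP are deliberately absent: undefined protocols can never be allowed.
PROTOCOLS = {
    "Kerberos-UDP": ("udp", 88), "LDAP": ("tcp", 389), "LDAP GC": ("tcp", 3268),
    "DNS": ("udp", 53), "Ping": ("icmp", 0), "HTTP": ("tcp", 80),
    "CIFS": ("tcp", 445), "RPC": ("tcp", 135),
}
# The "dangerous" protocols: only ever placed in a disabled-by-default rule.
ON_DEMAND = frozenset({"CIFS", "RPC"})


@dataclass
class Rule:
    name: str
    src: str
    dsts: frozenset
    protocols: frozenset
    enabled: bool = True

    def matches(self, src, dst, proto):
        return (self.enabled and src == self.src
                and dst in self.dsts and proto in self.protocols)


def protocol_name(transport, port):
    """Map an observed transport/port pair to a defined protocol name, or None."""
    for name, pair in PROTOCOLS.items():
        if pair == (transport, port):
            return name
    return None


def evaluate(rules, src, dst, transport, port):
    """Default deny: a flow passes only if an enabled rule names src, dst and protocol."""
    proto = protocol_name(transport, port)
    return proto is not None and any(r.matches(src, dst, proto) for r in rules)


def carve_down(observed):
    """Turn observed "full access" flows into per-host-pair rules.
    Defined full-time protocols become enabled rules; ON_DEMAND protocols get a
    separate rule for the same host pair that starts disabled; undefined ones are dropped."""
    grouped = {}
    for src, dst, transport, port in observed:
        proto = protocol_name(transport, port)
        if proto is None:
            continue  # e.g. POP3 seen on the wire but not supported: stays denied
        grouped.setdefault((src, dst, proto in ON_DEMAND), set()).add(proto)
    rules = []
    for (src, dst, on_demand), protos in sorted(grouped.items()):
        label = "on-demand" if on_demand else "full-time"
        rules.append(Rule(f"{label} {src}->{dst}", src, frozenset({dst}),
                          frozenset(protos), enabled=not on_demand))
    return rules


def set_on_demand(rules, enabled):
    """Enable the CIFS/RPC rules for an admin session, then disable them again."""
    for r in rules:
        if r.protocols & ON_DEMAND:
            r.enabled = enabled


# Constructed sample of what the FE was seen sending under an "allow all" rule.
OBSERVED = [
    ("FE", "DC1", "udp", 88), ("FE", "DC1", "tcp", 389), ("FE", "DC1", "tcp", 3268),
    ("FE", "DC1", "udp", 53), ("FE", "DC1", "icmp", 0),
    ("FE", "DC1", "tcp", 445), ("FE", "DC1", "tcp", 135),  # admin logon / System Manager
    ("FE", "BE1", "tcp", 80), ("FE", "BE1", "tcp", 110),    # OWA proxying, plus POP3 noise
]

if __name__ == "__main__":
    for rule in carve_down(OBSERVED):
        print(rule)
```

Note that enabling the on-demand rule opens CIFS/RPC only towards the DC host pair it was derived from; the BE never gets it, and the undefined POP3 flow is denied in every state.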


On 1/12/07 9:40 AM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to
all:

> Tim,
>
> Does this "limited intradomain traffic" approach work for other FE services
> like RPC/HTTP, POP, IMAP etc. or is it an OWA-only thing?
>
> I am guessing that RPC/HTTP should be ok as it uses the 6001, 6002 and 6004
> ports but just wondered if the RPC proxy threw a spanner in the works without
> CIFS or RPC???
>
> Are you guys also aware that in addition to FE=>BE & DC rules you also need to
> create BE=>FE rules to allow for Direct Push? Guess this is still needed for
> the CAS roles???
>
> Definitely time for a lab exercise!
>
> JJ
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: 12 January 2007 17:22
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> I can't yet comment on what protocols will be necessary for CAS to perform
> particular functions as I have not yet analyzed the required traffic, but even
> with Ex2k3, "full time" intradomain protocol support is totally unnecessary
> for the FE to act as the OWA front end once it has been properly initiated
> into the Exchange organization - I mentioned this in a past post, but as part
> of my "least privileged" configuration, CIFS and RPC (All interfaces) are
> disabled, and only Kerberos-UDP, LDAP, LDAP GC, Ping and DNS are enabled from
> the FE to my DCs object, and only HTTP from the FE to the BE. This works
> perfectly. But, if I need to log on to the FE perimeter box or use System
> Manager from that box, then I enable the CIFS/RPC rule to the DCs, get 'er
> done, and disable again. This is completely different than the "official"
> Exchange documentation, but it is about as secure as you could hope for in
> such an easily maintained configuration. This is because I think the Exchange
> group is not necessarily explicitly aware of the authentication negotiation
> process, and just assumes that CIFS is required for authentication - but, if
> the client can't establish a standard SMB channel, it will fall back to
> Kerberos UDP. Given what one can do with an established authenticated CIFS
> connection, I choose to disable it for security reasons.
>
> My guess (again, I'm not sure) is that different operations will require
> different protocol support. For standard OWA access, I'm sure we can get away
> with similar limited protocols. If you want to be able to map drives via the
> OWA interface (which CAS will let you do) you'll most probably need to allow
> CIFS to the host (but ONLY to that host). Even so, it's a far better
> configuration considering the "universal access" to the FE.
>
> When I deploy this, I'll know better. And even if PSS gives me crap about it
> not being supported, I just won't tell them. I'll put the CAS "behind ISA"
> like they say and keep my perimeter DMZ configuration to myself.
> 
> t
> 
> 
> On 1/12/07 3:56 AM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to
> all:
> 
>> From what I have read, the CAS is similar to the FE but with the addition of
>> some new features - I would *imagine* it would use very similar protocols,
>> and if anything hopefully it will use fewer protocols for more efficient
>> communications. I am sure it will still need the core intradomain protocols
>> as it will be a domain member, but I think they have moved away from the
>> FE>BE HTTP, POP3, IMAP model.
>>
>> Need to lab it really to get a good idea.
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>> jason.jones@xxxxxxxxxxxxxxxxx
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thomas W Shinder
>> Sent: 12 January 2007 04:23
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> WORD!
>>
>> I'll gladly join you in that public nut-kicking when the time comes. What
>> I want to understand first is what are the protocol requirements for the CAS
>> to the back-end components, and what their rationale is for making the
>> statements that have been reported so far. They might have a good point, and
>> if they have it, I want to hear it. But if the point is "it's too hard" or
>> "I don't understand network security, I just say what my boss tells me to
>> say" or "I'm on the take with Syphco" then those aren't valid and body parts
>> will deserve some shaking up in the public square. The least they can do is
>> state "we don't have the time or inclination to show you how to provide the
>> highest level of network security, but it is possible to do it right, we're
>> just not going to show you how to do it" as a disclaimer. With that, we can
>> then go ahead and help those who want to be helped :-)
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Thursday, January 11, 2007 6:40 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> It may be just this type of "beating it to death" that is required to get
>> the Exchange group's attention. I don't really care if they don't support
>> "perimeter network" deployments as long as ISA is an exception. I have
>> every intention to ensure that an ISA authenticated perimeter network DMZ
>> segment "in front" of the CAS server is fully supported if the proper
>> protocols are allowed. I will make sure to press them into officially
>> stating why it is not supported. Even so, if they try that, I will publicly
>> kick them in the nuts.
>> 
>> t
>> 
>> 
>> On 1/11/07 4:15 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to
>> all:
>> Hi Amy,
>>
>> I am not really sure of their reasoning, but think it is based around the
>> "Swiss cheese", don't pass intradomain traffic across a normal firewall
>> argument.
>>
>> Sorry, my bad for using the term DMZ, the exact phrase used by Scholl is
>> "It's true. The Client Access Server (CAS), which among other things
>> includes the OWA feature, is not supported in a perimeter network (aka a
>> DMZ). Instead you'll deploy one or more CASs inside your organization and
>> put a robust firewall such as ISA 2006 in front of it." I am guessing from
>> experience of other Exchange team recommendations that when they say
>> perimeter network they really mean a traditional DMZ which is created using
>> traditional packet filter firewalls. The recommended deployment is to put
>> the CAS on the internal network, e.g. on the same network as the Exchange
>> back-end servers. Once the CAS is on the internal network, it should then be
>> published to the Internet using ISA.
>>
>> This design is fine if you want a simple open network where all servers
>> exist in the same security zone and hence all trust each other, but many
>> people are now trying to better this design by placing different types of
>> servers into different security zones based upon their risk level and
>> internet presence - say hello to the ISA auth access perimeter network! ;-)
>>
>> Basically I think it all harks back to the "don't put domain members in a
>> DMZ" mantra which is a pretty fair statement when using PF firewalls like
>> PIX, but things have moved on as least privilege authenticated access
>> perimeter networks with ISA are now getting advanced enough to challenge
>> this argument. Maybe the difference between a PIX firewall and ISA firewall
>> is just too subtle for some people???
>>
>> Think we have done this to death now!! - be very surprised if the
>> Exchange team go back on these types of statements though. I remember Tom
>> banging his head against a brick wall with Henrik based upon one of his
>> MSExchange.org articles which said "not in the DMZ" type statements.
>>
>> JJ
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Amy Babinchak
>> Sent: 11 January 2007 23:15
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Jason,
>>
>> What's the reasoning behind CAS not in the DMZ? Where do they want it?
>> Hanging nude off the router? Behind a firewall?
>>
>> If the latter, then just drop the outdated DMZ language. Most firewall
>> admins think that DMZ means nude off the other port on my nat box. Your
>> least priv design puts CAS safely behind a firewall.
>>
>> Amy Babinchak
>> Harbor Computer Services
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jason Jones
>> Sent: Thursday, January 11, 2007 5:58 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Thanks Amy - maybe I am being a little oversensitive, just didn't expect
>> some of the initial responses.
>>
>> I tend to avoid most of the main mailing lists, probably for similar reasons
>> as others, and I tend to hang out at isaserver.org 95% of the time. Hence
>> maybe why only Tom (and Stefan) tend to see my input and views on stuff.
>>
>> Tom invited me to this list as he felt it would be a good place for me to
>> pose all the questions that he can't answer or go unreplied on isaserver.org
>>
>> I really do value the combined "ISA brain power" here, but just think it
>> could be a little more forgiving and friendly at times...having said that I
>> have found answers here that I just couldn't get elsewhere, so don't
>> misunderstand me as ungrateful.
>>
>> Anyhow back to the "core issue", from what I'm hearing from Exchange MVP
>> contacts, MS are playing the "CAS in a DMZ is totally unsupported" tune very
>> strongly. This is a real shame as it looks like I will never be able to
>> deploy the existing least privilege design with Exchange 2007 without fear
>> of customers coming back to us after trying to log PSS calls or getting
>> other non-ISA firewall guys in who slate the design...oh well, at least ISA
>> will still be involved to some degree, just not as cool as it could be...
>>
>> JJ
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Amy Babinchak
>> Sent: 11 January 2007 15:09
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> Jason don't get discouraged. The changes in Exchange are monumental so there
>> are bound to be disagreements and changes of opinion on how to best secure
>> it. The concept of an authenticated access DMZ in a separate security zone
>> allowing only a very minimal set of protocols is a completely foreign
>> concept to 99% of firewall admins out there. The fact you are even thinking
>> about this stuff puts you in an elite class. The rest are still poking holes
>> and setting up VLANs.
>>
>> Tom, Thor and Jim can be a bit clubby and a little overly poky to new
>> comers. It's a twitch they developed after participating on the ISA server
>> mailing list. It got worse when they decided to join a general purpose SBS
>> list. I'm not sure that they'll ever completely recover.
>>
>> Amy
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jason Jones
>> Sent: Thursday, January 11, 2007 5:47 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Wish I had never asked now...sometimes, some of you guys really don't make
>> it easy for new people to try to express their views and pose questions for
>> comment without being slapped down. One minute I am being labelled as an
>> "idiot" for my comments/views, the next minute someone else who says the
>> same thing as me is now right and not challenged. What gives?
>>
>> I know many of you guys don't know me from Adam, but kinda unfair to just
>> assume I know jack about ISA and secure network design just because I'm not
>> "part of the club".
>>
>> Anyhow, thanks to Tim and Tom for seeming to share my disappointment with
>> the decision made by the Exchange 2007 team...I think I need to try and find
>> out how "official" their lack of support with 2k7 is going to be before I
>> can continue recommending the least privilege model I have been using for
>> Exchange 2003.
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: 11 January 2007 04:30
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>> ..maybe I'm just tired?
>> I spent two hours trying to get home tonight and I'm clearly not in my mind
>> (right or otherwise).
>> Forget I wrote and we'll start over tomorrow?
>> 
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, January 10, 2007 8:18 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> That's exactly what I'm talking about. And precisely the configuration I
>> deploy:
>>
>> My FE is in the authenticated segment of the DMZ - and a member of my
>> internal domain; however, the "recommended protocols" the Exchange group
>> recommends are not necessary - and thus, Steve's contention that "CIFS and all
>> that other stuff... Might as well just be internal" I reject. I only allow
>> Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only from my FE to the internal
>> DCs. And only HTTP to the BEs.
>>
>> Even if the other prots WERE required, it would still be far smarter to
>> deploy the FE in the authenticated DMZ with limited access than to just give
>> full stack access to the ENTIRE internal network. This is a deployment of
>> a service made available (initially) to a global, anonymous, untrusted
>> network.
>>
>> Maybe I'm not properly articulating my point, but I have to say I'm really
>> surprised that we are having this conversation...
>> 
>> t
>> 
>> 
>> On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> C'mon, Tim; I know what your deployment recommendations are; this isn't it.
>> He wants to extend his domain via "remote membership"; not create a separate
>> domain.
>>  
>> 
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, January 10, 2007 4:26 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Because it's safer that way, that's why... That's what an authenticated
>> access DMZ perimeter is for... with a CAS server that presents logon services
>> to any Internet user, I would (and, in fact, require) that the server be in
>> a least-privileged authenticated access perimeter network that limits that
>> server's communications to the minimum required for required functionality -
>> and only to the hosts it needs to talk to.
>>
>> Let's say there is a front-end implementation issue or coding vulnerability:
>> the CAS on the internal network would allow unfettered, full-stack access to
>> the internal network. A CAS in a perimeter DMZ would mitigate potential
>> exposure in the event of a 0day or configuration issue.
>>
>> "Safer on the internal network" is a complete misnomer when it comes to
>> servers presenting services to an untrusted network.
>> 
>> t
>> 
>> 
>> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> Why would you want to place a member of your internal domain in your DMZ,
>> fer chrissakes?!?
>> Hosting any domain member in the DMZ is a difficult proposition; especially
>> where NAT is the order of the day.
>> You can either use a network shotgun at your firewall or attempt to use your
>> favorite VPN tunnel across the firewall to the domain.
>>
>> Jim
>>
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Wed 1/10/2007 2:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> From what I can gather, the new CAS role now uses RPC to communicate with
>> the back-end (not sure of new name!) servers so I am guessing that this is
>> an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX,
>> is a pretty true statement.
>>
>> Just think how much safer the world will be when firewalls can understand
>> dynamic protocols like RPC...maybe one day firewalls will even be able to
>> understand and filter based upon RPC interface...maybe one day... :-D ;-)
>>
>> Shame the Exchange team can't see how much ISA changes the traditional
>> approach to DMZ thinking...kinda makes you think that both teams work for a
>> different company :-(
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>> jason.jones@xxxxxxxxxxxxxxxxx
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Greg Mulholland
>> Sent: 10 January 2007 22:07
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I seriously hope that they have taken different paths and these are not
>> limitations on the software or it is going to mean a nice little redesign
>> and break from custom..
>>
>> Greg
>> ----- Original Message -----
>> From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
>> To: isapros@xxxxxxxxxxxxx
>> Sent: Thursday, January 11, 2007 8:25 AM
>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>> 
>> 
>> Hi All, 
>> 
>> I heard today from an Exchange MVP colleague that members of the Exchange
>> team (Scott Schnoll) are saying that they (Microsoft) do not support placing
>> the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role)
>> role into a perimeter network. Has anyone else heard the same? This sounds
>> very similar to Exchange admins of old when they didn't really understand
>> what modern application firewalls like ISA could do - RPC filter anyone???
>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>
>> I have just about managed to convince Exchange colleagues (and customers) of
>> the value of placing Exchange FE servers in a separate security zone from BE
>> servers, DC's etc and now I hear this?
>>
>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>> achieve with perimeter networks?
>>
>> From what I believe, it is good perimeter security practice to place servers
>> which are Internet accessible into different security zones than servers
>> that are purely internal. Therefore, the idea of placing Exchange 2003 FE
>> servers in an ISA auth access perimeter network with Exchange 2003 BE
>> servers on the internal network has always seemed like a good approach. It
>> also follows a good least privilege model.
>>
>> Is this another example of the Exchange and ISA teams following different
>> paths????
>>
>> Please tell me that I am wrong and that I am not going to have to start
>> putting all Exchange roles, irrespective of security risk, on the same
>> network again!!!!
>>
>> Comments?
>>
>> Cheers
>>
>> JJ
>>
>>  
>> All mail to and from this domain  is GFI-scanned.