[isalist] Re: New Articles on Tales

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 16 Aug 2009 15:03:53 -0500

http://www.ISAserver.org
-------------------------------------------------------

Now that I'm an FTE to a legit corp, I can't make any claims, comments,
opinions, or orfs on poo-poo head or any of its affiliates.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 2:26 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

"poo-poo head"? While it's true that I have an affinity for that term (I
actually prefer "meanie-poo-poo-head"), I don't think you'll find that
stated or insinuated anywhere in this thread.

You're right - we let our pedanticistic discussion entirely detract from
the questions at hand.
I'll start this thread over again.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 16, 2009 11:00 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

OK.  "Many apply equally."  Like what?  Please don't leave us with a
thread that is summed up by:

1) Can I have some guidance on why ISA/TMG recommends a DM and Edge
recommends WG?
2) Tinfoil hat, kneejerk, never say never or always, perceived,
irrational, cookie cutter, poo-poo head!
3) Um, you're a security guy.  Can you explain?
4) Poo-poo head!
5) Can you at least list something tangible?
6) Cherry picking poo-poo head!
7) Can you give me one security reason?
8) Tom said so!

Please don't tell me all of this is based on "managing" the box.

t


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 10:14 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

Must Read

Recopied from previous posting: "In fact, many of the same arguments Tom
offers in his "ISA as a domain member" article apply equally to the Exch
Edge deployment; management, patching, access controls, etc..."


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 16, 2009 10:07 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

So, Edge role server as a dm why?

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 9:49 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

As usual, you prefer to cherry-pick than read.
I'm not arguing that Exch Edge "should" be a DM; rather that it *can* be
a DM and still meet the business and security needs of the deployment.
In fact, many of the same arguments Tom offers in his "ISA as a domain
member" article apply equally to the Exch Edge deployment; management,
patching, access controls, etc...

Perhaps it was poorly stated in my initial response, but my argument is
with those who "always" or "never".  There are exceptions to every
"rule" and many of those with good reason.  Anyone who proposes that
"this is always better" ignores the requirements and limitations of the
environment and business needs and thus serves their customers poorly.

For instance, while I strongly dislike the SBS deployment model (much
prefer the EBS model for small business), there are valid business
reasons to deploy it; most of them dictated by $$.  In the EBS
deployment, your edge server is a DM and is as secure as it can be,
given the goals of the typical EBS deployment.

To your comparison of ISA and TMG as DM, while offering AD-focused
features, they also provide features targeted at those deployments where
the firewall/proxy is not a domain member. These were added to serve the
non-DM-minded folks; whether they be TFHC or DiD.  In fact, the majority
of comments received by the FF Edge team arguing against placing a DM at
the edge were not reasoned, DiD-based discussions, but rather "the
security team says 'NO FREAKIN WAY!!!' and they won't discuss
alternatives". Since MS is a profit-based company and profit is
negatively affected by a lack of sales, we tend to remove sales
blockers, even if the blocker is based on unreasoned requirements. I
fight this on a daily basis.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 16, 2009 9:05 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

You are the only one who said "must always" or "must never," no one
else... But I notice that a lot when people find they must inject
superlatives in order to prop up manufactured straw man arguments.

And yes, you got me.  I clearly number myself among the "knee-jerk
deployment methodology crowds." :/

It's sad that your reaction actually speaks more for my point than your
argument, but I'm used to that.  I'm sure you'll come back with
something "clever" (positioned as a postulate) that dances all around
the non-point you're not making, but I'm used to that too.

I find it funny that the PM of a MSFT security product would call those
who choose to deploy DMZ/edge assets in a more secure manner when it is
not necessary a "tinfoil hat crowd." Is it too much Kool-Aid, or not
enough meds?

Why not share with the rest of the class the pressing reasons to deploy
an Exchange Edge role on a domain member rather than an isolated WG?
Feel free to manufacture whatever deployment scenario suits your needs
in order to substantiate the point you are trying to make. And try to
stay focused... terms like "irrational, knee-jerk, tinfoil hat, sadly,
and cookie-cutter" just take away from the point you are failing to
make.

ISA/TMG as a domain member provides tangible authentication benefits,
and is a "requirement" for most of that functionality. This is not the
case with Edge. As such, I'm looking forward to your list of reasons why
one should deploy Exchange Edge as a DM, and how that can increase (or
even maintain) the same security posture as WG mode for that role.

t

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 8:27 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

DiD is not satisfied by cookie-cutter deployment methodology, nor will
the *required* threat modeling be defined, much less understood.
Anyone who tells you that you "must always" or "must never" with regard
to any computer deployment is failing to do what we have both stated -
perform a threat model based on the environment and business needs.
Sadly, the Exchange team has historically contributed to this irrational
mindset.
Even Tom's extreme dislike for the "hork-mode sandwich" is tempered with
"it's your choice, but..."
I thought I knew you better than this, but if you number yourself among
the knee-jerk deployment methodology crowd, well; feel free to feel
insulted.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 16, 2009 8:14 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

It is *hardly* a tinfoil hat crowd.  It's called "security in depth" and
"least privilege."  The local ADAM instance provides the necessary
functionality to the edge role server, thus reducing some of the REAL
threats and the perceived benefit of making it a domain member. Exchange
Edge doesn't "support" WG membership, it is specifically designed to
provide that functionality based on "real world" issues that are present
in true enterprise topologies.

Do whatever you want to do to suit your needs, but don't call people who
have to consider the security ramifications of infrastructure designs
beyond "mom and pop" as "tinfoil hat crowd."  It's insulting.

t



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 16, 2009 7:32 AM
To: ISA Mailing List
Subject: [isalist] Re: New Articles on Tales

There is no "always" or "never" to either of them. It's situational and
requires that the deployment team perform their own threat modeling.
Exchange supports placing the edge role on a WG server to appease the
"no domain members at the edge" tinfoil hat crowd, but when you combine
it with TMG, the attack surface and thus the perceived threat of having
the Exch edge role as a domain member is greatly reduced; even over that
offered by Windows Firewall policies.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Han Valk
Sent: Saturday, August 15, 2009 11:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: New Articles on Tales

As far as I know Exchange Edge is to be installed on a workgroup server
while TMG does its best job when domain joined. So this is a bit of a
contradiction to me. I would love to see guidance from Microsoft on
that. Maybe this can be added to the Q&A in Understanding Email
Protection on TMG.

Han.


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, August 16, 2009 00:35
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] New Articles on Tales
>
> http://blogs.technet.com/isablog/archive/2009/08/15/new-tales-from-the-edge-articles.aspx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
