Shouldn't you be flying? BTW, it's been snowing all day today.

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Saturday, January 13, 2007 2:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

I can see where you are coming from....but being Scottish....not as paranoid about Korea... :)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, January 13, 2007 3:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

..especially if you have them pronounce it. This problem, along with the geo-political-pc-mongering mentality is exactly why MS (approved) docs have replaced "DMZ" with "Perimeter Network".

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Saturday, January 13, 2007 10:46 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

But that's the opposite of what the analogy means- the "free for all, combat rich, chaotic, uncontrollable" zone is NOT the DMZ. The "DMZ," where it refers to Korea, is a highly controlled, restricted area bound by the policy of the armistice. I would never put a honeypot in the DMZ, as no one would ever hit it- not in MY DMZ's anyway... The honeypot goes on the Internet segment or somewhere that everyone can hit it... The DMZ is where one should most closely monitor traffic or deploy intrusion detection...

Why have yet another term? If people can't understand what DMZ really is, then I doubt they will understand what PNS is...

t

On 1/12/07 4:09 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:

Personally, I think it should mean what it says, and match the analogy that it is part of.... Free for all...no restrictions, somewhere you would put a honey pot.....

And use the proper term for it which would be is.....??

PNS..Protected Network Segment

S

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, January 12, 2007 7:51 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Interesting... Probably a good idea for us to actually articulate what we really mean when we say DMZ. I guess to some it means "free for all network" but for me, it should be the network where you have the most restrictive policies controlling each service so that it is obvious when malicious traffic hits the wire.

Thoughts?

t

On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:

That's what I thought, now it's what I know....

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, January 12, 2007 6:35 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Aside from normal router & switch ACLs, ISA is the single line of defense.

"..we don't need no stinking DMZs"

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Friday, January 12, 2007 12:12 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

Ahh...just had a thought. It's all labeling. Jason, and others (not Jason's fault), have been using the term DMZ.

Historically, is the term DMZ not taken literally as being completely firewalled off from the trusted networks, and what Jason is talking about is trusted network segmentation.

I betcha that's why the Exchange team don't support it...they think it's a typical run of the mill DMZ...

Jim, isn't MS's Internal network segmented by using ISA?? Including your mail servers?

S

All mail to and from this domain is GFI-scanned.