[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 15 Jan 2007 09:43:32 +1100

At least not these days. In the days of old I used to do this once or twice, 
but not since about 2004!
  ----- Original Message ----- 
  From: Thomas W Shinder 
  To: isapros@xxxxxxxxxxxxx 
  Sent: Monday, January 15, 2007 9:33 AM
  Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


  No, I think it's absurd -- they're kowtowing to the Syphco rep trained 
port-opener "network guys".

  There is no additional security conferred IMHO.

  Thomas W Shinder, M.D.
  Site: www.isaserver.org
  Blog: http://blogs.isaserver.org/shinder/
  Book: http://tinyurl.com/3xqb7
  MVP -- Microsoft Firewalls (ISA)





----------------------------------------------------------------------------
    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
    Sent: Sunday, January 14, 2007 4:07 PM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


    Jim/Tom,

    I noticed that quite a lot of the ISA firewall appliance vendors promote the 
"ISA in a new forest, with a one way trust to the existing forest" model. Do 
you have the same view on this?
    Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 
(0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx





----------------------------------------------------------------------------
    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
    Sent: 14 January 2007 16:53
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


    No; the Exch team (or certain author-wanna-bees, anyway).

    I've tech-reviewed three Exch-created docs last year and without exception, 
they all carried this verbal virus with them.

    It's an incredible fight to get this removed and I have to admit that I 
haven't been entirely successful.



    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
    Sent: Sunday, January 14, 2007 8:36 AM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



    You mean the ISA UE is pushing the domain=bad crapola? How do you tell a 
secure EAS publishing story without it?



    Thomas W Shinder, M.D.
    Site: www.isaserver.org
    Blog: http://blogs.isaserver.org/shinder/
    Book: http://tinyurl.com/3xqb7
    MVP -- Microsoft Firewalls (ISA)






--------------------------------------------------------------------------

      From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] 
On Behalf Of Jim Harrison
      Sent: Saturday, January 13, 2007 9:48 PM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

      They do ask; they just don't listen.

      I was asked to review a doc on EAS via ISA that's coming out soon and 
couldn't get them to drop the "ISA as domain member == bad" mantra.



      From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] 
On Behalf Of Jason Jones
      Sent: Saturday, January 13, 2007 3:46 PM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks



      Can't believe they just make their own decision terminology/security 
architecture rather than asking ISA product team for advice on what they should 
be saying....maybe that is just me being incredibly naive though ;-)




--------------------------------------------------------------------------

      From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] 
On Behalf Of Thomas W Shinder
      Sent: 13 January 2007 17:32
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

      However, one thing I DON'T want to get back to is the "single model" DMZ 
-- because the entire point of this conversation is that there is a 
heterogeneity of DMZs and that the problem with the Exchange team is that they 
didn't understand this in the first place. :)



      Thomas W Shinder, M.D.
      Site: www.isaserver.org
      Blog: http://blogs.isaserver.org/shinder/
      Book: http://tinyurl.com/3xqb7
      MVP -- Microsoft Firewalls (ISA)






------------------------------------------------------------------------

        From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Saturday, January 13, 2007 11:23 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        It's interesting how the canaille misinterprets the term DMZ, like they 
do for most things :)



        Think about the Korean DMZ -- is that really a "free for all" place? Or 
one of the most monitored and secured areas in the world, where nothing happens 
without someone knowing about it almost immediately?



        That's what you get when the Syphco reps teach a generation of "port 
openers"....



        Thomas W Shinder, M.D.
        Site: www.isaserver.org
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)






----------------------------------------------------------------------

          From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
          Sent: Friday, January 12, 2007 5:51 PM
          To: isapros@xxxxxxxxxxxxx
          Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

          Interesting... Probably a good idea for us to actually articulate 
what we really mean when we say DMZ.

          I guess to some it means "free for all network" but for me, it should 
be the network where you have the most restrictive policies controlling each 
service so that it is obvious when malicious traffic hits the wire.  Thoughts?
          t


          On 1/12/07 3:30 PM, "Steve Moffat" <steve@xxxxxxxxxx> spoketh to all:

          That's what I thought, now it's what I know..
           

          From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
          Sent: Friday, January 12, 2007 6:35 PM
          To: isapros@xxxxxxxxxxxxx
          Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

          Aside from normal router & switch ACLs, ISA is the single line of 
defense.
          "..we don't need no stinking DMZs"
           

          From: isapros-bounce@xxxxxxxxxxxxx 
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
          Sent: Friday, January 12, 2007 12:12 PM
          To: isapros@xxxxxxxxxxxxx
          Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

          Ahh... just had a thought.
           
          It's all labeling.
           
          Jason, and others (not Jason's fault), have been using the term DMZ.
           
          Historically, is the term DMZ not taken literally as being completely 
firewalled off from the trusted networks, and what Jason is talking about is 
trusted network segmentation?
           
          I betcha that's why the Exchange team don't support it... they think 
it's a typical run of the mill DMZ.
           
          Jim, isn't MS's Internal network segmented by using ISA?? Including 
your mail servers?
           
          S 

          All mail to and from this domain is GFI-scanned. 




