[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 20:07:46 -0800

True enough, but in the typical "DMZ" deployment, ISA merely sits
"beside"; not "before" the published service, and thus protects it very
little or not at all.  This is the basic flaw in this design (as I've
seen it so far).

..or maybe I'm just jaded from having to deal with all the "ISA isn't a
firewall" d0rks5 day in and day out...

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Wednesday, January 10, 2007 8:04 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

If the host is in the same domain, traffic between the domain member in
the DMZ segment is limited to only the required traffic, not all
traffic. This is least priv. Since SMTP, NNTP, IRC, H.323, SIP, etc.,
etc., aren't allowed from that segment to the other, we've locked out
those exploits. Plus, we have a device in the path between the two
security zones that is logging these attempts at illegitimate traffic and
can provide information for further analysis. If you have an
unencumbered path between the Internet facing host (which has a much
larger "attacker surface") and the non-Internet facing host, then
you're violating least priv and asking for problems you needn't have.

 

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
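As an added illustration (not code from anyone on this thread) of the zone policy Thomas describes: default deny between the authenticated-access perimeter segment and the internal network, an explicit allow for the required traffic only, and a log entry for every denied attempt so the device in the path yields something to analyse. The port numbers and the "required" set are assumptions chosen for the demo, not a product recommendation.

```python
"""Model of a least-privilege policy between a domain-joined CAS in a
perimeter network and the internal network. Constructed example: the
allowed set and port numbers are assumptions for illustration only."""
from dataclasses import dataclass, field

PERIMETER, INTERNAL = "Perimeter-CAS", "Internal"

# Assumed required traffic from the perimeter CAS host to internal hosts
# (DC and Exchange back-end). Anything not listed here is denied.
REQUIRED = {
    ("tcp", 88), ("udp", 88),     # Kerberos to the DC
    ("tcp", 389), ("tcp", 3268),  # LDAP and Global Catalog
    ("tcp", 135),                 # RPC endpoint mapper to the back-end
}

# Protocols the thread names as not allowed between the two zones, mapped
# from their well-known ports so the deny log is readable.
BLOCKED_NAMES = {25: "SMTP", 119: "NNTP", 6667: "IRC", 1720: "H.323", 5060: "SIP"}


@dataclass
class ZonePolicy:
    """First-match policy: intra-zone traffic passes, cross-zone traffic
    passes only if it is in REQUIRED, everything else is denied and logged."""
    deny_log: list = field(default_factory=list)

    def evaluate(self, src_zone, dst_zone, proto, dport):
        """Return 'allow' or 'deny' for one connection attempt."""
        if src_zone == dst_zone:
            return "allow"
        if (src_zone, dst_zone) == (PERIMETER, INTERNAL) and (proto, dport) in REQUIRED:
            return "allow"
        # Default deny across zones; record the attempt for later analysis.
        name = BLOCKED_NAMES.get(dport, f"{proto}/{dport}")
        self.deny_log.append(f"DENY {src_zone}->{dst_zone} {name}")
        return "deny"


def simulate(attempts):
    """Evaluate constructed attempts; return the verdicts and the deny log."""
    policy = ZonePolicy()
    verdicts = [policy.evaluate(*a) for a in attempts]
    return verdicts, policy.deny_log


if __name__ == "__main__":
    sample = [(PERIMETER, INTERNAL, "tcp", 88),    # Kerberos: required
              (PERIMETER, INTERNAL, "tcp", 25),    # SMTP: locked out
              (PERIMETER, INTERNAL, "udp", 5060)]  # SIP: locked out
    for line in simulate(sample)[1]:
        print(line)
```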

 

         

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, January 10, 2007 7:52 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        What's the diff between allowing domain traffic to the same DC
you're trying to protect?

        The 1d10t cry of "what if it gets compromised?" is the core
issue in this question.

        A host belonging to a separate domain is one thing; a  member of
the internal domain is quite another.

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Wednesday, January 10, 2007 7:45 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        What's wrong with that? There is granularity of security zone
definitions and membership, even within a domain. Just like what we've
done with the FE Exchange Server, there's no qualitative or quantitative
differences here that I can tell.

         

        Thomas W Shinder, M.D.
        Site: http://www.isaserver.org/
        Blog: http://blogs.isaserver.org/shinder
        Book: http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

         

                 

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Wednesday, January 10, 2007 7:11 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                C'mon, Tim; I know what your deployment recommendations
are; this isn't it.

                He wants to extend his domain via "remote membership";
not create a separate domain.

                 

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                Sent: Wednesday, January 10, 2007 4:26 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                 

                Because it's safer that way, that's why... That's what
an authenticated access DMZ perimeter is for - with a CAS server that
presents logon services to any Internet user, I would (and, in fact,
require) that the server be in a least-privileged authenticated access
perimeter network that limits that server's communications to the minimum
required for required functionality - and only to the hosts it needs to
talk to.
                
                Let's say there is a front-end implementation issue or
coding vulnerability: the CAS on the internal network would allow
unfettered, full-stack access to the internal network.  A CAS in a
perimeter DMZ would mitigate potential exposure in the event of a 0day
or configuration issue. 
                
                "Safer on the internal network" is a complete misnomer
when it comes to servers presenting services to an untrusted network. 
                
                t
                
                
                On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx>
spoketh to all:

                Why would you want to place a member of your internal
domain in your DMZ, fer chrissakes?!?
                Hosting any domain member in the DMZ is a difficult
proposition; especially where NAT is the order of the day.
                You can either use a network shotgun at your firewall or
attempt to use your favorite VPN tunnel across the firewall to the
domain.
                
                Jim

                
________________________________


                From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason
Jones
                Sent: Wed 1/10/2007 2:35 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                
                From what I can gather, the new CAS role now uses RPC to
communicate with the back-end (not sure of new name!) servers so I am
guessing that this is an "RPC isn't safe across firewalls" type stance.
Which I guess for a PIX, is a pretty true statement.
                
                Just think how much safer the world will be when
firewalls can understand dynamic protocols like RPC...maybe one day
firewalls will even be able to understand and filter based upon RPC
interface...maybe one day... :-D ;-)
                
                Shame the Exchange team can't see how much ISA changes
the traditional approach to DMZ thinking...kinda makes you think that
both teams work for a different company :-(
                Jason Jones | Silversands Limited | Desk: +44 (0)1202
360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx
                
                 

                
________________________________


                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
                Sent: 10 January 2007 22:07
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks
                
                I seriously hope that they have taken different paths and
these are not limitations on the software or it is going to mean a nice
little redesign and break from custom..
                
                Greg

                ----- Original Message ----- 
                From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
                To: isapros@xxxxxxxxxxxxx 
                Sent: Thursday, January 11, 2007 8:25 AM
                Subject: [isapros] ISA, Exchange 2007 and Perimeter
Networks
                
                
                Hi All, 
                
                I heard today from an Exchange MVP colleague that
members of the Exchange team (Scott Schnoll) are saying that they
(Microsoft) do not support placing the new Exchange 2007 Client Access
Server (like the old Exch2k3 FE role) role into a perimeter network. Has
anyone else heard the same? This sounds very similar to Exchange admins
of old when they didn't really understand modern application firewalls
like ISA could do - RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
                
                I have just about managed to convince Exchange
colleagues (and customers) of the value of placing Exchange FE servers
in a separate security zone from BE servers, DC's etc and now I hear
this...
                
                Are the Exchange team confusing the old traditional
DMZ's with what ISA can achieve with perimeter networks? 
                
                From what I believe, it is good perimeter security
practice to place servers which are Internet accessible into different
security zones than servers that are purely internal. Therefore, the
idea of placing Exchange 2003 FE servers in an ISA auth access perimeter
network with Exchange 2003 BE servers on the internal network has always
seemed like a good approach. It also follows a good least privilege
model. 
                
                Is this another example of the Exchange and ISA teams
following different paths???? 
                
                Please tell me that I am wrong and that I am not going
to have to start putting all Exchange roles, irrespective of security
risk, on the same network again!!!!
                
                Comments? 
                
                Cheers 
                
                JJ 

                All mail to and from this domain is GFI-scanned. 
