[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 20:16:26 -0800

We're missing each other.

I wholeheartedly agree with Tim's design - it uses completely separate
domains in the LAN and DMZ - there is no relationship between them.

I also agree with restricting access to the Inet-facing hosts, but this
doesn't have to mean physical relocation to a separate network to
accomplish the task.  IPSec, baby - it works.

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Wednesday, January 10, 2007 8:06 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

 

Because it's more secure. Heck, that's what Tim's entire class was about
-- least priv. Why put two hosts that belong to two different security
zones in the same security zone? Just because two hosts are members of
the same domain isn't the end-all and be-all -- sure, it's a security
factor, but there are other, more important factors to take into
account. That's why the Exchange FE or Exchange CAS should be placed in
an authenticated access DMZ, so that only required traffic is allowed to
move between the CAS and other network devices.

 

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 

         

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, January 10, 2007 7:55 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        Nope; and the whole concept of "separate domain" vs. "remote
member of the same domain" is my point.

        I agree that the Exch design choice harkens back to the bad ol'
days of "ports bad".

        I also agree that their design docs suck poo-poo; they *still*
push the "ISA shouldn't be a domain member" noise, no matter how hard I
try to fight it.

        The point is; why extend your domain across security boundaries
if you don't have to?

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Wednesday, January 10, 2007 7:47 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        There are plenty of reasons to do it. First, there is the
current example.

         

        Second, there is an internal network services segment where the DCs,
BE Exchange, SQL, etc. exist, and the untrusted corpnet clients, which are
members of the same domain, are on another segment, separated by the ISA
Firewall.

         

        Did you forget about least privilege?

         

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder
        Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        MVP -- ISA Firewalls

         

                 

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Wednesday, January 10, 2007 7:13 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                Don't care; doesn't matter, misquoted.

                "Desirable" meaning "everyone wants to do it".

                 

                Publishing RPC (MAPI) traffic is completely different
from splitting your domain membership across the firewall.

                There is *no* good reason to do this.

                 

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
                Sent: Wednesday, January 10, 2007 4:30 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                 

                Think you guys have completely misunderstood me, or I am
amazed at your responses.

                 

                We are not talking about ANY firewall here, we are
talking about ISA...one of the key advantages of ISA is that you can
create perimeter networks even for domain members as ISA can perform RPC
and other app filtering. Hence you can move domain members that
represent more of a security risk away from other domain member servers.


                 

                Based upon your answers, you must all be in disagreement
then with the models proposed by Tom for Exchange and network services
protection????

                http://www.isaserver.org/articles/2004multidmzp1.html

        
http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

                 

                If so, I am very surprised.

                 

                I posted here in August with a least privilege model for
Exchange security which placed Exchange FEs, BEs and DCs into ISA
perimeter networks and got good feedback - what the hell is going on????

                 

                Jim's quote "Ah, yes. While this is a desirable design,
it's also a very difficult one."

                Steve's quote "Hats off to you for being committed to
deploying security-in-depth with least-privilege and not acquiescing to
the "whatever works" mentality.
                I know it's a hard thing to deploy and support.  While I
have a similar topology, I only separate the clients from the servers
with an infrastructure ISA box- not the BE's from the DC's; they're on
the same "protected" network." 

                Totally confused guys :-(

                 

                 

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                Sent: 10 January 2007 23:08
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                That's what I said........

                 

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Wednesday, January 10, 2007 7:04 PM
                To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                 

                Why would you want to place a member of your internal
domain in your DMZ, fer chrissakes?!?

                Hosting any domain member in the DMZ is a difficult
proposition; especially where NAT is the order of the day.

                You can either use a network shotgun at your firewall or
attempt to use your favorite VPN tunnel across the firewall to the
domain.

                 

                Jim

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason
Jones
                Sent: Wed 1/10/2007 2:35 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                From what I can gather, the new CAS role now uses RPC to
communicate with the back-end (not sure of new name!) servers so I am
guessing that this is an "RPC isn't safe across firewalls" type stance.
Which I guess for a PIX, is a pretty true statement.

                 

                Just think how much safer the world will be when
firewalls can understand dynamic protocols like RPC...maybe one day
firewalls will even be able to understand and filter based upon RPC
interface...maybe one day... :-D ;-)

                 

                Shame the Exchange team can't see how much ISA changes
the traditional approach to DMZ thinking...kinda makes you think that
both teams work for a different company :-(

                Jason Jones | Silversands Limited | Desk: +44 (0)1202
360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

                 

                 

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
                Sent: 10 January 2007 22:07
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                I seriously hope that they have taken different paths and
these are not limitations on the software, or it is going to mean a nice
little redesign and break from custom..

                 

                Greg

                        ----- Original Message ----- 

                        From: Jason Jones
<mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>  

                        To: isapros@xxxxxxxxxxxxx 

                        Sent: Thursday, January 11, 2007 8:25 AM

                        Subject: [isapros] ISA, Exchange 2007 and
Perimeter Networks

                         

                        Hi All, 

                        I heard today from an Exchange MVP colleague
that members of the Exchange team (Scott Schnoll) are saying that they
(Microsoft) do not support placing the new Exchange 2007 Client Access
Server (like the old Exch2k3 FE role) role into a perimeter network. Has
anyone else heard the same? This sounds very similar to Exchange admins
of old when they didn't really understand what modern application firewalls
like ISA could do - RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

                        I have just about managed to convince Exchange
colleagues (and customers) of the value of placing Exchange FE servers
in a separate security zone from BE servers, DCs etc and now I hear
this...

                        Are the Exchange team confusing the old
traditional DMZ's with what ISA can achieve with perimeter networks? 

                        From what I believe, it is good perimeter
security practice to place servers which are Internet accessible into
different security zones than servers that are purely internal.
Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth
access perimeter network with Exchange 2003 BE servers on the internal
network has always seemed like a good approach. It also follows a good
least privilege model. 

                        Is this another example of the Exchange and ISA
teams following different paths???? 

                        Please tell me that I am wrong and that I am not
going to have to start putting all Exchange roles, irrespective of
security risk, on the same network again!!!!

                        Comments? 

                        Cheers 

                        JJ 

                         

                All mail to and from this domain is GFI-scanned.
