Testify!!!

On 1/10/07 7:38 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:

> Actually, an Internet facing host should NEVER be placed in the same security
> zone as non-Internet facing hosts. Since the CAS is an Internet facing host,
> it should be placed in a separate security zone, such as an authenticated
> access DMZ. The Exchange guys horks another green one with their doltish
> recommendations for the CAS -- no doubt due to their abject lack of
> understanding of the heterogeneity of "DMZs".
>
> Also, someone in this thread mixed up domain segmentation with network
> physical and logical segmentation -- a common N00b error, since there is no
> pre-defined relationship between the two.
>
> I would never put the CAS on my non-Internet facing host zone, no matter what
> the boneheads on the Exchange Team "think" -- heck, they're still putting the
> ISA Firewall between two "firewalls" in their docs. Those guys are the last
> ones I'd look to for guidance in network security (OK, Syphco guys are *the*
> last, but the Exchange guys are barely in front of them).
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:13 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Don't care; doesn't matter, misquoted.
>>
>> "Desirable" meaning "everyone wants to do it".
>>
>> Publishing RPC (MAPI) traffic is completely different from splitting your
>> domain membership across the firewall.
>>
>> There is *no* good reason to do this.
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jason Jones
>> Sent: Wednesday, January 10, 2007 4:30 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Think you guys have completely misunderstood me, or I am amazed at your
>> responses.
>>
>> We are not talking about ANY firewall here, we are talking about ISA...one
>> of the key advantages of ISA is that you can create perimeter networks even
>> for domain members as ISA can perform RPC and other app filtering. Hence you
>> can move domain members that represent more of a security risk away from
>> other domain member servers.
>>
>> Based upon your answers, you must all be in disagreement then with the
>> models proposed by Tom for Exchange and network services protection????
>>
>> http://www.isaserver.org/articles/2004multidmzp1.html
>>
>> http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html
>>
>> If so, I am very surprised.
>>
>> I posted here in August with a least privilege model for Exchange security
>> which placed Exchange FE's, BE's and DC's into ISA perimeter networks and got
>> good feedback - what the hell is going on????
>>
>> Jim's quote "Ah, yes. While this is a desirable design, it's also a very
>> difficult one."
>>
>> Steve's quote "Hats off to you for being committed to deploying
>> security-in-depth with least-privilege and not acquiescing to the "whatever
>> works" mentality. I know it's a hard thing to deploy and support. While I
>> have a similar topology, I only separate the clients from the servers with an
>> infrastructure ISA box- not the BE's from the DC's; they're on the same
>> "protected" network."
>> Totally confused guys :-(
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Steve Moffat
>> Sent: 10 January 2007 23:08
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> That's what I said??..
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Jim Harrison
>> Sent: Wednesday, January 10, 2007 7:04 PM
>> To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> Why would you want to place a member of your internal domain in your DMZ,
>> fer chrissakes?!?
>>
>> Hosting any domain member in the DMZ is a difficult proposition; especially
>> where NAT is the order of the day.
>>
>> You can either use a network shotgun at your firewall or attempt to use your
>> favorite VPN tunnel across the firewall to the domain.
>>
>> Jim
>>
>> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
>> Sent: Wed 1/10/2007 2:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> From what I can gather, the new CAS role now uses RPC to communicate with
>> the back-end (not sure of new name!) servers so I am guessing that this is
>> an "RPC isn't safe across firewalls" type stance. Which I guess for a PIX,
>> is a pretty true statement.
>>
>> Just think how much safer the world will be when firewalls can understand
>> dynamic protocols like RPC...maybe one day firewalls will even be able to
>> understand and filter based upon RPC interface...maybe one day...
>> :-D ;-)
>>
>> Shame the Exchange team can't see how much ISA changes the traditional
>> approach to DMZ thinking...kinda makes you think that both teams work for a
>> different company :-(
>>
>> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
>> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
>> jason.jones@xxxxxxxxxxxxxxxxx
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Greg Mulholland
>> Sent: 10 January 2007 22:07
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>>
>> I seriously hope that they have taken different paths and these are not
>> limitations on the software or it is going to mean a nice little redesign
>> and break from custom..
>>
>> Greg
>>
>>> ----- Original Message -----
>>> From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
>>> To: isapros@xxxxxxxxxxxxx
>>> Sent: Thursday, January 11, 2007 8:25 AM
>>> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
>>>
>>> Hi All,
>>>
>>> I heard today from an Exchange MVP colleague that members of the Exchange
>>> team (Scott Schnoll) are saying that they (Microsoft) do not support
>>> placing the new Exchange 2007 Client Access Server (like the old Exch2k3 FE
>>> role) role into a perimeter network. Has anyone else heard the same? This
>>> sounds very similar to Exchange admins of old when they didn't really
>>> understand what modern application firewalls like ISA could do - RPC filter
>>> anyone???
>>> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
>>>
>>> I have just about managed to convince Exchange colleagues (and customers)
>>> of the value of placing Exchange FE servers in a separate security zone
>>> from BE servers, DC's etc and now I hear this?
>>>
>>> Are the Exchange team confusing the old traditional DMZ's with what ISA can
>>> achieve with perimeter networks?
>>>
>>> From what I believe, it is good perimeter security practice to place
>>> servers which are Internet accessible into different security zones than
>>> servers that are purely internal. Therefore, the idea of placing Exchange
>>> 2003 FE servers in an ISA auth access perimeter network with Exchange 2003
>>> BE servers on the internal network has always seemed like a good approach.
>>> It also follows a good least privilege model.
>>>
>>> Is this another example of the Exchange and ISA teams following different
>>> paths????
>>>
>>> Please tell me that I am wrong and that I am not going to have to start
>>> putting all Exchange roles, irrespective of security risk, on the same
>>> network again!!!!
>>>
>>> Comments?
>>>
>>> Cheers
>>>
>>> JJ
>>
>> All mail to and from this domain is GFI-scanned.
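The placement rule argued through the whole thread (Internet-facing hosts never share a zone with non-Internet-facing ones, and domain membership is a separate question from network segmentation) as an added, runnable check over a constructed inventory; this is example code written for this page, not anything from the list or from ISA/Exchange, and the host names, role labels and zone names are made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    role: str
    zone: str
    internet_facing: bool
    domain_member: bool = True  # every Exchange role and every DC is domain-joined

def zone_violations(inventory):
    """Zones that mix Internet-facing and non-Internet-facing hosts.
    Domain membership is deliberately not an input: as the thread says, it has
    no pre-defined relationship to network segmentation."""
    by_zone = {}
    for h in inventory:
        by_zone.setdefault(h.zone, []).append(h)
    out = []
    for zone, hosts in sorted(by_zone.items()):
        facing = sorted(h.name for h in hosts if h.internet_facing)
        internal = sorted(h.name for h in hosts if not h.internet_facing)
        if facing and internal:
            out.append((zone, facing, internal))
    return out

def cross_zone_domain_paths(inventory):
    """(member, dc) pairs where a domain member sits in a different zone from a
    DC: the flows the firewall must filter per protocol (ISA's RPC filter)
    instead of opening the zone boundary wholesale."""
    dcs = [h for h in inventory if h.role == "Domain Controller"]
    return sorted((m.name, dc.name) for m in inventory if m.domain_member
                  for dc in dcs if m.zone != dc.zone)

# Constructed sample inventories (not from the thread): all roles on the
# internal network versus the CAS moved to an authenticated-access DMZ.
FLAT = [
    Host("cas01", "Client Access", "internal", internet_facing=True),
    Host("mbx01", "Mailbox", "internal", internet_facing=False),
    Host("dc01", "Domain Controller", "internal", internet_facing=False),
]
SEGMENTED = [
    Host("cas01", "Client Access", "auth-access-dmz", internet_facing=True),
    Host("mbx01", "Mailbox", "internal", internet_facing=False),
    Host("dc01", "Domain Controller", "internal", internet_facing=False),
]

if __name__ == "__main__":
    for label, layout in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(label, "zone violations:", zone_violations(layout))
        print(label, "cross-zone domain paths:", cross_zone_domain_paths(layout))
```

The flat layout is flagged because the CAS shares the internal zone with the mailbox server and DC; the segmented layout passes the zone rule but yields one cross-zone domain path (CAS to DC), which is exactly the traffic that has to be filtered by protocol rather than waved through.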