[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 22:39:26 -0600

IPSec restrictions are nice, but why not get the same protection by
physical and logical segmentation?
 
Also, with IPSec, you don't get protocol inspection, and since RPC is an
issue in this circumstance, IPSec would actually hork our level of
security.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, January 10, 2007 8:14 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        

        If IPSec restrictions are deployed in the domain, you can do the
same thing without separating the host from the domain via firewalls.

        Since IPSec policies can be handled via GPO, manglement becomes
easier.

        The whole point using ISA to separate the Inet-facing host from
the Inet is that the attack surface is reduced to only that traffic that
ISA will allow to the Inet-facing host.  To me, this is lesser-priv than
trying to mitigate the results of traffic the Inet-facing host should
never have seen in the first place.

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Wednesday, January 10, 2007 8:04 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        If the host is in the same domain, traffic between the domain
member in the DMZ segment is limited to only the required traffic, not
all traffic. This is least priv. Since SMTP, NNTP, IRC, H.323, SIP,
etc., etc., aren't allowed from that segment to the other, we've locked
out those exploits. Plus, we have a device in the path between the two
security zones that is logging these attempts at illegitimate traffic and
can provide information for further analysis. If you have an
unencumbered path between the Internet facing host (which has a much
larger "attack surface") and the non-Internet facing host, then
you're violating least priv and asking for problems you needn't have.

         

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder
        Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
        MVP -- ISA Firewalls

         

                 

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Wednesday, January 10, 2007 7:52 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                What's the diff between allowing domain traffic to the
same DC you're trying to protect?

                The 1d10t cry of "what if it gets compromised?" is the
core issue in this question.

                A host belonging to a separate domain is one thing; a
member of  the internal domain is quite another.

                 

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Wednesday, January 10, 2007 7:45 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter
Networks

                 

                What's wrong with that? There is granularity of security
zone definitions and membership, even within a domain. Just like what
we've done with the FE Exchange Server, there are no qualitative or
quantitative differences here that I can tell.

                 

                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/> 
                Blog: http://blogs.isaserver.org/shinder
                Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> 
                MVP -- ISA Firewalls

                 

                         

________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                        Sent: Wednesday, January 10, 2007 7:11 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks

                        C'mon, Tim; I know what your deployment
recommendations are; this isn't it.

                        He wants to extend his domain via "remote
membership"; not create a separate domain.

                         

                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                        Sent: Wednesday, January 10, 2007 4:26 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks

                         

                        Because it's safer that way, that's why...
That's what an authenticated access DMZ perimeter is for- with a CAS
server that presents logon services to any Internet user, I would (and,
in fact, require) that the server be in a least-privileged authenticated
access perimeter network that limits that servers communications to the
minimum required for required functionality - and only to the hosts it
needs to talk to.
                        
                        Let's say there is a front-end implementation
issue or coding vulnerability: the CAS on the internal network would
allow unfettered, full-stack access to the internal network.  A CAS in a
perimeter DMZ would mitigate potential exposure in the event of a 0day
or configuration issue. 
                        
                        "Safer on the internal network" is a complete
misnomer when it comes to servers presenting services to an untrusted
network. 
                        
                        t
                        
                        
                        On 1/10/07 3:04 PM, "Jim Harrison"
<Jim@xxxxxxxxxxxx> spoketh to all:

                        Why would you want to place a member of your
internal domain in your DMZ, fer chrissakes?!?
                        Hosting any domain member in the DMZ is a
difficult proposition; especially where NAT is the order of the day.
                        You can either use a network shotgun at your
firewall or attempt to use your favorite VPN tunnel across the firewall
to the domain.
                        
                        Jim

                        
________________________________


                        From: isapros-bounce@xxxxxxxxxxxxx on behalf of
Jason Jones
                        Sent: Wed 1/10/2007 2:35 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks
                        
                        From what I can gather, the new CAS role now
uses RPC to communicate with the back-end (not sure of new name!)
servers so I am guessing that this is an "RPC isn't safe across
firewalls" type stance. Which I guess for a PIX, is a pretty true
statement.
                        
                        Just think how much safer the world will be when
firewalls can understand dynamic protocols like RPC...maybe one day
firewalls will even be able to understand and filter based upon RPC
interface...maybe one day... :-D ;-)
                        
                        Shame the Exchange team can't see how much ISA
changes the traditional approach to DMZ thinking...kinda makes you think
that both teams work for a different company :-(
                        Jason Jones | Silversands Limited | Desk: +44
(0)1202 360489 | Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 |
Email: jason.jones@xxxxxxxxxxxxxxxxx
<mailto:jason.jones@xxxxxxxxxxxxxxxxx>
                        
                         

                        
________________________________


                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
                        Sent: 10 January 2007 22:07
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: ISA, Exchange 2007 and
Perimeter Networks
                        
                        I seriously hope that they have taken different
paths and these are not limitations on the software or it is going to
mean a nice little redesign and break from custom..
                        
                        Greg

                        ----- Original Message ----- 
                        From: Jason Jones
<mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>
                        To: isapros@xxxxxxxxxxxxx 
                        Sent: Thursday, January 11, 2007 8:25 AM
                        Subject: [isapros] ISA, Exchange 2007 and
Perimeter Networks
                        
                        
                        Hi All, 
                        
                        I heard today from an Exchange MVP colleague
that members of the Exchange team (Scott Schnoll) are saying that they
(Microsoft) do not support placing the new Exchange 2007 Client Access
Server (like the old Exch2k3 FE role) role into a perimeter network. Has
anyone else heard the same? This sounds very similar to Exchange admins
of old when they didn't really understand modern application firewalls
like ISA could do - RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
                        
                        I have just about managed to convince Exchange
colleagues (and customers) of the value of placing Exchange FE servers
in a separate security zone from BE servers, DC's etc and now I hear
this...
                        
                        Are the Exchange team confusing the old
traditional DMZ's with what ISA can achieve with perimeter networks? 
                        
                        From what I believe, it is good perimeter
security practice to place servers which are Internet accessible into
different security zones than servers that are purely internal.
Therefore, the idea of placing Exchange 2003 FE servers in an ISA auth
access perimeter network with Exchange 2003 BE servers on the internal
network has always seemed like a good approach. It also follows a good
least privilege model. 
                        
                        Is this another example of the Exchange and ISA
teams following different paths???? 
                        
                        Please tell me that I am wrong and that I am not
going to have to start putting all Exchange roles, irrespective of
security risk, on the same network again!!!!
                        
                        Comments? 
                        
                        Cheers 
                        
                        JJ 

                        All mail to and from this domain is GFI-scanned.

