[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 11 Jan 2007 09:22:25 -0000

The trouble is Tom, if the Exchange team say not supported (exactly what
this means I am not totally sure) and then one of my customers goes to
PSS who says our ISA/Exchange deployment isn't supported, this puts us
in a very difficult position as an MS solution provider who designed the
solution...

Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile:
+44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

 


________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: 11 January 2007 03:38
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


Actually, an Internet facing host should NEVER be placed in the same
security zone as non-Internet facing hosts. Since the CAS is an Internet
facing host, it should be placed in a separate security zone, such as an
authenticated access DMZ. The Exchange guys hork another green one with
their doltish recommendations for the CAS -- no doubt due to their
abject lack of understanding of the heterogeneity of "DMZs".
 
Also, someone in this thread mixed up domain segmentation with network
physical and logical segmentation -- a common N00b error, since there is
no pre-defined relationship between the two.
 
I would never put the CAS on my non-Internet facing host zone, no matter
what the boneheads on the Exchange Team "think" -- heck, they're still
putting the ISA Firewall between two "firewalls" in their docs. Those
guys are the last ones I'd look to for guidance in network security (OK,
Syphco guys are *the* last, but the Exchange guys are barely in front of
them).
 
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, January 10, 2007 7:13 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
        
        

        Don't care; doesn't matter, misquoted.

        "Desirable" meaning "everyone wants to do it".

         

        Publishing RPC (MAPI) traffic is completely different from
splitting your domain membership across the firewall.

        There is *no* good reason to do this.

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
        Sent: Wednesday, January 10, 2007 4:30 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        Think you guys have completely misunderstood me, or I am amazed
at your responses.

         

        We are not talking about ANY firewall here, we are talking about
ISA...one of the key advantages of ISA is that you can create perimeter
networks even for domain members as ISA can perform RPC and other app
filtering. Hence you can move domain members that represent more of a
security risk away from other domain member servers.  

         

        Based upon your answers, you must all be in disagreement then
with the models proposed by Tom for Exchange and network services
protection????

        http://www.isaserver.org/articles/2004multidmzp1.html

        
http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-S
egment-Perimeter-Firewall-Part1.html

         

        If so, I am very surprised.

         

        I posted here in August with a least privilege model for
Exchange security which placed Exchange FE's, BE's and DC's into ISA
perimeter networks and got good feedback - what the hell is going on????

         

        Jim's quote "Ah, yes. While this is a desirable design, it's
also a very difficult one."

        Steve's quote "Hat's off to you for being committed to deploying
security-in-depth with least-privilege and not acquiescing to the
"whatever works" mentality.
        I know it's a hard thing to deploy and support.  While I have a
similar topology, I only separate the clients from the servers with an
infrastructure ISA box- not the BE's from the DC's; they're on the same
"protected" network." 

        Totally confused guys :-(

         

         

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: 10 January 2007 23:08
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        That's what I said........

         

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Wednesday, January 10, 2007 7:04 PM
        To: isapros@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

         

        Why would you want to place a member of your internal domain in
your DMZ, fer chrissakes?!?

        Hosting any domain member in the DMZ is a difficult proposition;
especially where NAT is the order of the day.

        You can either use a network shotgun at your firewall or attempt
to use your favorite VPN tunnel across the firewall to the domain.

         

        Jim

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
        Sent: Wed 1/10/2007 2:35 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        From what I can gather, the new CAS role now uses RPC to
communicate with the back-end (not sure of new name!) servers so I am
guessing that this is an "RPC isn't safe across firewalls" type stance.
Which I guess for a PIX, is a pretty true statement.

         

        Just think how much safer the world will be when firewalls can
understand dynamic protocols like RPC...maybe one day firewalls will
even be able to understand and filter based upon RPC interface...maybe
one day... :-D ;-)

         

        Shame the Exchange team can't see how much ISA changes the
traditional approach to DMZ thinking...kinda makes you think that both
teams work for a different company :-(

        Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 |
Mobile: +44 (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

         

         

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
        Sent: 10 January 2007 22:07
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

        I seriously hope that they have taken different paths and these
are not limitations on the software or it is going to mean a nice little
redesign and break from custom..

         

        Greg

                ----- Original Message ----- 

                From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>


                To: isapros@xxxxxxxxxxxxx 

                Sent: Thursday, January 11, 2007 8:25 AM

                Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks

                 

                Hi All, 

                I heard today from an Exchange MVP colleague that
members of the Exchange team (Scott Schnoll) are saying that they
(Microsoft) do not support placing the new Exchange 2007 Client Access
Server (like the old Exch2k3 FE role) role into a perimeter network. Has
anyone else heard the same? This sounds very similar to Exchange admins
of old who didn't really understand what modern application firewalls
like ISA could do - RPC filter anyone???
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b

                I have just about managed to convince Exchange
colleagues (and customers) of the value of placing Exchange FE servers
in a separate security zone from BE servers, DC's etc and now I hear
this...

                Are the Exchange team confusing the old traditional
DMZ's with what ISA can achieve with perimeter networks? 

                From what I believe, it is good perimeter security
practice to place servers which are Internet accessible into different
security zones than servers that are purely internal. Therefore, the
idea of placing Exchange 2003 FE servers in an ISA auth access perimeter
network with Exchange 2003 BE servers on the internal network has always
seemed like a good approach. It also follows a good least privilege
model. 

                Is this another example of the Exchange and ISA teams
following different paths???? 

                Please tell me that I am wrong and that I am not going
to have to start putting all Exchange roles, irrespective of security
risk, on the same network again!!!!

                Comments? 

                Cheers 

                JJ 

                 

        All mail to and from this domain is GFI-scanned.
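The thread keeps coming back to one technical claim: an application-layer firewall such as ISA can filter RPC "based upon RPC interface", which is what makes a CAS-to-mailbox rule across a perimeter network defensible where a port-based firewall would have to open the whole dynamic RPC range. The following Python is an added illustration of how that decision is made; it is not ISA Server code and not code from any participant in the thread. It parses a connection-oriented DCE/RPC bind PDU, extracts the interface UUID and version of every presentation context, and allows the bind only if each requested interface is on an allow-list. The EMSMDB interface id a4f1db00-ca47-1067-b31f-00dd010662da and its version 0.81 are taken from Microsoft's MS-OXCRPC specification; the allow-list, the "CAS to mailbox" policy name, the sample PDUs and the second, unknown interface version are constructed for the example. The parser deliberately handles only the little-endian, unfragmented, unauthenticated bind that Windows clients send, and denies anything it cannot parse, which is the fail-closed behaviour a filter in this position needs.

```python
"""Illustrative DCE/RPC bind filter in the spirit of ISA's RPC filter.
Added example for this thread; not ISA Server code."""
import struct
import uuid

DCERPC_VERSION = 5
PTYPE_BIND = 11          # connection-oriented PDU type "bind"
FRAG_FIRST_LAST = 0x03   # pfc_flags for an unfragmented request

# Exchange store (EMSMDB) interface id and version 0.81, as published in MS-OXCRPC.
EMSMDB_IFACE = uuid.UUID("a4f1db00-ca47-1067-b31f-00dd010662da")
# NDR transfer syntax v2.0, used only to build the constructed sample PDUs.
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# Constructed allow-list: the only interface a CAS-to-mailbox rule should carry.
# (The policy and its name are assumptions for the example, not an ISA rule set.)
CAS_TO_MAILBOX_ALLOW = {(EMSMDB_IFACE, 0, 81)}


def build_bind(call_id, contexts):
    """Construct a little-endian DCE/RPC bind PDU requesting the given
    (interface uuid, major, minor) presentation contexts. Test data only."""
    # max_xmit_frag, max_recv_frag, assoc_group_id, n_context_elem, reserved, reserved2
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(contexts), 0, 0)
    for ctx_id, (iface, major, minor) in enumerate(contexts):
        body += struct.pack("<HBB", ctx_id, 1, 0)        # one transfer syntax
        body += iface.bytes_le + struct.pack("<HH", major, minor)
        body += NDR32.bytes_le + struct.pack("<HH", 2, 0)
    # rpc_vers, rpc_vers_minor, ptype, pfc_flags, packed_drep, frag_length, auth_length, call_id
    header = struct.pack("<BBBB4sHHI", DCERPC_VERSION, 0, PTYPE_BIND, FRAG_FIRST_LAST,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


def parse_bind_interfaces(pdu):
    """Return [(uuid, major, minor), ...] for every presentation context in a
    bind PDU. Only little-endian data representation (what Windows sends) and
    unfragmented, unauthenticated binds are handled; anything else raises."""
    if len(pdu) < 28:
        raise ValueError("PDU shorter than bind header")
    vers, _vers_minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    drep = pdu[4:8]
    frag_length, auth_length, _call_id = struct.unpack_from("<HHI", pdu, 8)
    if vers != DCERPC_VERSION or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind")
    if not (drep[0] & 0x10):
        raise ValueError("big-endian data representation not supported")
    if (flags & FRAG_FIRST_LAST) != FRAG_FIRST_LAST or auth_length != 0:
        raise ValueError("fragmented or authenticated bind not handled")
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx = pdu[24]
    offset, contexts = 28, []
    for _ in range(n_ctx):
        if len(pdu) < offset + 24:
            raise ValueError("truncated presentation context")
        _ctx_id, n_transfer = struct.unpack_from("<HB", pdu, offset)
        iface = uuid.UUID(bytes_le=pdu[offset + 4:offset + 20])
        major, minor = struct.unpack_from("<HH", pdu, offset + 20)
        contexts.append((iface, major, minor))
        offset += 24 + 20 * n_transfer   # skip the transfer syntax list
        if offset > len(pdu):
            raise ValueError("truncated transfer syntax list")
    return contexts


def filter_bind(pdu, allowed):
    """Firewall decision for one bind PDU: ('allow', reason) or ('deny', reason).
    Malformed input is denied rather than passed through."""
    try:
        contexts = parse_bind_interfaces(pdu)
    except ValueError as err:
        return ("deny", f"malformed bind: {err}")
    if not contexts:
        return ("deny", "bind carries no presentation context")
    for iface, major, minor in contexts:
        if (iface, major, minor) not in allowed:
            return ("deny", f"interface {iface} v{major}.{minor} not permitted")
    return ("allow", f"{len(contexts)} permitted interface(s)")


if __name__ == "__main__":
    good = build_bind(1, [(EMSMDB_IFACE, 0, 81)])
    wrong_version = build_bind(2, [(EMSMDB_IFACE, 0, 80)])   # constructed, not a real version
    for sample in (good, wrong_version, good[:40]):
        print(filter_bind(sample, CAS_TO_MAILBOX_ALLOW))
```

The point of the allow-list being keyed on (interface, version) rather than on a TCP port is the whole difference between the "RPC isn't safe across firewalls" stance and what Jason is describing: the endpoint mapper hands out dynamic ports, but the bind PDU names the interface, so the policy can be written in terms of what the CAS is actually permitted to call on the mailbox server. A production filter would additionally track the endpoint-mapper exchange, handle fragmented and authenticated binds, and inspect alter_context PDUs, which can add interfaces after the initial bind.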