[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 12 Jan 2007 09:11:18 +1100

Re: [isapros] Re: ISA, Exchange 2007 and Perimeter NetworksOh hell no.. please 
dont! they are hideous
  ----- Original Message ----- 
  From: Thor (Hammer of God) 
  To: isapros@xxxxxxxxxxxxx 
  Sent: Friday, January 12, 2007 6:41 AM
  Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks


  Hey Gerald- your last couple of posts all came in as base64 encoded text.  
Was that on purpose?  Just didn't want to approve the post if you were sending 
out naked pictures of Steve or something...

  t


  On 1/11/07 9:09 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:


    I always saw it as "initiation by fire". J


    Cordially yours,
    Jerry G. Young II
    Product Engineer - Senior
    Platform Engineering, Enterprise Hosting
    NTT America, an NTT Communications Company
     
    22451 Shaw Rd.
    Sterling, VA 20166
     
    Office: 571-434-1319
    Fax: 703-333-6749
    Email: g.young@xxxxxxxx
     

    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
    Sent: Thursday, January 11, 2007 11:46 AM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

    "Overly poky."  Kind of hard for me to argue with that one :-p

    t


    On 1/11/07 7:09 AM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> 
spoketh to all:
    Jason don't get discouraged. The changes in Exchange are monumental so 
there are bound to be disagreements and changes of opinion on how to best 
secure it. The concept of an authenticated access DMZ in a separate security 
zone allowing only a very minimal set of protocols is a completely foreign 
concept to 99% of firewall admins out there. That fact you are even thinking 
about this stuff put you in an elite class. The rest are still poking holes and 
setting up VLANs. 
     
    Tom, Thor and Jim can be a bit clubby and a little overly poky to new 
comers. It's a twitch they developed after participating on the ISA server 
mailing list. It got worse when they decided to join a general purpose SBS 
list. I'm not sure that they'll ever completely recover.  
     

    Amy 
     

     
      


----------------------------------------------------------------------------


    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
    Sent: Thursday, January 11, 2007 5:47 AM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

    Wish I had never asked now...sometimes, some of you guys really don't make 
it easy for new people to try express their views and pose questions for 
comment without being slapped down. One minute I am being labelled as an 
"idiot" for my comments/views, the next minute someone else who says the same 
thing as me is now right and not challenged. What gives?  

    I know many of you guys don't know me from Adam, but kinda unfair to just 
assume I know jack about ISA and secure network design just because I'm not 
"part of the club".


    Anyhow, thanks to Tim and Tom for seeming to share my disappointment with 
the decision made by the Exchange 2007 team...I think I need to try and find 
out how "official" their lack of support with 2k7 is going to be before I can 
continue recommending the least privilege model I have been using for Exchange 
2003.




----------------------------------------------------------------------------


    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
    Sent: 11 January 2007 04:30
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
    ..maybe I'm just tired.
    I spent two hours trying to get home tonight and I'm clearly not in my mind 
(right or otherwise).
    Forget I wrote and we'll start over tomorrow.


    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
    Sent: Wednesday, January 10, 2007 8:18 PM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

    That's exactly what I'm talking about.  And precisely the configuration I 
deploy:

    My FE is in the authenticated segment of the DMZ - and a member of my 
internal domain; however, the "recommended protocols" the Exchange group 
recommends are not necessary- and thus, Steve's contention that "CIFS and all 
that other stuff... Might as well just be internal" I reject.  I only allow 
Kerberos-Sec, LDAP, LDAP GC, Ping and DNS only from my FE to the internal DC's. 
 And only HTTP to the BE's.  

    Even if the other prots WERE required, it would still be far smarter to 
deploy the FE in the authenticated DMZ with limited access than to just give 
full stack access to the ENTIRE internal network.   This is a deployment of a 
services made available (initially) to a global, anonymous, untrusted network. 

    Maybe I'm not properly articulating my point, but I have to say I'm really 
surprised that we are having this conversation...

    t


    On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
    C'mon, Tim; I know what your deployment recommendations are; this isn't it.
    He wants to extend his domain via "remote membership"; not create a 
separate domain.
     

    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] 
<mailto:isapros-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thor (Hammer of God)
    Sent: Wednesday, January 10, 2007 4:26 PM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
     
    Because it's safer that way, that's why... That's what an authenticated 
access DMZ perimeter is for- with a CAS server that presents logon services to 
any Internet user, I would (and, in fact, require) that the server be in a 
least-privileged authenticated access perimeter network that limits that 
servers communications to the minimum required for required functionality - and 
only to the hosts it needs to talk to.

    Let's say there is a front-end implementation issue or coding 
vulnerability: the CAS on the internal network would allow unfettered, 
full-stack access to the internal network.  A CAS in a perimeter DMZ would 
mitigate potential exposure in the event of a 0day or configuration issue. 

    "Safer on the internal network" is a complete misnomer when it comes to 
servers presenting services to an untrusted network. 

    t


    On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
    Why would you want to place a member of your internal domain in your DMZ, 
fer chrissakes?!?
    Hosting any domain member in the DMZ is a difficult proposition; especially 
where NAT is the order of the day.
    You can either use a network shotgun at your firewall or attempt to use 
your facvorite VPN tunnel across the firewall to the domain.

    Jim 




----------------------------------------------------------------------------



    From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
    Sent: Wed 1/10/2007 2:35 PM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

    From what I can gather, the new CAS role now uses RPC to communicate with 
the back-end (not sure of new name!) servers so I am guessing that this is an 
"RPC isn't safe across firewalls" type stance. Which I guess for a PIX, is a 
pretty true statement.

    Just think how much safer the world will be when firewalls can understand 
dynamic protocols like RPC...maybe one day firewalls will even be able to 
understand and filter based upon RPC interface...maybe one day... :-D ;-)

    Shame the Exchange team can't see how much ISA changes the traditional 
approach to DMZ thinking...kinda makes you think that both teams work for a 
different company :-(
    Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 
(0)7971 500312 | Fax: +44 (0)1202 360900 | Email: jason.jones@xxxxxxxxxxxxxxxxx 
<mailto:jason.jones@xxxxxxxxxxxxxxxxx> 

      




----------------------------------------------------------------------------


    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] 
<mailto:isapros-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Greg Mulholland
    Sent: 10 January 2007 22:07
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks

    I seriously hope that they have take different paths and these are not 
limitations on the software or it is going to mean a nice little redesign and 
break from custom..

    Greg
    ----- Original Message ----- 
    From: Jason Jones <mailto:Jason.Jones@xxxxxxxxxxxxxxxxx>  
    To: isapros@xxxxxxxxxxxxx 
    Sent: Thursday, January 11, 2007 8:25 AM
    Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks


    Hi All, 

    I heard today from an Exchange MVP colleague that members of the Exchange 
team (Scott Schnoll) are saying that they (Microsoft) do not support placing 
the new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role 
into a perimeter network. Has anyone else heard the same? This sounds very 
similar to Exchange admins of old when they didn't really understand modern 
application firewalls like ISA could do - RPC filter anyone??? 
http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
 
<http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=2&amp;hl=en#4db165c21599cf9b>
 
<http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=2&amp;hl=en#4db165c21599cf9b>
 
<http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=2&amp;hl=en#4db165c21599cf9b>
 
<http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&amp;q=cas+dmz+isa&amp;rnum=2&amp;hl=en#4db165c21599cf9b>
 

    I have just about managed to convince Exchange colleagues (and customers) 
of the value of placing Exchange FE servers in a separate security zone from BE 
servers, DC's etc and now I here this.

    Are the Exchange team confusing the old traditional DMZ's with what ISA can 
achieve with perimeter networks? 

    From what I believe, it is good perimeter security practice to place 
servers which are Internet accessible into different security zones than 
servers that are purely internal. Therefore, the idea of placing Exchange 2003 
FE servers in an ISA auth access perimeter network with Exchange 2003 BE 
servers on the internal network has always seemed like a good approach. It also 
follows a good least privilege model. 

    Is this another example of the Exchange and ISA teams following different 
paths???? 

    Please tell me that I am wrong and that I am not going to have to start 
putting all Exchange roles, irrespective of security risk, on the same network 
again!!!!

    Comments? 

    Cheers 

    JJ 


    All mail to and from this domain is GFI-scanned. 




     

      


    All mail to and from this domain is GFI-scanned. 






    All mail to and from this domain is GFI-scanned.

Other related posts:

  1. Home
  2. isapros
  3. Archive
  4. 01-2007