[isapros] Re: ISA, Exchange 2007 and Perimeter Networks

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 12 Jan 2007 09:39:12 -0800

Hmm.  Looks like it was fine.  I'll post the other.

t


On 1/12/07 9:00 AM, "Gerald G. Young" <g.young@xxxxxxxx> spoketh to all:

> If it’s participating in the domain, add the subnet to AD, especially if you
> have more than one AD site (I consider this a best practice).  A lot of funny
> things can occur with Active Directory aware applications when they can’t tell
> which site they belong to.  Exchange (2003), for instance, won’t start an
> information store.
> 
> Cordially yours,
> Jerry G. Young II
> Product Engineer - Senior
> Platform Engineering, Enterprise Hosting
> NTT America, an NTT Communications Company
> 
> 22451 Shaw Rd.
> Sterling, VA 20166
> 
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Friday, January 12, 2007 6:53 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Either way, I think the idea of an intranet CAS and extranet CAS is probably a
> good approach - the extranet CAS one would assume could then go into the auth
> access perimeter network whilst the intranet one could stay on the LAN. In
> this model, each CAS has a different security risk and hence could be put into
> different security zones.
>  
> Would it be such a bad thing to add the perimeter subnet to the AD site? It
> will have domain members in it after all...
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx
>  
> 
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 12 January 2007 05:35
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> Doing a little bit more reading, the only thing I can think might be the reason
> is that apparently each mailbox server needs to have a CAS server in its AD
> site. Therefore they recommend you keep the CAS box on the same LAN. Also in
> multi domain environments this would add more design considerations. Also in
> larger environments you might need 2 CAS boxes, one for internal users and one
> for external users, for the sake of keeping outbound LAN access out of the DMZ
> or better design.
>  
> But I'm not sure about the whole idea of the "swiss cheese" argument. Seems a
> bit like flogging a dead horse to me..I don't see how or why it wouldn't work
> in the DMZ environment.
>  
> greg
>  
>  
> ----- Original Message -----
> From: Thomas W Shinder
> To: isapros@xxxxxxxxxxxxx
> Sent: Friday, January 12, 2007 3:22 PM
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> WORD!
> 
> I’ll gladly join you in that public nut-kicking when the time comes.  What I
> want to understand first is what are the protocol requirements for the CAS to
> the back-end components, and what their rationale is for making the statements
> that have been reported so far. They might have a good point, and if they have
> it, I want to hear it. But if the point is “it’s too hard” or “I don’t
> understand network security, I just say what my boss tells me to say” or “I’m
> on the take with Syphco” then those aren’t valid and body parts will deserve
> some shaking up in the public square. The least they can do is state “we don’t
> have the time or inclination to show you how to provide the highest level of
> network security, but it is possible to do it right, we’re just not going to
> show you how to do it” as a disclaimer. With that, we can then go ahead and
> help those who want to be helped ☺
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Thursday, January 11, 2007 6:40 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> It may be just this type of “beating it to death” that is required to get the
> Exchange group’s attention.  I don’t really care if they don’t support
> “perimeter network” deployments as long as ISA is an exception.  I have every
> intention to ensure that an ISA authenticated perimeter network DMZ segment
> “in front” of the CAS server is fully supported if the proper protocols are
> allowed.  I will make sure to press them into officially stating why it is not
> supported.  Even so, if they try that, I will publicly kick them in the nuts.
> 
> t
> 
> 
> On 1/11/07 4:15 PM, "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx> spoketh to all:
> Hi Amy,
> 
> I am not really sure for their reasoning, but think it is based around the
> "Swiss cheese", don't pass intradomain traffic across a normal firewall
> argument.
> 
> Sorry, my bad for using the term DMZ, the exact phrase used by Scholl is "It's
> true. The Client Access Server (CAS), which among other things includes the
> OWA feature, is not supported in a perimeter network (aka a DMZ).  Instead
> you'll deploy one or more CASs inside your organization and put a robust
> firewall such as ISA 2006 in front of it." I am guessing from experience of
> other Exchange team recommendations that when they say perimeter network they
> really mean a traditional DMZ which is created using traditional packet filter
> firewalls. The recommended deployment is to put the CAS on the internal
> network e.g. on the same network as the Exchange back-end servers. Once the
> CAS is on the internal network, it should then be published to the Internet
> using ISA.
> 
> This design is fine if you want a simple open network where all servers exist
> in the same security zone and hence all trust each other, but many people are
> now trying to better this design by placing different types of servers into
> different security zones based upon their risk level and internet presence -
> say hello to the ISA auth access perimeter network! ;-)
> 
> Basically I think it all harks back to the "don't put domain members in a DMZ"
> mantra which is a pretty fair statement when using PF firewalls like PIX, but
> things have moved on as least privilege authenticated access perimeter
> networks with ISA are now getting advanced enough to challenge this argument.
> Maybe the difference between a PIX firewall and ISA firewall is just too
> subtle for some people???
> 
> Think we have done this to death now!! - be very surprised if the Exchange
> team go back on these types of statements though. I remember Tom banging his
> head against a brick wall with Henrik based upon one of his MSExchange.org
> articles which said "not in the DMZ" type statements.
> 
> JJ
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Amy Babinchak
> Sent: 11 January 2007 23:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Jason,
>  
> What’s the reasoning behind CAS not in the DMZ? Where do they want it? Hanging
> nude off the router? Behind a firewall?
>  
> If the latter, then just drop the outdated DMZ language. Most firewall admins
> think that DMZ means nude off the other port on my NAT box. Your least priv
> design puts CAS safely behind a firewall.
>  
> 
> Amy Babinchak
> Harbor Computer Services
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Thursday, January 11, 2007 5:58 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Thanks Amy - maybe I am being a little oversensitive, just didn't expect some
> of the initial responses.
> 
> I tend to avoid most of the main mailing lists, probably for similar reasons
> as others, and I tend to hang out at isaserver.org 95% of the time. Hence
> maybe why only Tom (and Stefan) tend to see my input and views on stuff.
> 
> Tom invited me to this list as he felt it would be a good place for me to pose
> all the questions that he can't answer or go unreplied on isaserver.org
> 
> I really do value the combined "ISA brain power" here, but just think it could
> be a little more forgiving and friendly at times...having said that I have
> found answers here that I just couldn't get elsewhere, so don't misunderstand
> me as ungrateful.
> 
> Anyhow back to the "core issue", from what I am hearing from Exchange MVP
> contacts, MS are playing the "CAS in a DMZ is totally unsupported" tune very
> strongly. This is a real shame as it looks like I will never be able to deploy
> the existing least privilege design with Exchange 2007 without fear of
> customers coming back to us after trying to log PSS calls or getting other
> non-ISA firewall guys in who slate the design...oh well, at least ISA will
> still be involved to some degree, just not as cool as it could be...
> 
> JJ  
> 
> 
>   
> ________________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Amy Babinchak
> Sent: 11 January 2007 15:09
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> Jason don’t get discouraged. The changes in Exchange are monumental so there
> are bound to be disagreements and changes of opinion on how to best secure it.
> The concept of an authenticated access DMZ in a separate security zone
> allowing only a very minimal set of protocols is a completely foreign concept
> to 99% of firewall admins out there. The fact that you are even thinking about
> this stuff puts you in an elite class. The rest are still poking holes and
> setting up VLANs.
>  
> Tom, Thor and Jim can be a bit clubby and a little overly poky to newcomers.
> It’s a twitch they developed after participating on the ISA server mailing
> list. It got worse when they decided to join a general purpose SBS list. I’m
> not sure that they’ll ever completely recover.
>  
> 
> Amy 
>  
> 
>  
>  
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones
> Sent: Thursday, January 11, 2007 5:47 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> Wish I had never asked now...sometimes, some of you guys really don't make it
> easy for new people to try to express their views and pose questions for comment
> without being slapped down. One minute I am being labelled as an "idiot" for
> my comments/views, the next minute someone else who says the same thing as me
> is now right and not challenged. What gives?
> 
> I know many of you guys don't know me from Adam, but kinda unfair to just
> assume I know jack about ISA and secure network design just because I'm not
> "part of the club".
> 
> 
> Anyhow, thanks to Tim and Tom for seeming to share my disappointment with the
> decision made by the Exchange 2007 team...I think I need to try and find out
> how "official" their lack of support with 2k7 is going to be before I can
> continue recommending the least privilege model I have been using for Exchange
> 2003.
> ________________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: 11 January 2007 04:30
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> ..maybe I’m just tired…
> I spent two hours trying to get home tonight and I’m clearly not in my mind
> (right or otherwise).
> Forget I wrote and we’ll start over tomorrow…
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 8:18 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> That’s exactly what I’m talking about.  And precisely the configuration I
> deploy:
> 
> My FE is in the authenticated segment of the DMZ – and a member of my internal
> domain; however, the “recommended protocols” the Exchange group recommends are
> not necessary- and thus, Steve’s contention that “CIFS and all that other
> stuff... Might as well just be internal” I reject.  I only allow Kerberos-Sec,
> LDAP, LDAP GC, Ping and DNS only from my FE to the internal DC’s.  And only
> HTTP to the BE’s.
> 
> Even if the other prots WERE required, it would still be far smarter to deploy
> the FE in the authenticated DMZ with limited access than to just give full
> stack access to the ENTIRE internal network.   This is a deployment of a
> service made available (initially) to a global, anonymous, untrusted network.
> 
> Maybe I’m not properly articulating my point, but I have to say I’m really
> surprised that we are having this conversation...
> 
> t
> 
> 
> On 1/10/07 7:10 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> C’mon, Tim; I know what your deployment recommendations are; this isn’t it.
> He wants to extend his domain via “remote membership”; not create a separate
> domain.
>  
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Wednesday, January 10, 2007 4:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
>  
> Because it’s safer that way, that’s why... That’s what an authenticated access
> DMZ perimeter is for— with a CAS server that presents logon services to any
> Internet user, I would (and, in fact, require) that the server be in a
> least-privileged authenticated access perimeter network that limits that
> server’s communications to the minimum required for required functionality –
> and only to the hosts it needs to talk to.
> 
> Let’s say there is a front-end implementation issue or coding vulnerability:
> the CAS on the internal network would allow unfettered, full-stack access to
> the internal network.  A CAS in a perimeter DMZ would mitigate potential
> exposure in the event of a 0day or configuration issue.
> 
> “Safer on the internal network” is a complete misnomer when it comes to
> servers presenting services to an untrusted network.
> 
> t
> 
> 
> On 1/10/07 3:04 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> Why would you want to place a member of your internal domain in your DMZ, fer
> chrissakes?!?
> Hosting any domain member in the DMZ is a difficult proposition; especially
> where NAT is the order of the day.
> You can either use a network shotgun at your firewall or attempt to use your
> favorite VPN tunnel across the firewall to the domain.
> 
> Jim 
> ________________________________________
> 
> 
> From: isapros-bounce@xxxxxxxxxxxxx on behalf of Jason Jones
> Sent: Wed 1/10/2007 2:35 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> From what I can gather, the new CAS role now uses RPC to communicate with the
> back-end (not sure of new name!) servers so I am guessing that this is an "RPC
> isn't safe across firewalls" type stance. Which I guess for a PIX, is a pretty
> true statement.
> 
> Just think how much safer the world will be when firewalls can understand
> dynamic protocols like RPC...maybe one day firewalls will even be able to
> understand and filter based upon RPC interface...maybe one day... :-D ;-)
> 
> Shame the Exchange team can't see how much ISA changes the traditional
> approach to DMZ thinking...kinda makes you think that both teams work for a
> different company :-(
> Jason Jones | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44
> (0)7971 500312 | Fax: +44 (0)1202 360900 | Email:
> jason.jones@xxxxxxxxxxxxxxxxx
> 
>   
> ________________________________________
> 
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland
> Sent: 10 January 2007 22:07
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA, Exchange 2007 and Perimeter Networks
> 
> I seriously hope that they have taken different paths and these are not
> limitations on the software or it is going to mean a nice little redesign and
> break from custom..
> 
> Greg
> ----- Original Message -----
> From: Jason Jones
> To: isapros@xxxxxxxxxxxxx
> Sent: Thursday, January 11, 2007 8:25 AM
> Subject: [isapros] ISA, Exchange 2007 and Perimeter Networks
> 
> 
> Hi All, 
> 
> I heard today from an Exchange MVP colleague that members of the Exchange team
> (Scott Schnoll) are saying that they (Microsoft) do not support placing the
> new Exchange 2007 Client Access Server (like the old Exch2k3 FE role) role
> into a perimeter network. Has anyone else heard the same? This sounds very
> similar to Exchange admins of old when they didn't really understand modern
> application firewalls like ISA could do - RPC filter anyone???
> http://groups.google.co.uk/group/microsoft.public.exchange.design/browse_thread/thread/4ecab9cb8e50015e/4db165c21599cf9b?lnk=st&q=cas+dmz+isa&rnum=2&hl=en#4db165c21599cf9b
> 
> I have just about managed to convince Exchange colleagues (and customers) of
> the value of placing Exchange FE servers in a separate security zone from BE
> servers, DC's etc and now I hear this…
> 
> Are the Exchange team confusing the old traditional DMZ's with what ISA can
> achieve with perimeter networks?
> 
> From what I believe, it is good perimeter security practice to place servers
> which are Internet accessible into different security zones than servers that
> are purely internal. Therefore, the idea of placing Exchange 2003 FE servers
> in an ISA auth access perimeter network with Exchange 2003 BE servers on the
> internal network has always seemed like a good approach. It also follows a
> good least privilege model.
> 
> Is this another example of the Exchange and ISA teams following different
> paths???? 
> 
> Please tell me that I am wrong and that I am not going to have to start
> putting all Exchange roles, irrespective of security risk, on the same network
> again!!!!
> 
> Comments? 
> 
> Cheers 
> 
> JJ 
> All mail to and from this domain is GFI-scanned.
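The least-privilege rule set Thor describes in the thread (Kerberos, LDAP, LDAP GC, ping and DNS from the FE to the internal DCs, and only HTTP to the BEs) is the kind of policy a defender wants to verify against what the perimeter CAS actually talks to. The checker below is an added example, not code from the list or from any Microsoft product; the host addresses, role inventory and log line format are constructed assumptions.

```python
"""Flow checker for a perimeter CAS/FE under a least-privilege rule set:
Kerberos, LDAP, LDAP GC, ping and DNS to the DCs, HTTP to the back-end.
Inventory, addresses and log format are constructed for this example."""
from dataclasses import dataclass

# Constructed inventory: which hosts play which role.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
BACKEND_SERVERS = {"10.0.0.20"}
PERIMETER_CAS = {"192.168.100.5"}

# Allowed (protocol, destination port) per destination role.
# ICMP echo request is represented as type 8 in the port field.
ALLOWED_TO_DC = {("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 3268),
                 ("tcp", 53), ("udp", 53), ("icmp", 8)}
ALLOWED_TO_BE = {("tcp", 80)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<ts> <src> -> <dst> <proto>/<port>'."""
    _ts, src, _arrow, dst, svc = line.split()
    proto, port = svc.split("/")
    return Flow(src, dst, proto.lower(), int(port))

def allowed(flow: Flow) -> bool:
    """True if the flow is within the least-privilege rule set."""
    if flow.src not in PERIMETER_CAS:
        return True  # this policy only constrains the perimeter CAS
    key = (flow.proto, flow.dport)
    if flow.dst in DOMAIN_CONTROLLERS:
        return key in ALLOWED_TO_DC
    if flow.dst in BACKEND_SERVERS:
        return key in ALLOWED_TO_BE
    return False  # any other internal host: no access at all

def violations(log_lines):
    """Return the flows that fall outside the rule set, in log order."""
    return [f for f in map(parse_flow, log_lines) if not allowed(f)]

# Constructed sample log. The last three lines are the "full-stack" reach a
# CAS on a flat internal network would have, which the perimeter design denies.
SAMPLE_LOG = [
    "2007-01-12T09:00:01 192.168.100.5 -> 10.0.0.10 tcp/88",
    "2007-01-12T09:00:02 192.168.100.5 -> 10.0.0.10 tcp/3268",
    "2007-01-12T09:00:03 192.168.100.5 -> 10.0.0.20 tcp/80",
    "2007-01-12T09:00:04 192.168.100.5 -> 10.0.0.10 tcp/445",
    "2007-01-12T09:00:05 192.168.100.5 -> 10.0.0.20 tcp/135",
    "2007-01-12T09:00:06 192.168.100.5 -> 10.0.0.30 tcp/3389",
]

if __name__ == "__main__":
    for v in violations(SAMPLE_LOG):
        print(f"VIOLATION {v.src} -> {v.dst} {v.proto}/{v.dport}")
```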