Educause Security Discussion mailing list archives
Re: ISA Server for Microsoft Exchange
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Thu, 23 Oct 2008 10:29:56 -0700
This recommendation comes from one of the core principles of network design which involves implementing security domains within your infrastructure. You should never host Internet facing services from your internal network because if a service hosted on your internal network is compromised from the Internet, the compromise could spread to the rest of the internal network. The business argument can be that if there is anything on your internal network that you care about protecting from outside attackers (file shares, workstations, databases etc), you need to design your network in a secure manner that minimizes the chances a hacker can get to those internal resources.

That is the quick summary, read on for the more detailed summary which I wouldn't necessarily give to management, but will hopefully make you more persuasive in your argument.

What you should strive to do is have all Internet facing services hosted in a DMZ or restricted zone so that if one of the services is compromised from the Internet, the compromised system will only have limited access to your internal network. This will help prevent an attacker from compromising additional systems and data on your internal network.

A Microsoft Exchange server is very difficult to put in the DMZ effectively because it requires a high level of connectivity to systems in its domain, especially the domain controller. So while you could place an Exchange server into the DMZ, it would be somewhat pointless because you would have to allow a lot of traffic from the DMZ to the internal network which somewhat defeats the purpose of having a restricted DMZ. That is why Microsoft recommends publishing Exchange and Outlook Web Access through an ISA server. The ISA server can sit in the DMZ and pass Outlook Web Access (OWA) and Exchange connections through the DMZ to the Exchange server on the internal network.
ISA servers are also designed to be more secure than Exchange servers so there is a lower likelihood that an ISA server would be compromised from an attack over the Internet.

I have had to explain this exact concept to non-technical audiences multiple times and it can be somewhat difficult but I think there are a few things that you can highlight to get people to buy in.

1) Microsoft itself recommends publishing OWA and Exchange through an ISA server.

2) Every network-based application could be hacked due to programming problems and this is a way to minimize the probability that your mail server will get hacked and a good way to reduce the impact if it does get attacked.

If your audience isn't familiar with the concept of a firewall/DMZ, it is usually not a bad idea to draw that out for them as well and show the difference between only having 2 security zones (Internet and your internal network) versus 3 security zones (Internet, DMZ and your internal network). With only 2 security zones the hacker gets straight into your network, while with 3 security zones they have to go through the systems in the DMZ first, which is where they will hopefully get bogged down and prevented from getting to your internal network.

There is much more that could be said on this topic, but I think these are the core principles that should be understood by you and conveyed to them in a way that is digestible. Please let me know if something is not clear or I explained things in a confusing manner.

Best of luck!

-Adam

Connie Sadler wrote:
> I am told that we need an ISA Server for Microsoft Exchange. I am asking for the Reader's Digest condensed "english" explanation, but I am having a hard time getting it. :) Can anyone here offer an explanation that will help me to create a business case for this - for a non-technical audience? There is a lot of info on the web, but nothing pops out as useful. I need a translation from techno-speak to executive business need. Thanks!
>
> Connie Sadler
> CISO, Lucile Packard Children's Hospital at Stanford
--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu
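The three designs Adam contrasts (OWA published straight from an internal Exchange server, Exchange itself placed in the DMZ, and ISA in the DMZ forwarding OWA to an internal Exchange server) can be compared with a small reachability model. The following is an added example, not code from the thread or from any Microsoft product; the host names, zones, and firewall rules are constructed, and the "blast radius" metric (how many hosts an attacker must chain through to reach something) is an assumption of the model, not a claim from the post.

```python
"""Blast-radius comparison of the designs discussed in the thread.

Constructed model (an added example, not from the thread): each host lives in
a zone, and a firewall rule says which source zone may reach which host on
which port. An attacker who compromises a host can send traffic from that
host's zone, so the hosts it may reach are the next ones at risk.
"""
from collections import deque

# Constructed rules inside the internal zone; ports are the usual service
# ports (443 HTTPS/OWA, 389 LDAP, 88 Kerberos, 445 SMB, 3389 RDP).
INTERNAL_RULES = [
    ("internal", "dc", 389),
    ("internal", "dc", 88),
    ("internal", "fileserver", 445),
    ("internal", "workstation", 3389),
]

# Each design is (hosts -> zone, firewall rules). Hypothetical topology.
DESIGNS = {
    # Two zones: OWA published directly from the internal Exchange server.
    "two_zone": (
        {"attacker": "internet", "exchange": "internal", "dc": "internal",
         "fileserver": "internal", "workstation": "internal"},
        [("internet", "exchange", 443)] + INTERNAL_RULES,
    ),
    # Exchange itself in the DMZ: it still needs domain connectivity to the
    # DC, so the inner firewall has to be opened on several ports.
    "exchange_in_dmz": (
        {"attacker": "internet", "exchange": "dmz", "dc": "internal",
         "fileserver": "internal", "workstation": "internal"},
        [("internet", "exchange", 443),
         ("dmz", "dc", 389), ("dmz", "dc", 88), ("dmz", "dc", 445)]
        + INTERNAL_RULES,
    ),
    # ISA in the DMZ publishing OWA to the internal Exchange server: the
    # inner firewall only needs one port to one host.
    "isa_in_dmz": (
        {"attacker": "internet", "isa": "dmz", "exchange": "internal",
         "dc": "internal", "fileserver": "internal", "workstation": "internal"},
        [("internet", "isa", 443), ("dmz", "exchange", 443)] + INTERNAL_RULES,
    ),
}


def exposure(hosts, rules, start="attacker"):
    """Return {host: hops}: the smallest number of network steps from the
    attacker to each host, treating every reached host as a possible
    stepping stone. Hosts reachable straight from the Internet are at 1."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for src_zone, dst, _port in rules:
            if src_zone == hosts[src] and dst not in depth:
                depth[dst] = depth[src] + 1
                queue.append(dst)
    depth.pop(start)
    return depth


def inner_firewall_holes(hosts, rules):
    """Rules that let DMZ traffic into the internal zone: each is a path a
    compromised DMZ host could use against the internal network."""
    return [(dst, port) for src_zone, dst, port in rules
            if src_zone == "dmz" and hosts[dst] == "internal"]


def compare(designs=DESIGNS):
    """Summarise each design: hosts one hop from the Internet, hops needed to
    reach the DC and the file server, and the DMZ-to-internal holes."""
    summary = {}
    for name, (hosts, rules) in designs.items():
        hops = exposure(hosts, rules)
        summary[name] = {
            "directly_exposed": sorted(h for h, d in hops.items() if d == 1),
            "hops_to_dc": hops.get("dc"),
            "hops_to_fileserver": hops.get("fileserver"),
            "dmz_to_internal_holes": inner_firewall_holes(hosts, rules),
        }
    return summary


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

Running it shows the argument in numbers: with two zones the domain controller is one compromise away from the Internet; putting Exchange in the DMZ keeps the DC at the same distance while opening three holes in the inner firewall; publishing through ISA pushes the DC and file server one step further out and leaves a single DMZ-to-internal rule (port 443 to the Exchange server) for the inner firewall to enforce and monitor.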