Educause Security Discussion mailing list archives

Re: ISA firewall for exchange


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 18 Feb 2009 17:14:34 -0800


Gary,
A large part of this recommendation comes from the "best practices"
method for designing your network infrastructure around security zones.
A typical, simplified network could have 3 security zones: trusted,
restricted and untrusted where:

trusted = internal network
restricted = DMZ
untrusted = Internet

Ideally, you would not have any services in the trusted zone that are
available from the untrusted zone, meaning you are not running any
public services from your internal network.  The reason for this is not
to prevent hacks but rather to minimize their impact.  If an Exchange
server running SMTP/Outlook Web Access on your internal network becomes
hacked, the attacker could extend the access to other internal
resources (like an internal wiki, internal file servers, etc).

On the other hand, if all publicly accessible services are hosted in the
restricted zone and a server in the restricted zone becomes hacked, then
the hacker should have only limited access to internal resources due to
firewall rules (hopefully you would not grant your SMTP server in the
DMZ access to your internal file server/wiki etc).

Unfortunately, due to the high amount of interaction required between an
Exchange server and a Domain controller, it is usually hard to put tight
firewall rules around an Exchange server in the DMZ.  This is why the
Microsoft recommended solution is to have an ISA server in the DMZ and
pass SMTP/OWA access through the ISA server to the internal network.

You gain 2 things from this:

1)  An ISA server will need less access to your Domain controller than
an Exchange server so you should be able to put tighter firewall rules
in place on an ISA server in your restricted zone.

2)  Microsoft has designed the ISA server completely with security in
mind and, as a result, there is probably less chance of it getting
hacked than an Exchange server.

In reality, universities tend to have a harder time creating strong
security zones so you might not have quite as big a security gain by
using an ISA server.  On the other hand, the fact that Microsoft is
recommending against putting their Exchange server directly on the
Internet does not fill me with confidence.

Fortunately, we don't run Exchange so I have not had to make this call
in our environment.  Best of luck,

-Adam

Gary Flynn wrote:

We're getting ready to bring up Exchange and all Microsoft's
documentation recommends protecting it from direct Internet
exposure with ISA or a similar application firewall.

Thoughts?



--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis

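The zone reasoning in the message above, as an added example that is not part of the original post: a small Python model comparing what a compromised public-facing host can reach in the trusted zone under the three placements discussed. Host names, firewall rules and port lists are constructed for illustration and are not a vendor port reference.

```python
# Added illustration; hosts, zones and port lists are constructed.
ANY = "any"

def exposure(zones, rules, foothold):
    """Map each trusted host to the ports a compromised `foothold` can reach.

    Traffic inside one zone never crosses the firewall, so it is unfiltered;
    traffic between zones is limited to the explicit (src, dst, ports) rules.
    """
    reach = {}
    for host, zone in zones.items():
        if host == foothold or zone != "trusted":
            continue
        if zones[foothold] == zone:          # same zone: no firewall in the path
            reach[host] = {ANY}
            continue
        ports = set()
        for src, dst, allowed in rules:
            if src == foothold and dst == host:
                ports |= set(allowed)
        if ports:
            reach[host] = ports
    return reach

INTERNAL = {"dc": "trusted", "fileserver": "trusted", "wiki": "trusted"}
PUBLISHED = (25, 443)                        # SMTP and OWA over HTTPS
# Illustrative directory, Kerberos, DNS and RPC flows a mail server needs to a DC.
DC_FOR_EXCHANGE = (53, 88, 135, 389, 445, 3268, "rpc-dynamic")
DC_FOR_PROXY = (389,)                        # assumed: LDAP lookups only

# name -> (zones, firewall rules, host assumed compromised)
DESIGNS = {
    "exchange_in_trusted": ({**INTERNAL, "exchange": "trusted"},
        [("internet", "exchange", PUBLISHED)], "exchange"),
    "exchange_in_dmz": ({**INTERNAL, "exchange": "restricted"},
        [("internet", "exchange", PUBLISHED),
         ("exchange", "dc", DC_FOR_EXCHANGE)], "exchange"),
    "isa_in_dmz": ({**INTERNAL, "exchange": "trusted", "isa": "restricted"},
        [("internet", "isa", PUBLISHED), ("isa", "exchange", PUBLISHED),
         ("isa", "dc", DC_FOR_PROXY)], "isa"),
}

def compare():
    return {name: exposure(*design) for name, design in DESIGNS.items()}

if __name__ == "__main__":
    for name, reach in compare().items():
        print(name, {h: sorted(map(str, p)) for h, p in sorted(reach.items())})
```

The second design keeps the file server and wiki out of reach but still leaves a wide set of ports open to the domain controller, which is the difficulty the message describes with putting Exchange itself in the DMZ.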
