Educause Security Discussion mailing list archives
Re: ISA firewall for exchange
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 18 Feb 2009 17:14:34 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gary,

A large part of this recommendation comes from the "best practices" method for designing your network infrastructure around security zones. A typical, simplified network could have 3 security zones: trusted, restricted and untrusted, where:

trusted = internal network
restricted = DMZ
untrusted = Internet

Ideally, you would not have any services in the trusted zone that are available from the untrusted zone, meaning you are not running any public services from your internal network. The reason for this is not to prevent hacks but rather to minimize their impact. If an Exchange server running SMTP/Outlook Web Access on your internal network becomes hacked, the attacker could extend the access to other internal resources (like an internal wiki, internal file servers, etc.). On the other hand, if all publicly accessible services are hosted in the restricted zone and a server in the restricted zone becomes hacked, then the hacker should have only limited access to internal resources due to firewall rules (hopefully you would not grant your SMTP server in the DMZ access to your internal file server/wiki etc.).

Unfortunately, due to the high amount of interaction required between an Exchange server and a Domain controller, it is usually hard to put tight firewall rules around an Exchange server in the DMZ. This is why the Microsoft recommended solution is to have an ISA server in the DMZ and pass SMTP/OWA access through the ISA server to the internal network. You gain 2 things from this:

1) An ISA server will need less access to your Domain controller than an Exchange server, so you should be able to put tighter firewall rules in place on an ISA server in your restricted zone.

2) Microsoft has designed the ISA server completely with security in mind and, as a result, there is probably less chance of it getting hacked than an Exchange server.
In reality, universities tend to have a harder time creating strong security zones, so you might not have quite as big a security gain by using an ISA server. On the other hand, the fact that Microsoft is recommending against putting their Exchange server directly on the Internet does not fill me with confidence. Fortunately, we don't run Exchange, so I have not had to make this call in our environment.

Best of luck,
-Adam

Gary Flynn wrote:
> We're getting ready to bring up Exchange and all Microsoft's documentation recommends protecting it from direct Internet exposure with ISA or a similar application firewall. Thoughts?
--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmcsnoACgkQT0QSLt7kiaA4kwCgmsL8iwGY7P01TdPbdTlKH2pC
nRUAn36wr/kXvsfIOBosft0Zh1CQqSi/
=ZYDW
-----END PGP SIGNATURE-----
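The zone argument in Adam's message can be checked mechanically. The script below is an added example, not part of the original thread or of any Microsoft or ISA documentation: it models the trusted / restricted (DMZ) / untrusted design as hosts plus firewall allow rules and computes two things for each placement, which trusted-zone services the Internet can reach directly, and the blast radius of a compromised host (the trusted-zone services an attacker holding that host can reach). The host names, ports and rules are constructed for the example; the one modelling assumption, stated in the code, is that traffic inside a single zone is not filtered.

```python
# Added example (not from the original thread): a small zone-policy checker for the
# trusted / restricted (DMZ) / untrusted design described in the message.
from dataclasses import dataclass

TRUSTED, RESTRICTED, UNTRUSTED = "trusted", "restricted", "untrusted"


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    services: frozenset  # TCP ports the host listens on


@dataclass(frozen=True)
class Rule:
    """Firewall allow rule: any host in src_zone may reach dst_host on port."""
    src_zone: str
    dst_host: str
    port: int


def _by_name(hosts):
    return {h.name: h for h in hosts}


def reachable(hosts, rules, src_zone):
    """(host, port) pairs that a source inside src_zone can reach.

    Assumption for this example: there is no firewall between hosts of the same
    zone, so every service of every host in src_zone is reachable as well."""
    byname = _by_name(hosts)
    out = set()
    for r in rules:
        if r.src_zone == src_zone and r.port in byname[r.dst_host].services:
            out.add((r.dst_host, r.port))
    for h in hosts:
        if h.zone == src_zone:
            out.update((h.name, p) for p in h.services)
    return out


def exposed_trusted_services(hosts, rules):
    """Violations of 'no trusted-zone service is reachable from the Internet'."""
    byname = _by_name(hosts)
    return {hp for hp in reachable(hosts, rules, UNTRUSTED)
            if byname[hp[0]].zone == TRUSTED}


def blast_radius(hosts, rules, compromised):
    """Trusted-zone services an attacker who controls `compromised` can reach."""
    byname = _by_name(hosts)
    zone = byname[compromised].zone
    return {hp for hp in reachable(hosts, rules, zone)
            if byname[hp[0]].zone == TRUSTED and hp[0] != compromised}


# --- constructed topologies (names and ports invented for the example) ---------
WIKI = Host("wiki", TRUSTED, frozenset({80}))
FILES = Host("fileserver", TRUSTED, frozenset({445}))
DC = Host("dc", TRUSTED, frozenset({88, 389}))
EXCHANGE = Host("exchange", TRUSTED, frozenset({25, 443}))  # SMTP and OWA

# Placement 1: Exchange on the internal network, published straight to the Internet.
DIRECT_HOSTS = [WIKI, FILES, DC, EXCHANGE]
DIRECT_RULES = [Rule(UNTRUSTED, "exchange", 25), Rule(UNTRUSTED, "exchange", 443)]

# Placement 2: ISA in the DMZ. Only the DMZ may reach Exchange, and only on the
# published ports; ISA is also given one narrow rule to the domain controller
# (constructed here to stand for its smaller set of DC dependencies).
ISA = Host("isa", RESTRICTED, frozenset({25, 443}))
DMZ_HOSTS = [WIKI, FILES, DC, EXCHANGE, ISA]
DMZ_RULES = [Rule(UNTRUSTED, "isa", 25), Rule(UNTRUSTED, "isa", 443),
             Rule(RESTRICTED, "exchange", 25), Rule(RESTRICTED, "exchange", 443),
             Rule(RESTRICTED, "dc", 389)]

if __name__ == "__main__":
    print("direct: trusted services exposed to the Internet:",
          sorted(exposed_trusted_services(DIRECT_HOSTS, DIRECT_RULES)))
    print("direct: compromised exchange reaches:",
          sorted(blast_radius(DIRECT_HOSTS, DIRECT_RULES, "exchange")))
    print("isa:    trusted services exposed to the Internet:",
          sorted(exposed_trusted_services(DMZ_HOSTS, DMZ_RULES)))
    print("isa:    compromised isa reaches:",
          sorted(blast_radius(DMZ_HOSTS, DMZ_RULES, "isa")))
```

With Exchange published directly, the checker reports the two Exchange ports as trusted-zone services exposed to the Internet, and a compromised Exchange host reaches every other internal service because nothing filters inside the trusted zone. With ISA in the DMZ, nothing in the trusted zone is exposed, and a compromised ISA reaches only what the explicit DMZ-to-internal rules allow. The second point in Adam's message, that the DMZ rule set stays small only if the DMZ host needs little from the domain controller, shows up directly: each extra DMZ-to-DC rule you are forced to add widens the blast radius the script prints.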
Current thread:
- ISA firewall for exchange Gary Flynn (Feb 18)
- <Possible follow-ups>
- Re: ISA firewall for exchange Miller, Don C. (Feb 18)
- Re: ISA firewall for exchange Adam Carlson (Feb 18)