Re: DMZ and AD

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 08/15/04


Date: Sun, 15 Aug 2004 09:19:28 +0100

Good information.

I was just trying to clear up a terminology thing about what an IPSec tunnel
is. I'm learning this stuff and have come across some confusion with the
phrase "IPSec tunnel", that's all. Am I right in saying that what most
people mean when they say "IPSec tunnel" is actually IPSec running in
transport mode rather than tunnel mode?

I was thinking along the same lines with ISA Server 2004, which seems great
from the testing I've done with it.

Anyway, thanks for your post and sorry to hijack the original poster's
thread.

Oli

"Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in message
news:OGCq0OmgEHA.3864@TK2MSFTNGP10.phx.gbl...
> Sure.
> I'm referring to the encryption (ESP) of ALL traffic from the DMZ host (this
> case, the FE server) to the internal network hosts (this case, the DNS,
> DC/GC, and Exchange hosts assuming that the problem of IPSec tunnels to
> Exchange clusters is now recommended) with the intent of requiring fewer
> permit rules on the firewall device.
>
> I couldn't say if *all* IDS systems are unable to inspect IPSec traffic but
> I wouldn't expect AH to prevent IDS systems from seeing the packet contents.
>
> The point of the whole thing is that putting Exchange in the DMZ is not the
> best idea. In practice, it can be difficult to properly configure the
> security devices between the DMZ host and the internal infrastructure to
> allow the FE server the communications with the Exchange and Active
> Directory/DNS hosts especially when compared to permitting traffic from the
> ISA server to the FE server. That only requires TCP 80 or TCP 443 traffic
> between them depending on your configuration. That's a lot easier and more
> reliable for starters. The ISA server's ability to bridge the SSL
> conversation and check packets for intent is a good bonus unless security is
> more of a concern and then it would be pretty much required, right?
>
> Also, while ISA or some other layer-7 firewall has overhead of hardware and
> OS and application, it's offloaded to a separate device. IPSec tunnels can
> have unwanted overhead that impacts performance on the machine.
>
>
> Does that answer the questions? Or was there something you were heading
> toward? Maybe you've seen some information that can be useful here? Or
> maybe you have a suggestion that would help him out? If so, I'd like to
> hear it 'cause having extra hardware for a solution such as this is always a
> tough sell.
>
>
>
> Al
>
>
>
> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> news:eGzbZijgEHA.704@TK2MSFTNGP09.phx.gbl...
>> Can you clarify what you mean by an "IPSec tunnel"?
>>
>> Also, is it true that all IDS systems are unable to inspect IPSec traffic if
>> only AH is used (i.e. no ESP)?
>>
>> Oli
>>
>>
>> "Al Mulnick" <amulnick_No_SPAM@ncDOTrr.com> wrote in message
>> news:%237BKIbigEHA.2812@tk2msftngp13.phx.gbl...
>> > It is simpler, but it has no ability to check for malicious intent and
>> > blocks your IDS from doing anything about it and they put added strain on
>> > your DC/GC's. I can't remember off the top of my head, but it used to be
>> > that you couldn't use an IPSec tunnel to an Exchange cluster, but that may
>> > have changed. IPSec tunnels do make it easier to traverse the firewall
>> > though.
>> >
>> > The recommended way to deploy Exchange to the internet, for OWA, HTTP/RPC,
>> > AS, SMTP, IMAP, POP3, is to use a layer-7 firewall device that can inspect
>> > the packets as they go by. ISA Server is one such example of how to do
>> > that. Makes it much more reliable as well since you don't have to worry
>> > about punching enough holes in your firewall to make it similar to swiss
>> > cheese and you won't have to worry about the latest IIS hack to have
>> > somebody overrun your Exchange FE server and then have full, uninterrupted
>> > and undetected access to your internal network via IPSec tunnels.
>> >
>> > I've always recommended ISA since it was released for those reasons. I've
>> > deployed the IPSec tunnels as well and there are some utilities that make it
>> > easier to deploy and troubleshoot which should be available at
>> > http://www.microsoft.com/security
>> >
>> > For topology and click by click ways to deploy Exchange in this scenario,
>> > see http://www.microsoft.com/exchange/library and have a look at the docs
>> > there.
>> >
>> > Shame about that consultant though, her getting away before the job was
>> > totally done and all ;)
>> >
>> > Al
>> >
>> >
>> > "Dave Shaw [MVP]" <dhshaw@NoSpam.msn.com> wrote in message
>> > news:%23Wr40hhgEHA.4092@TK2MSFTNGP10.phx.gbl...
>> >> Make your life a little simpler ...
>> >>
>> >> Use IPSec filters on the firewalls to allow traffic to and from the
>> >> messaging server to the domain. It's much more secure and uses many fewer
>> >> ports.
>> >>
>> >> -ds
>> >>
>> >>
>> >> "C Emmons" <anonymous@discussions.microsoft.com> wrote in message
>> >> news:07ae01c48198$c3917b40$3a01280a@phx.gbl...
>> >> > I am running Exchange 2003 SP1 on Windows Server 2003. I
>> >> > am using the Front-End/Back-End Topology. The Exchange
>> >> > Front-End passes request for mail to the Back-End. I
>> >> > paid a consultant to come in and setup a DMZ in which the
>> >> > Front-End now resides. As far as I can see, the
>> >> > connectivity seems okay between the front and the back.
>> >> > However, the front-end server will not work. I get the
>> >> > following error:
>> >> >
>> >> > All DS Servers in domain are not responding.
>> >> >
>> >> > Outside the DMZ (IP changed back to my internal network) -
>> >> > everyone works fine between front and back.
>> >> >
>> >> > I have two Domain Controllers running Windows 2003 Server
>> >> > Enterprise (Clusters). The Exchange Server is of course
>> >> > in the domain, but is not a domain controller.
>> >> >
>> >> > Can anyone please help - I am trying to meet a deadline
>> >> > and the consultant has gone. Help much appreciated.
>> >> > C Emmons
>> >>
>> >>
>> >
>> >
>>
>>
>
>
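The two points argued back and forth above, that AH leaves packet contents readable to an IDS while ESP hides them, and that "IPSec tunnel" in casual use usually means transport mode (IPsec header inserted after the original IP header) rather than true tunnel mode (whole IP packet wrapped in a new one), can be made concrete with a small model. The following Python script is an added example, not code from the thread or from any of the products mentioned; it assumes the standard AH/ESP header field order (next header, SPI, sequence number, ICV), uses a toy SHA-256 keystream in place of a real ESP cipher, and uses constructed addresses, key, payload and IDS signature.

```python
"""Model of what an on-path IDS can see in IPsec AH vs ESP packets, and how the
endpoint tells transport mode from tunnel mode.

Constructed example. Header layouts follow the AH/ESP field order; the
"encryption" is a toy keystream so the script runs offline with only the
standard library. Addresses, SA values, key, payload and signature are made up.
"""
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
SPI, SEQ, ICV_LEN = 0x1000, 1, 12           # constructed SA values; 96-bit truncated ICV
KEY = b"constructed-demo-key-not-a-real-sa"  # constructed, never a real key
SIGNATURE = b"TEST-SIG"                      # constructed pattern for the toy IDS


def ipv4_header(proto: int, src: bytes, dst: bytes, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; irrelevant to the model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256: a stand-in for the ESP cipher, nothing more.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def ah_encapsulate(src: bytes, dst: bytes, next_header: int, payload: bytes) -> bytes:
    """AH transport mode: payload stays in cleartext and is only integrity-protected."""
    ah_len_words = (12 + ICV_LEN) // 4 - 2      # AH 'payload length' is in 32-bit words minus 2
    fixed = struct.pack("!BBHII", next_header, ah_len_words, 0, SPI, SEQ)
    icv = hmac.new(KEY, fixed + payload, hashlib.sha256).digest()[:ICV_LEN]
    ah = fixed + icv
    return ipv4_header(IPPROTO_AH, src, dst, len(ah) + len(payload)) + ah + payload


def esp_encapsulate(src: bytes, dst: bytes, next_header: int, payload: bytes) -> bytes:
    """ESP: payload, padding, pad length and next header are all encrypted, then ICV'd."""
    pad_len = (-(len(payload) + 2)) % 4         # align the ESP trailer to 4 bytes
    plain = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", SPI, SEQ)
    ciphertext = _xor(KEY, plain)
    icv = hmac.new(KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    body = header + ciphertext + icv
    return ipv4_header(IPPROTO_ESP, src, dst, len(body)) + body


def esp_tunnel(outer_src: bytes, outer_dst: bytes, inner_packet: bytes) -> bytes:
    """ESP tunnel mode: the whole inner IP packet is the protected payload (next header 4)."""
    return esp_encapsulate(outer_src, outer_dst, IPPROTO_IPIP, inner_packet)


def esp_decapsulate(packet: bytes) -> tuple:
    """Endpoint side: verify the ICV, strip the toy encryption and the ESP trailer."""
    header, ciphertext, icv = packet[20:28], packet[28:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    plain = _xor(KEY, ciphertext)
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - pad_len - 2]


def ids_visible_bytes(packet: bytes) -> bytes:
    """What a sensor without the SA key can actually read past the IPsec header."""
    proto = packet[9]
    if proto == IPPROTO_AH:
        ah_total = (packet[21] + 2) * 4
        return packet[20 + ah_total:]            # cleartext, so signatures still match
    if proto == IPPROTO_ESP:
        return packet[28:-ICV_LEN]               # ciphertext: opaque to the sensor
    return packet[20:]


def ids_alert(packet: bytes) -> bool:
    return SIGNATURE in ids_visible_bytes(packet)


def receiver_mode(packet: bytes) -> str:
    """Only the key holder can tell transport from tunnel: it needs the next-header value."""
    proto = packet[9]
    if proto == IPPROTO_AH:
        nxt = packet[20]
    elif proto == IPPROTO_ESP:
        nxt, _ = esp_decapsulate(packet)
    else:
        return "not IPsec"
    return "tunnel" if nxt == IPPROTO_IPIP else "transport"


SRC, DST = bytes([10, 0, 1, 5]), bytes([10, 0, 0, 7])          # constructed DMZ / internal hosts
TCP_SEGMENT = b"\x01\xbb\x00\x50" + b"GET /exchange/ HTTP/1.1 TEST-SIG"  # constructed payload

if __name__ == "__main__":
    inner = ipv4_header(IPPROTO_TCP, SRC, DST, len(TCP_SEGMENT)) + TCP_SEGMENT
    samples = (("AH transport", ah_encapsulate(SRC, DST, IPPROTO_TCP, TCP_SEGMENT)),
               ("ESP transport", esp_encapsulate(SRC, DST, IPPROTO_TCP, TCP_SEGMENT)),
               ("ESP tunnel", esp_tunnel(SRC, DST, inner)))
    for name, pkt in samples:
        print(f"{name:14s} IDS alert={ids_alert(pkt)!s:5s} endpoint sees mode={receiver_mode(pkt)}")
```

Running it shows the practical consequence of the choice Al describes: with AH the sensor between DMZ and internal network still matches on the payload, with ESP it sees only ciphertext, and the transport-versus-tunnel distinction is invisible to the sensor because the next-header byte is inside the encrypted trailer.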