Home page logo

educause logo Educause Security Discussion mailing list archives

Re: ISA Server for Microsoft Exchange
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Thu, 23 Oct 2008 10:29:56 -0700

Hash: SHA1

This recommendation comes from one of the core principles of network
design which involves implementing security domains within your
infrastructure.  You should never host Internet facing services from
your internal network because if a service hosted on your internal
network is compromised from the Internet, the compromise could spread to
the rest of the internal network.  The business argument can be that if
there is anything on your internal network that you care about
protecting from outside attackers (file shares, workstations, databases
etc), you need to design your network in a secure manner that minimizes
the chances a hacker can get to those internal resources.

That is the quick summary, read on for the more detailed summary which I
wouldn't necessarily give to management, but will hopefully make you
more persuasive in your argument.

What you should strive to do is have all Internet facing services hosted
in a DMZ or restricted zone so that if one of the services is
compromised from the Internet, the compromised system will only have
limited access to your internal network.  This will help prevent an
attacker from compromising additional systems and data on your internal

A Microsoft Exchange server is very difficult to put in the DMZ
effectively because it requires a high level of connectivity to systems
in its domain, especially the domain controller.  So while you could
place an Exchange server into the DMZ, it would be somewhat pointless
because you would have to allow a lot of traffic from the DMZ to the
internal network which somewhat defeats the purpose of having a
restricted DMZ.

That is why Microsoft recommends publishing Exchange and Outlook Web
Access through an ISA server.  The ISA server can sit in the DMZ and
pass Outlook Web Access (OWA) and Exchange connections through the DMZ
to the Exchange server on the internal network.  ISA servers are also
designed to be more secure than Exchange servers so there is a lower
likelihood that an ISA server would be compromised from an attack over
the Internet.

I have had to explain this exact concept to non-technical audiences
multiple times and it can be somewhat difficult but I think there are a
few things that you can highlight to get people to buy in.

1)  Microsoft itself recommends publishing OWA and Exchange through an
ISA server
2)  Every network-based application could be hacked due to programming
problems and this is a way to minimize the probability that your mail
server will get hacked and a good way to reduce the impact if it does
get attacked.

If your audience isn't familiar with the concept of a firewall/DMZ, it
is usually not a bad idea to draw that out for them as well and show the
difference between only have 2 security zones (Internet and your
internal network) versus 3 security zones (Internet, DMZ and your
internal network).  With only 2 security zones the hacker gets straight
into your network while with 3 security zones, they have to go through
the systems in the DMZ first which is where they will hopefully get
bogged down and prevented from getting to your internal network.

There is much more that could be said on this topic, but I think these
are the core principles that should be understood by you and conveyed to
them in a way that is digestible.  Please let me know if something is
not clear or I explained things in a confusing manner.

Best of luck!

- -Adam

Connie Sadler wrote:
I am told that we need an ISA Server for Microsoft Exchange. I am asking for
the Reader's Digest condensed "english" explanation, but I am having a hard
time getting it.  :)  Can anyone here offer an explanation that will help me
to create a business case for this - for a non-technical audience? There is
a lot of info on the web, but nothing pops out as useful. I need a
translation from techno-speak to executive business need.


Connie Sadler
CISO, Lucile Packard Children's Hospital at Stanford

- --
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]