
Exchange Deployment and ISA Firewall Nightmare Scenarios — Getting to Know the "Nightmare on Exchange Street" and "Hork Mode Sandwich" Scenarios

If there were an award for putting together the worst possible security design for an Exchange Server organization, which topology do you think would win? In my experience, the winner would be a family of topologies I call the Exchange Publishing Nightmare Scenarios, because they represent the worst-case scenarios for network security when deploying an ISA Firewall to secure Exchange Web services. The figure below shows the topology for one version of the Exchange Publishing Nightmare scenario. We’ll call this the Nightmare on Exchange Street scenario.


Figure 2

In the Exchange Publishing Nightmare Scenario the ISA Firewall is separated from the internal network by a third party firewall and from the external network by another third party firewall. As seen in the figure above, there are two “hardware” firewalls deployed, one on the edge of the corporate network and a backend firewall in front of the corpnet. A DMZ segment is seen on the back end “hardware” firewall where a single NIC “hork mode” ISA Firewall is deployed. There are several serious defects in this design:

  • The back-end “hardware” firewall represents an unnecessary point of failure
  • The back-end “hardware” firewall represents another opportunity for firewall misconfiguration – the most common cause of firewall-related security issues
  • The ISA Firewall is subjected to the security weaknesses of the back-end “hardware” firewall. A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) has no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall

A variant of this Exchange Publishing Nightmare Scenario places a hork mode ISA Firewall in the DMZ between the “hardware” firewalls, something that I refer to as the Hork Mode Sandwich scenario.

The problem with the Hork Mode Sandwich and the Nightmare on Exchange Street scenarios is that the full firewall feature set is gutted from the ISA Firewall when it is deployed in hork mode. There is no technical reason for this type of deployment. The only reasons for such a deployment would be political ones or ignorance. If you need or want to use a back-to-back firewall deployment, then place the ISA Firewall closest to the resources that need protection: the most secure firewall should be nearest the protected resource, and the ISA Firewall is most likely the most secure firewall in this scenario.

I’ve heard excuses that “the customer wants to do it this way”. That is not an acceptable excuse. Would you give a child a loaded gun to play with just because he wanted it? Would you hand a kid a stick of dynamite and a match because he likes to blow things up?  Of course not. You use your superior knowledge of guns and explosives (at least compared to the child’s understanding) to protect the child.

In the area of Exchange security using the ISA Firewall, you are the expert and it is your responsibility to protect the customer from poor security designs, regardless of what the customer “thinks” he wants.

I’m fortunate because I can turn down customers who want to harpoon their network security due to their lack of understanding of strong network security principles and the ISA Firewall. If you’re not as lucky as me, and you are forced to deploy desultory security designs such as the Nightmare on Exchange Street and Hork Mode Sandwich scenarios, then protect yourself on both the moral and the potentially legal front by having the customer sign a release statement that releases you from responsibility for security breaches due to the poor security design demanded by the customer. You’ll be glad you did.

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

12 Responses to “Exchange Deployment and ISA Firewall Nightmare Scenarios — Getting to Know the "Nightmare on Exchange Street" and "Hork Mode Sandwich" Scenarios”

  1. Chris Says:

    August 30th, 2007 at 12:04 pm

    If only the world was as simple as Tom explains. I am in a scenario where the ISA servers are performing the role of the original ISA product, Proxy Services. While the firewall capabilities of ISA are in fact fantastic, the Proxy capabilities are just as excellent. In my scenario the customer wanted a proxy server that could provide reverse proxy services. The customer already has an established FE/BE firewall solution in place and would not want to re-engineer the firewall solution to simply provide proxy services.

    So in this instance a “Hork Mode” ISA server works exceptionally well ( not to mention that the ISA firewall capabilities still apply to the localhost ). Unless Microsoft releases a dedicated Proxy Server in addition to ISA Server then the unihomed ISA server will still have a place in the enterprise.

    Cheers!

  2. the capslock assassin » Blog Archive » Tom Shinder on "hardware" firewalls Says:

    August 30th, 2007 at 10:19 pm

    […] Tom Shinder of ISAServer.org takes an amusing shot at the myth in some circles that a “hardware” firewall or “firewall appliance” offers more security than a Microsoft ISA Server firewall. […]

  3. Mylo Says:

    September 7th, 2007 at 4:22 pm

    Chris,

    I’ve seen the FE/BE scenarios you describe as well, and it may often be more politically expedient to allow the uni-homed solution to pass. The point is, though, that simply using the ISA as a reverse proxy, either as a stand-alone server or as a domain member in the DMZ, does both it and security a disservice, twofold:

    (a) if it’s a stand-alone ISA server in a DMZ it’s not capitalising on the “real” proxy capabilities that come about via domain membership with ISA “fronting” the connection in the BE role; constrained delegation etc.
    (b) if it is a domain member in the DMZ, chances are you’re making swiss cheese out of your BE firewall anyway by passing all the Windows protocols out of the DMZ from ISA just to sustain that model.

    The irony is that this sort of setup ends up diluting security and it’s quite common in large organisations, sustained by the belief that hardware/appliance firewalls are safer. Both FE and BE need to do ALF and fork the traffic according to what it is. If it’s MS traffic use ISA as the BE.

    Cheers,
    Mylo

  4. Chris Says:

    September 7th, 2007 at 11:32 pm

    Interesting comment, Mylo. I have to say you make great points but, of course, I have my own thoughts also. In our scenario the ISA server is a domain member in the DMZ to provide the Kerberos Constrained Delegation in the Web Publishing that we are providing. The swiss cheese you are talking about is really only for traffic coming out of the heavily secured ISA server to the Domain Controllers and web servers. While not as secure as only allowing 443 through the back-end firewall, it is still far better than putting the web server in the DMZ, since the ISA server still uses the excellent firewall services to protect itself. I don’t agree that we are diluting security; rather, we are leveraging exactly what the ISA product group had in mind when they gave the option of using a unihomed ISA server (hence the available template).

    And let us not forget that in my environment politics rule and we can only push for so much before we are stepping on the wrong toes…

    Cheers!

  5. Mylo Says:

    September 8th, 2007 at 9:55 am

    Hi Chris,

    You make some good points and agreed it’s absolutely better than slapping the web server in the DMZ. I’m kind of glad you mention it’s a domain member and using KCD. It’s better than the stand-alone ISA scenario. Just not sure whether all those Windows protocols should be floating round the DMZ before they tunnel thru your firewall to your DC (LDAP, RPC etc) ;-)

    Good luck with pushing the boundaries and re-educating a few souls :-)

    Regards,
    Mylo
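As an added example (not code from the original post or from any of the commenters), the following Python script puts numbers on the trade-off Chris and Mylo discuss above: a back-end firewall that only has to pass TCP 443 from the DMZ to the published web server, versus one that must also pass the Windows domain protocols (Kerberos, LDAP, DNS, RPC) from a domain-member ISA to the domain controllers. It parses a small text rule set and reports how many destination ports are reachable from the DMZ, which domain protocols are exposed, and whether any wide port range (the RPC dynamic range) is open. Host names, rule lines and the RPC range are constructed for the example; the port numbers are the standard Windows defaults and are not taken from the page.

```python
"""Audit a back-end firewall rule set for DMZ-to-corpnet exposure.

Constructed example: the rule format, host names and rule lines below are
invented for illustration and are not from the original post or comments.
"""
from dataclasses import dataclass

# Standard Windows domain-member protocols (well-known defaults, not from the page).
DOMAIN_PROTOCOLS = {
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 389): "LDAP",
    ("tcp", 636): "LDAPS",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 445): "SMB",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
}


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src_zone to dst_host on proto/ports."""
    src_zone: str
    dst_host: str
    proto: str
    ports: range  # allowed destination ports (inclusive range)
    purpose: str


def parse_rules(text: str) -> list[Rule]:
    """Parse lines of the form 'src dst proto PORT|LO-HI # purpose'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        body, _, purpose = line.partition("#")
        src, dst, proto, ports = body.split()
        lo, _, hi = ports.partition("-")
        port_range = range(int(lo), int(hi or lo) + 1)
        rules.append(Rule(src, dst, proto.lower(), port_range, purpose.strip()))
    return rules


def audit(rules: list[Rule], src_zone: str = "dmz") -> dict:
    """Summarise what the given source zone can reach through the firewall."""
    findings = {"exposed_ports": 0, "domain_protocols": set(), "dynamic_ranges": []}
    for r in rules:
        if r.src_zone != src_zone:
            continue
        findings["exposed_ports"] += len(r.ports)
        for port in r.ports:
            name = DOMAIN_PROTOCOLS.get((r.proto, port))
            if name:
                findings["domain_protocols"].add(name)
        if len(r.ports) > 1:  # a multi-port range is the usual RPC dynamic-port hole
            findings["dynamic_ranges"].append(
                f"{r.proto}/{r.ports.start}-{r.ports.stop - 1} -> {r.dst_host}"
            )
    return findings


# Constructed rule sets for the two designs under discussion.
STANDALONE_PROXY = """
dmz web01 tcp 443   # reverse proxy publishes OWA; nothing else needed
"""

DOMAIN_MEMBER = """
dmz web01 tcp 443           # reverse proxy publishes OWA
dmz dc01  tcp 88            # Kerberos (needed for KCD)
dmz dc01  udp 88            # Kerberos
dmz dc01  tcp 389           # LDAP
dmz dc01  tcp 135           # RPC endpoint mapper
dmz dc01  tcp 49152-65535   # RPC dynamic range (constructed; version dependent)
dmz dc01  tcp 53            # DNS
dmz dc01  udp 53            # DNS
"""

if __name__ == "__main__":
    for label, text in (("stand-alone proxy", STANDALONE_PROXY), ("domain member", DOMAIN_MEMBER)):
        f = audit(parse_rules(text))
        print(f"{label}: {f['exposed_ports']} port(s) reachable from the DMZ; "
              f"domain protocols exposed: {sorted(f['domain_protocols']) or 'none'}; "
              f"wide ranges: {f['dynamic_ranges'] or 'none'}")
```

The stand-alone design exposes a single port and no domain protocol; the domain-member design exposes the Kerberos, LDAP, DNS and RPC services on the domain controller plus the whole RPC dynamic range, which is the “swiss cheese” Mylo refers to. Running the same audit against a real rule export is a quick way to make the cost of the domain-member design visible before the BE firewall is opened up.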

  6. Dean Says:

    January 4th, 2009 at 7:59 pm

    what a load of rubbish.

    The ISA just doesn’t compare to firewall hardware appliances on the market, i.e. Sidewinder, Juniper, and Cisco ASA, in terms of features, management, and reliability. The ISA software is buggy and since it runs on Windows it can hardly be regarded as secure.

  7. Thomas Shinder Says:

    January 5th, 2009 at 12:17 am

    Hi Dean,

    I’m sorry you don’t understand the ISA firewall security model or feature set. Otherwise, you wouldn’t be so wrong in your statements regarding the ISA firewall, which as you might know, is the most secure firewall on the market today.

    I do custom classes for “old school” firewall admins who need to learn about how to secure networks in the 21st century. I’d be glad to educate you and your organization on how to upgrade from the “hardware” port opener mentality you have today.

    HTH,
    Tom

  8. Jim Harrison Says:

    January 7th, 2009 at 4:13 pm

    Poor Dean,

    It was once an amusing event to read of someone still espousing the “hardware vs. software” argument, but now it’s just sad. Add to this your clearly ignorant views on Windows in general and ISA in particular and you have what can only be described as a serious hole in your IT education.

    Do yourself (and your customers) a favor; take Tom up on his training offer; factual knowledge trumps tribal knowledge any day.

  9. Dean Says:

    January 18th, 2009 at 11:05 pm

    No thanks. We recently replaced our ISAs because of ongoing config DB corruptions and Windows-related server issues. The new setup, with the ISA configured with a single NIC for web/SharePoint publishing behind a redundant pair of firewalls, is proving to be a much better option with less downtime and less need for reboots and patching Windows.

  10. tshinder Says:

    January 18th, 2009 at 11:24 pm

    Yo sad po’ Dean,

    Just because your IT group is an incompetent chorus line of boobs doesn’t mean that it’s the ISA firewall’s fault. Sure, you cost your company untold thousands of dollars because you didn’t want to take the time to learn how the ISA firewall works, and you couldn’t deal with your ego issues to hire a consultant (I don’t remember you asking my firm to help you make it work) — so why not pay an insane premium to “hardware” firewall sales guys?

    Is your IT manager this stupid, or did the sales guy give you the right PPTs to dope your manager into thinking it was an ISA firewall issue when it was an intellectual challenge problem?

    I’d LOVE to talk to your employer. Post his number here and I’m sure we can save your company many thousands of wasted dollars. If you work for a publicly traded company, it’s even more important that you come clean. You can’t afford to waste money in today’s economic climate, just because of an illusion of the “immaculate nature” of “hardware”.

    I still offer training classes. As Jim said, take me up on the offer. Your company’s stockholders deserve no less.

    HTH,
    Tom

  11. Jim Harrison Says:

    January 19th, 2009 at 12:10 am

    Dean,

    Single-NIC deployment doesn’t change the configuration DB, nor does it change anything with regard to your (lack of a) patching methodology. IOW, this change is irrelevant to the issues you claim to have experienced. Thus, the changes are unlikely to resolve them and you will have wasted lots of time re-engineering this “sandwich”.

    Frankly, anyone who believes that “only Windows needs patching” is dangerous and irresponsible. If you do work for a publicly-traded company, please let us know the name or stock ticker of this company so we can adjust what few investments we still have left. I can’t speak for anyone else, but my money (what still remains) is too precious to be entrusted to a company that wastes it this way.

  12. Greg Says:

    January 19th, 2009 at 1:11 am

    Dean, I am confused. You say that you replaced your ISA with a single-NIC solution; how does this reduce your patching? Many people think that Microsoft’s in-your-face patch releases are a bad thing. I look after a large enterprise network and I would much rather be alerted to such issues than have to dig for them every month or more. Whilst patching is a chore, it is a necessary chore and we utilise some good technology to help us out with it. Microsoft products are not the only ones that need regular patching; ever used VMware??!!

    One could argue until you are blue in the face about software and hardware firewalls (that run software), but unless you have an open mind and can understand either without any bias, something I am not sure you can do judging by your comments earlier, then you will be ill-informed at best. No software is perfect, that is for sure, but you will get plenty of hearty discussion from any tech with half a clue on the validity of ISA Server as an enterprise-class firewall. Traditional ‘network guys’ may agree with you, but realistically in this day and age the network guy is about as useful to me as a donkey configuring a VLAN for use in my datacenter. Which I can do anyway!!

    If you wanted to get a proper rundown on ISA Server or any product (Exchange, SQL) you wouldn’t ask your network guy how it affects him, you would ask someone who knows the product inside out. IMO Jim and Tom are the highest-rated product specialists in this case and their words should not be taken lightly. They are not saying you must use it; however, if you are going to ditch it based on unsubstantiated reasons, it is important you do it for the right reasons.

    Greg
