Level of additional security attained with reverse proxy ISA/TMG for example
I was having a discussion with some other network admins and we were wondering to what degree a solution like ISA/TMG offers increased security for an Exchange environment, if you used it, for example, to publish OWA. First, I'm assuming Exchange 2007 or 2010. OK. For some, any direct access to internal servers from the Internet is a bad thing. Yet, there are probably thousands of SBS environments where Exchange is exposed to the outside world, albeit through port 443 (and perhaps 80) only. And as far as I know, the Edge Transport role can provide antivirus, antispam and some policy functions (address rewrite) but does not act as a reverse proxy (correct?).

So, let's imagine an environment where:

1) The only inbound access to the Hub Transport server is from your hosted email filtering company (MX Logic, Postini).
2) The only access to the CAS is on port 443.
3) The CAS server respects commonly recommended guidelines for security: updates regularly applied, default admin account disabled or protected with a long and complex password, logs monitored for failed logon attempts, possible application of security templates, and I could go on...

So on one hand we have that, and on the other, we add an ISA/TMG reverse proxy allowing us, among other things, to publish OWA. What exactly are we gaining security-wise from the reverse proxy? Someone asked: if it's just shuttling the packets over to the CAS, what are we gaining?
February 1st, 2011 6:11pm

Hello Mike, Thanks for the links.

You wrote: "A reverse proxy adds security to a trusted web site by providing a layer of separation between users and trusted networks/systems. The same reason the Mona Lisa is behind bullet proof glass and you cannot touch it. The CAS would only accept traffic from the DMZ, not the internet."

In your Mona Lisa analogy, no ingress or egress is possible between the outside (where wide-mouthed tourists are standing in awe of the masterpiece) and the painting on the other side of the glass (only light will pass, not hands). In the case of OWA, the traffic reaching the CAS from the DMZ is simply traffic relayed from the Internet.

Now, as an application layer firewall, does ISA/TMG process the incoming packets, dropping or relaying as appropriate, so as to increase security? It would appear to do just that by URL Protection (Maximum URL length, Maximum Query length and Verify Normalization) and regulating HTTP methods (disallowing certain commands). But I see elsewhere that some of these methods can be configured on recent versions of IIS: http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering

I can see the advantage of offloading some of that work from the IIS/Exchange server to the ISA/TMG device. But from a strictly security standpoint, I am trying to gauge the advantage obtained by putting ISA/TMG in front of the CAS server. If I were a consultant, I might have to justify recommending an additional expense. I might be asked: "If on a scale of 1 to 10, we can attain 5 without ISA/TMG, what level would we reach with the reverse proxy?" 6? 7? 8? I'm wondering if I could buttress my response with technical details, rather than resorting to marketing rhetoric like "I'm the expert, just trust me and sign the check please". I believe the buyer would have nothing to lose by implementing ISA/TMG. I believe the buyer would gain from it. I'm simply trying to ascertain to what degree.
February 2nd, 2011 1:56pm
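The post above lists the request-level checks it attributes to ISA/TMG URL Protection (maximum URL length, maximum query length, verify normalization) and to HTTP method filtering. The following is an added toy model of those checks, not code from the thread, Microsoft or any ISA/TMG product; the limits, the method allow-list and the sample OWA request lines are constructed for illustration.

```python
"""Toy model of reverse-proxy request filtering for a published OWA site.
Added example; every limit and sample value below is constructed."""
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

MAX_URL_LEN = 260        # constructed "Maximum URL length"
MAX_QUERY_LEN = 2048     # constructed "Maximum Query length"
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # constructed allow-list for OWA


def is_normalized(path: str) -> bool:
    """'Verify normalization': the path must decode to a stable form.

    Decoding once must not leave anything that decodes again (double
    encoding), and the decoded path must not contain dot-segments that a
    web server would otherwise collapse into a different path."""
    once = unquote(path)
    if unquote(once) != once:
        return False
    return not any(seg in (".", "..") for seg in once.split("/"))


def check_request(method: str, url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request line, checked in the
    order a proxy would: method, total length, query length, normalization."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(url) > MAX_URL_LEN:
        return False, "url too long"
    parts = urlsplit(url)
    if len(parts.query) > MAX_QUERY_LEN:
        return False, "query too long"
    if not is_normalized(parts.path):
        return False, "not normalized"
    return True, "ok"


# Constructed sample request lines as a proxy would see them.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("GET", "/owa/auth/logon.aspx?url=/owa/&reason=0"),
    ("POST", "/owa/auth.owa"),
    ("TRACE", "/owa/"),
    ("GET", "/owa/%252e%252e/"),          # double-encoded dot-segment
    ("GET", "/owa/" + "a" * 300),          # exceeds MAX_URL_LEN
]


def filter_requests(requests: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply check_request to each sample and report the decision."""
    return [(m, u[:40], check_request(m, u)[1]) for m, u in requests]
```

Running `filter_requests(SAMPLE_REQUESTS)` shows which of the constructed lines would be dropped at the proxy before ever reaching the CAS, and why.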

> Hello Mike, Thanks for the links. You wrote: A reverse proxy adds security to a trusted web site by providing a layer of separation between users and trusted networks/systems. The same reason the Mona Lisa is behind bullet proof glass and you cannot touch it. The CAS would only accept traffic from the DMZ, not the internet. In your Mona Lisa analogy, no ingress or egress is possible between the outside (where wide-mouthed tourists are standing in awe of the masterpiece) and the painting on the other side of the glass (only light will pass, not hands). In the case of OWA, the traffic reaching the CAS from the DMZ is simply traffic relayed from the Internet.

TMG would terminate the traffic and then make a new connection to OWA. The "user's packets" are not simply forwarded along like a router.

> Now, as an application layer firewall, does ISA/TMG process the incoming packets, dropping or relaying as appropriate, so as to increase security?

See above comment.

> It would appear to do just that by URL Protection (Maximum URL length, Maximum Query length and Verify Normalization) and regulating HTTP methods (disallowing certain commands). But I see elsewhere that some of these methods can be configured on recent versions of IIS: http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering I can see the advantage of offloading some of that work from the IIS/Exchange server to the ISA/TMG device. But from a strictly security standpoint, I am trying to gauge the advantage obtained by putting ISA/TMG in front of the CAS server. If I were a consultant, I might have to justify recommending an additional expense. I might be asked: "If on a scale of 1 to 10, we can attain 5 without ISA/TMG, what level would we reach with the reverse proxy?" 6? 7? 8?

Coming up with arbitrary numbers to rate security is not a useful endeavor. Computer science is more complex than this.

> I'm wondering if I could buttress my response with technical details, rather than resorting to marketing rhetoric like "I'm the expert, just trust me and sign the check please". I believe the buyer would have nothing to lose by implementing ISA/TMG. I believe the buyer would gain from it. I'm simply trying to ascertain to what degree.

As I suggested already, please do some additional research and study into computer security. This is not something I can help with here on the forums.

Mike Crowley
Check out My Blog!
February 3rd, 2011 9:24pm

Thanks again, Mike. This discussion might be useful for anyone else inquiring about this: http://arstechnica.com/civis/viewtopic.php?f=17&t=1123546 As for the scale of 1 to 10, I wasn't expecting anyone to come up with a number. I was contemplating how I might answer such a question if I were asked.
February 5th, 2011 9:34am
