So... Microsoft decided to discontinue TMG simply because they are confident that we don't need it anymore? I don't think so... I have to, and I want to, believe that Microsoft doesn't take security in this simplistic way.
I agree that security adds complexity, and I agree that we have evidence that Microsoft has written better code from a security perspective in the last few years, but software can have bugs (for example: undisclosed 0-days), Exchange and IIS too... these pieces of code aren't "bug free" for sure.
I bet I'm not the only one who has heard of IIS remote code execution bugs in the last few years.
Yes, it is true that the mobility of modern client computers is virtually extending the network perimeter to the Internet, but this doesn't mean that we have to forget about the protection of exposed services in our security measures.
I can think of multiple reasons why a reverse proxy in the DMZ is still needed these days, a few of them:
- Pre-auth can take out all reverse shells, automated attacks and casual attackers... I don't think that the protection from this kind of attack can be seen as "very little extra" or "anything". Yes, this can be seen as insurance: a low-cost and effective insurance.
- If the reverse proxy supports IDS/protocol analysis, we can easily fight against direct shells or covert channels (protocol tunneling) too.
- To add support for OTP/two-factor authentication: a lot of security can be added to the entire infrastructure if we don't require typing domain passwords when using public networks or devices.
- To expose a different attack surface (different services) on the Internet: getting into a LAN server would require two different exploits.
- blah... blah...
I can understand if Microsoft decided to leave this kind of business to other vendors/partners; I can live with this decision... end of the discussion. But please... don't tell us that Exchange and IIS are bulletproof and that security measures are so "old school". If Microsoft really thinks that they can guarantee the security of their products, then why not create a "refund program" for all those customers hacked by using exploits?
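As an added illustration of the first and third points above (pre-auth at the proxy, and an OTP that is not the domain password), here is a minimal pre-authentication gate of the kind a DMZ reverse proxy performs before anything is forwarded to the LAN server. This is example code written for this page, not part of the original post and not TMG's or any vendor's code. It assumes a user table with a per-proxy TOTP secret (the RFC 4226 test key is used as the constructed sample secret), a fixed list of backend paths, and a request represented as a plain dict; the OTP check is RFC 4226/6238 HOTP/TOTP implemented with the standard library only.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample data: one user enrolled with a proxy-side TOTP secret.
# The secret is the RFC 4226 test key ("12345678901234567890") in base32;
# it is NOT the user's domain password, so nothing typed on a public device
# is reusable against the LAN.
USERS = {
    "alice": {"totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
}

# Assumed backend paths that exist on the internal server; anything else is
# dropped at the proxy and never reaches the LAN.
BACKEND_PATHS = ("/owa/", "/ecp/", "/ews/")

TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper())
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step)


def totp_valid(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate
    clock skew. compare_digest keeps the comparison constant-time so the
    proxy does not leak how many digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def preauth_decision(request: dict, now: int) -> tuple:
    """Pre-auth gate. Returns ("deny", reason) or ("forward", path).
    The backend only ever sees requests for which this returns "forward",
    so unauthenticated scanners and exploit attempts stop here."""
    path = request.get("path", "")
    if not any(path.startswith(p) for p in BACKEND_PATHS):
        return ("deny", "unknown path")
    user = request.get("user")
    code = request.get("otp", "")
    if user not in USERS:
        return ("deny", "unknown user")
    if len(code) != 6 or not code.isdigit():
        return ("deny", "malformed otp")
    if not totp_valid(USERS[user]["totp_secret"], code, now):
        return ("deny", "bad otp")
    return ("forward", path)


if __name__ == "__main__":
    # Constructed requests: at unix time 59 the valid TOTP counter is 1.
    good = {"path": "/owa/", "user": "alice", "otp": hotp(USERS["alice"]["totp_secret"], 1)}
    scan = {"path": "/owa/", "user": "alice", "otp": "000000"}
    probe = {"path": "/cgi-bin/", "user": "alice", "otp": "000000"}
    for req in (good, scan, probe):
        print(req["path"], "->", preauth_decision(req, 59))
```

Note the order of checks: the path allow-list is evaluated first, so requests for anything not deliberately published cost nothing and carry no credential state, and the OTP is only consulted once the path and user are plausible. A real deployment would also rate-limit failed OTP attempts per user and source address, since a six-digit code with a skew window is brute-forceable without that.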