ForeFront Security

Microsoft Government Workshop, November 2007

Ľubo Goryl, lgoryl@microsoft.com, Technology Solution Professional, Microsoft Slovakia

Post on 18-Dec-2015


Agenda

- Overview of Forefront Server Security products
- Forefront Security for Exchange Server
- Forefront Security for SharePoint
- Forefront Management Console
- Forefront Client Security
- Conclusion and questions

23 million branch offices worldwide (IDC, 2006)

3.6 billion mobile users by 2010 (Infonetics, 2007)

85% of organizations will have WLANs by 2010 (Infonetics, 2006)

Access requirements

8x more phishing sites in the past year (AWG, 2006)

Spyware up 277% in the past year (Microsoft Security Intelligence Report)

More attacks carried out for profit (multiple sources)

Threats

Research in organizations

IT security and management technologies

Active Directory

Active Directory Federation Services

Card Space

Interoperability

Developer Tools & Guidance

Systems Management

Identity Management

Windows Client and Server Operating Systems

Forefront = integration, comprehensiveness, management

Windows Networking Solutions

Client and Server OS

Server Applications

Network Edge


Forefront Server Security

Server Security product roadmap

What we have | Latest | Next generation

SP1

SP1

• Includes downgrade rights to Antigen 9.0 for securing Exchange 2003/2000

9.0 SP1

• Includes downgrade rights to Antigen for SharePoint

Comprehensive protection

Anti-virus – solution options

Single vendor, single engine

Problem: single point of failure

[Diagram: viruses, worms and spam from the Internet reach the SMTP server, ISA Server, the Exchange servers and SharePoint; every scanning point is labelled with the same engine, A.]

Anti-virus – solution options

Multi-vendor, multi-engine

Problem: management/cost

[Diagram: the same servers (SMTP server, ISA Server, Exchange servers, SharePoint) facing viruses, worms and spam from the Internet, now labelled with a mix of engines A, B, C, D and E.]

The power of multiple engines

Forefront Server Security products are integrated and shipped with industry-leading antivirus scan engines from:

Each scan job in a Forefront Server Security product can run simultaneously with 5 engines

Internal Messaging and Collaboration Servers

A B C D E

Benefits of multiple engines

Faster response to new threats

Protection against a failed engine

Diverse antivirus engines and heuristics

AVTest.org, 2007. Response time (in hours)

Microsoft multi-engine solution: Forefront Set 1, Set 2, Set 3
Other single-engine solutions: Vendor A*, Vendor B*, Vendor C*

Sample                         Set 1     Set 2     Set 3 Vendor A* Vendor B* Vendor C*
1006_areses_itw30.ex_         0.00**      0.00      0.00      0.00      0.00      0.00
1006_areses_itw36.ex_           0.00      0.00      0.00   1598.78      0.00      0.00
1006_areses_itw37.ex_           0.00      0.00      0.00      0.00     52.30    175.45
1006_areses_itw41.ex_           0.00      0.00      0.00      0.00     13.15    194.35
1006_mytob_itw590.ex_           0.00      0.00      0.00   1332.17      0.00      0.00
1006_rontokbro_itw36.ex_        0.00      0.00      0.00      0.00      0.00    613.40
1006_sdbot_itw1809.ex_          0.00      0.00      0.00      9.97    166.07    270.39
1006_sdbot_itw1831.ex_         65.95     52.23     41.78     59.43      1.00     46.38
1006_sdbot_itw1847.ex_         56.54     56.54    204.79    416.27     29.92     85.32
1006_stration_itw101.ex_        0.00      0.00      0.00     93.88     23.46     96.85
1006_stration_itw102.ex_        0.00      0.00      0.00     26.00     28.05     30.83
1006_stration_itw42.ex_         0.92      0.92      0.92      3.72      3.12      7.05
1006_stration_itw43.ex_         2.00      2.00      2.00      4.80      4.20      8.13
1006_stration_itw44.ex_         0.00      0.00      0.00      5.60      2.00      7.58
1006_stration_itw45.ex_         0.00      0.00      0.00      3.55      2.00      7.58
1006_stration_itw46.ex_         0.00      0.00      0.00      2.75      2.20      6.78
1006_stration_itw47.ex_         0.00      0.00      0.00      3.72      3.12      7.05
1006_stration_itw60.ex_         0.00      0.00      0.00      0.00      4.64      6.32
1106_rbot_itw2090.ex_           0.00      0.00      0.00   1739.10      0.00    298.64
1106_sdbot_itw1814.ex_          0.00      0.00      0.00      1.00      0.00      0.00
1106_sdbot_itw1866.ex_          0.00      0.00      0.00     26.80      1.00     35.27
1106_sdbot_itw1867.ex_          0.00      0.00      0.00     14.00     12.84     23.14
1106_sdbot_itw1876.ex_          0.00      0.00      0.00    468.60    306.82    430.80
1106_stration_itw124.ex_        0.00      0.00      0.38      0.66      1.88      8.80
1206_bagle_itw137.ex_           0.00      0.00      0.00      4.01      0.00     13.83
1206_bagle_itw141.ex_           0.00      0.00      0.00     17.15      0.00     13.83
1206_puce_itw1.ex_              0.00      0.00      0.00      0.00      0.00      1.00
1206_rbot_itw2038.ex_           0.00      0.00      0.00   1026.27      0.00      0.00
1206_sdbot_itw1889.ex_          0.00      0.00      0.00    128.28    255.20     63.96

Colour legend (swatches not preserved): less than 5 hours; 5 to 24 hours; more than 24 hours

* Includes beta signatures
** 0.00 denotes proactive detection

Performance optimization

Controlling performance optimization

Emphasis on

The engines in use are not always the same.

They are dynamically allocated from those available.

A B C D

- Max security: uses all engines (100%)
- Higher security: uses all available engines*
- Neutral: uses approx. 50% of available engines*
- Higher performance: uses 25% of available engines*
- Max performance: uses one engine for each scan*


Simpler management

SharePoint Servers

Exchange Servers

Forefront Server Security Management Console Features

Central management console
- Deploys and configures Forefront/Antigen Security for Exchange and SharePoint

Automates signature updates across the organization
- Scans for and downloads updates for multiple engines
- Distributes updates to all Forefront/Antigen servers

Forefront Server Security Management Console features:

Comprehensive reports
- Detected viruses, keyword filters or file filters
- Actions taken by Forefront/Antigen on detection of a virus or content violation
- Message traffic activity
- Antivirus engine versions

Logged alerts
- SNMP and SMTP alerts sent when administrator-defined thresholds for viruses, file and content filters are exceeded
- Alerts can be forwarded to Microsoft Operations Manager

Automated signature updating

Internet

Engine Partner Updates

www.microsoft.com

Internet

ForefrontEngineAdaptor

Notifications & reporting

Microsoft Operations Manager

Forefront Management Pack for MOM 2005 / SCCM 2007

Over 100 events, performance counters, and services monitored
- Monitors the state of Forefront.
- Collects statistical data on scanning, detection, and removal of messages and attachments
- Polls Forefront Services - provides timed events to poll systems for critical process health

Key Tasks
- Triggers scan engine updates
- Centralizes storage and deployment of license files
- Imports, exports and deploys setting changes
- Initiates and/or schedules manual scan jobs
- Starts/Stops control of Forefront services


Forefront Security for Exchange Server

What's new?

Forefront Security for Exchange Server
- Support for three Exchange roles in single product
- 64-bit support (32-bit support only for evaluation)
- Localization into 11 languages
- Support for new Exchange AV features
  - AV transport stamp
  - Targeted background scanning for optimized performance
- Access to all scan engines included with license
- Premium anti-spam services for Exchange 2007
- Cluster Server improvements including new Exchange 2007 CCR cluster support

Exchange 2007 Enterprise Topology

[Diagram labels: INTERNET; Enterprise network; Other SMTP Servers; Edge Transport; Hub Transport; Client Access; Mailbox; Unified Messaging; Routing; Hygiene; Routing Policy; Mailbox; Public Folders; Voice Messaging; Fax; PBX or VoIP]

Applications:
- OWA

Protocols:
- ActiveSync, POP, IMAP, RPC / HTTP …

Programmability:
- Web services
- Web parts

Transport Scanning – Incoming Mail

[Diagram: INTERNET, Edge Server (SCAN and STAMP), Hub Role (NO SCAN), Mailbox Role and Public Folder (NO SCAN), Client]

• Mail scanned only once at the Edge

• Saves processing load on Hub and Mailbox servers

Transport Scanning – Internal Mail

[Diagram: Internet, Edge Server, Hub Role, Mailbox Roles, Public Folder, Client; one SCAN and STAMP marker and three NO SCAN markers]

• Internal mail is routed through Hub role

• Proactive scanning at the Mailbox server (store) is turned off by default

• Saves processing load on Mailbox servers

File Filtering: Setting up file filters

Forefront blocks by extension and true file type
- Can't fool filter by simple change of extension
- Each is configured differently

Use *.exe and All Types of files to block anything named *.exe

Use *.* and EXEFILE to block any executable file no matter what it is named

File Filtering: Setting up file filters

Search for specific files by name, e.g. "resume.doc"
- Wildcards supported, e.g. "*resume*.doc"
- Each * represents 250 characters

File filters can be Inbound or Outbound
- <in>*.exe, <out>*.doc

Files can be blocked based on size, and size/name/type/direction combinations
- <in>*.mp3>2mb
- <out>*.mp3>5mb
- <in>*.*>10mb
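An added illustration (not from the slides and not Forefront's own code) of why a name-only rule and a true-file-type rule behave differently, as a small Python model of the `<in>`/`<out>`, wildcard and size syntax shown above. The rule dictionary, the `MZ`-only type check, and reading `>2mb` as "larger than 2 MB" are assumptions made for this sketch.

```python
import fnmatch
import re

# Rule text as written on the slide: optional <in>/<out>, a name pattern,
# optional ">Nmb". Reading ">2mb" as "larger than 2 MB" is an assumption.
RULE_RE = re.compile(r"^(?:<(in|out)>)?(.+?)(?:>(\d+)mb)?$", re.IGNORECASE)

def parse_rule(text, file_type="ALL"):
    direction, pattern, size_mb = RULE_RE.match(text.strip()).groups()
    return {
        "text": text,
        "direction": direction.lower() if direction else None,  # None: both ways
        "pattern": pattern.lower(),
        "over_bytes": int(size_mb) * 1024 * 1024 if size_mb else None,
        "file_type": file_type,  # "ALL" (any type) or "EXEFILE"
    }

def true_type(data):
    # Content-based typing: DOS/PE executables begin with the bytes "MZ".
    return "EXEFILE" if data[:2] == b"MZ" else "OTHER"

def matches(rule, name, data, direction):
    if rule["direction"] not in (None, direction):
        return False
    if not fnmatch.fnmatchcase(name.lower(), rule["pattern"]):
        return False
    if rule["over_bytes"] is not None and len(data) <= rule["over_bytes"]:
        return False
    return rule["file_type"] in ("ALL", true_type(data))

def blocked_by(rules, name, data, direction):
    """Return the text of the first rule that matches, or None."""
    for rule in rules:
        if matches(rule, name, data, direction):
            return rule["text"]
    return None

# Constructed sample data (not from the slides).
NAME_ONLY = [parse_rule("*.exe")]                      # *.exe + all types
BY_CONTENT = [parse_rule("*.*", file_type="EXEFILE")]  # *.* + EXEFILE
SIZE_RULES = [parse_rule("<in>*.mp3>2mb"), parse_rule("<out>*.mp3>5mb")]
RENAMED_EXE = b"MZ" + b"\x00" * 62             # executable header, saved as .jpg
SONG = b"ID3" + b"\x00" * (3 * 1024 * 1024)    # 3 MB stand-in for an MP3

if __name__ == "__main__":
    print(blocked_by(NAME_ONLY, "holiday.jpg", RENAMED_EXE, "in"))
    print(blocked_by(BY_CONTENT, "holiday.jpg", RENAMED_EXE, "in"))
    print(blocked_by(SIZE_RULES, "track.mp3", SONG, "in"))
    print(blocked_by(SIZE_RULES, "track.mp3", SONG, "out"))
```

The renamed executable passes the name-only rule and is caught only by the content-typed rule, which is the reason to configure both kinds.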

File Filtering Actions

Every filter or filter list can have a separate action applied, offering great flexibility
- Skip: Detect only – logs the event but does not block or alter the message
  - Not a secure setting!
  - Useful for monitoring and discovery purposes
  - Allows for pre-testing of new rules without end user impact
- Delete: Remove contents – removes the attachment only and replaces with the customized deletion text
- Purge: Eliminate message – deletes both the attachment and the message body
  - End user receives nothing

File Filtering – Zip file behavior

Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP

Filter Rules: Delete *.exe, Quarantine

[Diagram: Container file before scan: EXE, DOC, JPG, BMP. Container file after scan: DOC, JPG, BMP, TXT (custom deletion text). EXE: Quarantine.]


Forefront Security for SharePoint

What's new?

Forefront Security for SharePoint
- Both 32-bit and 64-bit support
- Localization (11 languages)
- Support for SharePoint Information Rights Management Documents
- Keyword filtering on Office XML Open Format and Excel formats
- Access to all scan engines included with license

Forefront Security for SharePoint

[Diagram labels: Users, Document, SharePoint Server, SQL Document Library]

Virus Protection for Document Libraries
- Real-time scanning of documents uploaded and downloaded from document library
- Manual and scheduled scanning of document library

Content Policy Enforcement
- File filtering to block documents from being posted based on name match, file type or file extension
- Content filtering by keywords within documents for inappropriate words and phrases


Forefront Server Security Management Console

What's new in Forefront Server Security Management Console?

- Exchange 2007 CCR Cluster Support
- SQL 2005 Support*
- Auto-discovery of Exchange Servers*
- Exchange Server Filter*
- Redundancy*
- Localization in 11 languages**

* Beta 2 (mid-2007)
** RTM (2H 2007)


Forefront Server Security Management Console


Security Summary

Reporting

Industry Analyst Perspective

Gartner Magic Quadrant for E-Mail Security Boundary, 2006*

* Magic Quadrant for E-Mail Security Boundary, 2006. Peter Firstbrook, Arabella Hallawell. Publication Date: 25 September 2006 / ID Number: G00142431

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.