Sikkerhed/Compliance (Security/Compliance)

Peter Arvedlund, Security Solutions Specialist; Claus Petersen, Sr. Partner TS Core Infrastructure

PowerPoint presentation transcript, posted 22-Feb-2016.

Page 1: Sikkerhed /Compliance

Security/Compliance

Peter Arvedlund, Security Solutions Specialist

Claus Petersen, Sr. Partner TS Core Infrastructure

Page 2: Sikkerhed /Compliance

Forefront Security overview: protection against malware/virus, hacking, spam, etc. across Client and Server OS, Server Applications, Perimeter/edge and Internet.

Page 3: Sikkerhed /Compliance

Forefront codename "Stirling": Management & Visibility, Dynamic Response

Protected tiers and the release that joins Stirling: Network Edge (vNext), Server Applications (vNext), Client and Server OS (V.2)

Page 4: Sikkerhed /Compliance

Forefront Security overview: protection against malware/virus, hacking, spam, etc. across Client and Server OS, Server Applications, Perimeter/edge and Internet.

Page 5: Sikkerhed /Compliance

Exchange Hosted Filtering

Page 7: Sikkerhed /Compliance

Forefront Security overview: protection against malware/virus, hacking, spam, etc. across Client and Server OS, Server Applications, Perimeter/edge and Internet.

Page 8: Sikkerhed /Compliance

Internet Security & Acceleration Server & Intelligent Application Gateway

Page 9: Sikkerhed /Compliance

ISA 2006 Strengths

• Branch Office Application Gateway
  − Site-to-site VPN with application layer protection
  − Caching and compression between sites
  − Combined proxy/firewall benefits for remote offices

• Application Firewall/Proxy Server
  − AD-integrated proxy server
  − 5th generation proxy server
  − HTTP filtering with 3rd party plug-in extensibility

• Secure Application Publishing
  − Good choice for customers with a single namespace
  − Easy setup for Exchange and RPC/HTTP access
  − AD-integrated / certificate / smart card authentication / RADIUS

Page 10: Sikkerhed /Compliance

Microsoft Confidential

Forefront "Threat Management Gateway"

The Forefront "Threat Management Gateway" provides protection from multiple Internet-based threats, secure connectivity and simplified management. "Threat Management Gateway" represents the evolution of ISA Server into a comprehensive, integrated edge protection solution.

"Threat Management Gateway" Investment Areas

Multiple Threat Protection
• Web anti-virus, anti-malware
• URL filtering
• Email anti-virus, anti-spam
• Intrusion prevention
• Integration with Forefront codename "Stirling"

Secure Connectivity
• Network & application firewall
• Internet access protection (proxy)
• Remote access VPN
• Site-to-site VPN
• Exchange & SharePoint publishing

Simple Management
• "Appliance like" experience
• Easy deployment
• Centralized management
• Integration with MS infrastructure, including AD, WSUS, System Center

Page 11: Sikkerhed /Compliance

Anything you can do… I can do… ANYWHERE!

Anywhere Access / Secure Remote Access

Page 13: Sikkerhed /Compliance

Different roles – different access

Diagram elements:
Roles: Financial Partner or Field Agent; Project Manager (Employee); Logistics Partner; Remote Technician (Employee)
Devices: Corporate Laptop; Home PC; Kiosk; Unmanaged Partner PC
Access granted: Full Intranet; Payroll & HR; Legacy Apps / Custom Financials; Supply Chain; File Access; Webmail; Tech Support App; Limited Webmail: no attachments; Limited Intranet

"Compliance": each user's access is determined by access policies tied directly to the individual user, the security level, or the PC/PDA.

Page 14: Sikkerhed /Compliance

ISA & IAG Roadmap

Page 15: Sikkerhed /Compliance

"TMG" vs. ISA Server 2006

• TMG extends current ISA capabilities to provide edge protection against viruses, malware and other Internet-based threats

Capability                             | ISA 2006 | "TMG"
Network firewall                       | yes      | yes
Application firewall                   | yes      | yes
Internet access protection (proxy)     | yes      | yes
Basic OWA & SharePoint publishing      | yes      | yes
IPsec VPN (remote & site to site)      | yes      | yes
Web caching, HTTP compression          | yes      | yes
Web anti-virus, anti-malware           | –        | New
URL filtering                          | –        | New
Email anti-virus, anti-malware         | –        | New
Intrusion prevention                   | –        | New
Integration with codename "Stirling"   | –        | New
Enhanced UI, management, reporting     | –        | New

Page 16: Sikkerhed /Compliance

"UAG" vs. IAG 2007

Capabilities compared (the slide marks eight of the thirteen as New in UAG):
• Application Intelligence and Publishing
• End Point Security
• SSL Tunneling
• Information Leakage Prevention
• Robust Authentication Support (KCD, ADFS, OTP)
• Product Certification (Common Criteria, ICSA)
• NAP Integration
• Terminal Services Integration
• Array Management
• Enhanced Management and Monitoring (MOM Pack)
• Enhanced Mobile Solutions
• New and Customizable User Portal
• Wizard Driven Configuration

Page 17: Sikkerhed /Compliance

Demo IAG

Page 18: Sikkerhed /Compliance

Forefront Security overview: protection against malware/virus, hacking, spam, etc. across Client and Server OS, Server Applications, Perimeter/edge and Internet.

Page 19: Sikkerhed /Compliance

Forefront Security for Application Servers

Page 20: Sikkerhed /Compliance

Forefront for Exchange, SharePoint & OCS works as one unified anti-virus administration and integration console containing up to 8 different antivirus scanners!

Forefront for Application Servers
- Exchange
- SharePoint
- OCS

Page 21: Sikkerhed /Compliance

Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from [vendor logos on the slide].

Each scan job in a Forefront Server Security product can run up to five engines simultaneously.

Internal Messaging and Collaboration Servers

Page 22: Sikkerhed /Compliance

Diagram: users upload and download documents to the SharePoint Server's SQL document library.

Virus Protection for Document Libraries
• Real-time scanning of documents uploaded to and downloaded from the document library
• Manual and scheduled scanning of the document library

Content Policy Enforcement
• File filtering to block documents from being posted based on name match, file type or file extension
• Content filtering by keywords within documents for inappropriate words and phrases

Page 23: Sikkerhed /Compliance

• Detects and removes viruses in IM conversations
  − Supports LCS 2005 pooling, PIC, file transfers, and encrypted conversations
  − Blocks IMs with potentially harmful links

• Scans for confidential information and inappropriate keywords in IMs and documents

• Allows creation of IM policies through whitelisting and IM/SMTP notifications

Diagram: Microsoft Office Communicator and Windows Messenger clients, Office Communications Server with Forefront, firewall, outside IM clients.

Page 24: Sikkerhed /Compliance

Integrated Management: Forefront Management Pack

• Over 100 events, performance counters, and services monitored
  − Monitors the state of Forefront
  − Collects statistical data on scanning, detection, and removal of messages and attachments
  − Polls Forefront services; provides timed events to poll systems for critical process health

• Key tasks
  − Triggers scan engine updates
  − Centralizes storage and deployment of license files
  − Imports, exports and deploys setting changes
  − Initiates and/or schedules manual scan jobs
  − Starts/stops control of Forefront services

Page 25: Sikkerhed /Compliance

Demo Forefront for Sharepoint

Page 26: Sikkerhed /Compliance

Forefront Security overview: protection against malware/virus, hacking, spam, etc. across Client and Server OS, Server Applications, Perimeter/edge and Internet.

Page 27: Sikkerhed /Compliance

Forefront Client Security

Page 28: Sikkerhed /Compliance

AVComparatives (Feb 2008)
Results of testing 29 anti-virus engines against more than 870,000 malware files discovered during the last six months.
Test of consumer anti-virus products using a malware sample covering approximately the last three years.
Received AVComparatives Advanced Certification.
Kaspersky 97.4%, Symantec 96.1%, Microsoft 96.1%, Trend Micro 95.4%, AVG 95.1%, Sophos 95.0%, NOD32 93.6%, Panda 93.3%, Norman 90.8%, McAfee 86.4%, eTrust 73.7%

AVTest.org (November 2007)
Test based on more than 1 million malware samples.

AVTest.org (March 2008)
Two result lists as shown on the slide:
Kaspersky 98.30%, Symantec 97.70%, McAfee 94.90%, Microsoft 93.90%, VBA32 87.70%
AVK (G Data) 99.91%, Trend Micro 98.72%, Sophos 98.10%, Microsoft 97.79%, Kaspersky 97.17%, F-Secure 96.78%, Norton (Symantec) 95.70%, McAfee 95.58%, eTrust / VET (CA) 72.07%

One antivirus scanner: antivirus, antispyware & antirootkit

Page 29: Sikkerhed /Compliance

Product Name / Capability                                        | Leading Competitor    | Forefront Client Security
Memory Footprint (1): Server / Client                            | 58.6 MB / 66.3 MB     | 56.5 MB / 57.9 MB
Avg Usage, CPU & Memory (2): % Server Avg / % Client Avg         | 30.5% / 29.4%         | 2.0% / 11.1%
Boot time increase (3)                                           | 62% avg increase      | 4.5% avg increase
Scanning time (quick): Network 1 (Avg) (4) / Network 2 (Avg) (4) | 29.9 min / 12.0 min   | 13.6 min / 5.3 min
Scanning time (full): Network 1 (Avg) (4) / Network 2 (Avg) (4)  | 156.8 min / 92.8 min  | 34.6 min / 18.3 min

Callouts: 60%+ less CPU usage; 14x faster at boot time; 2x faster in quick scans; 5x faster in full scans.

Sources: West Coast Labs, AVTest.org, Performance benchmarking study with West Coast Labs.

Product Name / Capability                                             | Leading Competitor      | Forefront Client Security
Memory Footprint (1): Client uninfected / Client infected             | 536 MB / 593 MB         | 522 MB / 495 MB
Avg Usage, CPU & Memory (2): % Client uninfected / % Client infected  | 82.37% / 88.56%         | 79% / 81.6%
Scanning time: Uninfected client / Infected client                    | 147.69 min / 167.09 min | 81.82 min / 95.33 min
Application Startup time: Starting Word (with no AV: 1.725 sec)       | 2.425 sec               | 2.233 sec
Application Startup time: Starting IE (with no AV: 2.275 sec)         | 3.6 sec                 | 2.6 sec

Callouts: 7% less CPU; 2x faster.

One antivirus scanner: antivirus, antispyware & antirootkit

Page 30: Sikkerhed /Compliance

SMS/SCCM

Page 31: Sikkerhed /Compliance

Page 32: Sikkerhed /Compliance

Security Summary

Page 33: Sikkerhed /Compliance

"Is my environment compliant with security best practices?"

"Has my level of vulnerability exposure changed over time?"

"What portion of my environment is at high risk?"

Page 34: Sikkerhed /Compliance

Forefront Security overview: protection against malware/virus, hacking, spam, etc. across Client and Server OS, Server Applications, Perimeter/edge and Internet.

Management – "Codename Stirling", RTM Q1 '09

Page 35: Sikkerhed /Compliance

Forefront codename "Stirling": Management & Visibility, Dynamic Response

Protected tiers and the release that joins Stirling: Network Edge (vNext), Server Applications (vNext), Client and Server OS (V.2). FCS v.2 is part of the "Stirling" security system.

Page 36: Sikkerhed /Compliance

Stirling Protection Overview
• Comprehensive and coordinated protection with dynamic response
• Unified assets and policy-centric management across client, server, and edge
• Critical visibility into security state: threats and vulnerabilities

Client and Server OS (vNext): Antimalware; Host Firewall; Host Intrusion Prevention System; Software Restriction; Device Control; NAP Integration

Server Applications (vNext): Exchange 2007 & E14 Protection; Additional Antimalware Capabilities; Advanced Antispam; Content Filtering; SharePoint 2007 & SPS 14 Malware Protection

Network Edge (vNext): Web (URL) Filtering; HTTP/FTP AV; Intrusion Prevention; Remote Access; NAP Integration; Firewall

Page 37: Sikkerhed /Compliance

Siloed best-of-breed solutions are not enough

• Breaches came from a combination of events:
  − 62% were attributed to a significant error
  − 59% resulted from hacking and intrusions
  − 31% incorporated malicious code
  − 22% exploited a vulnerability
  − 15% were due to physical threats

[Chart: Time span of data breach events]

Source: http://www.verizonbusiness.com/resources/security/databreachreport.pdf

Page 38: Sikkerhed /Compliance

Example: Zero Day Scenario – Today

Diagram of today's manual response, which takes hours: user Peter on DEMO-CLT1 reaches a Malicious Web Site via the WEB; the Edge Protection log and a DNS Reverse Lookup lead the Network Admin to the client; the Desktop Admin is reached by Phone, checks the Client Event Log, and then acts by hand ("Manual: Launch a scan" in Client Security, "Manual: Disconnect the Computer").

Page 39: Sikkerhed /Compliance

Example: Zero Day Scenario – With Stirling and Dynamic Response (2-3 min)

Same actors as before: user Peter on DEMO-CLT1, the Malicious Web Site reached via the WEB, and the Security Admin, Network Admin and Desktop Admin.

1. Forefront TMG identifies malware on the DEMO-CLT1 computer attempting to propagate (Port Scan) and publishes to the Security Assessments Channel: Compromised Computer DEMO-CLT1, High Fidelity, High Severity, Expire: Wed.

2. FCS (Client Security) identifies that Andy has logged on to DEMO-CLT1 and publishes: Compromised User: Andy, Low Fidelity, High Severity, Expire: Wed.

3. Stirling Core drives the responses across the connected products (NAP, Active Directory, Forefront Server for Exchange, SharePoint and OCS, Forefront TMG, Client Security): Alert, Scan Computer, Block Email, Block IM, Reset Account, Quarantine.
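The assessment-sharing flow on this slide, as an added toy model (not code from the deck or from any Forefront product): assessments carry the slide's fidelity, severity and expiry fields; the correlation rule that turns a logon onto a compromised host into a low-fidelity "compromised user" assessment, and the mapping of the slide's six actions onto assessment kind and fidelity, are assumptions made here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Assessment:
    kind: str        # "compromised_computer" or "compromised_user"
    subject: str     # host name or user name
    fidelity: str    # "high" or "low": how sure the publisher is
    severity: str    # "high" or "low": how bad it is if true
    expires: datetime
    source: str      # publishing product, e.g. "TMG" or "FCS"

class AssessmentChannel:
    """Shared channel: products publish assessments, others correlate and respond."""
    def __init__(self) -> None:
        self.assessments = []

    def publish(self, a: Assessment) -> None:
        self.assessments.append(a)

    def active(self, now: datetime) -> list:
        return [a for a in self.assessments if a.expires > now]

    def on_logon(self, user: str, host: str, now: datetime):
        # Assumed correlation rule: a logon to a host assessed compromised with high
        # fidelity yields a "compromised user" assessment with LOW fidelity (as on the slide).
        for a in self.active(now):
            if a.kind == "compromised_computer" and a.subject == host and a.fidelity == "high":
                derived = Assessment("compromised_user", user, "low", a.severity, a.expires, "FCS")
                self.publish(derived)
                return derived
        return None

def respond(a: Assessment, now: datetime) -> list:
    # Assumed mapping of the slide's action list onto assessment kind and fidelity.
    if a.expires <= now or a.severity != "high":
        return []  # expired or low-severity assessments trigger nothing automatically
    if a.kind == "compromised_computer":
        return ["Alert", "Scan Computer", "Quarantine"] if a.fidelity == "high" else ["Alert", "Scan Computer"]
    actions = ["Alert", "Block Email", "Block IM"]
    if a.fidelity == "high":  # only a sure verdict justifies forcing a password reset
        actions.append("Reset Account")
    return actions

def demo() -> dict:
    now = datetime(2008, 6, 2, 9, 0)  # constructed timestamp
    chan = AssessmentChannel()
    tmg = Assessment("compromised_computer", "DEMO-CLT1", "high", "high", now + timedelta(days=2), "TMG")
    chan.publish(tmg)
    user = chan.on_logon("Andy", "DEMO-CLT1", now)
    return {tmg.subject: respond(tmg, now), user.subject: respond(user, now)}
```

Expiry matters: once the computer assessment lapses, `on_logon` no longer derives a user assessment and `respond` returns no actions, which is why the slide attaches an "Expire" date to each assessment.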

Page 40: Sikkerhed /Compliance

Demo Stirling

Page 41: Sikkerhed /Compliance

Identity & Security Roadmap

[Timeline chart: columns H1 CY08, H2 CY08, H1 CY09, ~2010; rows Threat Mitigation, Management, Identity Based Access, Identity Infrastructure. Milestones named on the slide: Beta 1, Beta 2, Beta 3, RC and RTM markers per product (labelled NEW / NEXT); "Zermatt" Identity Developer Framework (Beta); IAG SP2 RTM; Active Directory Rights Management Services RTM; AD, ADLDS, ADFS (Windows Server 2008 R2) RTM.]

Page 42: Sikkerhed /Compliance

Questions?

Claus Petersen, [email protected]

Peter Arvedlund, [email protected]

www.forefront.dk
www.microsoft.com/stirling