Presentation transcript: Robert Petrunić, CISSP, CEH, MCITP, Algebra. Agenda: How to achieve security? (the challenge); How FF approaches the problem; What is included in FF; FF Endpoint Protection 2010.

1 Robert Petrunić, CISSP, CEH, MCITP Algebra

2 Agenda
− How to achieve security? (the challenge)
− How FF approaches the problem
− What is included in FF
− FF Endpoint Protection 2010
− FF Identity Manager
− FF TMG and UAG

3 How to achieve security (the challenge)

4 Everyday problems
− Malware, spam, phishing
− Passwords
− Users browse the web instead of working
− Tunnelling and hiding traffic
− Money (lack of it)
− Lack of understanding and education
− Software flaws, 0-day attacks
− Criminals
− Social networks...

5 Problems...
− Reverse connections
− Exploits and malware from the web
− Exploits and malware from the inside
− HTTP/HTTPS tunnelling
− CD/USB sticks
− Disgruntled users
− Covert channels...

6 Problems...

7

8 Potential solutions
− Education, demystification
− End-to-end trust
  − Secure by design
  − Secure by default
  − Secure in deployment
− Antivirus software
− Firewall, IDS/IPS, honeypot
− Better and more comprehensive management tools
− Restrictions
− Forefront products

9 How FF approaches the problem

10 Business Ready Security
1. − Protection everywhere − Access from anywhere
2. − Integrated − Extensible
3. − Simple − Manageable

11 What is included in FF

12 FF Endpoint Protection
− FF Application Security
  − FF Online Protection for Exchange
  − FF Protection for Exchange
  − FF Protection for Office Communications Server
  − FF Protection for SharePoint
− FF Network (Edge) Access and Protection
  − FF Threat Management Gateway
  − FF Unified Access Gateway
− FF Identity Management
  − FF Identity Manager 2010

13

14 FEP + Security Management Pack
− FEP (Forefront Endpoint Protection)
  − Antivirus and security solution for clients
  − Integrated into SCCM 2007
− FEP Security Management Pack
  − Antivirus and security solution for servers
  − Integrated into SCCM 2007
− FEP 2012 is in RC!!!

15 FEP + Security Management Pack
They offer:
− Integration with the existing management infrastructure (SCCM 2007)
− Antimalware engine (proven)
− Reporting (MS SQL Reporting Services)
− Policy-based antimalware management
− Firewall management
− Migration from existing solutions (FF Client Security)

16 FEP + Security Management Pack
− Simple to deploy
− Simple to manage
− Unified protection
  − Antimalware (viruses, trojans, rootkits, worms, spyware...)
  − Vulnerability assessment
  − Windows Firewall management
  − NIS (Network Inspection System)

17 FEP + Security Management Pack
System requirements (server):
− 2 GB of memory
− FEP server (600 MB), FEP database (1.25 GB), FEP reporting database (1.25 GB)
− Windows Server 2003 SP2 or later
− SQL Server 2005 SP3 or later
− Microsoft SCCM 2007 SP2 or later
− Windows Installer 3.1, .NET 3.5 SP1

18 Forefront Endpoint Protection 2010
Deployment:
− Built on the distribution infrastructure of Microsoft System Center Configuration Manager software
− Supports all System Center Configuration Manager topologies and enables enterprise-wide scalability
− Facilitates easy migration
− Able to deploy across various operating systems (including Microsoft Windows client and Microsoft Windows Server)
Protection:
− Protection against viruses, spyware, rootkits, and network vulnerabilities
− Productivity-oriented default configuration
− Integrated management of host firewall
− Backed by Microsoft Malware Protection Center
Management:
− Unified management interface for desktop administrators
− Timely and effective alerts
− Simple, operation-oriented policy administration
− Historical reporting for security administrators

19 Deployment

20 Architecture diagram labels: SQL Reporting Services; SCCM Software Distribution; SCCM Desired Configuration Management; SCCM Server; DATA; Config. / Dashboard; Reports; EVENTS; Desktops, Laptops, and Servers; TELEMETRY; SpyNet; Network File Share

21 Total client deployment to date: 110K
Target deployment: 250K

22 FEP client distribution
Two methods:
− Distribution via SCCM
− Running the .exe file with parameters
  − Manual installation
  − Scripted installation
  − Third-party installation tools
  − Group Policy installation
  − Preinstalled in the OS image
  − ...
Automatic removal of the existing AV:
− Symantec Endpoint Protection version 11
− Symantec Corporate Edition version 10
− McAfee VirusScan Enterprise version 8.5 and version 8.7
− Trend Micro OfficeScan version 8.0 and version 10.0
− Forefront Client Security version 1, including the Operations Manager agent

23 Protect Clients with Reduced Complexity
− Simple interface
  − Minimal, high-level user interactions
  − Only necessary interactions
− Administration options
  − User configurability controls
  − Central policy enforcement
− Maintains high productivity
  − CPU throttling during scans
  − Faster scans through advanced caching

24 Common Client
− Built on Microsoft Security Essentials' proven success
− Common client across Microsoft security products: MSE, FEP, Intune

25 DEMO – FF client security

26 Management

27 Management Scenarios
− Policy Management
  − Scheduled scans
  − Scan exclusions
  − Update locations
  − Client configuration
− Desired Configuration Management (DCM)
  − Clients out of policy
  − Unhealthy clients
  − Out-of-date clients
− Reporting
  − Malware activity
  − Computer health
  − Summary or detailed views

28 Unified Management Interface
− Simplified operations for client management and security through a unified console
− Centralized console for policy management and monitoring
− Enterprise-wide visibility into client security
− Quick identification and remediation of client security issues

29 Tracking Historical Reports
− Provides rich historical information
  − Malware incidents
  − Protection status
  − Security compliance
  − Policy distribution
  − Alerts
− Based on SQL Reporting Services
− Supports multiple formats
− Customizable and extensible to other tools
− Notification

30 Malware Activity

31 Advanced Protection

32 What is included in the engine
− Process/registry/network RTP watchers
− Directional scanning
− Persisted file cache
− Wildcard support for exclusions
− Scheduled scan randomization
− CPU throttling
− Command line scanner
− Signature update package chaining
− UNC signature distribution
− Signature source ordering fallback
− Dynamic translation
− Live system behavior monitoring
− Kernel inspection (Komoku)
− Dynamic signature service
− WLSP integration
− Network vulnerability shielding (NIS)
− Kernel Support Library (KSL) driver
− Reboot tracking (remediation)
− Directed scanning improvements
− Offline scan integration
− Diagnostic scan
− Service hardening/anti-tampering
− State management
− Kernel-mode boot-time removal

33 Goals for Protection in FEP 2010
Diagram labels: Signatures; Samples; Customer machine; MMPC
− Blocking threat infections: Real-time Protection, Generics & Heuristics, Browser Protection, Network Vulnerability Shielding
− Neutralizing active threats: Anti-rootkit, Behavior Monitoring, Dynamic Signature Service, Malware Response

34 Forefront Protection Stack: Overview
Stack components: Firewall & Configuration Management; Browser Protection; Generics and Heuristics; Antimalware; Behavior Monitoring; Dynamic Signature Service; Malware Response ("MMPC"); Anti-Rootkit; Network Vulnerability Shielding
Putting our assets together, we have created a comprehensive protection stack.
Focus:
− Reduce time and cost to protect
− Increase cost to attack, decrease exploit window
− Operationalize new protection technologies
− Destroying malware's value prop
Recent investments:
− Closing vulnerability and social engineering vectors: web, network, behavior
− Operationalizing protection
− Balancing protection vs. performance
− Remediation and threat management improvements
− Simplifying deployment

35 Forefront Protection Stack: Details
Real-time protection provides high-quality reactive detection with optimized performance.
Key improvements:
− Improved monitoring: process/registry/network watchers
− Improved performance scenarios for servers
− Performance improvements using advanced caching
  − Cached files are not rescanned
  − Cache persists across reboots
− New exclusion features (wildcard support)
− Scheduled scan flexibility
− CPU throttling
− Command line scan options
− Signature update improvements
− Service hardening/anti-tampering

36 Forefront Protection Stack: Details
Industry-leading proactive detection based on our Dynamic Translation technology:
− Generics/heuristics based on emulated behavior and/or decrypted binary characteristics
− Allows a single signature to detect thousands of files
− Advanced+ certification from AV-Comparatives.org on proactive detection
Dynamic Translation helps us deal with malware volume: many samples are the same threat, just obfuscated differently.
− With polymorphic malware, what the code does may be the only common aspect of two samples

37 Generics and Heuristics: Dynamic Translation (DT)
Source:
    HANDLE hFile;
    hFile = CreateFile(L"NewVirus.exe", GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
    ...
Real resources (native code):
    push h
    push offset string L"NewVirus.exe"
    call dword ptr
    cmp esi,esp
    ...
Virtualized resources (after DT):
    push h
    push offset string L"NewVirus.exe"
    call dword ptr [DT_CreateFile]
    cmp esi,esp
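The slide shows the guest's CreateFile being redirected to DT_CreateFile so the emulated code runs against virtualized resources. The following toy model, added here and not part of the presentation or of the Forefront engine, shows what that redirection buys a defender: the guest's call is dispatched through a patchable import slot into an in-memory "virtual file system", and a generic signature is then evaluated on the recorded behaviour rather than on the sample's bytes. The flag values mimic Win32 names but are constructed here, and the shim takes only the 4 parameters the heuristic inspects.

```c
/* Added example (not from the presentation): a toy model of Dynamic
 * Translation's virtualized API layer.  The guest's CreateFile call is
 * redirected through a dispatch table to DT_CreateFile, which records the
 * request in an in-memory "virtual file system" and never touches disk.
 * A generic (behavioural) signature then runs over the recorded calls.
 * Flag values mimic the Win32 names but are constructed here. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define GENERIC_WRITE         0x40000000u
#define CREATE_NEW            1u
#define FILE_ATTRIBUTE_HIDDEN 0x02u
#define MAX_VFILES 16

typedef struct { char name[64]; uint32_t access, disposition, attrs; } VFile;

/* Virtualized resources: nothing here reaches the real OS. */
static VFile vfs[MAX_VFILES];
static int   vfs_count;

/* The shim the emulated code is redirected to (call dword ptr [DT_CreateFile]).
 * Simplified to 4 of CreateFile's 7 parameters. */
static uintptr_t DT_CreateFile(const char *name, uint32_t access,
                               uint32_t disposition, uint32_t attrs) {
    if (vfs_count >= MAX_VFILES) return 0;      /* virtual "invalid handle" */
    VFile *f = &vfs[vfs_count++];
    snprintf(f->name, sizeof f->name, "%s", name);
    f->access = access; f->disposition = disposition; f->attrs = attrs;
    return (uintptr_t)(0x1000 + vfs_count);     /* opaque virtual handle */
}

/* Dispatch table: the emulator points the guest's import slot here, so the
 * guest's own instructions execute against virtual resources. */
typedef uintptr_t (*CreateFileFn)(const char *, uint32_t, uint32_t, uint32_t);
static CreateFileFn import_CreateFile = DT_CreateFile;

static int has_suffix(const char *s, const char *suf) {
    size_t n = strlen(s), m = strlen(suf);
    return n >= m && strcmp(s + n - m, suf) == 0;
}

/* Generic signature over observed behaviour: "drops a hidden executable".
 * Returns 1 on a match, whatever bytes the guest happened to be built from. */
static int generic_drops_hidden_exe(void) {
    for (int i = 0; i < vfs_count; i++)
        if ((vfs[i].access & GENERIC_WRITE) &&
            (vfs[i].attrs & FILE_ATTRIBUTE_HIDDEN) &&
            has_suffix(vfs[i].name, ".exe"))
            return 1;
    return 0;
}

/* Emulate the guest from the slide: same call, virtualized destination.
 * Returns 1 if the generic signature fires on the recorded behaviour. */
static int emulate_sample(const char *dropped_name, uint32_t attrs) {
    vfs_count = 0;
    /* HANDLE hFile = CreateFile(L"NewVirus.exe", GENERIC_WRITE, 0, NULL,
     *                           CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL); */
    uintptr_t h = import_CreateFile(dropped_name, GENERIC_WRITE, CREATE_NEW, attrs);
    return h != 0 && generic_drops_hidden_exe();
}

int main(void) {
    printf("NewVirus.exe (hidden): %s\n",
           emulate_sample("NewVirus.exe", FILE_ATTRIBUTE_HIDDEN) ? "detected" : "clean");
    printf("report.txt (normal)  : %s\n",
           emulate_sample("report.txt", 0) ? "detected" : "clean");
    return 0;
}
```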

38 Forefront Protection Stack: Details
Live system behavior monitoring identifies new threats:
− Tracks behavior of unknown processes and known good processes gone bad
− Provides live OS anomaly detection
Primary sensors:
− Process / file / registry operations
− Network activity: spam and botnets
− Kernel modification: "Komoku Inc" integration for anti-rootkit (AR) protection
− Web downloads
Behavior monitoring "detections" are driven by the engine and trigger a request to the Dynamic Signature Service.
− New signature support enables AV researchers (MMPC) to rapidly respond to evolving threats

39 Forefront Protection Stack: Details
Delivers protection for new threats not in the signature set on the endpoint.
− Low fidelity: a new class of generics looks for suspicious characteristics as behavior is emulated with dynamic translation
− Queries the SpyNet telemetry service about 'interesting' files
− Back-end classifiers use machine learning to identify new malware
− If the file is known bad, a new signature is delivered in real time to the client requesting it
− Balances signature distribution time/cost with the need for real-time updates
− Admins must choose to opt in to use this feature

40 Forefront Protection Stack: Details
Network Inspection System (NIS) detects and blocks Conficker-style network vulnerability exploits.
− NIS inspects inbound and outbound network traffic and blocks detected exploits
− Only on if users are vulnerable: signatures are enabled individually based on the specific patch level and disabled once the machine is patched
− If no signatures are active, NIS turns off traffic interception
− Starting small in FEP 2010 (protection for top-severity Windows vulnerabilities), but can be extended via engine updates over time

41 Forefront Protection Stack: Details
FEP 2010 tightly integrates with browser download managers (IE, Firefox) to ensure deep scanning of all downloads.
Integration and data sharing with Internet Explorer SmartScreen cloud services provides real-time protection from malicious web sites without additional performance and compatibility costs when running IE:
− URL reputation
− File reputation (recently enabled in IE9)
Telemetry:
− Source URLs
− URLs improve WLSP/SmartScreen for all IE users
− Intelligence for SSIRP events, MS vulnerability exploitation trends, takedowns

42 Forefront Protection Stack: Details
− FEP customer submissions and telemetry are prioritized across the global response team
− Ability for enterprise customers to engage virus researchers and analysts 24/7 for high-priority submissions
− Ability to track submission status online
− Detailed information on detections added or modified in a definition set (change log)
− RSS feeds to keep our customer base up to date on new encyclopedia write-ups, definition releases, and telemetry
Visit the portal at:

43 Forefront Protection Stack: Summary
Diagram labels: Anti-Rootkit; Generics and Heuristics; Real-time Protection; Behavior Monitoring; Dynamic Signature Service; Malware Response; Browser Protection; Network Vulnerability Shielding
Goals:
− Provide high-quality protection
− Cover more attack vectors
− Discovering new threats
− Delivering signatures faster

44 FEP Licensing

45 Today (August 2011):
− Server: DSL (Device Subscription License)
− Client: USL or DSL
− Price: 10.20 USD per user or device + SCCM 2k7 (*based on a minimum of 5 users)
− Additional discount with volume licensing

46 FEP Supported Clients
Client SKUs:
− Windows XP SP3 (x86)
  − No Network Inspection System (Vulnerability Shielding) support
− Windows Vista (x86 and x64)
  − SP1 required for NIS support
− Windows 7 (x86 and x64)
− Windows 7 XP Mode
Server SKUs:
− Windows Server 2003 SP2 (x86 and x64) + R2
− Windows Server 2008 (x86 and x64) + R2

47 DEMO: FEP console in SCCM

48 DEMO FEP

49

50 What is FIM?
FIM = ILM
− Integrated user management
− Self-service portals for managing:
  − Credentials, groups and policy
Main differences:
− IT can manage heterogeneous identities without writing custom code
− Users manage the attributes of their identities with familiar tools (Office, SharePoint, Windows)
− Developers can extend the platform (open platform)

51 FIM features
Credential Management:
− Heterogeneous certificate management with 3rd-party CAs
− Management of multiple credential types, including one-time passwords
− Self-service password reset integrated with Windows logon
Group Management:
− Rich Office-based self-service group management tools
− Offline approvals through Office
− Automated group and distribution list updates
User Management:
− Integrated provisioning of identities, credentials, and resources
− Automated, codeless user provisioning and de-provisioning
− Self-service profile management
Policy Management:
− SharePoint-based console for policy authoring, enforcement & auditing
− Extensible WS-* APIs and Windows Workflow Foundation workflows
− Heterogeneous identity synchronization and consistency

52 End user scenario
Credential Management
− Example scenario: self-service smart card provisioning
− FIM advantages: integration with Windows logon; no need to call the help desk; faster time to resolution
Group Management
− Example scenario: user requests to join a secure distribution list for new product development
− FIM advantages: request process through Office; no waiting for the help desk; faster time to resolution
User Management
− Example scenario: user changes their cell phone number
− FIM advantages: automatic updating of business applications; no need to call the help desk; faster time to resolution
Policy Management
− Example scenario: CFO gives final approval for a new user to access an in-scope SOX app
− FIM advantages: automatic routing of multiple approvals; approval process through Office; audit trail of approvals

53 IT admin scenario
Example scenarios:
− Credential Management: create a workflow to automatically issue passwords and smart cards to new users
− Group Management: design a policy to automatically create departmental security groups
− User Management: automatically provision new employees with identity, mailbox, and credentials
− Policy Management: author a policy to require HR approval for a job title change
FIM advantages:
− Centralized management; automatic policy enforcement across systems; management of role changes & retirements
− Generation and delivery of the initial one-time-use password; integration of smart card enrollment with provisioning
− Automatic management of group membership; secure access to departmental resources, with audit trail

54 FIM architecture
Diagram labels:
− Solutions: Group Mgmt, Credential Mgmt, Policy Mgmt, User Mgmt, Custom
− ILM Clients: Outlook, Portal, Windows, Custom
− ILM Platform: ILM Sync, ILM Service (AuthZ Workflow, AuthN Workflow, Action Workflow, Delegation & Permissions, Request Processor, App DB), Adapters, Sync DB
− Identity Stores: Directories, Databases, Systems, Applications
− Cert Mgmt: ILM-CM, ILM-CM Portal, ILM-CM DB

55 FIM management agents
− AD DS, AD LDS, AD GAL
− Delimited text files
− Any file-based data source
− Fixed-width text files
− IBM DB2
− IBM Tivoli DS
− LDIF
− Novell eDirectory
− Oracle database
− SAP R/3
− MS SQL
− Sun DS
− Netscape DS
A management agent synchronizes FIM with the connected data source.

56 FIM scenarios
The 3 most common scenarios:
− Smart card logon
− VPN (IPsec, SSL)
− Secure (S/MIME)

57 Smartcard logon

58 VPN

59 Secure (S/MIME)

60 FIM licensing
− Server license
  − For FIM 2010 servers
− Client license
  − For every user whose identity or certificate is managed by FIM
  − For every user who accesses the FIM software
  − External users (CAL or external connector)

61 FIM prices
− Server: USD
− Client: 18 USD
− External connector: USD
+ Server + SQL Server 2008

62

63 Before and now
− Network Protection: integrated and comprehensive protection from Internet-based threats
− Network Access: unified platform for all enterprise remote access needs

64 What is TMG?
− Firewall: control network policy access at the edge
− Secure Web Gateway: protect users from web browsing threats
− Secure Relay: protect users from threats
− Remote Access Gateway: enable users to remotely access corporate resources
− Intrusion Prevention: protect desktops and servers from intrusion attempts
Comprehensive, Integrated, Simplified

65 Features
− Firewall: VoIP traversal; enhanced NAT; ISP link redundancy
− Secure Web Access: HTTP antivirus/antispyware; URL filtering; HTTPS forward inspection
− Protection: Exchange Edge integration; antivirus; antispam
− Intrusion Prevention: Network Inspection System
− Remote Access: NAP integration with client VPN; SSTP integration
− Deployment and Management: array management; change tracking; enhanced reporting; W2K8, native 64-bit
− Subscription Services: malware protection; URL filtering; intrusion prevention

66 Comparing with ISA Server 2006
In both ISA Server 2006 and Forefront TMG:
− Network layer firewall
− Application layer firewall
− Internet access protection (proxy)
− Basic OWA and SharePoint publishing
− IPsec VPN (remote and site-to-site)
− Web caching, HTTP compression
− UI, management, reporting (enhanced in Forefront TMG)
New in Forefront TMG:
− Web antivirus, antimalware
− URL filtering
− Antimalware, antispam
− Network intrusion prevention
− Exchange publishing (RPC over HTTP)
− Windows Server 2008 R2, 64-bit (only)

67 TMG vs. ISA 2006
− HTTPS inspection
− URL filtering
− Antimalware web protection
− Built-in IPS
− Improved protection
− Improved NAT support
− Improved VoIP support
− 64-bit OS

68 NIS
− Signature-based
− Three types of signatures:
  − Vulnerability-based
  − Exploit-based
  − Policy-based
− Based on GAPA (Generic Application-level Protocol Analyzer)
− Known browser-based attacks
− MMPC (Microsoft Malware Protection Center) researches the vulnerabilities and writes the signatures
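To make the three signature types concrete, here is an added example (not from the presentation, and not NIS or GAPA code) that applies them to a constructed toy protocol: a 1-byte command, a 1-byte declared name length, then the name bytes, handled by a hypothetical server that copies the name into a 32-byte buffer without checking the declared length. A vulnerability-based signature matches the unchecked condition itself (declared length larger than the buffer), an exploit-based one matches one known payload's marker bytes, and a policy-based one matches a legal command the administrator has decided must not cross the edge; the constructed samples show that a rewritten variant slips past the exploit-based signature but not the vulnerability-based one.

```c
/* Added example (not from the presentation): the three NIS signature types
 * applied to a constructed toy protocol, to show why a vulnerability-based
 * signature catches variants that an exploit-based one misses.
 * Toy message: [1 byte cmd][1 byte declared name length][name bytes...].
 * The hypothetical vulnerable server copies `name` into a 32-byte buffer
 * without checking the declared length. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_BUF_SIZE 32   /* capacity of the vulnerable server's buffer */
#define CMD_LOGIN 0x01
#define CMD_DEBUG 0x7F     /* diagnostic command that policy says must not cross the edge */

enum { SIG_VULN = 1, SIG_EXPLOIT = 2, SIG_POLICY = 4 };

typedef struct { uint8_t cmd; uint8_t name_len; const uint8_t *name; size_t avail; } Msg;

/* GAPA-style step: parse protocol fields first, then match on fields, not raw bytes.
 * Returns 0 when the input is too short to be this protocol. */
static int parse_msg(const uint8_t *buf, size_t len, Msg *m) {
    if (len < 2) return 0;
    m->cmd = buf[0]; m->name_len = buf[1];
    m->name = buf + 2; m->avail = len - 2;
    return 1;
}

/* Vulnerability-based: matches the condition the flawed server fails to check. */
static int sig_vulnerability(const Msg *m) {
    return m->cmd == CMD_LOGIN && m->name_len > NAME_BUF_SIZE;
}

/* Exploit-based: matches one known exploit's payload pattern (constructed marker). */
static int sig_exploit(const Msg *m) {
    static const uint8_t known_marker[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    return m->avail >= sizeof known_marker &&
           memcmp(m->name, known_marker, sizeof known_marker) == 0;
}

/* Policy-based: legal protocol usage that the administrator forbids. */
static int sig_policy(const Msg *m) { return m->cmd == CMD_DEBUG; }

/* Inspect one message; returns a bitmask of the signatures that fired (0 = pass). */
static int nis_inspect(const uint8_t *buf, size_t len) {
    Msg m; int hits = 0;
    if (!parse_msg(buf, len, &m)) return 0;   /* not this protocol / truncated */
    if (sig_vulnerability(&m)) hits |= SIG_VULN;
    if (sig_exploit(&m))       hits |= SIG_EXPLOIT;
    if (sig_policy(&m))        hits |= SIG_POLICY;
    return hits;
}

/* Constructed sample traffic for the four cases. */
static int inspect_known_exploit(void) {     /* oversized length + known marker */
    uint8_t pkt[64] = { CMD_LOGIN, 200, 0xDE, 0xAD, 0xBE, 0xEF };
    return nis_inspect(pkt, sizeof pkt);     /* SIG_VULN | SIG_EXPLOIT */
}
static int inspect_variant(void) {           /* oversized length, rewritten payload */
    uint8_t pkt[64] = { CMD_LOGIN, 200, 0x41, 0x41, 0x41, 0x41 };
    return nis_inspect(pkt, sizeof pkt);     /* SIG_VULN only */
}
static int inspect_benign(void) {            /* in-range length */
    uint8_t pkt[] = { CMD_LOGIN, 5, 'a', 'l', 'i', 'c', 'e' };
    return nis_inspect(pkt, sizeof pkt);     /* 0 */
}
static int inspect_debug_cmd(void) {         /* allowed by the protocol, not by policy */
    uint8_t pkt[] = { CMD_DEBUG, 0 };
    return nis_inspect(pkt, sizeof pkt);     /* SIG_POLICY */
}
```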

69 NIS: the signature creation process

70 NIS supported protocols
HTTP, DNS, SMB, SMB2, NetBIOS, MSRPC, SMTP, POP3, IMAP, MIME... for now...

71 NIS planning
Capacity:
− Consumes up to 30% additional resources on a TMG server with antimalware inspection enabled
− Most of that is due to HTTP traffic

72 HTTPS inspection
− Solves the tunnelling problem
− Blocks access to sites with invalid certificates
− Exceptions are possible
− TMG generates the certificates (MitM)

73 URL filtering: purpose
− Increased security
− Increased productivity
− Reduced liability risk
− Reduced bandwidth consumption

74 URL filtering: MRS
− Microsoft Reputation Services (MRS): a cloud-based reputation centre hosted in a Microsoft datacentre
− TMG caches the MRS data locally (TTL)
− Uses filters from multiple vendors, each specialized in a particular area

75 URL filtering
− Over 80 URL categories (Child Pornography, Anonymizers, BotNets, Gambling, Malicious, Hate/Discrimination...)
− Unlike ISA Server, where the administrator had to import and build the categories
− Simple configuration (categories)
− Exceptions are possible
− Reporting: which users constantly violate company policy?
− The MRS policy can be overridden locally

76 Antimalware inspection
− Catches web-based malware
− Cuts off suspicious traffic before it enters the internal network
− Antivirus software at the network edge

77 Licensing and prices
− NIS is free
− Antimalware inspection and URL filtering
  − 120-day trial
  − Per user/device 12$ per year
− TMG Standard 1499$
− TMG Enterprise 5999$

78 UAG vs. TMG
− Forefront TMG 2010
  − Enables users to safely and productively use the Internet without worrying about malware and other threats
− Forefront UAG
  − Comprehensive, secure remote access to corporate resources
− Forefront UAG is the preferred solution for providing remote access
  − Forefront TMG 2010 still provides support for remote access features, but it is not the recommended solution

79 Licensing and prices
− Microsoft Volume Licensing (MVLS)
  − Server license: appliance or software
  − Client license
  − External connector
− User or device CAL: 15 USD
− Appliance: approx.

80 UAG appliance

81 DEMO: TMG console, new functionality

82 Problems and solutions
− Zero-day attacks, malware, phishing, spam
  − FF Endpoint Security
  − TMG
− Policies, passwords and regulatory requirements, social networks
  − TMG
  − FIM
− Passwords
  − FIM
− Lack of understanding and education
  − All tools in the FF family (the user-facing part is simple)

83 Links
− Forefront
− Virtual labs
− Video presentations

84 Questions? Thank you!

