ForeFront Security Microsoft Government Workshop November 2007 Ľubo Technology Solution Professional Microsoft Slovakia
Agenda Prehľad Forefront Server Security produktov Forefront Security for Exchange Server Forefront Security for SharePoint Forefront Management Console Forefront Client Security Záver a otázky
23 million pobočiek celosvetovo (IDC, 2006) 3.6 billion mobilných užívateľov do 2010 (Infonetics, 2007) 85% of organizácií bude mať WLANs do 2010 (Infonetics, 2006) Požiadavky na prístup 8x viac “phishing” stránok za posledný rok (AWG, 2006) „Spyware software“ nárast 277% za posledný rok (Microsoft Security Intelligence Report) Viac útokov indikovaných za účelom zisku (Multiple sources) Nebezpečenstvá Výskum v organizáciách
Technológie zabezpečenia a správy IT Active Directory Federation Services Card Space
Interoperability Developer Tools & Guidance Systems Management Identity Management Windows Client and Server Operating Systems Forefront = integrácia, komplexnosť, správa Windows Networking Solutions Client And Server OS Server Applications Network Edge
Forefront Server Security
Roadmapa Server Security produktov MámeNajnovšieĎalšia generácia SP1 Includes downgrade rights to Antigen 9.0 for securing Exchange 2003/ SP1 Includes downgrade rights to Antigen for SharePoint
Komplexná ochrana
Problem Single Point of Failure SharePoint ISA Server SMTP Server Internet Viruses Anti-virus – možnosti riešenia ExchangeExchange Single Vendor Single Engine Worms Spam A AAAA A A A
Problem Management/Cost SharePoint ISA Server SMTP Server Internet Viruses Anti-virus – možnosti riešenia ExchangeExchange Multi-vendor Multi-engine Worms Spam AB C A E D B C
Sila viacerých „enginov“ Forefront Server Security sú integrované a dodávané s „industry-leading antivirus scan engines“ od : Každý „scan job“ vo Forefront Server Security product môže bežať simultánne s 5 „engine“ Internal Messaging and Collaboration Servers A B C E D
Výhody viacnásobného „enginu“ Rýchlejšia odozva na nové nebezpečenstvá Ochrana voči „padnutému enginu“ Rôzne antivírusové „enginy a heuristiky“ AVTest.org, 2007 Forefront Set 1 Forefront Set 2 Forefront Set 3 Vendor A*Vendor B*Vendor C* 1006_areses_itw30.ex_ 0.00** _areses_itw36.ex_ _areses_itw37.ex_ _areses_itw41.ex_ _mytob_itw590.ex_ _rontokbro_itw36.ex_ _sdbot_itw1809.ex_ _sdbot_itw1831.ex_ _sdbot_itw1847.ex_ _stration_itw101.ex_ _stration_itw102.ex_ _stration_itw42.ex_ _stration_itw43.ex_ _stration_itw44.ex_ _stration_itw45.ex_ _stration_itw46.ex_ _stration_itw47.ex_ _stration_itw60.ex_ _rbot_itw2090.ex_ _sdbot_itw1814.ex_ _sdbot_itw1866.ex_ _sdbot_itw1867.ex_ _sdbot_itw1876.ex_ _stration_itw124.ex_ _bagle_itw137.ex_ _bagle_itw141.ex_ _puce_itw1.ex_ _rbot_itw2038.ex_ _sdbot_itw1889.ex_ = less than 5 hours = 5 to 24 hours = more than 24 hours * Includes beta signatures **0.00 denotes proactive detection Čas odozvy ( v hodinách) Microsoft multi-engine solution Other single- engine solutions
Optimalizácia výkonu
Riadenie oprimalizácie výkonu Dôraz na Používané enginy nie sú stále tie isté. Sú dynamicky alokované z dostupných. A B CD Max bezpečnosť: používa všetky engines (100%) Vyššia bezpečnosť: používa všetky dostupné engines* Neutral: používa pribl.50% dostupných engines* Vyšší výkon: používa 25% dostupných engines* Max výkon: používa jeden engine pre každý scan*
Riadenie oprimalizácie výkonu Dôraz na : Používané enginy nie sú stále tie isté. Sú dynamicky alokované z dostupných. A B Max bezpečnosť: používa všetky engines (100%) Vyššia bezpečnosť: používa všetky dostupné engines* Neutral: používa pribl.50% dostupných engines* Vyšší výkon: používa 25% dostupných engines* Max výkon: používa jeden engine pre každý scan*
Jednoduchší Management
SharePoint Servers Exchange Servers Forefront Server Security Management Console Features Centrálna management konzola Nasadzuje a konfiguruje Forefront/Antigen Security for Exchange and SharePoint Automatizuje „signature updates“ naprieč organizáciou Scanuje a sťahuje aktualizácie pre viacnásobné enginy Distribúcia aktualizácií na všetky Forefront/Antigen servery
Forefront Server Security Management Console vlastnosti : Komplexné reporty Detected viruses, keyword filters or file filters Actions taken by Forefront/Antigen on detection of a virus or content violation Message traffic activity Antivirus engine versions Zaznamenané upozornenia SNMP and SMTP alerts sent when administrator-defined thresholds for viruses, file and content filters are exceeded Alerts can be forwarded to Microsoft Operations Manager
Automatizovaný „Signature Updating“ Internet Engine Partner Updates Internet Forefront Engine Adaptor
Notifikácie & Reporting
Microsoft Operations Manager Forefront Management Pack for MOM 2005 / SCCM 2007 Over 100 Events, Performance Counters, and Services Monitored Monitors the state of Forefront. Collects statistical data on scanning, detection, and removal of messages and attachments Polls Forefront Services - Provides timed events to poll systems for critical process health Key Tasks Triggers scan engine updates Centralizes storage and deployment of license files Imports, exports and deploys setting changes Initiates and/or schedules manual scan jobs Starts/Stops control of Forefront services
Forefront Security for Exchange Server
Čo je nové ? Forefront Security for Exchange Server Support for three Exchange roles in single product 64-bit support (32-bit support only for evaluation) Localization into 11 languages Support for new Exchange AV features AV transport stamp Targeted background scanning for optimized performance Access to all scan engines included with license Premium anti-spam services for Exchange 2007 Cluster Server improvements including new Exchange 2007 CCR cluster support
Mailbox Client Access Unified Messaging Edge Transport Hub Transport Enterprise network Other SMTP Servers Mailbox Routing Hygiene Routing Policy Voice Messaging PBX or VoIP Public Folders Fax Applications: -OWA Protocols: -ActiveSync, POP, IMAP, RPC / HTTP … Programmability: -Web services, -Web parts Exchange 2007 Enterprise Topology INTERNETINTERNET
Transport Scanning New intelligent scanning does not scan that has already been scanned By default, scanned at Edge Transport or Hub Transport does not get scanned again when routed or deposited into mailboxes Minimizes AV scanning overhead to maximize mail system performance Significantly reduces scanning impact at the store Can be turned off to allow scanning at all points
INTERNETINTERNET Edge Server Hub Rol box Role Public Folder Client SCAN and STAMP NO SCAN Mail scanned only once at the Edge Saves processing load on Hub and Mailbox servers Transport Scanning – Prichádzajúci Mail
Edge ServerHub Rol box Role Public Folder Client SCAN and STAMP NO SCAN Transport Scanning – Interný Mail Internal mail is routed through Hub role Proactive scanning at the Mailbox server (store) is turned off by default Saves processing load on Mailbox servers Internet
Mail Store Scanning – Multiple Options Standard mode Background Scan to sweep the store once each day, scanning only the most vulnerable files On-access protection for unscanned mail Outbreak mode Re-scan on-access whenever scan engines update Ultimate security mode Scan on submission to store Re-scan on access whenever scan engines update Continuous background scan with new signatures
Incremental Background Scanning Ability to scope background scanning allows for daily “sweep” of store with latest updates Scan only messages delivered in the past 4, 6, 8, 12, 18 hours 1, 2, 3, 4, 5, 7, 30 days Combines security and performance The most dangerous messages are scanned The bulk of the store does not get scanned repeatedly for no reason
Premium Anti-spam Protection Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007 Deployed on Exchange Edge or Hub server role Edge server can be deployed in front of Exchange 2003 mailboxes Built upon base anti-spam in Exchange 2007, premium anti-spam protection adds: Microsoft IP reputation filter service and automated updates Automated updates for Microsoft Smartscreen spam heuristics, phishing Web sites and Intelligent Message Filter (IMF) Targeted spam signature data and automatic updates to identify latest spam campaigns
File Filtering A key part of any mail protection strategy File filtering proactively blocks a specific range of potentially dangerous file types whether or not a signature exists Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT Some users will block the same file types that are blocked by Outlook 2003 See Outlook online help for list
Use *.exe and All Types of files to block anything named *.exe Use *.* and EXEFILE to block any executable file no matter what it is named File Filtering Setting up file filters Forefront blocks by extension and true file type Can’t fool filter by simple change of extension Each is configured differently
File Filtering Setting up file filters Search for specific files by name, e.g. “resume.doc” Wildcards supported, e.g. “*resume*.doc” Each * represents 250 characters File filters can be Inbound or Outbound *.exe, *.doc Files can be blocked based on size, and size/name/type/direction combinations *.mp3>2mb *.mp3>5mb *.*>10mb
File Filtering Actions Every filter or filter list can have a separate action applied, offering great flexibility Skip:Detect only – logs the event but does not block or alter the message Not a secure setting! Useful for monitoring and discovery purposes Allows for pre-testing of new rules without end user impact Delete:Remove contents – removes the attachment only and replaces with the customized deletion text Purge:Eliminate message – deletes both the attachment and the message body End user receives nothing
Filter Rules: Delete *.exe Quarantine File Filtering – Zip file behavior Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP Container file before scan EXEDOC JPGBMP DOC JPGBMP TXT Container file after scan EXE Quarantine Custom deletion text
Forefront Security for SharePoint
Čo je nov? Forefront Security for SharePoint Both 32-bit and 64-bit support Localization (11 languages) Support for SharePoint Information Rights Management Documents Keyword filtering on Office XML Open Format and Excel formats Access to all scan engines included with license
Forefront Security for SharePoint SQL Document Library Document Users Document SharePoint Server Virus Protection for Document Libraries -Real-time scanning of documents uploaded and downloaded from document library -Manual and scheduled scanning of document library Content Policy Enforcement -File filtering to block documents from being posted based on name match, file type or file extension -Content filtering by keywords within documents for inappropriate words and phrases
SharePoint API integration Utilizes the SharePoint Virus API to scan files during upload and download Optimized for performance in a SQL environment Files are not rescanned if engines have not been updated Up to ten simultaneous scanning threads to help ensure users are not delayed waiting for documents to scan Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly
Forefront Server Security Management Console
Čo je nové v Forefront Server Security Management Console? Exchange 2007 CCR Cluster Support SQL 2005 Support* Auto-discovery of Exchange Servers* Exchange Server Filter* Redundancy* Localization in 11 languages** * Beta 2 (mid-2007) ** RTM (2H 2007)
Forefront Server Security Management Console
November
Reportovanie
* Magic Quadrant for Security Boundary, Peter Firstbrook, Arabella Hallawell Publication Date: 25 September 2006/ID Number: G Gartner Magic Quadrant for Security Boundary 2006 * Industry Analyst Perspective
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.