Edge Security with Forefront Sandeep Modhvadia Security Specialist
Agenda
ISA Server 2006: What's New; What's Improved; SSO Publishing Demo; Hardware Sizing
Whale Intelligent Application Gateway: What is it? How does it work? Custom Publishing Demo
Q&A
ISA Server 2006 – Improved
Exchange Publishing: Support for Exchange 2007; Certificate Management
Forms Based Authentication: Custom Forms; Multi-Language Support
Authentication Enhancements: Certificates, OTP, RADIUS, LDAP
ISA Server 2006 – New Features
Single Sign On: cookie-based authentication
SharePoint publishing: specialised wizard-driven publishing
Cross Array Link Translation
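Link translation (the ISA feature listed above, and what the HAT engine does to responses in the Whale data flow later in the deck) rewrites the internal host names a published application embeds in its links and redirects so that an external client only ever sees the published external name. The following Python is an added illustration written for this page, not ISA Server or IAG code; the internal-to-external mapping, host names and response samples are constructed.

```python
"""Toy link-translation rewriter (added example; not ISA Server or IAG code).

The gateway admin maintains a map of internal names the application emits
-> the published external URL. Rewriting is applied to redirect headers and
to text bodies only; binary payloads are passed through untouched.
"""
import re
from typing import Dict, Tuple

# Constructed sample mapping (hypothetical names).
LINK_MAP: Dict[str, str] = {
    "http://sharepoint.corp.local": "https://portal.example.com/sp",
    "http://owa.corp.local": "https://portal.example.com/owa",
}

# Only these content types are rewritten; anything else is treated as opaque.
TEXT_TYPES = ("text/html", "text/css", "application/javascript", "application/json")


def _is_text(content_type: str) -> bool:
    return any(content_type.lower().startswith(t) for t in TEXT_TYPES)


def translate_links(headers: Dict[str, str], body: bytes,
                    link_map: Dict[str, str] = LINK_MAP) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body) with internal URLs replaced by their published form."""
    out_headers = dict(headers)

    # A redirect leaks the internal name even when the body is empty, so the
    # Location header is rewritten regardless of content type.
    if "Location" in out_headers:
        for internal, external in link_map.items():
            if out_headers["Location"].startswith(internal):
                out_headers["Location"] = external + out_headers["Location"][len(internal):]
                break

    if not _is_text(out_headers.get("Content-Type", "")):
        return out_headers, body  # never rewrite images, downloads, etc.

    text = body.decode("utf-8", errors="replace")
    # Longest key first so a shorter internal name never clobbers a longer one
    # that shares its prefix. A production rewriter tokenises URLs rather than
    # doing plain substring replacement; this is the simplified form.
    for internal in sorted(link_map, key=len, reverse=True):
        text = re.sub(re.escape(internal), link_map[internal], text, flags=re.IGNORECASE)

    new_body = text.encode("utf-8")
    out_headers["Content-Length"] = str(len(new_body))  # body length changed
    return out_headers, new_body
```

The Content-Length update is the detail that bites in practice: a rewriter that changes the body but forwards the original length truncates or hangs the client, which is why real gateways either fix the header or switch to chunked encoding.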
Custom FBA and Single Sign On Demo
What Is Whale
SSL VPN Gateway
Client: High-Availability, Management, Logging, Reporting, Multiple Portals; Authentication; Authorization; User Experience; Tunneling; Security
Specific Applications: Web Client/Server; Java/Browser Embedded; Exchange/Outlook OWA; SharePoint/Portals; Citrix; Generic Applications
Application Aware Modules
Applications Knowledge Centre: OWA, Citrix, SharePoint
Devices Knowledge Centre: PDA, Linux, Windows, Mac
Policy & Regulation Awareness Centre: ISO7799, Corporate Governance, SarbOx, Basel2
WHO? WHAT? WHERE? COMPLIANT?
Integrated Solution Benefits
Data Flow
Diagram components (shown on every step): External World; Air Gap Switch; External e-Gap (Virtual Web Server, SSL Engine, Browser-Side Security Manager); Internal e-Gap (SBC, App-Level Inspection, Authentication, HAT Engine); Intranet (Applications, Real Web Server, File Shares (SMB), Authentication).
1. User types URL into browser.
2. Transaction is sent over the internet to the external server.
3. External e-Gap receives the packet.
4. All protocol layers and TCP/IP headers are stripped off.
5. Still-encrypted data is transferred to the memory bank via SCSI connection.
6. Switch disconnects from the external server and connects to the internal server.
7. Data is fetched from appliance memory.
8. Data is decrypted, the SSL session is established and a platform-dependent Endpoint Compliance Module is sent back to the browser to interrogate the machine.
9. If the Endpoint Compliance Module doesn't find the machine 'up to scratch', stricter security policies are enforced.
10. An encrypted login page is generated and sent back.
11. Customized login page appears in the browser's window.
12. User completes authorization credentials and submits the response (Username: John Smith, Password: ***********, SecurID: **********).
13. Air Gap Switch shuttles the data across the air gap.
14. Internal e-Gap server checks user credentials with the appropriate authentication server; user is authenticated (Authentication OK). Authentication credentials are combined with Endpoint Compliance results to determine the Access Policy.
15. User receives a dynamically generated "Home Page" (based on identity and location) and selects the desired application.
16. Air Gap Switch shuttles the data across the air gap.
17. Application data is inspected and compared to the Mandatory Access Control List.
18. HAT Engine determines which back-end server to relay the request to.
19. Data is dispatched to the appropriate server (Transaction).
20. Application generates a response.
21. Response is converted by the HAT engine for external use. The response may also be rewritten and/or blocked depending on Policy.
22. User works with the application as if inside the corporate network environment.
23. After the user completes the session, the Attachment Wiper cleans up to ensure nothing sensitive remains on the access machine.
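The data flow above turns on two decisions: the access policy is derived from who the user is, what the endpoint compliance module reported and where the user is coming from, and every subsequent request is checked against a positive-logic rule list (the "Mandatory Access Control List"), so anything not explicitly permitted is blocked. The Python below is an added model of that logic written for this page, not IAG's policy engine; the group names, compliance checks, applications and rules are all constructed.

```python
"""Illustrative access-policy evaluation (added example; not IAG code).

Identity + endpoint compliance + location -> AccessPolicy, then a
positive-logic rule list that every request must match to be relayed.
All names, groups and rules are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Endpoint:          # what the compliance module reported about the client
    antivirus_current: bool
    firewall_on: bool
    domain_joined: bool


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]
    location: str        # "internal" or "external"
    endpoint: Endpoint


@dataclass
class AccessPolicy:
    apps: List[str] = field(default_factory=list)
    allow_download: bool = False   # False: attachments open in-browser only
    wipe_on_logout: bool = True    # run the attachment wiper at session end


def compliance_level(ep: Endpoint) -> str:
    """Collapse the endpoint report into managed / compliant / noncompliant."""
    if ep.domain_joined and ep.antivirus_current and ep.firewall_on:
        return "managed"
    if ep.antivirus_current and ep.firewall_on:
        return "compliant"
    return "noncompliant"


def build_policy(s: Session) -> AccessPolicy:
    """Combine identity, endpoint state and location into one policy."""
    level = compliance_level(s.endpoint)
    policy = AccessPolicy()
    if level == "noncompliant":
        # Stricter policy for a machine that is not "up to scratch":
        # webmail only, no downloads, always wipe.
        if "employees" in s.groups:
            policy.apps = ["owa"]
        return policy
    if "employees" in s.groups:
        policy.apps += ["owa", "sharepoint"]
    if "citrix-users" in s.groups and level == "managed":
        policy.apps.append("citrix")
    policy.allow_download = level == "managed"
    # A managed device on the internal network keeps its files; everyone else is wiped.
    policy.wipe_on_logout = not (level == "managed" and s.location == "internal")
    return policy


# Constructed positive-logic rules: (app, method, path regex). Rules match the
# path component only; no match means the request is blocked.
MAC_RULES: List[Tuple[str, str, str]] = [
    ("owa", "GET", r"^/owa/(?:[\w\-.]+/)*[\w\-.]*$"),
    ("owa", "POST", r"^/owa/ev\.owa$"),
    ("sharepoint", "GET", r"^/sites/[\w\-]+/(?:[\w\-.%]+/)*[\w\-.%]*$"),
]


def request_allowed(policy: AccessPolicy, app: str, method: str, path: str) -> bool:
    """True only if the app is in the user's policy AND a rule explicitly permits the request."""
    if app not in policy.apps:
        return False
    if ".." in path or "\x00" in path:  # traversal / null bytes never match a positive rule
        return False
    return any(app == a and method == m and re.match(rx, path)
               for a, m, rx in MAC_RULES)
```

The point of the positive-logic list is that the gateway does not need a signature for every bad request: an unexpected method, an unlisted path or a malformed segment fails to match and is dropped before it reaches the back-end server.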
Custom Application Publishing with Whale Demo
Gateway Roadmap
Whale Intelligent Application Gateway* (incl. ISA Server 2004): Express Edition; Enterprise Edition; Application Optimizers; Network Connectivity Modules
Integrated appliances with ISA Server: Whale IAG Standard Edition; Enterprise Edition
Unified Access Gateway ("Longhorn" Server wave)
Roadmap items: OEM appliances; Software availability; Updated software for ISA and IAG; OEM-ready; Continued 3rd-party application support; Single-server config; NAP, IPv6, 64-bit support; Consistent policy framework; Broader authentication tools (ADFS, smartcard); Enhanced network connectivity; Improved enterprise application support
For More Information
Your potential. Our drive. Thank you for attending this TechNet Event. Find these slides at: