Post on 18-Dec-2015
Forefront Security
Microsoft Government Workshop, November 2007
Ľubo Goryl, [email protected], Solution Professional, Microsoft Slovakia
Agenda
- Overview of the Forefront Server Security products
- Forefront Security for Exchange Server
- Forefront Security for SharePoint
- Forefront Management Console
- Forefront Client Security
- Conclusion and questions
Research across organisations
Access requirements:
- 23 million branch offices worldwide (IDC, 2006)
- 3.6 billion mobile users by 2010 (Infonetics, 2007)
- 85% of organisations will have WLANs by 2010 (Infonetics, 2006)
Threats:
- 8x more phishing sites over the past year (AWG, 2006)
- Spyware up 277% over the past year (Microsoft Security Intelligence Report)
- More attacks carried out for profit (multiple sources)
Security and IT management technologies
- Active Directory
- Active Directory Federation Services
- CardSpace
- Interoperability
- Developer Tools & Guidance
- Systems Management
- Identity Management
- Windows Client and Server Operating Systems
Forefront = integration, comprehensive coverage, management
Windows Networking Solutions: Client and Server OS, Server Applications, Network Edge
Forefront Server Security
Server Security product roadmap (table; columns: Current / Latest / Next generation; versions listed: SP1, SP1, 9.0 SP1)
- Includes downgrade rights to Antigen 9.0 for securing Exchange 2003/2000
- Includes downgrade rights to Antigen for SharePoint
Comprehensive protection
Anti-virus: solution options (diagram 1: single vendor, single engine)
- Problem: single point of failure
- Servers shown: SharePoint, ISA Server, SMTP Server, Exchange; threats arriving from the Internet: viruses, worms, spam
- The same engine (A) is deployed on every server
Anti-virus: solution options (diagram 2: multi-vendor, multi-engine)
- Problem: management and cost
- Servers shown: SharePoint, ISA Server, SMTP Server, Exchange; threats arriving from the Internet: viruses, worms, spam
- Different engines (A, B, C, D, E) from different vendors are spread across the servers, each managed separately
The power of multiple engines
Forefront Server Security products are integrated with, and shipped with, industry-leading antivirus scan engines from several vendors (vendor logos not preserved in the transcript).
Every scan job in a Forefront Server Security product can run with up to 5 engines simultaneously.
(diagram: Internal Messaging and Collaboration Servers protected by engines A, B, C, D, E)
Advantages of multiple engines
- Faster response to new threats
- Protection against a failed engine
- Different antivirus engines and heuristics
Response time in hours: Microsoft multi-engine solution vs. other single-engine solutions (AVTest.org, 2007)

Sample                      Forefront Set 1  Forefront Set 2  Forefront Set 3  Vendor A*  Vendor B*  Vendor C*
1006_areses_itw30.ex_       0.00**           0.00             0.00             0.00       0.00       0.00
1006_areses_itw36.ex_       0.00             0.00             0.00             1598.78    0.00       0.00
1006_areses_itw37.ex_       0.00             0.00             0.00             0.00       52.30      175.45
1006_areses_itw41.ex_       0.00             0.00             0.00             0.00       13.15      194.35
1006_mytob_itw590.ex_       0.00             0.00             0.00             1332.17    0.00       0.00
1006_rontokbro_itw36.ex_    0.00             0.00             0.00             0.00       0.00       613.40
1006_sdbot_itw1809.ex_      0.00             0.00             0.00             9.97       166.07     270.39
1006_sdbot_itw1831.ex_      65.95            52.23            41.78            59.43      1.00       46.38
1006_sdbot_itw1847.ex_      56.54            56.54            204.79           416.27     29.92      85.32
1006_stration_itw101.ex_    0.00             0.00             0.00             93.88      23.46      96.85
1006_stration_itw102.ex_    0.00             0.00             0.00             26.00      28.05      30.83
1006_stration_itw42.ex_     0.92             0.92             0.92             3.72       3.12       7.05
1006_stration_itw43.ex_     2.00             2.00             2.00             4.80       4.20       8.13
1006_stration_itw44.ex_     0.00             0.00             0.00             5.60       2.00       7.58
1006_stration_itw45.ex_     0.00             0.00             0.00             3.55       2.00       7.58
1006_stration_itw46.ex_     0.00             0.00             0.00             2.75       2.20       6.78
1006_stration_itw47.ex_     0.00             0.00             0.00             3.72       3.12       7.05
1006_stration_itw60.ex_     0.00             0.00             0.00             0.00       4.64       6.32
1106_rbot_itw2090.ex_       0.00             0.00             0.00             1739.10    0.00       298.64
1106_sdbot_itw1814.ex_      0.00             0.00             0.00             1.00       0.00       0.00
1106_sdbot_itw1866.ex_      0.00             0.00             0.00             26.80      1.00       35.27
1106_sdbot_itw1867.ex_      0.00             0.00             0.00             14.00      12.84      23.14
1106_sdbot_itw1876.ex_      0.00             0.00             0.00             468.60     306.82     430.80
1106_stration_itw124.ex_    0.00             0.00             0.38             0.66       1.88       8.80
1206_bagle_itw137.ex_       0.00             0.00             0.00             4.01       0.00       13.83
1206_bagle_itw141.ex_       0.00             0.00             0.00             17.15      0.00       13.83
1206_puce_itw1.ex_          0.00             0.00             0.00             0.00       0.00       1.00
1206_rbot_itw2038.ex_       0.00             0.00             0.00             1026.27    0.00       0.00
1206_sdbot_itw1889.ex_      0.00             0.00             0.00             128.28     255.20     63.96

Colour legend (colours not preserved in the transcript): less than 5 hours / 5 to 24 hours / more than 24 hours
* Includes beta signatures
** 0.00 denotes proactive detection
Performance optimisation
Managing performance optimisation
- The engines used are not always the same ones.
- They are dynamically allocated from those available (engines A, B, C, D in the diagram).
Emphasis on:
- Max security: uses all engines (100%)
- Higher security: uses all available engines*
- Neutral: uses approx. 50% of the available engines*
- Higher performance: uses 25% of the available engines*
- Max performance: uses one engine for each scan*
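The dynamic allocation described above, modelled as an added example (my own code, not Forefront's; the bias names, the ceil-based engine counts and the round-robin rotation are assumptions):

```python
import math

# Fraction of the available engines used per scan job, one entry per slide setting.
# None means exactly one engine per scan. Fractions and rounding are assumptions.
BIAS_FRACTION = {
    "max_security": 1.0,        # all configured engines, even if some are unavailable
    "favor_security": 1.0,      # all engines currently available
    "neutral": 0.5,             # about 50% of the available engines
    "favor_performance": 0.25,  # 25% of the available engines
    "max_performance": None,    # one engine per scan
}

class EngineScheduler:
    """Picks the engines for each scan job, rotating so the set changes between jobs."""

    def __init__(self, engines):
        self.engines = list(engines)   # configured engines, e.g. ["A", "B", "C", "D", "E"]
        self._offset = 0               # rotation cursor, advanced after every pick

    def pick(self, bias, available=None):
        """Return the engines for the next scan job.

        `available` is the set of engines currently usable (None means all of them).
        A failed engine is left out of the pool, so scanning continues without it.
        """
        if bias == "max_security":
            pool = list(self.engines)          # 100%: every configured engine
        else:
            pool = [e for e in self.engines if available is None or e in available]
        if not pool:
            raise RuntimeError("no scan engine available")
        frac = BIAS_FRACTION[bias]
        count = 1 if frac is None else max(1, math.ceil(len(pool) * frac))
        start = self._offset % len(pool)
        chosen = [pool[(start + i) % len(pool)] for i in range(count)]
        self._offset += count              # the next job starts where this one stopped
        return chosen
```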
Simpler management
(diagram: one Forefront Server Security Management Console managing the SharePoint Servers and Exchange Servers)
Forefront Server Security Management Console features
- Central management console: deploys and configures Forefront/Antigen Security for Exchange and SharePoint
- Automates signature updates across the organisation: scans for and downloads updates for multiple engines, and distributes the updates to all Forefront/Antigen servers
Forefront Server Security Management Console features:
- Comprehensive reports: detected viruses, keyword filters or file filters; actions taken by Forefront/Antigen on detection of a virus or content violation; message traffic activity; antivirus engine versions
- Logged alerts: SNMP and SMTP alerts are sent when administrator-defined thresholds for viruses, file filters and content filters are exceeded; alerts can be forwarded to Microsoft Operations Manager
Automated signature updating
(diagram: Engine Partner Updates, Internet, www.microsoft.com, Internet, Forefront Engine Adaptor)
Notifications & Reporting
Microsoft Operations Manager: Forefront Management Pack for MOM 2005 / SCCM 2007
- Over 100 events, performance counters and services monitored
  - Monitors the state of Forefront
  - Collects statistical data on scanning, detection and removal of messages and attachments
  - Polls Forefront services; provides timed events to poll systems for critical process health
- Key tasks
  - Triggers scan engine updates
  - Centralizes storage and deployment of license files
  - Imports, exports and deploys setting changes
  - Initiates and/or schedules manual scan jobs
  - Starts/stops Forefront services
Forefront Security for Exchange Server
What's new?
- Support for three Exchange roles in a single product
- 64-bit support (32-bit support only for evaluation)
- Localization into 11 languages
- Support for new Exchange AV features: AV transport stamp; targeted background scanning for optimized performance
- Access to all scan engines included with the license
- Premium anti-spam services for Exchange 2007
- Cluster server improvements, including new Exchange 2007 CCR cluster support
Exchange 2007 Enterprise Topology
(diagram: server roles Edge Transport, Hub Transport, Mailbox, Client Access, Unified Messaging; functions Mailbox, Public Folders, Routing, Hygiene, Routing Policy, Voice Messaging, Fax, PBX or VoIP; enterprise network and other SMTP servers; applications: OWA; protocols: ActiveSync, POP, IMAP, RPC / HTTP …; programmability: Web services, Web parts)
Transport Scanning: Incoming Mail
(diagram: Internet, Edge Server, Hub Role, Mailbox Role, Public Folder, Client; SCAN and STAMP at the Edge Server, NO SCAN at the Hub and Mailbox roles)
- Mail is scanned only once, at the Edge
- Saves processing load on the Hub and Mailbox servers
Transport Scanning: Internal Mail
(diagram: Edge Server, Hub Role, Mailbox Role, Public Folder, Client; SCAN and STAMP at the Hub Role, NO SCAN at the Edge and Mailbox roles)
- Internal mail is routed through the Hub role
- Proactive scanning at the Mailbox server (store) is turned off by default
- Saves processing load on the Mailbox servers
File Filtering: setting up file filters
- Forefront blocks by extension and by true file type; the filter can't be fooled by a simple change of extension. Each is configured differently:
  - Use *.exe and "All Types" of files to block anything named *.exe
  - Use *.* and EXEFILE to block any executable file no matter what it is named
- Search for specific files by name, e.g. "resume.doc"; wildcards are supported, e.g. "*resume*.doc"; each * represents 250 characters
- File filters can be Inbound or Outbound: <in>*.exe, <out>*.doc
- Files can be blocked based on size, and on size/name/type/direction combinations: <in>*.mp3>2mb, <out>*.mp3>5mb, <in>*.*>10mb
File Filtering Actions
Every filter or filter list can have a separate action applied, offering great flexibility:
- Skip: Detect only – logs the event but does not block or alter the message. Not a secure setting! Useful for monitoring and discovery purposes; allows pre-testing of new rules without end-user impact
- Delete: Remove contents – removes the attachment only and replaces it with the customized deletion text
- Purge: Eliminate message – deletes both the attachment and the message body; the end user receives nothing
(diagram: filter rule "Delete *.exe"; the removed attachment is placed in Quarantine)
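An added example (my own code, not Forefront's) that parses the filter syntax above and applies a filter list to constructed attachments, matching on direction, name pattern, size and, for EXEFILE, on file content; the PE "MZ" header as the true-type test and the reading of * as "up to 250 characters" are assumptions:

```python
import re
# Constructed sample attachments: (name, direction, size in bytes, leading bytes).
# A PE executable starts with b"MZ", so the renamed .txt is still a true executable.
SAMPLE_ATTACHMENTS = [
    ("invoice.exe", "in", 120_000, b"MZ\x90\x00"),
    ("photo.txt", "in", 90_000, b"MZ\x90\x00"),   # executable renamed to .txt
    ("song.mp3", "in", 3 * 1024 * 1024, b"ID3\x03"),
    ("song.mp3", "out", 3 * 1024 * 1024, b"ID3\x03"),
]

RULE_RE = re.compile(r"^(?:<(in|out)>)?([^<>]+?)(?:>(\d+)(kb|mb))?$", re.IGNORECASE)

def parse_rule(text):
    """Parse '<in>*.mp3>2mb' style rules into (direction or None, pattern, min size or None)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised filter rule: %r" % text)
    direction, pattern, num, unit = m.groups()
    size = int(num) * (1024 if unit.lower() == "kb" else 1024 * 1024) if num else None
    return (direction.lower() if direction else None, pattern.lower(), size)

def pattern_to_regex(pattern):
    # Each * stands for up to 250 characters, as the slide states; all else is literal.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".{0,250}".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def rule_matches(rule, file_type, name, direction, size, head):
    """file_type is 'All Types' or 'EXEFILE' (the slide's two cases); EXEFILE is checked by content."""
    rule_dir, pattern, min_size = rule
    if rule_dir is not None and rule_dir != direction:
        return False
    if not pattern_to_regex(pattern).match(name):
        return False
    if min_size is not None and size <= min_size:
        return False
    return file_type != "EXEFILE" or head[:2] == b"MZ"

def blocked_by(filters, attachments=SAMPLE_ATTACHMENTS):
    """Map attachment index -> (rule text, action) of the first filter that blocks it."""
    parsed = [(text, ftype, action, parse_rule(text)) for text, ftype, action in filters]
    hits = {}
    for i, (name, direction, size, head) in enumerate(attachments):
        for text, ftype, action, rule in parsed:
            if rule_matches(rule, ftype, name, direction, size, head):
                hits[i] = (text, action)   # Skip would only log; Delete/Purge block
                break
    return hits

FILTERS = [                                   # (rule, file type, action)
    ("*.exe", "All Types", "Delete"),         # anything named *.exe
    ("*.*", "EXEFILE", "Purge"),              # any true executable, whatever its name
    ("<in>*.mp3>2mb", "All Types", "Delete"),
    ("<out>*.mp3>5mb", "All Types", "Delete"),
]
```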
File Filtering – Zip file behavior
Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP.
(diagram: container file before scan contains EXE, DOC, JPG, BMP; container file after scan contains DOC, JPG, BMP, TXT, where the TXT is the custom deletion text; the EXE goes to Quarantine)
Forefront Security for SharePoint
What's new?
- Both 32-bit and 64-bit support
- Localization (11 languages)
- Support for SharePoint Information Rights Management documents
- Keyword filtering on Office XML Open Format and Excel formats
- Access to all scan engines included with the license
Forefront Security for SharePoint
(diagram: Users exchanging documents with the SharePoint Server, which stores them in the SQL document library)
- Virus protection for document libraries: real-time scanning of documents uploaded to and downloaded from the document library; manual and scheduled scanning of the document library
- Content policy enforcement: file filtering to block documents from being posted, based on name match, file type or file extension; content filtering by keywords within documents for inappropriate words and phrases
Forefront Server Security Management Console
What's new in the Forefront Server Security Management Console?
- Exchange 2007 CCR cluster support
- SQL 2005 support*
- Auto-discovery of Exchange servers*
- Exchange server filter*
- Redundancy*
- Localization in 11 languages**
* Beta 2 (mid-2007)
** RTM (2H 2007)
Reporting
(screenshot: Forefront Server Security Management Console, Security Summary)
Industry Analyst Perspective
Gartner Magic Quadrant for E-Mail Security Boundary, 2006*
* Magic Quadrant for E-Mail Security Boundary, 2006. Peter Firstbrook, Arabella Hallawell. Publication date: 25 September 2006. ID number: G00142431
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.