Upload
rolf-golden
View
229
Download
0
Tags:
Embed Size (px)
Citation preview
Forefront Server Security
Agenda
Introduction to Forefront Server Security products- Comprehensive Protection Features- Optimized Performance Features- Simplified Management Features
Forefront Security for Exchange Server- Exchange 2007 Role Support- Premium Anti-spam Services- File filtering
Forefront Security for SharePoint- SharePoint API- Content filtering
Summary
Server Security Product RoadmapPastPast
ClientClient
ServerServer
EdgeEdge
Next Generation Client SecurityNext Generation Client Security
Next Generation Server SecurityNext Generation Server Security
Next Generation Edge Security & AccessNext Generation Edge Security & Access
Inte
gra
ted
Pro
tectio
n &
In
teg
rate
d P
rote
ction
&
Man
ag
em
en
tM
an
ag
em
en
tC
od
en
am
ed
‘Stirlin
g’
Cod
en
am
ed
‘Stirlin
g’
(Beta 2)
PresentPresent FutureFuture
Comprehensive Protection
Problem Single Point of Failure
SharePointSharePoint
ISA ISA ServerServer
SMTP SMTP ServerServer
Internet
Viruses
Anti-virus Approaches
ExchangExchangee
ExchangExchangee
Single Vendor
Single Engine
Worms
Spam
A A
A A A
A
A A
Problem Management/Cost
SharePointSharePoint
ISA ISA ServerServer
SMTP SMTP ServerServer
Internet
Viruses
Anti-virus Approaches
ExchangExchangee
ExchangExchangee
Multi-vendorMulti-engine
Worms
Spam
A B
C
A
ED
B C
Harnessing the Strength of Multiple Engines
Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from
Each scan job in a Forefront Server Security product can run up to five engines simultaneously
Internal Messaging and Collaboration Servers
A B C ED
The Multiple Engine Advantage
Rapid response to new threatsFail-safe protection through redundancyDiversity of antivirus engines and heuristics
Response time1 (in hours)The Microsoft
multiple-engine solutionWildList Number
MalwareName
Forefront Set 1
Forefront Set 2
Forefront Set 3
Vendor A* Vendor B* Vendor C*
10/2006 Areses!Itw30 0.00** 0.00 0.00 0.00 0.00 0.0010/2006 Areses!Itw36 0.00 0.00 0.00 1598.78 0.00 0.0010/2006 Areses!Itw37 0.00 0.00 0.00 0.00 52.30 175.4510/2006 Areses!Itw41 0.00 0.00 0.00 0.00 13.15 194.3510/2006 Mytob!Itw590 0.00 0.00 0.00 1332.17 0.00 0.0010/2006 Rontokbro!Itw36 0.00 0.00 0.00 0.00 0.00 613.4010/2006 Sdbot!Itw1809 0.00 0.00 0.00 9.97 166.07 270.3910/2006 Sdbot!Itw1831 65.95 52.23 41.78 59.43 1.00 46.3810/2006 Sdbot!Itw1847 56.54 56.54 204.79 416.27 29.92 85.3210/2006 Stration!Itw101 0.00 0.00 0.00 93.88 23.46 96.8510/2006 Stration!Itw102 0.00 0.00 0.00 26.00 28.05 30.8310/2006 Stration!Itw42 0.92 0.92 0.92 3.72 3.12 7.0510/2006 Stration!Itw43 2.00 2.00 2.00 4.80 4.20 8.1310/2006 Stration!Itw44 0.00 0.00 0.00 5.60 2.00 7.5810/2006 Stration!Itw45 0.00 0.00 0.00 3.55 2.00 7.5810/2006 Stration!Itw46 0.00 0.00 0.00 2.75 2.20 6.7810/2006 Stration!Itw47 0.00 0.00 0.00 3.72 3.12 7.0510/2006 Stration!Itw60 0.00 0.00 0.00 0.00 4.64 6.3211/2006 Rbot!Itw2090 0.00 0.00 0.00 1739.10 0.00 298.6411/2006 Sdbot!Itw1814 0.00 0.00 0.00 1.00 0.00 0.0011/2006 Sdbot!Itw1866 0.00 0.00 0.00 26.80 1.00 35.2711/2006 Sdbot!Itw1867 0.00 0.00 0.00 14.00 12.84 23.1411/2006 Sdbot!Itw1876 0.00 0.00 0.00 468.60 306.82 430.8011/2006 Stration!Itw124 0.00 0.00 0.38 0.66 1.88 8.8012/2006 Bagle!Itw137 0.00 0.00 0.00 4.01 0.00 13.8312/2006 Bagle!Itw141 0.00 0.00 0.00 17.15 0.00 13.8312/2006 Puce!Itw1 0.00 0.00 0.00 0.00 0.00 1.0012/2006 Rbot!Itw2038 0.00 0.00 0.00 1026.27 0.00 0.0012/2006 Sdbot!Itw1889 0.00 0.00 0.00 128.28 255.20 63.96
* Includes beta signatures** 0.00 denotes proactive detection
1 Source: AV-Test.org 2007 (www.av-test.org)
Other single-engine solutions
= Less than 5 hours
= 5 to 24 hours = More than 24 hours
Optimized Performance
Optimized Performance Controls
Bias
Engines used are not always the same. They are dynamically allocated from the available pool.
A
B
C
D
Max Certainty: uses all engines (100%) Favor Certainty: uses all available engines* Neutral: uses approximately 50% of available engines*Favor Performance: uses 25% of available engines*Max Performance: uses one engine for every scan*
Optimized Performance Controls
Bias
Engines used are not always the same. They are dynamically allocated from the available pool.
A
B
Max Certainty: uses all engines (100%) Favor Certainty: uses all available engines* Neutral: uses approximately 50% of available engines*Favor Performance: uses 25% of available engines*Max Performance: uses one engine for every scan*
Simplified Management
SharePoint Servers
Exchange Servers
Forefront Server Security Management Console Features
Central management console - Deploys and configures
Forefront/Antigen Security for Exchange and SharePoint environments
Automates signature updates across the enterprise- Scans for and pulls updates
for multiple antivirus engines
- Distributes updates to all Forefront/Antigen servers
Forefront Server Security Management Console Features
Comprehensive reporting- Detected viruses, keyword filters or file filters- Actions taken by Forefront/Antigen on
detection of a virus or content violation- Message traffic activity- Antivirus engine versions
Outbreak alerts- SNMP and SMTP alerts sent when administrator-
defined thresholds for viruses, file and content filters are exceeded
- Alerts can be forwarded to Microsoft Operations Manager
Automated Signature Updating
Internet
Engine Partner Updates
www.microsoft.com
Internet
ForefrontEngineAdaptor
Notifications & Reporting
Microsoft Operations Manager Forefront Management Pack for MOM 2005
Over 100 Events, Performance Counters, and Services Monitored- Monitors the state of Forefront.- Collects statistical data on scanning, detection,
and removal of messages and attachments- Polls Forefront Services - Provides timed events
to poll systems for critical process health Key Tasks
- Triggers scan engine updates- Centralizes storage and deployment of license
files- Imports, exports and deploys setting changes- Initiates and/or schedules manual scan jobs- Starts/Stops control of Forefront services
Forefront Security for Exchange Server
Microsoft® Forefront™ Security for Exchange Server includes multiple scan engines from industry-leading security firms, integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.
Secure Messaging
Comprehensive
Protection
Optimized Performance
Simplified Management
Ships with & manages multiple antivirus engines
Multi-layered protection in Exchange 2007
File Filtering and premium anti-spam protection
Deep integration with Exchange Server Scanning innovations & performance
controls Maintains uptime and optimizes
performance Easily manage configuration and operation
Automated signature updates Reporting, Notifications and Alerts
What’s New in This Release?
Forefront Security for Exchange Server- Support for three Exchange roles in single product- 64-bit support (32-bit support only for evaluation)- Localization into 11 languages- Support for new Exchange AV features
AV transport stamp Targeted background scanning for optimized performance
- Access to all scan engines included with license- Premium anti-spam services for Exchange 2007- Cluster Server improvements including new
Exchange 2007 CCR cluster support
Mailbox
ClientAccess
Unified Messaging
EdgeTransport
HubTransport
Enterprise networkOtherSMTP
Servers
Mailbox
Routing
Hygiene Routing Policy
Voice Messaging
PBX or VoIP
PublicFolders
Fax
Applications:- OWA
Protocols:- ActiveSync, POP,
IMAP, RPC / HTTP …
Programmability:- Web services, - Web parts
Exchange 2007 Enterprise Topology
INTERNET
Email Transport Scanning
New intelligent scanning does not scan email that has already been scanned- By default, email scanned at Edge Transport
or Hub Transport does not get scanned again when routed or deposited into mailboxes
Minimizes AV scanning overhead to maximize mail system performance- Significantly reduces scanning impact at the
store- Can be turned off to allow scanning at all
points
INTERNET
Edge Server Hub Role Mailbox Role
Mailbox Role
Public Folder
Client
SCAN and STAMP
NO SCAN NO SCAN
• Mail scanned only once at the Edge
• Saves processing load on Hub and Mailbox servers
Transport Scanning – Inbound Mail
Edge Server Hub Role Mailbox Role
Mailbox Role
Public Folder
Client
SCAN and STAMP
NO SCAN NO SCAN
NO SCAN
Transport Scanning – Internal Mail
Internal mail is routed through Hub role
Proactive scanning at the Mailbox server (store) is turned off by default
Saves processing load on Mailbox servers
Internet
Mail Store Scanning – Multiple Options
Standard mode- Background Scan to sweep the store once each
day, scanning only the most vulnerable files- On-access protection for unscanned mail
Outbreak mode- Re-scan on-access whenever scan engines update
Ultimate security mode- Scan on submission to store- Re-scan on access whenever scan engines update- Continuous background scan with new signatures
Incremental Background Scanning
Ability to scope background scanning allows for daily “sweep” of store with latest updates
Scan only messages delivered in the past-4, 6, 8, 12, 18 hours-1, 2, 3, 4, 5, 7, 30 days
Combines security and performance-The most dangerous messages are scanned-The bulk of the store does not get scanned
repeatedly for no reason
Premium Anti-spam Protection
Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007
Deployed on Exchange Edge or Hub server role- Edge server can be deployed in front of
Exchange 2003 mailboxes Built upon base anti-spam in Exchange 2007,
premium anti-spam protection adds:- Microsoft IP reputation filter service and automated
updates- Automated updates for Microsoft Smartscreen spam
heuristics, phishing Web sites and Intelligent Message Filter (IMF)
- Targeted spam signature data and automatic updates to identify latest spam campaigns
File Filtering
A key part of any mail protection strategy
File filtering proactively blocks a specific range of potentially dangerous file types whether or not a signature exists-Suggested files to block: EXE, COM, PIF,
SCR, VBS, SHS, CHM and BAT -Some users will block the same file types
that are blocked by Outlook 2003 See Outlook online help for list
Use *.exe and All Types of files to block anything named *.exe
Use *.* and EXEFILE to block any executable file no matter what it is named
File FilteringSetting up file filters
Forefront blocks by extension and true file type- Can’t fool filter by simple change of
extension- Each is configured differently
File FilteringSetting up file filters
Search for specific files by name, e.g. “resume.doc”- Wildcards supported, e.g. “*resume*.doc”- Each * represents 250 characters
File filters can be Inbound or Outbound- <in>*.exe, <out>*.doc
Files can be blocked based on size, and size/name/type/direction combinations- <in>*.mp3>2mb- <out>*.mp3>5mb- <in>*.*>10mb
File Filtering Actions
Every filter or filter list can have a separate
action applied, offering great flexibility- Skip:Detect only – logs the event but does
not block or alter the message Not a secure setting! Useful for monitoring and discovery purposes Allows for pre-testing of new rules without end
user impact- Delete:Remove contents – removes the
attachment only and replaces with the customized deletion text
- Purge:Eliminate message – deletes both the attachment and the message body End user receives nothing
Filter Rules: Delete *.exeQuarantine
File Filtering – Zip file behavior
Forefront scans within ZIP and other compressed formats, deletes only the offending fileand then repackages the ZIP
Container file before scan
EXE DOC
JPGBMP
DOC
JPGBMP
TXT
Container file after scanEXE
Quarantine
Custom deletion text
Forefront Security for SharePoint
Microsoft Forefront Security for SharePoint integrates multiple scan engines from industry-leading vendors and provides content controls to help businesses protect their Microsoft Office SharePoint 2007 and Windows SharePoint Services 3.0 collaboration environment by eliminating documents containing malicious code, confidential information, and inappropriate content.
Secure Collaboration
Ships with & manages multiple antivirus engines
File & Content Keyword Filtering Support for Open XML & IRM-protected docs Deep integration with SharePoint Server Scanning innovations and performance
controls Maintains uptime and optimizes performance. Easily manage configuration and operation Automated signature updates Reporting, Notifications and Alerts
Comprehensive
Protection
OptimizedPerformance
Simplified Management
What’s New in This Release?
Forefront Security for SharePoint-Both 32-bit and 64-bit support- Localization (11 languages)-Support for SharePoint Information
Rights Management Documents-Keyword filtering on Office XML
Open Format and Excel formats-Access to all scan engines
included with license
Forefront Security for SharePoint
SQL Document Library
DocumentUsers
Document
SharePoint Server
Virus Protection for Document Libraries
Integrates scan engines from eight industry leading vendorsReal-time scanning of documents uploadedand downloaded from document libraryManual and scheduled scanning of document library
Content Policy EnforcementFile filtering to block documents frombeing posted based on name match, file type or file extensionContent filtering by keywords withindocuments for inappropriate words and phrases
Protects MOSS 2007 and WSS 3.0
SharePoint API integration
Utilizes the SharePoint Virus API to scan files during upload and download- Optimized for performance in a
SQL environment Files are not rescanned if engines have
not been updated Up to ten simultaneous scanning threads
to help ensure users are not delayed waiting for documents to scan
Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly
Forefront Server Security Management Console
Centralized, web-based console Automated signature updates for multiple AV
engines Comprehensive reporting
Simplified Management
Forefront Server Security Management Console allows administrators to easily manage Forefront Security for Exchange Server, Forefront Security for SharePoint and Microsoft Antigen, providing a web-based console to centralize configuration and operation, automate the download and distribution of signature and scan engine updates, and generate comprehensive reports.
Outbreak response Rapid update distribution
Integration with SQL Server 2005 & Windows Server 2003
Redundancy maintains server availability Support for Exchange 2007 CCR clusters
Comprehensive
Protection
OptimizedPerformance
What’s New in Forefront Server Security Management Console?
Exchange 2007 CCR Cluster SupportSQL 2005 Support*Auto-discovery of Exchange Servers*Exchange Server Filter*Redundancy*Localization in 11 languages**
* Beta 2 (mid-2007)** RTM (2H 2007)
Forefront Server Security Management Console
Sybari Enterprise Manager
Antigen Enterprise Manager
Forefront Server
Security Management
Console
Sybari Antigen for Exchange/SMTP 8.0
Sybari Antigen for SharePoint 8.0
Sybari Antigen for Instant Messaging 8.0
Microsoft Antigen for Exchange/SMTP 9.0
Microsoft Forefront Security for Exchange Server
Microsoft Forefront Security for SharePoint
Support Matrix and History
Customer Testimonials
“Forefront works like a dream. We don’t have to do anything to it until we’re ready to upgrade. With a small IT staff, that’s exactly what we want.”Alexander Fischer, Chief of IT Infrastructure, Koehler Paper Group
“We looked at Forefront and it blew us away. We’re a Microsoft shop. We want to use products that will integrate well with what we have. And we’ve seen the Microsoft roadmap for the Forefront product range, so we know this is a product we can use to increasing advantage in the years to come.”
Peter Oescheger, CIO, Sasfin
“We wouldn’t put anything else for e-mail security on our Exchange Server 2007 machines. The software is well-respected. It’s been around; it’s proven. Our own experience with Microsoft Antigen is that it’s an outstanding product. Forefront Security for Exchange Server makes it even better.”
Chris Habala, Senior Architect/Analyst, Del Monte
“The integration of Forefront with Exchange is even better than the integration we saw with Antigen. It integrates proactively as part of the scanning flow. It’s not complicated to install or administer. Microsoft has taken one of the best antivirus products for Exchange and just made it better.”
Will Wilson, Director of Information Systems, Guardian Management
Summary
Microsoft Forefront Server Security products:- Provide comprehensive antivirus, antispam and
content filtering protection for Exchange Server, SharePoint Server, Windows SharePoint Services, and Live Communications Server
- Strengthen messaging and collaboration security by integrating multiple industry-leading antivirus technologies in a single solution
- Optimize performance of messaging and collaboration servers with scanning innovations and performance bias controls
- Simplify management of messaging and collaboration security
© 2007 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Appendix
* Magic Quadrant for E-Mail Security Boundary, 2006. Peter Firstbrook, Arabella Hallawell Publication Date: 25 September 2006/ID Number: G00142431
Gartner Magic Quadrant forE-Mail Security Boundary
2006 *
Industry Analyst Perspective
Magic Quadrant Disclaimer This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Microsoft. Go to: www.microsoft.com/forefront. The Magic Quadrant noted on slide 16 is copyrighted September 25, 2006, by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.