Title: Managing Messaging and Collaboration System Threat Protection: A Technical Dive of Forefront Server
Slide 1: Managing Messaging and Collaboration System Threat Protection: A Technical Dive of Forefront Server Security
Ketil Pedersen, Technology Specialist Manager
Slide 2: Agenda
- Introduction to Forefront Server Security products
- Forefront Security for Exchange Server
  - Exchange 2007 Role Support
  - Premium Anti-spam Services
  - File filtering
- Forefront Security for SharePoint
  - SharePoint API
- Demo
- Closing remarks
Slide 3: Forefront and System Center
IT Security (Forefront):
- Client Security
- Application Server Security
- Network Edge Security
- Secure Remote Access
IT Management (System Center):
- Change and Configuration Management
- Backup and Recovery
- Virtual Machine Management
- Systems Monitoring
Common Management Infrastructure Platform: Simplified, Productive, Integrated
Slide 4
Microsoft Forefront Server Security includes multiple scan engines from industry-leading security firms, integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam, and to protect their Microsoft Office SharePoint 2007 and Windows SharePoint Services 3.0 collaboration environment by eliminating documents containing malicious code, confidential information, and inappropriate content.
Comprehensive Protection
- Ships with and manages multiple antivirus engines
- File Filtering and premium anti-spam protection
- File Content Keyword Filtering for SharePoint
Optimized Performance
- Deep integration with platform
- Scanning innovations and performance controls
- Maintains uptime and optimizes performance
Simplified Management
- Easily manage configuration and operation
- Automated signature updates
- Reporting, Notifications and Alerts
Slide 5: Server Security Product Roadmap
Roadmap graphic (labels only): Previous Versions (Microsoft Antigen, Messaging Security Suite); Current (2007, SP1).
Slide 6: Comprehensive Protection
Slide 7: Harnessing the Strength of Multiple Engines
- Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from
- Each scan job in a Forefront Server Security product can run up to five engines simultaneously
Slide 8: The Multiple Engine Advantage
- Rapid response to new threats
- Fail-safe protection through redundancy
- Diversity of anti-virus engines and heuristics
[1] AVTest.org, 2006
Slide 9: Optimized Performance
Slide 10: Optimized Performance Controls
Engines used are not always the same. They are dynamically allocated from the available pool.
Bias settings:
- Max Certainty: uses all engines (100%)
- Favor Certainty: uses all available engines
- Neutral: uses approximately 50% of available engines
- Favor Performance: uses 25% of available engines
- Max Performance: uses one engine for every scan
Slide 12: Simplified Management
Slide 13: Forefront Server Security Management Console Features
- Central management console
  - Deploys and configures Forefront/Antigen Security for Exchange and SharePoint environments
- Automates signature updates across the enterprise
  - Scans for and pulls updates for multiple antivirus engines
  - Distributes updates to all Forefront/Antigen servers
Slide 14: Forefront Server Security Management Console Features
- Comprehensive reporting
  - Detected viruses, keyword filters or file filters
  - Actions taken by Forefront/Antigen on detection of a virus or content violation
  - Message traffic activity
  - Antivirus engine versions
- Outbreak alerts
  - SNMP and SMTP alerts sent when administrator-defined thresholds for viruses, file and content filters are exceeded
  - Alerts can be forwarded to Microsoft Operations Manager
Slide 15: Notifications and Reporting
Slide 16: Integrated Management: Forefront Management Pack
- Over 100 Events, Performance Counters, and Services Monitored
  - Monitors the state of Forefront
  - Collects statistical data on scanning, detection, and removal of messages and attachments
  - Polls Forefront Services
  - Provides timed events to poll systems for critical process health
- Key Tasks
  - Triggers scan engine updates
  - Centralizes storage and deployment of license files
  - Imports, exports and deploys setting changes
  - Initiates and/or schedules manual scan jobs
  - Starts/Stops control of Forefront services
Slide 17: Forefront Security for Exchange Server
Slide 18: Exchange 2007 Enterprise Topology
Topology diagram (labels recovered from the figure): the Internet and other SMTP servers connect to the Edge Transport role; inside the enterprise network the Hub Transport role connects to Unified Messaging (PBX or VoIP), Mailbox (with Public Folders) and Client Access. Client Access hosts applications (OWA), protocols (ActiveSync, POP, IMAP, RPC/HTTP) and programmability (Web services, Web parts).
Slide 19: Email Transport Scanning
- New intelligent scanning does not scan email that has already been scanned
  - By default, email scanned at Edge Transport or Hub Transport does not get scanned again when routed or deposited into mailboxes
- Minimizes AV scanning overhead to maximize mail system performance
  - Significantly reduces scanning impact at the store
- Can be turned off to allow scanning at all points
Slide 20: Transport Scanning: Inbound Mail
Diagram: Internet -> Edge Server (SCAN and STAMP) -> Hub Role (NO SCAN) -> Mailbox Role and Public Folder (NO SCAN) -> Client
- Mail scanned only once at the Edge
- Saves processing load on Hub and Mailbox servers
Slide 21: Transport Scanning: Internal Mail
Diagram: Client -> Mailbox Role (NO SCAN) -> Hub Role (SCAN and STAMP) -> Mailbox Role and Public Folder (NO SCAN); the Edge Server is also shown
- Internal mail is routed through Hub role
- Proactive scanning at the Mailbox server (store) is turned off by default
  - Saves processing load on Mailbox servers
Slide 22: Mail Store Scanning: Multiple Options
- Standard mode
  - Background Scan to sweep the store once each day, scanning only the most vulnerable files
  - On-access protection for unscanned mail
- Outbreak mode
  - Re-scan on-access whenever scan engines update
- Ultimate security mode
  - Scan on submission to store
  - Re-scan on access whenever scan engines update
  - Continuous background scan with new signatures
Slide 23: Incremental Background Scanning
- Ability to scope background scanning allows for daily sweep of store with latest updates
- Scan only messages delivered in the past
  - 4, 6, 8, 12, 18 hours
  - 1, 2, 3, 4, 5, 7, 30 days
- Combines security and performance
  - The most dangerous messages are scanned
  - The bulk of the store does not get scanned repeatedly for no reason
Slide 24: Premium Anti-spam Protection
- Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007
- Deployed on Exchange Edge or Hub server role
  - Edge server can be deployed in front of Exchange 2003 mailboxes
- Built upon base anti-spam in Exchange 2007, premium anti-spam protection adds
  - Microsoft IP reputation filter service and automated updates
  - Automated updates for Microsoft SmartScreen spam heuristics, phishing Web sites and Intelligent Message Filter (IMF)
  - Targeted spam signature data and automatic updates to identify latest spam campaigns
Slide 25: File Filtering
- A key part of any mail protection strategy
- File filtering proactively blocks a specific range of potentially dangerous file types whether or not a signature exists
- Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT
- Some users will block the same file types that are blocked by Outlook 2003
  - See Outlook online help for list
Slide 26: File Filtering: Setting up file filters
- Forefront blocks by extension and true file type
  - Can't fool filter by simple change of extension
- Each is configured differently
  - Use *.exe and "All Types" of files to block anything named .exe
  - Use *.* and EXEFILE to block any executable file no matter what it is named
Slide 27: File Filtering: Setting up file filters
- Search for specific files by name, e.g. resume.doc
  - Wildcards supported, e.g. *resume.doc
  - Each * represents 250 characters
- File filters can be Inbound or Outbound
  - *.exe, *.doc
- Files can be blocked based on size, and size/name/type/direction combinations
  - *.mp3 2mb
  - *.mp3 5mb
  - *.* 10mb
Slide 28: File Filtering Actions
- Every filter or filter list can have a separate action applied, offering great flexibility
- Skip: Detect only logs the event but does not block or alter the message
  - Not a secure setting!
  - Useful for monitoring and discovery purposes
  - Allows for pre-testing of new rules without end user impact
- Delete: Remove contents removes the attachment only and replaces it with the customized deletion text
- Purge: Eliminate message deletes both the attachment and the message body
  - End user receives nothing
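Added example (not Forefront code and not from the presentation) modelling the rule shape described across the three file-filtering slides: a rule combines a name pattern with wildcards, a file type ("All Types" or a true-type match such as EXEFILE), a direction, an optional size threshold and one of the three actions. The rule fields, the meaning of the size value (block when at least this large), the deletion text and the MZ-header check standing in for true-type detection are all assumptions of the example:

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Rule:
    pattern: str                  # name match with wildcards, e.g. "*.exe", "*resume.doc"
    file_type: str = "All Types"  # or "EXEFILE": match on the true type, not the name
    direction: str = "Both"       # "Inbound", "Outbound" or "Both"
    min_size: int = 0             # bytes; assumed meaning "block when at least this large"
    action: str = "Delete"        # "Skip" (detect only), "Delete" or "Purge"

DELETION_TEXT = b"Attachment removed by file filter (constructed deletion text)"

def true_type(data: bytes) -> str:
    # Minimal true-type detection: Windows executables begin with the MZ header
    return "EXEFILE" if data[:2] == b"MZ" else "OTHER"

def rule_matches(rule: Rule, name: str, data: bytes, direction: str) -> bool:
    if rule.direction not in ("Both", direction):
        return False
    if not fnmatch(name.lower(), rule.pattern.lower()):
        return False
    if rule.file_type != "All Types" and true_type(data) != rule.file_type:
        return False
    return len(data) >= rule.min_size

def apply_filters(rules, attachments, direction):
    # attachments: list of (name, data); returns (delivered list or None if purged, log)
    delivered, log = [], []
    for name, data in attachments:
        hit = next((r for r in rules if rule_matches(r, name, data, direction)), None)
        if hit is None:
            delivered.append((name, data))
            continue
        log.append(f"{direction} {name}: {hit.pattern}/{hit.file_type} -> {hit.action}")
        if hit.action == "Skip":         # logged only; the slide calls this not secure
            delivered.append((name, data))
        elif hit.action == "Delete":     # attachment replaced by the deletion text
            delivered.append((name + ".txt", DELETION_TEXT))
        elif hit.action == "Purge":      # whole message eliminated; user receives nothing
            return None, log
    return delivered, log

# Constructed rules: anything named .exe, any real executable however named,
# large inbound MP3s detected only, outbound resumes purged
RULES = [
    Rule("*.exe"),
    Rule("*.*", file_type="EXEFILE"),
    Rule("*.mp3", direction="Inbound", min_size=2 * 1024 * 1024, action="Skip"),
    Rule("*resume.doc", direction="Outbound", action="Purge"),
]
```

A renamed executable such as invoice.txt is caught by the EXEFILE rule even though no name rule matches it, which is the slide's point about true-type filtering.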
Slide 29: File Filtering: Zip file behavior
- Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP
Screenshot labels: custom deletion text; filter rule "Delete *.exe", Quarantine; container file before scan
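Added example (not Forefront code and not from the presentation) of the container behaviour on this slide: open the ZIP, replace only the offending member with the deletion text, copy every clean member back unchanged and repackage. The MZ-header executable check, the deletion text and the nesting limit are assumptions of the example; the limit treats an archive nested too deep to inspect as offending rather than passing it through unscanned:

```python
import io
import zipfile

DELETION_TEXT = b"File removed by file filter (constructed deletion text)"

def is_executable(data: bytes) -> bool:
    return data[:2] == b"MZ"  # MZ header: a Windows executable whatever its name

def filter_zip(container: bytes, max_depth: int = 2) -> tuple:
    """Returns (repackaged ZIP bytes, list of removed member paths)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(container)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            nested = zipfile.is_zipfile(io.BytesIO(data))
            if nested and max_depth > 0:
                data, inner = filter_zip(data, max_depth - 1)
                removed += [f"{info.filename}/{name}" for name in inner]
                dst.writestr(info.filename, data)
            elif is_executable(data) or nested:
                # Offending file, or an archive nested too deep to inspect: never pass it through
                removed.append(info.filename)
                dst.writestr(info.filename + ".txt", DELETION_TEXT)
            else:
                dst.writestr(info.filename, data)  # clean member copied as-is
    return out.getvalue(), removed

def build_sample() -> bytes:
    """Constructed container: a note, a renamed executable, and a nested ZIP holding another."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.scr", b"MZ\x90\x00 constructed screensaver stub")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", b"harmless notes")
        z.writestr("invoice.pdf", b"MZ\x90\x00 renamed executable")
        z.writestr("archive.zip", inner.getvalue())
    return buf.getvalue()

def member_names(blob: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return sorted(z.namelist())

def read_member(blob: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.read(name)
```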
Slide 30
- Real-time threat prevention features
  - Multi-layer anti-spam and anti-virus
  - Customized content and policy enforcement
- E-mail retention for help with compliance and e-discovery
  - Customized report generation for help demonstrating compliance
  - Fully indexed, searchable archive
- Uninterrupted e-mail accessibility
  - Rapid recovery from unplanned disasters and network outages
  - Thirty-day rolling historical e-mail store
- Full e-mail encryption
  - No public and private key management
  - Gateway, policy-based e-mail encryption
Slide 31: Hosted Services Network Infrastructure
- Hosted services provisioned across a reliable network infrastructure
  - SLA uptime guarantees of 99.999 percent
- Services activated with simple mail exchange record redirect
- Requires minimal IT administration; centralized control
- Scalability without additional cost; can handle all message volume variations
- Helps free local loop, customers' servers, and bandwidth from unwanted traffic
- Delivers legitimate messages to customers' site
Slide 32: Forefront Security for SharePoint
Slide 33: Forefront Security for SharePoint
- Virus Protection for Document Libraries
  - Real-time scanning of documents uploaded and downloaded from document library
  - Manual and scheduled scanning of document library
Diagram: Users exchange documents with the SharePoint Server, which stores them in the SQL document library
- Content Policy Enforcement
  - File filtering to block documents from being posted based on name match, file type or file extension
  - Content filtering by keywords within documents for inappropriate words and phrases
Slide 34: SharePoint API integration
- Utilizes the SharePoint Virus API to scan files during upload and download
- Optimized for performance in a SQL environment
  - Files are not rescanned if engines have not been updated
  - Up to ten simultaneous scanning threads to help ensure users are not delayed waiting for documents to scan
- Automatic integration with SharePoint Information Rights Management (IRM) to scan protected files on the fly
Slide 35: Summary
- Comprehensive protection
- Optimized performance
- Simplified management
- An integral part of Microsoft Forefront
- Visit http://www.microsoft.com/infrastructure
  - Learn more about how Forefront Client Security fits in the Forefront System Center solution
  - Download beta/evaluation software
"Forefront works like a dream. We don't have to do anything to it until we're ready to upgrade. With a small IT staff, that's exactly what we want." Alexander Fischer, Chief of IT Infrastructure, Koehler Paper Group
"We wouldn't put anything else for e-mail security on our Exchange Server 2007 machines. The software is well-respected. It's been around, it's proven." Chris Habala, Senior Architect/Analyst, Del Monte
Slide 36: Demo: Forefront Security for Exchange Server