Building a Multi-Layered Security Solution for Email
Sunil Uppal, Sr. Consultant, Microsoft
Copyright Microsoft Corp. 2006

Jan 20, 2016

Transcript
Page 1

Title slide: Building a Multi-Layered Security Solution for Email (Sunil Uppal, Sr. Consultant, Microsoft)

Page 2

Session Objective
To help IT Professionals understand and articulate Microsoft's Secure Messaging solution
Secure messaging infrastructure – On premise
Message Hygiene: Anti-Spam, Network edge protection, Anti-virus
Multi-layer solution: On-premise software complemented with Hosted Services

Page 3

The Interconnected World
Communication, Collaboration, Business productivity gains
Evolving threats to Collaboration: Worms and Viruses, Spam

Page 4

What is messaging hygiene?
Maintain corporate messaging environment free of malicious and unauthorized content
Threats:
Virus infected e-mail
Unsolicited commercial e-mail (spam)
Denial of Service (DoS) attacks
Directory Harvesting (DHA) attacks
E-mail spoofing
Unauthorized mail submission (Relaying)
Phishing

Page 5

E-Mail Hygiene – Is it important?
Malicious and unsolicited e-mail messages: an annoyance to users... but also a large hit to the infrastructure
One day of MS IT statistics (Dec 2004): out of an estimated 50,000,000+ e-mail submission attempts to the microsoft.com domain, only about 1,500,000 messages were legitimate
Figure: Incoming E-mail passes through Connection Filtering, Sender and Recipient Filtering and Intelligent Message Filtering before reaching the Outlook 2003 Mailbox (Inbox or Junk E-mail)
Multi-layered defense is the key!

Page 6

E-mail Hygiene – Layered Defense
Figure: mail flows from the Internet through Exchange SMTP Gateways (Connection Filtering, Sender/Recipient Filtering, Antispam), Exchange SMTP Routing HUBs (Attachment filtering, Antivirus) and Mailbox Servers to Clients (Attachment blocking, Antivirus, Antispam)
Figure: Incoming E-mail passes through Connection Filtering, Sender and Recipient Filtering and Intelligent Message Filtering before reaching the Outlook 2003 Mailbox (Inbox or Junk E-mail)

Page 7

Connection Filtering – Block Lists
Real-time DNS-based block lists
Check IP of sender against the block list using DNS queries
If DNS record for sender's IP exists, block it
Use third-party block lists or roll your own
Exchange 2003
Supports multiple RBL providers (applied in order!)
Terminates connection (SMTP protocol 550 error):
550 5.7.1 E-mail rejected because 213.241.32.5 is listed by sbl-xbl.spamhaus.org. Please see http://www.spamhaus.org/lookup.lasso for more information. If you still need assistance contact [email protected]
Supports customizable response per configured provider
Figure: sender IP 1.2.3.4 opens an SMTP connection; the gateway sends DNS Request 4.3.2.1.myrbl.com. to the provider myrbl.com, receives DNS Response 127.0.0.4, and applies the filter action SMTP Error 550
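The lookup in the figure, written out as an added Python example (not code from the presentation or from Exchange): the sender's octets are reversed and prefixed to the provider's zone, a 127.0.0.0/8 answer means "listed", providers are consulted in configured order, and each provider carries its own 550 response text. The resolver is a constructed dictionary so the example runs offline; the provider zones and response templates are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for DNS: maps DNSBL query names to A-record answers.
# A real gateway would ask the system resolver instead.
FAKE_DNS = {
    "4.3.2.1.myrbl.com.": "127.0.0.4",
    "5.32.241.213.sbl-xbl.spamhaus.org.": "127.0.0.2",
}


@dataclass
class BlockListProvider:
    zone: str              # DNSBL zone to query, e.g. "sbl-xbl.spamhaus.org"
    reject_template: str   # per-provider customizable 550 response text


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone.
    1.2.3.4 checked against myrbl.com becomes 4.3.2.1.myrbl.com."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone + "."


def is_listed(answer: str) -> bool:
    """DNSBLs signal a listing with an answer inside 127.0.0.0/8 (the last
    octet often encodes the reason). Any other address is treated as a
    misconfigured or expired zone and must not cause a block."""
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_connection(ip: str, providers, resolver=FAKE_DNS):
    """Consult providers in configured order, as Exchange 2003 does; the first
    provider that lists the IP decides. Returns (accept, smtp_response)."""
    for provider in providers:
        answer = resolver.get(dnsbl_query_name(ip, provider.zone))
        if answer is not None and is_listed(answer):
            text = provider.reject_template.format(ip=ip, zone=provider.zone)
            return False, "550 5.7.1 " + text
    return True, "250 OK"


if __name__ == "__main__":
    providers = [
        BlockListProvider("sbl-xbl.spamhaus.org",
                          "E-mail rejected because {ip} is listed by {zone}"),
        BlockListProvider("myrbl.com", "{ip} is on our internal block list {zone}"),
    ]
    for ip in ("213.241.32.5", "1.2.3.4", "192.0.2.10"):
        print(ip, check_connection(ip, providers))
```

The `is_listed` guard matters in practice: a zone that has been retired may answer every query with a non-loopback address, and a filter that treats any answer as "listed" would then reject all inbound mail.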

Page 8

Sender/Recipient Filtering
Built in Exchange Server 2003
Effective to combat mail bombing attacks
Filtering mail for ??? senders/recipients @microsoft.com resulted in up to 30,000,000+ message submissions per day savings

Page 9

Sender/Recipient Filtering

Page 10

Sender/Recipient Filtering
Filter messages sent from particular email addresses or domains
Temporary measure during mail bombing attacks
Not so effective for dynamic anti-spam
Drops connection before message payload is accepted – cheap!
Filtering messages with blank senders
Targeting RFC822 From:
No effect on NDRs
Blocking own domain will break some scenarios (e.g., ListServ)
Figure: a message From: <[email protected]> To: <[email protected]> is expanded by a Distribution List into From: <[email protected]> To: <[email protected]>, which then hits Sender Filtering *@contoso.com

Page 11

Recipient Lookup
Validates the recipient before accepting messages and returns 550 protocol error if the recipient is not valid
Result: No message payload is transmitted – savings in performance
But, what if I do RCPT TO: [email protected], RCPT TO: [email protected]...
Side effect: Possibility of rapid alias enumeration, a.k.a. DHA
About 20 minutes to harvest all valid 4 character aliases by brute force enumeration
Possible solution: Delay the 550 response for n seconds: slows down the attacker significantly
http://support.microsoft.com/default.aspx?kbid=842851
Works only for authoritative domains!
Figure: SMTP Connect → Recipient Lookup → Recipient not found → SMTP Error 550
→ Ehlo ...
→ Rcpt to: <[email protected]>
← 550 User unknown
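The tarpit in the KB article slows a harvester down; the gateway's protocol log is where you see one. The following Python is an added example (not from the presentation or Exchange) of the detection side: it parses constructed SMTP log lines, counts "550 User unknown" rejects per client IP inside a sliding window, and flags sources whose rejects dominate their RCPT TO traffic. The log layout, the IP addresses and the thresholds are all invented for the example; Exchange 2003's own log format differs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SMTP protocol-log lines. The layout is invented for
# this example (timestamp, client IP, command, response); it is not the
# Exchange 2003 log format.
SAMPLE_LOG = """\
2004-12-01T10:00:01 203.0.113.7 RCPT TO:<aaaa@contoso.com> 550 5.1.1 User unknown
2004-12-01T10:00:01 203.0.113.7 RCPT TO:<aaab@contoso.com> 550 5.1.1 User unknown
2004-12-01T10:00:02 203.0.113.7 RCPT TO:<aaac@contoso.com> 550 5.1.1 User unknown
2004-12-01T10:00:02 203.0.113.7 RCPT TO:<abby@contoso.com> 250 2.1.5 Recipient OK
2004-12-01T10:00:03 203.0.113.7 RCPT TO:<aaad@contoso.com> 550 5.1.1 User unknown
2004-12-01T10:00:03 203.0.113.7 RCPT TO:<aaae@contoso.com> 550 5.1.1 User unknown
2004-12-01T10:00:05 198.51.100.4 RCPT TO:<joe@contoso.com> 250 2.1.5 Recipient OK
2004-12-01T10:00:06 198.51.100.4 RCPT TO:<jo@contoso.com> 550 5.1.1 User unknown
2004-12-01T10:00:07 198.51.100.4 RCPT TO:<jane@contoso.com> 250 2.1.5 Recipient OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3}) ")


def parse_log(text):
    """Return (timestamp, client_ip, recipient, smtp_code) per RCPT TO line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], m["code"]))
    return events


def detect_dha(events, window=timedelta(minutes=1), max_unknown=4, min_unknown_ratio=0.5):
    """Flag client IPs that trigger more than max_unknown '550 User unknown'
    rejects inside any `window` and whose rejects are at least
    min_unknown_ratio of their RCPT commands (a legitimate sender mistypes one
    address; a harvester is wrong most of the time).
    Returns {ip: (unknown_rejects, total_rcpt)} for flagged sources."""
    by_ip = defaultdict(list)
    for ts, ip, _rcpt, code in events:
        by_ip[ip].append((ts, code))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        rejects = [ts for ts, code in evs if code == "550"]
        peak, start = 0, 0
        for end in range(len(rejects)):          # sliding window over the rejects
            while rejects[end] - rejects[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_unknown and len(rejects) / len(evs) >= min_unknown_ratio:
            flagged[ip] = (len(rejects), len(evs))
    return flagged


def rcpt_response_delay(code, tarpit_seconds):
    """Tarpit policy from the slide: hold the 550 for n seconds, answer
    accepted recipients immediately. Returns the delay to apply."""
    return tarpit_seconds if code == "550" else 0


if __name__ == "__main__":
    print(detect_dha(parse_log(SAMPLE_LOG)))
```

The ratio test is what keeps the detector from paging on a busy but legitimate sender that occasionally hits a stale address; the window test is what catches a harvester that spreads attempts over several connections.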

Page 12

Protecting Against Spoofing
Root cause – anonymous SMTP mail submission
Best Practice – restrict anonymous SMTP internally
For Internet E-mail
Option 1: Use Exchange 2003 "Resolve anonymous" feature
Figure: Exchange 2003 Gateway Setting (screenshot) and Result on Outlook Client (screenshot)

Page 13

Protecting Against Spoofing
Option 2: Authenticate Internet messages with SenderID/SPF technology
SPF/SenderID Framework
Publish the list of approved e-mail gateways in DNS (SPF record)
Authenticate incoming e-mails against this list
Sender ID Policy Example: "v=spf1 mx ip4:131.107.3.0/24 -all"
Microsoft.com Sender ID record: nslookup -q=TXT microsoft.com

Page 14

Using Message Header Parsing
Block List Filtering and Sender ID make decisions based on IP address of the sender
May have dependency on being the outermost SMTP server
Exchange Server 2003 SP2 Header Parsing
Microsoft Mail Internet Headers Version 2.0
Received: from smtp1.contoso.com ([10.168.0.15]) by EXHUB.contoso.com
Received: from smtp2.contoso.com ([10.168.0.10]) by smtp1.contoso.com
Received: from mailhost.fabrikam.com ([169.254.0.22]) by smtp2.contoso.com
Received: from hub.fabrikam.com ([169.254.0.34]) by mailhost.fabrikam.com
Received: from mail pickup service by hub.fabrikam.com with Microsoft SMTPSVC;
From: "Administrator" <[email protected]>
To: "Joe Doe" <[email protected]>
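The two previous slides fit together: header parsing finds the IP to judge, and the SPF record says whether that IP may send for the domain. The Python below is an added example (not code from the presentation, Exchange or any SPF library) that does both with the slide's own data: it walks the Received: chain newest-first, skips hops on our own 10.0.0.0/8 network (an assumption matching the 10.168.0.x hops shown), returns the first external address, and evaluates the slide's policy "v=spf1 mx ip4:131.107.3.0/24 -all" against it. DNS is a constructed dictionary; the fabrikam.com record, host addresses and From:/To: addresses are invented. Only the ip4, a, mx and all mechanisms are implemented.

```python
import ipaddress
import re

# Constructed DNS stand-in (TXT, MX and A answers) used by the evaluator.
# The contoso.com policy is the one quoted on the slide; the fabrikam.com
# record and all host addresses are invented for this example.
FAKE_DNS = {
    ("TXT", "contoso.com"): "v=spf1 mx ip4:131.107.3.0/24 -all",
    ("MX", "contoso.com"): ["mail.contoso.com"],
    ("A", "mail.contoso.com"): ["198.51.100.25"],
    ("TXT", "fabrikam.com"): "v=spf1 ip4:169.254.0.0/16 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, dns=FAKE_DNS):
    """Evaluate the domain's spf1 record against the connecting IP. Supports
    the ip4, a, mx and all mechanisms with +/-/~/? qualifiers; returns
    pass, fail, softfail, neutral, or none when no record is published."""
    record = dns.get(("TXT", domain))
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.IPv4Address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        target = argument or domain
        if mechanism == "ip4":
            matched = ip in ipaddress.IPv4Network(argument, strict=False)
        elif mechanism == "a":
            matched = str(ip) in dns.get(("A", target), [])
        elif mechanism == "mx":
            matched = any(str(ip) in dns.get(("A", host), [])
                          for host in dns.get(("MX", target), []))
        elif mechanism == "all":
            matched = True
        else:
            continue   # unsupported mechanism: skip rather than guess
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


# The Received: chain from the slide (the From:/To: addresses are invented).
SAMPLE_HEADERS = """\
Received: from smtp1.contoso.com ([10.168.0.15]) by EXHUB.contoso.com
Received: from smtp2.contoso.com ([10.168.0.10]) by smtp1.contoso.com
Received: from mailhost.fabrikam.com ([169.254.0.22]) by smtp2.contoso.com
Received: from hub.fabrikam.com ([169.254.0.34]) by mailhost.fabrikam.com
Received: from mail pickup service by hub.fabrikam.com with Microsoft SMTPSVC;
From: "Administrator" <administrator@fabrikam.com>
To: "Joe Doe" <joe.doe@contoso.com>
"""

RECEIVED_RE = re.compile(r"^Received: from \S+ \(\[(?P<ip>[\d.]+)\]\) by \S+", re.M)

# Assumed: our own gateways and hubs live in 10.0.0.0/8 (the slide's 10.168.0.x hops).
INTERNAL_NETS = [ipaddress.IPv4Network("10.0.0.0/8")]


def first_external_ip(headers, internal_nets=INTERNAL_NETS):
    """Walk Received: headers newest-first and return the first hop address
    that is not one of our own servers: the IP that block-list and Sender ID
    checks should use when this server is not the outermost SMTP host."""
    for m in RECEIVED_RE.finditer(headers):
        ip = ipaddress.IPv4Address(m["ip"])
        if not any(ip in net for net in internal_nets):
            return str(ip)
    return None


def sender_id_result(headers, sender_domain, dns=FAKE_DNS):
    """Header parsing plus SPF: find the external sending IP, then check it."""
    ip = first_external_ip(headers)
    return spf_check(sender_domain, ip, dns) if ip else "none"
```

Note the direction of the walk: the newest Received: header is at the top, so the first hop that is not ours is the one that handed the message to our perimeter. Walking from the bottom would trust whatever the sender chose to write in the headers it added itself.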

Page 15

Restricted/Authenticated DGs
Distribution Groups (DGs) may contain large recipient population
A single malicious message to a DG - large impact
Best Practice: Restrict large/sensitive internal DGs
Protects from most spam attacks
Much more secure!

Page 16

Spam Filtering
Educating users about spam: spam fighting starts with guarding your e-mail address
Fighting spam at multiple levels: Gateway (filtering), Mailbox (move to Junk E-mail), Client (move to Junk E-mail)
Spam Confidence level: Exchange 2003 feature rather than a solution

Page 17

Spam Confidence Level (SCL)
Message property to indicate a certainty that the message is spam or not
Values: -1, 0-9
Propagated within EXCH50 blob
Can be leveraged/stamped by anti-spam solution
Exchange 2003 has two thresholds/actions: at the SMTP gateway level and at the Store level
Exposing SCL in Outlook: http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx

Page 18

Intelligent Message Filter (IMF)
Key infrastructure design points:
IMF is positioned before anti-virus scanning
All SMTP transport behind IMF must be authenticated
Supports EXCH50 blob propagation
Figure: the Message Envelope carries the EXCH50 Blob with SCL rating alongside the RFC 2822 Message body; Internet → Exchange 2003 SMTP Gateway + IMF → Exchange 2003 Mailbox Server, with a Third Party SMTP Server also shown

Page 19

Intelligent Message Filter (IMF)
Analyzes message content and assigns SCL value
Deploying IMF in a single-forest scenario
Deploying IMF in a multiple-forest scenario
EXCH50 blob transfer: Exch50AuthCheckEnabled
Establishing authenticated SMTP connections
Figure: an Exchange 2003 Gateway with the Intelligent Message Filter stamps the SCL, which is carried to a second Exchange 2003 Gateway (also running the Intelligent Message Filter) and onward as SCL

Page 20

Intelligent Message Filter: Topological Placement
Outermost message content analysis component
Install on SMTP gateways
Assign to External SMTP VS only
Inbound mail scanning
For more information: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx
Figure: Internet → Exchange 2003 Gateway Servers (Antispam filtering) → Exchange 2003 HUB Servers (Antivirus filtering, Content filtering) → Mailbox servers

Page 21

Intelligent Message Filter: Customization
IMF Modes at the Gateway: No Action, Archive, Delete, Reject
Custom Error Message (Exchange SP2): HKLM\Software\Microsoft\Exchange\ContentFilter, value CustomRejectResponse
Forcing content scanning for authenticated connections: HKLM\Software\Microsoft\Exchange\ContentFilter, value CheckAuthSessions=1
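Slides 17 through 21 describe one pipeline: IMF stamps an SCL of -1 or 0-9, the gateway compares it with its threshold and applies one of the four modes (with CustomRejectResponse when rejecting), and the store compares what survives with its own threshold to pick Inbox or Junk E-mail. The Python below is an added example of that decision logic (not code from the presentation or from Exchange). The default thresholds, the sender addresses, the reject text and the precedence between safe/blocked sender lists and the SCL are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    authenticated: bool = False   # submitted over an authenticated SMTP session?
    scl: int = 0                  # -1 = trusted, 0..9 = increasing spam likelihood


@dataclass
class GatewayPolicy:
    threshold: int = 7            # gateway action fires when SCL >= threshold
    action: str = "Reject"        # IMF gateway mode: No Action, Archive, Delete, Reject
    custom_reject_response: str = "550 5.7.1 Message rejected by content filter"  # CustomRejectResponse
    check_auth_sessions: bool = False   # CheckAuthSessions=1: scan authenticated sessions too


@dataclass
class StorePolicy:
    threshold: int = 4            # SCL > threshold moves the message to Junk E-mail
    safe_senders: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)


def stamp_scl(msg, content_score, policy):
    """IMF stamps the SCL into the EXCH50 blob. Authenticated sessions get -1
    (treated as trusted) unless CheckAuthSessions is set."""
    if msg.authenticated and not policy.check_auth_sessions:
        msg.scl = -1
    else:
        msg.scl = max(0, min(9, content_score))
    return msg.scl


def gateway_disposition(msg, policy):
    """Gateway threshold/action. Returns (disposition, smtp_response_or_None)."""
    if msg.scl < policy.threshold:          # covers -1 as well
        return "deliver", None
    if policy.action == "Reject":
        return "reject", policy.custom_reject_response
    if policy.action == "Delete":
        return "delete", None
    if policy.action == "Archive":
        return "archive", None
    return "deliver", None                  # No Action: SCL still travels to the store


def store_folder(msg, policy):
    """Store threshold plus the user's lists. Assumed precedence: blocked
    senders always go to Junk, safe senders and SCL -1 always to the Inbox."""
    if msg.sender in policy.blocked_senders:
        return "Junk E-mail"
    if msg.sender in policy.safe_senders or msg.scl < 0:
        return "Inbox"
    return "Junk E-mail" if msg.scl > policy.threshold else "Inbox"


def process(msg, content_score, gateway=GatewayPolicy(), store=StorePolicy()):
    """Run one message through the gateway (IMF) stage and then the store stage."""
    stamp_scl(msg, content_score, gateway)
    disposition, response = gateway_disposition(msg, gateway)
    if disposition != "deliver":
        return disposition, response
    return "deliver", store_folder(msg, store)
```

The authenticated path is the one worth checking in your own deployment: an internal hop that authenticates to the gateway bypasses scoring entirely unless CheckAuthSessions is set, which is why the slides insist that all transport behind IMF be authenticated and that IMF sit on the outermost server.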

Page 22

Anti-virus: Possible Protection Frontiers
Gateway level: Transport Event Sinks, Transport VSAPI, Dedicated virus scanning SMTP MTA
Information Store level: VSAPI 2.x, ESE, MAPI
Client level
Methods have different dependencies, pros and cons

Page 23

Anti-virus - Evaluation Criteria
Functionality tests
Gateway integration method (Event sink/VSAPI)
Support for different message encodings
S/MIME scanning
TNEF scanning
Mail direction awareness
Attachment filtering capability
Notifications
Handling exceptions
Virus actions

Page 24

Protecting Against DoS attacks
Extremely difficult to guard against
DoS at the messaging layer and network layer are different
Spam and virus attacks often result in DoS effect
Countermeasures:
Anti-virus and Anti-spam systems
Message size limits (global/SMTP VS)
Authenticated only DL's / Empty DL's
Max recipients restriction
Criteria based filtering
Connection restrictions
Manage relay restrictions/inbound domains
Proactive monitoring

Page 25

Client Side Technologies
Attachment blocking, script stripping: http://www.microsoft.com/office/ork/xp/four/outg03.htm
Stripping web beacons
User Trusted & Junk Senders lists
Client side spam filtering
Update for Outlook 2003: Junk E-mail Filter (KB870765)
Outlook client version control (Q288894)

Page 26

Outlook 2003/OWA 2003 Web Beacons

Page 27

Outlook 2003 Client Side Spam Filtering
Outlook spam filtering applies to externally submitted e-mail

Page 28

Exchange 2003 Gateway: Platform for Messaging Hygiene
Two SMTP Virtual Servers approach
Different handling of inbound and outbound e-mail
Easier metrics gathering
Figure: External Messaging Systems ↔ Exchange 2003 Gateways ↔ Exchange 2003 Routing HUBs ↔ Mailbox Servers; the Exchange 2003 SMTP Gateway runs an Inbound SMTP VS (2) and an Outbound SMTP VS (1), joined by an SMTP Connector
Figure: settings listed for the Inbound SMTP Virtual Server and, separately, for the Outbound SMTP Virtual Server: Anonymous / Basic Authentication / Integrated Windows Auth., Apply Sender Filter, Relay for Anonymous, Relay for Authenticated, IP Restrictions, Apply Recipient Filter, Apply Connection Filter, Apply Intelligent Message Filter, Apply SenderID Filter

Page 29

Antivirus and Anti-Spam: Design
Figure: message flow from the Internet across Exchange 2003 Gateways, Exchange 2003 Hubs, Mailbox servers and Clients
Gateway Server (Transport): Connection Filtering (RBLs) → Sender/Recipient Filtering → Exchange IMF / Other Anti-Spam Solutions → SCL >= Gateway Threshold? Yes: Filter Action; No: continue with SCL
Gateway Server (Transport): Attachment Stripping → Virus Scanning → SCL
Mailbox Server (Store): SCL Store Threshold and User Safe/Blocked Senders → SCL > Store Threshold? Yes: Junk mail; No: Inbox
Client (Outlook 2003): Desktop Anti-Virus, Attachment blocking, User Safe/Blocked Senders → Spam? Yes: Junk mail; No: Inbox

Page 30

Anti-virus and Anti-spam Best Practices
Implement layered defenses
Scan for spam before scanning for viruses
Implement virus scanning for both inbound and outbound mail
Test AV products on various message encodings and attachment formats
Configure gateway anti-virus to be mail direction aware
At the gateway:
Consider "Block on fail" principle for anti-virus
Configure anti-virus to purge worm infected e-mails
Implement attachment blocking
Do not send security notifications to the Internet

Page 31

Securing Exchange Communications
What do you want to secure? User data in transit, User credentials, System data in transit
What do you want to secure it from? External threats, Internal threats
Securing Exchange Communications: Strong authentication, Confidentiality of e-mail data

Page 32

Confidentiality of e-mail data
Mail transport: SMTP internally, SMTP externally
Front End-to-Back End communications: HTTP (OWA, OMA, EAS, RPC/HTTP), IMAP4/POP3
Client Access: Outlook to Exchange, Mobile clients to Front End

Page 33

Securing Authentication
Use Windows Integrated authentication
Proactively disable insecure (Basic) authentication throughout the messaging infrastructure wherever possible
ldifde -d "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -r "(objectClass=protocolCfgSMTPServer)" -p Subtree -l msExchAuthenticationFlags -f CON:
1 – Anonymous, 2 – Basic, 4 – Windows Integrated
If Basic authentication is absolutely required, use transport level security (SSL/TLS, IPSEC)
C:\>base64>> decode TEFCXGpvZWRvdzpUb3RhMTF5JGVjdXJI
DOMAIN\joedoe:Tota11y$ecure
decode succeeded
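The ldifde command dumps msExchAuthenticationFlags for every SMTP virtual server; turning that dump into a list of servers that still accept Basic is the audit step the slide implies. The Python below is an added example (not code from the presentation or from Exchange) that parses a constructed LDIF export in the shape ldifde produces, decodes the 1/2/4 bitmask from the slide, lists the virtual servers with Basic enabled, and shows why that matters by decoding a Basic credential that is only base64-encoded. The server names, instance numbers, flag values and the credential are all invented.

```python
import base64
import re

# msExchAuthenticationFlags bits as given on the slide.
ANONYMOUS, BASIC, WINDOWS_INTEGRATED = 1, 2, 4

# Constructed LDIF in the shape of the ldifde export from the slide
# (server names, instance numbers and flag values are invented).
SAMPLE_LDIF = """\
dn: CN=1,CN=SMTP,CN=Protocols,CN=GW01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 7

dn: CN=2,CN=SMTP,CN=Protocols,CN=GW01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 1

dn: CN=1,CN=SMTP,CN=Protocols,CN=HUB01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 4
"""

# Virtual-server instance and owning server, taken from the SMTP VS distinguished name.
DN_RE = re.compile(r"^CN=(?P<instance>[^,]+),CN=SMTP,CN=Protocols,CN=(?P<server>[^,]+),CN=Servers", re.I)


def parse_auth_flags(ldif):
    """Return [(server, vs_instance, flags)] from an ldifde export."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        dn, flags = None, None
        for line in block.splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            elif line.startswith("msExchAuthenticationFlags: "):
                flags = int(line.split(": ", 1)[1])
        m = DN_RE.match(dn or "")
        if m and flags is not None:
            entries.append((m["server"], m["instance"], flags))
    return entries


def describe_flags(flags):
    """Decode the bitmask into the enabled authentication methods."""
    return [name for bit, name in ((ANONYMOUS, "Anonymous"), (BASIC, "Basic"),
                                    (WINDOWS_INTEGRATED, "Windows Integrated")) if flags & bit]


def virtual_servers_with_basic(entries):
    """The ones to review: Basic must be disabled, or wrapped in TLS/IPsec."""
    return [(server, instance) for server, instance, flags in entries if flags & BASIC]


def decode_basic_credential(token):
    """Why Basic needs transport protection: the credential on the wire is only
    base64-encoded, not encrypted. Returns (username, password)."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed token, built here from a made-up credential.
SAMPLE_TOKEN = base64.b64encode(b"CONTOSO\\joedoe:Tota11y$ecure").decode()

if __name__ == "__main__":
    entries = parse_auth_flags(SAMPLE_LDIF)
    for server, instance, flags in entries:
        print(server, instance, describe_flags(flags))
    print("Basic enabled on:", virtual_servers_with_basic(entries))
```

A real ldifde export folds lines longer than 78 characters onto continuation lines starting with a space; the parser above would need to join those before matching, which is left out here because the constructed sample is not folded.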

Page 34

Securing Exchange Authentication
Figure: Internet, Perimeter Network and Exchange ORG; Mobile OWA Clients reach the Front End through ISA Server 2004 with Forms Based Authentication; Outlook 2003 Clients, Mailbox Servers and the SMTP Gateway use Kerberos or Windows Integrated; the External SMTP Gateway accepts Anonymous authentication
Proactively disable not needed/insecure authentication:
ldifde -d "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -r "(objectClass=protocolCfgSMTPServer)" -p Subtree -l msExchAuthenticationFlags -f CON:
1 – Anonymous, 2 – Basic, 4 – Windows Integrated

Page 35

Securing Exchange Data in Transit
Figure: Internet, Perimeter Network and Exchange ORG; Mobile OWA Clients → ISA Server 2004 → Front End over HTTPS; Outlook 2003 Clients to Mailbox Servers with RPC Encryption; Mailbox Servers and the SMTP Gateway protected with IPsec; SMTP Gateway to External SMTP Gateway with TLS for SMTP
Following the "block on fail" principle
Requiring SSL
Insecure connections are not accepted

Page 36

Using ISA and Exchange Together
Exchange Client Access Scenarios: OWA; OMA, ActiveSync; RPC/HTTP
ISA Server 2004 provides additional security:
Application layer inspection
Authentication solutions
Firewall protection
Logging and Monitoring
RPC filtering (for Exchange 2000)

Page 37

E-mail Access: Traditional Firewall
Firewall rules open ports to allow traffic to and from mail server:
Incoming connections on email server for SMTP, POP3, Outlook Web Access (using SSL)
Outgoing connections from email server for SMTP
Limitation: Control over what channels are opened, but no control over what type of network traffic is sent to email server over these channels
Figure: Internet → firewall → Exchange Server, with rules Allow: Port 25 (SMTP), Allow: Port 110 (POP3), Allow: Port 443 (SSL), Allow: Port 135 (RPC), and Allow: Port 25 for outgoing mail

Page 38

How Exchange 2000 RPC Works
Figure: RPC Client (Outlook) and RPC Server (Exchange 2000) across the Internet; "TCP 135: Port for {0E4A…}?", "Server: Port 4402", then "Port 4402: Data"
1. The RPC server maintains a table of Universally Unique Identifiers (UUID) and assigned port
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID
3. The server responds with the associated port
4. The client reconnects to server on the designated port to access Exchange

Page 39

RPC and Traditional Firewalls
Open port 135 for incoming traffic
Open every port that RPC might use for incoming traffic
Figure: the RPC exchange between RPC Client (Outlook) and RPC Server (Exchange 2000) across the Internet ("TCP 135: Port for {0E4A…}?", "Server: Port 4402", "Port 4402: Data")
Traditional firewalls can't provide secure RPC access

Page 40: Exchange 2000 and ISA Server

Initial connection: Only allows valid RPC traffic

Blocks non-Exchange queries

Secondary connection: Only allows connection to the port used by Exchange

Enforces encryption

Figure: Outlook on the Internet and RPC Server (Exchange 2000), with the same TCP 135 exchange ("Port for {0E4A…}?" / "Port 4402") followed by data to Server: Port 4402
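The difference between pages 39 and 40 is easiest to see in code. The following is an added example, not from the slide deck and not ISA Server code: a model of an endpoint-mapper-aware RPC filter beside the port-based rule a traditional firewall is limited to. The published UUID (the slides only show the truncated "0E4A…"), the port numbers and the client names are constructed for the example.

```python
# Added example (not from the slide deck, not ISA Server code): a model of the
# endpoint-mapper-aware RPC filtering described on pages 38-40, next to the
# port-based rule a traditional firewall is limited to. UUID, ports and the
# message shapes are constructed for the example.
from dataclasses import dataclass, field

ENDPOINT_MAPPER_PORT = 135
DYNAMIC_PORT_RANGE = range(1024, 65536)

# Constructed stand-in for the interface UUIDs the filter publishes; the slides
# only show the truncated value "0E4A...", so this is a placeholder UUID.
PUBLISHED_UUIDS = {"0e4a0000-0000-0000-0000-000000000000"}


def traditional_firewall(dst_port):
    """Pages 37/39: a port-based firewall can only open TCP 135 plus every port
    RPC might use, so any dynamic port is reachable regardless of RPC state."""
    if dst_port == ENDPOINT_MAPPER_PORT or dst_port in DYNAMIC_PORT_RANGE:
        return "allowed"
    return "blocked"


@dataclass
class RpcAwareFilter:
    """Page 40: inspect the TCP 135 exchange, allow only queries for published
    interfaces, and open the secondary connection only to the port the server
    actually assigned, with encryption enforced."""
    published_uuids: set
    require_encryption: bool = True
    granted: dict = field(default_factory=dict)   # client -> assigned port

    def mapper_query(self, client, uuid):
        # Step 2: the client asks which port serves this UUID.
        if uuid.lower() not in self.published_uuids:
            return "blocked: non-Exchange query"
        return "allowed"

    def mapper_response(self, client, uuid, port):
        # Step 3: remember the port the server assigned for this client.
        if uuid.lower() not in self.published_uuids:
            return "dropped"
        self.granted[client] = port
        return "recorded"

    def secondary_connection(self, client, dst_port, encrypted):
        # Step 4: only the assigned port, and only if encrypted.
        if self.granted.get(client) != dst_port:
            return "blocked: port not assigned by server"
        if self.require_encryption and not encrypted:
            return "blocked: encryption required"
        return "allowed"


def demo():
    """Walk one Outlook session and one non-Exchange probe through both filters."""
    f = RpcAwareFilter(PUBLISHED_UUIDS)
    exch = "0E4A0000-0000-0000-0000-000000000000"      # constructed, published
    other = "12345678-1234-1234-1234-123456789abc"     # constructed, not published
    return {
        "trad_dynamic_port": traditional_firewall(4402),
        "trad_other_dynamic_port": traditional_firewall(5000),
        "query_exchange": f.mapper_query("outlook", exch),
        "query_other": f.mapper_query("probe", other),
        "response": f.mapper_response("outlook", exch, 4402),
        "data_assigned_port": f.secondary_connection("outlook", 4402, True),
        "data_other_port": f.secondary_connection("outlook", 5000, True),
        "data_plaintext": f.secondary_connection("outlook", 4402, False),
        "data_no_mapper": f.secondary_connection("probe", 4402, True),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

The traditional filter returns "allowed" for every dynamic port, which is exactly the "open every port that RPC might use" posture of page 39. The RPC-aware filter allows port 4402 only for the client that received it in a mapper response, and refuses the same port to a client that never completed the TCP 135 exchange.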

Page 41: OWA: Traditional Firewall

Web traffic to OWA is encrypted: Standard SSL encryption

Security against eavesdropping and impersonation

Limitation: Default OWA implementation does not protect against application layer attacks

Concept of defense in depth requires inspection of OWA traffic at the firewall

Figure: OWA Traffic from the Internet passes through the firewall in an SSL Tunnel to the Exchange Server OWA Front End; labels: Password Guessing, Web Server Attacks

Page 42: How ISA Server Protects OWA

Authentication: Unauthorized requests are blocked before they reach the Exchange server

Enforces all OWA authentication methods at the firewall

Provides forms-based authentication at the firewall before reaching OWA

Inspection: Invalid HTTP requests or requests for non-OWA content are blocked

Inspection of SSL traffic before it reaches the Exchange server*

Confidentiality: Ensures encryption of traffic over the Internet at the firewall

Can prevent the downloading of attachments to client computers separate from intranet users

Figure: Internet, ISA Server (Authentication, Inspection), Exchange Server OWA Front End; labels: OWA Traffic, SSL Tunnel, Web Server Attacks, Password Guessing

*Note: Full ISA inspection is not available if GZip compression is used by OWA.

Page 43: How RPC/HTTP Works

RPC/HTTP encapsulates RPC traffic inside HTTP

Internal Web server (RPC proxy) extracts RPC traffic from HTTP

Advantage: Most firewalls allow HTTP traffic

Problem: Traditional firewalls leave the RPC proxy exposed to Web-based attacks

Figure: HTTP Traffic from the Internet to Exchange Client Access Services, carrying RPC Traffic; label: Web Server Attacks

Page 44: RPC over HTTP with ISA Server

ISA Server terminates the SSL tunnel and inspects HTTP traffic for protocol compliance

Blocks requests for all URLs except http://.../rpc/...

No direct connections from the Internet to the Exchange Server

Application layer protection for HTTP traffic

Figure: Internet, ISA Server, Exchange Client Access Services; labels: RPC Traffic, Web Server Attacks
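Pages 42 and 44 describe the same idea from two angles: a reverse proxy that terminates SSL, enforces authentication, and forwards only protocol-compliant requests for OWA content or the RPC proxy path. The following is an added example, not from the slide deck and not ISA Server code, of such a request filter. The OWA path prefixes, the cookie name "fba" and the session store are constructed for the example; RPC_IN_DATA and RPC_OUT_DATA are the request methods RPC over HTTP actually uses.

```python
# Added example (not from the slide deck, not ISA Server code): an
# application-layer request filter of the kind pages 42 and 44 describe for
# publishing OWA and the RPC-over-HTTP proxy. SSL is assumed to have been
# terminated already, so the filter sees plain HTTP. The OWA path prefixes,
# the cookie name and the session store are constructed; RPC_IN_DATA and
# RPC_OUT_DATA are the methods RPC over HTTP uses.
from urllib.parse import urlsplit, unquote

OWA_PREFIXES = ("/exchange", "/exchweb", "/public")   # constructed allow-list
RPC_PREFIX = "/rpc"                                   # page 44: only .../rpc/... passes
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
WEB_METHODS = {"GET", "POST", "HEAD"}
MAX_URL_LEN = 2048


def _under(path, prefix):
    """True if `path` is `prefix` itself or lies below it."""
    return path == prefix or path.startswith(prefix + "/")


def _session_cookie(headers):
    """Extract the constructed forms-based-auth cookie "fba" from a Cookie header."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "fba":
            return value
    return None


def classify_request(method, target, headers, sessions):
    """Return ("forward", kind) for requests allowed to reach the Exchange front
    end, or ("block", reason) for everything stopped at the firewall."""
    method = method.upper()
    if method not in WEB_METHODS | RPC_METHODS:
        return ("block", "method not permitted")
    if len(target) > MAX_URL_LEN:
        return ("block", "URL too long")
    # Protocol compliance: decode once, collapse slashes, refuse traversal
    # and characters that never belong in an OWA or RPC proxy URL.
    path = unquote(urlsplit(target).path)
    while "//" in path:
        path = path.replace("//", "/")
    if "\\" in path or "\x00" in path or "/../" in path + "/" or "/./" in path + "/":
        return ("block", "invalid path")
    lower = path.lower()
    if _under(lower, RPC_PREFIX):
        if method not in RPC_METHODS:
            return ("block", "non-RPC method on RPC proxy")
        kind = "rpc-proxy"
    elif any(_under(lower, p) for p in OWA_PREFIXES):
        if method not in WEB_METHODS:
            return ("block", "RPC method outside RPC proxy")
        kind = "owa"
    else:
        return ("block", "non-OWA content")
    # Authentication at the firewall: an unauthenticated request is answered
    # here (in a real deployment, with the logon form) and never reaches Exchange.
    if _session_cookie(headers) not in sessions:
        return ("block", "unauthenticated")
    return ("forward", kind)


if __name__ == "__main__":
    sessions = {"tok1"}                           # constructed valid session
    ok = {"cookie": "fba=tok1"}
    for req in [("GET", "/exchange/alice/Inbox/", ok),
                ("GET", "/admin/", ok),
                ("GET", "/exchange/%2e%2e/admin", ok),
                ("RPC_IN_DATA", "/rpc/rpcproxy.dll?mail.example.invalid:6001", ok),
                ("GET", "/rpc/rpcproxy.dll", ok),
                ("GET", "/exchange/", {"cookie": "fba=expired"})]:
        print(req[0], req[1], "->", classify_request(*req, sessions))
```

Order matters here: method, length and path checks run before the authentication check, so a malformed request never consumes a session lookup, and the authentication check runs before anything is forwarded, so password guessing against the OWA form terminates at the proxy rather than at the Exchange front end.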

Page 45: Easy ISA Configuration and Administration

Mail Publishing Wizard makes configuration easy and prevents configuration mistakes

Page 46: So where are we today?

Assess your environment

Is Spam a real threat to your infrastructure?

Do you have all the layers in place?

Does your team have the requisite skills?

Do you have the right infrastructure in place?

Think again…

Do you really want to manage all this?

Is there an alternative? Hold on…

Do you want an additional layer?

Do you want a stop-gap arrangement?

Page 47: What are the Challenges?

IT Pros (Manage cost & complexity)

E-mail is mission critical

E-mail must always be available

E-mail maintenance is expensive and resource-intensive

Security Pros (Secure, protect and comply)

Security top concern

Regulatory compliance critical in many industries

Threats continue to evolve

Counter-measures are expensive and difficult to update

Information Workers (Inbox value and access)

Users want uninterrupted access to their inbox

Spam and viruses distract users from business productivity

Page 48: Multi-Layer Secure Messaging

Network Edge Protection: Services and on-premise software protect against spam and viruses before they penetrate the network

Firewall Protection: Protocol and application-layer inspection enable secure, remote access to Exchange server

Internal Anti-virus Protection: Protects against malicious threats, while enforcing e-mail content policies

BETTER TOGETHER WITH EXCHANGE: Software and services use multiple scanning engines to protect Exchange inboxes from threats

Figure: Internet; Managed Services (FrontBridge E-mail Filtering Services); External Firewall; DMZ with ISA Server (Authentication and Authorization); Internal Firewall; Corporate Network with On-Premise Software (Antigen for Exchange, Antigen for SMTP Gateways, Advanced Spam Manager)

Page 49: Multi-Layer Secure Messaging

What are the products? FrontBridge Email Filtering Services

Hosted, internet-based messaging services

Provides anti-virus, anti-spam, content, and file filtering

Uses multiple scanning engines

Blocks the majority of threats before they reach your network

Tremendous gain in security and efficiency

Page 50: Multi-Layer Secure Messaging

What are the products? Antigen for SMTP/Exchange

On-premise, server-based mail scanning software

Provides anti-virus, anti-spam, content and file filtering

Multiple complementary technologies used

Complete end user control

Protection against internal threats and virus propagation

Page 51: Multi-Layer Secure Messaging

What are the products? ISA Server 2004

On-premise, server-based application layer firewall

Provides secure publishing of Outlook Web Access

Enhanced security for mobile workforce

Provides SMTP protocol scanning

Page 52: Multi-Layer Secure Messaging

Better Together: Using all three offerings in a layered solution provides the best level of protection

Defense in depth

Preliminary cleaning of spam and viruses via FrontBridge lessens the processing load for the on-premise solutions

Single vendor purchase simplifies licensing and support issues

Page 53: FrontBridge Services

Figure: Internet, FrontBridge services (Continuity, Filtering, Encryption, Mail Flow, Archiving), Firewall, E-Mail Server, End Users

No onsite IT management

Fastest response to threats

Centralized control

SMTP platform-agnostic

Unparalleled reliability and scalability

Page 54: FrontBridge E-Mail Filtering

Edge and connection-based blocking: Directory services, real-time attack prevention, multi-layer virus scanning and content filtering

Advanced spam filtering: Fingerprinting, SPF lookups, rules based scoring

E-Mail queuing

E-Mail quarantine
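The three spam techniques named on this page combine naturally into one score. The following is an added example, not from the slide deck and not FrontBridge code, of a scorer that applies content fingerprinting, an SPF result and rules-based scoring, and maps the total to deliver / quarantine / reject. The SPF result is passed in as the outcome of a lookup done elsewhere (a real filter queries DNS); the fingerprint corpus, rules, weights, thresholds and sample messages are all constructed.

```python
# Added example (not from the slide deck, not FrontBridge code): a small spam
# scorer combining the three techniques page 54 lists: fingerprinting, an SPF
# result and rules-based scoring. The SPF result is passed in (a real filter
# queries DNS); the fingerprint corpus, rules, weights, thresholds and sample
# messages are constructed.
import hashlib
import re


def fingerprint(body):
    """Hash a normalized body so trivial per-recipient mutations (case, spacing,
    digits) map to the same fingerprint. Constructed normalization."""
    norm = re.sub(r"\d+", "#", body.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


# Constructed corpus: fingerprints of messages already confirmed as spam.
KNOWN_SPAM = {
    fingerprint("You have won 1000000 dollars! Claim now at http://example.invalid/win"),
}

# SPF result -> score contribution (constructed weights).
SPF_SCORE = {"pass": 0.0, "neutral": 0.5, "none": 1.0, "softfail": 2.0, "fail": 4.0}

# Content rules: (name, regex applied to subject and body, weight). Constructed.
RULES = [
    ("shouting", re.compile(r"[A-Z]{6,}"), 1.0),
    ("money_lure", re.compile(r"\b(won|winner|prize|lottery)\b", re.I), 1.5),
    ("urgency", re.compile(r"\b(act now|claim now|urgent|immediately)\b", re.I), 1.0),
    ("raw_ip_link", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I), 2.0),
]
FINGERPRINT_WEIGHT = 10.0
QUARANTINE_AT, REJECT_AT = 5.0, 12.0


def score_message(msg):
    """msg: dict with 'subject', 'body' and 'spf'. Returns (score, reasons)."""
    reasons = [f"spf={msg['spf']}"]
    score = SPF_SCORE.get(msg["spf"], 1.0)   # unknown result treated like "none"
    if fingerprint(msg["body"]) in KNOWN_SPAM:
        score += FINGERPRINT_WEIGHT
        reasons.append("known_spam_fingerprint")
    for name, rx, weight in RULES:
        if rx.search(msg["subject"]) or rx.search(msg["body"]):
            score += weight
            reasons.append(name)
    return score, reasons


def verdict(score):
    """Map a score to the disposition: reject, quarantine (page 54) or deliver."""
    if score >= REJECT_AT:
        return "reject"
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "deliver"


# Constructed sample messages.
SPAM_VARIANT = {"subject": "CONGRATULATIONS WINNER",
                "body": "You have WON 2000000 dollars!  Claim now at http://example.invalid/win",
                "spf": "fail"}
LEGIT = {"subject": "Q3 budget review",
         "body": "Hi Alice, attached are the figures for the Q3 review. Thanks, Bob",
         "spf": "pass"}
BORDERLINE = {"subject": "Your prize", "body": "act now to claim", "spf": "fail"}

if __name__ == "__main__":
    for m in (SPAM_VARIANT, LEGIT, BORDERLINE):
        s, why = score_message(m)
        print(f"{verdict(s):10s} {s:5.1f} {why}")
```

The spam variant changes the amount and the spacing of a known message, yet still hits the stored fingerprint because normalization replaces digit runs and collapses whitespace; the SPF failure and content rules then push it past the reject threshold. The borderline message shows why a single rule should not quarantine on its own: only the combination of an SPF failure with two content hits reaches the quarantine threshold.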

Page 55: Antigen - Multiple Scan Engine

• Manage up to 8 scan engines

• Eliminate single point of failure

• Minimize window of exposure during outbreaks

Figure: Scan Engine 1, Scan Engine 2, Scan Engine 3, Scan Engine 4, Quarantine
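The three bullets above translate into a concrete verdict policy. The following is an added example, not from the slide deck and not Antigen code, showing how results from several engines are combined so that one detection quarantines, an engine outage does not stop mail flow, and too few working engines holds the message instead of trusting a lone opinion. Engine names, signatures and sample attachments are constructed; each engine is a stand-in callable where a real product would call a vendor SDK.

```python
# Added example (not from the slide deck, not Antigen code): a verdict policy
# for running several scan engines against one attachment, modelled on the
# three properties page 55 lists. Engines are stand-in callables returning
# "clean", "infected" or "error"; names, signatures and samples are constructed.
from collections import Counter


def make_engine(name, signatures, available=True):
    """Constructed engine: flags content containing any of its signature bytes.
    An unavailable engine (failed update, crash) returns "error" for every sample."""
    def scan(data):
        if not available:
            return (name, "error", None)
        for sig_name, sig in signatures.items():
            if sig in data:
                return (name, "infected", sig_name)
        return (name, "clean", None)
    return scan


def scan_with_engines(data, engines, min_reporting=2):
    """Return (disposition, detections, error_count).

    Any single detection quarantines: the engine with the newest signature is
    enough, which is what shrinks the window of exposure during an outbreak.
    An erroring engine is skipped rather than blocking mail (no single point of
    failure), but if fewer than `min_reporting` engines actually returned a
    verdict the message is held instead of being delivered on a lone opinion."""
    results = [engine(data) for engine in engines]
    verdicts = Counter(v for _, v, _ in results)
    detections = [(name, sig) for name, v, sig in results if v == "infected"]
    if detections:
        return ("quarantine", detections, verdicts["error"])
    if verdicts["clean"] < min_reporting:
        return ("hold", [], verdicts["error"])
    return ("deliver", [], verdicts["error"])


# Constructed engines: B has a signature the others lack (a newer update);
# C is down; D knows nothing about either sample.
ENGINE_A = make_engine("A", {"Worm.Sample.A": b"WORM-A"})
ENGINE_B = make_engine("B", {"Worm.Sample.A": b"WORM-A", "Worm.Sample.B": b"WORM-B"})
ENGINE_C = make_engine("C", {"Worm.Sample.A": b"WORM-A"}, available=False)
ENGINE_D = make_engine("D", {})
ALL_ENGINES = [ENGINE_A, ENGINE_B, ENGINE_C, ENGINE_D]

if __name__ == "__main__":
    for sample in (b"quarterly report WORM-B", b"quarterly report"):
        print(sample, "->", scan_with_engines(sample, ALL_ENGINES))
    print("only C and A ->", scan_with_engines(b"quarterly report", [ENGINE_C, ENGINE_A]))
```

With all four engines configured, the sample carrying the newer signature is quarantined on engine B's verdict alone even though A and D miss it and C is down; the clean sample is delivered because three engines still reported. With only C and A configured the clean sample is held, since a single working engine is below the reporting floor.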

Page 56: Antigen for SMTP Gateways

Detects and removes e-mail viruses at the network edge

Scans SMTP stack to disable threats within a message during the routing process

Provides advanced content filtering capabilities for messages and attachments

Integrates file filtering, keyword filtering, anti-spam, and content filtering during the routing process

Protects Windows Server 2003 and Windows 2000 Server SMTP gateways

Proactively notifies administrators of virus incidents and scan events by e-mail or event log

Figure: Internet, Firewall, SMTP Gateway Server/Routing Server, Exchange Servers, Users

Page 57: Antigen for Exchange

Detects and removes viruses in e-mail messages and attachments

Scans at SMTP stack (most processing intensive scans)

Scans real-time at Exchange Information Store

Provides on-demand and scheduled scans of the information store

Uses Microsoft-approved virus scanning API integration for Exchange 2000 and 2003

Provides advanced content-filtering capabilities for messages and attachments

Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level

Protects Exchange Server 5.5, 2000, and 2003

Figure: Internet, ISA Server, Exchange Front End, Exchange Site 1 and Exchange Site 2 (Exchange Public Folder Server, Exchange Mailbox Server)

Page 58: Conclusion: Top things to remember

Establish and document security requirements

Enforce security at multiple levels – defense in depth

Establish layered e-mail hygiene defenses

Secure Exchange servers by role

Bring the Exchange Front-End server out of the perimeter network. Use reverse proxy solutions for secure Exchange publishing (ISA).

Use only secure authentication methods. Disable unneeded ones.

Enforce e-mail data encryption where needed

Page 59: For More Information

Combines FrontBridge, Antigen and ISA information: http://www.microsoft.com/securemessaging

Microsoft IT deployments and best practices: http://www.microsoft.com/technet/itshowcase

Whitepapers on FrontBridge services: http://www.frontbridge.com

Sign up for a free trial of FrontBridge filtering services: http://www.frontbridge.com/forms/form_evaluation.php

Download evaluation copy of Antigen and Advanced Spam Manager: http://www.sybari.com/eval

Page 60: © 2006 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.