Microsoft Forefront - Security for Office Communications Server Technical Overview Presentation

Jun 08, 2015

Page 1: Microsoft Forefront -  Security for Office Communications Server Technical Overview Presentation

Forefront Security for Office Communications Server: Technical Overview

Name, Title

Microsoft Corporation

Page 2

Agenda

• Forefront Security for Office Communications Server Overview
• Comprehensive Protection
  − Multiple Engine Approach
  − Virus Scanning
  − File Transfer Scanning
• Integrated Security
  − OCS 2007 Integration
  − Federated and Public IM Protection
  − Performance Optimization Tools
• Simplified Management
  − Automated signature updates
  − Statistics, events and performance counters
  − Notifications
• Summary

Page 3

A comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management.

[Diagram: the Forefront product line covers the Network Edge, Server Applications, and Client & Server OS.]

Page 4

Microsoft Forefront Security for Office Communications Server provides fast and effective protection against IM-based malware by including multiple scanning engines from industry-leading security partners in a single solution, and helps reduce corporate liability by blocking IM messages containing inappropriate content.

Comprehensive Protection
• Integrates multiple antimalware engines
• Blocks transfer of dangerous file types
• Prevents sharing of out-of-policy content

Integrated Security
• Optimizes virus scanning on OCS 2007
• Integrates with multiple server roles
• Protects federated connections and public IM

Simplified Management
• Built-in administrator console
• Automated signature updates
• IM notifications for out-of-policy activity

Page 5

Comprehensive Protection

Page 6

Problem: Single Point of Failure

[Diagram: a single-vendor, single-engine anti-virus approach. The same engine (A) protects SharePoint, ISA Server, the SMTP Server, OCS and Exchange against viruses, worms and spam arriving from the Internet, so a blind spot in that one engine is shared by every server.]

Page 7

Problem: Management/Cost

[Diagram: a multi-vendor, multi-engine anti-virus approach. Different engines (A, B, C, D, E) protect SharePoint, ISA Server, the SMTP Server, OCS and Exchange against viruses, worms and spam from the Internet, each one licensed, deployed and managed separately.]

Page 8

Harnessing Multiple Scanning Technologies in a Single Solution

• Forefront Security for Office Communications Server harnesses the strengths of multiple antivirus scan engines from Microsoft and industry-leading security partners
  − All engines are delivered and licensed by Forefront
• Forefront Security for Office Communications Server can use all or a subset of its five engines per scanning operation

[Diagram: Office Communications Server 2007 fronted by engines A, B, C, D and E.]

Page 9

The Multiple Engine Advantage

• Rapid response to new threats
• Fail-safe protection through redundancy
• Diversity of antivirus engines and heuristics

Response time¹ (in hours)

WildList Number  Malware Name            FSOCS Engines  Vendor A*  Vendor B*  Vendor C*
10/08            agent_itw69.ex_         0.00           0.00       226.88     0.00
10/08            autorun_itw463.ex_      0.00           115.62     109.38     126.08
10/08            autorun_itw476.ex_      0.00           152.98     1039.35    570.82
10/08            ircbot_itw466.ex_       0.00           0.00       0.00       696.88
10/08            onlinegames_itw593.ex_  66.48          47.70      115.55     152.42
10/08            rbot_itw2666.ex_        0.00           0.00       0.00       934.85
10/08            slenfbot_itw21.ex_      0.00           0.00       0.00       172.75
10/08            vb_itw163.ex_           0.00           45.17      0.00       0.00
10/08            zbot_itw18.ex_          0.00           1195.55    473.87     463.32
11/08            agent_itw75.ex_         0.00           71.70      45.43      705.37
11/08            auraax_itw1.ex_         0.00           74.73      50.03      61.87
11/08            autorun_itw490.ex_      0.00           0.00       75.23      394.33
11/08            bagle_itw199.ex_        10.52          60.67      561.95     257.63
11/08            ircbot_itw470.ex_       0.00           150.88     336.37     1034.00
11/08            krap_itw1.ex_           0.00           45.80      0.00       154.07
11/08            magania_itw13.ex_       0.00           45.80      67.55      103.87
11/08            rbot_itw2668.ex_        0.00           0.00       0.00       1156.45
11/08            sdbot_itw2685.ex_       0.00           43.48      709.07     1022.70
11/08            slenfbot_itw26.ex_      0.00           75.37      0.00       182.88
11/08            slenping_itw3.ex_       0.00           51.60      0.00       1058.47
12/08            agent_itw82.ex_         0.00           49.58      71.62      35.32
12/08            autorun_itw511.ex_      0.00           78.43      74.92      64.17
12/08            ircbot_itw474.ex_       0.00           176.23     0.00       139.32
12/08            koobface_itw9.ex_       0.00           41.22      0.00       1182.03
12/08            sdbot_itw2686.ex_       0.00           63.07      709.15     1227.40
12/08            zbot_itw27.ex_          0.00           1274.87    1059.32    1215.45

* 0.00 denotes proactive detection
¹ Source: AV-Test.org 2008 (www.av-test.org)

Legend for single-engine solutions (colour-coded on the original slide): less than 5 hours; 5 to 24 hours; more than 24 hours.

Page 10

Virus Scanning

• SIP message stream is routed through FSOCS
• Clean messages and file transfers are stamped and forwarded through OCS
  − Infected files are blocked and/or quarantined
  − Notification is sent to sender and administrator

[Diagram: IM enters the SIP message stream on OCS 2007 and passes through FSOCS; clean IM is forwarded, while infected items go to Quarantine and raise a Notification.]

Page 11

SIP Message Scanning

• FSOCS recognizes SIP message content types supported by OC 2007 and 2005, including:
  − Plain Text
  − Rich Text Format (default)
  − MIME multipart/alternative
  − ISF (Ink Serialized Format)/GIF
• FSOCS will scan unknown content types that could be sent by custom clients built with the UCC SDK for malware
• FSOCS can also be configured to block unknown content types

Page 12

File Transfer Filtering

• A key part of a messaging protection strategy
• File transfer filtering proactively blocks a specific range of potentially dangerous file types
  − Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT
• Should be consistent with attachment filtering for email protection

Page 13

File Transfer Filtering: Setting Filters

• Search for specific files by name, e.g. “resume.doc”
  − Wildcards supported, e.g. “*resume*.doc”
• File filters can be Inbound or Outbound
  − <in>*.exe, <out>*.doc
• Files can be blocked based on size, and on size/name/type/direction combinations
  − <in>*.mp3>2mb
  − <out>*.mp3>5mb
  − <in>*.*>10mb

Page 14

File Transfer Filtering: Setting Filters

• Forefront Security for Office Communications Server blocks by extension and by true file type
• Can’t fool the filter by a simple change of extension
• Each is configured differently
  − Use *.exe and All Types of files to block anything named *.exe
  − Use * and EXEFILE to block any executable file no matter what it is named

Page 15

File Transfer Filtering: Setting Filters

• Actions
  − Skip: detect only
  − Delete: remove contents
  − Purge: eliminate message
  − Identify: tag message/file
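As an added illustration (not code from the slides or from FSOCS itself), the following Python models the filter rules of pages 13 and 14: the <in>/<out> direction prefix, the name wildcard, the >size threshold, and the difference between matching on the name (All Types) and on the true file type (EXEFILE). The "MZ" header check is an assumption standing in for the product's own true-type detector, and the policy list is constructed from the slides' examples.

```python
import fnmatch
from dataclasses import dataclass

UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

@dataclass
class FilterRule:
    text: str            # rule as written on the slide, e.g. "<in>*.mp3>2mb"
    direction: str       # "in", "out" or "any"
    name_glob: str       # "*.exe", "*resume*.doc", "*"
    file_type: str       # "ALL" (name only) or "EXEFILE" (true-type check)
    size_over: int = 0   # when > 0, block only files larger than this many bytes

def parse_rule(text: str, file_type: str = "ALL") -> FilterRule:
    """Parse the slide shorthand: optional <in>/<out>, a name glob, optional >size."""
    body, direction = text.strip(), "any"
    if body.startswith("<"):
        close = body.index(">")
        direction, body = body[1:close].lower(), body[close + 1:]
    size_over = 0
    if ">" in body:
        body, size = body.rsplit(">", 1)
        size = size.lower()
        unit = next((u for u in UNITS if size.endswith(u)), None)
        size_over = int(size[:-2]) * UNITS[unit] if unit else int(size)
    return FilterRule(text, direction, body.lower(), file_type.upper(), size_over)

def is_executable(data: bytes) -> bool:
    # Hypothetical stand-in for FSOCS true-type detection: Windows executables
    # start with the "MZ" DOS header regardless of what the file is called.
    return data[:2] == b"MZ"

def rule_blocks(rule: FilterRule, direction: str, name: str, data: bytes) -> bool:
    """Direction, name glob, true type and size must all match for a rule to block."""
    return (rule.direction in ("any", direction)
            and fnmatch.fnmatchcase(name.lower(), rule.name_glob)
            and (rule.file_type != "EXEFILE" or is_executable(data))
            and (rule.size_over == 0 or len(data) > rule.size_over))

def first_blocking_rule(rules, direction: str, name: str, data: bytes):
    """Return the text of the first rule that blocks the transfer, or None."""
    return next((r.text for r in rules if rule_blocks(r, direction, name, data)), None)

# Constructed sample policy built from the slides' own examples.
POLICY = [parse_rule("<in>*.exe"), parse_rule("<out>*.doc"),
          parse_rule("<in>*.mp3>2mb"), parse_rule("<in>*.*>10mb"),
          parse_rule("*", file_type="EXEFILE")]

if __name__ == "__main__":
    disguised = b"MZ" + b"\x00" * 62   # constructed: an executable renamed to .jpg
    print(first_blocking_rule(POLICY, "in", "holiday.jpg", disguised))  # prints "*"
```

Only the last rule catches the renamed executable, which is the point of page 14: a name-based rule alone is bypassed by changing the extension.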

Page 16

Integrated Security

Page 17

OCS 2007 Enterprise Integration

FSOCS protects each instance of the Standard Edition, Front End, Director and Access Edge server roles, with support for OCS 2007 and OCS 2007 R2.

[Diagram: a Federated (Trusted) Organization and Public IM Networks reach the Access Edge Server across the Internet; behind it sit the Director Server and the Front-End Server, serving Internal Users and Remote Users.]

Page 18

Securing External Users

• FSOCS secures IM communications with 3 types of external users:
  − Users within configured Federated Organizations
  − Remote users outside the internal network who have a persistent Active Directory identity within the organization
  − Users of configured Public IM Networks within OCS 2007
• FSOCS is deployed on the Access Edge Server role and scans all IM activity between internal and external users
  − Ensures no IM-transferred files get across the perimeter network into the internal network unscanned

Page 19

External IM Scanning: Integration with Access Edge Server

• IM file scanned only once at the Access Edge
• Saves processing load on Director and Front End servers

[Diagram: IM from the Internet is scanned and stamped at the Access Edge, then passes the Director and Front End with no further scan before reaching the OC client.]

Page 20

Internal IM Scanning: Integration with Director and Front End Servers

• Internal IM scanned and stamped at the Director server
• Saves processing load on Front End servers

[Diagram: IM between internal clients flows through the Access Edge, Director and Front End; it is scanned and stamped at the Director and not rescanned at the other hops.]

Page 21

Optimized Performance Controls

Bias

Engines used are not always the same. They are dynamically allocated from the available pool.

• Max Certainty: uses all engines (100%)
• Favor Certainty: uses all available engines*
• Neutral: uses approximately 50% of available engines*
• Favor Performance: uses 25% of available engines*
• Max Performance: uses one engine for every scan*

[Diagram: an engine pool of A, B, C and D.]

Page 22 (animation build of Page 21; content identical)

Page 23

Simplified Management

Page 24

Built-in Administrator Console

• Configure
  − Scan jobs
  − Antivirus settings
  − Scanner updates
  − File filters
  − Keyword filters
• View and manage
  − Notifications
  − Incidents
  − Quarantined files

[Diagram: the Forefront Administrator console manages FSOCS on OCS 2007; IM is scanned, with Quarantine and Notify as the resulting actions.]

Page 25

Automated Signature Updating

[Diagram: Engine Partner Updates are published through www.microsoft.com and fetched over the Internet by the Forefront Engine Adaptor.]

Page 26

Statistics

• The Forefront Administrator tracks and maintains message statistics, including:
  − Messages Scanned
  − Messages Detected
  − Messages Tagged
  − Messages Purged
  − Total Messages Scanned
  − Total Messages Detected
  − Total Messages Tagged
  − Total Messages Purged

Page 27

Events and Performance Counters

• Windows Event Viewer
  − FSOCS stores virus detections, stop codes, system information, and other general application events in the Windows application log.
  − Additionally, these events are stored in ProgramLog.txt, located in Program Files\Microsoft Forefront Security\Office Communications Server
• Windows Performance Monitor
  − FSOCS provides more than 100 performance counters to view real-time performance metrics. (You can use Perfmon.exe; the performance object is called Microsoft Forefront Server Security.)
  − RTC Proxy Categorizer: records SIP messaging and file transfer activity
  − RTC Proxy Health: records processing queue lengths and throughput
  − RTC Proxy SIP Traffic: records SIP message processing success and reject counts
  − RTC Proxy Scan/Filter Results: records performance measurements for IM and file scanning and filtering

Page 28

Notifications

• FSOCS sends notifications when users attempt to send malware, designated file types, or out-of-policy keywords.
• Can be configured separately for internal and external users
  − IM admin receives e-mail
  − Sender (and recipient, if desired) receive an IM communication.

[Screenshots: Configuring Admin Notification; User IM Notification]

Page 29

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.