Forefront Security for Office Communications Server: Technical Overview
Jun 08, 2015
Microsoft Corporation
Agenda
• Forefront Security for Office Communications Server Overview
• Comprehensive Protection
− Multiple Engine Approach
− Virus Scanning
− File Transfer Scanning
• Integrated Security
− OCS 2007 Integration
− Federated and Public IM Protection
− Performance Optimization Tools
• Simplified Management
− Automated signature updates
− Statistics, events and performance counters
− Notifications
• Summary
A comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management.
(Diagram: the Forefront product family spans the Network Edge, Server Applications, and the Client & Server OS.)
Microsoft Forefront Security for Office Communications Server provides fast and effective protection against IM-based malware by including multiple scanning engines from industry-leading security partners in a single solution and helps reduce corporate liability by blocking IM messaging containing inappropriate content.
Comprehensive Protection
− Integrates multiple antimalware engines
− Blocks transfer of dangerous file types
− Prevents sharing of out-of-policy content
Integrated Security
− Optimizes virus scanning on OCS 2007
− Integrates with multiple server roles
− Protects federated connections and public IM
Simplified Management
− Built-in administrator console
− Automated signature updates
− IM notifications for out-of-policy activity
Comprehensive Protection
Problem: Single Point of Failure
(Diagram: the single-vendor, single-engine anti-virus approach. One engine, A, guards SharePoint, ISA Server, the SMTP Server, OCS and Exchange against viruses, worms and spam arriving from the Internet, so that one engine is a single point of failure.)
Problem: Management/Cost
(Diagram: the multi-vendor, multi-engine anti-virus approach. Different engines, A through E, are deployed on SharePoint, ISA Server, the SMTP Server, OCS and Exchange, each managed and licensed separately.)
• Forefront Security for Office Communications Server harnesses the strengths of multiple antivirus scan engines from Microsoft and industry-leading security partners
− All engines are delivered and licensed by Forefront
• Forefront Security for Office Communications Server can use all or a subset of its five engines per scanning operation
Harnessing Multiple Scanning Technologies in a Single Solution
(Diagram: Office Communications Server 2007 protected by the five FSOCS engines, A through E.)
The Multiple Engine Advantage
• Rapid response to new threats
• Fail-safe protection through redundancy
• Diversity of antivirus engines and heuristics
Response time (in hours) [1]

WildList No.  Malware Name            FSOCS Engines  Vendor A*  Vendor B*  Vendor C*
10/08         agent_itw69.ex_                  0.00       0.00     226.88       0.00
10/08         autorun_itw463.ex_               0.00     115.62     109.38     126.08
10/08         autorun_itw476.ex_               0.00     152.98    1039.35     570.82
10/08         ircbot_itw466.ex_                0.00       0.00       0.00     696.88
10/08         onlinegames_itw593.ex_          66.48      47.70     115.55     152.42
10/08         rbot_itw2666.ex_                 0.00       0.00       0.00     934.85
10/08         slenfbot_itw21.ex_               0.00       0.00       0.00     172.75
10/08         vb_itw163.ex_                    0.00      45.17       0.00       0.00
10/08         zbot_itw18.ex_                   0.00    1195.55     473.87     463.32
11/08         agent_itw75.ex_                  0.00      71.70      45.43     705.37
11/08         auraax_itw1.ex_                  0.00      74.73      50.03      61.87
11/08         autorun_itw490.ex_               0.00       0.00      75.23     394.33
11/08         bagle_itw199.ex_                10.52      60.67     561.95     257.63
11/08         ircbot_itw470.ex_                0.00     150.88     336.37    1034.00
11/08         krap_itw1.ex_                    0.00      45.80       0.00     154.07
11/08         magania_itw13.ex_                0.00      45.80      67.55     103.87
11/08         rbot_itw2668.ex_                 0.00       0.00       0.00    1156.45
11/08         sdbot_itw2685.ex_                0.00      43.48     709.07    1022.70
11/08         slenfbot_itw26.ex_               0.00      75.37       0.00     182.88
11/08         slenping_itw3.ex_                0.00      51.60       0.00    1058.47
12/08         agent_itw82.ex_                  0.00      49.58      71.62      35.32
12/08         autorun_itw511.ex_               0.00      78.43      74.92      64.17
12/08         ircbot_itw474.ex_                0.00     176.23       0.00     139.32
12/08         koobface_itw9.ex_                0.00      41.22       0.00    1182.03
12/08         sdbot_itw2686.ex_                0.00      63.07     709.15    1227.40
12/08         zbot_itw27.ex_                   0.00    1274.87    1059.32    1215.45

** 0.00 denotes proactive detection
[1] Source: AV-Test.org 2008 (www.av-test.org)
Legend for single-engine solutions (colour-coded in the original): less than 5 hours; 5 to 24 hours; more than 24 hours.
Virus Scanning
• SIP message stream is routed through FSOCS
• Clean messages and file transfers are stamped and forwarded through OCS
− Infected files are blocked and/or quarantined
− Notification is sent to sender and administrator
(Diagram: the SIP message stream between IM clients passes through FSOCS to OCS 2007; infected files go to Quarantine and a Notification is raised.)
SIP Message Scanning
• FSOCS recognizes SIP message content types supported by Office Communicator (OC) 2007 and 2005, including:
− Plain Text
− Rich Text Format (default)
− MIME multipart/alternative
− ISF (Ink Serialized Format)/GIF
• FSOCS will scan unknown content types that could be sent by custom clients built with the UCC SDK for malware
• FSOCS can also be configured to block unknown content types
File Transfer Filtering
• A key part of a messaging protection strategy
• File transfer filtering proactively blocks a specific range of potentially dangerous file types
− Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT
• Should be consistent with attachment filtering for email protection
File Transfer Filtering: Setting Filters
• Search for specific files by name, e.g. "resume.doc"
− Wildcards supported, e.g. "*resume*.doc"
• File filters can be Inbound or Outbound
− <in>*.exe, <out>*.doc
• Files can be blocked based on size, and on size/name/type/direction combinations
− <in>*.mp3>2mb
− <out>*.mp3>5mb
− <in>*.*>10mb
• Use *.exe with the file type set to All Types to block anything named *.exe
• Use * with the file type set to EXEFILE to block any executable file, no matter what it is named
File Transfer Filtering: Setting Filters
• Forefront Security for Office Communications Server blocks by extension and by true file type
• The filter can't be fooled by a simple change of extension
• Each is configured differently
File Transfer Filtering: Setting Filters
• Actions
− Skip: detect only
− Delete: remove contents
− Purge: eliminate message
− Identify: tag message/file
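The filter syntax and the true-file-type check described on the preceding slides, as an added example that is not part of the original deck or of the FSOCS product: a small Python evaluator for the <in>/<out> filter strings. The kb/mb size units, the All Types/EXEFILE file-type setting modelled as an extra argument, and the "MZ" signature standing in for the product's true-type detection are assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass
# Rule text follows the slide's filter syntax: <in>*.exe, <out>*.doc, <in>*.mp3>2mb.
# A size suffix means "block when larger than"; kb/mb units are an assumption.
RULE_RE = re.compile(r"^<(in|out)>([^>]+?)(?:>(\d+)(kb|mb))?$", re.IGNORECASE)

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    pattern: str     # wildcard matched against the transferred file's name
    min_size: int    # bytes; 0 means the rule applies at any size
    ftype: str       # "ALL" (All Types) or "EXEFILE" (true-type check)

def parse_rule(text: str, ftype: str = "ALL") -> Rule:
    # ftype stands in for the console's separate file-type setting (an assumption).
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad filter rule: {text!r}")
    direction, pattern, num, unit = m.groups()
    size = int(num) * (1024 if unit.lower() == "kb" else 1024 * 1024) if num else 0
    return Rule(direction.lower(), pattern.lower(), size, ftype.upper())

def is_executable(data: bytes) -> bool:
    # True file type by content: PE/DOS images start with the "MZ" signature.
    return data[:2] == b"MZ"

def rule_matches(rule: Rule, direction: str, name: str, data: bytes) -> bool:
    if rule.direction != direction.lower() or not fnmatch.fnmatchcase(name.lower(), rule.pattern):
        return False
    if rule.min_size and len(data) <= rule.min_size:
        return False
    # EXEFILE rules look at the bytes, so renaming setup.exe to notes.txt does not help.
    return rule.ftype != "EXEFILE" or is_executable(data)

# Constructed rule set built from the slide's own examples, evaluated in order.
DEMO_RULES = [
    ("<in>*.exe", parse_rule("<in>*.exe")),
    ("<in>*.mp3>2mb", parse_rule("<in>*.mp3>2mb")),
    ("<out>*.mp3>5mb", parse_rule("<out>*.mp3>5mb")),
    ("<in>*.*>10mb", parse_rule("<in>*.*>10mb")),
    ("<in>* + EXEFILE", parse_rule("<in>*", ftype="EXEFILE")),
]

def first_blocking_rule(direction: str, name: str, data: bytes, rules=DEMO_RULES):
    # Return the label of the first rule that blocks this transfer, or None.
    for label, rule in rules:
        if rule_matches(rule, direction, name, data):
            return label
    return None
```

The last rule is the one the slide recommends for catching executables regardless of name: an inbound "notes.txt" whose bytes begin with "MZ" is still blocked.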
Integrated Security
OCS 2007 Enterprise Integration
FSOCS protects each instance of the Standard Edition, Front End, Director and Access Edge server roles, with support for OCS 2007 and OCS 2007 R2.
(Diagram: Internal Users and Remote Users are served by the Front-End Server behind the Director Server and the Access Edge Server; the Access Edge Server faces the Internet, Federated (Trusted) Organizations and Public IM Networks.)
Securing External Users
• FSOCS secures IM communications with 3 types of external users:
− Users within configured Federated Organizations
− Remote users outside the internal network who have a persistent Active Directory identity within the organization
− Users of configured Public IM Networks within OCS 2007
• FSOCS is deployed on the Access Edge Server role and scans all IM activity between internal and external users
− Ensures no IM-transferred files get across the perimeter network into the internal network unscanned
External IM Scanning: Integration with Access Edge Server
• IM file scanned only once, at the Access Edge
• Saves processing load on Director and Front End servers
(Diagram: IM from the Internet is scanned and stamped at the Access Edge, then passes through the Director and Front End to the OC Client with no further scan.)
Internal IM Scanning: Integration with Director and Front End Servers
• Internal IM scanned and stamped at the Director server
• Saves processing load on Front End servers
(Diagram: IM between two internal clients is scanned and stamped at the Director; neither the Access Edge nor the Front End scans it again.)
Optimized Performance Controls
Bias
• Max Certainty: uses all engines (100%)
• Favor Certainty: uses all available engines*
• Neutral: uses approximately 50% of available engines*
• Favor Performance: uses 25% of available engines*
• Max Performance: uses one engine for every scan*
* Engines used are not always the same. They are dynamically allocated from the available pool.
Simplified Management
Built-in Administrator Console
• Configure
− Scan jobs
− Antivirus settings
− Scanner updates
− File filters
− Keyword filters
• View and manage
− Notifications
− Incidents
− Quarantined files
(Diagram: the Forefront Administrator console in front of OCS 2007, with IM scanning, Quarantine and Notify actions.)
Automated Signature Updating
(Diagram: Engine Partner Updates are published on www.microsoft.com and retrieved over the Internet by the Forefront Engine Adaptor.)
Statistics
• The Forefront Administrator tracks and maintains message statistics, including:
− Messages Scanned
− Messages Detected
− Messages Tagged
− Messages Purged
− Total Messages Scanned
− Total Messages Detected
− Total Messages Tagged
− Total Messages Purged
Events and Performance Counters
• Windows Event Viewer
− FSOCS stores virus detections, stop codes, system information, and other general application events in the Windows application log.
− Additionally, these events are stored in ProgramLog.txt, located in Program Files\Microsoft Forefront Security\Office Communications Server
• Windows Performance Monitor
− FSOCS provides more than 100 performance counters to view real-time performance metrics. (You can use Perfmon.exe; the performance object is called Microsoft Forefront Server Security.)
− RTC Proxy Categorizer: records SIP messaging and file transfer activity
− RTC Proxy Health: records processing queue lengths and throughput
− RTC Proxy SIP Traffic: records SIP message processing success and reject counts
− RTC Proxy Scan/Filter Results: records performance measurements for IM and file scanning and filtering
Notifications
• FSOCS sends notifications when users attempt to send malware, designated file types, or out-of-policy keywords.
• Can be configured separately for internal and external users
− IM admin receives e-mail
− Sender (and recipient, if desired) receive an IM communication.
(Screenshots: Configuring Admin Notification; User IM Notification)
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.