The threat landscape
Situation today
- About 90% of all email is illegitimate
- Email has become the primary method of theft
- Spam and illegitimate email are growing exponentially
- Email is the primary vector for the propagation of threats:
  - Phishing
  - Social engineering
Crackers have gone underground
- The goal has shifted from bringing a system down to owning it: cracker commerce
Are we geared for this? Are you adequately covered?
Airport Security Model
- The flying experience has changed
- Datacenter: physical overdose, logical oversight
- Is the requirement for security the same at the desktop level and at the server level?
- 1 policeman for 10,000 citizens; what about the President?
- Traditionally, security is done differently for different situations
Compliance is a Primary Concern
- Stiff penalties for e-mail misuse
- Need to store, find and produce information quickly
- Can't comply without policy and monitoring support
- 1 in 5 employers have had e-mail subpoenaed*
Intense Pressure on IT to Improve Productivity
- Focus on value-adding projects
- Make mission-critical systems more reliable
- Deployment must be secure, reliable, manageable and cost-effective
Security Vulnerabilities Still Exist
- Spam, viruses and phishing still plague inboxes
- Closer relationship between viruses and spam
- Companies are ill-equipped to stay ahead of threats
*2005 Electronic Monitoring & Surveillance Survey from the American Management Association (AMA) and the ePolicy Institute
Damage to image and credibility
- Damage to public image and credibility with customers
- Financial impact on the company from lost sales or corrective actions
- Leaked e-mails or memos can be embarrassing
Legal, regulatory, and financial impact
- Cost of digital leakage per year is measured in billions of dollars
- Increasing number and complexity of regulations, e.g. GLB, SOX, state-specific regulations
- Failing to comply, or losing data, can lead to significant legal fees, fines and/or jail time
Loss of competitive advantage
- Disclosure of strategic plans, M&A information, etc. potentially leads to loss of revenue and market capitalization
- Loss of research, analytical data and other intellectual capital
- Premature disclosure of competitive strategies or market moves
Security Challenges
Access challenges
- More users, locations and devices
- Intranet / extranet access
- Full network connectivity increases risk
- Poor integration with apps and services
- Lack of scalability
- Changing legal and business rules
- Granular policy is hard to deploy
- Growing mobility; traditional VPNs are inadequate
- Difficult to enforce policy
Escalating threats
- More advanced
- Application-oriented
- More frequent
- Profit motivated
Fragmented security
- Many point products
- Poor interoperability
- Lack of integration
- Multiple consoles
- Uncoordinated event reporting and analysis
Difficult to manage and deploy
- Difficult out-of-box experience
- Cost and complexity
Secure Messaging & Collaboration
What is the strategy?
Through a combination of software and services, Microsoft provides an effective and flexible email & collaboration protection offering to customers
Combines four product offerings
- Exchange Hosted Filtering Services
- Forefront for Exchange/SharePoint/OCS
- ISA Server 2006
- Intelligent Application Gateway
Multi-Layer Protection
In-the-cloud protection
- Detect and prevent attacks and malicious code before they touch your network
Network edge protection
- Services and on-premise software protect against spam and viruses before they penetrate the network
Gateway protection
- Protocol and application-layer inspection enable secure remote access to Exchange / SharePoint servers
- Controlled access to collaboration resources based on policy
Internal anti-virus protection
- Protects against malicious threats while enforcing e-mail content policies
[Diagram: multi-layer topology. Mail from the Internet first passes the Exchange Hosted Filtering Services (managed services), then the external firewall into the DMZ, where ISA Server 2006 performs authentication and authorization and enforces controlled access, then the internal firewall into the corporate network, where the on-premise software (Forefront for Exchange/SharePoint) provides on-premise message hygiene services.]
Signature Updates
[Chart: Sober.P virus detection time, May 2, 2005 (GMT); source AV-Test.org, May 2005. x-axis: time of day (hour : minute); y-axis: different engines. Engines shown: Symantec, eTrust-VET, McAfee, Avast, AVG, Trend Micro, Norman, AntiVir, eTrust-INO, Panda, VirusBuster, Fortinet, F-Secure, Ikarus, Command, Sophos, BitDefender, AVK, F-Prot, Kaspersky. First detection times ranged from 16:39 to 24:38 GMT, a spread of roughly eight hours between the first and the last engine.]
Note: the chart represents a single virus outbreak only. It does not represent average response times for the listed antivirus labs.

Number of signature updates per day, January 2005 (source: AV-Test.org, Feb. 2005):
- Kaspersky: 18.5
- Dr. Web: 10.7
- Sophos: 2.7
- BitDefender: 1.7
- ClamAV: 1.5
- AntiVir: 1.4
- F-Secure: 1.4
- Panda: 1.3
- Ikarus: 1.1
- Symantec: 1.1
- Trend Micro: 1.0

[Chart: Mydoom.dll detection time, January 26-27, 2004 (GMT); source AV-Test.org, Jan 2004. x-axis: time of day (hour : minute); y-axis: different engines. Engines shown: F-Prot, F-Secure, AntiVir, Norman, Panda, Quickheal, Bitdefender, McAfee, Symantec, Kaspersky, Dr. Web, RAV, eTrust-VET, Sophos, eTrust-INO, AVG, Virusbuster, TrendMicro. First detection times ranged from 23:35 on Jan 26 to 19:15 on Jan 27.]
[Chart: Bagle.A worm detection time, January 18-19, 2004 (GMT). x-axis: time of day (hour : minute); y-axis: different engines. Engines shown: Ikarus, VirusBuster, Command, AVG, Norman, eTrust-INO, Panda, eTrust-VET, Dr. Web, McAfee, Symantec, TrendMicro, Sophos, F-Prot, F-Secure, Esafe, AntiVir, RAV, Kaspersky, Bitdefender. First detection times ranged from 14:00 on Jan 18 to 13:00 on Jan 19.]
Note: these charts represent single virus outbreaks only. They do not represent average response times for each listed antivirus lab.
Signature Updates – History
Anti-virus Approaches
Problem: single point of failure
[Diagram: single vendor, single engine. Viruses, worms and spam arrive from the Internet and pass the SMTP server, ISA Server, Exchange and SharePoint; every layer runs the same engine (A), so a signature engine A lacks is missing at every layer.]
Problem: management / cost
[Diagram: multi-vendor, multi-engine. The same servers each run a different vendor's engine (A, B, C, D, E), which closes the single-engine gap but multiplies consoles, licences and update schedules.]
Harnessing the Strength of Multiple Engines
Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from multiple vendors (vendor logos in the original slide)
Each scan job in a Forefront Server Security product can run up to five engines simultaneously
[Diagram: internal messaging and collaboration servers, each scan job drawing on engines A, B, C, D, E]
Industry Analyst Perspective
[Figure: Gartner Magic Quadrant for E-Mail Security Boundary, 2006*]
* Magic Quadrant for E-Mail Security Boundary, 2006. Peter Firstbrook, Arabella Hallawell. Publication date: 25 September 2006, ID number: G00142431
Optimized Performance Controls
Bias
The bias setting controls how many of the engines in the pool a scan job uses. The engines used are not always the same: they are dynamically allocated from the available pool.
- Max Certainty: uses all engines (100%)
- Favor Certainty: uses all available engines*
- Neutral: uses approximately 50% of available engines*
- Favor Performance: uses 25% of available engines*
- Max Performance: uses one engine for every scan*
* "Available" excludes engines that are temporarily out of service, for example while their signatures are being updated; only Max Certainty waits for every engine. The trade-off is that under Max Performance a given message is checked by one engine only, so a signature that only one vendor has shipped is caught on a fraction of scans.
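As an added example (not Forefront code), the following Python models what those bias settings mean for an individual message: the pool is rotated so consecutive scan jobs draw different engines, and a sample that only one vendor's engine recognises is caught by every scan under Max Certainty but by only a fraction of scans under the performance-leaning settings. The engine names, the coverage table and the skip-unavailable-engines behaviour are assumptions made for the example.

```python
"""Toy model of Forefront-style multi-engine scheduling (added example, not Forefront code).
Engine names and the signature coverage table below are constructed."""
import math
from collections import deque

# Fraction of the available pool each bias draws; None means exactly one engine.
BIAS_FRACTION = {
    "max_certainty": 1.0,
    "favor_certainty": 1.0,
    "neutral": 0.5,
    "favor_performance": 0.25,
    "max_performance": None,
}


class EngineScheduler:
    """Rotates through the engine pool so consecutive scans use different subsets."""

    def __init__(self, engines):
        self._ring = deque(engines)

    def select(self, bias, unavailable=frozenset()):
        """Return the engines used for one scan job under the given bias.

        `unavailable` models engines that are mid-update. Assumption: every
        bias except max_certainty skips them instead of waiting for them."""
        if bias == "max_certainty":
            return list(self._ring)              # waits for all engines, nothing skipped
        pool = [e for e in self._ring if e not in unavailable]
        if not pool:
            raise RuntimeError("no engine available for scanning")
        frac = BIAS_FRACTION[bias]
        n = 1 if frac is None else max(1, math.ceil(frac * len(pool)))
        chosen = pool[:n]
        self._ring.rotate(-n)                    # next scan starts further round the ring
        return chosen


def detection_rate(bias, samples, engine_signatures, engines):
    """Fraction of `samples` caught when each is scanned once under `bias`.

    engine_signatures maps engine -> set of sample labels that engine detects
    (constructed data standing in for real signature coverage)."""
    sched = EngineScheduler(engines)
    hits = 0
    for sample in samples:
        chosen = sched.select(bias)
        if any(sample in engine_signatures[e] for e in chosen):
            hits += 1
    return hits / len(samples)


# Constructed coverage table: only engine C has a signature for "bagle" so far.
ENGINES = ["A", "B", "C", "D"]
COVERAGE = {"A": {"sober"}, "B": {"sober", "mydoom"}, "C": {"bagle"}, "D": set()}

if __name__ == "__main__":
    for bias in BIAS_FRACTION:
        rate = detection_rate(bias, ["bagle"] * 4, COVERAGE, ENGINES)
        print(f"{bias:18s} catches 'bagle' in {rate:.0%} of scans")
```

With four engines and one that knows the sample, the model reports 100% under Max Certainty and Favor Certainty, 50% under Neutral and 25% under Favor Performance and Max Performance, which is the arithmetic behind choosing a bias.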
Forefront Security for SharePoint
[Diagram: users upload and download documents through the SharePoint server; the documents are stored in the SQL document library and scanned on the way in and out]
Virus Protection for Document Libraries
- Real-time scanning of documents uploaded to and downloaded from the document library
- Manual and scheduled scanning of the document library
Content Policy Enforcement
- File filtering to block documents from being posted based on name match, file type or file extension
- Content filtering by keywords within documents for inappropriate words and phrases
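As an added example (not Forefront code), the following Python applies the two content-policy checks above to an upload: it blocks by extension, but also classifies the file by its leading bytes so that an executable renamed to .txt does not pass, and it extracts the text of a .docx so keyword filtering looks inside the document rather than only at its name. The blocked-extension list, the keyword list and the sample files are constructed for the example.

```python
"""Content-policy checks for a document-library upload (added example, not Forefront code).
The policy lists and the sample uploads are constructed."""
import io
import re
import zipfile
from pathlib import PurePosixPath

# Leading-byte signatures (real magic numbers) used to classify content independently of the name
MAGIC = [
    (b"MZ", "executable"),               # PE / DOS executable
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole"),        # legacy .doc/.xls/.ppt container
    (b"PK\x03\x04", "zip"),              # .zip, and Office Open XML (.docx etc.)
]

BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js"}        # constructed policy
BLOCKED_CONTENT_TYPES = {"executable"}
BLOCKED_KEYWORDS = ["project aurora", "confidential"]     # constructed policy


def classify(data):
    """Classify by leading bytes; fall back to text/binary by looking at the first 512 bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    printable = all(b in b"\r\n\t" or 32 <= b < 127 for b in data[:512])
    return "text" if printable else "binary"


def extract_text(data, kind):
    """Return searchable text; for a .docx read word/document.xml and drop the XML tags."""
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                xml = zf.read("word/document.xml").decode("utf-8", "replace")
        except (zipfile.BadZipFile, KeyError):
            return ""                     # a zip that is not a .docx: no text to scan here
        return re.sub(r"<[^>]+>", " ", xml)
    if kind == "text":
        return data.decode("utf-8", "replace")
    return ""


def evaluate_upload(filename, data):
    """Decide whether an upload is allowed. Returns (allowed, reason)."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension {ext} is blocked"
    kind = classify(data)
    if kind in BLOCKED_CONTENT_TYPES:      # catches a renamed executable
        return False, f"content is {kind} despite extension {ext or '(none)'}"
    text = extract_text(data, kind).lower()
    for kw in BLOCKED_KEYWORDS:
        if kw in text:
            return False, f"keyword '{kw}' found in document"
    return True, "ok"


def make_docx(body_text):
    """Build a minimal .docx in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body><w:p><w:r><w:t>"
                    f"{body_text}</w:t></w:r></w:p></w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("q3-report.docx", make_docx("Quarterly numbers attached")),
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("readme.txt", b"MZ\x90\x00" + b"\x00" * 60),        # executable renamed to .txt
        ("memo.docx", make_docx("Project Aurora launch date moved")),
    ]
    for name, data in samples:
        print(name, evaluate_upload(name, data))
```

The third sample is the case extension filtering alone misses: the name says .txt, the bytes say PE, and the content check is what blocks it.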
Forefront Security for LCS
[Diagram: Microsoft Office Communicator and Windows Messenger clients connect to Live Communications Server; outside IM clients reach it through the firewall]
Detects and removes malware and viruses in instant message sessions
- Protect conversations and file transfers
- Block clickable URLs
Provides advanced content-filtering capabilities for messages and attachments
- Enforce content policies: keyword filtering in messages and file transfers, file filtering by type and extension
- Enhances built-in LCS archiving by blocking inappropriate content
Filtering in the Cloud
Solution Overview
- A simple MX record change is all it takes to begin filtering. Once the MX points at the service, inbound port 25 on the on-premises mail host should be restricted to the service's address ranges; otherwise mail sent directly to the host bypasses the filter.
- Real-time Attack Prevention (RTAP) and Directory Services protect against the largest attacks
- Virus filter delivers zero-day protection using multiple, complementary anti-virus engines
- Flexible policy filter to enforce corporate email-use policies
- High-accuracy spam filtering
- Email queuing ensures mail is never lost
Secure Remote Access
Business need: secure external client access to email
Risk to the organization:
- Hackers can attack the messaging system using standard client protocols
- Native Outlook access to Exchange servers is not easily protected by traditional firewalls
Business need: protect internal email communication
Risk to the organization:
- The email infrastructure can be compromised if not protected
- Email attacks can succeed by masquerading as legitimate traffic, even when the content appears to be encrypted
Secure Application Publishing: The Solution
[Diagram: an ISA 2006 appliance in the DMZ between the Internet and the internal network publishes Exchange, SharePoint, an intranet web server and an external web server to users and administrators, authenticating them against Active Directory]
Needs and the new ISA Server 2006 features that answer them:
- Strong server protection and better identity control: customized forms, including for mobile devices; alternative authentication for non-browser apps; RADIUS OTP and smart card support; LDAP support for AD integration and other user directories; NTLM, Kerberos and Kerberos Constrained Delegation support
- Seamless access: single sign-on; automatic link translation through a global links table; cookie-based NLB keeps the session alive in case of fail-over
- High performance: idle-based and session-based timeouts account for non-user traffic
- Easy management: Exchange and SharePoint publishing wizards; better UI for certificate management
Intelligent Application Gateway (SSL VPN Gateway)
[Diagram: the IAG SSL VPN gateway sits between the client and the published applications. Layers shown: client; authentication; authorization; user experience; tunneling; security; endpoint detection and application intelligence (controlled access); high availability, management, logging, reporting and multiple portals. An application-aware platform with an application definition syntax/language and application-aware modules draws on an Applications Knowledge Center (SharePoint, ...) and a Devices Knowledge Center (Windows, ...). Published application types: web, client/server and browser-embedded; specific applications such as Exchange/Outlook, OWA, SharePoint and Citrix, plus generic applications.]
The way forward
- Security requirements are changing with the change in the threat environment
- Defence in depth
- Integrated solution
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Only packet headers are inspected
- IP header: source address, destination address, TTL, checksum
- TCP header: sequence number, source port, destination port, checksum
- Application layer content appears as a "black box" (shown as a string of question marks on the slide)
Forwarding decisions are based on port numbers. Legitimate traffic and application-layer attacks use identical ports, so the firewall cannot tell them apart.
[Diagram: a firewall between the Internet and the corporate network forwards expected HTTP traffic, unexpected HTTP traffic and attacks alike, and drops only non-HTTP traffic]
Deep Content Inspection: packet headers and application content are inspected
- IP header: source address, destination address, TTL, checksum
- TCP header: sequence number, source port, destination port, checksum
- Application layer content is visible, e.g. <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...
Forwarding decisions are based on content; only legitimate and allowed traffic is processed.
[Diagram: the firewall forwards allowed HTTP traffic and drops prohibited HTTP traffic, attacks and non-HTTP traffic]
E-mail Access: Traditional Firewall
Firewall rules open ports to allow traffic to and from the mail server:
- Incoming connections to the email server for SMTP (port 25), IMAP (port 143), Outlook Web Access over SSL (port 443) and Outlook RPC (port 135)
- Outgoing connections from the email server for SMTP (port 25)
Limitation:
- Control over which channels are opened, but no control over what type of network traffic is sent to the e-mail server over those channels
[Diagram: Exchange Server behind a traditional firewall with the rules Allow port 25 (SMTP), Allow port 143 (IMAP), Allow port 443 (SSL), Allow port 135 (RPC), and outbound Allow port 25]
Outlook Web Access: Traditional Firewall
Web traffic to OWA is encrypted
- Standard SSL encryption
- Security against eavesdropping and impersonation
Limitation:
- The default OWA implementation does not protect against application-layer attacks: password guessing and web server attacks travel inside the same SSL tunnel as legitimate OWA traffic, and a traditional firewall cannot see into it
[Diagram: SSL tunnel from the Internet through the firewall to the Exchange OWA server (front-end or Client Access Server); OWA traffic, password guessing and web server attacks all arrive through that tunnel]
The concept of defense in depth requires inspection of OWA traffic at the firewall
How ISA Server Protects OWA
Authentication
- Unauthorized requests are blocked before they reach the Exchange server
- Enforces all OWA authentication methods at the firewall
- Provides forms-based authentication at the firewall before the request reaches OWA
- Allows customized authentication forms for mobile devices or other applications
Inspection
- Invalid HTTP requests or requests for non-OWA content are blocked
- Inspection of SSL traffic before it reaches the Exchange server*
Confidentiality
- Ensures encryption of traffic over the Internet at the firewall
- Can prevent the downloading of attachments to client computers, with a separate policy for intranet users
[Diagram: the SSL tunnel from the Internet terminates at ISA Server, where authentication and inspection take place; password guessing and web server attacks are stopped there and only OWA traffic continues to the Exchange Server (OWA or Client Access Server)]
*Note: Full ISA inspection is not available if GZip compression is used by OWA.
Enhanced Protection with Bridging
Traffic is decrypted and inspected by ISA Server
- Same benefits as described on the preceding slide
Traffic is re-encrypted and sent to the OWA server
- Allows server-to-server authentication
- Hardens Exchange by protecting OWA traffic from eavesdropping and tampering in transit
[Diagram: SSL tunnel from the Internet to ISA Server (inspection, authentication), then a second SSL tunnel from ISA Server to the Exchange Server (OWA or Client Access Server)]
How RPC/HTTP Works
RPC/HTTP encapsulates RPC traffic inside HTTP
- The RPC proxy server extracts the RPC traffic from the HTTP stream
- Advantage: most firewalls allow HTTP traffic
[Diagram: HTTP traffic from the Internet reaches Exchange Client Access Services; RPC traffic and attacks arrive over the same HTTP channel]
Problem: traditional firewalls leave the RPC proxy exposed to web-based attacks
RPC/HTTP with ISA Server
ISA Server terminates the SSL tunnel
- Inspects HTTP traffic for protocol compliance
- Blocks requests for all URLs except the published RPC virtual directory
No direct connections from the Internet to the Exchange Server
- Application-layer protection for HTTP traffic
[Diagram: web server attacks are stopped at ISA Server; only RPC traffic reaches Exchange Client Access Services]
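As an added example (not ISA Server code), the following Python implements the kind of application-layer check the slides above describe, for both the OWA and the RPC/HTTP cases: it parses a raw HTTP request, rejects anything that is not protocol-compliant, and allows only URLs under the published paths, which are assumed here to be /owa/ and the RPC proxy virtual directory /rpc/rpcproxy.dll (with RPC_IN_DATA and RPC_OUT_DATA as the only methods permitted on the latter). A port-based rule would pass all five constructed sample requests on port 443; the inspector passes two.

```python
"""Application-layer inspection of published web traffic (added example, not ISA Server code).
Published paths, permitted methods, limits and the sample requests are assumptions."""
import re
from urllib.parse import unquote, urlsplit

REQUEST_LINE = re.compile(r"^([A-Z_]{1,16}) (\S{1,2048}) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[A-Za-z0-9-]+:\s*[^\r\n]*$")

# Assumed publishing rule: path prefix -> methods expected on it
PUBLISHED = {
    "/owa/": {"GET", "POST"},
    "/rpc/rpcproxy.dll": {"RPC_IN_DATA", "RPC_OUT_DATA"},
}


def normalise(path):
    """Decode twice and unify separators so ..%255c style encodings are judged as the server would see them."""
    p = unquote(unquote(path)).replace("\\", "/")
    while "//" in p:
        p = p.replace("//", "/")
    return p


def inspect_request(raw):
    """Return ("allow" | "block", reason) for one raw HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "block", "non-ASCII bytes in request head"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "block", "malformed request line"
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return "block", f"malformed header: {line[:40]!r}"
        name, _, value = line.partition(":")
        headers[name.lower()] = value.strip()
    if "host" not in headers:
        return "block", "missing Host header"
    path = normalise(urlsplit(target).path)
    if ".." in path.split("/"):
        return "block", "path traversal"
    for prefix, methods in PUBLISHED.items():
        if path == prefix.rstrip("/") or path.startswith(prefix):
            if method not in methods:
                return "block", f"method {method} not allowed on {prefix}"
            return "allow", f"published path {prefix}"
    return "block", f"unpublished path {path}"


# Constructed sample requests: two legitimate, three that a port filter would pass unchanged.
SAMPLES = {
    "owa_login": b"GET /owa/auth/logon.aspx?url=/owa HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "rpc_outlook": b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "traversal": b"GET /owa/..%255c..%255cwinnt/system32/cmd.exe HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "unpublished": b"GET /exchange-admin/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "malformed": b"GET /owa/ HTTP/9.9\r\nHost mail.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:12s} -> {inspect_request(req)}")
```

The double decode in normalise is deliberate: a single decode of ..%255c yields the literal text ..%5c, which looks harmless until the web server decodes it again, so the check must evaluate the path as it will finally be interpreted.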