Transcript of Implementing Messaging & Collaboration Security

Implementing Messaging & Collaboration Security

[Name]

[Designation]

The threat landscape

Situation today

- About 90% of all email is illegitimate

- Email has become the primary vehicle for theft

- Spam and other illegitimate email are growing exponentially

- Email is the primary vector for propagating threats:

  - Phishing

  - Social engineering

Crackers have gone underground

The goal has shifted from bringing a system down to owning it: cracker commerce

Are we geared for this?

So, are you adequately covered?

Airport Security Model

Change in flying experience

Datacenter: physical security is overdone, logical security is overlooked

Is the requirement for security the same at desktop level and the server level?

1 policeman for 10,000 Citizens – What about the President?

Traditionally, security is done differently for different situations

Compliance is a Primary Concern

Intense Pressure on IT to Improve Productivity

Focus on value adding projects

Make mission-critical systems more reliable

Deployment must be secure, reliable, manageable, cost-effective

Stiff penalties for E-mail misuse

Need to store, find and produce information quickly

Can't comply without policy and monitoring support

1 in 5 employers have had e-mail subpoenaed*

Security Vulnerabilities Still Exist

Spam, viruses and phishing still plague inboxes

Closer relationship between viruses and spam

Companies ill-equipped to stay ahead of threats

*2005 Electronic Monitoring & Surveillance Survey from American Management Association (AMA) and the ePolicy Institute

Damage to image and credibility

Damage to public image and credibility with customers

Financial impact on company from lost sales or corrective actions

Leaked e-mails or memos can be embarrassing

Legal, regulatory, and financial impact

Cost of digital leakage per year is measured in $ billions

Increasing number and complexity of regulations, e.g. GLB, SOX, state-specific regulations

Failing to comply, or losing data, can lead to significant legal fees, fines, and/or jail time

Loss of competitive advantage

Disclosure of strategic plans, M&A info, etc. potentially leads to loss of revenue, market capitalization

Loss of research, analytical data, and other intellectual capital

Premature disclosure of competitive strategies or market moves

Access Challenges

Growing mobility

- More users, locations, and devices

- Intranet / extranet access

- Full network connectivity increases risk

Traditional VPNs inadequate

- Poor integration with apps and services

- Lack of scalability

Difficult to enforce policy

- Changing legal and business rules

- Granular policy is hard to deploy

Security Challenges

Escalating threats

- More advanced

- Application-oriented

- More frequent

- Profit motivated

Fragmented security

- Many point products

- Poor interoperability

- Lack of integration

- Multiple consoles

- Uncoordinated event reporting & analysis

Difficult to manage and deploy

- Difficult out-of-box (OOB) experience

- Cost and complexity

Secure Messaging & Collaboration

What is the strategy?

Through a combination of software and services, Microsoft provides an effective and flexible email & collaboration protection offering to customers

Combines four product offerings

- Exchange Hosted Filtering Services

- Forefront for Exchange/SharePoint/OCS

- ISA Server 2006

- Intelligent Application Gateway

Multi-Layer Protection

In-the-cloud protection

- Detect and prevent attacks and malicious code before they touch your network

Network edge protection

- Services and on-premise software protect against spam and viruses before they penetrate the network

Gateway protection

- Protocol and application-layer inspection enables secure remote access to Exchange / SharePoint servers

- Controlled access to collaboration resources based on policy

Internal anti-virus protection

- Protects against malicious threats while enforcing e-mail content policies

[Diagram: multi-layer protection topology. Internet, then Exchange Hosted Filtering Services (managed services), then the external firewall, then a DMZ holding ISA Server 2006 (authentication and authorization, controlled access), then the internal firewall, then the corporate network running the on-premise software: Forefront for Exchange/SharePoint and on-premise message hygiene services.]

Signature Updates

[Chart: Sober.P virus detection time, May 2, 2005 (GMT). Y axis: different engines (Symantec, eTrust-VET, McAfee, Avast, AVG, Trend Micro, Norman, AntiVir, eTrust-INO, Panda, VirusBuster, Fortinet, F-Secure, Ikarus, Command, Sophos, BitDefender, AVK, F-Prot, Kaspersky); X axis: time of day (hour:minute). Source: AV-Test.org, May 2005.]

Number of signature updates per day, January 2005 updates (AV-Test.org, Feb. 2005):

Engine         Updates/day
Kaspersky      18.5
Dr. Web        10.7
Sophos          2.7
BitDefender     1.7
ClamAV          1.5
AntiVir         1.4
F-Secure        1.4
Panda           1.3
Ikarus          1.1
Symantec        1.1
Trend Micro     1.0

Note: the chart represents a single virus outbreak only. It does not represent average response times for the listed antivirus labs.

[Chart: Mydoom.dll detection time, January 26-27, 2004 (GMT). Y axis: different engines (F-Prot, F-Secure, AntiVir, Norman, Panda, Quickheal, Bitdefender, McAfee, Symantec, Kaspersky, Dr. Web, RAV, eTrust-VET, Sophos, eTrust-INO, AVG, Virusbuster, TrendMicro); X axis: time of day (hour:minute), Jan 26 into Jan 27.]

[Chart: Bagle.A worm detection time, January 18-19, 2004 (GMT). Y axis: different engines (Ikarus, VirusBuster, Command, AVG, Norman, eTrust-INO, Panda, eTrust-VET, Dr. Web, McAfee, Symantec, TrendMicro, Sophos, F-Prot, F-Secure, Esafe, AntiVir, RAV, Kaspersky, Bitdefender); X axis: time of day (hour:minute), Jan 18 into Jan 19.]

Source: AV-Test.org, Jan 2004.

Note: these charts represent single virus outbreaks only. They do not represent average response times for the listed antivirus labs.

Signature Updates – History

Anti-virus Approaches

Single vendor, single engine

- [Diagram: the same engine (A) deployed on every server in the path from the Internet: SMTP server, ISA Server, Exchange and SharePoint, against viruses, worms and spam.]

- Problem: single point of failure

Multi-vendor, multi-engine

- [Diagram: different engines from different vendors (A, B, C, D, E) deployed across the SMTP server, ISA Server, Exchange and SharePoint.]

- Problem: management and cost

Harnessing the Strength of Multiple Engines

- Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from

- Each scan job in a Forefront Server Security product can run up to five engines simultaneously

- [Diagram: internal messaging and collaboration servers running engines A, B, C, D and E together.]

Industry Analyst Perspective

Gartner Magic Quadrant for E-Mail Security Boundary, 2006*

*Magic Quadrant for E-Mail Security Boundary, 2006. Peter Firstbrook, Arabella Hallawell. Publication date: 25 September 2006. ID number: G00142431

Optimized Performance Controls

Bias setting (share of the engine pool used by each scan job):

- Max Certainty: uses all engines (100%)

- Favor Certainty: uses all available engines*

- Neutral: uses approximately 50% of available engines*

- Favor Performance: uses 25% of available engines*

- Max Performance: uses one engine for every scan*

*Engines used are not always the same; they are dynamically allocated from the available pool.
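A worked illustration of the bias table, added here and not taken from the deck or from Forefront itself: a small Python model of how a scan job draws engines from the pool and what the choice of bias does to the gap between an outbreak and first detection. The engine names, their signature-release times, the round-robin allocation and the treatment of an engine that is mid-update are all constructed assumptions.

```python
"""Multi-engine scan jobs under the bias settings listed above.

Added example, not Forefront code.  The engine pool, its signature-release
times (minutes after an outbreak, in the spirit of the Sober.P chart) and the
round-robin allocation are all constructed assumptions."""
from dataclasses import dataclass

# Share of the engine pool each bias setting uses, per the slide.  None means
# exactly one engine per scan job.  Max Certainty is modelled as differing from
# Favor Certainty by also waiting for engines that are mid-update instead of
# skipping them (the `available` flag below); that reading is an assumption.
BIAS_FRACTION = {
    "max_certainty": 1.0,
    "favor_certainty": 1.0,
    "neutral": 0.5,
    "favor_performance": 0.25,
    "max_performance": None,
}


@dataclass
class Engine:
    name: str
    signature_at: int        # minutes after outbreak when its signature shipped
    available: bool = True   # False while a definition update is in flight

    def detects(self, minute: int) -> bool:
        return minute >= self.signature_at


# Constructed pool: five engines, one of them currently updating.
SAMPLE_POOL = [
    Engine("A", 45),
    Engine("B", 170),
    Engine("C", 95),
    Engine("D", 310, available=False),
    Engine("E", 220),
]


def engines_for_job(pool, bias, job_no):
    """Engines allocated to scan job number `job_no` under `bias`.

    The subset rotates through the pool from job to job, so the engines used
    are "not always the same", as the slide's footnote says."""
    if bias == "max_certainty":
        candidates = list(pool)                       # waits for updating engines
    else:
        candidates = [e for e in pool if e.available]
    fraction = BIAS_FRACTION[bias]
    count = 1 if fraction is None else max(1, round(len(candidates) * fraction))
    start = job_no % len(candidates)
    rotated = candidates[start:] + candidates[:start]
    return rotated[:count]


def scan(engines, minute):
    """One scan job's verdict: infected if ANY allocated engine flags the sample."""
    hits = [e.name for e in engines if e.detects(minute)]
    return {"infected": bool(hits), "detected_by": hits}


def exposure_window(pool, bias, jobs=8):
    """Worst case, over `jobs` consecutive jobs, of the minutes after the
    outbreak until a job under `bias` first catches the sample.  With every
    engine in play this is the fastest engine's time; with one engine per job
    it is the slowest available engine's time."""
    worst = 0
    for job_no in range(jobs):
        first = min(e.signature_at for e in engines_for_job(pool, bias, job_no))
        worst = max(worst, first)
    return worst


if __name__ == "__main__":
    for bias in BIAS_FRACTION:
        print(f"{bias:18s} worst-case exposure {exposure_window(SAMPLE_POOL, bias):4d} min")
```

With this pool, Max Certainty and Favor Certainty close the window at the fastest engine's 45 minutes, Neutral at 95, and the two performance settings at 220: the bias setting is a direct trade of scan CPU against the length of the signature gap shown in the outbreak charts.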


Forefront Security for SharePoint

[Diagram: users upload documents to and download documents from a SharePoint server; the document library is stored in SQL.]

Virus Protection for Document Libraries

- Real-time scanning of documents uploaded to and downloaded from the document library

- Manual and scheduled scanning of the document library

Content Policy Enforcement

- File filtering to block documents from being posted, based on name match, file type or file extension

- Content filtering by keyword within documents for inappropriate words and phrases

Forefront Security for LCS

Detects and removes malware and viruses in instant message sessions

- Protects conversations and file transfers

- Blocks clickable URLs

Provides advanced content-filtering capabilities for messages and attachments

- Enforces content policies: keyword filtering in messages and file transfers, file filtering by type and extension

- Enhances built-in LCS archiving by blocking inappropriate content

[Diagram: Microsoft Office Communicator and Windows Messenger clients connect to Live Communications Server protected by Forefront Security for LCS; a firewall separates it from outside IM clients.]
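The filters the SharePoint and LCS slides list, as an added Python example that is not Forefront code: file filtering by name match, by extension and by true file type (magic bytes, which is what catches an executable renamed to .pdf), keyword filtering over document or message text, and removal of clickable URLs from instant messages. The policy lists, the magic-byte table and every sample file or message are constructed.

```python
"""Content-policy checks of the kind the SharePoint and LCS slides list:
file filtering by name match, extension and true file type, keyword
filtering, and removal of clickable URLs from instant messages.

Added example, not Forefront code.  The policy lists, the magic-byte table
and every sample file or message below are constructed."""
import re
from fnmatch import fnmatch

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js"}
BLOCKED_NAME_PATTERNS = ["*payroll*", "*confidential*"]
BLOCKED_KEYWORDS = ["insider tip", "wire transfer"]

# Leading bytes that identify the real file type, so a renamed executable is
# caught even when its extension looks harmless.  This is what "file type"
# means as distinct from "file extension".
MAGIC = {
    b"MZ": ".exe",                  # PE/DOS executable header
    b"%PDF": ".pdf",
    b"\x50\x4b\x03\x04": ".zip",    # also the docx/xlsx/pptx container
    b"\xd0\xcf\x11\xe0": ".doc",    # legacy OLE2 Office files
}

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)


def sniff_type(data: bytes):
    """Extension implied by the file's leading bytes, or None if unknown."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def check_file(name: str, data: bytes):
    """Apply the file filters in order: name match, extension, sniffed type.
    Returns (allowed, reason)."""
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    for pattern in BLOCKED_NAME_PATTERNS:
        if fnmatch(lower, pattern):
            return False, f"name matches {pattern}"
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension {ext} is blocked"
    real = sniff_type(data)
    if real in BLOCKED_EXTENSIONS:
        return False, f"content is {real} despite extension {ext or '(none)'}"
    return True, "ok"


def check_text(text: str):
    """Keyword filter for document bodies and IM text (case-insensitive).
    Returns (allowed, matched_keywords)."""
    found = [k for k in BLOCKED_KEYWORDS if k in text.lower()]
    return not found, found


def strip_urls(message: str):
    """Replace clickable URLs in an IM with a marker.
    Returns (new_message, number_removed)."""
    return URL_RE.subn("[link removed]", message)


# Constructed samples.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4 ...",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00 ...",   # executable renamed to .pdf
    "setup.exe": b"MZ\x90\x00 ...",
    "Q3_Payroll.xlsx": b"PK\x03\x04 ...",
}
```

The order of the checks matters in practice: an extension test alone would let invoice.pdf through, and a magic-byte test alone would miss a blocked name pattern on an otherwise ordinary spreadsheet.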

Filtering in the Cloud

Solution Overview

- A simple MX record change is all it takes to begin filtering

- Real-time Attack Prevention (RTAP) and Directory Services protect against the largest attacks

- Virus filter delivers zero-day protection using multiple, complementary anti-virus engines

- Flexible policy filter to enforce corporate email-use policies

- High-accuracy spam filtering

- Email queuing so that mail is not lost when the on-premise server is unavailable

Secure Remote Access

Business need: secure external client access to email

Risk to organization:

- Hackers can attack the messaging system using standard client protocols

- Native Outlook access to Exchange servers is not easily protected by traditional firewalls

Business need: protect internal email communication

Risk to organization:

- The email infrastructure can be compromised if not protected

- Email attacks can succeed by masquerading as legitimate traffic, even when content appears to be encrypted

Secure Application Publishing: The Solution

[Diagram: an ISA 2006 appliance between the Internet and the DMZ / internal network; an external user and an administrator reach Exchange, SharePoint, an intranet web server and an external web server through it, with Active Directory on the internal network.]

Needs: strong server protection, better identity control, seamless access, high performance, easy management

New ISA Server 2006 features:

- Customized forms, including for mobile devices; alternative authentication for non-browser apps

- RADIUS OTP and smart card support

- LDAP support for AD integration and other user directories

- NTLM, Kerberos and Kerberos constrained delegation support

- Single sign-on

- Automatic link translation through a global links table

- Cookie-based NLB keeps the session alive in case of fail-over

- Exchange and SharePoint publishing wizards

- Better UI for certificate management

- Idle-based and session-based timeouts that account for non-user traffic

Intelligent Application Gateway: SSL VPN Gateway

[Diagram: layered architecture. Client-facing layer: high availability, management, logging, reporting, multiple portals. Gateway functions: authentication, authorization, user experience, tunneling, security. Endpoint detection and application intelligence provide controlled access, backed by an applications knowledge center (SharePoint, ...) and a devices knowledge center (Windows, ...).]

Applications

- Specific applications: web, client/server and browser-embedded (Exchange / Outlook, OWA, SharePoint, Citrix)

- Generic applications

- Application-aware modules: application-aware platform, application definition syntax/language, application modules

The way forward

- Security requirements are changing with the change in the threat environment

- Defence in depth

- Integrated solution

© 2007 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Edge Appendix Slides

Traditional packet filter: only packet headers are inspected

- IP header: source address, destination address, TTL, checksum

- TCP header: sequence number, source port, destination port, checksum

- Application-layer content appears as a "black box": the payload is opaque to the filter

- Forwarding decisions are based on port numbers, and legitimate traffic and application-layer attacks use identical ports

- [Diagram: from the Internet, expected HTTP traffic, unexpected HTTP traffic and attacks all reach the corporate network on the open port; only non-HTTP traffic is stopped.]

Deep content inspection: packet headers and application content are inspected

- The same IP and TCP header fields as above, plus the application-layer content itself, e.g. the page's HTML: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ...

- Forwarding decisions are based on content; only legitimate and allowed traffic is processed

- [Diagram: allowed HTTP traffic reaches the corporate network; prohibited HTTP traffic, attacks and non-HTTP traffic are stopped.]

E-mail Access: Traditional Firewall

Firewall rules open ports to allow traffic to and from mail server:

- Incoming connections on email server for SMTP, IMAP, Outlook Web Access (using SSL)

- Outgoing connections from email server for SMTP

Limitation:

- Control over what channels are opened, but no control over what type of network traffic is sent to e-mail server over these channels

[Diagram: Internet, traditional firewall, Exchange server. Rules: Allow port 25 (SMTP) inbound and outbound, Allow port 143 (IMAP), Allow port 443 (SSL) for Outlook Web Access, Allow port 135 (RPC).]

Outlook Web Access: Traditional Firewall

Web traffic to OWA is encrypted

- Standard SSL encryption

- Security against eavesdropping and impersonation

Limitation:

- Default OWA implementation does not protect against application layer attacks

[Diagram: OWA traffic from the Internet passes through the traditional firewall inside an SSL tunnel to the Exchange OWA server (FE or CAS); password guessing and web server attacks travel inside the same tunnel, unseen by the firewall.]

Concept of defense in depth requires inspection of OWA traffic at the firewall

How ISA Server Protects OWA

Authentication

- Unauthorized requests are blocked before they reach the Exchange server

- Enforces all OWA authentication methods at the firewall

- Provides forms-based authentication at the firewall before the request reaches OWA

- Allows customized authentication forms for mobile devices or other applications

Inspection

- Invalid HTTP requests or requests for non-OWA content are blocked

- Inspection of SSL traffic before it reaches the Exchange server*

Confidentiality

- Ensures encryption of traffic over the Internet at the firewall

- Can prevent the downloading of attachments to client computers, with a separate policy for intranet users

[Diagram: OWA traffic from the Internet arrives in an SSL tunnel at ISA Server, where authentication and inspection stop web server attacks and password guessing before they reach the Exchange Server (OWA or Client Access Server).]

*Note: full ISA inspection is not available if GZip compression is used by OWA.

Enhanced Protection with Bridging

Traffic decrypted and inspected by ISA Server

- Same benefits as described in preceding slide

Traffic re-encrypted and sent to OWA server

- Allows server-to-server authentication

- Hardens Exchange by protecting OWA traffic from eavesdropping and tampering in transit

[Diagram: SSL tunnel from the Internet to ISA Server (inspection, authentication), then a second SSL tunnel from ISA Server to the Exchange Server (OWA or Client Access Server).]

How RPC/HTTP Works

RPC/HTTP encapsulates RPC traffic inside HTTP

- RPC proxy server extracts RPC traffic from HTTP stream

- Advantage: Most firewalls allow HTTP traffic

[Diagram: RPC traffic and attacks from the Internet arrive as HTTP traffic at the Exchange Client Access Services (RPC proxy).]

Problem: Traditional firewalls leave RPC proxy exposed to Web-based attacks

RPC/HTTP with ISA Server

ISA Server terminates SSL tunnel

- Inspects HTTP traffic for protocol compliance

- Blocks requests for all URLs except published RPC virtual directory

No direct connections from Internet to Exchange Server

- Application layer protection for HTTP traffic

[Diagram: web server attacks are stopped at ISA Server; only RPC traffic for the published virtual directory reaches the Exchange Client Access Services.]
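The contrast the appendix slides draw, port-based filtering versus application-layer inspection of published OWA and RPC/HTTP traffic, as an added Python example that is not ISA Server code. It assumes the edge device has already terminated SSL (the bridging case), so the request bytes are visible; the port rule table, the published paths, the pre-authentication cookie name and all sample requests are constructed. It implements the checks named on the preceding slides: reject anything that is not well-formed HTTP, allow only the published OWA tree and the RPC proxy virtual directory, restrict methods per path, and require the firewall's own pre-authentication before forwarding.

```python
"""Port-only filtering versus application-layer inspection of published
Exchange traffic (OWA and RPC over HTTP), as in the appendix slides.

Added example, not ISA Server code.  It assumes the edge device has already
terminated SSL (bridging), so the request bytes are visible; the rule table,
published paths, pre-auth cookie name and the sample requests are constructed."""
from urllib.parse import urlsplit

# All a traditional packet filter knows: which destination ports are open.
PORT_RULES = {25: "SMTP", 143: "IMAP", 443: "SSL", 135: "RPC"}

# What an application-layer publishing rule knows (constructed).  A path ending
# in "/" publishes a whole tree; any other path is matched exactly.
PUBLISHED_PATHS = {
    "/owa/": {"GET", "POST"},                               # Outlook Web Access
    "/rpc/rpcproxy.dll": {"RPC_IN_DATA", "RPC_OUT_DATA"},   # RPC/HTTP proxy
}
PREAUTH_COOKIE = "edgeauth"   # issued by the firewall's own logon form (assumed name)
MAX_TARGET_LEN = 2048


def port_filter(dst_port: int) -> bool:
    """Traditional firewall: forwards any bytes at all to an opened port."""
    return dst_port in PORT_RULES


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request-line and header parser.
    Returns None for anything that is not well-formed HTTP."""
    try:
        head = raw.partition(b"\r\n\r\n")[0].decode("ascii")
        lines = head.split("\r\n")
        method, target, version = lines[0].split(" ")
        if not version.startswith("HTTP/1."):
            return None
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep:
                return None
            headers[name.strip().lower()] = value.strip()
        return {"method": method, "target": target, "headers": headers}
    except (UnicodeDecodeError, ValueError):
        return None


def cookie_jar(req):
    jar = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def app_filter(raw: bytes):
    """Application-layer publishing rule.  Returns (forward, reason)."""
    req = parse_request(raw)
    if req is None:
        return False, "not valid HTTP"
    if len(req["target"]) > MAX_TARGET_LEN:
        return False, "request target too long"
    path = urlsplit(req["target"]).path.lower()
    if "/.." in path or "\\" in path:
        return False, "path traversal"
    for published, methods in PUBLISHED_PATHS.items():
        hit = path.startswith(published) if published.endswith("/") else path == published
        if not hit:
            continue
        if req["method"] not in methods:
            return False, f"method {req['method']} not allowed on {published}"
        if PREAUTH_COOKIE not in cookie_jar(req):
            return False, "not pre-authenticated at the firewall"
        return True, f"forward to {published}"
    return False, f"path {path} is not published"


# Constructed samples, all arriving on TCP/443 and therefore all passed by
# port_filter(443); only app_filter tells them apart.
SAMPLES = {
    "owa_ok": b"GET /owa/?ae=Folder HTTP/1.1\r\nHost: mail.example.com\r\n"
              b"Cookie: edgeauth=abc123; sessionid=1\r\n\r\n",
    "owa_no_preauth": b"GET /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "unpublished": b"GET /exchweb/bin/auth/owaauth.dll HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "rpc_ok": b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\n"
              b"Host: mail.example.com\r\nCookie: edgeauth=abc123\r\n\r\n",
    "rpc_wrong_method": b"GET /rpc/rpcproxy.dll HTTP/1.1\r\nHost: mail.example.com\r\n"
                        b"Cookie: edgeauth=abc123\r\n\r\n",
    "traversal": b"GET /owa/../exchweb/ HTTP/1.1\r\nHost: mail.example.com\r\n"
                 b"Cookie: edgeauth=abc123\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",   # TLS record bytes, not HTTP
}


def compare(samples=SAMPLES, dst_port=443):
    """For each sample: (port filter verdict, application-layer verdict)."""
    return {name: (port_filter(dst_port), app_filter(raw)[0]) for name, raw in samples.items()}
```

Every sample gets the same answer from the port filter, because they all arrive on an opened port; the application-layer rule forwards only the two well-formed, pre-authenticated requests for published paths. Without bridging none of these checks are possible, which is why the deck pairs inspection with SSL termination at the edge.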