
Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server


Presentation Transcript


  1. Session code: SIA314. Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server. Alex Nikolayev, Program Manager, Identity and Security Division, Microsoft Corporation

  2. Agenda
  • Microsoft Forefront Evolution
    • Forefront and Business Ready Security
    • Forefront Protection Evolution and Architecture
  • Forefront Protection 2010 for Exchange Server Features Overview
    • Forefront Antimalware Protection
    • Forefront Antispam Protection
    • Hybrid Model: bridging the cloud with premises
    • Forefront Protection 2010 for Exchange Server: Key Differentiators and Benefits
  • Summary

  3. Forefront Protection 2010 for Exchange Server: Technologies Evolution
  • Antispam Protection: DNSBL, new content filter engine, Anti-Backscatter
  • Multiple engines
  • Hybrid Model
  • Enhanced Filtering
  • Keyword Filtering
  • Support for earlier Exchange server versions (Exchange 2003)
  • FOPE Integration
  • Integrated Provisioning and Management
  • File Filtering
  • Multiple Engine Support
  • Antivirus protection
  • Antispam protection
  • Exchange 2007 Integration: integrated into the Transport Pipeline
  • Administration: PowerShell support, new interface dashboard
  • Edge, Hub, and Mailbox roles
  • Hyper-V support
  • Improved Performance
  • VSAPI for virus scanning
  • Microsoft Antispyware engine

  4. Forefront Protection 2010 for Exchange Server: Industry-Leading Performance
  • West Coast Labs:
    • Spam catch rate above 99%
    • Premium Antispam certification
  • Virus Bulletin: continuous live spam catch rate above 99%:
    • 99.77% (September 2009)
    • 99.46% (November 2009)
    • 99.32% (January 2010)
    • 99.86% (March 2010)
    • 99.93% (May 2010)

  5. Forefront Protection 2010 for Exchange Server: Industry-Leading Performance
  March: “…the product outperformed its competitors in all spam categories. Thanks to just four false positives, Forefront was the only product to achieve a final score of over 99%.”
  May: “Microsoft’s Forefront Protection 2010 for Exchange Server was the clear winner of the last test, achieving the highest final score by some distance.”
  Source: http://www.virusbtn.com/vbspam/index

  6. Forefront Protection 2010 for Exchange Architecture
  • Built-in, not bolted-on, in Exchange
  • Antimalware defense in depth: 5 AV engines
  • Mailbox (store) protection via VSAPI
  • Layered antispam protection with the Cloudmark engine
  • End-to-end scenario support: per-recipient spam filtering
  • ‘Lights-out’ updates and administration
  Diagram: Exchange Server 2007 SP1 / Exchange Server 2010, integrated into the Exchange Server Transport Agents Framework (antispam protection, antimalware protection, multidirectional filters, PowerShell-driven user interface). SMTP Receive Agents: connection-level filtering; SMTP Receive Agents: protocol and content filtering; Routing Agents: virus/malware/content filtering. Exchange Transport: SMTP Receive pipeline, Categorizer.

  7. Performance Improvements: Forefront Protection 2010 for Exchange Server vs. Forefront Security for Exchange 2007 (results of a 5-engine test)
  • Message throughput improvement: from 25 to 40 messages/second
  • Reduction in context switches: measured reduction is 30%
  • Improvements in CPU utilization: 15% improvement in CPU utilization
  • Spam filtering message throughput: gated by Exchange server performance

  8. Forefront Protection 2010 for Exchange: Malware Filtering

  9. Forefront Protection for Exchange Server: Antimalware Filtering
  • Mail is scanned only once, at the Edge, which saves processing load on Hub and Mailbox servers
  • Mail is stamped with the AV stamp and bypasses redundant filtering on Hub and Store
  • Malware (spyware, viruses) detected on the Edge is removed immediately
  Diagram: Edge Server (SCAN and STAMP) → Hub Role (NO SCAN) → Mailbox Role (NO SCAN) / Public Folder.

  10. Internal Mail Scanning
  • Internal mail is routed through the Hub role
  • Proactive scanning at the Mailbox server (store) is turned off by default, which saves processing load on Mailbox servers
  Diagram: Internet / Edge Server (NO SCAN); Client → Mailbox Role (NO SCAN) → Hub Role (SCAN and STAMP) → Mailbox Role (NO SCAN) / Public Folder.

  11. Forefront Antivirus Store Scanning
  • On-access scanning
    • Turned on by default
    • Follows the settings of the realtime scan
    • Scans only messages that have not been scanned before
  • Scheduled scanning
    • Scans mailboxes or folders not covered by the realtime scan, or messages that predate FPE
    • You may use different engines
    • Usually deep scans that forgo performance concerns
  • On-demand scanning
    • Immediately scans specific mailboxes and public folders to assess malware concerns that may arise
    • You may also use this to scan with different engines

  12. Forefront Spyware and Worms Filtering
  • Spyware: the MS AV engine should be enabled for spyware filtering
    • Enable antispyware scanning for the transport/realtime/scheduled scan
  • Worms:
    • The entire worm message is deleted, including the full message body
    • The worm is stopped before it enters the network
    • Network impact is minimized
    • No impact on the mail store or the email services
    • The message or attachment is never quarantined, so the quarantine is kept smaller and more efficient
    • No notifications are sent: users are not alarmed, but there is an option to send a notice to specific worm admins
    • Worm purging is enabled by default; to disable it: Set-FseTransportScan -EnableWormPurge $false

  13. Forefront True Type File Filtering
  • Filter by name, direction, type, or size
  • Wildcards supported, e.g. “*resume*.doc”
  • Directionality: <in>*.exe, <out>*.doc
  • Filters can be combinations of size, name, type and direction: <in>photo1.jpg>10mb, <out>*.mp3>5mb, <in>*>10mb
  • Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT (matches the files blocked by Outlook)
  • Actions:
    • Skip (detect only): logs the event but does not block
    • Delete (remove contents): removes the attachment only and replaces it with the customized deletion text
    • Purge (eliminate message): deletes both the attachment and the message body
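As an added illustration (not code from the deck or from the product), the rule syntax above parsed and applied in Python: the `<in>`/`<out>` prefix, the name glob and the `>Nmb` size suffix are read from the rule text, and the three actions are ranked so the strongest one wins when several rules hit a message, which is my simplification of the product's precedence rules. The filter list and attachments are constructed sample data.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Rule grammar as written on the slide: [<in>|<out>]name-glob[>N(kb|mb)]
_RULE_RE = re.compile(r"^(?:<(in|out)>)?([^>]+?)(?:>(\d+)(kb|mb))?$", re.IGNORECASE)
_UNITS = {"kb": 1024, "mb": 1024 * 1024}
_RANK = {"skip": 0, "delete": 1, "purge": 2}   # assumption: strongest action wins

@dataclass(frozen=True)
class FileFilter:
    pattern: str                # name glob, lower-cased, e.g. "*resume*.doc"
    direction: Optional[str]    # "in", "out", or None for both directions
    min_size: int               # bytes the attachment must exceed (0 = any size)
    action: str                 # "skip" (detect only), "delete", or "purge"

def parse_rule(rule: str, action: str) -> FileFilter:
    m = _RULE_RE.match(rule.strip())
    if not m or action.lower() not in _RANK:
        raise ValueError(f"bad filter rule {rule!r} / action {action!r}")
    direction, pattern, size, unit = m.groups()
    min_size = int(size) * _UNITS[unit.lower()] if size else 0
    return FileFilter(pattern.lower(), direction.lower() if direction else None, min_size, action.lower())

def matches(f: FileFilter, name: str, size: int, direction: str) -> bool:
    if f.direction and f.direction != direction:
        return False
    if f.min_size and size <= f.min_size:
        return False
    return fnmatch.fnmatchcase(name.lower(), f.pattern)

def decide(filters, attachments, direction):
    """Apply the filter list to one message. attachments: [(filename, size_bytes)].
    Returns (action or None, [(filename, rule pattern, action)] for every hit)."""
    action, hits = None, []
    for name, size in attachments:
        for f in filters:
            if matches(f, name, size, direction):
                hits.append((name, f.pattern, f.action))
                if action is None or _RANK[f.action] > _RANK[action]:
                    action = f.action
    return action, hits

# Constructed filter list: the slide's suggested block list plus its size/direction rules
OUTLOOK_BLOCKED = ["*.exe", "*.com", "*.pif", "*.scr", "*.vbs", "*.shs", "*.chm", "*.bat"]
FILTERS = [parse_rule(r, "purge") for r in OUTLOOK_BLOCKED] + [
    parse_rule("<in>*>10mb", "delete"),
    parse_rule("<out>*.mp3>5mb", "delete"),
    parse_rule("*resume*.doc", "skip"),
]
```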

  14. Keyword Filtering
  • Filters message body and subject based on specified criteria
  • Filter lists can search for words, phrases, and sentences with a basic lexicon
  • Includes pre-populated lists in 11 languages to scan for:
    • Profanity
    • Discriminatory words
  • Actions: Purge, Identify, Skip/Detect
  • Inbound/Outbound/Internal scanning

  15. PowerShell
  • Add-: Add-FseFilterListEntry -Keyword -List List1 -Item "Hello"
  • Clear-: Clear-FseReport -ScanJob Transport,Realtime,Scheduled,OnDemand
  • Export-: Export-FseSettings -Element "ScanJobs","AntiSpamSettings" -Path c:\test.xml
  • Get-: Get-FseFilterList -Keyword | Format-List
  • Import-: Import-FseHostedServicesPolicy -Path c:\admin\setfopepolicy.txt
  • New-: New-FseFilterList -Keyword -List List1 -Item "Hello"
  • Remove-: Remove-FseIncident -All
  • Start-: Start-FseScheduledScan
  • Stop-: Stop-FseOnDemandScan
  • Suspend-: Suspend-FseOnDemandScan
  • Use PowerShell operators: Get-FseSignatureUpdate | where {$_.Engine -eq 'MICROSOFT'}
  • Check incidents for the last 48 hours ($CheckTime must be set first, and the where filter has to run before the table formatter, not after it):
    $CheckTime = (Get-Date).AddHours(-48)
    Get-FseIncident | where {$_.DetectionTime -ge $CheckTime} | ft RecipientNames, IncidentCategory, DetectionTime

  16. Microsoft® Forefront™ Protection 2010 for Exchange Server: Antimalware Configurations and Options. Demo: Alex Nikolayev, Program Manager, Microsoft Corporation

  17. Forefront Protection 2010 for Exchange Server: Antispam Technologies

  18. Forefront End To End Antispam Framework
  Analysis areas: source analysis, protocol analysis, content analysis, UX. Layers: Connection, SMTP, Content, Outlook; FOPE applies across all of them.
  Features: IP Allow/Block Lists, Sender Filtering, Cloudmark Engine, Junk E-Mail Filter, Recipient Filtering, DNSBL, Hybrid Model, TLD/Encodings Block, Quarantine, SenderID Filter, Backscatter, Safelists aggregation, Global and Per-Recipient Exception Lists.
  Message flow:
  • Safelisted mail (Content Filter Bypass, Safe IP Bypass): guaranteed to Inbox, immediate delivery, rich rendering
  • AS-processed mail: guaranteed to Inbox, delivery after AS scans, conditional rendering
  • Bacn: moved to JEF, mail not richly rendered, subject to Quarantine
  • Rejected or quarantined: spam, spoofing, backscatter, blocked sender, blocked recipient, IP block, DNSBL

  19. New Features and Technologies
  • DNSBL filter: integrated DNS blocklist from multiple third-party and internal vendors
  • Content Filter: industry-leading third-party content filtering engine with premium efficiency
  • Backscatter: protection from spam and malicious payloads delivered via bogus NDRs
  • Hybrid Model: on-premises and online integration
  • Ease of administration and reporting: “lights out” antispam UX

  20. Forefront DNSBL Implementation
  1. The DNSBL agent is triggered by a connection request from the Internet.
  2. The FPE DNSBL agent constructs a DNS query with an attached hashed token and sends the query to the Forefront DNSBL backend service.
  3. The Forefront DNSBL service validates the hash and responds to the query.
  4. The backend service sends the following response:
    • If a match is found, it returns a 127.0.0.x code
    • If no match is found, NXDOMAIN is returned
  5. The DNSBL feature is totally transparent to administration: there is nothing to configure!
  DNSBL advantages:
  • Significantly reduces the carbon footprint of spam
  • Responsible for rejecting up to 95% of all mail transaction requests
  Diagram: Connecting Client (Internet) → Forefront-protected Exchange server → Forefront DNSBL backend.
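The five-step exchange above as an added, self-contained Python model (not Forefront's code): the agent builds the reversed-octet query name, the backend validates a token and answers 127.0.0.x or NXDOMAIN, and the connection filter rejects or accepts. The token scheme (a truncated HMAC label), the zone name, the key, the listed addresses and the fail-open handling of lookup errors are all assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress

class NXDOMAIN(Exception):
    """Resolver signal for 'name does not exist' (= address not listed)."""

def reversed_octets(client_ip: str) -> str:
    ip = ipaddress.IPv4Address(client_ip)           # rejects non-IPv4 input
    return ".".join(reversed(ip.exploded.split(".")))

def query_token(key: bytes, rev: str) -> str:
    # Hypothetical token scheme: a truncated HMAC over the reversed address
    return hmac.new(key, rev.encode(), hashlib.sha256).hexdigest()[:16]

def dnsbl_qname(client_ip: str, zone: str, key: bytes) -> str:
    """Step 2: build the query name, token label first, then the reversed address."""
    rev = reversed_octets(client_ip)
    return f"{query_token(key, rev)}.{rev}.{zone}"

def backend_answer(qname: str, zone: str, key: bytes, listed: dict) -> list:
    """Steps 3-4 (constructed stand-in for the backend): validate the token, then
    answer 127.0.0.x for a hit or NXDOMAIN for a miss."""
    if not qname.endswith("." + zone):
        raise NXDOMAIN(qname)
    token, rev = qname[: -len(zone) - 1].split(".", 1)
    if not hmac.compare_digest(token, query_token(key, rev)):
        raise NXDOMAIN(qname)      # assumption: an invalid token is answered like a miss
    ip = ".".join(reversed(rev.split(".")))
    if ip in listed:
        return [f"127.0.0.{listed[ip]}"]
    raise NXDOMAIN(qname)

def connection_filter(client_ip: str, resolve, zone: str, key: bytes):
    """Steps 1 and 5: decide on the SMTP connection. Returns (verdict, detail)."""
    try:
        answers = resolve(dnsbl_qname(client_ip, zone, key))
    except NXDOMAIN:
        return "accept", None
    except OSError as e:           # timeout/SERVFAIL: fail open, but keep it visible in logs
        return "accept", f"lookup-error: {e}"
    for a in answers:
        if a.startswith("127.0.0."):
            return "reject", f"listed, return code {a}"
    return "accept", f"unexpected answer {answers}"

ZONE, KEY = "dnsbl.example", b"demo-shared-secret"   # constructed sample data
LISTED = {"203.0.113.7": 2, "198.51.100.9": 4}       # not real blocklist contents

def demo_resolver(qname: str) -> list:
    return backend_answer(qname, ZONE, KEY, LISTED)

def broken_resolver(qname: str) -> list:
    raise TimeoutError("no response from DNSBL backend")
```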

  21. "Why am I getting this NDR??!": Forefront Backscatter Protection (Outbound)
  Diagram: Exchange internal sender → Categorizer → external recipient.
  Token definition:
  • BATV-compliant
  • Hashed tag (based on a key, time, sender, expiration, etc.)
  • Keys maintained and rotated
  Anti-Backscatter Agent:
  • Implemented as a RoutingAgent
  • Acts only on outbound mail
  • Attaches a token to P1.MailFrom

  22. Forefront Backscatter Protection (Inbound)
  Diagram: NDR-generating MTA → Exchange transport pipeline → NDR recipient.
  Token verification:
  • Decrypt the signature using the proper key
  • Verify the integrity of the signature
  • If correct: strip off the signature, stamp the header, and accept the NDR
  • If incorrect: discard
  Backscatter filter logic:
  • NDR discovery
  • Token verification
  • Acceptance decision
  SMTP Receive Agent:
  • Disabled by default
  • Acts upon DSNs only
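The token signing and verification described on slides 21 and 22, as an added Python example that is not the product's implementation: a BATV-style prvs= tag binding key id, expiry day and sender is attached to the outbound MAIL FROM, and the inbound agent acts only on DSNs (empty MAIL FROM), verifying, stripping and stamping or discarding. The key ring, SHA-256 in place of the BATV draft's SHA-1, the 7-day lifetime and the header name are assumptions.

```python
import hashlib
import hmac

# Constructed key ring: key id -> secret. Rotating keys means old ids can be retired.
KEYS = {1: b"demo-key-one", 2: b"demo-key-two"}
MAX_LIFETIME_DAYS = 7

def _sig(key: bytes, kid: int, day: int, sender: str) -> str:
    # Tag binds key id, expiry day and the original sender (SHA-256 here; BATV draft uses SHA-1)
    msg = f"{kid}{day:03d}{sender}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]

def sign_mail_from(sender: str, kid: int, today: int, lifetime_days: int = MAX_LIFETIME_DAYS) -> str:
    """Routing agent (outbound): rewrite P1.MailFrom as prvs=KDDDSSSSSS=sender.
    `today` is a day counter (days since epoch); DDD is the expiry day mod 1000."""
    local, domain = sender.rsplit("@", 1)
    day = (today + lifetime_days) % 1000
    return f"prvs={kid}{day:03d}{_sig(KEYS[kid], kid, day, sender)}={local}@{domain}"

def verify_bounce(rcpt: str, today: int):
    """Check the tag on the RCPT TO of an incoming DSN. Returns (ok, original, reason)."""
    if not rcpt.startswith("prvs="):
        return False, None, "untagged: we never sent mail with this sender"
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10 or not parts[1][:4].isdigit():
        return False, None, "malformed tag"
    tag, original = parts[1], parts[2]
    kid, day, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    key = KEYS.get(kid)
    if key is None:
        return False, None, f"unknown key id {kid}"
    if not hmac.compare_digest(sig, _sig(key, kid, day, original)):
        return False, None, "signature mismatch"
    if (day - today) % 1000 > MAX_LIFETIME_DAYS:   # expiry day already behind us
        return False, None, "tag expired"
    return True, original, f"verified with key {kid}"

def filter_inbound(mail_from: str, rcpt_to: str, today: int):
    """SMTP receive agent: acts on DSNs only (empty MAIL FROM).
    Returns (action, rcpt_to for delivery, header stamp). Header name is assumed."""
    if mail_from != "":
        return "pass", rcpt_to, None
    ok, original, reason = verify_bounce(rcpt_to, today)
    if ok:
        return "accept", original, f"X-Backscatter-Check: {reason}"
    return "discard", rcpt_to, f"X-Backscatter-Check: {reason}"
```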

  23. Forefront Content Filter Fingerprinting
  • Fingerprinting is applied to every incoming message*
  • Relevant parts of the entire message are fingerprinted
  • The message is reduced to anonymous fingerprints; fingerprints don’t indicate whether the message is legitimate or spam
  • Content analysis techniques: URL/domain, information entropy, redirectors, pattern hash, pattern dictionary, dynamic patterns, longest common string, image framework (decoding/noise reduction)
  • Fingerprints are compared to a local cache of known bad fingerprints
    • Cache data is updated every 45 seconds
    • Match: the message is identified as abuse (spam, reject)
    • No match: the message is identified as legitimate
  * Exceptions apply (Safe Senders/Recipients/Safe Listed IPs, etc.)

  24. Content Filter SCL Definitions
  • The Forefront Content Filter normalizes the raw spam score from the CMAE engine to an SCL
  • Forefront normalization logic:
    • All messages classified as not spam get SCL:-1
    • The SCL assignment logic can be reverted to SCL:0 via PowerShell: New-FseExtendedOption -Name CFAllowBlockedSenders -Value true
    • SCL:-1 boundaries are within -1 to 4 in Exchange
  • Actions available for messages within SCL range 5 to 9: Reject / Delete / Stamp and Continue / Quarantine
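An added Python sketch (not the product's code) of the normalization logic above, carried through to the transport action and the mailbox folder. The score scale, the action thresholds and the client-side rule that SCL -1 skips junk evaluation while SCL 0 does not are assumptions chosen to model why the CFAllowBlockedSenders option exists.

```python
# Assumed, not from the deck: CMAE raw score on 0..100, engine verdict "spam" at or
# above SPAM_CUTOFF, and per-action SCL thresholds an admin might configure.
SPAM_CUTOFF = 50.0
ACTION_THRESHOLDS = [(9, "reject"), (8, "delete"), (7, "quarantine"), (5, "stamp-and-continue")]

def normalize_scl(raw_score: float, allow_blocked_senders: bool = False) -> int:
    """Raw engine score -> Exchange SCL. Not spam -> -1 by default, or 0 when
    CFAllowBlockedSenders is set; spam -> 5..9 by confidence."""
    if raw_score < SPAM_CUTOFF:
        return 0 if allow_blocked_senders else -1
    frac = (raw_score - SPAM_CUTOFF) / (100.0 - SPAM_CUTOFF)   # 0.0 .. 1.0
    return 5 + min(4, int(frac * 5))

def transport_action(scl: int) -> str:
    """Server-side action; only SCL 5..9 ever triggers one."""
    for threshold, action in ACTION_THRESHOLDS:
        if scl >= threshold:
            return action
    return "deliver"

def mailbox_placement(scl: int, sender: str, blocked_senders: set) -> str:
    """Assumed client-side rule: SCL -1 is treated as trusted and skips the junk
    evaluation entirely, so the user's Blocked Senders list only applies when the
    server stamped 0 (CFAllowBlockedSenders) instead of -1."""
    if scl == -1:
        return "inbox"
    if sender in blocked_senders:
        return "junk"
    return "inbox" if scl <= 4 else "junk"

def process(raw_score: float, sender: str, blocked_senders: set, allow_blocked_senders: bool = False):
    """Returns (scl, transport action, mailbox folder or None if the message never reaches a mailbox)."""
    scl = normalize_scl(raw_score, allow_blocked_senders)
    action = transport_action(scl)
    if action in ("deliver", "stamp-and-continue"):
        return scl, action, mailbox_placement(scl, sender, blocked_senders)
    return scl, action, None
```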

  25. Microsoft® Forefront™ Protection 2010 for Exchange Server: Antispam Configurations and Options. Demo: Alex Nikolayev, Program Manager, Microsoft Corporation

  26. Forefront Protection 2010 for Exchange Server: Bridging the cloud and on-premise deployments

  27. Forefront Online Protection for Exchange
  • Active Protection
    • Stops junk e-mail and malware before they reach your network
    • Provides always-available e-mail with user-based quarantine
    • Meets most compliance requirements
  • Enterprise-Class Reliability
    • High-availability global network backed by SLAs
    • Secure operations process that meets audit standards
    • Reduces complexity of the IT environment
  • Reduced Cost of Administration
    • Quickly activates with a simple MX record change
    • Saves time on antispam management; frees up resources
    • Deployed quickly without additional capital expenditures

  28. FPE Hybrid Model Overview
  Diagram: Internet → FOPE Gateway (spam policy, mail) → Firewall → on-premise software: Exchange Hub → Mailbox Server. FPE provides full management of the FOPE policy, and antivirus and antispam protection for Exchange Server 2007/2010 server roles.

  29. Hybrid Model Data Replication: 8 Policy Rules
  • Global IP Allow list
  • Global IP Block list
  • Global Allowed Senders list
  • Global Allowed Sender Domains list
  • Global Blocked Senders list
  • Global Blocked Domains list
  • Global Allowed Recipients list
  • Global Blocked Recipients list
  FOPE sync: per-recipient Safe Senders List

  30. Steps to Successfully Enable the FPE/FOPE Hybrid Model
  Follow these steps to prepare your Exchange environment and enable management of the FOPE gateway in FPE:
  1. Register with FOPE and create an account: http://go.microsoft.com/fwlink/?LinkId=128194
  2. Install the FOPE Gateway
  3. Configure the FOPE settings in FPE and retrieve the FOPE datacenter IP addresses
  4. Redirect your mail to the FOPE datacenter by changing your Mail Exchange (MX) records
  5. Configure your firewall rules and Exchange Edge receive connector information; this ensures that only mail that has been filtered by FOPE is accepted into your organization

  31. Setting up the Hybrid Model
  Diagram: create an account with the FOPE service and change your MX record; SMTP mail flows from the Internet to FOPE and then to your organization's mail server.

  32. Microsoft® Forefront™ Protection 2010 for Exchange Server: Enabling the Hybrid Model. Demo: Alex Nikolayev, Program Manager, Microsoft Corporation

  33. Forefront Protection 2010 for Exchange Server Summary
  An easy-to-manage premium antimalware and antispam protection solution for Microsoft Exchange Server.
  • Comprehensive Protection
    • Premium antispam protection (on premises and in the cloud)
    • Multiple malware engine protection against emerging threats
    • Content and keyword filtering
    • New: spyware protection (MSAV); encrypted message scanning
  • Integrated Security
    • Intelligent engine selection
    • Monitoring security state in real time
    • New: integration with Exchange 2007 and 2010/IRM; Hybrid Model
  • Simplified Management
    • Automated updating
    • Inclusive management console with security/protection views
    • New: manage on-premises and off-premises security policies; fast response to security incidents

  34. Key Differentiators
  • Malware protection: multiple engines
  • Spam protection: layered defense
  • Ease of administration, monitoring, and reporting
  • Hybrid Model: integration with the online service

  35. Related Content
  • SIA324 | Business Ready Security: Microsoft Exchange Server 2010 and the Microsoft Forefront Secure Messaging Solution, Better Together
  • SIA314 | Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server
  • SIA316 | Behind the Spam: A Look at Botnets, Malware, and the Spammers Who Run Them
  • SIA04-INT | Secure Messaging: Implementing Microsoft Forefront Online Protection for Exchange - Best Practices, Pitfalls and Support
  • SIA04-HOL | Microsoft Forefront Online Protection for Exchange Administration and Reporting
  • SIA10-HOL | Secure Messaging Solution: Business Ready Security with Microsoft Forefront and Active Directory
  • Red SIA-1 | Microsoft Forefront Secure Messaging Solution

  36. Track Resources
  • Learn more about our solutions: http://www.microsoft.com/forefront
  • Try our products: http://www.microsoft.com/forefront/trial

  37. Resources
  • Learning: Sessions On-Demand & Community (www.microsoft.com/teched); Microsoft Certification & Training Resources (www.microsoft.com/learning)
  • Resources for IT Professionals: http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn

  38. Complete an evaluation on CommNet and enter to win!

  39. Sign up for Tech·Ed 2011 and save $500, starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

  40. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

