1 / 33

EX04: Exchange 2007 Security, Part II

EX04: Exchange 2007 Security, Part II. Jim McBee jmcbee@somorita.com http://mostlyexchange.blogspot.com. Agenda. Why the Edge Transport Role? Message Hygiene Securing Internet Client Access Summary. Info Worker Situation. IT Pro Situation E-mail is mission-critical

Download Presentation

EX04: Exchange 2007 Security, Part II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EX04: Exchange 2007 Security, Part II Jim McBee jmcbee@somorita.com http://mostlyexchange.blogspot.com

  2. Agenda • Why the Edge Transport Role? • Message Hygiene • Securing Internet Client Access • Summary

  3. Info Worker Situation IT Pro Situation • E-mail is mission-critical • E-mail systems too complex/ expensive • Management tasks tedious, not automated Org-wide Situation • Security the top concern • Spam and viruses compromise the e-mail experience • Regulatory compliance critical in many industries • Users want easy access to all their communications • Mobile devices are increasingly common • Calendaring is frustrating Built-In Protection Anywhere Access Control Exchange 2007 Themes

  4. Protecting The Perimeter • Prevent hostile or unwanted content from reaching Exchange mailbox servers • Enforce messaging policies before e-mail enters internal network • Reduce the attack surface for your Internet exposed resources • Perimeter security • Exchange Server 2007 Edge Services • Microsoft Forefront Security for Exchange Server • Microsoft ISA Server

  5. Why The Edge Transport Role?

  6. The Need For The Edge (cont.) • Mail routers on the organization border have specialized needs • CAS role is designed for mailbox access • Hub Transport tied into Active Directory • Increased security threats • Must balance conflicting objectives • Make intelligent routing choices • Reject bad messages, not allow into the organization • Enforce message hygiene and policy • Minimize firewall exposure and reconfiguration

  7. The Need For The Edge • Exchange 2003: Monolithic architecture • No granular control over which code modules are installed • Some services (Store) are required for RFC-required functionality. • Active Directory membership • Need DC and GC access • Exposes entire forest • Perceived to be vulnerable as a border MTA

  8. Exchange 2007 On The Edge • Full AD integration without AD exposure • EdgeSync • Easier than ever to provide secure transit without a lot of configuration • Enforce policies on the edge for a big compliance win! • Extensive message hygiene features • Fully scriptable

  9. Message Hygiene

  10. Message Hygiene at the Edge • Enterprise-ready capabilities built-in to Exchange 2007 Edge Server role • Anti-spam • Anti-virus • Easily extended for third-party functionality

  11. Fighting Spam in Exchange 2007 • Connection filtering • Drop bad connections based on source IP address • Allow/deny lists • DNS real-time blocklists • Third party allow lists • Preserve resources (CPU, RAM, bandwidth) • Protocol filtering • Drop bad connections based on SMTP conversation • Sender filtering • Recipient filtering • Protocol errors • Slow down persistent senders to avoid excessive resource consumption (tarpitting)

  12. Fighting Spam in Exchange 2007 • Content filtering • Reject or bounce messages based on content cues • Intelligent Message Filter (IMF) • Sender ID and domain reputation • Computational puzzles • Transport rules • Most resource intensive • Quarantine • Managed by administrator • Integrated with IMF

  13. Connection Filtering • Admin-configured allow/deny • By IP • By domain • By sender • By recipient • Real-time lists • Block lists (DNS RBLs) • Allow lists (bonded senders)

  14. Protocol Filtering • Sender filters • Local restrictions • Sender ID • Recipient filters • Protocol analysis • SMTP errors • Example: Bad/missing domain in HELO/EHLO • Example: DNS checks for matching A and PTR records • Patterns in connections/submissions • Tarpitting

  15. Tarpitting: How It Works • An SMTP client establishes connection. • After a configurable error threshold, Exchange adds a delay to each SMTP responses. • With each subsequent error or protocol violation, Exchange increases the delay time. • The SMTP client continues to get valid responses – just farther apart. • The SMTP client maintains the connection while successfully completing fewer actions.

  16. Sender ID • By-domain DNS-based policy to identify hosts trusted to send mails from that domain • Published in DNS • Backwards compatible with Sender Protection Framework (SPF) • Check envelope (MAIL FROM) or Purported Responsible Address (PRA) • Server can take action at check time or integrate results with IMF • Performed by Edge • Usually performed by the first server in the organization to handle a given message • If that server isn’t Edge, Exchange may not get the full benefit of the Sender ID check

  17. Content Filtering • Intelligent Message Filter (IMF) • Uses SmartScreen technology • Compares and weights composite score from several data sources • Sender ID (if used) • IP address presence on blocklists (if so configured) • Message characteristics • Provides two confidence levels: spam and phish • Custom weight lists • Administrator configurable word lists allow fine-tuning of IMF results • Transport rules allow centralized dynamic response to time-critical threats • Quarantine

  18. IMF Features • Automatic updates • Every 2 weeks • Daily with Enterprise licenses • Integrates domain reputation • Sender ID • Local dynamic domain reputation • Computational puzzles • Self-adjusts as administrators remove false positives from quarantine • Anti-phishing protection

  19. Microsoft Forefront Security

  20. Microsoft Forefront Security

  21. Attachment Filtering • Strip attachments • By file size • By MIME content type • By file extension • Look inside ZIP archives • Create rules on the fly to block emerging threats

  22. Transport AV By Role • Edge Transport • Filters inbound and outbound traffic • Hub Transport • Filters all email between mailboxes • …even on the same server • Mailbox • Scan the mailbox store • Use legacy VSAPI 2.5 interface

  23. Microsoft Hosted Exchange Services

  24. Exchange Options Choice for Messaging Complementary Services HOSTED EXCHANGE (through service providers) Provides choice in how you deploy, manage your messaging infrastructure Exchange Hosted Services complement any Exchange mailbox Exchange Hosted Filtering included with Enterprise Client Access Licenses

  25. Securely Publishing Exchange Resources To The Internet

  26. Microsoft ISA Server Protection • Reverse proxy Exchange services • Outlook Web Access • RPC over HTTPS • ActiveSync • Offload Forms-Based Authentication • ISA Server has FBA logon form • Delegated authentication at the ISA Server • Authenticate user prior to allowing internal access • Supports Smart Card authentication

  27. Enterprise Topology

  28. Summary Message hygiene out of the box Four-stage granular anti-spam Transport anti-virus by role Microsoft Forefront Security for Exchange Server provides antivirus protection Exchange Hosted Services offers you flexibility ISA Server improves security for Internet exposed resources

  29. For more information Visit TechNet: http://www.microsoft.com/technet Visit the Exchange 2007 home page: http://www.microsoft.com/exchange/preview/default.mspx Microsoft Forefront http://www.microsoft.com/forefront/default.mspx

  30. Questions?

  31. Antigen for SMTP Gateways • Detects and removes e-mail viruses at the network edge • Scans SMTP stack to disable threats within a message during the routing process • Provides advanced content filtering capabilities for messages and attachments • Integrates file filtering, keyword filtering, anti-spam, and content filtering during the routing process • Protects Windows Server 2003 and Windows 2000 Server SMTP gateways • Proactively notifies administrators of virus incidents and scan events by e-mail or event log Internet Firewall SMTP Gateway Server/Routing Server Exchange Servers Users

  32. Internet ISA Server Exchange Site 1 Exchange Front End Exchange Site 2 Exchange Public Folder Server Exchange Mailbox Server Antigen for Exchange • Detects and removes viruses in e-mail messages and attachments • Scans at SMTP stack (most processing intensive scans) • Scans real-time at Exchange information store • Provides on-demand and scheduled scans of information store • Uses Microsoft-approved virus scanning API integration for Exchange 2000 and 2003 • Provides advanced content-filtering capabilities for messages and attachments • Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level • Protects Exchange Server 5.5, 2000, and 2003

  33. Extending AV Agent framework for third party integration Exchange 2007 provides new capabilities Managed MIME parsing and composing Content-Transfer encoding (Base64, QP, UUEncode, BinHex) Managed TNEF and RTF parsing and composing Managed iCalendar/vCard parsing and composing

More Related