Better Together: Microsoft Exchange Server 2010 and Microsoft Forefront Secure Messaging Solution Cristian Mora Technical Product Manager Microsoft Corporation SIA 311 Alexander Nikolayev Program Manager Microsoft Corporation SIA 311
Agenda E-mail Security Threats Forefront/Exchange Better Together Security Summary Spam & Malware Phishing & Viruses Premium Antimalware Protection Premium Antispam Protection Administration and Management Forefront Protection 2010 for Exchange: Key Differentiators Forefront/Exchange Better Together: Benefits and Better Together Security
Top E-mail Threat Concerns Malware via URLs, Malware via Attachments, Phishing, Spam, Data Leakage. Source: Messaging Security Survey: The Good, Bad, and Ugly Study. IDC, 2009
“The growth in e-mail traffic means that over the next four years, organizations will need increasingly better defenses against all types of spam and malware… Battling spam alone is very costly – in 2009, a typical 1,000-user organization spends over $1.8 million annually to manage spam.” — The Radicati Group, Inc., E-mail Security Market, 2009-2013
… Around $8 Billion Lost to Viruses, Spyware and Phishing… 2 million consumers have had to replace their computers over the past two years due to software infections… 1 in 5 online consumers have been victims of Cybercrime… — 2009 State of the Net Survey
“As one leading financial institution told us, it routinely sees that at least 14 out of every 15 incoming emails are pure spam” - Forrester Wave Email filtering Q2 2009, April 2009
“Almost 60% of organizations reported spam blocking effectiveness of less than 95%” - Brian E. Burke, “Messaging Security Survey” IDC February 2009
New Phishing Sites By Month [chart: monthly counts, Dec 04 through Dec 05] Source: http://www.antiphishing.org
New Phishing Sites By Month Source: http://www.antiphishing.org
So, what’s the solution???
Business Ready Security Help securely enable business by managing risk and empowering people Protect everywhere, access anywhere Identity Simplify the security experience, manage compliance Highly Secure & Interoperable Platform Integrate and extend security across the enterprise from: Block Cost Siloed to: Enable Value Seamless
Business Ready Security Solutions Secure Messaging Secure Collaboration Information Protection Identity and Access Management Secure Endpoint
Secure Messaging Enable more secure business communication from virtually anywhere and on virtually any device, while preventing unauthorized use of confidential information PROTECT everywhere ACCESS anywhere • Best-in-class antimalware on-premise / in-the-cloud • Protect sensitive information in e-mail • Secure, seamless access INTEGRATE and EXTEND security SIMPLIFY security, MANAGE compliance • Built-in information protection • Enterprise-wide visibility and reporting • Extend secure e-mail to partners • Unified management
Innovative Technologies Industry Collaboration and Cooperation User Education Effective Legislation
Forefront Protection 2010 for Exchange Server Support for earlier Exchange server versions (Exchange 2003) Multiple Engine Support Antivirus protection Antispam protection Multiple engines Enhanced Filtering Keyword Filtering File Filtering Exchange 2007 Integration Integrated into the Transport Pipeline Edge, Hub, and Mailbox VSAPI for virus scanning Antispam Protection DNSBL New content filter engine Anti-Backscatter Hybrid Model FOPE Integration Integrated provisioning and Management Administration PowerShell support New Interface dashboard Hyper-V support Improved Performance Microsoft Antispyware engine
Forefront/Exchange Better Together: Surpassing Security Expectations Exchange 2010 Encryption Default Intra-Org ∙ Inter-Org mTLS support ∙ IRM support Forefront 2010 Antispam Premium Antivirus Multiple Engine Malware Detection Unified Management Hosted, Hybrid Protection
Industry-Leading Performance: 360° Malware and Spam Protection. West Coast Labs: Spam Catch Rate above 99%, Premium Antispam certification. Virus Bulletin: Continuous Spam Catch Rate above 99%: 99.77% (September 2009), 99.46% (November 2009)
Forefront Protection 2010 for Exchange Server Deployment Options
Forefront Protection 2010 for Exchange Server Threat Management Gateway Enterprise Network Edge Transport Hub Transport Routing & Policy External Mail Protection Availability: Exchange 2010 Exchange 2007 SP 1 Protection 2010 for Exchange Server Unified Messaging Mailbox Storage of mailbox items Mobile phone Threat Management Gateway Web browser Voice mail & voice access Protection 2010 for Exchange Server Client Access Client connectivity Web services Outlook (remote user) Outlook (local user) Phone system (PBX or VOIP) Line of business applications
Forefront Protection 2010 for Exchange Server Malware Protection
Protect Messages from Malware. Protect everywhere, access anywhere. Competitors’ Solutions: Single Engine. Microsoft Solution: “Defense in Depth”; Multiple Engines; 38 times faster; Automatic Engine Updates; On premises or in the cloud; 99% spam detection* (* With premium antispam services). An AV-Test of consumer antivirus products revealed: • On average, Forefront engine sets provided a response in 3.1 hours or less. • Single-engine vendors provided responses in 5 days, 4 days, and 6 days respectively. Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230
Forefront Protection 2010 for Exchange Server: Multiple AV Scanning Engines Advantages Leading antimalware engines deployment via integrated solution, Allows multi-directional protection of messaging stream: inbound, outbound, internal, and data at rest, Intelligent Engine Selection: Automatically chooses the most current and effective engines first, Allows administrators to balance security with performance needs. Removal of a single point of failure in the organization, Lower TCO – all engines included in base cost.
Performance Improvements: Forefront Protection 2010 for Exchange Server vs. Forefront Security for Exchange 2007
Technology investment: Results (5 engines test)
Message throughput improvement: From 25 to 40 messages/second
Reduction in Context Switches: Measured reduction is 30%
Improvements in CPU Utilization: 15% in CPU Utilization improvement
Native 64-bit support: Coming in SP1
Spam Filtering throughput: Gated by the Exchange Server perf
Forefront Engines Updates Remote Update Services MSAV/CMAE Directly from vendor Redistribution Automatic Updates Manual Config
demo Managing Multi-Engine Environment
Forefront Protection 2010 for Exchange Server Antispam Overview
Forefront Protection 2010 Antispam Functional Highlights Exchange 2010 Connection Filtering Protocol Filtering Content Filtering + Forefront 2010 Benefits Forefront DNS Block List • Aggregated RBL data from multiple external and internal vendors • No configuration required Unified Management • Consolidated Connection/Sender/Recipient/Sender ID filtering for simplified management Backscatter Filter • Blocks NDR (backscatter) spam Cloudmark CMAE Engine • Option of alternative 3rd party content filter • Above 99% detection rate • No configuration required (installs with smart defaults) Forefront True Type Filtering • Real file type inspection (not just extension) • Actionable scanning of nested files/within ZIP Global Exception Lists • Single access point to sender and recipient exception lists (allow and block actions) Streamlined SCL • Less ambiguous ratings for fewer false positives end to end. Hybrid Model • Integration with Forefront Online Protection for Exchange
Forefront Protection 2010 Antispam Features IP Block List DNSBL Filter Sender ID Filter Sender Filter Recipient Filter Backscatter Filter Content Filter Junk E-mail Filter Layered Antispam Technologies Connection Filtering (IP Block/Allow, DNSBL, Sender ID filters) Protocol Filtering (Sender, Recipient, Backscatter filters) Content Filtering (spam/phishing) New additions: DNSBL, Cloudmark CMAE Engine, Backscatter, Hybrid Model
Reducing the Carbon Footprint of Spam: Forefront DNSBL. Implemented as SMTP Receive Agent, configuration/maintenance-free feature; Multiple external and internal RBL providers with continuous flow of feeds; Queries sent to Forefront-owned DNS infrastructure; Efficiency: based on internal MSIT numbers, 80-85% of all incoming connection requests are denied by DNSBL; Rejection response is actionable (to help with the corrective actions): “550 5.7.1 Do this to get the IP removed from the DNSBL list…”
"Why am I getting this NDR??!" Forefront Backscatter Protection Outbound Categorizer Exchange internal sender External recipient
Anti-Backscatter Agent: • Implemented as RoutingAgent • Acts only on Outbound mail • Attaches a token to P1.MailFrom
Token Definition: • BATV-compliant • Hashed tag (based off a key, time, sender, expiration, etc.) • Keys maintained and rotated
Forefront Backscatter protection Inbound Transport Pipeline NDR generating MTA Exchange NDR recipient
SMTP Receive Agent: • Disabled by default • Acts upon DSNs only
Backscatter Filter logic: • NDR discovery • Token verification • Acceptance decision
Token Verification: • Decrypt the sig using proper key • Verify integrity of the sig • If correct – strip off the sig, stamp the header, and accept NDR • If incorrect – Discard
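The outbound tagging and inbound NDR check from the two backscatter slides above, as an added example that is not from the presentation and is not Forefront's own code. It follows the prvs address format of the public BATV draft (key digit, three-digit expiry day, six hex digits of an HMAC-SHA1) and compares HMACs where the slide says "decrypt"; the keys, the 7-day lifetime, the addresses and the function names are assumptions.

```python
import hashlib
import hmac

# Constructed signing keys, indexed by the single-digit key number K.
# Keeping the previous key lets bounces of recently sent mail still verify.
KEYS = {0: b"constructed-old-key", 1: b"constructed-current-key"}
CURRENT_KEY = 1
LIFETIME_DAYS = 7  # assumed token lifetime


def make_tag(key_id, day, address):
    """Return K + DDD + SSSSSS for the original envelope sender."""
    head = f"{key_id}{day % 1000:03d}"
    mac = hmac.new(KEYS[key_id], (head + address).encode(), hashlib.sha1)
    return head + mac.hexdigest()[:6]


def sign_mail_from(address, today):
    """Outbound: rewrite MAIL FROM to prvs=KDDDSSSSSS=local@domain."""
    tag = make_tag(CURRENT_KEY, today + LIFETIME_DAYS, address)
    return f"prvs={tag}={address}"


def filter_inbound(mail_from, rcpt_to, today):
    """Inbound: return (action, recipient); today is days since the epoch."""
    if mail_from != "":
        return "accept", rcpt_to  # not a DSN, so the filter does not act
    scheme, _, rest = rcpt_to.partition("=")
    tag, _, original = rest.partition("=")
    if (scheme.lower() != "prvs" or len(tag) != 10
            or not tag.isascii() or not tag[:4].isdigit()):
        return "discard", rcpt_to  # NDR for mail that was never tagged
    key_id, expiry = int(tag[0]), int(tag[1:4])
    if key_id not in KEYS:
        return "discard", rcpt_to  # signed with a key that has been retired
    if not hmac.compare_digest(make_tag(key_id, expiry, original), tag.lower()):
        return "discard", rcpt_to  # forged or altered token
    # Day numbers wrap at 1000, so the remaining lifetime is taken modulo 1000.
    if (expiry - today) % 1000 > LIFETIME_DAYS:
        return "discard", rcpt_to  # token expired
    return "accept", original  # strip the tag and deliver the NDR
```

A real agent would also stamp a header on accepted NDRs, as the slide notes; that step is left out here.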
Forefront Content Filter Fingerprinting Fingerprint Cache Spam Reject Legitimate
• Fingerprinting applied to every incoming message* • Relevant parts of the entire message are fingerprinted • Message reduced to anonymous fingerprints • Fingerprints don’t indicate whether the message is legit or spam • Fingerprints compared to local cache of known bad fingerprints • Cache data updated every 45 seconds • Match: message is identified as abuse • No match: message is identified as legitimate
* Exceptions apply (Safe Senders/Recipients/Safe Listed IPs etc.)
Content Filter SCL definitions
Forefront enables normalization of raw spam score from CMAE engine to SCL
SCL Value: Content Filter Spam Confidence Level Definitions (Exchange)
-1: Messages coming from a trusted source (AUTH’d or safe listed)
0: Messages categorized as not spam
1 - 4: The likelihood of messages being spam is extremely low
5 - 9: The likelihood of messages being spam is high/extremely high
Forefront normalization logic: All messages classified as not spam get SCL: -1. SCL assignment logic can be reverted to SCL: 0 via PowerShell (New-FseExtendedOption -Name CFAllowBlockedSenders -Value true). SCL: -1 boundaries are within -1 to 4 in Exchange. Actions available for messages within SCL range 5 to 9: Reject/Delete/Stamp and Continue/Quarantine. SCL assigned to the message and can be enforced on a per-recipient basis
demo Spam Configuration and Management
Forefront Unified Monitoring and Reporting Author policy Deploy Correct Collect Events Analyze View Alerts & Reports Single Node – basic reports available for each technology layer, Multi Node – advanced reports available via Forefront Protection Manager, Single connection point to reporting via Forefront UI, Agent Logs, Perfmon Data, Incidents and Quarantine Database, Rich Eventing Model.
Simplify Security Management Simplify security, manage compliance • Unified policy management for on-premise and cloud-based messaging servers • Enterprise-wide visibility into e-mail threats through a single console • Help enable compliance with in-depth reporting capabilities • Easy to use interfaces and templates for system configuration and threat response Source: New Solution Helps Pharmaceutical Maker Improve IT Performance and Security. Microsoft case study, June 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000002230
demo Malware protection
Forefront Protection 2010 for Exchange Server: an extension into Online Services
Hybrid Messaging Security With FPE + FOPE + Exchange Firewall On-Premise Software Internet Spam policy Mail Spam policy FOPE Gateway Full Management Policy SMTP Mail Exchange Edge Exchange Hub Mailbox Server Antivirus and antispam protection for Exchange Server 2007/2010 Server Roles Protection 2010 for Exchange Server
Forefront Protection 2010 for Exchange Server Key Differentiators: Malware Protection: Multiple Engines; Spam Protection: Layered Defense; Ease of Administration, Monitoring, and Reporting; Hybrid Model: Integration with Online Service
Forefront Protection 2010 for Exchange Server Benefits Integrated multiple engine malware protection, Best of breed spam protection for on the premises and in the cloud customers: Precise spam detection with above 99% catch rate, Reduction in Carbon Footprint of spam by early rejection of unwanted messaging stream. Hybrid Model and Ease of Administration: Low TCO with High ROI for Exchange organizations, Flexible implementation.
Exchange + Forefront Better Together Security Summary Exchange 2010 provides… Default encryption and broader support for IRM Extensive infrastructure for per-user SCL Incremental Edge Synch for safe/blocked senders Per recipient list aggregation from Outlook Forefront 2010 extends foundation with… Premium multiple engine antimalware Auto-configuration of antispam agents Unified management of FPE, Exchange, FOPE Leading antispam content filter engine (above 99% detection rate) Option of hosted and hybrid protection for lower TCO Config/maintenance-free setup.
More Info… • Microsoft FPE Web Site • NEW! Microsoft FPE Whitepapers: Forefront Protection 2010 for Exchange Server Antispam Framework Forefront Protection 2010 For Exchange Server Antispam Forefront Protection 2010 for Exchange Server Scan Actions And Sequence Monitoring Forefront Protection 2010 for Exchange Server • Microsoft BRS – Secure Messaging • Microsoft Edge - FPE
Additional Sessions • SIA 317 – Microsoft Forefront Online Services – Overview, Architecture and Roadmap • SIA 02-DEMO – End-to-End E-mail Protection • SIA 05-IS – Secure Messaging using AD RMS and Exchange 2010 • SIA 304 – Windows Server 2008 R2 AD RMS
question & answer
Content Filter Updates: Better Together for ECAL customers receive premium Forefront content filter and updates, ECAL customers will always have the freshest spam fingerprints, “Lights Out” engine updates
Content Filter Updates (Exchange 2007) compared with Content Filter Updates (Forefront Protection 2010):
Type: Signatures (Exchange 2007); Fingerprints (Forefront Protection 2010)
Update Frequency: Sigs every 6 hours, engine updates via service packs (Exchange 2007); ~45 seconds (micro), ~5 minutes (full), engine updates “On The Fly” (Forefront Protection 2010)
Source: Machine Learning (consumer) (Exchange 2007); Global Feedback Loop (enterprise) (Forefront Protection 2010)
Secure Messaging – The Road Ahead CY 2009 H 2 Management Consoles Platform Protection & Access Management Currently Shipping Subject to Change CY 2010 H 1