Microsoft Forefront Evolution Forefront Protection 2010 For Exchange Server Features Overview Summary Forefront and Business Ready Security Forefront Protection Evolution and Architecture Forefront Antimalware Protection Forefront Antispam Protection Hybrid.
Microsoft Forefront Evolution
Forefront Protection 2010
For Exchange Server
Features Overview
Summary
Forefront and Business Ready Security
Forefront Protection Evolution and Architecture
Forefront Antimalware Protection
Forefront Antispam Protection
Hybrid Model – bridging the cloud with premises
Forefront Protection 2010 for Exchange Server:
Key Differentiators and Benefits
Support for earlier Exchange server versions (Exchange 2003)
Multiple Engine Support
• Antivirus protection
• Antispam protection
• Multiple engines
Enhanced Filtering
• Keyword Filtering
• File Filtering
Exchange 2007 Integration
• Integrated into the Transport Pipeline
• Edge, Hub, and Mailbox
• VSAPI for virus scanning
Antispam Protection
• DNSBL
• New content filter engine
• Anti-Backscatter
Hybrid Model
• FOPE Integration
• Integrated Provisioning and Management
Administration
• PowerShell support
• New Interface dashboard
• Hyper-V support
Improved Performance
Microsoft Antispyware engine
Forefront Protection 2010 for Exchange Server:
Industry-Leading Performance
Source: http://www.virusbtn.com/vbspam/index
Forefront Protection 2010 for Exchange Architecture
Exchange Server 2007 SP1/Exchange Server 2010
Integrated into Exchange Server Transport Agents Framework
[Architecture diagram: the Exchange Transport SMTP Receive Pipeline feeds the Categorizer. SMTP Receive Agents provide connection-level filtering and protocol and content filtering (Antispam Protection); Routing Agents provide virus/malware/content filtering (Antimalware Protection) with multidirectional filters; a PowerShell-driven user interface manages both.]
Performance Improvements
Forefront Protection 2010 for Exchange Server vs. Forefront Security for Exchange 2007
Technology investment: reduction in context switches (measured reduction is 30%)
Message throughput improvement, results of the 5-engine test: from 25 to 40 messages/second
Improvements in CPU utilization: 15% improvement
Spam filtering message throughput: gated by Exchange server performance
Forefront Protection for Exchange Server:
Antimalware Filtering
Mail scanned only once at the Edge - saves processing load on Hub and Mailbox servers
Mail is stamped with the AV stamp and bypasses redundant filtering on Hub and Store
Malware detected on Edge is removed immediately
[Diagram: Internet -> Edge Server (SCAN and STAMP) -> Hub Role (NO SCAN) -> Mailbox Role (NO SCAN) -> Public Folder / Client; a second Mailbox Role with its Public Folder is also shown as NO SCAN]
Forefront Antivirus Store Scanning
Forefront Spyware and Worms Filtering
Set-FseTransportScan -EnableWormPurge $false
Forefront True Type File Filtering
Filter by name, direction, type, or size
Wildcards supported, e.g., “*resume*.doc”
Directionality: <in>*.exe, <out>*.doc
Filters can be combinations of size, name, type & direction
<in>photo1.jpg>10mb, <out>*.mp3>5mb, <in>*>10mb
Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT (match files blocked by Outlook)
Actions
Skip: Detect only
Logs the event but does not block
Delete: Remove contents
Removes the attachment only and replaces with the customized deletion text
Purge: Eliminate message
Deletes both the attachment and the message body
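As an added illustration (not FPE's own parser), here is how the filter rule syntax shown above can be parsed and applied to attachments. It generalizes slightly by also accepting kb and gb units; case-insensitive name matching and binary megabytes are this example's assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Rule grammar as shown on the slide: [<in>|<out>]NAME-PATTERN[>SIZE]
# e.g. "<in>*.exe", "<out>*.mp3>5mb", "<in>*>10mb", "*resume*.doc"
# (kb/gb units and case-insensitivity are this example's additions)
_RULE = re.compile(r"^(?:<(in|out)>)?([^<>]+?)(?:>(\d+)(kb|mb|gb))?$", re.IGNORECASE)
_UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}  # binary units assumed

@dataclass
class FileFilter:
    direction: Optional[str]  # "in", "out" or None for both directions
    pattern: str              # wildcard on the attachment name (lower-cased)
    min_size: int             # attachment must be larger than this many bytes
    action: str               # "Skip", "Delete" or "Purge" as on the slide

def parse_filter(rule: str, action: str = "Delete") -> FileFilter:
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised file filter rule: {rule!r}")
    direction, pattern, size, unit = m.groups()
    min_size = int(size) * _UNITS[unit.lower()] if size else 0
    return FileFilter(direction.lower() if direction else None,
                      pattern.lower(), min_size, action)

def matches(f: FileFilter, name: str, size: int, direction: str) -> bool:
    if f.direction and f.direction != direction:
        return False
    if f.min_size and size <= f.min_size:  # ">10mb" means strictly larger
        return False
    return fnmatch.fnmatchcase(name.lower(), f.pattern)

def evaluate(filters, name: str, size: int, direction: str) -> Optional[str]:
    """Return the action of the first matching filter, or None to let it pass."""
    for f in filters:
        if matches(f, name, size, direction):
            return f.action
    return None
```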
Keyword Filtering
Filters message body and subject based on specified criteria
Filter lists can enable search for words, phrases, and sentences with basic lexicon
Includes pre-populated lists in 11 languages to scan for:
Profanity
Discriminatory words
Actions: Purge, Identify, Skip/Detect
Inbound/Outbound/Internal scanning
Add-FseFilterListEntry -Keyword -List List1 -Item "Hello"
Clear-FSEReport -ScanJob Transport,Realtime,Scheduled,OnDemand
Export-FseSettings -Element "ScanJobs", "AntiSpamSettings" -Path c:\test.xml
Get-FseFilterList -Keyword | Format-List
Import-FSEHostedServicesPolicy -Path c:\admin\setfopepolicy.txt
New-FseFilterList -Keyword -List List1 -Item "Hello"
Remove-FseIncident -All
Start-FseScheduledScan
Stop-FseOnDemandScan
Suspend-FSEOnDemandScan
# Use PowerShell operators:
Get-FseSignatureUpdate | where {$_.Engine -eq 'MICROSOFT'}
# Check incidents for the last 48 hours (filter before formatting, so that
# Where-Object sees incident objects rather than Format-Table output):
$CheckTime = (Get-Date).AddHours(-48)
Get-FseIncident | where {$_.DetectionTime -ge $CheckTime} | ft RecipientNames, IncidentCategory, DetectionTime
Forefront End To End Antispam Framework
[Table with columns Area, Layer, Features and Hybrid Model; the Hybrid Model column marks FOPE for features the hosted service also provides]
Areas and layers: Source analysis (Connection), Protocol analysis (SMTP), Content analysis (Content), UX (Outlook)
Features: IP Allow/Block Lists, Sender Filtering, DNSBL, SenderID Filter, Recipient Filtering, Backscatter, TLD/Encodings Block, Cloudmark Engine, Quarantine, Junk E-Mail Filter, Safelists aggregation, Global and Per-Recipient Exception Lists
Message Flow
[Flow diagram]
Safe IP or Safelisted Mail? Yes -> Bypass: Guaranteed to Inbox, Immediate Delivery, Rich rendering
No -> connection and protocol checks (IP Block, DNSBL, Spoofing, Backscatter, Blocked Sender, Blocked Recipient): hit -> Reject
No hit -> Content Filter, Spam? Yes -> Reject or Quarantine; Maybe -> Bacn: Moved to JEF, Mail not richly rendered, Subject to Quarantine; No -> AS Processed Mail: Guaranteed to Inbox, Delivery after AS scans, Conditional Rendering
New Features and Technologies
DNSBL filter: integrated DNS blocklist from multiple third-party and internal vendors
Content Filter: industry-leading third-party content filtering engine with premium efficiency
Backscatter: protection from spam and malicious payload delivered via bogus NDRs
Hybrid Model: on-premises/online integration
Ease of Administration and Reporting: "Lights Out" antispam UX
Forefront DNSBL implementation
[Diagram: Connecting Client -> Internet -> Forefront-protected Exchange server <-> Forefront DNSBL backend]
1. DNSBL agent triggered by connection request from the Internet.
2. FPE DNSBL agent constructs a DNS query with attached hashed token and sends the query to the Forefront DNSBL backend service.
3. Forefront DNSBL service validates the hash and responds to the query.
4. The backend service will send the following response:
• If a match is found, it will return a 127.0.0.x code
• If no match is found, NXDOMAIN will be returned
5. DNSBL feature is totally transparent to administration – there is nothing to configure!
DNSBL Advantages:
Significantly reduces the Carbon Footprint of Spam
Responsible for rejecting up to 95% of all mail transaction requests
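The query-and-response logic of the steps above, as an added example (not the FPE agent's code). The zone name, the layout of the hashed token label, the constructed stand-in backend and the fail-open choice on unexpected answers are this example's assumptions.

```python
import hashlib
import hmac
import ipaddress

ZONE = "dnsbl.example.invalid"                # hypothetical backend zone
TOKEN_KEY = b"constructed-subscriber-secret"  # hypothetical per-install key

def query_name(client_ip, key=TOKEN_KEY):
    """Build the lookup name for a connecting IP: reversed octets (the usual
    DNSBL layout) plus a hashed token label the backend can validate.
    The token's exact form is this example's assumption."""
    ip = ipaddress.IPv4Address(client_ip)
    rev = ".".join(reversed(str(ip).split(".")))
    token = hmac.new(key, rev.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{token}.{rev}.{ZONE}"

def decide(answer):
    """Map the backend's answer to the agent's decision:
    127.0.0.x -> ("reject", x) where x is the listing code; NXDOMAIN -> accept."""
    if answer == "NXDOMAIN":
        return ("accept", None)
    addr = ipaddress.IPv4Address(answer)
    if addr in ipaddress.IPv4Network("127.0.0.0/24"):
        return ("reject", int(addr) & 0xFF)
    # Any other address is not a listing (e.g. a hijacked or wildcarded
    # zone): fail open rather than reject mail on an unexpected answer.
    return ("accept", None)

def check_connection(client_ip, resolve):
    """resolve(name) returns the answer string or raises on lookup failure;
    a failed lookup also fails open so a backend outage does not stop mail."""
    try:
        answer = resolve(query_name(client_ip))
    except Exception:
        return ("accept", None)
    return decide(answer)

# Constructed stand-in for the Forefront DNSBL backend (not the real service):
# 203.0.113.9 is listed with code 2, everything else is unlisted.
_BACKEND = {query_name("203.0.113.9"): "127.0.0.2"}

def fake_resolve(name):
    return _BACKEND.get(name, "NXDOMAIN")

def failing_resolve(name):
    raise TimeoutError("constructed backend outage")
```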
"Why I'm getting this NDR??!"
Forefront Backscatter Protection
Outbound
[Diagram: Exchange internal sender -> Categorizer (Anti-Backscatter Agent) -> External recipient]
Anti-Backscatter Agent:
• Implemented as RoutingAgent
• Acts only on Outbound mail
• Attaches a token to P1.MailFrom:
Token Definition:
• BATV-compliant
• Hashed tag (based off a key, time, sender, expiration, etc.)
• Keys maintained and rotated
Forefront Backscatter protection
Inbound
[Diagram: NDR generating MTA -> Transport Pipeline (SMTP Receive Agent) -> Exchange NDR recipient]
SMTP Receive Agent:
• Disabled by default
• Acts upon DSNs only
Backscatter Filter logic:
• NDR discovery
• Token verification
• Acceptance decision
Token Verification:
• Decrypt the sig using proper key
• Verify integrity of the sig
• If correct – strip off the sig, stamp the header, and accept NDR
• If incorrect – Discard
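An added example (not Forefront's code) of the outbound signing and inbound verification described above, using the BATV prvs= tag layout (one-digit key version, three-digit expiry day mod 1000, six hex digits of hash). The key store, the rotation scheme, the HMAC-SHA256 tag and the 7-day lifetime are this example's assumptions.

```python
import hashlib
import hmac
import time

# Hypothetical key store (not FPE's): BATV key version (one digit) -> secret.
# Rotation means adding a new version and keeping the old one until every
# token signed with it has expired.
KEYS = {"1": b"retired-secret-constructed", "2": b"current-secret-constructed"}
CURRENT_VERSION = "2"
LIFETIME_DAYS = 7  # a signed MailFrom stays valid this long (assumption)

def _today(now=None):
    return int((time.time() if now is None else now) // 86400)

def _sig(key, exp_day, address):
    # Tag = HMAC over expiry day and original sender, truncated to 6 hex digits
    msg = f"{exp_day:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]

def sign_mail_from(address, now=None, version=CURRENT_VERSION):
    """Outbound routing agent step: rewrite P1.MailFrom into the BATV form
    prvs=KDDDSSSSSS=local@domain (K = key version, DDD = expiry day mod 1000)."""
    exp_day = (_today(now) + LIFETIME_DAYS) % 1000
    sig = _sig(KEYS[version], exp_day, address)
    return f"prvs={version}{exp_day:03d}{sig}={address}"

def verify_dsn_recipient(rcpt, now=None):
    """Inbound receive agent step for a DSN: return the original address
    (token stripped, NDR accepted) or None (no/invalid token, discard)."""
    if not rcpt.startswith("prvs="):
        return None  # NDR for an address we never signed: we did not send it
    tag, _, original = rcpt[5:].partition("=")
    if len(tag) != 10 or not original:
        return None
    version, exp_day, sig = tag[0], tag[1:4], tag[4:]
    key = KEYS.get(version)  # unknown or retired key version -> discard
    if key is None or not exp_day.isdigit():
        return None
    # Expiry check on the mod-1000 day counter: accept only if the tag
    # expires within LIFETIME_DAYS from now (this handles the wraparound).
    if (int(exp_day) - _today(now)) % 1000 > LIFETIME_DAYS:
        return None
    if not hmac.compare_digest(_sig(key, int(exp_day), original), sig):
        return None
    return original
```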
Forefront Content Filter Fingerprinting
Message Fingerprinting
• Fingerprinting applied to every incoming message*
• Relevant parts of the entire message are fingerprinted: URL/Domain, Information Entropy, Redirectors, Pattern Hash, Pattern Dictionary, Dynamic Patterns, Longest Common String, Image Framework (decoding/noise reduction)
• Message reduced to anonymous fingerprints
• Fingerprints don't indicate whether the message is legit or spam
Content Analysis Cache
• Fingerprints compared to local cache of known bad fingerprints
• Cache data updated every 45 seconds
• Match: message is identified as abuse (Spam) and rejected
• No match: message is identified as legitimate
* Exceptions apply (Safe Senders/Recipients/Safe Listed IPs, etc.)
Spam Confidence Level Definitions (Exchange)
SCL -1: Messages coming from a trusted source (AUTH'd or safe listed)
SCL 0: Messages categorized as not spam
SCL 1-4: The likelihood of messages being spam is extremely low to low
SCL 5-9: The likelihood of messages being spam is high to extremely high
Active Protection
• Stops junk e-mail and malware before they reach your network
• Provides always-available e-mail with user-based Quarantine
• Meets most compliance requirements
Enterprise-Class Reliability
• High-availability global network backed by SLAs
• Secure operations process that meets audit standards
Reduced Cost of Administration
• Reduces complexity of IT environment
• Quickly activates with simple MX record change
• Saves time on antispam management; frees up resources
• Deployed quickly without additional Capital Expenditures
FPE Hybrid Model Overview
[Diagram: Internet mail -> FOPE Gateway (spam policy, Full Management Policy) -> SMTP mail through the Firewall -> On-Premise Software: Exchange Hub and Mailbox Server (spam policy)]
Antivirus and antispam protection for Exchange Server 2007/2010 Server Roles
• FOPE sync: Per-recipient Safe Senders List
Steps to successfully enable FPE/FOPE Hybrid Model
1. Follow these steps to prepare your Exchange environment and enable management of the FOPE gateway in FPE:
• Register with FOPE and create an account: http://go.microsoft.com/fwlink/?LinkId=128194
• Install the FOPE Gateway
• Configure the FOPE settings in FPE and retrieve the FOPE datacenter IP addresses.
• Redirect your mail to the FOPE datacenter by changing your Mail Exchange (MX) records
2. Configure your firewall rules and Exchange Edge receive connector information. This will ensure that only mail that has been filtered by FOPE is accepted into your organization.
Setting up Hybrid Model
[Diagram: Create Account with the FOPE Service -> Change your MX record -> SMTP Mail flows from the FOPE Service to the Mail Server in Your Organization]
Forefront Protection 2010 for Exchange Server Summary
An easy to manage Premium Antimalware and Antispam Protection Solution for Microsoft Exchange Server
Comprehensive Protection
• Premium Antispam protection (on premises and in the cloud)
• Multiple Malware engine protection against emerging threats
• New: Content and Keyword Filtering
• New: Spyware protection: MSAV
• Encrypted messages scanning
Integrated Security
• Intelligent engine selection
• Automated updating
• Monitoring security state in real-time
• Inclusive management console with security/protection views
• Integration with Exchange 2007 and 2010/IRM
Simplified Management
• New: Manage on premises and off premises security policies
• Fast response to security incidents
• Hybrid Model
Key Differentiators
• Malware Protection: Multiple Engines
• Spam Protection: Layered Defense
• Ease of Administration, Monitoring, and Reporting
• Hybrid Model: Integration with Online Service
SIA324 | Business Ready Security: Microsoft Exchange Server 2010 and the Microsoft Forefront Secure Messaging Solution, Better Together
SIA314 | Secure Messaging: Microsoft Forefront Protection 2010 for Exchange Server
SIA316 | Behind the Spam: A Look at Botnets, Malware, and the Spammers Who Run Them
SIA04-INT | Secure Messaging: Implementing Microsoft Forefront Online Protection for Exchange Best Practices, Pitfalls and Support
SIA04-HOL | Microsoft Forefront Online Protection for Exchange Administration and Reporting
SIA10-HOL | Secure Messaging Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-1 | Microsoft Forefront Secure Messaging Solution
Learn more about our solutions:
http://www.microsoft.com/forefront
Try our products:
http://www.microsoft.com/forefront/trial
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration
Join us in Atlanta next year