EX04: Exchange 2007 Security, Part II
Jim McBee (jmcbee@somorita.com)
http://mostlyexchange.blogspot.com
Agenda
– Why the Edge Transport Role?
– Message Hygiene
– Securing Internet Client Access
– Summary
Exchange 2007 Themes
IT Pro Situation: Control
– E-mail is mission-critical
– E-mail systems too complex/expensive
– Management tasks tedious, not automated
Org-wide Situation: Built-In Protection
– Security the top concern
– Spam and viruses compromise the e-mail experience
– Regulatory compliance critical in many industries
Info Worker Situation: Anywhere Access
– Users want easy access to all their communications
– Mobile devices are increasingly common
– Calendaring is frustrating
Protecting The Perimeter
– Prevent hostile or unwanted content from reaching Exchange mailbox servers
– Enforce messaging policies before e-mail enters the internal network
– Reduce the attack surface for your Internet-exposed resources
Perimeter security
– Exchange Server 2007 Edge Services
– Microsoft Forefront Security for Exchange Server
– Microsoft ISA Server
Why The Edge Transport Role?
The Need For The Edge (cont.)
Mail routers on the organization border have specialized needs
– CAS role is designed for mailbox access
– Hub Transport tied into Active Directory
– Increased security threats
– Must balance conflicting objectives
  • Make intelligent routing choices
  • Reject bad messages, not allow into the organization
  • Enforce message hygiene and policy
  • Minimize firewall exposure and reconfiguration
The Need For The Edge
Exchange 2003: Monolithic architecture
– No granular control over which code modules are installed
– Some services (Store) are required for RFC-required functionality
– Active Directory membership
  • Need DC and GC access
  • Exposes entire forest
– Perceived to be vulnerable as a border MTA
Exchange 2007 On The Edge
– Full AD integration without AD exposure
  • EdgeSync
– Easier than ever to provide secure transit without a lot of configuration
– Enforce policies on the edge for a big compliance win!
– Extensive message hygiene features
– Fully scriptable
Message Hygiene
Message Hygiene at the Edge
– Enterprise-ready capabilities built in to the Exchange 2007 Edge Server role
  • Anti-spam
  • Anti-virus
– Easily extended for third-party functionality
Fighting Spam in Exchange 2007
Connection filtering
– Drop bad connections based on source IP address
  • Allow/deny lists
  • DNS real-time blocklists
  • Third-party allow lists
– Preserve resources (CPU, RAM, bandwidth)
Protocol filtering
– Drop bad connections based on the SMTP conversation
  • Sender filtering
  • Recipient filtering
  • Protocol errors
– Slow down persistent senders to avoid excessive resource consumption (tarpitting)
Fighting Spam in Exchange 2007
Content filtering
– Reject or bounce messages based on content cues
  • Intelligent Message Filter (IMF)
  • Sender ID and domain reputation
  • Computational puzzles
  • Transport rules
– Most resource intensive
Quarantine
– Managed by administrator
– Integrated with IMF
Connection Filtering
Admin-configured allow/deny
– By IP
– By domain
– By sender
– By recipient
Real-time lists
– Block lists (DNS RBLs)
– Allow lists (bonded senders)
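As an added example (not code from the presentation and not Exchange's own implementation), the following Python shows the mechanics behind the two list types on this slide: admin-configured allow/deny lists matched locally against the connecting IP, then a DNS real-time block list queried by reversing the IP's octets under the provider's zone, where any A record answer means "listed". The resolver and the `rbl.example` zone are constructed stand-ins so the code runs offline; the precedence (allow list first, then deny list, then providers) is the example's choice.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Constructed stand-in for DNS. "rbl.example" is a placeholder lookup zone,
# not a real block-list provider; the two entries are made up for this example.
FAKE_DNS = {
    "4.3.2.1.rbl.example": "127.0.0.2",       # 1.2.3.4 is listed
    "7.100.51.198.rbl.example": "127.0.0.2",  # 198.51.100.7 is listed
}


def fake_resolve(name: str) -> Optional[str]:
    """Return the A record for a name, or None when the name does not exist (not listed)."""
    return FAKE_DNS.get(name)


def rbl_query_name(ip: str, lookup_domain: str) -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, under the provider's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("the DNSBL convention shown here is IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{lookup_domain}"


def is_listed(ip: str, lookup_domain: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Any A record answer (conventionally 127.0.0.x) means the address is listed."""
    return resolve(rbl_query_name(ip, lookup_domain)) is not None


def connection_filter(ip: str, allow: Iterable[str], deny: Iterable[str],
                      providers: Iterable[Tuple[str, str]],
                      resolve: Callable[[str], Optional[str]] = fake_resolve) -> str:
    """Decide whether to accept an SMTP connection from `ip`.

    Precedence used here: the admin allow list wins, then the admin deny list,
    then the block-list providers in order. Checking the local lists first means a
    trusted partner is never rejected because of a stale block-list entry, and no
    DNS round trip is spent on an address the administrator already decided about."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in allow):
        return "accept: admin allow list"
    if any(addr in ipaddress.ip_network(n, strict=False) for n in deny):
        return "reject: admin deny list"
    for name, zone in providers:
        if is_listed(ip, zone, resolve):
            return f"reject: listed by {name}"
    return "accept"


if __name__ == "__main__":
    providers = [("example block list", "rbl.example")]
    for ip in ("1.2.3.4", "198.51.100.7", "203.0.113.9"):
        verdict = connection_filter(ip, allow=["198.51.100.0/24"], deny=[], providers=providers)
        print(f"{ip:15} -> {verdict}")
```

The run shows 198.51.100.7 accepted despite being listed, because the allow list is consulted before any provider; that is the behaviour an administrator relies on when a partner's mail relay lands on a public block list.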
Protocol Filtering
Sender filters
– Local restrictions
– Sender ID
Recipient filters
Protocol analysis
– SMTP errors
  • Example: Bad/missing domain in HELO/EHLO
  • Example: DNS checks for matching A and PTR records
– Patterns in connections/submissions
Tarpitting
Tarpitting: How It Works
1. An SMTP client establishes connection.
2. After a configurable error threshold, Exchange adds a delay to each SMTP response.
3. With each subsequent error or protocol violation, Exchange increases the delay time.
4. The SMTP client continues to get valid responses – just farther apart.
5. The SMTP client maintains the connection while successfully completing fewer actions.
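The five steps above as an added simulation in Python (not Exchange's implementation; the threshold, base delay, step and cap are constructed numbers, not Exchange's settings). One session object counts protocol errors per connection; once the count passes the threshold every reply is delayed, the delay grows with each further error, and a valid command still gets its valid reply, only later. The delay is returned rather than slept so the schedule can be inspected.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TarpitPolicy:
    """Constructed policy values (not Exchange's defaults)."""
    error_threshold: int = 3     # protocol errors tolerated before any delay
    base_delay_s: float = 5.0    # delay applied once the threshold is crossed
    step_s: float = 5.0          # growth per further error
    max_delay_s: float = 60.0    # cap so the server never ties itself up indefinitely


@dataclass
class TarpitSession:
    """Per-connection state: the error count alone drives the delay."""
    policy: TarpitPolicy = field(default_factory=TarpitPolicy)
    errors: int = 0

    def current_delay(self) -> float:
        excess = self.errors - self.policy.error_threshold
        if excess <= 0:
            return 0.0
        return min(self.policy.base_delay_s + (excess - 1) * self.policy.step_s,
                   self.policy.max_delay_s)

    def respond(self, command: str, accepted: bool) -> Tuple[str, float]:
        """Return the SMTP reply and the delay (seconds) inserted before sending it.

        A real server would sleep for the delay before writing the reply; returning
        it keeps the schedule inspectable. Accepted commands still get a valid reply,
        just later (step 4 on the slide); the delay never resets within a session."""
        if not accepted:
            self.errors += 1
        reply = "250 OK" if accepted else "550 5.1.1 User unknown"
        return reply, self.current_delay()


def simulate(commands: List[Tuple[str, bool]], policy: Optional[TarpitPolicy] = None) -> List[float]:
    """Run a constructed transcript through one session and return the delay per reply."""
    session = TarpitSession(policy or TarpitPolicy())
    return [session.respond(cmd, ok)[1] for cmd, ok in commands]


# Constructed transcript: five RCPT commands the server rejects, then one it accepts.
SAMPLE = [(f"RCPT TO:<nobody{i}@example.com>", False) for i in range(5)]
SAMPLE.append(("RCPT TO:<alice@example.com>", True))

if __name__ == "__main__":
    for (cmd, _), delay in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{delay:5.1f}s  {cmd}")
```

With the constructed policy the six replies are delayed 0, 0, 0, 5, 10 and 10 seconds: the first three errors are free, the fourth starts the delay, the fifth grows it, and the accepted sixth command inherits the current delay. The cap matters operationally: without it a client that keeps erroring would make the server hold the thread for ever-longer waits, turning a defensive measure into a resource problem.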
Sender ID
By-domain DNS-based policy to identify hosts trusted to send mail from that domain
– Published in DNS
– Backwards compatible with Sender Protection Framework (SPF)
– Check envelope (MAIL FROM) or Purported Responsible Address (PRA)
Server can take action at check time or integrate results with IMF
Performed by Edge
– Usually performed by the first server in the organization to handle a given message
– If that server isn't Edge, Exchange may not get the full benefit of the Sender ID check
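As an added example (not code from the presentation or from Exchange), the following Python evaluates a published SPF-style policy for a connecting IP and shows the difference between the two identities on this slide: the envelope sender (MAIL FROM) and the PRA taken from the message headers. It handles the `ip4`, `a`, `mx`, `include` and `all` mechanisms with their qualifiers, which covers most records seen in practice; the DNS table, domains and records are constructed so it runs offline, and the PRA selection is the simplified precedence Resent-Sender, Resent-From, Sender, From rather than the full header-block rules.

```python
import ipaddress
from email.utils import parseaddr
from typing import List, Optional

# Constructed in-memory DNS. example.com and partner.example are documentation
# names and every record below is made up for this example.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("partner.example", "TXT"): ["v=spf1 include:example.com ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> List[str]:
    return DNS.get((name.lower(), rtype), [])


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's published policy for the connecting IP.

    Returns pass, fail, softfail or neutral; "none" when the domain publishes no
    record; "permerror" for an unknown mechanism or a runaway include chain."""
    if depth > 10:
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                      # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain               # a/mx without an argument use the record's domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(target, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # record exhausted without a match


def purported_responsible_address(headers: dict) -> Optional[str]:
    """Simplified PRA selection: first of Resent-Sender, Resent-From, Sender, From."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if name in headers:
            return parseaddr(headers[name])[1] or None
    return None


def sender_id_check(ip: str, mail_from: str, headers: dict, scope: str = "pra") -> str:
    """Check the envelope sender ("mfrom") or the PRA ("pra"), the two scopes on the slide."""
    identity = mail_from if scope == "mfrom" else purported_responsible_address(headers)
    if not identity or "@" not in identity:
        return "none"
    return check_host(ip, identity.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed message: envelope sender at partner.example, From header at example.com,
    # delivered from an address neither domain authorizes.
    headers = {"From": "Alice <alice@example.com>"}
    print("MAIL FROM scope:", sender_id_check("203.0.113.5", "bounce@partner.example", headers, "mfrom"))
    print("PRA scope:      ", sender_id_check("203.0.113.5", "bounce@partner.example", headers, "pra"))
```

The constructed message illustrates why the scope matters: checked against the envelope domain (partner.example, which ends in `~all`) the result is only a softfail, while checked against the PRA domain (example.com, which ends in `-all`) it is a hard fail. The same message, the same sending IP, two different verdicts depending on which identity the first server in the organization chooses to evaluate.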
Content Filtering
Intelligent Message Filter (IMF)
– Uses SmartScreen technology
– Compares and weights a composite score from several data sources
  • Sender ID (if used)
  • IP address presence on blocklists (if so configured)
  • Message characteristics
– Provides two confidence levels: spam and phish
Custom weight lists
– Administrator-configurable word lists allow fine-tuning of IMF results
Transport rules allow centralized dynamic response to time-critical threats
Quarantine
IMF Features
Automatic updates
– Every 2 weeks
– Daily with Enterprise licenses
Integrates domain reputation
– Sender ID
– Local dynamic domain reputation
Computational puzzles
Self-adjusts as administrators remove false positives from quarantine
Anti-phishing protection
Microsoft Forefront Security
Attachment Filtering
Strip attachments
– By file size
– By MIME content type
– By file extension
Look inside ZIP archives
Create rules on the fly to block emerging threats
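An added example of the three strip criteria on this slide plus the look-inside-ZIP step, written in Python (not Forefront's or Exchange's code; the blocked-extension list, blocked MIME type, size limit and nesting limit are constructed policy values). It also handles the two cases a filter meets as soon as it opens archives: a member whose declared size is far larger than the archive, which must be rejected before inflating it, and an encrypted member, which the filter cannot see inside and therefore reports rather than passes.

```python
import io
import mimetypes
import zipfile
from dataclasses import dataclass
from typing import List


@dataclass
class Attachment:
    filename: str
    content_type: str
    data: bytes


# Constructed policy values for this example; a deployment carries its own lists.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js"}
BLOCKED_CONTENT_TYPES = {"application/x-msdownload"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024
MAX_ARCHIVE_DEPTH = 2     # ZIP inside ZIP is inspected; deeper nesting is rejected outright


def extension_of(filename: str) -> str:
    name = filename.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def violations(att: Attachment, depth: int = 0) -> List[str]:
    """Return every reason the attachment should be stripped; an empty list means clean."""
    reasons = []
    ext = extension_of(att.filename)
    if len(att.data) > MAX_ATTACHMENT_BYTES:
        reasons.append(f"{att.filename}: {len(att.data)} bytes exceeds size limit")
    if att.content_type.lower() in BLOCKED_CONTENT_TYPES:
        reasons.append(f"{att.filename}: blocked MIME type {att.content_type}")
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{att.filename}: blocked extension {ext}")
    if ext == ".zip" or att.content_type.lower() == "application/zip":
        reasons.extend(inspect_zip(att, depth))
    return reasons


def inspect_zip(att: Attachment, depth: int) -> List[str]:
    """Apply the same policy to every member of a ZIP archive."""
    if depth >= MAX_ARCHIVE_DEPTH:
        return [f"{att.filename}: archive nested deeper than {MAX_ARCHIVE_DEPTH} levels"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(att.data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Check the declared size before inflating: a tiny archive can declare a
                # huge member, and inflating it blindly is a denial-of-service risk.
                if info.file_size > MAX_ATTACHMENT_BYTES:
                    reasons.append(f"{att.filename}/{info.filename}: declared size "
                                   f"{info.file_size} exceeds limit")
                    continue
                try:
                    data = zf.read(info)
                except RuntimeError:
                    # Encrypted member: the filter cannot see inside, so report it.
                    reasons.append(f"{att.filename}/{info.filename}: encrypted member "
                                   "cannot be inspected")
                    continue
                inner = Attachment(
                    filename=f"{att.filename}/{info.filename}",
                    content_type=mimetypes.guess_type(info.filename)[0] or "application/octet-stream",
                    data=data,
                )
                reasons.extend(violations(inner, depth + 1))
    except zipfile.BadZipFile:
        reasons.append(f"{att.filename}: not a readable ZIP archive")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample archive: a harmless document beside an executable name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("invoice.exe", b"MZ constructed sample bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    bundle = Attachment("bundle.zip", "application/zip", build_sample_zip())
    for reason in violations(bundle):
        print("strip:", reason)
```

The sample archive yields a finding for `bundle.zip/invoice.exe` and none for `report.pdf`, which is the point of looking inside archives: the outer attachment is a clean ZIP, and only the recursive check sees the blocked extension. The nesting limit, the declared-size check and the encrypted-member report are the caveats to keep when extending the same idea to other container formats.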
Transport AV By Role
Edge Transport
– Filters inbound and outbound traffic
Hub Transport
– Filters all email between mailboxes
– …even on the same server
Mailbox
– Scan the mailbox store
– Use legacy VSAPI 2.5 interface
Microsoft Hosted Exchange Services
Exchange Options
– Provides choice in how you deploy and manage your messaging infrastructure
– Exchange Hosted Services complement any Exchange mailbox
– Exchange Hosted Filtering included with Enterprise Client Access Licenses
Diagram labels: Hosted Exchange (through service providers); Complementary Services; Choice for Messaging
Securely Publishing Exchange Resources To The Internet
Microsoft ISA Server Protection
Reverse proxy Exchange services
– Outlook Web Access
– RPC over HTTPS
– ActiveSync
Offload Forms-Based Authentication
– ISA Server has FBA logon form
Delegated authentication at the ISA Server
– Authenticate user prior to allowing internal access
– Supports Smart Card authentication
Enterprise Topology (diagram)
– ISA Server: reverse proxy, forms-based authentication
– Edge Transport: routing, hygiene
– Hub Transport: routing, policy
– Client Access: applications (OWA); protocols (EAS, POP, IMAP, Outlook Anywhere); programmability (Web services, Web parts)
– Unified Messaging: voice messaging, fax, Outlook Voice Access; PBX/VoIP
– Mailbox servers and Public Folders
– Clients: internal clients, external clients, SMTP clients
Summary
Message hygiene out of the box
– Four-stage granular anti-spam
– Transport anti-virus by role
Microsoft Forefront Security for Exchange Server provides antivirus protection
Exchange Hosted Services offers you flexibility
ISA Server improves security for Internet-exposed resources
For more information
– Visit TechNet: http://www.microsoft.com/technet
– Visit the Exchange 2007 home page: http://www.microsoft.com/exchange/preview/default.mspx
– Microsoft Forefront: http://www.microsoft.com/forefront/default.mspx
Questions?
Antigen for SMTP Gateways
– Detects and removes e-mail viruses at the network edge
– Scans the SMTP stack to disable threats within a message during the routing process
– Provides advanced content filtering capabilities for messages and attachments
– Integrates file filtering, keyword filtering, anti-spam, and content filtering during the routing process
– Protects Windows Server 2003 and Windows 2000 Server SMTP gateways
– Proactively notifies administrators of virus incidents and scan events by e-mail or event log
Diagram labels: Internet; Firewall; SMTP Gateway Server/Routing Server; Exchange Servers; Users
Antigen for Exchange
– Detects and removes viruses in e-mail messages and attachments
– Scans at the SMTP stack (most processing-intensive scans)
– Scans in real time at the Exchange information store
– Provides on-demand and scheduled scans of the information store
– Uses Microsoft-approved virus scanning API integration for Exchange 2000 and 2003
– Provides advanced content-filtering capabilities for messages and attachments
– Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level
– Protects Exchange Server 5.5, 2000, and 2003
Diagram labels: Internet; ISA Server; Exchange Front End; Exchange Site 1; Exchange Site 2; Exchange Public Folder Server; Exchange Mailbox Server
Extending AV
Agent framework for third-party integration
Exchange 2007 provides new capabilities
– Managed MIME parsing and composing
– Content-Transfer encoding (Base64, QP, UUEncode, BinHex)
– Managed TNEF and RTF parsing and composing
– Managed iCalendar/vCard parsing and composing