Robert Petrunić, CISSP, CEH, MCITP Algebra

Posted 15-Dec-2015


Agenda

• How do we get to security? (the challenge)
• How Forefront (FF) approaches the problem
• What the FF family includes
• FF Endpoint Protection 2010
• FF Identity Manager
• FF TMG and UAG

How do we get to security? (the challenge)

Everyday problems

• Malware, spam, phishing
• Passwords
• Users browse instead of working
• Tunnelling and hiding traffic
• Money (lack of it)
• Lack of understanding and training
• Software flaws, 0-day attacks
• Criminals
• Social networks
• ...

Problems ...

• Reverse connection
• Exploit and malware from the web
• Exploit and malware from inside
• HTTP/HTTPS tunnelling
• CD/USB stick
• Disgruntled user
• Covert channels
• ...


Potential solutions

• Education, demystification
• End-to-end trust
− Secure by design
− Secure by default
− Secure in deployment
• Antivirus programs
• Firewall, IDS/IPS, honeypot
• Better and more comprehensive management tools
• Restrictions
• Forefront products

How FF approaches the problem

Business Ready Security

• 1.
− Protection everywhere
− Access from anywhere
• 2.
− Integrated
− Extensible
• 3.
− Simple
− Manageable

What the FF family includes

• FF Endpoint Protection
• FF Application Security
− FF Online Protection for Exchange
− FF Protection for Exchange
− FF Protection for Office Communications Server
− FF Protection for SharePoint
• FF Network (Edge) Access and Protection
− FF Threat Management Gateway
− FF Unified Access Gateway
• FF Identity Management
− FF Identity Manager 2010

FEP + Security Management Pack

• FEP (Forefront Endpoint Protection)
− Antivirus and security solution for clients
− Integrated into SCCM 2007
• FEP Security Management Pack
− Antivirus and security solution for servers
− Integrated into SCCM 2007
• FEP 2012 is in RC!!!

FEP + Security Management Pack

• They offer:
− Integration with the existing management infrastructure (SCCM 2007)
− Antimalware engine (proven)
− Reporting (MS SQL Reporting Services)
− Policy-based antimalware management
− Firewall management
− Migration from existing solutions (FF Client Security)

FEP + Security Management Pack

• Simple to deploy
• Simple to manage
• Unified protection
− Antimalware (viruses, trojans, rootkits, worms, spyware ...)
− Vulnerability assessment
− Windows Firewall management
− NIS (Network Inspection System)

FEP + Security Management Pack

• System requirements (server)
− 2 GB of memory
− FEP server (600 MB), FEP database (1.25 GB), FEP reporting database (1.25 GB)
− Windows Server 2003 SP2 or newer
− SQL Server 2005 SP3 or newer
− Microsoft SCCM 2007 SP2 or newer
− Windows Installer 3.1, .NET 3.5 SP1

Deployment

[Architecture diagram: SCCM Server (SQL Reporting Services, SCCM Software Distribution, SCCM Desired Configuration Management) exchanging DATA, Config./Dashboard, Reports and EVENTS with desktops, laptops and servers; other elements labelled TELEMETRY, SpyNet and Network File Share]

• Total client deployment to date: 110K
• Target deployment: 250K

FEP client distribution

• 2 methods:
− Distribution via SCCM
− Running the .exe file with parameters
• Manual installation
• Scripted installation
• Third-party installation tools
• Group Policy installation
• Preinstalled in the OS image
• ...

Client Distribution Flow

Policy configuration → Third-party detection → Silent removal of third-party products → FEP client installation → Signature update

Automatic removal of the existing AV:

• Symantec Endpoint Protection version 11
• Symantec Corporate Edition version 10
• McAfee VirusScan Enterprise version 8.5 and version 8.7
• Trend Micro OfficeScan version 8.0 and version 10.0
• Forefront Client Security version 1, including the Operations Manager agent

DEMO – FF client security

Management

Management Scenarios

• Policy Management
− Scheduled scans
− Scan exclusions
− Update locations
− Client configuration
• Desired Configuration Management (DCM)
− Clients out of policy
− Unhealthy clients
− Out-of-date clients
• Reporting
− Malware activity
− Computer health
− Summary or detailed views

Unified Management Interface

• Simplified operations for client management and security through a unified console

• Centralized console for policy management and monitoring

• Enterprise-wide visibility into client security

• Quick identification and remediation of client security issues

Goals for Protection in FEP 2010

[Diagram: customer machine and MMPC (Microsoft Malware Protection Center), connected by the labels Malware Activity, Samples, Signatures and Advanced Protection; goals: blocking threat infections, neutralizing active threats]

• Real-time Protection
• Generics & Heuristics
• Browser Protection
• Network Vulnerability Shielding
• Anti-rootkit
• Behavior Monitoring
• Dynamic Signature Service
• Malware Response

Forefront Protection Stack: Summary

[Diagram grouping the protection technologies (Anti-Rootkit, Generics and Heuristics, Real-time Protection, Behavior Monitoring, Dynamic Signature Service, Malware Response, Browser Protection, Network Vulnerability Shielding) under four goals: provide high-quality protection, cover more attack vectors, discover new threats, deliver signatures faster]

FEP Supported Clients

• Client SKUs:
− Windows XP SP3 (x86): no Network Inspection System (Vulnerability Shielding) support
− Windows Vista (x86 and x64): SP1 required for NIS support
− Windows 7 (x86 and x64)
− Windows 7 XP Mode
• Server SKUs:
− Windows Server 2003 SP2 (x86 and x64) + R2
− Windows Server 2008 (x86 and x64) + R2

DEMO – FEP console in SCCM

What is FIM?

• FIM = ILM 2007 +
− integrated user management
− self-service portals for managing credentials, groups and policies
• Main differences:
− IT can manage heterogeneous identities without writing custom code
− Users manage the attributes of their identities with familiar tools (Office, SharePoint, Windows)
− Developers can extend the platform (open platform)

FIM features

• Credential Management
− Heterogeneous certificate management with 3rd-party CAs
− Management of multiple credential types, including one-time passwords
− Self-service password reset integrated with Windows logon
• Group Management
− Rich Office-based self-service group management tools
− Offline approvals through Office
− Automated group and distribution list updates
• User Management
− Integrated provisioning of identities, credentials, and resources
− Automated, codeless user provisioning and de-provisioning
− Self-service profile management
• Policy Management
− SharePoint-based console for policy authoring, enforcement & auditing
− Extensible WS-* APIs and Windows Workflow Foundation workflows
− Heterogeneous identity synchronization and consistency

FIM architecture

[Architecture diagram: Solutions Group (Credential Mgmt, Group Mgmt, Policy Mgmt, User Mgmt, Custom); ILM Clients (Outlook, Portal, Windows, Custom); ILM Platform with ILM Service (Request Processor, AuthN Workflow, AuthZ Workflow, Action Workflow, Delegation & Permissions, AppDB) and ILM Sync (Adapters, SyncDB); Cert Mgmt via ILM-CM, ILM-CM Portal and ILM-CMDB; Identity Stores: Directories, Databases, E-Mail Systems, Applications]

FIM management agents

• AD DS
• AD LDS
• AD GAL
• Delimited text file
• Any file-based data source
• Fixed-width text files
• IBM DB2
• IBM Tivoli DS
• LDIF
• Novell eDirectory
• Oracle database
• SAP R/3
• MS SQL
• SUN DS
• Netscape DS

• A management agent synchronizes FIM with the connected data source

FIM scenarios

• 3 most common scenarios:
− Smart card logon
− VPN (IPsec, SSL)
− Secure e-mail (S/MIME)

FIM licensing

• Server license
− For FIM 2010 servers
• Client license
− For every user whose identity or certificate is managed by FIM
− For every user who accesses the FIM software
− External users (CAL or External Connector)

Before → Now

• Network Protection → Integrated and comprehensive protection from Internet-based threats
• Network Access → Unified platform for all enterprise remote access needs

What is TMG?

• Firewall – Control network policy access at the edge
• Secure Web Gateway – Protect users from Web browsing threats
• Secure E-mail Relay – Protect users from e-mail threats
• Remote Access Gateway – Enable users to remotely access corporate resources
• Intrusion Prevention – Protect desktops and servers from intrusion attempts

Comprehensive, Integrated, Simplified

Features

• Firewall
− VoIP traversal
− Enhanced NAT
− ISP link redundancy
• Secure Web Access
− HTTP antivirus/antispyware
− URL filtering
− HTTPS forward inspection
• E-mail Protection
− Exchange Edge integration
− Antivirus
− Antispam
• Intrusion Prevention
− Network Inspection System
• Remote Access
− NAP integration with client VPN
− SSTP integration
• Deployment and Management
− Array management
− Change tracking
− Enhanced reporting
− W2K8, native 64-bit
• Subscription Services
− Malware protection
− URL filtering
− Intrusion prevention

Comparing with ISA Server 2006

• Available in both ISA Server 2006 and Forefront TMG:
− Network layer firewall
− Application layer firewall
− Internet access protection (proxy)
− Basic OWA and SharePoint publishing
− IPsec VPN (remote and site-to-site)
− Web caching, HTTP compression
− Exchange publishing (RPC over HTTP)
• New in Forefront TMG:
− Web antivirus, antimalware
− URL filtering
− E-mail antimalware, antispam
− Network intrusion prevention
− Enhanced UI, management, reporting
− Windows Server® 2008 R2, 64-bit (only)

TMG vs. ISA 2006

• HTTPS inspection
• URL filtering
• Antimalware web protection
• Built-in IPS
• Improved e-mail protection
• Improved NAT support
• Improved VoIP support
• 64-bit OS

NIS

• Signature based
• Three types of signatures:
− Vulnerability based
− Exploit based
− Policy based
• Based on GAPA (Generic Application-level Protocol Analyzer)
• Known browser-based attacks
• MMPC (Microsoft Malware Protection Center) researches vulnerabilities and writes the signatures

NIS – signature creation process

NIS supported protocols

• HTTP, DNS
• SMB, SMB2, NetBIOS, MSRPC
• SMTP, POP3, IMAP, MIME
• ... for now ...

NIS planning

• Capacity
− Uses up to 30% additional resources on the TMG server with antimalware inspection enabled
− Most of that is due to HTTP traffic

HTTPS inspection

• Solves the tunnelling problem
• Prevents access to sites with invalid certificates
• Exceptions are possible
• TMG generates the certificates (MitM)

URL filtering - purpose

• Increased security
• Increased productivity
• Reduced liability risk
• Reduced bandwidth consumption

URL filtering - MRS

• Microsoft Reputation Services (MRS): a cloud-based reputation centre hosted in a Microsoft datacentre
• TMG stores the data from MRS locally (TTL)
• Uses filters from several vendors, each specialised in a particular area

URL filtering

• Over 80 URL categories (Child Pornography, Anonymizers, BotNets, Gambling, Malicious, Hate/Discrimination ...)
• Unlike ISA Server, where the administrator had to import and build the categories
• Simple configuration (categories)
• Exceptions are possible
• Reporting – who are the users that constantly violate company policies?
• The MRS policy can be overridden locally
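The URL-filtering flow described on these slides (a cloud reputation lookup, a local copy of the verdict held for a TTL, category-based block rules, local overrides of the cloud category, host exceptions, and reporting of users who repeatedly violate policy) is illustrated below with a small policy evaluator. This is an added example written for this page, not TMG's or Microsoft's code; the category names come from the slide, the MRS lookup is replaced by a constructed host-to-category table, the request list is constructed, and the class and function names (`ReputationCache`, `UrlFilterPolicy`, `UrlFilter`, `run_demo`) are assumptions.

```python
import time
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the cloud reputation service: host -> category.
# In a real deployment this answer comes from a network lookup (MRS); here it is a table.
SIMULATED_MRS = {
    "news.example": "News",
    "gambling.example": "Gambling",
    "anon-proxy.example": "Anonymizers",
    "c2.example": "BotNets",
    "evil.example": "Malicious",
    "internal-tool.example": "Anonymizers",   # constructed false positive, fixed by a local override
}

def simulated_mrs_lookup(host):
    """Hypothetical cloud lookup; unknown hosts come back as Uncategorized."""
    return SIMULATED_MRS.get(host, "Uncategorized")

class ReputationCache:
    """Local cache of category verdicts with a time-to-live, modelling the TTL-bound
    copy of MRS answers that the gateway keeps. Expired entries are fetched again."""
    def __init__(self, lookup, ttl_seconds, clock=time.monotonic):
        self._lookup = lookup
        self._ttl = ttl_seconds
        self._clock = clock          # injectable clock so the TTL can be tested deterministically
        self._entries = {}           # host -> (category, expiry time)
        self.misses = 0              # how often the "cloud" had to be asked

    def category(self, host):
        now = self._clock()
        hit = self._entries.get(host)
        if hit and hit[1] > now:
            return hit[0]
        self.misses += 1
        cat = self._lookup(host)
        self._entries[host] = (cat, now + self._ttl)
        return cat

@dataclass
class UrlFilterPolicy:
    blocked_categories: set
    category_overrides: dict = field(default_factory=dict)   # local override of the cloud verdict
    allowed_hosts: set = field(default_factory=set)          # exceptions: always allowed

class UrlFilter:
    def __init__(self, policy, cache):
        self.policy = policy
        self.cache = cache
        self.violations = Counter()  # user -> number of blocked requests, for reporting

    def classify(self, host):
        # A local override wins over the cached cloud verdict.
        return self.policy.category_overrides.get(host) or self.cache.category(host)

    def check(self, user, url):
        """Return ("allow"|"block", reason) for one request and record violations."""
        host = urlsplit(url).hostname or ""
        if host in self.policy.allowed_hosts:
            return ("allow", "exception")
        cat = self.classify(host)
        if cat in self.policy.blocked_categories:
            self.violations[user] += 1
            return ("block", cat)
        return ("allow", cat)

    def repeat_violators(self, threshold):
        """Reporting: users whose blocked-request count reaches the threshold."""
        return [u for u, n in self.violations.most_common() if n >= threshold]

# Constructed sample traffic: (user, requested URL).
REQUESTS = [
    ("alice", "http://news.example/today"),
    ("bob",   "http://gambling.example/poker"),
    ("bob",   "https://anon-proxy.example/"),
    ("bob",   "http://c2.example/beacon"),
    ("carol", "http://gambling.example/lottery"),
    ("dave",  "http://internal-tool.example/app"),
    ("dave",  "https://vendor.example/portal"),
    ("erin",  "http://evil.example/"),
]

def run_demo(ttl_seconds=60):
    """Evaluate the sample traffic, then advance the clock past the TTL to show a re-fetch."""
    clock = [0.0]
    cache = ReputationCache(simulated_mrs_lookup, ttl_seconds, clock=lambda: clock[0])
    policy = UrlFilterPolicy(
        blocked_categories={"Gambling", "Anonymizers", "BotNets", "Malicious"},
        category_overrides={"internal-tool.example": "Business"},
        allowed_hosts={"vendor.example"},
    )
    flt = UrlFilter(policy, cache)
    results = [flt.check(user, url) for user, url in REQUESTS]
    clock[0] += ttl_seconds + 1                     # cached verdicts are now stale
    results.append(flt.check("alice", "http://gambling.example/again"))
    return flt, results

if __name__ == "__main__":
    flt, results = run_demo()
    for (user, url), verdict in zip(REQUESTS, results):
        print(f"{user:6} {url:40} {verdict}")
    print("cloud lookups:", flt.cache.misses, "repeat violators:", flt.repeat_violators(2))
```

The override and the exception take different paths on purpose: an exception skips classification entirely, while an override replaces the category and is still subject to the block list, which is what you want when a cloud verdict is wrong rather than when a host should bypass policy.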

Antimalware inspection

• Catches web-based malware
• Cuts suspicious traffic before it enters the internal network
• Antivirus software at the network edge

UAG vs. TMG

• Forefront TMG 2010
− Enables users to safely and productively use the Internet without worrying about malware and other threats
• Forefront UAG
− Comprehensive, secure remote access to corporate resources
• Forefront UAG is the preferred solution for providing remote access
− Forefront TMG 2010 still provides support for remote access features, but it is not the recommended solution

UAG appliance

DEMO – TMG console: new functionality

Problems and solutions

• Zero-day attacks, malware, phishing, spam
− FF Endpoint Security
− TMG
• Policies, passwords and regulatory requirements, social networks
− TMG
− FIM
• Passwords
− FIM
• Lack of understanding and training
− All tools in the FF family (the user-facing part is simple)

Questions?

Thank you!