Copyright Microsoft Corp. 2006
Sunil Uppal, Sr. Consultant, Microsoft
Building a Multi-Layered Security Solution for Email
Session Objective
To help IT Professionals understand and articulate Microsoft's Secure Messaging solution
Secure messaging infrastructure – On premise
Message Hygiene
Anti-Spam
Network edge protection
Anti-virus
Multi-layer solution: On-premise software complemented with Hosted Services
The Interconnected World
Communication, Collaboration, Business productivity gains
Evolving threats to Collaboration: Worms and Viruses, Spam
What is messaging hygiene?
Maintain corporate messaging environment free of malicious and unauthorized content
Threats:
Virus infected e-mail
Unsolicited commercial e-mail (spam)
Denial of Service (DoS) attacks
Directory Harvesting (DHA) attacks
E-mail spoofing
Unauthorized mail submission (Relaying)
Phishing
E-Mail Hygiene – Is it important?
Malicious and unsolicited e-mail messages: an annoyance to users… but also a large hit to the infrastructure
One day of MS IT statistics (Dec 2004)
[Figure: incoming e-mail passes through Connection Filtering, Sender and Recipient Filtering and Intelligent Message Filtering before reaching the Outlook 2003 mailbox, where it lands in Inbox or Junk E-mail]
Out of estimated 50,000,000+ e-mail submission attempts to the microsoft.com domain, only about 1,500,000 messages were legitimate
Multi-layered defense is the key!
E-mail Hygiene - Layered Defense
[Figure: mail flows from the Internet through Exchange SMTP Gateways, Exchange SMTP Routing HUBs and Mailbox Servers to Clients; the layers applied along the path are Connection Filtering, Sender/Recipient Filtering, Antispam, Attachment filtering, Antivirus and Attachment blocking. The incoming-e-mail pipeline from the previous slide (Connection Filtering, Sender and Recipient Filtering, Intelligent Message Filtering, Outlook 2003 Mailbox: Inbox / Junk E-mail) is repeated]
Connection Filtering – Block Lists
Real-time DNS-based block lists
Check IP of sender against the block list using DNS queries. If DNS record for sender's IP exists, block it. Use third-party block lists or roll your own
Exchange 2003
Supports multiple RBL providers (applied in order!)
Terminates connection (SMTP protocol 550 error):
550 5.7.1 E-mail rejected because 213.241.32.5 is listed by sbl-xbl.spamhaus.org. Please see http://www.spamhaus.org/lookup.lasso for more information. If you still need assistance contact [email protected]
Supports customizable response per configured provider
[Figure: sender IP 1.2.3.4 opens an SMTP connection; the gateway sends DNS Request: 4.3.2.1.myrbl.com., receives DNS Response: 127.0.0.4, and applies the filter action SMTP Error 550]
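The lookup in the figure above, as an added example (not code from the slides or from Exchange): the sender's octets are reversed and appended to the provider zone, an A record in 127.0.0.0/8 means "listed", NXDOMAIN means "clear", and configured providers are tried in order with a per-provider 550 reply. The zone `myrbl.example`, the `FAKE_ZONE` answers and the contact address are constructed so the block runs offline; `live_resolve` is the real-DNS equivalent. Treating 127.255.255.x answers as an error condition is an assumption about provider conventions, not something the slide states.

```python
import ipaddress
import socket

# Constructed stand-in for a DNSBL provider's zone: keys are the reversed-octet
# query names, values are the A records the zone answers with. Not a real list.
FAKE_ZONE = {
    "4.3.2.1.myrbl.example.": "127.0.0.4",
    "5.32.241.213.myrbl.example.": "127.0.0.2",
    "4.3.2.1.broken.example.": "127.255.255.254",  # provider signalling a query problem
}
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the sender's octets and append the block-list zone:
    1.2.3.4 checked against myrbl.example becomes 4.3.2.1.myrbl.example."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def fake_resolve(name: str):
    """Offline resolver over the constructed zone; None plays the role of NXDOMAIN."""
    return FAKE_ZONE.get(name)


def live_resolve(name: str):
    """Real resolver for production use: NXDOMAIN (no record) means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(ip: str, zone: str, resolve=fake_resolve) -> str:
    """'listed' for an answer inside 127.0.0.0/8 (the DNSBL convention),
    'clear' for NXDOMAIN, 'error' for anything else (assumed: 127.255.255.x is
    reserved by providers for error codes) so the gateway can fail open."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "clear"
    if ipaddress.IPv4Address(answer) in LISTED_RANGE and not answer.startswith("127.255."):
        return "listed"
    return "error"


def check_in_order(ip: str, providers, resolve=fake_resolve,
                   contact="postmaster@contoso.example"):
    """Exchange 2003 applies configured providers in order: the first listing wins
    and yields the customizable 550 reply for that provider; (None, None) = accept."""
    for zone in providers:
        if classify(ip, zone, resolve) == "listed":
            return (zone, f"550 5.7.1 E-mail rejected because {ip} is listed by {zone}. "
                          f"If you still need assistance contact {contact}")
    return (None, None)


if __name__ == "__main__":
    print(dnsbl_query_name("1.2.3.4", "myrbl.example"))
    print(check_in_order("213.241.32.5", ["broken.example", "myrbl.example"]))
```

An "error" answer deliberately does not block: a provider outage or a query-rate problem would otherwise reject all inbound mail, which is the DoS effect the later slides warn about.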
Sender/Recipient Filtering
Built in Exchange Server 2003
Effective to combat mail bombing attacks
Filtering mail for ??? senders/recipients @microsoft.com resulted in up to 30,000,000+ message submissions per day savings
Filter messages sent from particular email addresses or domains
Temporary measure during mail bombing attacks; not so effective for dynamic anti-spam
Drops connection before message payload is accepted – cheap!
Filtering messages with blank senders
Targeting RFC822 From: no effect on NDRs
Blocking own domain will break some scenarios (e.g., ListServ)
[Figure: a message From: <[email protected]> To: <[email protected]> is sent to a Distribution List, which re-sends it From: <[email protected]> To: <[email protected]>; Sender Filtering on *@contoso.com then blocks the re-sent message]
Recipient Lookup
Validates the recipient before accepting messages and returns 550 protocol error if the recipient is not valid
Result: No message payload is transmitted – savings in performance
But, what if I do RCPT TO: [email protected], RCPT TO: [email protected], RCPT TO: [email protected], RCPT TO: [email protected]...
Side effect: Possibility of rapid alias enumeration, a.k.a. DHA. About 20 minutes to harvest all valid 4 character aliases by brute force enumeration
Possible solution: Delay the 550 response for n seconds: slows down the attacker significantly. http://support.microsoft.com/default.aspx?kbid=842851 Works only for authoritative domains!
[Figure: SMTP Connect → Recipient Lookup → Recipient not found → SMTP Error 550]
→ Ehlo …
→ Rcpt to: <[email protected]>
← 550 User unknown
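The recipient-lookup behaviour above with the delayed 550 from the KB article, as an added example (not the slides' or Exchange's code): an unknown recipient in an authoritative domain is rejected before DATA but only after a tarpit delay, a recipient in a non-authoritative domain cannot be looked up at all (so the delay gives no protection there), and a per-session counter closes the connection after repeated invalid recipients. The domain list, the mailbox set, the 5-second delay and the session cut-off are constructed values; the cut-off is an added heuristic, not an Exchange 2003 setting.

```python
import time

# Constructed sample directory: the domains this gateway is authoritative for and
# the mailboxes that exist (stands in for the Active Directory recipient lookup).
AUTHORITATIVE_DOMAINS = {"contoso.com"}
VALID_RECIPIENTS = {"alice@contoso.com", "bob@contoso.com"}
TARPIT_SECONDS = 5  # the 'n seconds' from the slide; tuned per deployment


def recipient_lookup(rcpt: str):
    """Decide the reply for one RCPT TO address.
    Returns (smtp_code, text, delay_seconds); code None means the domain is not
    authoritative, so no lookup (and therefore no tarpit) is possible here."""
    address = rcpt.strip().lower()
    _, _, domain = address.rpartition("@")
    if domain not in AUTHORITATIVE_DOMAINS:
        return (None, "not authoritative: relay rules decide", 0)
    if address in VALID_RECIPIENTS:
        return (250, "2.1.5 Recipient OK", 0)
    # Unknown user: reject before the payload is sent, but only after the delay.
    return (550, "5.1.1 User unknown", TARPIT_SECONDS)


class RcptSession:
    """Per-connection state: applies the tarpit on every unknown recipient and,
    as an added heuristic (not an Exchange 2003 feature), closes the session
    once max_unknown invalid recipients have been tried."""

    def __init__(self, max_unknown=5):
        self.max_unknown = max_unknown
        self.unknown = 0
        self.tarpit_total = 0
        self.closed = False

    def handle(self, rcpt: str, sleep=time.sleep) -> str:
        if self.closed:
            return "503 5.5.1 Connection closed"
        code, text, delay = recipient_lookup(rcpt)
        if code is None:
            # Anonymous inbound session with relaying disabled (assumption).
            return f"550 5.7.1 Unable to relay for {rcpt}"
        if code == 550:
            self.unknown += 1
            if self.unknown >= self.max_unknown:
                self.closed = True
                return "421 4.7.0 Too many invalid recipients, closing connection"
            self.tarpit_total += delay
            sleep(delay)  # the sender waits n seconds for every wrong guess
        return f"{code} {text}"


if __name__ == "__main__":
    session = RcptSession(max_unknown=3)
    for guess in ("alice@contoso.com", "zzzz@contoso.com", "x@fabrikam.com"):
        print(guess, "->", session.handle(guess, sleep=lambda d: None))
```

The `sleep` parameter is injected so the delay can be replaced in tests; in a real listener it would be the actual wait before the 550 is written to the socket.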
Protecting Against Spoofing
Root cause – anonymous SMTP mail submission
Best Practice – restrict anonymous SMTP internally
For Internet E-mail, Option 1: Use Exchange 2003 "Resolve anonymous" feature
[Figure: the Exchange 2003 Gateway setting and the result on the Outlook client]
Protecting Against Spoofing
Option 2: Authenticate Internet messages with SenderID/SPF technology
SPF/SenderID Framework: publish the list of approved e-mail gateways in DNS (SPF record); authenticate incoming e-mails against this list
Sender ID Policy Example: "v=spf1 mx ip4:131.107.3.0/24 -all"
Microsoft.com Sender ID record: nslookup -q=TXT microsoft.com
Using Message Header Parsing
Block List Filtering and Sender ID make decisions based on IP address of the sender
May have dependency on being the outermost SMTP server
Exchange Server 2003 SP2 Header Parsing
Microsoft Mail Internet Headers Version 2.0
Received: from smtp1.contoso.com ([10.168.0.15]) by EXHUB.contoso.com
Received: from smtp2.contoso.com ([10.168.0.10]) by smtp1.contoso.com
Received: from mailhost.fabrikam.com ([169.254.0.22]) by smtp2.contoso.com
Received: from hub.fabrikam.com ([169.254.0.34]) by mailhost.fabrikam.com
Received: from mail pickup service by hub.fabrikam.com with Microsoft SMTPSVC;
From: "Administrator" <[email protected]>
To: "Joe Doe" <[email protected]>
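The two preceding slides together, as an added example (not Exchange's header parser or Sender ID implementation): the Received chain from the slide is walked top-down past the organization's own hops to find the IP that handed the message to the perimeter, and that IP is then evaluated against an SPF record of the shape shown in the policy example. Only the `ip4`, `mx` and `all` mechanisms are implemented, the check uses the `From:` domain rather than Sender ID's PRA selection, and the internal network range, the SPF records and the MX addresses standing in for DNS are constructed (the mailbox names in the sample headers are constructed too, since the slide's addresses are elided).

```python
import ipaddress
import re

# Constructed sample headers (most recent hop first), modelled on the slide.
SAMPLE_HEADERS = """\
Received: from smtp1.contoso.com ([10.168.0.15]) by EXHUB.contoso.com
Received: from smtp2.contoso.com ([10.168.0.10]) by smtp1.contoso.com
Received: from mailhost.fabrikam.com ([169.254.0.22]) by smtp2.contoso.com
Received: from hub.fabrikam.com ([169.254.0.34]) by mailhost.fabrikam.com
Received: from mail pickup service by hub.fabrikam.com with Microsoft SMTPSVC;
From: "Administrator" <admin@fabrikam.com>
To: "Joe Doe" <joe@contoso.com>
"""
# Constructed: our own perimeter/hub networks, whose hops must be skipped.
INTERNAL_NETS = [ipaddress.IPv4Network("10.168.0.0/16")]
# Constructed stand-ins for DNS: the sending domain's SPF TXT record and MX host IPs.
SPF_RECORDS = {"fabrikam.com": "v=spf1 mx ip4:131.107.3.0/24 -all"}
MX_ADDRESSES = {"fabrikam.com": ["169.254.0.22"]}

RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[(\d+\.\d+\.\d+\.\d+)\]\) by (\S+)", re.M)
FROM_RE = re.compile(r"^From:.*<[^<>@]+@([\w.-]+)>", re.M)


def connecting_ip(headers: str):
    """First 'from' IP outside our networks, walking top-down: the host that
    connected to the outermost gateway even when we are not that gateway."""
    for _host, ip, _by in RECEIVED_RE.findall(headers):
        if not any(ipaddress.IPv4Address(ip) in net for net in INTERNAL_NETS):
            return ip
    return None


def spf_check(ip: str, record: str, mx_addresses) -> str:
    """Evaluate ip against a minimal SPF record (ip4, mx, all with qualifiers).
    Returns pass / fail / softfail / neutral / none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.IPv4Address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "ip4":
            matched = addr in ipaddress.IPv4Network(arg, strict=False)
        elif mech == "mx":
            matched = any(addr == ipaddress.IPv4Address(a) for a in mx_addresses)
        elif mech == "all":
            matched = True
        else:
            continue  # include/a/ptr/exists not implemented in this example
        if matched:
            return results[qualifier]
    return "neutral"


def authenticate(headers: str, spf_records=SPF_RECORDS, mx_addresses=MX_ADDRESSES):
    """Return (result, connecting_ip, from_domain) for a message."""
    ip = connecting_ip(headers)
    m = FROM_RE.search(headers)
    domain = m.group(1).lower() if m else None
    record = spf_records.get(domain) if domain else None
    if ip is None or record is None:
        return ("none", ip, domain)
    return (spf_check(ip, record, mx_addresses.get(domain, [])), ip, domain)


if __name__ == "__main__":
    print(authenticate(SAMPLE_HEADERS))
```

A message whose outermost external hop is not one of the domain's published gateways gets `fail` from the `-all` term, which is exactly the spoofing case the slides describe; a record ending in `~all` would instead yield `softfail`, which a gateway typically feeds into the SCL rather than rejecting outright.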
Restricted/Authenticated DGs
Distribution Groups (DGs) may contain large recipient population
A single malicious message to a DG - large impact
Best Practice: Restrict large/sensitive internal DGs
Protects from most spam attacks
Much more secure!
Spam Filtering
Educating users about spam: spam fighting starts with guarding your e-mail address
Fighting spam at multiple levels: Gateway (filtering), Mailbox (move to Junk E-mail), Client (move to Junk E-mail)
Spam Confidence Level: Exchange 2003 feature rather than a solution
Spam Confidence Level (SCL)
Message property to indicate a certainty that the message is spam or not
Values: -1, 0-9
Propagated within EXCH50 blob
Can be leveraged/stamped by anti-spam solution
Exchange 2003 has two thresholds/actions: at the SMTP gateway level and at the Store level
Exposing SCL in Outlook: http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx
Intelligent Message Filter (IMF)
Key infrastructure design points:
IMF is positioned before anti-virus scanning
All SMTP transport behind IMF must be Authenticated
Supports EXCH50 blob propagation
[Figure: the message envelope carries the EXCH50 Blob with SCL rating alongside the RFC 2822 message body; components shown are the Internet, a Third Party SMTP Server, the Exchange 2003 SMTP Gateway + IMF and the Exchange 2003 Mailbox Server]
Intelligent Message Filter (IMF)
Analyzes message content and assigns SCL value
Deploying IMF in a single-forest scenario
Deploying IMF in a multiple-forest scenario: EXCH50 blob transfer (Exch50AuthCheckEnabled), establishing authenticated SMTP connections
[Figure: in each scenario an Exchange 2003 Gateway running the Intelligent Message Filter stamps the SCL, which travels with the message to the mailbox]
Intelligent Message Filter: Topological Placement
Outermost message content analysis component
Install on SMTP gateways
Assign to External SMTP VS only
Inbound mail scanning
For more information: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx
[Figure: Internet → Exchange 2003 Gateway Servers (Antispam filtering) → Exchange 2003 HUB Servers (Antivirus filtering, Content filtering) → Mailbox servers]
Intelligent Message Filter: Customization
IMF Modes at the Gateway: No Action, Archive, Delete, Reject
Custom Error Message (Exchange SP2): HKLM\Software\Microsoft\Exchange\ContentFilter, CustomRejectResponse
Forcing content scanning for authenticated connections: HKLM\Software\Microsoft\Exchange\ContentFilter, CheckAuthSessions=1
Anti-virus: Possible Protection Frontiers
Gateway level: Transport Event Sinks, Transport VSAPI, Dedicated virus scanning SMTP MTA
Information Store level: VSAPI 2.x, ESE, MAPI
Client level
Methods have different dependencies, pros and cons
Anti-virus - Evaluation Criteria
Functionality tests
Gateway integration method (Event sink/VSAPI)
Support for different message encodings
S/MIME scanning
TNEF scanning
Mail direction awareness
Attachment filtering capability
Notifications
Handling exceptions
Virus actions
Protecting Against DoS attacks
Extremely difficult to guard against
DoS at the messaging layer and network layer are different
Spam and virus attacks often result in DoS effect
Countermeasures:
Anti-virus and Anti-spam systems
Message size limits (global/SMTP VS)
Authenticated only DL's / Empty DL's
Max recipients restriction
Criteria based filtering
Connection restrictions
Manage relay restrictions/inbound domains
Proactive monitoring
Client Side Technologies
Attachment blocking, script stripping: http://www.microsoft.com/office/ork/xp/four/outg03.htm
Stripping web beacons
User Trusted & Junk Senders lists
Client side spam filtering
Update for Outlook 2003: Junk E-mail Filter (KB870765)
Outlook client version control (Q288894)
Outlook 2003/OWA 2003: Web Beacons
Outlook 2003: Client Side Spam Filtering
Outlook spam filtering applies to externally submitted e-mail
Exchange 2003 Gateway: Platform for Messaging Hygiene
Two SMTP Virtual Servers approach
Different handling of inbound and outbound e-mail
Easier metrics gathering
[Figure: External Messaging Systems ↔ Exchange 2003 Gateways ↔ Exchange 2003 Routing HUBs ↔ Mailbox Servers. On the Exchange 2003 SMTP Gateway, the Inbound SMTP VS (2) and the Outbound SMTP VS (1) are joined by an SMTP Connector.
Inbound SMTP Virtual Server settings: Anonymous / Basic Authentication / Integrated Windows Auth.; Apply Sender Filter; Relay for Anonymous; Relay for Authenticated; IP Restrictions; Apply Recipient Filter; Apply Connection Filter; Apply Intelligent Message Filter; Apply SenderID Filter.
Outbound SMTP Virtual Server settings: Anonymous / Basic Authentication / Integrated Windows Auth.; Apply Sender Filter; Relay for Anonymous; Relay for Authenticated; IP Restrictions; Apply Recipient Filter; Apply Connection Filter; Apply Intelligent Message Filter; Apply SenderID Filter]
Antivirus and Anti-Spam: Design
[Figure: message flow from the Internet through Exchange 2003 Gateways, Hubs, Mailbox servers and Clients:
Gateway Server (Transport): Connection Filtering (RBLs) → Sender/Recipient Filtering → Exchange IMF / Other Anti-Spam Solutions → SCL >= Gateway Threshold? Yes: Filter Action; No: continue
Gateway Server (Transport): Attachment Stripping → Virus Scanning → SCL carried forward
Mailbox Server (Store): SCL Store Threshold and User Safe/Blocked Senders → SCL > Store Threshold? Yes: Junk mail; No: Inbox
Client (Outlook 2003): Desktop Anti-Virus, Attachment blocking, User Safe/Blocked Senders → Spam? Yes: Junk mail; No: Inbox]
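The decision flow in the design figure above, the two SCL thresholds from the SCL slide and the IMF gateway modes from the customization slide, as one added example (not Exchange code): a message carries the SCL stamped by IMF, the gateway applies its configured mode when SCL reaches the gateway threshold, otherwise the message continues to attachment stripping and virus scanning, and the store sends it to Junk E-mail when SCL exceeds the store threshold unless the user's Safe or Blocked Senders lists override. Threshold values, the sender lists and the treatment of SCL -1 as "trusted source, bypass filtering" are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed configuration standing in for the Exchange 2003 settings on the slides.
GATEWAY_THRESHOLD = 8      # SCL >= this triggers the IMF gateway action
GATEWAY_ACTION = "reject"  # IMF gateway mode: no action | archive | delete | reject
STORE_THRESHOLD = 4        # SCL > this lands in the Junk E-mail folder
SAFE_SENDERS = {"newsletter@contoso.com"}
BLOCKED_SENDERS = {"promo@spam.example"}
GATEWAY_MODES = ("no action", "archive", "delete", "reject")


@dataclass
class Message:
    sender: str
    scl: int  # -1 or 0-9; -1 assumed to mean a trusted source that bypasses filtering


def gateway_decision(msg: Message, threshold=GATEWAY_THRESHOLD, action=GATEWAY_ACTION):
    """Gateway transport: after IMF stamps the SCL, SCL >= threshold triggers the
    configured gateway mode; 'no action' and lower scores let the message continue."""
    if action not in GATEWAY_MODES:
        raise ValueError(f"unknown IMF gateway mode: {action}")
    if msg.scl >= threshold and action != "no action":
        return action
    return "continue"


def store_decision(msg: Message, threshold=STORE_THRESHOLD,
                   safe=SAFE_SENDERS, blocked=BLOCKED_SENDERS):
    """Mailbox store: Blocked Senders always go to Junk, Safe Senders and trusted
    (-1) submissions always to Inbox; otherwise SCL > store threshold means Junk."""
    sender = msg.sender.lower()
    if sender in blocked:
        return "junk"
    if sender in safe or msg.scl == -1:
        return "inbox"
    return "junk" if msg.scl > threshold else "inbox"


def process(msg: Message):
    """Run one message through the layered design and return the decision trail."""
    trail = []
    gateway = gateway_decision(msg)
    trail.append(f"gateway: SCL {msg.scl} -> {gateway}")
    if gateway != "continue":
        return trail  # archived/deleted/rejected at the gateway; AV never runs
    trail.append("gateway: attachment stripping, virus scanning")  # AV after IMF
    trail.append(f"store: SCL {msg.scl} -> {store_decision(msg)}")
    return trail


if __name__ == "__main__":
    for m in (Message("a@x.example", 9), Message("a@x.example", 6),
              Message("newsletter@contoso.com", 7), Message("hr@contoso.com", -1)):
        print(m, process(m))
```

The gap between the two thresholds (here 5, 6 and 7) is the band that reaches the mailbox as Junk rather than being dropped at the gateway; it is where false positives stay recoverable by the user.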
Anti-virus and Anti-spam: Best Practices
Implement layered defenses
Scan for spam before scanning for viruses
Implement virus scanning for both inbound and outbound mail
Test AV products on various message encodings and attachment formats
Configure gateway anti-virus to be mail direction aware
At the gateway:
Consider "Block on fail" principle for anti-virus
Configure anti-virus to purge worm infected e-mails
Implement attachment blocking
Do not send security notifications to the Internet
Securing Exchange Communications
What do you want to secure?
User data in transit
User credentials
System data in transit
What do you want to secure it from?
External threats
Internal threats
Securing Exchange Communications: strong authentication; confidentiality of e-mail data
Confidentiality of e-mail data
Mail transport: SMTP internally, SMTP externally
Front End-to-Back End communications: HTTP (OWA, OMA, EAS, RPC/HTTP), IMAP4/POP3
Client Access: Outlook to Exchange, Mobile clients to Front End
Securing Authentication
Use Windows Integrated authentication
Proactively disable insecure (Basic) authentication throughout the messaging infrastructure wherever possible
ldifde -d "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -r "(objectClass=protocolCfgSMTPServer)" -p Subtree -l msExchAuthenticationFlags -f CON:
1 – Anonymous, 2 – Basic, 4 – Windows Integrated
If Basic authentication is absolutely required, use transport level security (SSL/TLS, IPSEC)
C:\>base64>> decode TEFCXGpvZWRvdzpUb3RhMTF5JGVjdXJI
DOMAIN\joedoe:Tota11y$ecure
decode succeeded
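An audit of the ldifde output above, as an added example (not a Microsoft tool): the LDIF is parsed, msExchAuthenticationFlags is decoded with the bit values the slide gives (1 Anonymous, 2 Basic, 4 Windows Integrated), and each SMTP virtual server is reported with a finding. The sample LDIF, the server names and the set of DNs treated as Internet-facing (where anonymous submission is expected) are constructed; whether TLS is required on a virtual server is not in this attribute, so a Basic finding simply restates the slide's advice.

```python
# Constructed sample of what `ldifde ... -l msExchAuthenticationFlags -f CON:` prints
# for three SMTP virtual servers; the first DN is line-folded as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=1,CN=SMTP,CN=Protocols,CN=GW01,CN=Servers,CN=First Administrative Group,
 CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 7

dn: CN=2,CN=SMTP,CN=Protocols,CN=GW01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 4

dn: CN=1,CN=SMTP,CN=Protocols,CN=HUB01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 1
"""

FLAG_NAMES = {1: "Anonymous", 2: "Basic", 4: "Windows Integrated"}  # bit values from the slide


def parse_ldif(text: str):
    """Minimal LDIF reader: entries are blank-line separated, continuation lines
    start with one space, and every attribute is kept as a list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def decode_flags(value: int):
    """Bitmask → list of enabled authentication methods."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def assess(methods, internet_facing: bool) -> str:
    """Findings in priority order: Basic first (credentials are only base64 on
    the wire), then anonymous submission on servers that should not accept it."""
    if "Basic" in methods:
        return "Basic enabled: disable it, or require SSL/TLS or IPsec on this virtual server"
    if "Anonymous" in methods and not internet_facing:
        return "Anonymous enabled on an internal virtual server: restrict (spoofing root cause)"
    return "ok"


def audit(text: str, internet_facing=frozenset()):
    """Return [(dn, methods, finding)] for every SMTP virtual server in the export."""
    report = []
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        raw = int(entry.get("msExchAuthenticationFlags", ["0"])[0])
        methods = decode_flags(raw)
        report.append((dn, methods, assess(methods, dn in internet_facing)))
    return report


if __name__ == "__main__":
    for dn, methods, finding in audit(SAMPLE_LDIF):
        print(dn.split(",")[3], methods, "->", finding)
```

Run it against the real ldifde output saved to a file instead of `SAMPLE_LDIF`, and pass the DN of the Internet-facing inbound virtual server in `internet_facing` so that its required anonymous access is not reported.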
Securing Exchange Authentication
[Figure: Internet, Perimeter Network (ISA Server 2004, Front End) and Exchange ORG (Mailbox Servers, SMTP Gateway, External SMTP Gateway, Outlook 2003 Clients); Mobile OWA Clients connect through ISA Server 2004 to the Front End. Authentication on the paths shown: Forms Based Authentication, Kerberos or Windows Integrated, Anonymous authentication]
Proactively disable not needed/insecure authentication:
ldifde -d "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -r "(objectClass=protocolCfgSMTPServer)" -p Subtree -l msExchAuthenticationFlags -f CON:
1 – Anonymous, 2 – Basic, 4 – Windows Integrated
Securing Exchange Data in Transit
Following the "block on fail" principle: requiring SSL; insecure connections are not accepted
[Figure: the same topology (Internet, Perimeter Network with ISA Server 2004 and Front End, Exchange ORG with Mailbox Servers, SMTP Gateway, External SMTP Gateway, Outlook 2003 Clients, Mobile OWA Clients) annotated with the protection on each path: HTTPS, IPsec, RPC Encryption, TLS for SMTP]
Using ISA and Exchange Together
Exchange Client Access Scenarios: OWA; OMA, ActiveSync; RPC/HTTP
ISA Server 2004 provides additional security:
Application layer inspection
Authentication solutions
Firewall protection
Logging and Monitoring
RPC filtering (for Exchange 2000)
E-mail Access: Traditional Firewall
Firewall rules open ports to allow traffic to and from mail server:
Incoming connections on email server for SMTP, POP3, Outlook Web Access (using SSL)
Outgoing connections from email server for SMTP
Limitation: control over what channels are opened, but no control over what type of network traffic is sent to email server over these channels
[Figure: Internet ↔ firewall ↔ Exchange Server, with inbound rules Allow: Port 25 (SMTP), Allow: Port 110 (POP3), Allow: Port 443 (SSL), Allow: Port 135 (RPC) and outbound Allow: Port 25]
How Exchange 2000 RPC Works
[Figure: RPC Client (Outlook) on the Internet and RPC Server (Exchange 2000): TCP 135: Port for {0E4A…}? → Server: Port 4402 → Port 4402: Data]
1. The RPC server maintains a table of Universally Unique Identifiers (UUID) and assigned port
2. The client connects to TCP port 135 on the server to query for the port associated with a UUID
3. The server responds with the associated port
4. The client reconnects to server on the designated port to access Exchange
RPC and Traditional Firewalls
Open port 135 for incoming traffic
Open every port that RPC might use for incoming traffic
[Figure: the same RPC exchange as the previous slide across the Internet: TCP 135: Port for {0E4A…}? → Server: Port 4402 → Port 4402: Data]
Traditional firewalls can't provide secure RPC access
Exchange 2000 and ISA Server
[Figure: Outlook on the Internet → ISA Server → RPC Server (Exchange 2000), with the same TCP 135: Port for {0E4A…}? → Server: Port 4402 → Port 4402: Data exchange]
Initial connection: only allows valid RPC traffic; blocks non-Exchange queries
Secondary connection: only allows connection to port used by Exchange; enforces encryption
OWA: Traditional Firewall
Web traffic to OWA is encrypted: standard SSL encryption; security against eavesdropping and impersonation
Limitation: default OWA implementation does not protect against application layer attacks
[Figure: OWA Traffic from the Internet travels through an SSL Tunnel to the Exchange Server OWA Front End; Password Guessing and Web Server Attacks pass inside the tunnel]
Concept of defense in depth requires inspection of OWA traffic at firewall
How ISA Server Protects OWA
Authentication: unauthorized requests are blocked before they reach the Exchange server; enforces all OWA authentication methods at the firewall; provides forms-based authentication at the firewall before reaching OWA
Inspection: invalid HTTP requests or requests for non-OWA content are blocked; inspection of SSL traffic before it reaches Exchange server*
Confidentiality: ensures encryption of traffic over the Internet at the firewall; can prevent the downloading of attachments to client computers separate from intranet users
[Figure: OWA Traffic from the Internet passes through an SSL Tunnel to ISA Server (Inspection, Authentication) and on to the Exchange Server OWA Front End; Web Server Attacks and Password Guessing are stopped at the firewall]
*Note: Full ISA inspection is not available if GZip compression is used by OWA.
How RPC/HTTP Works
RPC/HTTP encapsulates RPC traffic inside HTTP
Internal Web server (RPC proxy) extracts RPC traffic from HTTP
Advantage: most firewalls allow HTTP traffic
Problem: traditional firewalls leave RPC proxy exposed to Web-based attacks
[Figure: HTTP Traffic from the Internet reaches the RPC proxy, which hands RPC Traffic to Exchange Client Access Services; Web Server Attacks reach the proxy over the same channel]
RPC over HTTP with ISA Server
ISA Server terminates SSL tunnel
Inspects HTTP traffic for protocol compliance
Blocks requests for all URLs except http://.../rpc/...
No direct connections from Internet to Exchange Server
Application layer protection for HTTP traffic
[Figure: HTTP traffic from the Internet is inspected by ISA Server before RPC Traffic reaches Exchange Client Access Services; Web Server Attacks are blocked at ISA Server]
Easy ISA Configuration and Administration
Mail Publishing Wizard makes configuration easy and prevents configuration mistakes
So where are we today?
Assess your environment
Is Spam a real threat to your infrastructure?
Do you have all the layers in place?
Does your team have the requisite skills?
Do you have the right infrastructure in place?
Think again…
Do you really want to manage all this?
Is there an alternative? Hold on…
Do you want an additional layer?
Do you want a stop-gap arrangement?
What are the Challenges?
IT Pros: Manage cost & complexity
  E-mail is mission critical
  E-mail must always be available
  E-mail maintenance is expensive and resource-intensive
Security Pros: Secure, protect and comply
  Security is the top concern
  Regulatory compliance critical in many industries
  Threats continue to evolve
  Counter-measures are expensive and difficult to update
Information Workers: Inbox value and access
  Users want uninterrupted access to their inbox
  Spam and viruses distract users from business productivity
Multi-Layer Secure Messaging
Network Edge Protection
Services and on-premise software protect against spam and viruses before they penetrate the network
Firewall Protection
Protocol and application-layer inspection enable secure, remote access to Exchange server
Internal Anti-virus Protection
Protects against malicious threats, while enforcing e-mail content policies
BETTER TOGETHER WITH EXCHANGE
Software and services use multiple scanning engines to protect Exchange inboxes from threats
(Diagram labels: Internet; Managed Services: FrontBridge E-mail Filtering Services; External Firewall; DMZ; ISA Server; Internal Firewall; Corporate Network; On-Premise Software: Antigen for SMTP Gateways, Antigen for Exchange, Advanced Spam Manager; Authentication and Authorization)
Multi-Layer Secure Messaging
What are the products? FrontBridge Email Filtering Services
Hosted, internet-based messaging services
Provides anti-virus, anti-spam, content, and file filtering
Uses multiple scanning engines
Blocks the majority of threats before they reach your network
Tremendous gain in security and efficiency
Multi-Layer Secure Messaging
What are the products? Antigen for SMTP/Exchange
On-premise, server-based mail scanning software
Provides anti-virus, anti-spam, content and file filtering
Multiple complementary technologies used
Complete end user control
Protection against internal threats and virus propagation
Multi-Layer Secure Messaging
What are the products? ISA Server 2004
On-premise, server-based application layer firewall
Provides secure publishing of Outlook Web Access
Enhanced security for mobile workforce
Provides SMTP protocol scanning
Multi-Layer Secure Messaging
Better Together
Using all three offerings in a layered solution provides the best level of protection
Defense in depth
Preliminary cleaning of spam and viruses via FrontBridge lessens the processing load for the on-premise solutions
Single vendor purchase simplifies licensing and support issues
FrontBridge Services
(Diagram labels: Internet; Continuity; Filtering; Encryption; Mail Flow; Archiving; Firewall; E-Mail Server; End Users)
No onsite IT management
Fastest response to threats
Centralized control
SMTP platform-agnostic
Unparalleled reliability and scalability
FrontBridge E-Mail Filtering
Edge and connection-based blocking
Directory services, real-time attack prevention, multi-layer virus scanning and content filtering
Advanced spam filtering
Fingerprinting, SPF lookups, rules-based scoring
E-Mail queuing
E-Mail quarantine
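As an added illustration of the stages this slide lists (connection-based blocking, SPF lookup, rules-based scoring, quarantine), not FrontBridge's own code: a small Python pipeline that runs the layers in order. The blocklist, the DNS TXT table and the scoring rules are constructed sample data, and the SPF evaluator is deliberately limited to ip4 mechanisms and the final all term.

```python
import ipaddress
import re

# Constructed sample data, not real infrastructure: a connection-level
# blocklist and a fake DNS TXT table standing in for real SPF lookups.
EDGE_BLOCKLIST = {"203.0.113.77"}
FAKE_DNS_TXT = {"example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(sender_domain, client_ip):
    """Simplified SPF: evaluates ip4 mechanisms and the final 'all' term only.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = FAKE_DNS_TXT.get(sender_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means '+'
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER[qualifier]
        if term == "all":
            return QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match

# Rules-based scoring: each rule adds its points when its predicate matches.
RULES = [
    ("spf_fail", 5.0, lambda m: m["spf"] == "fail"),
    ("spf_none", 1.0, lambda m: m["spf"] == "none"),
    ("money_lure", 2.5, lambda m: re.search(r"\b(lottery|wire transfer)\b", m["body"], re.I)),
    ("shouting_subject", 1.5, lambda m: m["subject"].isupper()),
]
QUARANTINE_THRESHOLD = 4.0

def filter_message(client_ip, sender_domain, subject, body):
    """Run the layers in order: edge block, then SPF, then scoring -> verdict."""
    if client_ip in EDGE_BLOCKLIST:
        return {"action": "reject", "stage": "edge", "spf": None, "score": None}
    msg = {"spf": spf_check(sender_domain, client_ip), "subject": subject, "body": body}
    score = sum(pts for _, pts, pred in RULES if pred(msg))
    action = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"action": action, "stage": "scoring", "spf": msg["spf"], "score": score}

if __name__ == "__main__":
    print(filter_message("203.0.113.10", "example.com", "YOU WON", "Claim your lottery prize"))
```

A message from a domain with no SPF record only collects a small penalty, so it is delivered unless other rules push it past the threshold; a hard SPF fail alone is enough to quarantine.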
Antigen - Multiple Scan Engine
• Manage up to 8 scan engines
• Eliminate single point of failure
• Minimize window of exposure during outbreaks
(Diagram labels: Scan Engine 1; Scan Engine 2; Scan Engine 3; Scan Engine 4; Quarantine)
Antigen for SMTP Gateways
Detects and removes e-mail viruses at the network edge
Scans SMTP stack to disable threats within a message during the routing process
Provides advanced content filtering capabilities for messages and attachments
Integrates file filtering, keyword filtering, anti-spam, and content filtering during the routing process
Protects Windows Server 2003 and Windows 2000 Server SMTP gateways
Proactively notifies administrators of virus incidents and scan events by e-mail or event log
(Diagram labels: Internet; Firewall; SMTP Gateway Server/Routing Server; Exchange Servers; Users)
Antigen for Exchange
Detects and removes viruses in e-mail messages and attachments
Scans at SMTP stack (most processing intensive scans)
Scans in real time at the Exchange Information Store
Provides on-demand and scheduled scans of the information store
Uses Microsoft-approved virus scanning API integration for Exchange 2000 and 2003
Provides advanced content-filtering capabilities for messages and attachments
Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level
Protects Exchange Server 5.5, 2000, and 2003
(Diagram labels: Internet; ISA Server; Exchange Front End; Exchange Site 1; Exchange Site 2; Exchange Public Folder Server; Exchange Mailbox Server)
Conclusion
Top things to remember
Establish and document security requirements
Enforce security at multiple levels – defense in depth
Establish layered e-mail hygiene defenses
Secure Exchange servers by role
Bring the Exchange front-end server out of the perimeter network. Use reverse proxy solutions for secure Exchange publishing (ISA).
Use only secure authentication methods. Disable unneeded ones.
Enforce e-mail data encryption where needed
For More Information
http://www.microsoft.com/securemessaging – combines FrontBridge, Antigen and ISA information
Microsoft IT deployments and best practices: http://www.microsoft.com/technet/itshowcase
Whitepapers on FrontBridge services: http://www.frontbridge.com
Sign up for a free trial of FrontBridge filtering services: http://www.frontbridge.com/forms/form_evaluation.php
Download evaluation copy of Antigen and Advanced Spam Manager: http://www.sybari.com/eval
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.