Upload
mohinuddin-mustaq
View
217
Download
0
Embed Size (px)
Citation preview
7/29/2019 microsoft-exchange-security-solution-guid
1/10
Deploying a service-oriented
perimeter or Microsot Exchange
F5 PARTNERSHIP SOLUTION GUIDE
F5 and MicrosotExchange Security Solutions
7/29/2019 microsoft-exchange-security-solution-guid
2/10
WHAT'S INSIDE
Pre-Authentication
Mobile Device Security
Web Application Security
3
5
7
7/29/2019 microsoft-exchange-security-solution-guid
3/10
Go Beyond Network
Firewalls to Protect
Microsot ExchangeBusiness need and user demand or access to email anytime, anywhere,
and rom any device has created challenges or IT departments to keep
this business-critical application secure, ast, available, and compliant.
Extending your security perimeter outward can improve security and
availability or Microsot Exchange email services published over the
Internet (Outlook Web App, Exchange ActiveSync, Outlook Anywhere,and Exchange Web Services). F5 Application Delivery Controllers
(ADCs) oer an ICSA Labs certied network and application rewall
solution that creates a service-oriented perimeter or Exchange. With
intelligent monitoring o trac, pre-authentication, and access control
or mobile devices, F5 helps you deploy highly available and secure
email services.
7/29/2019 microsoft-exchange-security-solution-guid
4/10
Avert threats beore they
reach the data center interior
Preventing invalid and potentially malicious trac rom entering your data center
can be challenging. Traditional network rewalls are designed to perorm a basic
level o ltering based on port, but are not designed to inspect and enorce highly
intelligent security policies using surrounding contextual knowledge about the
user, the application service being requested, or the device being used.
In act, SSL encrypted application trac needs to pass through the network
rewall and on to another device near or on an internal data center network
or terminationusually a hardware load balancer or even a specic application
server itsel. The challenge lies in enorcing eective security measures beore the
trac reaches the internal network when the inormation needed to make access
decisions is encrypted.
Relying on your servers to process the unnecessary and potentially malicious
requests wastes valuable resources, slows perormance, and leaves your business
vulnerable to attacks, so the next choice is the hardware load balancer.
Pre-Authentication
T H E C H A L L E N G E S
K E Y B E N E F I T S
Improve your security posture Ensure only authorized trac
reaches Exchange servers
Reduce cost to operate andmaintain security inrastructure
3
7/29/2019 microsoft-exchange-security-solution-guid
5/10
T H E S O L U T I O N
F5 BIG-IP Access Policy Manager (APM) extends your security perimeter so that threats
are eliminated beore they reach your data center. BIG-IP APM is certied by ICSA Labs as a
rewall device, but it is dierent rom traditional network rewalls because it can intelligently
inspect trac or inormation about users, devices, and applications to increase security.
For Microsot email services, including Outlook Web App (OWA), Exchange ActiveSync
(EAS), and Outlook Anywhere (OA), BIG-IP APM prevents invalid trac rom ever reaching
Exchange Server through pre-authentication, authorization, and device access control.
User credentials are cached by BIG-IP APM, which proxies connections to Windows Active
Directory and the Exchange Client Access server (CAS) array. These connections are made
up o a set o customized verications. For example, user name and password are used to
prove the authenticity o the user. This user account can then be used to determine whether
permissions are granted to access a given corporate resource such as Microsot Exchange.
Pre-authentication ensures that only authenticated and authorized trac reaches the internal
network where Exchange Client Access servers are located. Since only necessary trac enters
that network, processing load on servers is reduced, which helps their perormance.
Using BIG-IP APM Visual Policy Editor, a workfow-like access path can be designed with
orked logic and causal relationships to exactly represent corporate constraints or approved
access and customized responses or validation ailures. BIG-IP APM provides support
or dozens o types o queries out o the box, such as collecting dierent types o logon
inormation rom users and perorming queries into Microsot Active Directory to veriy
specic inormation about users, security group memberships, and prole settings.
After
MobileUsers
Client AccessServers
Hub MailboxServers
Attacker
Attacker
OWAOAEAS
EWS
BIG-IPLocal Traffic Manager
MobileUsers
Client AccessServers
Hub MailboxServers
ReverseProxy
Attacker
Attacker
OWAOA
EASEWS
BIG-IPLocal Traffic Manager
Effective SecurityPerimeter on
Internal Network
Effective SecurityPerimeter on
Network Edge
BIG-IPAccess Policy Manager
Before
7/29/2019 microsoft-exchange-security-solution-guid
6/10
Provide secure access to email
rom mobile devices
The consumerization o IT and bring-your-own-device (BYOD) work policies have
created a huge increase in access to corporate email rom mobile devices. In
todays world, email must be accessible to known trusted devices as well as an
ever increasing assortment o unknown and untrusted devices.
According to a 2011 CIO.com report, network security breaches, possible loss o
customer enterprise data, potential thet o intellectual property, and diculty
meeting compliance requirements are among the top concerns IT departments
have about employees using personal devices or work.
MobileDeviceSecurity
T H E C H A L L E N G E S
K E Y B E N E F I T S
Seamlessly support access tocorporate resources rom varioustypes o mobile devices
Implement advanced multi-actorauthentication
5
7/29/2019 microsoft-exchange-security-solution-guid
7/10
F5 BIG-IP Access Policy Manager (APM) provides a strategic point o control in
the data center, supporting a variety o approaches or granting or denying email
access to mobile devices. Building on its user authentication and authorization
capabilities, BIG-IP APM also supports the use o user and device security
certicates, Exchange ActiveSync User Policy settings, and other inormation stored
in Active Directory, as well as device inormation provided in the packet fow, suchas device type and device ID, to enorce multi-actor validation.
In Exchange Server, the Client Access server (CAS) role unctions as the access
point or all client trac, including mobile devices that use the Exchange
ActiveSync (EAS) protocol to access mailbox inormation over HTTPS. Using
BIG-IP APM, trac management decisions can be made and enorced at the
network perimeter on a group and or individual basis while still allowing or the
use o built-in Exchange security unctionality such as ActiveSync policies and
remote device wipe.
BIG-IP APM enables customers to enorce a customized security policy or
Exchange access by mobile devices using a fexible set o pre-dened actions
that represent their organizations requirements or access approvaleven rom
devices employees bring rom home.
T H E S O L U T I O N
After
MobileUsers
Client AccessServers
Hub MailboxServers
Attacker
Attacker
OWAOAEAS
EWS
BIG-IPLocal Traffic Manager
MobileUsers
Client AccessServers
Hub MailboxServers
ReverseProxy
Attacker
Attacker
OWAOA
EASEWS
BIG-IPLocal Traffic Manager
Effective SecurityPerimeter on
Internal Network
Effective SecurityPerimeter on
Network Edge
BIG-IPAccess Policy Manager
Before
7/29/2019 microsoft-exchange-security-solution-guid
8/10
Simpliy compliance and
protect sensitive data
Network-level attacks are highly visible and disruptive, but application-level attacks
are what threaten the core o a business. According to Gartner, 95 percent o
security investments are ocused on the network while 75 percent o attacks
happen at the application level. These attacks can leave sensitive datasuch as
employee records, condential inormation, intellectual property, and nancial
recordsvulnerable to thet.
In addition, resolving application-level breaches can be time-consuming and
expensive. According to a WhiteHat security report, the top 10 application
attacks are cross-site scripting, inormation leakage, content spoong, insucient
authorization, SQL injects, predictable resource location, session xation, cross-
site request orgery, insucient authentication, and HTTP response splitting. The
average time reported to resolve these vulnerabilities is 77 days. During those
weeks or months, a business must take down the application or risk its security
being compromised.
The prevalence o application-layer attacks against critical business applications
makes securing those applications and veriying compliance with security
and privacy regulations o paramount importance. Even those organizations
that employ dedicated sta to review compliance and the security posture o
applications preer deploying solutions that automatically and continually provide
compliance and reporting over manual human activity to achieve the same results.
WebApplicationSe
curity
T H E C H A L L E N G E S
K E Y B E N E F I T S
Implement cost-eective PCIcompliance and reporting
Provide continual protectionand built-in remediation
Reduce OpEx by using theADC platorm
7
7/29/2019 microsoft-exchange-security-solution-guid
9/10
F5 BIG-IP Application Security Manager (ASM) oers advanced, built-in
security protection and remote auditing to help you comply with industry security
standards, including PCI DSS, HIPAA, Basel II, and SOX. The system can be
deployed in Learning mode and then switched to Enorcement, where it
provides continual protection.
The deployment, conguration, and operation o BIG-IP ASM delivers compliance
in a cost-eective waywithout requiring multiple appliances, application
changes, or rewrites. Detailed PCI reporting determines i PCI DSS compliance is
being met, and it guides you through the necessary steps to become compliant.
T H E S O L U T I O N
7/29/2019 microsoft-exchange-security-solution-guid
10/10
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
L E A R N M O R E
To learn more about F5 solutions or Microsot,
please visit www.f5.com/microsoft.
Tech tips, discussion orums, ree samples,
and more can be ound on DevCentral,F5s global technical community, by visiting
devcentral.f5.com/microsoft.
http://www.f5.com/microsofthttp://localhost/var/www/apps/conversion/tmp/scratch_9/devcentral.f5.com/microsofthttp://localhost/var/www/apps/conversion/tmp/scratch_9/devcentral.f5.com/microsofthttp://www.f5.com/microsoft