A levelezési infrastruktúra hatékony védelmi megoldásai

Az előadások a következő témára: "A levelezési infrastruktúra hatékony védelmi megoldásai"— Előadás másolata:

1 A levelezési infrastruktúra hatékony védelmi megoldásai
4/4/2017 3:35 AM A levelezési infrastruktúra hatékony védelmi megoldásai Szirtes István tulajdonos, MVP minősítésű oktató Szirtes Technologies Oktatóközpont © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Miről lesz szó? A levelezéssel kapcsolatos aktuális biztonsági kérdések Az Exchange beépített biztonsági elemei FOPE és a Hosted Services bemutatása Együtt hatékonyabb a védelem - Forefront Protection 2010 for Exchange Maximizes malware detection without compromising performance. allows administrators to balance the security and performance needs of their specific environment by providing Intelligent Engine Selection Policy controls that manage the percentage of total selected engines used at any one time for a given scan job, then dynamically selecting the most up-to-date and effective engines to use for each scan. Performance is also maximized by using in-memory scanning, much more efficient than more traditional techniques (such as spooling to disk), as well as multi-threaded scanning that increases mail throughput by enabling the software to analyze multiple messages or documents simultaneously. Optimizes antivirus scanning on E14. Forefront Security for Exchange Server utilizes the transport agents and virus scanning API technologies of E14, helping provide compatibility, stability and optimal scanning performance for E14 server.

3 A levelezés sebezhetőségei
Továbbra is a vírusok és a spamek jelentik a legfőbb problémát A levelek >95%-a spam Jobb esetben csak kellemetlen, rosszabb estben károkozó A maradék üzletileg kritikus Az adathalász üzenetek egyre kifinomultabbak Ha a védelmi megoldásunk elhalálozik, akkor az ügyfeleinket nem tudjuk elérni, ahogy ők sem minket!

4 A legnépszerűbb email alapú fenyegetettségek
URL-be ágyazott Malware Adathalász üzenetek Mellékletben lévő Malware Adat kiszivárogtatás Spam IDC found that organizations are most concerned about -borne malware via URL links (56%), followed by phishing attacks (49%) and -borne malware via attachment (47%), as shown in Figure 2. We believe hackers are increasingly using multiple techniques to bypass older messaging security solutions. The practice of spammers embedding URL links in spam to lure users to malicious Web sites is a trend that IDC expects to increase rapidly. The growing use of blended threats will drive a convergence of Web and messaging security to defend against spam, phishing, spyware, viruses, and malicious Web sites. Messaging Security Survey: The Good, Bad, and Ugly Study # Feb by Brian E. Burke IDC: Február

5 Az IT biztonsági területei
Beépített biztonsági megoldások Biztonságos levelezés Biztonságos együttműködés Végpontok védelme Business Ready Security provides for six user- and asset-focused solutions that help reduce costs and simplify security management around the most-used enterprise IT infrastructure: Integrated Security: Easy to manage, comprehensive malware and information protection across the enterprise Secure Messaging: Secure business communication from virtually anywhere and on any device, while preventing unauthorized use of confidential information Secure Endpoint: Protect client and server operating systems from emerging threats and information loss, while enabling secure access from virtually anywhere and on any device Information Protection: Discover, protect, and control information contained in data in motion, data at rest, and data in use for organizations Identity and Access Management: Simplify identity and access management for secure, compliant access to applications on- premises and in the cloud from any location or device And today’s focus: Secure Messaging: Enable more secure business communication from virtually any location or device, while preventing unauthorized use of confidential information This solution encompasses both core components delivered as part of Windows Server 2008 (R2) and members of the Forefront Business Ready Security product family. Forefront Unified Access Gateway Secure remote access from virtually any location or device Security-enhanced access to applications that adheres to internal security and external compliance mandates Windows Active Directory Federation Services Simple access to hosted and cloud services Intra-company and cross-organization access and single sign-on Externalized authentication and authorization decisions Windows Server 2008 R2 Policy-based access and remediation through Network Access Protection (NAP) Always-on, IPv6-enabled seamless and secure connectivity via DirectAccess (DA) Forefront Protection Manager Single console for centrally managing remote access to SharePoint Server Help drive compliance with enterprise-wide reporting and visibility into threats Active Directory Rights Management Services Prevent information leakage and safeguard confidential data Guard against information leaks with access rights and usage policies no matter where content goes Forefront Protection 2010 for Exchange Protect documents from malware and inappropriate content Maintain compliance by persistently protecting documents Adatvédelem Azonosítás-, és hozzáférés kezelés

6 Az Exchange beépített védelmi elemei
4/4/2017 3:35 AM Az Exchange beépített védelmi elemei Az Exchange Server számos beépített védelmi megoldással rendelkezik a külső/belső fenyegetettségek ellen, pl.: spam, adathalászat, üzenetek lehallgatása és meghamisítása Határvédelem Az Edge Server szerepkör egy izolált hálózatban képes kiszűrni a vírusokat és spameket, mielőtt azok elérnék a belső üzenetkezelési infrastruktúrát! Perimeter Before we delve into our Better Together story, its important to point out that Exchange Server 2010 comes with its own comprehensive security features out of the box. Exchange Server 2010 actively protects your users, your systems and your organization’s intellectual property with built-in protection from external and internal threats including spam, phishing attacks as well as interception and tampering of messages (aka snooping and spoofing). Highlights include: Edge Server Role Server that sits in the DMZ between firewalls and your messaging infrastructure. Filters viruses (with Forefront or third-party protection) and spam before they hit your messaging infrastructure. Anti-spam Layered anti-spam filters per: connection, sender, recipient, content Comprehensive built-in anti-spam in the DMZ and behind the firewall with the Edge Server role. Encryption: Internal mail is encrypted by default Support for Mutual Transport Layer Security (mTLS) for secure communications with partners Information Rights Management can now be applied automatically using transport rules Az integrált, több rétegű anti-spam védelmi megoldás egy beérkező levél számos paraméterét vizsgálja, amit javasolt a vállalati infrastruktúra határán elvégezni! Anti-Spam Az összes belső üzenet alapértelmezettként tikosított, de emellett az Exchange támogatja az Information Rights Management alapú adatvédelmet is! Titkosítás © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

7 Beépített titkosítás Optimalizálva a belső és külső levélforgalomra
Felhasználási terület Típus Leírás Belső TLS, RPC, SSL A belső levélforgalom alapértelmezettként titkosított ÚJ! Kikapcsolható a TLS ha WAN gyorsítót használunk IRM ÚJ! Automatikus IRM védelem a Transport szabályokon keresztül Natív IRM támogatás az OWA-ban Vállalatok közötti mTLS Támogatja a biztonságos és kölcsönös (mutual) TLS alapú kapcsolatok kiépítését az Interneten át Exchange 2010 supports several encryption scenarios Across the organization Intra-Org Encryption. All mail traveling within an Exchange Server 2007 organization is encrypted by default. Transport Layer Security (TLS) is used for server-to-server traffic, Remote Procedure Call (RPC) is used for Outlook connections, and Secure Socket Layers (SSL) is used for Client Access traffic (Outlook Web Access, Exchange ActiveSync, and Web Services). This prevents spoofing and provides confidentiality messages in transit. Policy-Based IRM. Information Rights Management (IRM) can now be applied through transport rules to encrypt messages based on sender, receiver, content and other attributes. The AD RMS Prelicensing agent improves the experience of Exchange users when they open rights- protected messages - sticks right to open mail on message itself. Users no longer have to wait for the client to contact an AD RMS cluster to open a rights-protected message. This functionality improves the offline and mobile device synchronization scenarios. In the offline scenario, when a user is running Outlook in cache mode, rights-protected messages are pre-licensed so that if a user opens the rights-protected message when the user is offline, the content is accessible. For mobile devices that synchronize with Exchange 2007, rights-protected messages that are synchronized to the devices running Windows Mobile 6.0 are pre-licensed. Before took 30 seconds, now instant Business to business Support for mTSL (Transcript Security Layer) connectors: For out to partners, Exchange automatically supports TSL (Transcript Security Layer) encryption, including built-in certificates, as long as both hosts support TLS….this means that both inbound and outbound is automatically encrypted. This also ensures mail won’t be sent unless it can establish a secure connection to the partner’s server. Option to disable TLS: allows use of WAN Accelerators such Riverbed

8 Beépített spam szűrési technikák áttekintése
Course 10135A Module 6: Implementing Messaging Security Beépített spam szűrési technikák áttekintése Szolgáltatás A szűrés az üzenet alábbi paraméterén alapul Connection Filtering A külső SMTP kiszolgáló IP címe Content Filtering Az üzenet tartalma Sender ID A küldő kiszolgáló IP címe, ahonnan a levél érkezett Sender Filtering Az SMTP fejléc MAIL FROM mezőjében szereplő küldő Recipient Filtering Az SMTP fejléc RCPT TO mezőjében szereplő címzett Sender Reputation A küldő számos adatát figyelembe véve, egy megadott időben összevonva Attachment Filtering A mellékelt fájl neve, kiterjesztése vagy a MIME fájl típusa As you start this topic, ask the students about the anti-spam tools they are using currently in their organizations. Ask them how effective the tools are, and how much effort is involved in managing the solution. Next, discuss the agents available in Exchange Server 2010, and briefly discuss their functionality. If students are not familiar with the Exchange Server 2003 or Exchange Server 2007 anti-spam features, you might want to spend some additional time describing connection, recipient, and sender filtering, because this lesson does not cover them in detail.

9 A demókörnyezet Contoso.com Fabrikam.com E14 EDGE DC, DNS
E14 HUB, CAS, MAILBOX DC, DNS E14 HUB, CAS, MAILBOX

10 Beépített Anti-Spam szűrők Három réteg az átfogó védelemért
Kapcsolat szűrés 1 Bejövő levél IP Allow/Deny lists Third-party DNS block lists Global accept-deny lists 1 Kapcsolat szűrés Protokoll szűrés 2 2 Protokoll szűrés Admin karantén Sender reputation Protocol Analysis Sender/Receiver filtering Safelist Aggregation Sender ID SMTP Tarpitting 3 Tartalom szűrés Objective: Review core anti-spam protection for Exchange 2010 (from Exchange 2007). Here’s a simple schematic to help customers visualize our filtering approach. Connection filtering examines the IP address and filters by using (third-party) real-time (non-Microsoft) DNS block lists, rule-based block lists and global accept /deny and exception lists. Exchange provides an integrated, IP based block-and-allow list based on sender reputation. Lists are automatically updated as new versions become available. Administrators can establish additional IP allow-or-deny lists as needed. Sender-Recipient filtering scans specific addresses using: Sender Filtering blocks IP addresses of well-known spammers. When the Edge Transport server spots specific trends from a given domain, it can impose certain actions to either quarantine or reject incoming messages. Sender ID checks against a database to ensure that the sender address originates from the domain it claims to come from. Sender ID helps prevent domain spoofing and protect legitimate senders’ domain names and reputation and helps recipients more effectively identify and filter junk and phishing scams. Recipient Filter – blocks incoming messages addressed to aliases commonly used by spammers and specific valid recipients, such as unmonitored mailboxes and global distribution groups. Recipient lookup - blocks messages with invalid or nonexistent recipients Safelist Aggregration - Via EdgeSync, the Edge Transport server respects Outlook 2003 and Outlook safe sender lists to help reduce false positives. SMTP Tarpitting – enables throttling back of server response if potential spam is detected Protocol analysis calculates a Sender Reputation Level per sender and enables administrators to set a SRL threshold. The SRL is calculated by the Content Filter based on consolidated guidance from Connection, Sender/Recipient, Sender Reputation, Sender ID verification, and Outlook Postmark validation. Administrators can pre-configure actions on the message based on this SCL rating. Actions may include deliver to the inbox or junk mail folder, deliver to the spam quarantine, or reject outright and no deliver. NEW! Safe Sender Synch – reduces times to synch safe senders/blocked senders from Outlook from up to 8 hours in Exchange 2007 to an automatic, 30 second process. Content filtering scans all content within an . Highlights include: SmartScreen technology used to assess the contents of incoming messages to assign an SCL rating for junk processing based on transport and store thresholds. Microsoft SmartScreen content filtering technology uses a database extracted from billions of messages to understand the characteristics of spam messages and assess the probability that any message is spam). Anti-phishing capabilities are also built-in to help detect fraudulent links or spoofed domains and protect users from these types of online scams. When used with Outlook 2007, a phishing warning or block appears in the user interface. Computational postmark scanning – Content Filter understands postmarks applied by Outlook 2007 to mark as legitimate Attachment Filter agent – enables blocking or stripping of mail based on a file name or extension of attachments Bi-weekly updates – automatic updates to the Content Filter (daily with Forefront via the ECAL) Administrator Quarantine – captures suspicious messages (over a set SCL threshold) that an administrator can review and delete/allow Outlook provides its own junk mail filter, including safe sender / safe recipients lists, blocked senders and anti-phishing support. Postafiók Tartalom szűrés 3 SmartScreen Anti-Phishing Quarantine Postmark Scanning SCL Value Bi-weekly updates Attachment Filtering Beérkezett üzenetek Levélszemét © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 10 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11 Inkrementális Edge Sync Gyorsabb szinkronizáció a biztonságos/blokkolt küldőkkel
E2010: EDGE szinkronizálás = 30 másodperc E2007: Teljes AD szinkronizálás az Edge szerepkörrel ≥ 4 óra E2007: Biztonságos küldők + E2010: Blokkolt E2010: AUTO feltöltés = 30 másodperc E2007: Kézi feltöltés ≥ 4 óra A biztonságos és blokkolt küldők listája másodpercek alatt szinkronizálható az Edge kiszolgálóval!

12 Server Decryption Agent Titkosított IRM-mel védett levél
AV-AS vizsgálat az IRM-védett üzeneteken Üzenetek automatikus újra titkosítása a levél feldolgozási folyamatba beépítve Objective: Discuss tighter integration with AD RMS and benefits of decryption agent. The Server Decryption agent allows IRM protected messages to be decrypted by the system for virus scanning (as well as archiving, journaling purposes, and content filtering) Transport rules and journaling are all implemented as transport agents running on the transport extensibility APIs The extensibility API is “IRM-aware” meaning we automatically decrypt and re-encrypt all messages in the transport pipeline Decryption and re-encryption is transparent to the agents, so they continue accessing and modifying messages without a change

13 Microsoft biztonsági termékpalettája
Már kapható 2009 2010 2010 2. félév 1. félév 2. félév Felügyelet Management Consoles Védelmi és elérési megoldások AD RMS AD RMS Platform AD FS AD LDS AD CS AD DS NAP AD FS AD LDS AD CS AD DS Windows Identity Foundation NAP

14 Exchange Hosted Services
Hosted Filtering (FOPE) Akár a céges belső szabályozások szerinti működés melletti spam és vírusszűrés Hosted Archive (+FOPE) A vállalat korlátlan tárhelyet kap a felhasználói postafiókok archiválására 10 éves adatmegőrzési idővel Hosted Encryption (+FOPE) Szabály alapú titkosítás, ahol az üzenet jellemzői alapján dönthetünk, hogy szükséges-e a titkosítás vagy sem Hosted Continuity (+FOPE) Elsődleges üzenetkezelési rendszer kiesése esetén is képesek a felhasználók valós időben leveleket küldeni és fogadni, illetve elérik a 30 napnál nem régebbi üzeneteiket

15 4/4/2017 3:35 AM Forefront Online Protection for Exchange Többrétegű spam és vírusvédelem Külső küldő vagy címzett Vállalati hálózat Online Protection for Exchange Exchange Server Üzleti levél Antivirus Megszűrt kimenő levél Megszűrt beérkező levél Policy Edge Blocking Active Directory * Encryption Directory Synchronization Tool Anti-spam Levélszemét Disaster Recovery Admin Forefront Online Security for Exchange includes layers of anti-spam technology and multiple antivirus engines like FSE. FOSE also includes: Real-Time Message Trace and Reporting Real time reporting and the powerful Message Trace tool give administrators insight into their environment by retrieving the status of any processed by Forefront Online Security for Exchange in real-time. Disaster Recovery If the destination server becomes unavailable for any reason, Forefront Online Security for Exchange helps to ensure no is lost or bounced by automatically queuing for up to five days, attempting to deliver the every 20 minutes. End User Quarantine Administrator Console Levelek kb. 95%-a szemét Felhasználók 15 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

16 FOPE – az architektúra áttekintése
Internet I N T E R FOPE Online szolgáltatás Ügyfél levelező szervere Spam karantén

17 FOPE Szolgáltatási szint megállapodás
99.999% rendelkezésre állás <1 percen belüli levél kézbesítés 100% ismert vírusok kiszűrése >98% hatékonyságú spam szűrés <1 hiba (False Positive) / 250,000 levél Pénzügyi garancia Minél rosszabb a teljesítmény, annál nagyobb a visszafizetés

18 Együtt hatékonyabb a védelem Mélységi védelem
Exchange 2010 Forefront Titkosítás Spam szűrés Vírusvédelem Vállalaton belül alapértelmezett Vállalatok között TLS támogatás IRM támogatás Alapszintű Több motor Anti-Malware detektálás Kiterjesztett Introduce how Exchange security is complimented by the Microsoft Forefront security products. Highlight how integration with Forefront offers: Multi-engine Anti-virus protection NEW premium anti-spam filtering A unified management experience Option of hosted or hybrid protection with FSE + FOSE Egyesített felügyelet Több faktoros védelem Standard CAL Enterprise CAL

19 Forefront Protection 2010 for Exchange
Edge Transport AV/AS Vállalati infrastruktúra Hub Transport Továbbítás, házirendek AV/AS Telefon rendszer (PBX / VOIP) MTA Mailbox Postafiók Adatbázis AV/AS Unified Messaging Hangüzenet és hangvezérlés Mobiltelefon Forefront Security for Exchange Server provides protection for Exchange 2010 Edge, Hub and Mailbox server roles. If a scan fails at the Edge, mail is still scanned at the Hub. This layered protection is a vital backup to help stop malicious attacks before they impact the network or end-user productivity. To eliminate redundant scanning of mail, Forefront Security for Exchange Server attaches a secure antivirus header stamp to each as it is first scanned at an Exchange 2007 Edge or Hub server. The mail is delivered without additional scanning, saving processing load at the Hub and Store. Also stops re-scanning weeks or months-old mail at the Store by limiting the range of a background scan. Incremental background scanning can be scoped to inspect only messages that are most likely to be infected. Web böngésző Client Access Kliens kapcsolódás Web szolgáltatások Outlook (távoli felhasználó) Outlook (helyi felhasználó) Üzleti alkalmazások

20 FPE bevezetési 1x1 Rendszerünket több ponton védjük:
Course 10135A Module 6: Implementing Messaging Security FPE bevezetési 1x1 Rendszerünket több ponton védjük: FPE az Edge vagy a Hub Transport szerverre FPE a Mailbox szerverre FCS a végpontokra Az FPE használatánál gondoljuk végig az alábbiakat: Hány motort fogunk használni Milyen paramétereket vizsgálunk Tartsuk naprakészen a víruskereső motorokat Discuss the options and other considerations for deploying Forefront Security. Mention that as a baseline, it is important to install an antivirus solution on all Hub and Edge Transport servers. You could also discuss the advantages and disadvantages of installing a virus scanner on the Mailbox server. Explain the different types of virus scanners that are available in Forefront Security, and how many should be used to scan messages. A best practice is to select five virus scanners, and scan each message with at least one, but a maximum of three scanners. Lead a discussion with students about on which roles you should or you should not deploy ForeFront for Exchange. Also, discuss some possible scenarios for deploying ForeFront for Exchange .

21 Forefront Anti-virus Több malware motor együttes használata
Egyszerű telepítési megoldás összetett integrációs technológiák használatával Az összes keresőmotort beépítve tartalmazza alapáron Egyidejűleg akár 5 motor futtatása bármilyen keresésre A B C E D Messaging and Collaboration Servers Both FSE and FOSE integrates industry leading antimalware and antispam engine Each scanning process can use up to 5 different antimalware engines. (3 are included with FOSE)

22 Az összetett motor előnyei
Válaszidők (órában) Egymotoros megoldás Gyors válasz az új fenyegetésekre Hibamentes védelem a redundancia következtében Különböző antivírus motorok és heurisztikus keresések WildList Számok Malware neve Forefront Motorok Vendor A Vendor B Vendor C 01/09 autorun_itw542.ex_ 0.00 89.83 buzus_itw3.ex_ 2.92 10.87 53.98 conficker_itw5.dl_ 113.55 koobface_itw18.ex_ 360.65 momibot_itw2.ex_ 982.05 pinit_itw2.ex_ 42.85 205.03 873.23 zbot_itw30.ex_ zbot_itw31.ex_ 0.67 990.50 1.17 53.75 zbot_itw39.ex_ 946.40 02/09 agent_itw94.ex_ 204.17 723.10 autorun_itw580.ex_ 341.37 917.60 336.67 autorun_itw585.ex_ 602.93 autorun_itw594.ex_ 704.05 42.40 magania_itw21.ex_ 522.60 onlinegames_itw624.ex_ 386.88 22.12 onlinegames_itw627.ex_ 207.33 60.88 7.42 onlinegames_itw643.ex_ 22.13 6.22 32.18 zbot_itw42.ex_ 03/09 autoit_itw90.ex_ autorun_itw597.ex_ 555.12 16.88 autorun_itw598.ex_ 2.88 187.27 667.85 autorun_itw601.ex_ 510.32 autorun_itw616.ex_ ircbot_itw485.ex_ 3.37 0.37 79.05 mariof_itw2.ex_ 309.40 945.95 653.03 onlinegames_itw651.ex_ 145.48 55.47 zbot_itw43.ex_ 757.28 AV lab response times were tested for 365 “In the Wild” viruses and variants that appeared from January – March 2009. Tested the next generation of Forefront server security engine set vs. three single-engine vendors Results 203 viruses were proactively detected by all labs 162 viruses showed significant variations in detection times. The Forefront engine set performed much better when compared to three leading competitors tested. Forefront server security engines had an average detection time of 6 hours for this three month period. The competitive solutions had average detection times of 26 hours, 83 hours and 206 hours, respectively. Kevesebb mint 5 óra 5 és 24 óra között Több mint 24 óra Forrás: AV-Test.org 2009 ( 22 22

23 Mennyire jó a technológia?
AVTest.org Provides 98% detection of malware and 100% detection of rootkits.  Andreas Marx, CEO of AV-Test.org, says MSE's 100 percent rootkit detection rate was "very impressive." Softpedia Received 5 out of 5 stars and an “excellent” rating.  “MSE is exactly what a home user needs: elevated protection against malware in an application that requires as little effort possible to configure, with a clear interface and uncomplicated options.  All this at no cost at all….” On-demand detection WildList Viruses Worms & bots Polymorphic viruses Trojans McAfee 100% 90.62% Microsoft 92.75% Symantec 92.13% Vendor Proactive Detection Rate # of False Positives Avira 69% 24 Microsoft 60% 2 G Data 44 ESET NOD32 56% 13 BitDefender 50% 25 Kaspersky 14 eScan 17 AVG 45% TrustPort 42% 27 Avast 28 Sophos 37% 5 Symantec 35% 7 McAfee 25% Norman 23% 23 Kingsoft 19% 66 F-Secure 14% Virus Bulletin (October 2009) “Scanning speeds leaned towards the better end of the scale, and detection rates showed a continuation of Microsoft’s  inexorable improvement, with some excellent scores in the [proactive] sets once again...” AV Comparatives Proactive Detection (May 2009)

24 Premium Anti-Spam Funkcionális áttekintés
Exchange 2010 + Forefront Előnyök Kapcsolat szűrés Forefront DNS szűrési lista A több forrásból egyesített DNS szűrési lista Nincs szükség konfigurációra Forefront egységes felügyelet Protokoll szűrés Egyesített felügyelet A Sender/Recipient/Sender ID szűrési funkciók egységesített felületen Anti-Backscatter Megakadályozza az NDR típusú backscatter spam áradatot Tartalom szűrés Cloudmark szűrő Microsoft saját spam szűrő motorja 99% találati ráta; 0.04% false pozitív eredmény Nincs szükség konfigurációra Forefront fájlok típusszűrése A valódi fájlformátumot is vizsgálja, nem csak a fájl kiterjesztését Képes a tömörített fájlokon belüli fenyegetettségeket is kiszűrni Globális kivétel listák A küldők és címzettek kivétel listája egy egyszerűsített felületen keresztül szerkeszthető Forefront Security for Exchange now provides its own anti-spam filtering which builds on the existing Exchange anti- spam agents Connection Filtering Exchange provides great static lists. Exchange also provides ability to add 3rd party providers Forefront utilizes the 3rd party addition capabilities of Exchange and auto-configures the DNSBL. Aggregates DNS data from a number of providers such as Hotmail, Spamhaus and Forefront Online – no configuration required Protocol Filtering Unified Management Exchange provides super-efficient, and SMTP pipeline integrated, high quality agents Management UI consolidates Sender/Recipient/Sender ID filtering for simplified management Anti-backscatter agent Additional Forefront agent blocks bounce-back messages sent to non-existent recipients using a spoofed sender’s address Spammers collect real addresses, often through computer viruses that steal addresses from corporate databases. Then they fake — or "spoof" — those addresses to send spam that appears to come from an individual. The trouble comes when spam sent from your spoofed address is aimed at recipinets that don't actually exist. (Spammers often blast messages to bulk lists that include addresses that are old or non-existent.) The bounced-back is returned to the address of the victimized user. Content Filtering Cloudmark Filter Microsoft has partnered with Cloudmark to offer their content analysis engine Cloudmark Authority Engine (CMAE) is a lightweight anti-spam plug-in for Microsoft Exchange that provides high-accuracy, real-time protection against spam, phishing, and -borne viruses. In recent testing by West Coast Labs, we achieved a premium anti-spam checkmark certification with over 99% spam detection. Unlike Exchange content filter, administrators don’t have to configure keywords and write regular expressions Quarantine Unlike the Exchange quarantine – which is actually just a mailbox – the Forefront quarantine is a directory which is automatically set up. Since we control it, putting virus’ in there is safer. If you use Stirling, you have a consolidated view and management of quarantine. Attachment Filtering Forefront True File Type Filtering Inspects the file type, not just the extension Prevents sending a file under a different name Can also spot and delete files within ZIP and other compressed formats

25 FPE Backscatter védelem Hogyan működik?
4/4/2017 3:35 AM FPE Backscatter védelem Hogyan működik? I N T E R Valós feladó FPE Fogadó MTA 1. A feladó levelet küld a vállalati infrastruktúrán keresztül 3. A fogadó DSN vagy NDR üzenetet küld vissza Az FPE Backscatter védelmi elem egy tokent generál a levélhez 4. Az FPE keresi a levélben a korábban generált tokent 5. Ha létezik a token, akkor kézbesül a DSN vagy az NDR © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

26 FPE Backscatter védelem
4/4/2017 3:35 AM FPE Backscatter védelem Hogyan működik – Backscatter NDR I N T E R Valós feladó FPE Fogadó MTA 1. A Spammer létrehoz egy levelet a MAIL FROM mezőben egy hamis címmel, és elküldi a megtámadott levelező szerverre, hogy az továbbítsa azt a vállalati feladónak Spammer 3. Az FPE ellenőrzi a beérkező levél tokenjét 4. Nincs token! A levél Backscatter spam! A fogadó MTA továbbítja a DSN vagy NDR üzenetet az eredeti feladónak © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

27 Cloudmark Frissítések
ECAL vásárlóknak prémium Forefront szűrés és frissítések Simább átállás az Exchange összetett szűrésről Forefront-ra Cloudmark motor spam értékelése az SCL pontozással összefügg Smartscreen frissítések (Exchange 2007) Cloudmark frissítések (Exchange 2010) Típus Aláírások Ujjlenyomatok Frissítési gyakoriság Minden 6. órában 30-45 másodpercenként (micro) ~5 percenként (teljes) Frissítések forrása Gépek tanulása alapján (fogyasztói) Központi visszacsatolások (vállalati) ECAL customers move to Cloudmark premium content filter Smooth transition from Exchange Content Filter to Cloudmark Cloudmark plugs in (and configures automatically) into the Exchange Stack Cloudmark verdict translated to SCL rating to preserve the SCL infrastructure Rolls all into a simplified UI/Management. Use RBAC for out-of-box operation Cloudmark updates: FSE continues to offer rapid engine and signature updates for its antispam engine. The engine update is offered through Microsoft’s Rapid Update System, which delivers a new engine within one hour of its availability. The signatures are automatically updated by the spam engine every 45 seconds to five minutes, depending on the type of signature. The updates are scheduled automatically. You can turn on the manual mode and schedule it yourself; however, we do not recommend configuring the update schedules for antispam. Cloudmark has 11 signature-sets. Each set updates at different frequency. The fastest update is 45 seconds. Cloudmark update is fingerprints versus signatures in case of SmartScreen. SmartScreen updates are based on machine learning (currently we have no Enterprise Feedback Loop). Cloudmark updates are based on a Global Threat Network Feedback Loop. Global Threat Network (GTN): Relies on a self-organizing community of users to flag spam. Because spam consists of a single message seen by a large number of individuals, the training load associated with an automated spam filter is distributed across a large community of individuals who all receive the same unwanted messages. This self- organizing community collectively classifies new messages as “spam” or “not spam.” Operating on a massive scale, the GTN filters spam globally for some 180 million people. The GTN uses the first few reports to determine if a message is spam or legitimate , so that only a few reporters are necessary to train the classifier for a new spam attack. To ensure the integrity of user-submitted feedback, a reputation metric analyzer at the core of GTN models historical consensus and disagreement in the recipient community. This automated, real-time approach significantly improves the catch rate and reduces false positives.

28 Kombinált védelem FOPE + FPE + Exchange
Tűzfal Vállalati alkalmazások Internet Spam házirend Spam házirend FOSE Gateway Komplett felügyeleti szabály In this slide we show how Forefront Online Security for Exchange hosted hygiene service can be integrated into overall protection scheme On premise, security polices, including spam policies can be established. Spam policies can be pushed to Forefront Online Security hosted service. This provides for local management of hosted antispam policies. This provides a hybrid solution where the hosted service provides spam protection in the cloud. Since the percentage of spam can be over 90% of an organizations incoming mail, hosted spam protection can allow more efficient use of on premise resources. SMTP Edge Hub Levelező szerver Online Protection for Exchange

29 Exchange + Forefront - együtt hatékonyabbak
Amit az Exchange 2010 nyújt… Alapértelmezett titkosítás és az IRM beépített támogatása Rugalmasan konfigurálható anti-spam funkciók Felhasználó alapú SCL értékek Inkrementális Edge Sync folyamat a biztonságos/blokkolt küldők listájához A címzett listát az Outlookkal is szinkronizálja A Forefront által nyújtott többletszolgáltatások Több anti-malware motor együttes használata Egyszerűen konfigurálható anti-spam ügynökök Egyesített felügyelet az FSE, Exchange, FOSE termékekhez Kiváló hatékonyságú anti-spam motorok (98% detektálási ráta) Költségek csökkentésének lehetősége a hostolt és hibrid védelmi megoldásokkal Állítsd be és felejtsd el!!!

30 4/4/2017 3:35 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.