420 likes | 441 Vues
Protection: Targeting Spam with Microsoft Forefront. Agenda Next Generation Antispam Protection . Forefront Overview Forefront Security for Exchange Server Forefront Online Security for Exchange Hybrid Software + Services Solution Summary Q&A.
E N D
AgendaNext Generation Antispam Protection • Forefront Overview • Forefront Security for Exchange Server • Forefront Online Security for Exchange • Hybrid Software + Services Solution • Summary • Q&A
Business Ready SecurityHelp securely enable business by managing risk and empowering people Integrate and extend security across the enterprise Protect everywhere, access anywhere Protection Access Identity Management Highly Secure & Interoperable Platform Simplify the security experience, manage compliance from: to: Block Enable Cost Value Siloed Seamless
Code Name "Stirling" Anintegrated security suite that deliverscomprehensive protection across clients, servers, and the edge that is easy to manage and control. “Stirling “Central Management Server Comprehensive Protection Critical Visibility Simplified Management Client &Server OS Network Edge Server Applications Third-Party Partner Solutions Other Microsoft Solutions Active Directory Network Access Protection
Forefront Security for ExchangeFSE At a Glance • An easy to manage premium Antimalware and Antispam solution for Microsoft Exchange servers • Comprehensive Protection • Multi-Layer Antispam • Multi engine Antimalware • File and Keyword filtering • Supports Exchange 2007 and Exchange 2010
Antispam Landscape • Forefront Online Security for Exchange filtered 97.3% of all email it received (H2 2008) • 90% of bounce messages generated during December 2008 were the result of backscatter • Microsoft Security Intelligence Reporthttp://www.microsoft.com/security/portal/sir.aspx
Verified Effectiveness • West Coast Labs • Industry recognized spam testing facility • Premium Antispam certification • Requires 97% catch rate • Forefront Security for ExchangeBeta 2 Test Results • 99% spam catch rate • False positive rate of 0.0005%
FSE Antispam Deployment Edge Internal Network Exchange Edge Exchange Hub Exchange Mailbox Spam Exchange CAS User
SMTP Send Delivery Queue SMTP Receive Submission Queue Categorizer SMTP SMTP Recipient API Ex Submit (MAPI -> SMTP) Pickup Directory Exchange Biz Logic • Exchange Integration • Forefront is built on the top of Exchange’s publically documented Transport APIs • Forefront premium antispam agents can be deployed separately or in conjunction with basic Exchange agents (excluding Content Filter) • Forefront architecture is highly adaptive, extensible, and engine independent. Forefront Antispam Transport Agent/Message API Agent Run Time Engine (MEx) AD
FSE Antispam ProtectionAreas of analysis • IP Source • SMTP / Envelope • Content • Outlook client integration
FSE Antispam ProtectionIP Source Related • IP Allow / Deny Lists • DNSBL • Microsoft Hosted – No additional cost • Aggregates multiple RBL feeds
FSE and DNSBLHow it works • 1. Forefront DNSBL agent is triggered by connection request from the Internet FSE-protected Exchange server • Response • Match returns 127.0.0.x code (drop)No match returns NXDOMAIN (accept) • Microsoft hosted DNSBL is totally transparentThere is nothing additional to purchase or configure Forefront DNSBL agent constructs and sends a specially formatted DNS query to the Microsoft hosted DNSBL server I N T E R N E T Connecting Client 3. Microsoft hosted DNSBL server validates and responds to the query FOSE DNSBL Servers
FSE Antispam ProtectionSMTP Envelope / Data Related • Per Organization • Backscatter Protection • SenderID Verification • Global Sender Filtering • Global Recipient Filtering • Global Exclusion List • Per Recipient • Safe / Blocked Senders • Safe / Blocked Recipients
FSE SenderID FilteringHow it works • 1. Forefront agent is triggered by connection request from the Internet FSE-protected Exchange server • Support for current and legacy representation of DNS entries • SPF 1.0 and SPF 2.0 • DNS record types TXT and SPF (type 99)x Forefront SenderID agent queries the sending mail domain’s DNS server I N T E R N E T 3. Mail senders’s DNS responds to the query Connecting Client 4. Forefront SenderID agent verifies IP of connecting client is authorized to send mail for the domain Mail Domains DNS Servers
FSE Antispam ProtectionContentRelated • New content filtering agent • Integration of Cloudmark Authority ® technology • Carrier grade performance, accuracy and protection • Configurable ranges for certain vs. suspect spam allowing for deletion or quarantine of gray-mail • Forefront Keyword Filtering • Forefront True File Type Filtering
Cloudmark® Content Fingerprinting Fingerprint Cache Spam Reject Legit. FSE-protected Exchange recipient • Message preprocessing occurs to normalize content • Relevant parts of the message are analyzed • Message components reduced to a short set of anonymous fingerprints • Fingerprints compared to local cache of known bad fingerprints • Match :message is identified as abuse • No match: Heuristics are applied • No match & No heuristics: message is identified as legitimate
Content Filter Spam Confidence Level • All “good” e-mail gets assigned an SCL of -1 • Forefront will reassign an SCL of -1 to all mail determined to be in the range of 0 – 4 by the content analyzer. • Prevents re-evaluation by Outlook • E-mail within 5 to 9 is subject to the following actions: • Reject • Delete • Stamp and Continue • Quarantine
FSE Antispam ProtectionOutlook Client Related • No more junk mail… almost • Mail determined to be clean is delivered directly to the user’s inbox • User’s custom settings are evaluated on the server
demo Forefront Security for Exchange Antispam John Gargiulo Sr. Program Manager Lead Microsoft
FSE Antispam Message Flow Summary ConnectionRelated SMTPRelated Content Related Outlook • Safelisted Mail • Guaranteed to Inbox • Immediate Delivery • Rich rendering Yes Yes No No Yes Safe IP Bypass Valid Message Flow • AS Processed Mail • Guaranteed to Inbox • Delivery after AS filtering • Conditional Rendering Maybe • SPAM and Bcon • Reduced Delivery Rates • Moved to JEF • Mail not Richly Rendered Reject Reject Quarantine Filter IP Allow IP Block DNSBL Global Lists BackscatterPer-recipient Lists SenderID Content Analysis Quarantine Keyword File Filtering Junk Mail Folder Conditional Rendering End User List Management
Forefront Online Security for Exchange(FOSE) Terry Zink Program Manager Microsoft
FOSE Overview Real-time threat prevention Layered anti-spam and antivirus Customized policy enforcement Microsoft Forefront Online Security for Exchange Key Highlights 100% virus detection 98% spam detection 1:250,000 false positives 99.999% network uptime Rapid email delivery (< 1 minute)
FOSE Architecture Overview Internet Cloud I N T E R N E T FOSE Online Service Customer Mail server Spam quarantine
FOSE Global Network Infrastructure • Network infrastructure that delivers reliability and scalability • Hosted services provisioned across a global network infrastructure • Fully redundant, load-balanced architecture • Scalability to handle all message volume variations Washington Ireland Netherlands Virginia California Texas Singapore
FOSE Antispam Improvements • Extended Reputation Lists • IP reputation lists • URL reputation lists • Backscatter Spam Mitigation • Outbound Spam Mitigation
Enhanced Reputation Lists Bad URLs URIBL.com Spam Rules Database Spam Filter Non-Permitted IPs Clean-up Process Internet Service Providers
Enhanced Reputation Lists Bad URLs URIBL.com Spam Rules Database Spam Filter Non-Permitted IPs Clean-up Process Internet Service Providers
BackscatterThe Problem • ‘Backscatter spam’ gums up many e-mail inboxes • Dubbed backscatter spam, this latest fad is clogging email accounts and slowing victims’ inboxes to a crawl. Up to 3% of all email today is backscatter… http://www.usatoday.com/tech/news/2008-10-20-backspatter-spam_N.htm • 90% of FOSE bounce messages are backscatter • 6 million / day • Number 2 customer complaint
FOSE Backscatter ProtectionHow it works – Valid NDR I N T E R N E T Valid User (you@example.com) FOSE Receiving Mail Server • 1. Outbound customers sends email through FOSE 3. Receiver cannot deliver, must send bounce message The FOSE Server inserts custom tokens • 4. FOSE Inbound Server looks for tokens 5. Tokens exist, deliver NDR to user <prvs=12we34fnr=you@example.com>
FOSE Backscatter Protection • How it works – Backscatter NDR I N T E R N E T Valid User (you@example.com) Receiving Mail Server FOSE Spammer 1. Spammer generates an email with a forged MAIL FROM address and sends to receiving email server<you@example.com> 3. FOSE Inbound Server looks for tokens 4. No tokens exist! Message is backscatter spam! Receiver cannot deliver, must send bounce message
Outbound Spam Mitigation FOSE Regular Outbound Customer 1 Customer 2 Customer 3 FOSE NDR Pool FOSE Spam Filter
Outbound Spam Monitoring Customer 1 Customer 3 spamloop@... Spam! Spam! Spam! FOSE Spam Filter SEWR Report Statistical Analysis Alert! Statistics
Hybrid Solution Bringing together on-premise and hosted protection
FOSE GatewayThe bridge between on-premisee and the cloud • Managed from on-premise systems • Forefront Code Name Stirling console • FSE Stand alone UI • Synchronizes on-premise data with FOSE • Active Directory information • FSE Antispam policy • Collects data from FOSE to on-premise systems • Quarantine information • Statistics
FOSE Gateway – Policy ManagementHow it works I N T E R N E T FOSE Gateway FOSEBackend Forefront Stirling Console Forefront Edge Server 1. Antispam policy defined on Stirling Console 3. FOSE Gateway pushes policy to FOSE Backend via web service call 2. Policy assigned to asset group and pushed out to Edge Server and FOSE Gateway 4. Antispam policy put into effect on FOSE Backend
FOSE Gateway – Data CollectionHow it works I N T E R N E T FOSE Gateway FOSEBackend Forefront Code Name Stirling Console 1. FOSE Server makes scheduled web service calls to FOSE Backend to collect quarantine and statistics information 2. FOSE Gateway sends data to the Stirling Server for centralized storage 3. FOSE information available to administrator alongside on-premise data via the Stirling Console
Summary • Forefront provides a premium antispam solution for on-premise, hosted, and hybrid environments • Simplified management experience across on-premise and hosted environments from a single console • Innovative, leading technology to combat spam and keep it out of your inbox • Microsoft is committed to helping you fight and win the war on spam
Call To Action • Maintain the good reputation of your mail domain, reduce spam and improve mail delivery by deploying Forefront Antispam technologies
Required Slide A slide outlining the 2009 evaluation process and prizes will be provided closer to the event.
Required Slide © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.