Edge Security with Forefront
Sandeep Modhvadia, Security Specialist

Agenda
• ISA Server 2006: What’s New, What’s Improved, SSO Publishing Demo, Hardware Sizing
• Whale Intelligent Application Gateway: What is it? How does it Work? Custom Publishing Demo
• Q&A
ISA Server 2006 – Improved
• Exchange Publishing: support for Exchange 2007
• Certificate Management
• Forms Based Authentication: custom forms, multi-language support
• Authentication Enhancements: certificates, OTP, RADIUS, LDAP
ISA Server 2006 – New Features
• Single Sign On: cookie based authentication
• SharePoint publishing: specialised wizard-driven publishing
• Cross Array Link Translation
Demo Custom FBA and Single Sign On
What Is Whale?
[Diagram: the Whale Intelligent Application Gateway arranged around three questions: WHAT? (applications), WHO? (users and policy) and WHERE? (devices)]
• Policy & Regulation Awareness Centre: ISO7799, Basel2, SarbOx, Corporate Governance
• Applications Knowledge Centre: Citrix, OWA, SharePoint, Exchange/Outlook OWA, SharePoint/Portals, Generic Applications
• Devices Knowledge Centre: PDA, Linux, Windows, MAC, Web
• SSL VPN Gateway core: Java/Browser Embedded; Client/Server Tunneling; Application Aware Modules; Specific Applications; Authentication, Security, Authorization; User Experience
• Platform services: High-Availability, Management, Logging, Reporting, Multiple Portals
Integrated Solution Benefits
[Diagram, repeated on each step slide: External World -> External e-Gap (Virtual Web Server, SSL Engine, Browser-Side Security Manager, Authentication, SBC) -> Air Gap Switch -> Internal e-Gap (App-Level Inspection, HAT Engine, Authentication, SBC) -> Intranet: Real Web Server, e-Mail, File Shares (SMB)]

Data flow, step by step:
1. User types URL into browser.
2. Transaction is sent over the internet to the external server.
3. External e-Gap receives the packet.
4. All protocol layers and TCP/IP headers are stripped off.
5. Still-encrypted data is transferred to the memory bank via SCSI connection.
6. Air Gap Switch disconnects from the external server and connects to the internal server.
7. Data is fetched from appliance memory.
8. Data is decrypted, SSL session is established and a platform-dependent Endpoint Compliance Module is sent back to the browser to interrogate the machine.
9. If the Endpoint Compliance Module doesn’t find the machine ‘up to scratch’, stricter security policies are enforced.
10. Encrypted login page is generated and sent back.
11. Customized login page appears in the browser’s window (Username: John Smith, Password: ***********, SecurID: **********).
12. User completes authorization credentials and submits the response.
13. Air Gap Switch shuttles the data across the air gap.
14. Internal e-Gap server checks user credentials with the appropriate authentication server; user is authenticated. Authentication credentials are combined with Endpoint Compliance results to determine the Access Policy.
15. User receives a dynamically generated “Home Page” (based on identity and location) and selects the desired application.
16. Air Gap Switch shuttles the data across the air gap.
17. Application data is inspected and compared to the Mandatory Access Control List.
18. HAT Engine determines which backend server to relay the request to.
19. Data is dispatched to the appropriate server.
20. Application generates the response.
21. Response is converted by the HAT engine for external use. Response may also be rewritten and/or blocked depending on Policy.
22. User works with the application as if inside the corporate network environment.
23. After the user completes the session, Attachment Wiper cleans up to ensure nothing sensitive remains on the access machine.
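The steps after login (endpoint tier combined with identity to build the home page, app-level inspection against a Mandatory Access Control List, HAT routing to a backend, and HAT rewriting of the response for external use) can be modelled in a few dozen lines. The following is an added example written for this page, not Whale or Microsoft code; the application catalogue, MAC list, gateway hostname `gateway.example.com`, backend names and the `EndpointReport` fields are all constructed for illustration.

```python
"""Toy model of the IAG post-login pipeline (added example, not product code):
endpoint tier -> home page -> MAC-list inspection -> HAT routing -> HAT rewrite.
All hostnames, applications and policy values below are constructed."""
import re
from dataclasses import dataclass

EXTERNAL_HOST = "gateway.example.com"   # hypothetical external gateway name

# Hypothetical application catalogue: required group, minimum endpoint tier,
# and the internal backend the HAT engine relays the request to.
APPLICATIONS = {
    "owa":        {"group": "staff",   "min_tier": "restricted",
                   "backend": "https://mail.corp.local"},
    "sharepoint": {"group": "staff",   "min_tier": "managed",
                   "backend": "https://portal.corp.local"},
    "fileshare":  {"group": "finance", "min_tier": "managed",
                   "backend": "https://files.corp.local"},
}

# Hypothetical Mandatory Access Control List: per application, the methods
# and internal path prefixes that app-level inspection lets through.
MAC_LIST = {
    "owa":        {"methods": {"GET", "POST"}, "paths": ("/owa/",)},
    "sharepoint": {"methods": {"GET", "POST"}, "paths": ("/sites/", "/_layouts/")},
    "fileshare":  {"methods": {"GET"},         "paths": ("/share/",)},
}

TIER_RANK = {"restricted": 0, "managed": 1}


@dataclass
class EndpointReport:
    """What the Endpoint Compliance Module reported back (constructed fields)."""
    antivirus_current: bool
    domain_joined: bool


def classify_endpoint(report: EndpointReport) -> str:
    """A machine that is not 'up to scratch' lands in the stricter tier."""
    if report.antivirus_current and report.domain_joined:
        return "managed"
    return "restricted"


def home_page(user_groups: set, tier: str) -> list:
    """Access policy = identity (group membership) combined with endpoint tier.
    Returns the applications shown on the dynamically generated home page."""
    return sorted(
        app for app, meta in APPLICATIONS.items()
        if meta["group"] in user_groups
        and TIER_RANK[tier] >= TIER_RANK[meta["min_tier"]]
    )


def hat_route(external_path: str):
    """HAT engine: map /<app>/<internal path> to (app, backend, internal_path).
    Returns None when the prefix is not a published application."""
    parts = external_path.lstrip("/").split("/", 1)
    app = parts[0]
    if app not in APPLICATIONS:
        return None
    internal_path = "/" + (parts[1] if len(parts) > 1 else "")
    return app, APPLICATIONS[app]["backend"], internal_path


def inspect_request(app: str, method: str, internal_path: str) -> bool:
    """App-level inspection against the MAC list: default deny."""
    rule = MAC_LIST.get(app)
    if rule is None or method not in rule["methods"]:
        return False
    # Reject traversal before prefix matching so '/sites/../x' cannot pass.
    if "/../" in internal_path + "/":
        return False
    return internal_path.startswith(rule["paths"])


def hat_rewrite(body: str) -> str:
    """Convert a backend response for external use: absolute internal URLs
    become gateway URLs, so the browser never sees internal hostnames."""
    for app, meta in APPLICATIONS.items():
        pattern = re.escape(meta["backend"]) + r'(?=[/"\s]|$)'
        body = re.sub(pattern, f"https://{EXTERNAL_HOST}/{app}", body)
    return body


def handle(user_groups, report, method, external_path, backend_body):
    """Run the whole pipeline; returns (status, body) as it would leave the gateway."""
    tier = classify_endpoint(report)
    routed = hat_route(external_path)
    if routed is None:
        return 404, "no such application"
    app, backend, internal_path = routed
    if app not in home_page(user_groups, tier):
        return 403, "application not permitted for this user/endpoint"
    if not inspect_request(app, method, internal_path):
        return 403, "request rejected by app-level inspection"
    # backend_body stands in for the response of the server chosen above.
    return 200, hat_rewrite(backend_body)


if __name__ == "__main__":
    managed = EndpointReport(antivirus_current=True, domain_joined=True)
    print(handle({"staff"}, managed, "GET", "/sharepoint/sites/hr",
                 '<a href="https://portal.corp.local/sites/hr/doc">'))
```

The same user with a non-compliant endpoint (antivirus out of date, for example) still sees OWA on the home page but not SharePoint, which is the "stricter policy" of step 9; the traversal check in `inspect_request` is the kind of defence that belongs in front of any prefix-based MAC list.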
Demo Custom Application Publishing with Whale
Gateway Roadmap
• Whale Intelligent Application Gateway * (incl. ISA Server 2004)
  • Express Edition
  • Enterprise Edition
  • Application Optimizers
  • Network Connectivity Modules
• Integrated appliances with ISA Server 2006 + Whale IAG
  • Standard Edition
  • Enterprise Edition
  • Updated software for ISA and IAG
  • OEM-ready
  • Continued 3rd-party application support
  • Single-server config
• Unified Access Gateway, “Longhorn” Server wave
  • OEM appliances
  • Software availability
  • NAP, IPv6, 64-bit support
  • Consistent policy framework
  • Broader authentication tools (ADFS, smartcard)
  • Enhanced network connectivity
  • Improved enterprise application support
For More Information
• www.microsoft.com/isaserver
• www.microsoft.com/forefront

Thank you for attending this TechNet Event. Find these slides at: http://www.microsoft.com/uk/technetslides