
Page 1 (9/25/2009)

Henk Den Baes, Technology Advisor, Microsoft BeLux
Source: cevi-users.cevi.be/Portals/ceviusers/images/default/2_Microsoft...

Diagram labels: Independent Consultant; Partner Organization; Home; Mobile Devices; USB Drive

The flow of information has no boundaries

Information is shared, stored and accessed outside the control of its owner

Host and network security controls aren’t the right tools to solve this problem

Page 2

Authentication – Who are you?

Strong Authentication – Are you really him/her?

Authorization – What can you access?

Transport Security – Can they hear?

Application Security – Should you be doing that?

End Point Security – From there?

Information Safeguard – Should this be left around?

Session Security – How long can you do this for?

Easily publish web and non-web (client/server) applications

Easy user experience: no client or thin client installation

Single point of access/entry

Single sign on

Self-Help (Remediation)

Password Management

Page 3

IT JUST WORKS…&…SECURELY

Unified Policy Store

Enforcement Mechanisms

Policy Translation

HOST: Group Policy, IPsec, NAP, host-based inspection

DATA: Rights Management

NETWORK: ACL, FW, VLAN, WAN Opt, 802.1x, L3 SSL

TRANSPORT: QoS, Encryption, IPv6, IPsec

APPLICATION: L7 SSL Inspection

Controls Evolution

WHAT FOR? Read, Test, Write, Copy, Print, View

WHAT? Data, Hosts, Applications

WHO? Trusted Identity: user, machine, application

Business/Delegation Rule Creation

Audit and Compliance

WHERE? Physical Location

Identity – Authenticate: Who are you?
Risks without: Systems and data accessed by unauthorized personnel

Health – Validate: The state of the machines involved? OS? Patches? Configuration? Available?
Risks without: The spread of malware, in any connection scenario

Access Policy for Data – Authorize: What can they access? What can they do with it?
Risks without: Loss of revenue; regulatory fines; loss of customer confidence

Page 4

Diagram labels: Edge Server; Data Center and Business Critical Resources; CORPNET User; Enterprise Network; CORPNET User

Assume the underlying network is always insecure

Redefine the CORPNET edge to cocoon the datacenter and business critical resources

Users are remote at all times

BitLocker™ Drive Encryption

Group Policy allows central encryption policy and provides Branch Office protection

Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System

Uses a v1.2 TPM or USB flash drive for key storage

Diagram labels: Full Volume Encryption Key (FVEK); Encryption Policy

Page 5

72% of organizations use one of the following for remote access:

Unified Access Gateway enables strong authentication in CRM and SharePoint with minimal configuration

Belgian eID

GINA functionality has been distributed among three components:

1. Winlogon (supports multiple logon certificates and containers on the same smart card)

2. Logon user interface (UI)

3. Credential providers (e.g.: FedICT minidriver smart card credential provider, size ~100KB)

Page 6

Dynamically segment your Windows environment into more secure and isolated logical networks based on policy

Diagram labels: Labs; Unmanaged guests

Server Isolation – Protect specific high-valued servers and data

Domain Isolation – Protect managed computers from unmanaged or rogue computers and users

Example: Patch – Using Network Access Protection

1. Client requests access to network and presents current health state

2. DHCP, VPN or Switch/Router relays health status to Microsoft Network Policy Server (RADIUS)

3. Network Policy Server (NPS) validates against IT-defined health policy

4. If not policy compliant, client is put in a restricted VLAN and given access to fix up resources to download patches, configurations, signatures (Repeat 1 - 4)

5. If policy compliant, client is granted full access to corporate network

Diagram labels: Windows Client; DHCP, VPN, Switch/Router; NPS; Policy Servers such as: Patch, AV; Remediation Servers; Restricted Network (Not policy compliant); Corporate Network (Policy compliant)
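The five-step NAP flow above, modelled as an added example (not from the slide deck or from NPS itself): a toy policy server compares a client's statement of health with an IT-defined health policy and returns either full corpnet access or a restricted VLAN from which only the remediation servers are reachable. The health fields, thresholds and server names are constructed for illustration.

```python
"""Toy model of the NAP decision on the slide; field names, thresholds and
server names are constructed for illustration, not taken from NPS."""
from dataclasses import dataclass, field

# Constructed: the "fix-up resources" reachable from the restricted VLAN (step 4)
REMEDIATION_SERVERS = ["patch.corp.example", "av-sig.corp.example"]


@dataclass
class HealthPolicy:          # IT-defined health policy held by the policy server
    min_patch_level: int
    max_signature_age_days: int
    firewall_required: bool = True


@dataclass
class StatementOfHealth:     # what the client presents in step 1
    patch_level: int
    signature_age_days: int
    firewall_enabled: bool


@dataclass
class AccessDecision:
    compliant: bool
    vlan: str                                   # "corpnet" or "restricted"
    reachable: list = field(default_factory=list)
    failures: list = field(default_factory=list)


POLICY = HealthPolicy(min_patch_level=42, max_signature_age_days=3)  # constructed


def evaluate(soh, policy=POLICY):
    """Step 3: validate the relayed SoH against policy. Every failing check is
    recorded so the client learns what to fix up, not merely that it failed."""
    failures = []
    if soh.patch_level < policy.min_patch_level:
        failures.append(f"patch level {soh.patch_level} < {policy.min_patch_level}")
    if soh.signature_age_days > policy.max_signature_age_days:
        failures.append(f"AV signatures {soh.signature_age_days} days old")
    if policy.firewall_required and not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if failures:  # step 4: quarantine VLAN, only remediation servers reachable
        return AccessDecision(False, "restricted", list(REMEDIATION_SERVERS), failures)
    return AccessDecision(True, "corpnet", ["*"])  # step 5: full corporate access


def remediate(soh, policy=POLICY):
    """Client fixes up from the remediation servers, then repeats steps 1-4."""
    return StatementOfHealth(max(soh.patch_level, policy.min_patch_level), 0, True)
```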

Page 7

The next generation of Forefront Client Security provides unified protection for business desktops, laptops, and server operating systems that is easier to manage and control.

Simplified Administration
Manage from a single role-based console
Integrates with existing Microsoft infrastructure

Unified Protection
Provides unified endpoint security that integrates antivirus, antispyware, host firewall management, and vulnerability detection in a single solution
Encompasses inspection, threat mitigation, and remediation

Critical Visibility & Control
Offers a single dashboard for visibility into threats, vulnerabilities, and configuration risks
Enables increased visibility into endpoint security with vulnerability assessment scanning

Antivirus/Antispyware – Block, remove, and clean malicious software

Host Firewall – Restrict what applications can do

Vulnerability Remediation – Block known and unknown vulnerabilities

Vulnerability Assessments – Reduce surface area of vulnerabilities

Forefront “Stirling” Integration – Collaborate with integrated security system

Diagram axis: Proactive – Reactive

Page 8

FCS Awards & Certifications

In recent tests, Microsoft rated among the leaders in anti-virus protection

AVComparatives (Feb 2008)
Test of consumer antivirus products using a malware sample covering approximately the last three years
Received AVComparatives Advanced Certification
Kaspersky 98.3%
Symantec 97.7%
McAfee 94.9%
Microsoft 93.9%
VBA32 87.7%

AVTest.org (March 2008)
Test based on more than one million malware samples
AVK (G Data) 99.9%
Trend Micro 98.7%
Sophos 98.1%
Microsoft 97.8%
Kaspersky 97.2%
F-Secure 96.8%
Norton (Symantec) 95.7%
McAfee 95.6%
eTrust / VET (CA) 72.1%

AVTest.org (Sept 2008)
Test based on more than one million malware samples
AVK 2009 (G Data) 99.8%
F-Secure 99.2%
Norton (Symantec) 98.7%
Kaspersky 98.4%
Microsoft 97.7%
Sophos 97.5%
McAfee 93.6%
Trend Micro 91.3%
CA - VET 65.5%

Page 9

Firewall Management: Centralized management of the Windows Firewall

Windows XP/2003, Windows Vista/2008, and Windows 7

Support Inbound and Outbound Filtering

Configure Firewall Exceptions for Ports, Applications, Services

Configure Network Location Profiles for Roaming Users

Centralized Visibility: Firewall State in the Enterprise

Sensors for Security Incident Detection

Activity Monitoring

Statistics

Central Location

Diagram labels: Central Location; Mobile Worker in Airport; Branch Office; Home Office

IPSec VPN
Requires client installation
Doesn’t work from everywhere
Connects unmanaged PCs to corporate network

Reverse Proxy
Doesn’t resolve non-web applications
Doesn’t scale when publishing numerous applications

Terminal Services
Typically limited deployments given server computing requirements

Diagram labels: Remote User; ISA; Active Directory; Internet; Corpnet; Quarantine; IAS RADIUS; Web Server; DNS Server; ISA Server; numbered flow steps 1–6

Page 10

Provide employees, partners and customers with to or resource, from on

Unite all Microsoft Access gateways into a single solution

“Increasingly, people envision a world of anywhere access - a world in which the information, the communities, and the content that they value is available instantly and easily, no matter where they are.”
Bill Gates, Enabling Secure Anywhere Access in a Connected World, Feb 2007

The UAG provides SSL-based application access and protection with endpoint security management, enabling granular access control and content inspection from a broad range of devices and locations to line-of-business, intranet, and client/server resources.

Control Access
Secure, browser-based access to corporate applications and data from more locations and more devices

Safeguard Information
Comprehensive policy enforcement drives compliance with legal and business guidelines for using sensitive data

Protect Assets
Ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks

Page 11

DirectAccess

Diagram labels: Internet; HTTPS (443); Layer 3 VPN; Data Center / Corporate Network; Business Partners / Sub-Contractors; Home / Friend / Kiosk; Employees Managed Machines; Mobile; AD, ADFS, RADIUS, LDAP…; NPS, ILM; Exchange; CRM; SharePoint; IIS based; IBM, SAP, Oracle; Terminal / Remote Desktop Services; Non web

Deployment and Admin
• Array management
• Simplified wizard-based deployment
• Wizards for Microsoft Applications publishing
• Customizable Portal and Internal Site
• Virtual appliance

Monitoring
• SQL logging
• SCOM Pack
• Detection & Responses (ESAS) – SDK-only integration

Enterprise Readiness
• Performance
• Reliability
• Scalability
• Improved CEC compliance
• SDL
• Common Criteria
• SW only

Application Publishing
• Improved SP publishing
• Single IP Exchange Server publishing
• Web application load balancing
• Kerberos delegation, IWA

End Point Compliance
• NAP integration side by side with UAG's end point security
• Non IE Browser support (Firefox on Windows, Mac, Linux)

Mobile
• Windows Mobile / Symbian – ActiveSync
• Feature Phones – EasyPassLogin
• SharePoint Mobile
• Office Mobile support

Rich Access Technologies
• Remote Terminal Application Publishing
• Portal with web & TS apps
• SSTP side by side with network connector and IPSec VPN

Authentication
• Smart Card / Cert only authentication
• OTP-only authentication
• Partner Federation with ADFS

Page 12

Application Publishing
• Improved SharePoint publishing
• Web application load balancing - WNLB
• Kerberos delegation, IWA
• Native RPC over HTTP

Enterprise Readiness
Edge Ready
Load Balancing
SSO

Diagram labels: Outlook Anywhere; Outlook Web Access; ActiveSync; Internet; HTTPS (443); UAG (Authentication, End-point health detection); Client Access Server (three instances)

Page 13

Step 1: Choose the type of application you wish to publish.

Step 2: Provide the internal name of the SharePoint Server. Provide the external name.

Step 3: Configure the same external name on your SharePoint server. This is AAM – Alternate Access Mapping.

All Done!

URL paths are the same internally and externally:
https://hrweb.rap.microsoft.com/Benefits/Stocks
http://hrweb/Benefits/Stocks

IAG/UAG is the only SSL VPN using AAM.

IAG/UAG is the only SSL VPN that can publish 100% of SharePoint 2007 functionality.

IAG was tested and certified by the SharePoint product group.

Page 14

Comprehensive anywhere access solution available in Windows 7

Provides seamless, always-on, secure connectivity to on-premise and remote users alike

Eliminates the need to connect explicitly to corpnet while remote

Facilitates secure, end-to-end communication and collaboration

Leverages a policy-based network access approach

Simplifies IT management and lowers total cost of ownership

Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network

Always-on connectivity across different networks

A focus on driving access decisions based on “policy and a trusted identity,” rather than the limitations of network topology.

Always on – Always healthy – Always secure

Diagram labels: Lab, Client; ISA FW, TSG 802.1x; Non-compliant Client Device; Compliant Windows 7 Client; RODC; Secure Boundary; Dedicated Resources; Compliant Client; Healthy Resources; NPS/NAP Servers; Business Partner; Downlevel or Mobile Client; Cust FW; VPN Gateway; Customer Site; Internet; Corporate Network

Requires users to connect (lost productivity)

Client must be made healthy prior to network access (lost productivity plus IT time and expense)

Page 15

More Productivity
Always-on access to corpnet while roaming
No explicit user action required – it just works
Same user experience on premise and off

More secure
Healthy, trustable host regardless of network
Richer policy control near assets
Ability to extend regulatory compliance to roaming assets

More manageable and cost effective
Simplified remote management of mobile resources as if they were on the LAN
Lower total cost of ownership (TCO) with an “always managed” infrastructure
Unified secure access across all scenarios and networks
Integrated administration of all connectivity mechanisms

UAG and DirectAccess
Extends access to line of business servers with IPv4 support
Access for down level and non Windows clients
Enhances scalability and management
Simplifies deployment and administration
Hardened Edge Solution

Diagram labels: SSL-VPN + Always On; IPv6; IPv6 or IPv4; Exchange; CRM; SharePoint; IIS based; IBM, SAP, Oracle

Page 16

Guidance

Developer Tools

Systems Management

Active Directory Federation Services (ADFS)

Identity Management

Services

Information Protection

Client and Server OS

Server Applications

Edge

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.