Henk Den Baes Technology Advisor Microsoft BeLux

Transcription

1 Henk Den Baes Technology Advisor Microsoft BeLux Home USB Drive Independent Consultant Mobile Devices The flow of information has no boundaries Information is shared, stored and accessed outside the control of its owner Host and network security controls aren t the right tools to solve this problem Partner Organization 1

2 Authentication Who are you? Strong Authentication Are you really him/her? Authorization What can you access? Transport Security Can they hear? Application Security Should you be doing that? End Point Security From there? Information Safeguard Should this be left around? Session Security How long can you do this for? Easily publish web and non-web (client/server) applications Easy User Experience No client or thin client installation Single point of access/entry Single sign on Self-Help (Remediation) Password Management 2

3 Policy Translation Enforcement Mechanisms Controls Evolution 9/25/2009 IT JUST WORKS & SECURELY Business/Delegation Rule Creation DATA Rights Management Unified Policy Store WHO? Trusted Identity: user, machine, application WHAT? Data, Hosts, Applications WHAT FOR? Read, Test, Write, Copy, Print, View WHERE Physical Location APPLICATION L7 SSL Inspection HOST Group Policy, IPsec, NAP, Host based inspection TRANSPORT QoS, Encryption, IPv6, IPsec NETWORK ACL, FW, VLAN, WAN Opt, 802.1x, L3 SSL Audit and Compliance Identity Authenticate: Who are you? Risks without: Systems and data accessed by unauthorized personnel Health Validate: The state of the machines involved? OS? Patches? Configuration? Available? Risks without: The spread of malware, in any connection scenario Access Policy for Data Authorize: What can they access? What can they do with it? Risks without: Loss of revenue; regulatory fines; loss of customer confidence 3

4 Assume the underlying network is always insecure Enterprise Network Edge Server Redefine CORPNET edge to cocoon the datacenter and business critical resources Users are remote at all times CORPNET User Data Center and Business Critical Resources CORPNET User BitLocker Drive Encryption Encryption Policy Full Volume Encryption Key (FVEK) Group Policy allows central encryption policy and provides Branch Office protection Provides data protection, even when the system is in unauthorized hands or is running a different or exploiting Operating System Uses a v1.2 TPM or USB flash drive for key storage 4

5 72% of organizations use one of the following for remote access: Unified Access Gateway enables strong authentication in CRM and SharePoint with minimal configuration Belgian eid GINA functionality has been distributed among three components: 1. Winlogon (supports multiple logon certificates and containers on the same smart card) 2. Logon user interface (UI) 3. Credential providers (e.g.: FedICT minidriver smart card credential provider size ~100KB) 5

6 Labs Unmanaged guests Dynamically segment your Windows environment into more secure and isolated logical networks based on policy Server Isolation Domain Isolation Protect specific high-valued servers and data Protect managed computers from unmanaged or rogue computers and users Using Network Access Protection Policy Servers such as: Patch, AV 3 Windows Client 1 DHCP, VPN Switch/Router 2 NPS Not policy compliant Policy compliant 4 Restricted Network Remediation Servers Example: Patch If not policy compliant, client is put in a restricted DHCP, Network VLAN If Client policy requests and VPN compliant, Policy given or Server Switch/Router access client (NPS) to to is network fix granted validates up relays resources and full health presents against access status to to ITdefined download corporate current Microsoft health network patches, Network state policy configurations, Policy Server signatures (RADIUS) to (Repeat 1-4) 5 Corporate Network 6

7 Proactive Reactive 9/25/2009 The next generation of Forefront Client Security provides unified protection for business desktops, laptops, and server operating systems that is easier to manage and control. Unified Protection Provides unified endpoint security that integrates antivirus, antispyware, host firewall management, and vulnerability detection in a single solution Encompasses inspection, threat mitigation, and remediation Simplified Administration Manage from a single rolebased console Integrates with existing Microsoft infrastructure Critical Visibility & Control Offers a single dashboard for visibility into threats, vulnerabilities, and configuration risks Enables increased visibility into endpoint security with vulnerability assessment scanning Block, remove, and clean malicious software Collaborate with integrated security system Antivirus/ Antispyware Forefront Stirling Integration Reduce surface area of vulnerabilities Restrict what applications can do Vulnerability Assessments Host Firewall Block known and unknown vulnerabilities Vulnerability Remediation 7

8 In recent tests, Microsoft rated among the leaders in anti-virus protection AVComparatives (Feb 2008) Kaspersky 98.3% Symantec 97.7% McAfee 94.9% Microsoft 93.9% VBA % Received AVComparatives Advanced Certification Test of consumer antivirus products using a malware sample covering approximately the last three years AVTest.org (March 2008) AVK (G Data) 99.9% Trend Micro 98.7% Sophos 98.1% Microsoft 97.8% Kaspersky 97.2% F-Secure 96.8% Norton (Symantec) 95.7% McAfee 95.6% etrust / VET (CA) 72.1% Test based on more than one million malware samples FCS Awards & Certifications AVTest.org (Sept 2008) AVK 2009 (G Data) 99.8% F-Secure 99.2% Norton (Symantec) 98.7% Kaspersky 98.4% Microsoft 97.7% Sophos 97.5% McAfee 93.6% Trend Micro 91.3% CA - VET 65.5% Test based on more than one million malware samples 16 8

9 Firewall Management: Centralized management of the Windows Firewall Windows XP/2003, Windows Vista/2008, and Windows 7 Support Inbound and Outbound Filtering Configure Firewall Exceptions for Ports, Applications, Services Configure Network Location Profiles for Roaming Users Centralized Visibility: Firewall State in the Enterprise Sensors for Security Incident Detection Activity Monitoring Statistics Internet IPSec VPN Remote User Requires Client Installation Doesn t work Web from everywhere Server Connects unmanaged PCs to corporate network Reverse Proxy Doesn t resolve non-web applications Doesn t scale when publishing numerous applications Terminal Services Typically limited deployments given server computing requirements ISA ISA Server Corpnet Quarantine DNS Server 1 6 Central Location Branch Office Active Directory Mobile Worker In Airport IAS RADIUS Home Office 9

10 Provide employees, partners and customers with to or resource, from on Unite all Microsoft Access gateways into a single solution Increasingly, people envision a world of anywhere access - a world in which the information, the communities, and the content that they value is available instantly and easily, no matter where they are. Bill Gates, Enabling Secure Anywhere Access in a Connected World, Feb 2007 The UAG provides SSL-based application access and protection with endpoint security management, enabling granular access control and content inspection from a broad range of devices and locations to lineof-business, intranet, and client/server resources. Control Access Protect Assets Safeguard Information Secure, browserbased access to corporate applications and data from more locations and more devices Ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks Comprehensive policy enforcement drives compliance with legal and business guidelines for using sensitive data 10

11 Data Center / Corporate Network Exchange Mobile CRM SharePoint IIS based Home / Friend / Kiosk Internet Layer3 VPN HTTPS (443) IBM, SAP, Oracle Terminal / Remote Desktop Services DirectAccess Non web Business Partners / Sub-Contractors AD, ADFS, RADIUS, LDAP. NPS, ILM Employees Managed Machines Array management Simplified wizard-based deployment Wizards for Microsoft Applications publishing Customizable Portal and Internal Site Virtual appliance SQL logging SCOM Pack Detection & Responses (ESAS) SDK-only integration Performance Reliability Scalability Improved CEC compliance SDL Common Criteria SW only Improved SP publishing Single IP Exchange Server publishing Web application load balancing Kerberos delegation, IWA Deployment and Admin Monitoring Enterprise Readiness Application Publishing NAP integration side by side with UAG's end point security Non IE Browser support (Firefox on Windows, Mac, Linux) Windows Mobile / Simbian - Active Sync Feature Phones EasyPass Login SharePoint Mobile Office Mobile support Remote Terminal Application Publishing Portal with web & TS apps SSTP side by side with network connector and IPSec VPN Smart Card / Cert only authentication OTP-only authentication Partner Federation with ADFS End Point Compliance Mobile Rich Access Technologies Authentication 11

12 Improved SharePoint publishing Web application load balancing - WNLB Kerberos delegation, IWA Native RPC over HTTP Application Publishing Outlook Web Access ActiveSync Internet HTTPS (443) UAG Client Access Server Client Access Server Client Access Server OutlookAnywhere Authentication End-point health detection Enterprise Readiness Edge Ready Load Balancing SSO 12

13 Step 2: Provide Step the 1: internal Step name 3: Choose of the the type of Configure SharePoint application the same Server. you wish external to name publish. on your SharePoint server. Provide the external name. All Done! This is AAM Alternate Access Mapping URLs paths are same internal and external: IAG/UAG is the only SSL VPN using AAM. IAG/UAG is the only SSL VPN that can publish 100% of SharePoint 2007 functionality IAG was tested and certified by SharePoint product group 13

14 Comprehensive anywhere access solution available in Windows 7 Provides seamless, always-on, secure connectivity to on-premise and remote users alike Eliminates the need to connect explicitly to corpnet while remote Facilitates secure, end-to-end communication and collaboration Leverages a policy-based network access approach Simplifies IT management and lowers total cost of ownership Enables IT to easily service/secure/update/provision mobile machines whether they are inside or outside the network Lab, Client ISA FW, TSG 802.1x Non-compliant Client Device Non-compliant Client Device Secure Boundary X Internet Dedicated Resources VPN Gateway Compliant Windows 7 Client Healthy Resources Always on Always healthy Always secure RODC Compliant Client Corporate Network Compliant Windows 7 Client Customer Site Compliant Windows 7 Client Cust FW Downlevel or Mobile Client Business Partner Always-on connectivity across different networks A focus on driving access decisions based on policy and a trusted identity, rather than the limitations of network topology. Non-compliant Client Device Requires users to connect (lost productivity) Client must be made healthy prior to network access (Lost productivity plus IT time and expense) NPS/NAP Servers 14

15 More Productivity Always-on access to corpnet while roaming No explicit user action required it just works Same user experience on premise and off More secure Healthy, trustable host regardless of network Richer policy control near assets Ability to extend regulatory compliance to roaming assets More manageable and cost effective Simplified remote management of mobile resources as if they were on the LAN Lower total cost of ownership (TCO) with an always managed infrastructure Unified secure access across all scenarios and networks Integrated administration of all connectivity mechanisms UAG and DirectAccess Extends access to line of business servers with IPv4 support Access for down level and non Windows clients Enhances scalability and management Simplifies deployment and administration Hardened Edge Solution IPv6 IPv6 Always On SSL-VPN Exchange CRM SharePoint IIS based IBM, SAP, Oracle IPv6 or IPv4 + IPv4 15

16 Services Edge Server Applications Client and Server OS Information Protection Identity Management Active Directory Federation Services (ADFS) Systems Management Guidance Developer Tools 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 16