Edge Security with Forefront
Sandeep Modhvadia, Security Specialist
Posted on 22-Dec-2015 (slide transcript of a TechNet event session)
Agenda
• ISA Server 2006
  - What's New
  - What's Improved
  - SSO Publishing Demo
  - Hardware Sizing
• Whale Intelligent Application Gateway
  - What is it?
  - How does it Work?
  - Custom Publishing Demo
• Q&A
ISA Server 2006 – Improved
• Exchange Publishing
  - Support for Exchange 2007
  - Certificate Management
• Forms Based Authentication
  - Custom Forms
  - Multi-Language Support
• Authentication Enhancements
  - Certificates, OTP, RADIUS, LDAP
ISA Server 2006 – New Features
• Single Sign On
  - Cookie based authentication
• SharePoint publishing
  - Specialised wizard-driven publishing
• Cross Array Link Translation

Custom FBA and Single Sign On
Demo
What Is Whale
(Layer diagram from the slide, reduced to its labels)
• Client: High-Availability, Management, Logging, Reporting, Multiple Portals
• Application Aware Modules: Authentication, Authorization, User Experience, Tunneling, Security
• Specific Applications: Web, Client/Server, Java/Browser Embedded, Exchange/Outlook, OWA, SharePoint/Portals, Citrix, Generic Applications
• SSL VPN Gateway
• Applications Knowledge Centre: OWA, Citrix, SharePoint, ...
• Devices Knowledge Centre: PDA, Linux, Windows, Mac, ...
• Policy & Regulation Awareness Centre: ISO 17799 Corporate Governance, SarbOx, Basel 2 (Who? What? Where? Compliant?)
Integrated Solution Benefits
Data Flow
(The same diagram is repeated on each of the following slides, with one step highlighted per slide. Its components are:)
• External World (the user's browser)
• Air Gap Switch
• External e-Gap: Virtual Web Server, SSL Engine, Browser-Side Security Manager
• Internal e-Gap: App-Level Inspection, Authentication, HAT Engine, SBC
• Intranet: Applications, File Shares (SMB), Real Web Server

Steps:
1. User types URL into browser.
2. Transaction is sent over the internet to the external server.
3. External e-Gap receives the packet.
4. All protocol layers and TCP/IP headers are stripped off.
5. Still-encrypted data is transferred to the memory bank via SCSI connection.
6. Switch disconnects from the external server and connects to the internal server.
7. Data is fetched from appliance memory.
8. Data is decrypted, the SSL session is established, and a platform-dependent Endpoint Compliance Module is sent back to the browser to interrogate the machine.
9. If the Endpoint Compliance Module doesn't find the machine 'up to scratch', stricter security policies are enforced.
10. Encrypted login page is generated and sent back.
11. Customized login page appears in the browser window.
12. User completes authorization credentials and submits the response (Username: John Smith, Password: ***********, SecurID: **********).
13. Air Gap Switch shuttles the data across the air gap.
14. Internal e-Gap server checks the user credentials with the appropriate authentication server; the user is authenticated. Authentication credentials are combined with the Endpoint Compliance results to determine the Access Policy.
15. User receives a dynamically generated "Home Page" (based on identity and location) and selects the desired application.
16. Air Gap Switch shuttles the data across the air gap.
17. Application data is inspected and compared to the Mandatory Access Control List.
18. HAT Engine determines which back-end server to relay the request to.
19. Data is dispatched to the appropriate server.
20. Application generates the response.
21. Response is converted by the HAT engine for external use. The response may also be rewritten and/or blocked depending on Policy.
22. Response is returned across the air gap to the user.
23. User works with the application as if inside the corporate network environment.
24. After the user completes the session, Attachment Wiper cleans up to ensure nothing sensitive remains on the access machine.
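Steps 14, 17, 18 and 21 above are the security-relevant core of the gateway: identity and endpoint posture are combined into an access tier, every request is checked against that tier, the HAT engine routes by published path, and back-end responses are rewritten so internal hostnames never leak to the browser (the same idea ISA Server 2006 applies to published sites as link translation). The following model shows those four decisions end to end. It is an added example, not Whale IAG or ISA Server code; the HAT table, the gateway hostname, the policy tiers and the sample response are all constructed for the illustration.

```python
"""Added illustration of the gateway's access-policy decision and HAT-style
link translation. NOT Whale IAG / ISA Server code: the host table, policy
tiers, hostnames and sample response are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed HAT table: internal host -> path prefix on the public gateway.
HAT_TABLE = {
    "owa.corp.example": "/owa",
    "portal.corp.example": "/sharepoint",
    "files.corp.example": "/files",
}
EXTERNAL_HOST = "https://gateway.example.com"   # assumed public name


@dataclass
class Endpoint:
    """Results the endpoint compliance module reported for the client."""
    av_running: bool
    firewall_on: bool
    domain_joined: bool


@dataclass
class Session:
    user: str
    authenticated: bool        # outcome of the back-end authentication check
    endpoint: Endpoint


def access_level(s: Session) -> str:
    """Step 14: identity plus endpoint posture -> policy tier (constructed rules)."""
    if not s.authenticated:
        return "none"
    e = s.endpoint
    if e.av_running and e.firewall_on and e.domain_joined:
        return "full"                    # managed machine: everything published
    if e.av_running and e.firewall_on:
        return "restricted"              # web apps only, no file shares
    return "kiosk"                       # untrusted machine: mail only


# Which external path prefixes each tier may reach (constructed policy).
ALLOWED = {
    "full": {"/owa", "/sharepoint", "/files"},
    "restricted": {"/owa", "/sharepoint"},
    "kiosk": {"/owa"},
    "none": set(),
}


def authorize(s: Session, external_path: str) -> bool:
    """Step 17: compare the requested resource against the session's tier."""
    prefix = "/" + external_path.lstrip("/").split("/", 1)[0]
    return prefix in ALLOWED[access_level(s)]


def route_request(external_path: str) -> Optional[Tuple[str, str]]:
    """Step 18: map an external path to (internal host, internal path)."""
    for host, prefix in HAT_TABLE.items():
        if external_path == prefix or external_path.startswith(prefix + "/"):
            return host, external_path[len(prefix):] or "/"
    return None                          # not a published application


_URL = re.compile(r"https?://([a-z0-9.-]+)(/[^\s\"'<>]*)?", re.I)


def _translate(m: "re.Match[str]") -> str:
    prefix = HAT_TABLE.get(m.group(1).lower())
    if prefix is None:
        return m.group(0)                # external link: leave untouched
    return f"{EXTERNAL_HOST}{prefix}{m.group(2) or '/'}"


def rewrite_links(text: str) -> str:
    """Step 21: rewrite internal hostnames in a response so the browser
    comes back through the gateway instead of trying to reach the intranet."""
    return _URL.sub(_translate, text)


def filter_response(s: Session, status: int, headers: Dict[str, str],
                    body: str) -> Tuple[int, Dict[str, str], str]:
    """Step 21: translate the Location header and the body; block a redirect
    into a resource the session's tier may not reach."""
    out = {k: (rewrite_links(v) if k.lower() == "location" else v)
           for k, v in headers.items()}
    loc = next((v for k, v in out.items() if k.lower() == "location"), "")
    if loc.startswith(EXTERNAL_HOST) and \
            not authorize(s, loc[len(EXTERNAL_HOST):]):
        return 403, {}, "Blocked by access policy"
    return status, out, rewrite_links(body)


if __name__ == "__main__":
    # Constructed sessions: the same user on a managed laptop and a cafe PC.
    managed = Session("jsmith", True, Endpoint(True, True, True))
    kiosk = Session("jsmith", True, Endpoint(False, False, False))
    print(access_level(managed), authorize(managed, "/files/share/q1.xlsx"))
    print(access_level(kiosk), authorize(kiosk, "/files/share/q1.xlsx"))
    print(route_request("/owa/auth/logon.aspx"))
    # Constructed back-end response redirecting into a file share.
    print(filter_response(kiosk, 302,
                          {"Location": "http://files.corp.example/share/q1.xlsx"}, ""))
    print(rewrite_links('<a href="http://owa.corp.example/inbox">Mail</a>'))
```

The rewrite deliberately leaves hostnames outside the HAT table alone: translating every URL would break links to public sites, while translating only published hosts closes the usual leak, a back-end redirect or absolute link that points the browser straight at an intranet name it cannot reach and that reveals internal naming.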
Custom Application Publishing with Whale
Demo
Gateway Roadmap
(Three-column slide, reconstructed as one list per generation)
• Whale Intelligent Application Gateway (incl. ISA Server 2004)
  - Express Edition, Enterprise Edition
  - Application Optimizers
  - Network Connectivity Modules
• Integrated appliances with ISA Server 2006 + Whale IAG
  - Standard Edition, Enterprise Edition
  - OEM appliances, software availability
  - Updated software for ISA and IAG
• Unified Access Gateway, "Longhorn" Server wave
  - OEM-ready, continued 3rd-party application support, single-server config
  - NAP, IPv6, 64-bit support
  - Consistent policy framework
  - Broader authentication tools (ADFS, smartcard)
  - Enhanced network connectivity
  - Improved enterprise application support
For More Information
www.microsoft.com/isaserver
www.microsoft.com/forefront
Thank you for attending this TechNet Event
Find these slides at: http://www.microsoft.com/uk/technetslides