
Edge Security with Forefront

Sandeep Modhvadia
Security Specialist
Agenda

• ISA Server 2006
  - What’s New
  - What’s Improved
  - SSO Publishing Demo
  - Hardware Sizing
• Whale Intelligent Application Gateway
  - What is it?
  - How does it Work?
  - Custom Publishing Demo
• Q&A
ISA Server 2006 – Improved

• Exchange Publishing
  - Support for Exchange 2007
  - Certificate Management
• Forms Based Authentication
  - Custom Forms
  - Multi-Language Support
• Authentication Enhancements
  - Certificates, OTP, Radius, LDAP

ISA Server 2006 – New Features

• Single Sign On
  - Cookie based authentication
• SharePoint publishing
  - Specialised Wizard driven publishing
• Cross Array Link Translation
Demo: Custom FBA and Single Sign On
What Is Whale

[Slide diagram; only its labels are recoverable from the extraction.]
• Generic applications: OWA, Citrix, SharePoint, Corporate Web, Java/Browser, Embedded
• Specific applications: Exchange/Outlook, OWA, SharePoint, Citrix, Portals
• Policy & Regulation: ISO77 … 99, Basel2, SarbOx, IT Governance
• Devices: PDA, Linux, MAC, Windows
• Gateway Modules: Tunneling, Authentication, Authorization, Application Client/Server, Security, SSL VPN Aware, User Experience
• Also shown: High-Availability, Management, Logging, Client Reporting, Multiple Portals, Knowledge Centre, Awareness Centre
Integrated Solution Benefits

[Slide diagram of the e-Gap appliance, repeated on every Data Flow slide that follows; only its labels are recoverable. Three zones: External World, Applications, Intranet. The External e-Gap and Internal e-Gap servers are joined by the Air Gap Switch. Module labels on the External e-Gap side: Virtual Web Server, SSL Engine, Browser-Side Security Manager; on the Internal e-Gap side: App-Level Inspection, Authentication, HAT Engine. Back-end labels: e-Mail, File Shares, Authentication, SBC.]

Data Flow

• User types URL into browser.
• Transaction is sent over the internet to the external server.
• External e-Gap receives the packet.
• All protocol layers and TCP/IP headers are stripped off.
• Still-encrypted data is transferred to the memory bank via SCSI connection.
• Switch disconnects from the external server and connects to the internal server.
• Data is fetched from appliance memory.
• Data is decrypted, the SSL session is established, and a platform-dependent Endpoint Compliance Module is sent back to the browser to interrogate the machine.
• If the Endpoint Compliance Module doesn’t find the machine ‘up to scratch’, stricter security policies are enforced.
• An encrypted login page is generated and sent back.
• The customized login page appears in the browser’s window (diagram shows the form fields Username: John Smith, Password: ***********, SecurID: **********).
• User completes authorization credentials and submits the response.
• Air Gap Switch shuttles the data across the air gap.
• Internal e-Gap Server checks user credentials with the appropriate authentication server; user is authenticated. Authentication credentials are combined with Endpoint Compliance results to determine Access Policy.
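The slide says the authentication result and the Endpoint Compliance result are combined to determine the Access Policy, and the following slide builds the user’s home page from that decision. The Python below is an added illustration of that decision logic; it is not Whale e-Gap/IAG code, and the application names, group names, posture attributes and the three access levels are assumptions chosen for the example.

```python
"""Access decision combining an authentication result with endpoint
compliance results (added example, not Whale e-Gap/IAG code; every
application, group and posture attribute below is an assumption)."""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    DENIED = "denied"          # application hidden from the home page
    RESTRICTED = "restricted"  # stricter policy, e.g. no downloads/attachments
    FULL = "full"


@dataclass(frozen=True)
class AuthResult:
    """What the internal authentication server reported."""
    authenticated: bool
    username: str = ""
    groups: frozenset = frozenset()
    otp_verified: bool = False   # second factor (e.g. SecurID) accepted


@dataclass(frozen=True)
class EndpointPosture:
    """What the Endpoint Compliance Module found on the access machine."""
    antivirus_current: bool
    os_patched: bool
    managed_device: bool         # corporate build vs. kiosk / home PC


# Per-application requirements (assumed values, not IAG's own policy format).
APP_POLICY = {
    "owa":        {"group": "staff",  "managed_required": False, "otp_required": False},
    "sharepoint": {"group": "staff",  "managed_required": False, "otp_required": True},
    "fileshares": {"group": "staff",  "managed_required": True,  "otp_required": True},
    "citrix":     {"group": "admins", "managed_required": True,  "otp_required": True},
}


def endpoint_is_healthy(posture: EndpointPosture) -> bool:
    """Machine is 'up to scratch': current AV and patched OS."""
    return posture.antivirus_current and posture.os_patched


def decide_access(auth: AuthResult, posture: EndpointPosture, app: str) -> Access:
    """Combine identity, group membership, second factor and endpoint posture."""
    policy = APP_POLICY.get(app)
    if policy is None or not auth.authenticated:
        return Access.DENIED
    if policy["group"] not in auth.groups:
        return Access.DENIED
    if policy["managed_required"] and not posture.managed_device:
        return Access.DENIED
    if policy["otp_required"] and not auth.otp_verified:
        return Access.DENIED
    # Authenticated and entitled, but an unhealthy or unmanaged endpoint
    # only gets the application under stricter policy.
    if not endpoint_is_healthy(posture) or not posture.managed_device:
        return Access.RESTRICTED
    return Access.FULL


def home_page(auth: AuthResult, posture: EndpointPosture) -> dict:
    """Applications to list on the dynamically generated home page, with
    the access level each link will be served under."""
    decisions = {app: decide_access(auth, posture, app) for app in APP_POLICY}
    return {app: level for app, level in decisions.items() if level is not Access.DENIED}


if __name__ == "__main__":
    john = AuthResult(True, "jsmith", frozenset({"staff"}), otp_verified=True)
    corporate_laptop = EndpointPosture(True, True, True)
    kiosk = EndpointPosture(antivirus_current=False, os_patched=True, managed_device=False)
    print(home_page(john, corporate_laptop))   # all three staff apps, FULL
    print(home_page(john, kiosk))              # owa and sharepoint only, RESTRICTED
```

The order of the checks is the point: entitlement failures (wrong group, missing second factor, unmanaged device where one is mandatory) remove the application entirely, while a merely unhealthy endpoint keeps the entitlement but downgrades the session, which is what the slide means by stricter policies being enforced rather than access being refused.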
• User receives a dynamically generated “Home Page” (based on identity and location) and selects the desired application.
• Air Gap Switch shuttles the data across the air gap.
• Application data is inspected and compared to the Mandatory Access Control List.
• HAT Engine determines which back-end server to relay the request to.
• Data is dispatched to the appropriate server.
• Application generates the response.
• Response is converted by the HAT engine for external use. The response may also be rewritten and/or blocked depending on Policy.
• User works with the application as if inside the corporate network environment.
• After the user completes the session, Attachment Wiper cleans up to ensure nothing sensitive remains on the access machine.
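The two steps where the HAT engine converts the response for external use and where policy rewrites or blocks it are the gateway’s outbound filter; the same host-name rewriting idea underlies the Cross Array Link Translation listed under ISA Server 2006. The Python below is an added example of that filter, not Whale e-Gap/IAG code: the internal host names, the gateway paths, the header and content-type sets and the sample response are all constructed assumptions.

```python
"""HAT-style response translation and policy filtering (added example, not
Whale e-Gap/IAG code; the host names, gateway paths and policy sets below are
constructed assumptions)."""
import re

# Internal host -> external URL prefix the gateway publishes it under.
HAT_TABLE = {
    "exchange.corp.local": "https://gateway.example.com/owa-app",
    "sharepoint.corp.local": "https://gateway.example.com/sp-app",
}

# Absolute URLs pointing at an internal host (optional port). The negative
# lookahead stops a longer host such as exchange.corp.localhost from matching.
_INTERNAL_URL = re.compile(
    r"https?://(" + "|".join(re.escape(h) for h in HAT_TABLE) + r")(?::\d+)?(?![\w.-])",
    re.IGNORECASE,
)

# Response policy: headers that leak back-end details, content types the
# gateway refuses to relay, and content types whose body gets rewritten.
STRIP_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream"}
REWRITTEN_CONTENT_TYPES = {"text/html", "text/css", "application/javascript", "text/javascript"}


def translate_urls(text: str) -> str:
    """Rewrite every internal absolute URL to its external equivalent."""
    return _INTERNAL_URL.sub(lambda m: HAT_TABLE[m.group(1).lower()], text)


def _content_type(headers):
    """Media type of the response, without charset or other parameters."""
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


def rewrite_response(status: int, headers: list, body: str):
    """Convert a back-end response for external use, or block it by policy.

    headers is a list of (name, value) pairs so repeated Set-Cookie survives.
    Returns (status, headers, body)."""
    ctype = _content_type(headers)
    if ctype in BLOCKED_CONTENT_TYPES:
        return 403, [("Content-Type", "text/plain")], "Blocked by gateway policy"

    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in STRIP_HEADERS:
            continue                                   # drop fingerprinting headers
        if lname in ("location", "content-location"):
            value = translate_urls(value)              # redirects must stay behind the gateway
        elif lname == "set-cookie":
            # A cookie scoped to the internal host would never be sent back to
            # the gateway; drop the Domain attribute so it defaults to the host.
            value = re.sub(r"(?i);\s*domain=[^;]*", "", value)
        out.append((name, value))

    if ctype in REWRITTEN_CONTENT_TYPES:
        body = translate_urls(body)
    return status, out, body


if __name__ == "__main__":
    # Constructed sample of a redirect coming back from the internal OWA server.
    sample = rewrite_response(
        302,
        [("Location", "http://exchange.corp.local/owa/"),
         ("Server", "Microsoft-IIS/6.0"),
         ("Set-Cookie", "sessionid=abc; Domain=exchange.corp.local; Path=/"),
         ("Content-Type", "text/html")],
        '<a href="http://Exchange.corp.local:80/owa/default.aspx">mail</a>',
    )
    print(sample)
```

Translating the Location header and the cookie Domain matters as much as the body: a redirect or cookie still naming the internal host would break the session for an external user and expose the internal name, which is exactly what the gateway exists to hide.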
Demo: Custom Application Publishing with Whale
Gateway Roadmap

[Three-column roadmap slide, reconstructed from the extracted text.]

Whale Intelligent Application Gateway (incl. ISA Server 2004)
• Express Edition
• Enterprise Edition
• Application Optimizers
• Network Connectivity Modules
• Continued 3rd-party application support

Integrated appliances with ISA Server 2006 + Whale IAG
• Standard Edition
• Enterprise Edition
• Consistent policy framework
• Broader application support
• Single-server config

Unified Access Gateway (“Longhorn” Server wave)
• OEM appliances
• Software availability
• NAP, IPv6, 64-bit support
• Updated software for ISA and IAG
• OEM-ready authentication tools (ADFS, smartcard)
• Enhanced network connectivity
• Improved enterprise application support
For More Information

www.microsoft.com/isaserver
www.microsoft.com/forefront
Thank you for attending this TechNet Event

Find these slides at:


http://www.microsoft.com/uk/technetslides
