Security Software Advisor (SSA)

Microsoft has developed a program called the Security Software Advisor.

This program's goal is to financially reward partners that sell Microsoft security solutions, in essence all the Forefront products (this includes Forefront for clients, for Exchange and SharePoint, but also ISA Server and, finally, IAG Server VPN client access licenses, not the appliance itself).

By selling those products, a partner can earn up to 30% on top of the usual margins.

The way it works is pretty easy:

1. The partner (Registered/Certified or Gold Certified) needs to qualify as a security partner and meet the requirements: either be registered as a partner in another security software vendor’s partner program (Symantec, McAfee...); or be actively enrolled in the Security Solutions competency; or be a previous Sybari partner; or have passed the exams to meet the Security Solutions competency requirements (https://partner.microsoft.com/40014058).

2. Once the partner has sold any Forefront product, he should register the deal details online. Then within a couple of weeks, Microsoft will give the partner back up to 30% of the total deal value. Link here.

 

More details about the SSA, from the Microsoft partner website: Link

Forefront product code-named “Stirling.”

Stirling is the code name for a new product that will comprise all Microsoft security solutions.

This solution will deliver unified protection, policy control, and security management with a single console. The Forefront solution, codenamed “Stirling,” is a single product that delivers unified security management and reporting with comprehensive, coordinated protection across an organization’s IT infrastructure.

A Beta version should be available before the end of the year or early next year.

All current Forefront products (Forefront for Exchange/SharePoint/LCS/ISA Server/...) would be easily upgradable to Stirling products and licenses.

More to come in the next months :-)

Michael RIVA, MCSE: Security, MCT

 

Intelligent Application Gateway (IAG) Server 2007 overview

IAG Server (formerly known as WHALE) is an SSL VPN appliance that considerably simplifies the way you can provide remote access to applications. The acquisition of IAG from Whale Communications was one of those instances where we liked the product so much, we bought the company.

Most SSL VPN solutions are hard to implement, because they do not work from most locations, due to an inability to install client-side software and/or due to firewall restrictions.  With IAG Server you simply need a web browser (Internet Explorer, Firefox...) to get access to the published applications.

The uniqueness of IAG Server resides in the fact that it gives remote users access to a specific application but not to the local network or the servers themselves (the remote user’s machine is never connected to the corporate network). To explain: IAG Server typically would not handle packets from layers 1 to 6 and will only send/receive packets from layer 7 (the application layer) to the remote user. In other words, the remote user does not even get an IP address on the company’s network. So the user has absolutely no network access at all to the company network, but he/she will still be able to access published applications such as Outlook Web Access, Domino, SAP, WebSphere and SharePoint (just some examples of the predefined application-specific positive logic that protects back-end servers out of the box).

Out of the box, IAG Server is able to work with 60 authentication vendors such as RSA Security, Vasco, Swivel, ActivCard and Aladdin. It also works with numerous authentication systems and protocols such as Active Directory, RADIUS, LDAP, NTLM, Lotus Domino, PKI and TACACS+.

Another great feature is the “attachment wiper”. This feature will systematically erase all traces of the session from the access device (with a pre-downloaded ActiveX or Java applet).

Every time the remote user logs off or simply closes the internet browser, the applet will kick off and delete any trace, including cookies, user credentials memorised by the browser, URL entries, and temporary files created by the downloading of files or by any other mechanism during the user session. The “attachment wiper” will overwrite the disk clusters where those files were stored seven times, making any reinstatement attempt technically impossible, even with the help of the FBI/NSA forensic tools!

The other main feature of IAG Server is its capability to instantly generate an “endpoint report”.

IAG will be able to see whether there is any anti-virus, a certain patch or a certain application level on the remote machine. So, depending on the policy and the user's group membership, we have the possibility to dynamically limit access to some features. For example, we could define that if a remote user does not have the latest version of the corporate anti-virus solution, he will not be allowed to upload any attachment to his emails.

IAG Server simply eliminates the risk of network attacks and operating system vulnerabilities as it only provides a means to access specific applications (or some of the features only) to approved users from approved machines.

Michael RIVA, MCSE: Security, MCT

Internet Security and Acceleration (ISA) Server 2006 overview

Prior to Internet Security and Acceleration (ISA) Server, we had a product called ‘Proxy Server’, which was our web caching solution. Unfortunately for us, most people associate ISA Server with its long distant relative Proxy Server – if asked about ISA Server, they ‘normally’ reply along the lines of “That’s a nice Proxy solution – which I’ll put behind a ‘real’ firewall”. Internet Security and Acceleration (ISA) Server 2006 is actually the third generation of our fully functional firewall, VPN, web caching proxy, and application reverse-proxy solution (previous versions were in 2004 and 2000). In the last seven years of ISA, there have only been ten security updates and only three of them were flagged as critical (there was one for ISA 2004 and there hasn’t been any for ISA 2006).

ISA Server’s core firewall component focuses on application-layer (layer 7) filtering, and especially on the HTTP/FTP/SMTP services. What does that mean? It simply means that ISA will not only open or close network ports, it will also screen for malformed or malicious network packets.

Application Layer Filtering (ALF) is nowadays the mandatory extra component that makes your network way more secure than it used to be. Relying on a single firewall without having any ALF mechanism for either inbound or outbound connections is really dangerous. Many hackers actually use open ports on firewalls to send malicious code to an internal server. A DNS attack, for example, could be performed through any open port. A malicious piece of code will successfully pass any basic packet or circuit filtering firewall, while having the appropriate ALF solution in the way will simply drop these kinds of packets. There are even ‘solutions’ out there that will let you run any application (that may use any port) through your firewall over port 80 (the port that’s always open, as it’s for HTTP).

You might think ISA Server would be slow, as it scans the network traffic - it is actually very fast, as it is able to handle up to 1.5GB/s. A basic ASIC chip optimized to run a packet filter (this is the case with many firewall vendors) is most of the time a lot slower than ISA. The average speed of an entry level Cisco Pix firewall, for example, would be around 300MB/s. It is worth pointing out here that you can either purchase ISA as a dedicated appliance, or ‘build your own’ – in which case the underlying hardware can be as powerful as you need (you can even configure an array of ISA Servers, which will load balance the traffic).

ISA Server can act very well as a frontend or backend firewall (or simply as ‘the firewall’ in small to medium environments), but for bigger network environments it is highly recommended to use ISA Server as a backend solution in conjunction with another third party firewall. There are three reasons for this. Firstly, a frontend firewall will take off most of the network load by dramatically reducing the amount of traffic being sent to the DMZ or internal network. Secondly, it is good practice to use different vendors for your front and back end firewalls, because if one layer in your defence is compromised, you have another (Defence in Depth). And lastly, ISA Server is designed to offer an extra layer of security mainly to Exchange, SharePoint, and IIS (we understand exactly what that traffic looks like and are able to work with it on its way through). It is obviously able to provide extended security to any web server or application.

In the Exchange case, for example, authentication is performed by the ISA Server itself and no longer by the Exchange server. That gives you the assurance that only legitimate traffic is sent to your Exchange server, lowering your Exchange server load in the meantime.

ISA is also able to counter many attacks out of the box, such as Windows out-of-band (WinNuke), Land, Ping of Death, IP half scan, UDP bomb, Port scan, DNS host name overflow, DNS length overflow, DNS zone transfer, POP3 buffer overflow and SMTP buffer overflow. This feature provides an enhanced way to protect your backend servers from external attacks but also from internal attacks by employees, which we see more and more nowadays.
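
To make the difference between port filtering and application-layer filtering concrete, here is an added example (not code from the original post and not ISA Server's own filter logic): a Python check that parses a DNS payload and drops it when a label, a host name or an A-record length field breaks the RFC 1035 size limits, in the spirit of the DNS overflow entries in the list above. The function names and the sample packets are constructed for illustration.

```python
import struct
MAX_LABEL, MAX_NAME = 63, 255            # RFC 1035 size limits

def read_name(msg, off):                 # returns the offset just past one name
    total = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of packet")
        n = msg[off]
        if n & 0xC0 == 0xC0:             # compression pointer ends the name
            return off + 2
        if n > MAX_LABEL:
            raise ValueError("label longer than 63 bytes")
        total += 1 + n
        if total > MAX_NAME:
            raise ValueError("host name longer than 255 bytes")
        off += 1 + n
        if n == 0:                       # root label: end of name
            return off

def inspect_dns(msg):
    """Return 'allow' or 'drop: <reason>' for one UDP DNS payload."""
    try:
        if len(msg) < 12:
            raise ValueError("short header")
        qd, an = struct.unpack("!HH", msg[4:8])
        off = 12
        for _ in range(qd):              # question: name, QTYPE, QCLASS
            off = read_name(msg, off) + 4
        for _ in range(an):              # answer: name, then 10 fixed bytes
            off = read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated resource record")
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == 1 and rclass == 1 and rdlen != 4:
                raise ValueError("A record length field is not 4")
            off += 10 + rdlen
        if off > len(msg):
            raise ValueError("record runs past end of packet")
    except ValueError as err:
        return "drop: " + str(err)
    return "allow"

# Constructed sample packets (not captured traffic).
Q = b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
GOOD_QUERY = b"\x00\x01\x01\x00\x00\x01" + bytes(6) + Q
LONG_LABEL = GOOD_QUERY[:12] + bytes([70]) + b"a" * 70 + b"\x00\x00\x01\x00\x01"
BAD_A_LEN = (b"\x00\x01\x81\x80\x00\x01\x00\x01" + bytes(4) + Q
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 64) + b"A" * 64)
```

A packet filter that only looks at port 53 would pass all three samples; the content check passes only `GOOD_QUERY`.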

Michael RIVA, MCSE: Security, MCT
