Despite the vast sums poured into security, it is still the number one challenge for IT departments and vendors today. It seems that every week another security product is launched with the promise that it can transform the security landscape. On top of that, every day anti-malware software warns of new attacks while analysts are constantly quoted over the risks to corporate data.
About the only thing that the security vendors can agree on is that no single product or approach is enough to keep data secure. The current phrase is “blended security” where you deploy a range of tools including anti-virus, anti-spyware, anti-malware, encryption and others. These do not just come from one vendor nor do they sit in one place in your network.
Security at the edge uses firewalls to stop unauthorised access. Stateful packet inspection of all inbound and outbound traffic spots suspect traffic. Anti-virus and other products run on local machines as well as on each server and even on each segment of the network.
All of this is supposed to make the network and data secure. Just installing these solutions is not enough, however, to guarantee security. They need to be maintained, configured, managed and integrated. The two biggest challenges are management and integration.
This is where Microsoft believes that it has a significant play. To beef up its existing security products it purchased anti-virus vendor Sybari two years ago. Since then, it has been using those products as the basis of a new set of tools under the Forefront name.
The first two Forefront tools, Forefront Server for Exchange and Forefront Server for SharePoint, have shipped to Microsoft Volume Licensing customers. We have had them both running on servers to see how they work, how reliable they are and what issues they might have.
Obtaining the Forefront Server products can be done in one of two ways. You can purchase via a Microsoft Volume Licence agreement and then have the software sent via a distributor. Alternatively, purchase the licence and then download the software from the Forefront website. This is a 120-day licence, but once you put the key into the software it becomes the full version.
All documentation, guides and configuration materials can be downloaded from the Forefront website. If you have access to the TechEd website there are a number of good videos and presentations that you should watch.
Forefront Server for SharePoint (FSSP) installation is simple. Run the setup program and choose local or remote installation. You then have the choice of client Admin console or full installation. For the servers that you want to protect, you need the full installation.
We wanted to put Forefront on a single server that currently has both Exchange and SharePoint server installed. We started by installing Forefront Server for SharePoint (FSSP) which completed normally. But as soon as we started the Forefront Server for Exchange (FSE) it told us there was a previous version and wanted to upgrade it. Then it told us there was a problem and wouldn’t install at all.
This made no real sense, so we settled for two different installations. This raises an interesting issue for those using Small Business Server (SBS), who may well use just a single server for Exchange and SharePoint Services. If they have to choose just one version of Forefront, they will always worry about how well they are protected.
During the Forefront installations, it randomly selects four of the anti-virus engines to run alongside the Microsoft Antimalware Engine which you cannot deselect. It is up to you which of the engines you want to use and you can simply change the choices using the tick box next to each engine. Microsoft best practice is to use at least five engines but the ultimate choice is yours.
There are nine options in all, including the Microsoft one; the other eight are AhnLab Antivirus Scan Engine, CA Vet, Authentium Command Antivirus, Norman Virus Control, CA InoculateIT, Kaspersky Antivirus Technology, Sophos Virus Detection and VirusBuster Antivirus.
Each of the two installations runs slightly differently. The FSSP is very simple and only wants an administrative account that has access to the servers and an account that it can use for the installation.
FSE is slightly different. You have to make choices right from the start as to how secure you want it to be. This is the Quarantine setting, and there are two options: secure mode and compatibility mode. In secure mode, anything (messages and attachments) moved out of Quarantine will be re-scanned and run through the filters. In compatibility mode, no filter matching takes place.
Where you install FSE will also change the way that the installation program runs and how you later need to configure it. This is important, especially for the anti-spam updates.
After the installation has finished there is no need to restart the machine. Forefront does stop and start any services such as Exchange but this does not need operator intervention.
To work with Forefront you open the Forefront Server Security Administrator (FSSA). It will ask you for the server to connect to and then for your licence key. If you have no key you can run it for 120 days in trial mode. Microsoft claims that this is the full product with no differences, but we only ran it as a licensed product for safety.
Depending on your installation, FSSP or FSE, your experience with the FSSA will be different. This is because they are managing very different sets of data. One of the big issues with FSSP is managing the scanning of files placed into document libraries. The defaults here are set within SharePoint Server and not inside FSSA. You therefore need to be able to administer both areas.
The first thing to do in FSSP is to configure the update schedule. By default this is set to daily but if you are in a high risk environment, you may want to make this a shorter period. One issue that must be thought through is how to deal with the application of security patches to SharePoint. Critical updates to SharePoint require that both SharePoint and FSSP are stopped and restarted so you will need to factor this into your management plan.
With FSE, the configuration depends on the role of the server. For example, the Transport Scan function is designed for an Exchange Server with either the Hub Transport or Edge Transport role installed. This allows it to scan all messages in real-time as they enter, leave or are routed internally.
Configuring the anti-virus is similar with both products. You need to set the engines to use and then decide on the Bias settings. Bias relates the number of engines used for a scan to the degree of “certainty” you can expect from it.
One of the more time consuming tasks is trying to build a complete file filter. Although you can use wildcards, it is too easy to end up capturing “good” files. This means that you need to spend time checking what has been captured by the filters and slowly tuning them. Early on this will be a lot of work but over time it will become simply a monitoring task.
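The tuning loop described above, as an added example that is not Forefront's own code: a small audit that runs a wildcard filter list against a constructed set of known-good and known-bad file names, reports which patterns capture good files, and drops the over-broad ones so they can be replaced with narrower ones. Glob syntax is an assumption; the page only says that wildcards are allowed.

```python
# Added example, not Forefront's code: audit a wildcard file-filter list against
# known-good file names so over-broad patterns are found before they block users.
from fnmatch import fnmatch

# Constructed filter list. Glob syntax is an assumption; the page only says
# that wildcards are allowed.
FILTERS = ["*.exe", "*.scr", "*.vb*", "*report*"]

# Constructed samples: names the filter must catch, and names legitimate users
# upload to the document library every day.
KNOWN_BAD = ["setup.exe", "screensaver.scr", "invoice.vbs", "macro.vbe"]
KNOWN_GOOD = ["q3-report.docx", "vbscript-guide.pdf", "report.vbproj", "notes.txt"]


def matches(pattern: str, name: str) -> bool:
    # Case-insensitive so Setup.EXE and setup.exe are treated alike.
    return fnmatch(name.lower(), pattern.lower())


def audit(filters, known_bad, known_good):
    """Return (pattern -> good files it captures, bad files no pattern catches)."""
    false_positives = {p: [n for n in known_good if matches(p, n)] for p in filters}
    missed = [n for n in known_bad if not any(matches(p, n) for p in filters)]
    return false_positives, missed


def tighten(filters, known_good):
    """Drop every pattern that captures a known-good file; the operator then
    decides what narrower pattern, if any, should replace it."""
    return [p for p in filters if not any(matches(p, n) for n in known_good)]


if __name__ == "__main__":
    fps, missed = audit(FILTERS, KNOWN_BAD, KNOWN_GOOD)
    for pattern, hits in fps.items():
        if hits:
            print(f"{pattern!r} captures good files: {hits}")
    print("bad files missed:", missed)
    # "*.vb*" and "*report*" are dropped; the script extensions are added back exactly.
    tuned = tighten(FILTERS, KNOWN_GOOD) + ["*.vbs", "*.vbe"]
    print("tuned:", tuned, audit(tuned, KNOWN_BAD, KNOWN_GOOD))
```

Re-run the audit whenever the filter list or the sample of good files changes; the missed list is the check that tightening has not opened a gap.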
Microsoft’s reasons for buying into this market make sense. They know that the security issue is one that continues to haunt them and they have the biggest footprint of all software vendors. This makes them an easy target so they simply wanted to strengthen their story.
Unfortunately, it seems to have done so in a way that makes no sense. For a company that spends its time talking about grown-up systems management, Forefront is a backward step. For example, it takes a considerable amount of effort to configure any of the Forefront Servers. Once you have done this, you might think that you can then deploy those settings to other servers inside the organisation.
Microsoft took the decision that in the first version of the Forefront Servers it would not allow settings to be created and then deployed to multiple servers. As a result, you need to recreate your settings across multiple servers. This has a huge security implication.
If you are having to recreate and set security on each server rather than create a single settings file that can be deployed or imported, servers will end up out of sync. Anytime security products are out of sync, there are gaps in your protection. Firewall vendors realised this many years ago and when the hardware firewall appliances appeared from vendors such as WatchGuard and SonicWALL they came with the ability to export and import settings.
To compound this problem, Forefront is not integrated with Active Directory. This means that you need to create Forefront accounts to do some of the administrative work. Having been through this with Exchange and SQL Server over many years, it might seem reasonable that Microsoft would not make this error again.
Both of these problems are accepted by the Forefront team who claim that they will be fixed. The product for fixing the management problem is Forefront Server Security Management Console but that has only recently gone into beta. It is unlikely that it will ship much before the release of Windows Server 2008. With another six months to go before then, this seems to be very tardy.
Another downside of this lack of integration is the scanning of mail. You can install Forefront at various points in your Exchange environment, but it doesn’t pass a tag with the message to say that it has been scanned. This means that every email is scanned multiple times. This is a difficult issue. The more something is checked the more secure it will be. However, every scan comes at a price in processing time and power. It should be possible for Forefront to tell itself that mail has been scanned, to reduce the duplication.
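The "scanned" tag the paragraph asks for, sketched as an added example that is not a Forefront feature: the hop that ran the engines stamps the message with an HMAC over its Message-ID and body hash, and a later hop skips rescanning only if the stamp verifies under the shared key. The header name, key and message are constructed for the example; a bare header without the MAC would let any sender skip scanning simply by adding it.

```python
# Added example, not Forefront code: a keyed "already scanned" stamp so that
# only a hop holding the shared key can mark mail as scanned.
import hashlib
import hmac
from email.message import EmailMessage

STAMP_HEADER = "X-Scan-Stamp"          # hypothetical header, not a Forefront one
SHARED_KEY = b"constructed-demo-key"   # constructed; real deployments use a secrets store


def _mac(msg: EmailMessage, key: bytes) -> str:
    """HMAC over what a downstream hop must trust: the Message-ID and a hash of
    the body. Headers that legitimately change in transit are left out."""
    body = msg.get_payload(decode=True) or b""
    material = (msg.get("Message-ID", "") + "\n").encode() + hashlib.sha256(body).digest()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def stamp(msg: EmailMessage, key: bytes = SHARED_KEY) -> EmailMessage:
    """Called by the hop that actually ran the engines over the message."""
    msg[STAMP_HEADER] = "v1; " + _mac(msg, key)
    return msg


def already_scanned(msg: EmailMessage, key: bytes = SHARED_KEY) -> bool:
    """Downstream hop: skip rescanning only if the stamp verifies.
    A missing, forged, wrong-key or post-stamp-modified message returns False."""
    value = msg.get(STAMP_HEADER)
    if not value or not value.startswith("v1; "):
        return False
    return hmac.compare_digest(value[4:], _mac(msg, key))


def build_message(body: str, msg_id: str = "<constructed-1@example.test>") -> EmailMessage:
    # Constructed sample message used by the demonstration and the checks.
    msg = EmailMessage()
    msg["Message-ID"] = msg_id
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    m = build_message("quarterly figures attached")
    print("before stamp:", already_scanned(m))   # False: first hop must scan
    stamp(m)
    print("after stamp:", already_scanned(m))    # True: second hop may skip
    m.set_content("body changed after the stamp")
    print("after tamper:", already_scanned(m))   # False: scan again
```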
What Microsoft has done is take control of all of the anti-virus server licences that come with Forefront. Although they come from different vendors, you get them as part of the Forefront licence. Microsoft is responsible for shipping out the updates to all of these products rather than you having to create accounts with each of the AV vendors. Microsoft claims that it can turn around any updates from Kaspersky, CA, et al. and deliver them to Forefront customers within 7 minutes.
What this does mean is that any existing licences with these vendors cannot be used inside Forefront although you may want to keep them for other servers.
There are other issues over the security integration, or lack thereof. Forefront is not the only security product from Microsoft. There is ISA Server and policies inside AD which are used to secure and manage users. With Network Access Protection (NAP) shipping inside Windows Server 2008, there will be yet another layer of security protection for the network and data.
Microsoft needs to sit back and think carefully about how it intends to deploy all of this. A single management policy engine that will deploy settings to all the security products is what customers need. They do not need this proliferation of point solutions. To be able to set the rules by which any product can move a file around the network and then deploy that as a Group Policy object would be very cool and it is hoped that Microsoft is moving that way.
Forefront Server as an integrated process inside Exchange and SharePoint is a good thing. These are the two locations where there is a vast amount of incoming data and where it would be a disaster should any malware or virus get uploaded.
Having deployed multiple copies of Forefront on VMs just to see how well it works together and what the management overhead is, I’m very disappointed. Microsoft seems to have completely misjudged the market here.
Looking forward to the post-Windows Server 2008 launch, when the Forefront product family – servers, client, management – are all available and integrated, this will be a solution to seriously consider. Today, it’s something to look at but I wouldn’t want to base my security on it just yet.