Meet two security professionals at midsized companies who are both quite pleased with Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint and Forefront Threat Management Gateway.
George Podolak, Pei Cobb Freed & Partners
George Podolak's company works on projects for sensitive clients like the Federal Reserve and the International Monetary Fund (IMF), and the last thing he wants is for their intellectual property to spill out on to the Internet. There are many ways to address these fears, but one important defense is making sure employees aren't inadvertently going to sites that would lead to malicious downloads like keyloggers.
Podolak, IT director at the NYC-based architecture firm Pei Cobb Freed & Partners, had always been confident in his firewall's ability to monitor incoming traffic, but outbound traffic was a different story.
"We never did anything for outgoing connections," he said, resulting in some of his employees unintentionally visiting inappropriate sites.
By installing Microsoft Forefront Threat Management Gateway, part of Microsoft's Forefront security suite, essentially as a proxy server, Podolak now sets customizable block policies that keep his employees from visiting phishing websites, pornographic pages or other suspicious destinations that could lead to malicious executables and compromise the budgets, drawings or other documentation related to a given architecture project.
Podolak added that the Microsoft gateway product also gave him some reassurance concerning large-scale attacks.
"Because we have a proxy server, if we see anything going on that we think is going to be a larger attack, we can go to the Threat Management Gateway Server and stop [that traffic]."
Specifically what thrilled Podolak about Forefront was the all-in-one view he received in the Forefront Protection Manager console, "a thing of beauty," he said. Podolak said he struggled with the visibility of his previous security arrangements: one screen monitoring client antivirus, another watching Exchange, each with various reports.
"You would have three to four screens instead of one console," Podolak said. "You can do [separate] reports, but by then it could be too late," as an attack or compromise could've already occurred.
Aside from the Threat Management Gateway, Podolak also uses other parts of the Forefront Security Suite, including Microsoft Forefront Client Security, Microsoft Forefront Security 2007 for Exchange Server and Microsoft Forefront Security for SharePoint. Their status can all be viewed on one screen.
"He can monitor spam coming in on the Exchange server, he can monitor SharePoint, and he can see which PCs have been infected."
The Forefront Protection Manager console also allows Podolak to prioritize his servers by importance, designating which are critical. Exchange and SQL Server, for example, are more critical assets than the FTP server, and his alerts are arranged accordingly: his Exchange notifications appear at the top of his console list.
"Even a mild hit, and it blares right at you," Podolak said.
The console also reveals "critical" and "high importance" alerts related to the endpoint security status of individual employee machines. When asked for an example, Podolak quickly pointed to a failed cleanup of a Trojan downloader on a machine in his accounting department. That visibility allows Podolak to find the problem computer and remove it from the network.
"You can take a look at where that asset is located and ask, 'is it critical to the firm's well-being?' You are reacting, but it's not like you have to wait for a user [to contact you]. We see it right on the screen and can pull them off the network."
Once more details are known about an infection, Podolak added, he can see if his machines are transmitting outward. He can then go to his Threat Management Gateway proxy server, shut down outgoing traffic and allow incoming traffic to the Exchange server.
Although Podolak still worries about zero-day threats, Microsoft Forefront has put him at ease: "I feel more confident. I don't have to worry as much about people getting caught in phishing sites and downloading drive-by malware. Although that's not an end-all, it does give you confidence that you are protecting the network."
Will Wilson, Guardian Real Estate Services
As director of information systems at Portland, Oregon-based Guardian Real Estate Services LLC, Will Wilson's security needs are similar to those of many medium-sized businesses: retain and secure customer data.
That task can be a complicated one when firewall, desktop security and email security products are all provided by different vendors. Multiple vendors can make it harder for security managers to keep the different applications up to date with patches.
With Forefront, Wilson appreciated the ease and cost savings of one licensing platform, one that provides various layers of defenses. "You have a single vendor that covers multiple security vectors, from Exchange, to firewall, to edge, to cloud-based filtering to SharePoint," Wilson said.
Guardian deployed Microsoft Forefront Client Security and Forefront Security for Exchange Server in 2007. In April 2008, like Podolak's company, Guardian participated in Microsoft technology adoption programs (TAPs), projects designed for companies to try out and offer feedback on early technology, for Forefront Protection 2010 for Exchange Server and Forefront Threat Management Gateway 2010.
Wilson receives information from these sources in the central report management system, Forefront Protection Manager, one he said is "one of the best reporting systems that I've seen." Like Podolak, Wilson is pleased with his ability to view the status of his firewall, Exchange server and client security easily.
The director particularly appreciated the analysis from Microsoft Forefront Client Security.
"You can get some specific drill-down graphical reports," he said, "specifically to the instance: what system and what user account."
Wilson praised Microsoft's client protection platform and how it enforces browser security policies and computer behavioral policies, in addition to providing malware protection. The dashboard view of the Forefront Client Protection console helps Wilson keep an eye on problems with machines in the organization.
Listing what he can look for: "What computers are having a problem? Are they missing service updates? Have they been scanned? Is there a threat that points to larger problems? These computers haven't checked in a couple days. Why aren't they phoning home?"
Guardian has about 500 employees across six states and 330 network users accessing resources. Like Podolak, Wilson feels very comfortable with the company's ability to defend itself against external threats.
"I feel 100% confident in our protection against the outside world," he said. What makes him feel so sure: "the fact that nothing's happened to us."
Still needing a hand?
From a security perspective, neither Podolak nor Wilson thinks the job is done just yet. Wilson still sees internal security as an area of concern: having document leakage protection or other DLP implementations in place, arrangements he considers a pain to administer.
In an ideal world, Podolak wishes for more heuristic protection in Forefront against zero-day threats. The ideal model, he said, would be one that provides similar views to that of the SANS Internet Storm Center, which monitors malicious traffic and provides data and intrusion detection reports on large-scale threats, like suspicious probes on particular ports.
For Podolak, implementing the new software in a stable environment presented both risk and reward. Podolak ran beta releases until January 2008 as part of the Microsoft TAP, and early on, he experienced an increase in spam. Because Podolak had a 2003 and 2007 Exchange server running, it took a couple of Live Meeting sessions with Microsoft engineers on the Forefront and Exchange teams to figure out the spam problem and create a new receive connector, a gateway for incoming mail, that handled the email transfer correctly between the servers.
"So whenever you introduce new capabilities, especially with beta software, you run some risks, some downtime, some user pain. But the rewards [are there] at the end."
Overall, Wilson and Podolak's reviews of the Forefront Security suite have been solid ones, and the suite has given them security assurance within their organizations. "The system has proven to be very effective for us. Security is something we don't think about here, because our protection runs and runs well," Wilson said.