Securing the Branch Office Fred Baumhardt & Sandeep Modhvadia Security Technology Architects Microsoft.


What is a Branch Office
- It is where the Enterprise makes money
- It is where IT Departments don't have people on the ground
- It has a high multiplier (10 - 10,000+ remote offices)
- It typically has low bandwidth
- It is the 19th Century Wild West
(Session plan: What is a Branch Office; Root Causes; Solutions)

Root Causes – Why The Branch Causes Pain
- Bandwidth – the root cause
- Vendor Thinking!
- Poor Management – no IT staff locally, little management technology
- Large User Base – code name "PEBCAK"
- High privilege and legacy applications (poor execution control)
(Diagram: Branch Offices connected to the Core Datacenter over "Sticky Tape" and "Wet String" – HLLB, High Latency Low Bandwidth links)

Root Causes – How You Feel the Pain
- Viruses (self inflicted)
- Worms (network inflicted)
- *.ware – Malware/Spyware
- Users countering policy
- Service and Network Outage (due to saturation and loss)
- Cost

Securing the Branch…
- Improve Bandwidth – cache, compress, etc.
- Take Back Control of WAN
- Take Back Control of LAN
- Select Branch Application Platforms
- Assume Branch Conditions in design
- Train Internal Development
- Enable Management remotely
- Start Patching (easier said than done)
- User Training and Enablement
- Control of Task Based Work
- Technologies like SRP, ACLs, LUA
- Clear policy, Tech Enforced

Improve Bandwidth – cache, compress, etc.
- If you can, improve it – it's a root killer
- Increase Bandwidth Contracts at next window
- Consider local Internet: Local Breakout w/VPN, MPLS, etc. over leased lines
- Bandwidth has a high correlation with security
- Caching Technology is a great enabler

ISA Server Branch Feature Pack
- BITS Caching – so you can start to patch – one download for all clients – works for WUAC, WSUS, SMS, all Microsoft BITS
- HTTP Compression – reduce B/W required for HTTP streams
- HTTP Based Quality of Service – tagging QoS for network equipment based on URL
- Caching and pre-population – depending on your cache device, content can be pre-deployed during low bandwidth times (like 00:00 - 04:00)
- R2 components like Remote Differential Compression
- Appliances like Tacit etc. that do workload caching

Take Back Control of WAN
Authenticate Traffic Using the WAN
- Worms are anonymous – authentication defeats them
- Start reducing non-essential, non-controlled traffic
- Example – Branch Users Group can access RPC UUID 00AABB-FA00000 to AppSRV1
- Control what protocols each user class can use – block all others – map the network to the business
- Requires a Layer 7 Application Layer device
Protocol Inspect the WAN
- Check the syntax of what HTTP, SMTP, RPC, DNS, etc. use – enforce protocol conformance to reduce non-standard (overflow) attacks
- Goal is to prevent infection from leaving/entering the branch
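To make the two slide points concrete, here is an added illustration (not ISA Server code, and not from the presenters) of what a Layer 7 WAN policy check does: traffic must be authenticated, the user's group must hold an explicit allow rule for that protocol and destination (the slide's RPC UUID example is reused; the "intranet" HTTP rule is an assumption), and HTTP request lines must conform to a strict grammar before they pass.

```python
"""Illustrative Layer 7 WAN policy check: authenticated, group-based allow rules
plus HTTP request-line conformance. Constructed example; rule values other than
the slide's RPC UUID / AppSRV1 pair are assumptions."""
import re

# Allow rules: (user group, protocol, destination, identifier or None).
ALLOW_RULES = [
    ("Branch Users", "rpc", "AppSRV1", "00AABB-FA00000"),   # from the slide
    ("Branch Users", "http", "intranet", None),             # assumed
]

# Strict request-line grammar: known method, printable absolute path, HTTP/1.x.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (/[\x21-\x7e]{0,2047}) HTTP/1\.[01]$")


def http_conformant(request_line: str) -> bool:
    """True only if the request line matches the grammar. Oversized or
    non-printable input (the usual shape of an overflow attempt) fails closed."""
    if len(request_line) > 2100:
        return False
    return REQUEST_LINE.match(request_line) is not None


def wan_allowed(user, groups, protocol, dest, ident=None, payload=None) -> bool:
    """Decide whether one flow may cross the WAN.
    1. Anonymous traffic (no authenticated user) is dropped: this is what
       defeats worms, which never authenticate.
    2. Some group of the user must hold a rule for protocol + destination
       (+ identifier, e.g. the RPC interface UUID, when the rule names one).
    3. For HTTP the request line must be protocol-conformant."""
    if not user:
        return False
    rule_hit = any(
        grp == g and protocol == proto and dest == d and (i is None or i == ident)
        for grp in groups
        for (g, proto, d, i) in ALLOW_RULES
    )
    if not rule_hit:
        return False
    if protocol == "http" and not http_conformant(payload or ""):
        return False
    return True
```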

Take Back Control of LAN
Branch Host Based Firewalls on Clients
- Machines treat other network peers as hostile and untrusted
- XP and WS2003: built in to the OS; other OS: third party providers
- Usually branch workloads allow this feature to be turned on
- Win Firewall doesn't block outbound traffic – APT will

Select Branch Application Platforms
- Decisions on the Branch Network are taken by the Network Team – little consultation on infrastructure concerns
- Architects can buy applications based on relationship/golf games, not capability
- SLAs and Bandwidth have been "under-negotiated"
- Many environments have near-total Network Infra monopolies; other architectures exist
- Network companies want to sell, in order: Leased Line, MPLS, xDSL

Assume Branch Conditions in design / Train Internal Development
- Look at the Development and Purchasing Culture – how are applications for remote offices decided?
- Large move to Web Based Applications in Remote Offices, but seldom is caching or HTTP acceleration thought of
- Browser clients still require O/S patching etc., and it should be thought of
- Consider deployment of caching and application acceleration infrastructure
- Train In-House Developers to think about the deployment conditions they are writing for – send them to work in a remote office for a couple of days

Enable Management remotely
A lot of Remote Management capabilities already exist
Point to Point Technologies
- Terminal Services is fairly efficient in B/W terms
- HTTP Based Server Consoles like SATK
- Remote Access like RPC Consoles (not recommended)
- R2 adding things like Print Management Console
Breadth Management Tools
- SMS, MOM now increasingly bandwidth friendly
- Management tools moving to BITS as transfer language
- Other third party tools increasingly improving b/w usage

What is the Management Response Plan for Branches?
Some Questions to Ask:
- How do you contain branch failure?
- How will you detect branch failure?
- What are your SLAs to the business?
- Are there "High Value Assets" at the branch?
- Does your expenditure on the remote office correlate to the above?

Start Patching (easier said than done)
- Patch Management is Reactive – but necessary
- Most Companies don't patch due to B/W

Technology | Cost | Flexibility | Bandwidth Savings | Control | Notes
WUAC | Low | Low – MS Only | None | None – MS Approves | Core Product only with MS Update: Office, SQL, Exch
WSUS | Low-Med | Medium | Full – if WSUS local, else none | Admin Approves | MS Core Product Only – admins approve – requires IIS in the branch (to cache)
ISA 2004 BO + WSUS or SMS | Low-Med | Medium-High | Full – ISA cache, WS approves | Admin Approves | No IIS locally – FW does other tasks and caches, no distribution point for SMS required
SMS, or other Management | Medium-High | High | SMS – Full – others depend | SMS – Admin Full – Others Depend | SMS offers full solution including roll back, local distribution etc.

User Training and Enablement
User Training is Key – Users can be useful to IT
- Users (like pets) can help you – if you train them
- Branch Manager etc. can be delegated some tasks
- Equipment can be swapped out by Users, if it and your design is IPA (Idiot Proof Architecture)
- Security Policy should be communicated to the user base – and peer enforced
- Users are IT eyes and branch

Control of Task Based Work
- Whitelists like Software Restriction Policy require Business Investment – but are the most effective
- Blacklist technologies are "appliantized", easy to deploy and require signature payments – perfect for the security industry, bad for you
- You will need to buy lots of different blacklist technologies
- If your tellers only use the bank application – and they can only run it (and nothing else) – do you need AV?

Technologies like SRP, ACLs, LUA
- Remove Admin Privileges from Task Based Users – until Vista this will be very difficult to do for Information Workers
- Active Directory driven group policy provides a repeatable, re-applied lock down – but GPOs depend on DC placement (B/W)
- Usually Anti(*.*) takes management and bandwidth for signatures
- Access Control Lists etc. can be very expensive to deploy – LUA for Vista and SRP aren't widely deployed
- For IW branch users, full management is required for security; consider AD GPO, SRP, HBF, Auto Patching
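The two slides above argue for a default-deny allow list (Software Restriction Policy) over blacklists. As an added illustration (not Windows or SRP code, and not from the presenters), the evaluator below models SRP's decision rules: default Disallowed, path rules allow only the trees a teller needs, a more specific path rule overrides a broader one, and a hash rule overrides any path rule. The paths, the "BankApp" name and the updater bytes are constructed.

```python
"""Allow-list evaluator modelled on Software Restriction Policy semantics.
Constructed example; paths and file contents are made up."""
from fnmatch import fnmatchcase
from hashlib import sha256

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


class Policy:
    def __init__(self, default=DISALLOWED):
        self.default = default      # SRP "default security level"
        self.hash_rules = {}        # sha256 hex -> level
        self.path_rules = []        # (lower-cased glob pattern, level)

    def path_rule(self, pattern, level=UNRESTRICTED):
        self.path_rules.append((pattern.lower(), level))

    def hash_rule(self, content: bytes, level=UNRESTRICTED):
        self.hash_rules[sha256(content).hexdigest()] = level

    def decide(self, path: str, content: bytes = b"") -> str:
        """Precedence as in SRP: hash rule beats path rule; among matching
        path rules the most specific (longest pattern) wins; else the default."""
        digest = sha256(content).hexdigest()
        if digest in self.hash_rules:
            return self.hash_rules[digest]
        p = path.lower()
        hits = [(len(pat), lvl) for pat, lvl in self.path_rules if fnmatchcase(p, pat)]
        if hits:
            return max(hits)[1]
        return self.default


# Constructed content of a signed updater the tellers are allowed to run from anywhere.
BANK_UPDATER = b"constructed-updater-bytes"


def teller_policy() -> Policy:
    """Tellers run the OS, Program Files and the bank application, nothing else."""
    pol = Policy(DISALLOWED)
    pol.path_rule(r"c:\windows\*")
    pol.path_rule(r"c:\program files\*")
    pol.path_rule(r"c:\program files\bankapp\*")
    # User-writable directory under an allowed tree: re-block it explicitly
    # (longer pattern wins), closing the classic gap in broad path rules.
    pol.path_rule(r"c:\windows\temp\*", DISALLOWED)
    pol.hash_rule(BANK_UPDATER, UNRESTRICTED)
    return pol
```

Because the default is Disallowed, anything in a user profile or on removable media is blocked without a signature for it ever existing, which is the point the slide makes against blacklists.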

Clear policy, Tech Enforced – Optimal Policy Enforcement
- Do your users know what their policy is?
- Do they know it's NOT OK to let someone take the server away "for repair" without authorisation?
- Can you technologically enforce your Security Policy – if not, why is it there?
- Did you write your policy with legal guidance?
- Have you adjusted your policy for the branch environment?
- Do you have a Monitoring Infrastructure in place to detect contravention?

Resources
- The latest news on Microsoft security
- Read and contribute to our blogs

We are better at this stuff than you think…