Securing the Branch Office. Fred Baumhardt & Sandeep Modhvadia, Security Technology Architects, Microsoft. Presentation transcript.


1 Securing the Branch Office (title slide)

2 What is a Branch Office
- It is where the enterprise makes money
- It is where IT departments don't have people on the ground
- It has a high multiplier (10 to 10,000+ remote offices)
- It typically has low bandwidth
- It is the 19th-century Wild West
(Diagram: branch offices connected to the core datacenter)
Session plan: What is a Branch Office; Root Causes; Solutions

3 Root Causes: Why the Branch Causes Pain
Bandwidth is the root cause.
- Vendor thinking!
- Poor management: no IT staff locally, little management technology
- Large user base (code name "PEBCAK")
- High-privilege and legacy applications (poor execution control)
(Diagram: branch offices joined to the core datacenter by "sticky tape and wet string", i.e. an HLLB link: High Latency, Low Bandwidth)

4 Root Causes: How You Feel the Pain
- Viruses (self-inflicted)
- Worms (network-inflicted)
- *.ware: malware, spyware
- Users countering policy
- Service and network outages (due to saturation and loss)
- Cost

5 Securing the Branch...
- Improve bandwidth: cache, compress, etc.
- Take back control of the WAN
- Take back control of the LAN
- Select branch application platforms
- Assume branch conditions in design
- Train internal development
- Enable management remotely
- Start patching (easier said than done)
- User training and enablement
- Control of task-based work
- Technologies like SRP, ACLs, LUA
- Clear policy, technically enforced

6 Improve Bandwidth: cache, compress, etc.
- If you can, improve it: it is a root-cause killer
- Increase bandwidth contracts at the next contract window
- Consider local Internet: local breakout with VPN, MPLS, etc. over leased lines
- Bandwidth has a high correlation with security
- Caching technology is a great enabler

7 ISA Server Branch Feature Pack
- BITS caching, so you can start to patch: one download serves all clients; works for WUAC (the Windows Update client), WSUS, SMS and everything else Microsoft ships over BITS
- HTTP compression: reduces the bandwidth required for HTTP streams
- HTTP-based Quality of Service: QoS tagging for network equipment based on URL
- Caching and pre-population: depending on your cache device, content can be pre-deployed during low-utilisation times (e.g. 00:00 to 04:00)
- Windows Server 2003 R2 components such as Remote Differential Compression
- Appliances such as Tacit that do workload caching

8 Take Back Control of the WAN
Authenticate traffic using the WAN:
- Worms are anonymous; authentication defeats them
- Start reducing non-essential, uncontrolled traffic
- Example: the Branch Users group can access RPC UUID 00AABB-FA00000 on AppSRV1
- Control which protocols each user class can use and block all others: map the network to the business
- Requires a Layer 7 (application-layer) device
Protocol-inspect the WAN:
- Check the syntax of what HTTP, SMTP, RPC, DNS, etc. carry and enforce protocol conformance, to reduce non-standard (e.g. overflow) attacks
- Goal: prevent an infection from leaving or entering the branch

9 Take Back Control of the LAN
Branch host-based firewalls on client machines:
- Treat other network peers as hostile and untrusted
- Built into the OS in XP and WS2003; third-party providers for other OSes
- Branch workloads usually allow this feature to be turned on
- Windows Firewall doesn't block outbound traffic; APT will
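The host-firewall baseline the slide describes, as an added example that is not part of the original deck: it default-denies both directions (the outbound filtering the XP/WS2003 firewall lacked) and allows only the flows a task-based branch workstation needs, each pinned to the server that provides it. It uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later; the addresses, ports, WSUS location and rule group name are assumptions for a hypothetical branch, not values from the slide.

```powershell
# Added example, not from the deck. Assumes Windows 8 / Server 2012 or later (NetSecurity module).
# All addresses below are hypothetical; replace them with the branch's real servers.
$Dc        = '10.20.0.10'    # branch domain controller
$AppServer = '10.1.0.25'     # AppSRV1 in the core datacenter
$Wsus      = '10.20.0.20'    # local WSUS / ISA-cached update source
$JumpHost  = '10.1.0.50'     # the only machine IT may RDP from

function Set-BranchHostFirewall {
    # 1. Default-deny in both directions on every profile, firewall on, dropped packets logged.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

    # 2. Remove rules from an earlier run so the script is safe to re-apply (e.g. from a logon script).
    Get-NetFirewallRule -Group 'Branch-Baseline' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # 3. Only the flows the workload needs; everything else, including LAN peers, hits the default Block.
    $rules = @(
        @{ Name = 'Branch: DNS/Kerberos/LDAP/SMB to DC'; Dir = 'Outbound'; Proto = 'TCP'; Port = 53, 88, 389, 445; Remote = $Dc }
        @{ Name = 'Branch: DNS/Kerberos (UDP) to DC';   Dir = 'Outbound'; Proto = 'UDP'; Port = 53, 88;           Remote = $Dc }
        @{ Name = 'Branch: line-of-business app';       Dir = 'Outbound'; Proto = 'TCP'; Port = 443;              Remote = $AppServer }
        @{ Name = 'Branch: WSUS';                       Dir = 'Outbound'; Proto = 'TCP'; Port = 8530;             Remote = $Wsus }
        @{ Name = 'Branch: RDP from IT jump host only'; Dir = 'Inbound';  Proto = 'TCP'; Port = 3389;             Remote = $JumpHost }
    )
    foreach ($r in $rules) {
        $params = @{
            DisplayName = $r.Name; Group = 'Branch-Baseline'; Direction = $r.Dir; Profile = 'Domain'
            Protocol = $r.Proto; RemoteAddress = $r.Remote; Action = 'Allow'
        }
        # Inbound rules match on the local listening port, outbound rules on the remote service port.
        if ($r.Dir -eq 'Inbound') { $params.LocalPort = $r.Port } else { $params.RemotePort = $r.Port }
        New-NetFirewallRule @params | Out-Null
    }
}

function Test-BranchHostFirewall {
    # $true only if every profile is enabled and default-deny in both directions.
    $bad = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' -or $_.DefaultOutboundAction -ne 'Block'
    }
    return (@($bad).Count -eq 0)
}

Set-BranchHostFirewall
Test-BranchHostFirewall   # should return True
```

Windows keeps its built-in "Core Networking" allow rules (DHCP, ICMPv6 and so on) enabled, so the default-deny does not cut the machine off from the network; anything else a site needs (a printer, a file share) has to be added as an explicit rule, which is exactly the "map the network to the business" exercise slide 8 asks for. On XP SP2 the equivalent, inbound-only, lockdown was "netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL" plus one "netsh firewall add portopening" per required service.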

10 Select Branch Application Platforms
- Decisions on the branch network are taken by the network team, with little consultation on infrastructure concerns
- Architects can buy applications based on relationships and golf games, not capability
- SLAs and bandwidth have been "under-negotiated"
- Many environments have near-total network infrastructure monopolies; other architectures exist
- Network companies want to sell, in this order: leased line, MPLS, xDSL

11 Assume Branch Conditions in Design; Train Internal Development
- Look at the development and purchasing culture: how are applications for remote offices decided?
- There is a large move to web-based applications in remote offices, but caching or HTTP acceleration is seldom thought of
- Browser clients still require OS patching etc., and that should be thought of too
- Consider deploying caching and application acceleration infrastructure
- Train in-house developers to think about the deployment conditions they are writing for: send them to work in a remote office for a couple of days

12 Enable Management Remotely
A lot of remote management capability already exists.
Point-to-point technologies:
- Terminal Services is fairly efficient in bandwidth terms
- HTTP-based server consoles such as SATK
- Remote access via RPC consoles (not recommended)
- Windows Server 2003 R2 adds things like the Print Management Console
Breadth management tools:
- SMS and MOM are now increasingly bandwidth-friendly
- Management tools are moving to BITS as the transfer mechanism
- Other third-party tools are increasingly improving their bandwidth usage

13 What is the Management Response Plan for Branches?
Some questions to ask:
- How do you contain a branch failure?
- How will you detect a branch failure?
- What are your SLAs to the business?
- Are there high-value assets at the branch?
- Does your expenditure on the remote office correlate to the above?

14 Start Patching (easier said than done)
- Patch management is reactive, but necessary
- Most companies don't patch branches because of bandwidth
Patch distribution options (cost / flexibility / bandwidth savings / control / notes):
WUAC (Windows Update client)
  Cost: Low. Flexibility: Low, Microsoft only. Bandwidth savings: None. Control: None, Microsoft approves. Notes: core products only; with Microsoft Update also Office, SQL, Exchange.
WSUS
  Cost: Low to medium. Flexibility: Medium. Bandwidth savings: Full if WSUS is local, else none. Control: Admin approves. Notes: Microsoft core products only; admins approve; requires IIS locally at the branch (to cache).
ISA 2004 Branch Office + WSUS or SMS
  Cost: Low to medium. Flexibility: Medium to high. Bandwidth savings: Full (ISA cache). Control: WSUS / admin approves. Notes: no IIS locally; the firewall does its other tasks and caches; no SMS distribution point required.
SMS or other management tools
  Cost: Medium to high. Flexibility: High. Bandwidth savings: SMS full; others depend. Control: SMS full (admin); others depend. Notes: SMS offers a full solution including roll-back, local distribution, etc.
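The WSUS row of that table, and the "download during the quiet window" idea from slide 7, as an added example that is not part of the original deck: it points a branch client at a local WSUS (or an ISA-cached upstream) through the registry values the Windows Update and BITS Group Policy templates write, caps BITS during business hours so patch downloads cannot saturate the WAN link, and reads the result back so it can be compared across machines. The server URL, hours and rates are assumptions for a hypothetical branch; in production the same values are set centrally by GPO.

```powershell
# Added example, not from the deck. Server URL and schedule are hypothetical.
$WsusUrl = 'http://wsus.branch01.example.local:8530'   # local WSUS, or the ISA-cached path to the central one

function Set-BranchUpdatePolicy {
    param(
        [string]$Url = $WsusUrl,
        [int]$BusyFrom = 8, [int]$BusyTo = 18,   # hours when the business needs the link
        [int]$DaytimeKbps = 64,                  # BITS ceiling during those hours
        [int]$InstallHour = 4                    # install at the end of the 00:00-04:00 quiet window
    )
    $wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au   = "$wu\AU"
    $bits = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
    foreach ($k in $wu, $au, $bits) { New-Item -Path $k -Force | Out-Null }

    # Windows Update client: fetch from, and report to, the branch server instead of Microsoft.
    Set-ItemProperty -Path $wu -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $Url -Type String
    Set-ItemProperty -Path $au -Name UseWUServer          -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord   # 4 = auto download, scheduled install
    Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
    Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

    # BITS: hard ceiling while the branch is working, full speed the rest of the time.
    Set-ItemProperty -Path $bits -Name EnableBITSMaxBandwidth    -Value 1 -Type DWord
    Set-ItemProperty -Path $bits -Name MaxTransferRateOnSchedule -Value $DaytimeKbps -Type DWord
    Set-ItemProperty -Path $bits -Name MaxBandwidthValidFrom     -Value $BusyFrom -Type DWord
    Set-ItemProperty -Path $bits -Name MaxBandwidthValidTo       -Value $BusyTo   -Type DWord
    Set-ItemProperty -Path $bits -Name UseSystemMaximum          -Value 1 -Type DWord   # unlimited off-schedule
}

function Get-BranchUpdatePolicy {
    # What the client will actually obey; collect this from every branch machine and diff it.
    $wu   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $bits = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'             -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server        = $wu.WUServer
        UsesServer    = [bool]$au.UseWUServer
        InstallHour   = $au.ScheduledInstallTime
        DaytimeKbps   = $bits.MaxTransferRateOnSchedule
        ThrottleHours = "$($bits.MaxBandwidthValidFrom):00-$($bits.MaxBandwidthValidTo):00"
    }
}

function Test-BranchUpdatePolicy {
    # $true when the client is pinned to the expected branch server.
    $p = Get-BranchUpdatePolicy
    return ($p.UsesServer -and $p.Server -eq $WsusUrl)
}

Set-BranchUpdatePolicy
Get-BranchUpdatePolicy
Test-BranchUpdatePolicy   # should return True
# Ask the Automatic Updates client to contact the server now rather than on its next cycle.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

The bandwidth saving only materialises if the WSUS the clients point at is itself local to the branch or reached through the ISA cache; pointing 200 clients at a central WSUS over the WAN is the "else none" case in the table, because each client downloads its own copy.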

15 User Training and Enablement
User training is key: users can be useful to IT.
- Users (like pets) can help you, if you train them
- The branch manager etc. can be delegated some tasks
- Equipment can be swapped out by users, if it and your design are IPA (Idiot Proof Architecture)
- Security policy should be communicated to the user base, and peer-enforced
- Users are IT's eyes and ears at the branch

16 Control of Task-Based Work; Technologies like SRP, ACLs, LUA; Clear Policy, Technically Enforced
- Whitelists like Software Restriction Policy require business investment, but are the most effective
- Blacklist technologies are "applianced", easy to deploy and require signature payments: perfect for the security industry, bad for you
- You will need to buy lots of different blacklist technologies
- If your tellers only use the bank application, and they can only run it (and nothing else), do you need AV?

17 Control of Task-Based Work (continued)
- Remove admin privileges from task-based users; until Vista this will be very difficult to do for information workers
- Active Directory-driven Group Policy provides a repeatable, re-applied lock-down, but GPOs depend on DC placement (bandwidth)
- Anti-(*.*) products usually take management effort and bandwidth for signatures
- Access control lists etc. can be very expensive to deploy; LUA for Vista and SRP aren't widely deployed
- For information-worker branch users, full management is required for security: consider AD GPO, SRP, host-based firewalls, auto-patching
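The teller scenario from slide 16 and the SRP lock-down slide 17 recommends, as an added example that is not part of the original deck: a Software Restriction Policy whitelist for a task-based branch workstation, written through the registry keys SRP reads (the same ones the Local Security Policy and GPO editors write), with the default level set to Disallowed so only the OS, installed software and the line-of-business application can run. The application path under C:\Apps is hypothetical; the script sets the policy locally so it can be tested on one machine, and the same rules would be pushed by GPO in production.

```powershell
# Added example, not from the deck. The Teller.exe path is hypothetical.
# SRP re-reads its policy at logon: log off and on (or reboot) after running this.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ Unrestricted = 262144; Disallowed = 0 }   # SRP security-level IDs used as subkey names

function Initialize-SaferWhitelist {
    New-Item -Path $SaferRoot -Force | Out-Null
    # Default level Disallowed: anything not matched by an Unrestricted rule cannot run.
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Levels.Disallowed -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1 -Type DWord   # 1 = all software except DLLs (2 = DLLs too)
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0 -Type DWord   # 0 = applies to administrators as well
    # File types treated as executable code; add any script or installer type the branch users could be sent.
    Set-ItemProperty -Path $SaferRoot -Name ExecutableTypes -Type MultiString -Value @(
        'BAT','CHM','CMD','COM','CPL','EXE','HTA','INF','JS','JSE','LNK','MSC','MSI','MSP','MST',
        'OCX','PIF','REG','SCR','SHS','VB','VBE','VBS','WSC','WSF','WSH')
    # Drop path rules from earlier runs so the script is idempotent.
    foreach ($lvl in $Levels.Values) {
        $p = "$SaferRoot\$lvl\Paths"
        if (Test-Path $p) { Remove-Item -Path $p -Recurse -Force }
    }
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Unrestricted', 'Disallowed')][string]$Level = 'Unrestricted',
        [string]$Description = ''
    )
    # One GUID-named subkey per rule under <level>\Paths, as the policy editor creates them.
    $key = "$SaferRoot\$($Levels[$Level])\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString   # %vars% expanded at check time
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
}

function Get-SaferPathRules {
    # The effective path rules as objects, for auditing the whole branch against a known-good set.
    foreach ($name in $Levels.Keys) {
        $p = "$SaferRoot\$($Levels[$name])\Paths"
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p | ForEach-Object {
            $v = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $name; Path = $v.ItemData; Description = $v.Description }
        }
    }
}

Initialize-SaferWhitelist
# What may run: the OS, installed software, and the one application the tellers use.
Add-SaferPathRule -Path '%SystemRoot%'             -Description 'Windows'
Add-SaferPathRule -Path '%ProgramFiles%'           -Description 'Installed applications'
Add-SaferPathRule -Path 'C:\Apps\Teller\Teller.exe' -Description 'Bank teller application (hypothetical path)'
# Carve user-writable folders back out of the trusted trees; a more specific path rule beats a less
# specific one, so a binary dropped here is blocked even though %SystemRoot% is Unrestricted.
Add-SaferPathRule -Path '%SystemRoot%\Temp'  -Level Disallowed -Description 'User-writable'
Add-SaferPathRule -Path '%SystemRoot%\Tasks' -Level Disallowed -Description 'User-writable'
Get-SaferPathRules | Format-Table -AutoSize
```

The two Disallowed rules are the part that usually gets missed: a whitelist built only from "%SystemRoot% and %ProgramFiles% may run" still lets a user, or a worm running as that user, execute anything it can write under a world-writable subfolder of those trees, and Temp and Tasks are not the only such folders on a default install. Enumerate them on the branch build image (look for directories where Users have write access) and add a Disallowed rule for each before rolling the policy out.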

18 Optimal Policy Enforcement
- Do your users know what their policy is?
- Do they know it's NOT OK to let someone take the server away "for repair" without authorisation?
- Can you technologically enforce your security policy? If not, why is it there?
- Did you write your policy with legal guidance?
- Have you adjusted your policy for the branch environment?
- Do you have a monitoring infrastructure in place to detect contravention?

19 Resources
The latest news on Microsoft security:
- www.microsoft.com/uk/security
- www.microsoft.com/uk/technet
Read and contribute to our blogs:
- http://blogs.technet.com/sandeep/default.aspx
- http://blogs.technet.com/fred/default.aspx

20 We are better at this stuff than you think…

