A great deal of confusion exists about the role that the Forefront Edge
line can play in a SharePoint environment. Much of that confusion stems
from the misconception that Forefront TMG or Forefront UAG are only
proxy server products. Both Forefront Edge products are, on the
contrary, fully functional firewalls, VPN servers, web caching proxies,
and application reverse-proxy solutions. In addition, the Forefront Edge
line addresses specific business needs to provide a secured
infrastructure and improve productivity through the proper application
of its built-in functionality. Determining how these features can help
to improve the security and productivity of a SharePoint environment is
subsequently of key importance.
In addition to the built-in
functionality available within the Forefront Edge line, a whole host of
third-party integration solutions provide additional levels of security
and functionality. Enhanced intrusion detection support, content
filtering, web surfing restriction tools, and customized application
filters all extend the capabilities of the Forefront Edge line and
position it as a solution to a wide variety of security needs within
organizations of many sizes.
Outlining the High Cost of Security Breaches
It is rare when a week goes by
without a high-profile security breach, denial-of-service (DoS) attack,
exploit, virus, or worm appearing in the news. The risks inherent in
modern computing have been increasing exponentially, and effective
countermeasures are required in any organization that expects to do
business across the Internet.
It has become impossible to
turn a blind eye toward these security threats. On the contrary, even
organizations that would normally not be obvious candidates for attack
from the Internet must secure their services, as the vast majority of
modern attacks do not focus on any one particular target, but sweep the
Internet for any destination host, looking for vulnerabilities to
exploit. Infection or exploitation of critical business infrastructure
can be extremely costly for an organization. Many of the productivity
gains in business recently have been attributed to advances in
information technology functionality, including SharePoint-related
gains, and the loss of this functionality can severely impact the bottom
line.
In addition to productivity
losses, the legal environment for businesses has changed significantly
in recent years. Regulations such as Sarbanes-Oxley (SOX), HIPAA, and
Gramm-Leach-Bliley have changed the playing field by requiring a certain
level of security and validation of private customer data.
Organizations can now be sued or fined for substantial sums if proper
security precautions are not taken to protect client data. The atmosphere
surrounding these concerns provides the backdrop for the evolution and
acceptance of the Forefront Edge line of products.
Outlining the Critical Role of Firewall Technology in a Modern Connected Infrastructure
It is widely
understood today that valuable corporate assets such as SharePoint sites
cannot be exposed to direct access to the world’s users on the
Internet. In the beginning, however, the Internet was built on the
concept that all connected networks could be trusted. It was not
originally designed to provide robust security between networks, so
security concepts needed to be developed to secure access between
entities on the Internet. Special devices known as firewalls were
created to block access to internal network resources for specific
companies.
Originally, many
organizations were not directly connected to the Internet. Often, even
when a connection was created, there was no type of firewall put into
place because the perception was that only government or high-security
organizations required protection.
With the explosion of
viruses, hacking attempts, and worms that began to proliferate,
organizations soon began to understand that some type of firewall
solution was required to block access to specific “dangerous” TCP or UDP
ports used by the Internet’s TCP/IP protocols. This type of
firewall technology would inspect each arriving packet and accept or
reject it based on the TCP or UDP port specified in the packet
header.
Some of these firewalls were
ASIC-based firewalls, which used solid-state microchips with built-in
packet-filtering logic. These firewalls, many of which are still
deployed today, provided organizations with a quick-and-dirty way to
filter Internet traffic, but did not allow for a high degree of
customization because of their static nature.
The development of
software-based firewalls coincided with the need for simpler management
interfaces and the ability to make software changes to firewalls quickly
and easily. The most popular firewall brand in organizations today,
CheckPoint, falls into this category, as do other popular firewalls such
as SonicWall and Cisco PIX. The Forefront Edge line was built and
developed as a software-based firewall, and provides the same degree of
packet-filtering technology that has become a virtual necessity on the
Internet today.
More recently, holes
in the capabilities of simple packet-based filtering technology have made
a more sophisticated approach to filtering traffic for malicious or
spurious content a necessity. The Forefront Edge line responds to these
needs with the capability to perform application-layer filtering on
Internet traffic.
Understanding the Growing Need for Application Layer Filtering
Nearly all organizations with a
presence on the Internet have put some type of packet-filtering firewall
technology into place to protect the internal network resources from
attack. These packet-filter firewall technologies were useful in
blocking specific types of network traffic, such as attacks that exploit
vulnerabilities in the RPC protocol, simply by blocking the TCP and UDP
ports that RPC uses. Other ports, on the other hand, were often left
wide open to support certain functionality, such as TCP ports 80 and
443, utilized for HTTP and HTTPS web browsing and for access to
SharePoint. As previously mentioned, a packet-filter firewall is only
able to inspect the header of a packet, simply understanding which port
the data is meant to utilize, but unable to actually read the content. A
good analogy to this would be if a border guard were instructed to only
allow citizens with specific passports to enter the country, but had no
way of inspecting their luggage for contraband or illegal substances.
The problem that is
becoming more evident, however, is that viruses, exploits, and
attacks have adjusted to conform to this new landscape: their authors
have realized that they can conceal the true malicious nature of a
payload behind the identity of an allowed port. For example, they can
“piggy-back” a destructive payload over a known “good” port that is
open on a packet-filter firewall. Many modern exploits, viruses, and
“scumware,” such as illegal file-sharing applications, piggy-back on
TCP port 80 or 443, for example. Using the border guard analogy to
illustrate, the smugglers realized that if they put their contraband in
the luggage of a citizen from a country on the border guard’s allowed
list, they could smuggle it into the country without worrying that the
guard will inspect the package. These types of exploits and attacks are
not uncommon, and the list of known application-level attacks continues
to grow.
In the past, when
an organization realized that it had been compromised through its
traditional packet-filter firewall, the common knee-jerk reaction was to
lock down access from the Internet in response to threats. For example,
an exploit that arrived over HTTP port 80 or 443 might prompt an
organization to completely close access to that port on a temporary or
semi-permanent basis. This approach can greatly impact productivity, as
SharePoint access would be affected. This is especially true in a modern
connected infrastructure that relies heavily on communications and
collaboration with outside vendors and customers. Traditional security
techniques would involve a trade-off between security and productivity.
The tighter a firewall was locked down, for example, the less functional
and productive an end user could be.
In direct response to the
need to maintain and increase levels of productivity without
compromising security, application layer “stateful inspection”
capabilities were built into the Forefront Edge line that can
intelligently determine whether particular web traffic is legitimate. To
illustrate, the Forefront Edge line inspects a packet arriving on TCP port 80
to determine whether it is a properly formatted HTTP request. Looking back
to the analogy we have been using, the Forefront Edge line is like a
border guard who not only checks the passports, but is also given an
x-ray machine to check the luggage of each person crossing the border.
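As an added illustration (not code from the book or from Forefront), the following Python contrasts the two decisions described above: a header-only port check beside a check that the payload on port 80 is actually a well-formed HTTP request. The allowed-method list, the header grammar and the sample payloads are constructed assumptions, not Forefront's own inspection rules.

```python
# Added example (not from the book): a port-only packet filter beside an
# application-layer check, both applied to traffic arriving on TCP 80.
# Sample payloads and the allowed-method list are constructed assumptions.
import re

ALLOWED_PORTS = {80, 443}
# Assumed policy: methods a SharePoint front end would need (PROPFIND for WebDAV).
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS", "PROPFIND"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>1\.[01])$")
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

def packet_filter_allows(dst_port: int) -> bool:
    """Header-only decision: the border guard who checks only passports."""
    return dst_port in ALLOWED_PORTS

def looks_like_http_request(payload: bytes) -> bool:
    """Application-layer decision: is this a properly formatted HTTP request?"""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False  # binary content is not an HTTP request, whatever the port
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return False  # no end-of-headers marker
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group("method") not in ALLOWED_METHODS:
        return False
    names = set()
    for line in lines[1:]:
        name, colon, _ = line.partition(":")
        if not colon or not HEADER_NAME.fullmatch(name):
            return False  # header line is not "Name: value"
        names.add(name.lower())
    # HTTP/1.1 requires a Host header; HTTP/1.0 does not.
    return m.group("ver") == "1.0" or "host" in names

def app_layer_filter_allows(dst_port: int, payload: bytes) -> bool:
    """Passport plus x-ray machine: port check and content check together."""
    return packet_filter_allows(dst_port) and looks_like_http_request(payload)

# Constructed samples: a legitimate SharePoint page request and a non-HTTP
# payload riding on the open port 80.
GOOD = b"GET /sites/hr/default.aspx HTTP/1.1\r\nHost: portal.example.test\r\n\r\n"
PIGGYBACK = b"\x00\x01\x02NOT-HTTP\xff" + b"\x00" * 16

if __name__ == "__main__":
    for label, p in (("good", GOOD), ("piggyback", PIGGYBACK)):
        print(label, packet_filter_allows(80), app_layer_filter_allows(80, p))
```

Both samples pass the port-only check; only the well-formed request passes the application-layer check.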
The more sophisticated
application layer attacks become, the greater the need becomes for a
security solution that allows a greater degree of productivity
while reducing the kinds of risk that exist in an environment that
relies on simple packet-based filtering techniques.