Beta Man

Forefront's Communications Are 'Stirling'

Upcoming anti-malware suite offers integrated solution across the enterprise.

• By Peter Varhol
• 06/01/2008

Forefront consists of several components. These include a management console and dashboard for security configuration and enterprise-wide visibility, and the new versions of the Forefront products, including Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint and the Forefront Threat Management Gateway (currently Internet Security & Acceleration Server).

What is most significant, perhaps, is this version of Forefront includes Dynamic Response, a Microsoft technology built into each component that allows the entire software suite to share and use security information to dynamically respond to threats across multiple layers of the organization. There's a level of communication among the components that you won't find with point products from multiple vendors.

For this column, I looked at the management console and client component only. Next month I'll take a quick look at the Exchange and SharePoint components, as well as the Threat Management Gateway.

You install the server component by running the setup wizard. The wizard setup program installs database files associated with Stirling, verifies that the system meets the prerequisites, and completes the installation silently within 10 minutes. The second part is to install the administrative console, which can be installed on any system in the domain.

The best way to install the client components is to set up a Windows Server Update Services (WSUS) server to distribute client installation files and anti-malware definitions. However, you can also install it to the client from the admin console. The nice thing about using a WSUS server for the anti-malware definitions is that it can be made completely automatic.

Down to Business
Once you have the client components installed on the systems, you can set up policies from the admin console. For example, you can configure Forefront to work with the Windows Firewall on the client systems, setting it up as a policy and sending it to each of the client systems. You can also set it up to change configurations based on the status of the system. For example, I can define a policy that specifies the Windows Firewall is turned on only when disconnected from the network, and that certain ports are disabled at that time.

But the real advantage in Stirling may be its Dynamic Response feature. That feature lets components communicate threat information and take actions based on that information. For example, the gateway can determine when a Trojan on a PC opens ports to the outside, and instructs the client component to isolate that PC from the network and run a full system scan. I'll be able to demonstrate this more concretely once I have the Threat Management Gateway installed next month (although I'm still leery of intentionally introducing malware onto my network).

If you're using multiple products in protecting your network, especially if those products come from multiple vendors, then the Forefront suite can make sense for you. It can also make sense if you like the idea of updating anti-malware definitions in the same manner as Windows patches -- through a WSUS server.

I didn't encounter any difficulties in installing and configuring the Forefront server and client components, or the admin console. The beta seemed well done, with no hiccups. To some extent, a security solution is graded on its ability to identify and neutralize malware, a capability that I didn't test. Microsoft's track record here is less than stellar, with Forefront most recently reported to have misdiagnosed Skype as malware (it would have disabled my Skype installation, for instance).