In-Depth

Microsoft Forefront: Strictly Business

Microsoft doesn’t put enough edge into its security products, yet.

Depending on personal biases, you may agree with or dispute Microsoft’s claim that it is serious about security. If you carved the company’s security offerings into a separate company, the resulting group would be considered a lightweight in the industry. Yet several analysts and industry execs see the 800-pound gorilla as a formidable competitor.

Microsoft’s consumer offering, Live OneCare, throws antivirus, antispyware, souped-up firewall, and backup programs into a package. My opinion: it works. It is not best-of-breed, nor does it have the best features for the price, but the product works.

Microsoft has rebranded its divergent business-oriented security products with the Forefront name. Each entry also works, but whether you should embrace, scoff at, or put these products on your watch list depends heavily on your existing IT structure.

For sheer volume of units, the Forefront Client Security endpoint product will attract the most notice. Still in beta testing after a year, it’s based on technologies from two acquisitions, GeCAD for antivirus and Giant Company Software for antispyware. Alas, the holy grail of network access control (NAC) is not included.

A central management console can handle configuration, signature updates, alerts, and reporting. The same console can also push settings to a single machine or sets of machines based on Active Directory objects such as OUs or groups.

The client itself works on Windows 2000 and later machines and, for small installations, a Windows 2003 server handles the administrative functions. However, the full backoffice functions used in most businesses require Windows 2003 server, MS SQL Server 2005 Enterprise, Windows Server Update Services 2, and a couple of add-ins (Microsoft Management Console 3.0, Group Policy Management Console 2.0, and .NET Framework 2.0).

In many cases, most medium and large businesses and institutions have an automated mechanism to push software to endpoints. I’ve seen a 300+ gigabyte database under MS SQL holding data from several thousand host-based firewalls, so for most large deployments, the infrastructure overhead for the clients isn’t unusual.

The current Forefront application server AV/filtering side is represented by three products based on the Sybari Antigen acquisition: Exchange Server, SharePoint Server, and Instant Messaging. The latest Exchange and SharePoint versions recently emerged from betas. Forefront for IM, a new product, works with either Microsoft Live Communications Server (LCS) or IMlogic’s IM Manager and also enforces IM usage policies. Under most license agreements, the cost for each product runs close to a few dollars a month per user.

Moving to the edge, Forefront offers something old, as in the updated ISA (Internet Security and Application) Server 2006 (which is the venerable firewall), more Web proxy/Web cache, and sometimes VPN server/gateway. What may catch more attention is something new: Microsoft’s IAG (Intelligent Application Gateway) 2007, which comes from the MS acquisition of SSL VPN-maker Whale Communications last year.

Each one of these products faces established, strong competition, either direct (such as McAfee, Sophos, or Symantec for client endpoints or application server AV) or indirect (such as Cisco, Nortel, or Juniper for firewalls and VPNs).

In security, the only constant is change. Staying up on the leading edge of activities of hackers and malcontents, plus keeping current with regulatory issues and auditing, takes a considerable infrastructure for monitoring threats, developing countermeasures, and reacting swiftly. Basically, these vendors have chops in security. Will Microsoft show the same?

A Lack of Buzz

That’s why a lack of buzz is strangely disquieting. In the multiple security discussion lists I monitor, Microsoft products are frequently subjects, but informal contributions by Microsoft employees are rare. I see far more work from other security vendors than from Microsoft. Even when attempting to discuss Forefront with Microsoft, the company was unusually mute compared to other security vendors. That leaves me personally disquieted about Microsoft’s commitment.

But this is not a case of the emperor having no clothes. Although the jury is still out on product performance, the Forefront products “work,” though none is best of breed. So this is more like Microsoft having woven a shirt and pair of pants that covers you but isn’t the three-piece suit that you may really need.

Microsoft once had second-place products in the form of Excel and Word. As Robert Ayoub, an analyst at Frost and Sullivan, points out, “Microsoft hasn’t been seen as a strong player, but [it] has the potential if the packaging is right and the products work well.” Ayoub points to the model of Internet Explorer, with which Microsoft “acquired their way into success.”

Ayoub thinks “people are happy and stable with XP,” but with the right bundling and price points, the Client Security product should be on an IT manager’s watch list. He thinks that MS shops with an interest in SSL VPNs should find IAG 2007 attractive.

For the rest, if you are MS-centric with MS licensing agreements, then the other Forefront products should be considered. But for most enterprises and institutions with mixed environments, Forefront may get some spot jobs in the enterprise, but no one will abandon working client, VPN, and application security solutions.

But even if Forefront never crosses your doors, the products give IT managers more choices and put more pressure on other vendors for features and pricing. And that keeps our security needs fully dressed.
