F5 Networks: migrating from Microsoft TMG
DESCRIPTION
With development of Microsoft Forefront Threat Management Gateway (TMG) discontinued, many organizations that use TMG or planned to use it face a dilemma: how and, more importantly, with what will administrators protect their Internet-facing Microsoft applications such as Exchange, SharePoint and Lync? F5 Networks offers an answer to these questions. The details are described in this presentation.
TRANSCRIPT
MIGRATION FROM MICROSOFT TMG TO F5 NETWORKS SOLUTIONS
2© F5 Networks, Inc.
“With the departure of Threat Management Gateway (TMG), how, or more importantly, what will administrators use to secure their Internet-facing Microsoft Applications?”
MS TMG end of sale December 2012
Threat Management Gateway vs F5
Before F5 | With F5
[Diagram: two topologies, before and with F5. Internet → Devices → Data Center (Exchange, Lync, SharePoint, Web Servers) behind a hardware firewall; with F5, the BIG-IP in front of the data center adds load balancing, DDoS protection and firewalling.]
TMG – Traffic Management Use case
Traffic Management is a core focus of F5, and the TM feature set found in BIG-IP LTM far exceeds anything else in the market today.
Before F5
With F5
TMG includes basic functionality for handling HTTP traffic.
• Simple load balancing of HTTP/HTTPS connections
• Three monitoring options: simple GET, ICMP, TCP port check
• Two persistence options: source, cookie
• SSL engine: offloading / bridging / rewrite redirect support
F5 is the market leader in load balancing and high availability for any application.
• Load balancing of traffic for any protocol in full-proxy mode
• Monitoring: application-aware health and availability, synthetic client transactions
• Persistence: multiple options with custom abilities
• SSL engine: full hardware-based PKI support with advanced functionality
TMG – Client Authentication Use case
Customers migrating to F5 will be able to take advantage of a rich set of authentication and authorization features unique to F5. Endpoint inspection, AD interrogation, & layered auth are compelling capabilities that will be new to your customer. Management through the Visual Policy Editor will also make managing the advanced functionality even easier.
Before f5
with f5
TMG offered customers a broad spectrum of authentication schemes (KCD, Basic, NTLM, Negotiate, Kerberos, LDAP, RADIUS, AD, OTP, client certificate, etc.) with support for authentication translation.
• Landing Pages: Customized
• Cross forest: Supported
• Single Sign On: Limited
With release 11.3 adding client NTLM support, the BIG-IP matches up well against TMG's range of supported authentication schemes and translation functionality.
• Landing Pages: Customized
• Cross forest: Supported
• Single Sign On: Full
TMG – Network Layer (3,4) Firewall Use case
With historically strong DoS and DDoS mitigation technology (SYN cookies, connection limits, resource thresholds/watermarks, etc.), recent certifications (ICSA) give credibility to F5's posture as a perimeter security device. Add to that BIG-IP's global address map and filtering capabilities, and you have firewalling with geographic awareness.
Before f5
with f5
TMG is a certified (CC EAL4+) network firewall suitable for placement at the perimeter of any network. DoS prevention is supported via a set of connection (TCP, half-open, UDP, HTTP RPS, non-TCP) limits per IP per second.
• Layer 3,4 Firewall Rules: Supported
• Layer 3,4 DoS Prevention: Connection limits
BIG-IP is an ICSA and CC certified network firewall suitable for placement at the perimeter of any network as well.
• Layer 3,4 Firewall Rules: Supported
• Layer 3,4 DoS Prevention: Advanced, with DDoS prevention
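The per-IP connection limits this slide describes are a simple but effective Layer 3/4 control: a source that opens too many connections of a given class within one second has the excess dropped, while other sources are unaffected. The following is an added illustration of that mechanism and is not TMG or F5 code; the event classes follow the slide, but the limit values, IP addresses and traffic sample are constructed for the example.

```python
"""Per-source-IP connection-rate limits (Layer 3/4 DoS control).

Added illustration, not F5 or TMG code. Each (source IP, event class) pair
has a sliding one-second window; an event is accepted only while the count
of accepted events in that window is below the class limit."""
from collections import defaultdict, deque

# Limit classes named on the slide. The numeric limits are constructed for
# the example and are not vendor defaults.
DEFAULT_LIMITS = {
    "tcp": 50,        # new TCP connections per second
    "half_open": 10,  # embryonic (SYN-only) TCP connections per second
    "udp": 100,       # UDP flows per second
    "http_rps": 200,  # HTTP requests per second
    "non_tcp": 20,    # other IP protocols per second
}


class PerIpRateLimiter:
    """Sliding-window counter keyed by (source IP, event class)."""

    def __init__(self, limits=None, window_seconds=1.0):
        self.limits = dict(DEFAULT_LIMITS if limits is None else limits)
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> accepted-event timestamps
        self.dropped = defaultdict(int)    # key -> number of dropped events

    def _evict(self, key, now):
        # Discard timestamps that have aged out of the window.
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, src_ip, event_class, now):
        """Return True if the event fits under the per-IP per-second limit."""
        if event_class not in self.limits:
            raise ValueError(f"unknown event class {event_class!r}")
        key = (src_ip, event_class)
        self._evict(key, now)
        q = self._events[key]
        if len(q) >= self.limits[event_class]:
            self.dropped[key] += 1
            return False
        q.append(now)
        return True


def replay(limiter, events):
    """Feed (timestamp, ip, class) tuples in time order.

    Returns two dicts: accepted and rejected event counts per source IP."""
    accepted = defaultdict(int)
    rejected = defaultdict(int)
    for ts, ip, cls in sorted(events):
        if limiter.allow(ip, cls, ts):
            accepted[ip] += 1
        else:
            rejected[ip] += 1
    return dict(accepted), dict(rejected)


# Constructed sample: one source opens 15 half-open connections in 0.15 s
# (a SYN-flood pattern); a second source opens 5 spread over half a second.
SAMPLE_EVENTS = (
    [(0.01 * i, "203.0.113.7", "half_open") for i in range(15)]
    + [(0.1 * i, "198.51.100.4", "half_open") for i in range(5)]
)

if __name__ == "__main__":
    acc, rej = replay(PerIpRateLimiter(), SAMPLE_EVENTS)
    print("accepted:", acc)  # {'203.0.113.7': 10, '198.51.100.4': 5}
    print("rejected:", rej)  # {'203.0.113.7': 5}
```

Because the window slides rather than resets, a source that was throttled becomes eligible again as soon as its oldest accepted events age out, which is the behaviour a per-second limit is meant to have. Counting dropped events per key gives the data a defender needs to alert on sustained floods rather than on a single burst.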
TMG – Remote Access & VPN Use case
Customers migrating to F5 will be able to take advantage of a rich set of authentication and authorization features unique to F5.
Before f5
with f5
TMG included an RA/VPN engine with several access protocols.
• Access Protocols: L2TP, PPTP, SSTP
• Methods: Site to Site (IPsec), Remote User
• Quarantine: Supported
• Authentication: Username/Password, Certificate
APM/EDGE delivers a rich and full remote access and site-to-site feature set that provides clientless or client-based options, endpoint inspection and quarantining. Providing client access over browser-based HTTPS connections means that client management will no longer be an administrative burden. Management through APM's VPE (Visual Policy Editor) makes management of complex security rules easy.
TMG – Application Layer 7 Firewall Use case
F5 provides bespoke security policies for a broad range of Microsoft Applications and Services
Before f5
with f5
TMG offered L7 firewalling in a set of application filters that covered several protocols.
• Protocol filters: HTTP, SMTP, …
• Added Protection: Virus Scanning, SPAM filtering
• TMG's L7 firewalling relies on subscription services to stay maintained.
F5's ASM is designed with a focus on HTTP, SMTP, FTP and XML security, with the flexibility to build policies specific to applications leveraging those protocols and data types. An automatic policy-building engine adapts to application updates, and visibility/analytics are presented through a web-based real-time dashboard. Pre-built policies ship for popular applications such as SharePoint and Exchange.
A Strategic Point of Control for Application Delivery
• An application delivery controller provides a strategic point of control where corporate applications can be deployed more securely and policy can be implemented consistently.
• BIG-IP provides a central point from which to administer access to multiple applications. Without this central management point, access must be configured and managed separately at each internal resource, such as Exchange and SharePoint.
• Single Sign-On (SSO) across multiple on-premise and cloud-based applications.
• Endpoint Inspection: with the BIG-IP® Access Policy Manager® (APM), administrators can manage access to corporate resources based upon the device that is trying to connect. Administrators can also ensure that the approved device adheres to corporate policies for AV status, OS versions, patch levels, and more.
Reverse Proxy / Pre-Authentication
“Much like a nightclub bouncer working the door, the ADC isolates internal resources from external access, allowing only authenticated and authorized users to enter the corporate LAN and use internal resources.”
• Multi-factor Authentication and Authorization
• Remote access solutions provide a much more secure authentication mechanism than what can be natively found on most applications.
• The BIG-IP with APM (Access Policy Manager) integrates with a number of authentication mechanisms including RSA SecurID, RADIUS OTP, and client-side certificates.
• Using the flexibility of the BIG-IP APM Visual Policy Editor (see below) and BIG-IP iRules®, administrators can integrate with a variety of authentication providers and technologies.
Figure 1: BIG-IP APM Visual Policy Editor.
• Ability to query Active Directory for user attributes such as AD group membership, assigned mailbox database, and device IDs. These attributes, along with deep packet inspection, can then be used to apply policy dynamically, further enhancing device security.
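The pre-authentication model on these two slides comes down to a policy decision taken at the reverse proxy before any request reaches the internal application: is the user authenticated, does a directory attribute (here, group membership) authorize them for this resource, and does the device pass the posture checks the slide lists (AV status, OS version, patch level)? The following is an added illustration of such a fail-closed policy evaluation and is not BIG-IP APM code; the resource paths, group names, posture thresholds and sample sessions are constructed for the example.

```python
"""Pre-authentication access policy at a reverse proxy.

Added illustration, not BIG-IP APM code. A request is forwarded to the
internal application only when every check passes; on failure the proxy
answers itself and records every failing check for the denial log."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    user: Optional[str]          # None when no valid credentials were presented
    groups: frozenset            # directory group memberships (constructed)
    av_running: bool             # endpoint inspection: antivirus active
    os_version: Tuple[int, int]  # endpoint inspection: e.g. (10, 0)
    patch_level: int             # endpoint inspection: constructed YYYYMM number
    mfa_passed: bool = False     # second factor (OTP, certificate) completed


@dataclass
class ResourcePolicy:
    name: str
    required_group: str
    min_os_version: Tuple[int, int]
    min_patch_level: int
    require_mfa: bool = False


# Constructed policies for the applications named on the slides.
POLICIES = {
    "/owa": ResourcePolicy("Exchange OWA", "Mail-Users", (10, 0), 202401, True),
    "/sites": ResourcePolicy("SharePoint", "Intranet-Users", (10, 0), 202306),
}


def match_policy(path, policies=POLICIES):
    """Return the policy whose path prefix covers `path`, or None."""
    for prefix, policy in policies.items():
        if path == prefix or path.startswith(prefix + "/"):
            return policy
    return None


def evaluate(path, session, policies=POLICIES):
    """Return (allowed, reasons). All failing checks are collected so the
    denial can be logged with its causes; an unknown path is denied."""
    policy = match_policy(path, policies)
    if policy is None:
        return False, ["no policy for path"]
    reasons = []
    if session.user is None:
        reasons.append("unauthenticated")
    if policy.required_group not in session.groups:
        reasons.append(f"not in group {policy.required_group}")
    if not session.av_running:
        reasons.append("antivirus not running")
    if session.os_version < policy.min_os_version:
        reasons.append("OS version below minimum")
    if session.patch_level < policy.min_patch_level:
        reasons.append("patch level below minimum")
    if policy.require_mfa and not session.mfa_passed:
        reasons.append("MFA required")
    return (not reasons), reasons


def forward_or_deny(path, session, backend):
    """Reverse-proxy step: the backend is only called when policy allows."""
    allowed, reasons = evaluate(path, session)
    if not allowed:
        return {"status": 403, "reasons": reasons}
    return {"status": 200, "body": backend(path, session.user)}


if __name__ == "__main__":
    # Constructed sessions: a compliant mail user and a stale, unprotected device.
    alice = Session("alice", frozenset({"Mail-Users"}), True, (10, 0), 202405, True)
    bob = Session("bob", frozenset({"Intranet-Users"}), False, (6, 1), 202301)
    fake_backend = lambda path, user: f"{user} -> {path}"
    print(forward_or_deny("/owa/inbox", alice, fake_backend))
    print(forward_or_deny("/sites/team", bob, fake_backend))
```

The important property is that the backend is never invoked unless the decision is an unconditional allow, and that a single response carries every reason for denial: an operator reviewing the proxy log can then tell an unknown device from an unauthorized user without replaying the request.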