Threat Management Gateway 2010 - Forefront Community Launch 2010

Krzysztof Bińkowski

Upload: krzysztof-binkowski

Posted on 26-May-2015

61 pages

TRANSCRIPT

Page 1: Threat Management Gateway 2010- Forefront Community launch 2010

Threat Management Gateway 2010

Krzysztof Bińkowski

Page 2: Agenda

Overview

URL filtering (URL-F)

Edge Malware Protection (EMP)

HTTPS Inspections

ISP Redundancy (ISP-R)

Network Inspection System (NIS)

TMG 2010 tools and virtualization

Page 3: Threat Management Gateway 2010

Overview

Page 4: TMG & UAG

Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.

Protection (TMG)

Access (UAG)

Page 5: TMG New Features

Secure Web Access
• HTTP antivirus / antimalware
• URL Filtering
• HTTPS forward inspection

Firewall
• VoIP traversal (SIP)
• Enhanced NAT
• ISP Link Redundancy

E-mail Protection
• Exchange Edge / FPE integration
• Anti-virus
• Anti-spam

Intrusion Prevention
• Network Inspection System (NIS)
• Security Assessment and Response (SAS)

Remote Access
• NAP integration with the VPN role
• SSTP

Deployment & Management
• Array management
• Scenario UI & wizards
• Change tracking
• Enhanced reporting
• Windows Server 2008, native 64-bit

Subscription Services
• Update Center:
  • HTTP: AV + URL Filtering
  • Email: AV + Anti-Spam
  • NIS signatures

Page 6: TMG Features Summary

Feature                                  ISA 2006   TMG 2010
Network firewall                         Yes        Yes
Application firewall                     Yes        Yes
Internet access protection (proxy)       Yes        Yes
Basic OWA & SharePoint publishing        Yes        Yes
IPsec VPN (remote & site-to-site)        Yes        Yes
Web caching, HTTP compression            Yes        Yes
Web anti-virus, anti-malware             -          Yes (new)
URL filtering                            -          Yes (new)
Email anti-malware, anti-spam            -          Yes (new)
Network intrusion prevention             -          Yes (new)
Integration with codename "Stirling"     -          Yes (new)
Enhanced UI, management, reporting       -          Yes (new)
Exchange publishing (RPC over HTTP)      Yes        Yes
Windows Server 2008, 64-bit (only)       -          Yes (new)

Page 7: TMG versioning

Feature                              Standard Edition              Enterprise Edition
Supported deployment scenarios       Standalone server             Servers in a standalone array; servers in an array managed by EMS
CPUs                                 Up to 4 CPUs                  Unlimited
Array/NLB/CARP support               No (only one server)          Yes
Enterprise Management (EMS)          No                            Yes, with added ability to manage Standard Edition servers
Stirling integration                 Not supported                 Supported
Publishing                           Yes                           Yes
VPN support                          Yes                           Yes
Forward proxy/cache, compression     Yes                           Yes
Network IPS (NIS)                    Yes                           Yes
Web AV + URL Filtering               Requires subscription         Requires subscription
Email AV/AS                          Requires Exchange license     Requires Exchange license

Page 8: Upgrading from SE to EE

A valid EE product key is required

Page 9: Setup

Feature                  Supported OS
TMG                      Windows Server 2008 SP2 x64; Windows Server 2008 R2 x64
EMS                      Windows Server 2008 SP2 x64; Windows Server 2008 R2 x64
TMG management console   Windows Server 2008 SP2 / R2 (x32, x64); Windows Vista SP1 (x32, x64); Windows 7 (x32, x64)

Page 10: URL Filtering

Page 11: URL-F Introduction

URL Filtering controls end-user access to web sites and protects the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic material, based on predefined URL categories.

Typical use cases for this feature include:
Enhancing your security.
Lowering liability risks.
Improving the productivity of your organization.
Saving network bandwidth.

Page 12: MRS – Microsoft Reputation Services

MRS aggregates reputation data from multiple vendors (the slide shows BrightCloud, IE Security, iFilter and Marshal 8e6 feeding into MRS) and uses telemetry to improve data accuracy.

Page 13: URL Filtering

Microsoft Reputation Service (MRS) returns one of 80 "category" indications for each URL, including "Unknown".

Example firewall rule: allow category Sports after 5 PM only.

Request flow shown on the slide: the client requests www.soccer.com; TMG asks MRS "www.soccer.com ?"; MRS answers "category = sports"; TMG stores the answer in its local cache and applies the rule; if the rule allows, the content is returned to the client.

Page 14: URL category usage

URL category information is used for:
Rules (allow/deny rules according to category)
Log
EMP exclusion list
HTTPS exclusion list

No reverse lookups.

Page 15: Administration

The « URL Denied » error message can be customized.

Page 16: Category query tool

Available from the Web Protection Tasks.

Allows the administrator to learn the category of a URL and the source of that categorization (local cache, MRS, or override).

Page 17: URL category overrides

Available from the Web Protection Tasks.

Makes it possible to assign a URL to a category different from its default category (the one returned by MRS).
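The three slides above describe one lookup path: an administrator override wins, then the local cache, then a query to MRS, and the resulting category is what the allow/deny rules and the time-of-day restriction ("Sports after 5 PM only") are evaluated against. The following Python is an added example written for this page, not code from the presentation or from TMG itself: the MRS table, the host names, the rule order and the "deny when nothing matches" default are all constructed assumptions, and the lookup is simulated in memory rather than sent over HTTPS to Microsoft.

```python
from datetime import datetime, time
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for the Microsoft Reputation Service: a small table of
# host -> category. The real MRS returns one of ~80 categories and "Unknown"
# for anything it cannot classify; here everything not listed is "Unknown".
FAKE_MRS: Dict[str, str] = {
    "www.soccer.com": "Sports",
    "www.example-bank.invalid": "Financial",
    "evil.example.invalid": "Malicious Sites",
}


def query_mrs(host: str) -> str:
    """Simulated MRS lookup (no network); counts as one remote query."""
    return FAKE_MRS.get(host, "Unknown")


class UrlCategorizer:
    """Resolve a host's category with the precedence the category query tool
    reports: administrator override, then local cache, then MRS."""

    def __init__(self, overrides: Optional[Dict[str, str]] = None) -> None:
        self.overrides = {h.lower(): c for h, c in (overrides or {}).items()}
        self.cache: Dict[str, str] = {}
        self.mrs_queries = 0

    def categorize(self, host: str) -> Tuple[str, str]:
        host = host.lower()
        if host in self.overrides:
            return self.overrides[host], "override"
        if host in self.cache:
            return self.cache[host], "cache"
        self.mrs_queries += 1
        category = query_mrs(host)
        self.cache[host] = category  # next request for this host stays local
        return category, "MRS"


class CategoryRule:
    """Allow/deny rule keyed on URL category; categories=None matches any
    category. not_before limits the rule to the part of the day after that
    time (the slide's "Sports after 5 PM only")."""

    def __init__(self, action: str, categories: Optional[Iterable[str]],
                 not_before: Optional[time] = None) -> None:
        self.action = action
        self.categories = None if categories is None else set(categories)
        self.not_before = not_before

    def matches(self, category: str, now: datetime) -> bool:
        if self.categories is not None and category not in self.categories:
            return False
        return self.not_before is None or now.time() >= self.not_before


def evaluate(rules: List[CategoryRule], categorizer: UrlCategorizer,
             host: str, now: datetime) -> Tuple[str, str, str]:
    """First matching rule wins; with no match the request is denied.
    Returns (action, category, categorization source)."""
    category, source = categorizer.categorize(host)
    for rule in rules:
        if rule.matches(category, now):
            return rule.action, category, source
    return "deny", category, source


# Policy modelled on the slide: block malicious sites, allow Sports only after
# 17:00, deny Sports otherwise, allow everything else (including "Unknown",
# which is the permissive choice and worth reconsidering in a real policy).
POLICY = [
    CategoryRule("deny", {"Malicious Sites"}),
    CategoryRule("allow", {"Sports"}, not_before=time(17, 0)),
    CategoryRule("deny", {"Sports"}),
    CategoryRule("allow", None),
]


def demo() -> List[Tuple[str, str, str]]:
    cat = UrlCategorizer(overrides={"www.example-bank.invalid": "Internal Sites"})
    morning = datetime(2010, 6, 1, 10, 0)
    evening = datetime(2010, 6, 1, 18, 0)
    return [
        evaluate(POLICY, cat, "www.soccer.com", morning),            # deny, Sports, MRS
        evaluate(POLICY, cat, "www.soccer.com", evening),            # allow, Sports, cache
        evaluate(POLICY, cat, "www.example-bank.invalid", morning),  # allow, Internal Sites, override
        evaluate(POLICY, cat, "evil.example.invalid", evening),      # deny, Malicious Sites, MRS
        evaluate(POLICY, cat, "nobody-knows.invalid", evening),      # allow, Unknown, MRS
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two things the run makes visible that the slides only imply: the second request for www.soccer.com never reaches MRS (the cache answered, which is why the category query tool distinguishes "cache" from "MRS"), and an override short-circuits MRS entirely, so a mis-set override on a malicious host is a policy hole that no signature update will close.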

Page 18: Licensing

URL Filtering is a subscription-based service, licensed per user and per year. The license must be valid for URL Filtering to work.

Page 19: System Rule

Traffic with MRS is SSL-encrypted. A system rule allows HTTPS from Local Host to the "Microsoft Reputation Service Sites" domain name set.

Page 20: URL Filtering

Page 22: Edge Malware Protection
Page 23: Edge Malware Protection

Inspect web traffic at the edge to prevent malware from infecting machines inside the organization.

It is easier to keep the edge updated with malware signatures than to update individual client machines.

Unmanaged machines that might not have up-to-date host AV are also protected.

Malware activity detected at the edge can easily be monitored thanks to logging and reporting.

Page 24: Scenario

Supported scenario: access download (an internal client downloading from the Internet through an access rule).

Unsupported scenarios: access upload, publishing download, publishing upload.

Page 25: Client Comforting

Accumulating an entire file and scanning it may take a significant amount of time. During that period the client receives no data, so a software timeout can occur or the user may even cancel the download.

"Client comforting" is a set of methods that guarantee a good user experience while content is inspected at the edge.

Comforting methods:
Delayed download
HTML progress page
Trickling: standard, fast

Page 26: End User Scenarios – Delayed

1) The user browses to site.com and attempts to download a file.
2) site.com responds with the content.
3) TMG accumulates the content, timing the download and inspection.
4) If the content is downloaded and inspected in less than X seconds (the Delivery Delay), TMG passes the whole file to the client.

Page 27: End User Scenarios – Progress Page

The end user receives an HTML progress page if the time for download and inspection exceeds X seconds (the delivery delay) and some other conditions are satisfied (see the following slides).

Page 28: End User Scenarios – Scanning completed

If the content is safe (or successfully cleaned), the page informs the user that the content is ready and displays a button to download it; otherwise the page notifies the user that malware was detected, and the file is immediately purged from temporary storage.

Page 29: Standard Trickling

User experience: the download starts at a very low transfer rate and speeds up after inspection completes.

• TMG delivers content to the client using trickling when delayed download and the progress page cannot apply. Trickling consists of sending very small chunks of data to the client until the whole file has been inspected.

• TMG uses this method if the client application is not a browser (and so cannot handle the dynamic code embedded in the progress page).

Page 30: Fast Trickling

Similar to standard trickling, but intended for media files played by online players (like YouTube): TMG delivers the data as fast as possible to the end user to keep a good user experience.

The trade-off between user experience and inspection performance is governed by the FastTricklingMode COM setting. User experience degrades (but inspection performance improves) when the EMP filter needs a larger minimum number of bytes to perform a partial inspection, which increases buffering on TMG.
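Slides 25 to 30 describe a decision (which comforting method applies to a given download) and a behaviour (what the client has received by the time the verdict arrives). The Python below is an added example for this page, not TMG's code and not the presenter's: the order of the decision, the media detection by content type, the chunk sizes and the tick-based timing are all constructed assumptions, chosen to make the consequences of each method visible rather than to reproduce TMG's internals.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Download:
    content_type: str
    client_is_browser: bool
    inspect_seconds: float  # expected time to accumulate and scan the whole file


def is_media(content_type: str) -> bool:
    return content_type.startswith(("video/", "audio/"))


def choose_comforting(dl: Download, delivery_delay: float) -> str:
    """Pick the comforting method. The ordering is an assumption drawn from
    the slides: a file that can be fully inspected within the delivery delay
    is simply delayed; streamed media gets fast trickling; a browser fetching
    anything else gets the HTML progress page; any other client (one that
    cannot run the progress page's script) gets standard trickling."""
    if dl.inspect_seconds < delivery_delay:
        return "delayed"
    if is_media(dl.content_type):
        return "fast_trickling"
    if dl.client_is_browser:
        return "progress_page"
    return "standard_trickling"


def deliver(payload: bytes, method: str, inspect_ticks: int, is_malware: bool,
            standard_chunk: int = 1, fast_chunk: int = 64) -> Tuple[bytes, str]:
    """Simulate what the client ends up with. Inspection finishes after
    inspect_ticks; a trickling method sends one chunk per tick meanwhile.
    Returns (bytes received by the client, outcome)."""
    if method in ("delayed", "progress_page"):
        # Nothing leaves TMG until the verdict; a detection purges the file.
        if is_malware:
            return b"", "blocked"
        return payload, "delivered"

    chunk = fast_chunk if method == "fast_trickling" else standard_chunk
    sent = b""
    for _ in range(inspect_ticks):
        sent += payload[len(sent):len(sent) + chunk]
        if len(sent) == len(payload):
            break
    if is_malware:
        # TMG aborts the transfer, but the trickled prefix has already reached
        # the client and cannot be recalled: the price of comforting.
        return sent, "aborted_after_trickle"
    return payload, "delivered"


if __name__ == "__main__":
    sample = bytes(range(256)) * 4  # constructed 1 KiB "file"
    for dl in (Download("application/zip", True, 0.5),
               Download("application/zip", True, 30.0),
               Download("video/mp4", True, 30.0),
               Download("application/zip", False, 30.0)):
        method = choose_comforting(dl, delivery_delay=2.0)
        received, outcome = deliver(sample, method, inspect_ticks=10, is_malware=True)
        print(f"{dl.content_type:16} browser={dl.client_is_browser!s:5} "
              f"{method:18} -> {outcome}, client holds {len(received)} bytes")
```

The point worth taking from the run is the last column: with delayed download or the progress page an infected file never reaches the client, whereas either trickling mode has already handed over a prefix of it when the verdict arrives, and fast trickling hands over far more than standard trickling. That is the concrete meaning of the slide's trade-off between user experience and inspection performance.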

Page 31: HTTPS Inspections

Page 32: HTTPS Inspection

Today more and more web traffic is HTTPS. Some of this traffic is legitimate; some isn't and might carry malicious content.

We have many tools for HTTP protection (antimalware, NIS, ...), but none for HTTPS, because that traffic is tunneled through the proxy without being seen.

This feature enables the TMG administrator to inspect outgoing HTTPS traffic at the edge and prevents the end user from downloading malicious software (malware) that could infect the entire organization.

Page 33: HTTPS Traffic Inspection

Page 34: Motivation

In order to inspect outgoing HTTPS traffic, TMG breaks the HTTPS connection using a man-in-the-middle mechanism (a sort of "bridging"): it terminates the client's SSL session itself and opens a second SSL session to the web server.

Page 35: HTTPS Inspection Mechanism

In the web browser the user opens https://www.fabrikam.com. Two SSL sessions result:

Browser to TMG: the browser sends its SSL request to TMG and receives a certificate for www.fabrikam.com signed by "TMG CA".

TMG to server: TMG sends its own SSL request to www.fabrikam.com and receives the real server certificate for www.fabrikam.com, signed by Verisign.

Page 36: TMG CA Certificate not installed on client

The CA certificate (e.g. a self-signed certificate) used by TMG must be deployed on the client; otherwise the client won't trust the certificate issued by TMG on behalf of the web server (and the user won't receive inspection notifications in that case).

If the client does not have the CA certificate used by TMG, it receives a certificate error (shown on the slide) when accessing an SSL web site with HTTPS inspection enabled.

Page 37: CA Certificate generation and deployment

The CA certificate used by TMG to issue certificates can be of two types:
a generated self-signed certificate
a certificate from an existing trusted certification authority

Page 38: CA Certificate generation and deployment

This CA certificate must then be deployed on the client computers (under "Trusted Root Certification Authorities" in the Local Computer certificate store); otherwise the client won't trust the server certificate received from TMG.

Two possible deployment methods for the CA certificate:

Page 39: User notifications

The client must have the TMG Client installed to receive inspection notifications, and the CA certificate must be properly deployed on the client.
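Slides 34 to 39 describe a trust decision made twice per connection: TMG decides whether to tunnel or bridge (and, when bridging, must itself trust the server's certificate), and the browser decides whether to trust whatever certificate it is finally shown. The Python below is an added example written for this page, not TMG code and not real X.509: certificates are reduced to a subject and an issuer name, "verification" is a lookup of the issuer in a trust store, and the hard block on an untrusted upstream certificate, the host names and the exclusion by category are constructed assumptions. It exists to make the slide 36 failure and the exclusion-list behaviour from slide 14 concrete.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 server certificate."""
    subject: str   # host name the certificate is issued for
    issuer: str    # name of the CA that signed it


@dataclass
class Client:
    trusted_roots: Set[str]   # what sits in Trusted Root Certification Authorities

    def verify(self, host: str, cert: Cert) -> bool:
        return cert.subject == host and cert.issuer in self.trusted_roots


@dataclass
class HttpsInspection:
    enabled: bool
    ca_name: str                    # the CA TMG issues with, e.g. "TMG CA"
    tmg_trusted_roots: Set[str]     # CAs TMG itself trusts for upstream servers
    excluded_hosts: Set[str]        # HTTPS exclusion list by domain name set
    excluded_categories: Set[str]   # HTTPS exclusion list by URL category

    def handle(self, host: str, category: str, server_cert: Cert) -> Tuple[Cert, bool]:
        """Decide what the browser sees. Returns (certificate presented to the
        client, whether the session is bridged and inspected)."""
        if (not self.enabled or host in self.excluded_hosts
                or category in self.excluded_categories):
            return server_cert, False   # tunnelled: the original certificate passes through
        # TMG terminates the upstream SSL session itself, so it must validate
        # the server's certificate before re-issuing (modelled as a hard block).
        if server_cert.subject != host or server_cert.issuer not in self.tmg_trusted_roots:
            raise ConnectionError(f"upstream certificate for {host} is not trusted by TMG")
        return Cert(subject=host, issuer=self.ca_name), True


def demo() -> Dict[str, object]:
    fabrikam = Cert("www.fabrikam.com", "Verisign")
    bank = Cert("www.example-bank.invalid", "Verisign")
    rogue = Cert("evil.example.invalid", "evil.example.invalid")  # self-signed upstream
    tmg = HttpsInspection(True, "TMG CA", {"Verisign"}, set(), {"Financial"})
    no_ca = Client({"Verisign"})                # CA certificate not deployed (slide 36)
    with_ca = Client({"Verisign", "TMG CA"})    # CA certificate in the Trusted Root store
    results: Dict[str, object] = {}

    cert, inspected = tmg.handle("www.fabrikam.com", "Business", fabrikam)
    results["fabrikam"] = (cert.issuer, inspected,
                           no_ca.verify("www.fabrikam.com", cert),
                           with_ca.verify("www.fabrikam.com", cert))

    cert, inspected = tmg.handle("www.example-bank.invalid", "Financial", bank)
    results["bank"] = (cert.issuer, inspected,
                       no_ca.verify("www.example-bank.invalid", cert),
                       with_ca.verify("www.example-bank.invalid", cert))

    try:
        tmg.handle("evil.example.invalid", "Unknown", rogue)
        results["rogue"] = "bridged"
    except ConnectionError:
        results["rogue"] = "blocked by TMG"
    return results


if __name__ == "__main__":
    for site, outcome in demo().items():
        print(site, outcome)
```

Reading the results: the fabrikam session is bridged and the browser sees an issuer of "TMG CA", which the client without the deployed CA rejects (the slide 36 error) and the client with it accepts; the bank session is excluded by category, so both clients see and accept the original Verisign-issued certificate and TMG never sees the plaintext. The second client's trust is unconditional for anything "TMG CA" signs, which is why the private key of that CA on the TMG box is as sensitive as any domain-wide secret.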

Page 40: HTTPS Inspections

Page 42: Network Inspection System (NIS)

Page 43: Intrusion Prevention System

Page 44: Intrusion Prevention System

Forefront Network Inspection System (NIS): closing the vulnerability window between vulnerability announcement and patch deployment.

Signatures are distributed through Microsoft Update, concurrently with security patches or in response to a 0-day attack.

Page 45: Using NIS for IPS

Detect and prevent known vulnerability-based attack attempts at the edge of the network or in the datacenter.

Same-day availability of the patch and the NIS signature.

Closes the vulnerability window needed for patch testing and deployment:
Patches need to be tested more thoroughly than a signature
Customer acceptance (similar to AV updates)

Diagram on the slide: vulnerability found -> signature authoring team -> TMG.

Page 46: TMG: Network Inspection System

Page 47: NIS Demo

Page 49: ISP Redundancy
Page 50: ISP-R – Introduction

ISP Redundancy is a new feature introduced in TMG that allows two ISP connections to coexist. With it, TMG ensures Internet connectivity is not lost even when one Internet service provider (ISP) is down.

Page 51: Threat Management Gateway 2010- Forefront Community launch 2010

Two different scenarios:

High Availability of Internet connectivity

TMG will use a backup line in case the primary is down (Failover)

Load balancing between ISP providers /connections

TMG will use 2 concurrent ISP connections

Feature Overview

Page 52: Scenarios

Two-network-adapter scenario: TMG is configured with two NICs on the external network. Each NIC has a different subnet and is connected to a different ISP.

Single-network-adapter scenario: TMG is configured with a single NIC on the external network carrying two different subnets, one for each ISP.

Note that Windows displays a warning when the administrator defines more than one default gateway on the system. In this case the warning can be ignored.
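Slides 50 to 52 give the two ISP-R modes (failover and load balancing) but not the mechanics of choosing a link or of deciding that a link is down. The Python below is an added example for this page, not TMG's implementation: the probe hysteresis, the weight-based hashing of a flow key onto a link and the gateway addresses are constructed assumptions, and it models the choice of outbound link for a new connection rather than anything about Windows routing tables.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IspLink:
    name: str
    gateway: str        # the default gateway for this ISP's subnet
    weight: int = 50    # share of new connections in load-balancing mode (percent)
    healthy: bool = True
    _fails: int = field(default=0, repr=False)
    _oks: int = field(default=0, repr=False)


class LinkMonitor:
    """Health tracking with hysteresis (an assumption, not the slides' detail):
    a link goes down after `down_after` consecutive probe failures and comes
    back only after `up_after` consecutive successes, so a flapping link does
    not bounce every connection between ISPs."""

    def __init__(self, down_after: int = 3, up_after: int = 2) -> None:
        self.down_after = down_after
        self.up_after = up_after

    def record(self, link: IspLink, probe_ok: bool) -> bool:
        if probe_ok:
            link._oks += 1
            link._fails = 0
            if not link.healthy and link._oks >= self.up_after:
                link.healthy = True
        else:
            link._fails += 1
            link._oks = 0
            if link.healthy and link._fails >= self.down_after:
                link.healthy = False
        return link.healthy


def select_link(links: List[IspLink], mode: str, flow_key: str = "") -> Optional[IspLink]:
    """'failover': first healthy link in priority order (links[0] is primary).
    'load_balance': spread new connections over healthy links by weight, keyed
    on the flow so one client/destination pair stays on one ISP (its public
    source address must not change mid-connection). Returns None when every
    link is down."""
    healthy = [l for l in links if l.healthy]
    if not healthy:
        return None
    if mode == "failover":
        return healthy[0]
    weights = [max(l.weight, 0) for l in healthy]
    total = sum(weights)
    if total == 0:
        return healthy[0]
    digest = hashlib.sha256(flow_key.encode()).digest()
    point = int.from_bytes(digest[:8], "big") % total
    for link, w in zip(healthy, weights):
        if point < w:
            return link
        point -= w
    return healthy[-1]


if __name__ == "__main__":
    primary = IspLink("ISP-A", "203.0.113.1", weight=70)
    backup = IspLink("ISP-B", "198.51.100.1", weight=30)
    links = [primary, backup]
    monitor = LinkMonitor()
    for probe_ok in (True, False, False, False, True, True):
        monitor.record(primary, probe_ok)
        chosen = select_link(links, "failover")
        print(f"probe ok={probe_ok!s:5} primary healthy={primary.healthy!s:5} -> {chosen.name}")
    keys = [f"10.0.0.{i}->93.184.216.34:443" for i in range(200)]
    picks = [select_link(links, "load_balance", k).name for k in keys]
    print("load balance split:", picks.count("ISP-A"), picks.count("ISP-B"))
```

The failover run shows the hysteresis: the primary survives two failed probes, is abandoned on the third, and is not reused until two probes in a row succeed. The load-balancing run shows why the flow key matters: the same client/destination pair always hashes to the same ISP, so a connection does not get NATed behind a second public address halfway through, while the population of flows splits roughly 70/30.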

Page 53: ISP-R

Page 54: TMG 2010 Virtualization / Tools

Page 55: TMG 2010 Virtualization

Security Considerations with Forefront Edge Virtual Deployments

Securing ISA Server and Forefront TMG in a virtual environment (original Polish title: "Zabezpieczanie ISA Server i Forefront TMG w środowisku wirtualnym")

Page 56: TMG 2010 Tools

Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool

Forefront Threat Management Gateway 2010 Capacity Planning Tool

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Tools & Software Development Kit

Page 57: TMG 2010 EXAM

Exam 70-157, MCTS: Forefront Integrated Security, Configuring

Exam beta: Q3 2010?

Microsoft Press: Forefront Threat Management Gateway Administrator's Companion

http://blogs.technet.com/b/isablog/

Page 58: What's new in TMG Reports?

Page 59: TMG Reports – New Security Insights

Page 60: Thank you for your attention

Security and Forensics Blog: http://security-forensics.spaces.live.com/

http://ms-groups.pl/mssug/

Page 61:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.