How to increase network security with Forefront TMG
Jože Markič, Kompas Xnet d.o.o.
joze.markic@kompas-xnet.si
Agenda
• What is TMG?
• TMG deployments
• Comparison with ISA
• Subscriptions
• Secure Web Gateway
  o HTTPS inspection
  o URL filtering
  o Malware protection
  o Intrusion prevention
Forefront Edge Security and Access Products
(Diagram: Before / Now)
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
• Network Protection: integrated and comprehensive protection from Internet-based threats
• Network Access: unified platform for all enterprise remote access needs
Forefront TMG Value Proposition
• Firewall – control network policy access at the edge
• Secure Web Gateway – protect users from Web browsing threats
• Secure E-mail Relay – protect users from e-mail threats
• Remote Access Gateway – enable users to remotely access corporate resources
• Intrusion Prevention – protect desktops and servers from intrusion attempts
Comprehensive. Integrated. Simplified.
Forefront TMG Deployment Scenarios
• Unified Threat Management (UTM)
  o All-in-one solution for medium businesses
  o Firewall, VPN, Web security, IPS and e-mail relay in a single box
• Secure Web Gateway
  o Authenticating proxy with security
  o Web antivirus and URL filtering
  o Inspection of HTTP and HTTPS traffic
• Remote Access Gateway
  o Secure Web publishing
  o Dial-in VPN
  o Site-to-site VPN
• Secure E-mail Relay
  o Antispam
  o Antivirus
  o E-mail filtering
Features Summary
• Firewall: VoIP traversal; enhanced NAT; ISP link redundancy
• Secure Web Access: HTTP antivirus/antispyware; URL filtering; HTTPS forward inspection
• E-mail Protection: Exchange Edge integration; antivirus; antispam
• Intrusion Prevention: Network Inspection System
• Remote Access: NAP integration with client VPN; SSTP integration
• Deployment and Management: array management; change tracking; enhanced reporting; W2K8, native 64-bit
• Subscription Services: malware protection; URL filtering; intrusion prevention
Features Summary: Comparing with ISA Server 2006
Feature                               | ISA Server 2006 | Forefront TMG
Network layer firewall                | Yes             | Yes
Application layer firewall            | Yes             | Yes
Internet access protection (proxy)    | Yes             | Yes
Basic OWA and SharePoint publishing   | Yes             | Yes
IPSec VPN (remote and site-to-site)   | Yes             | Yes
Web caching, HTTP compression         | Yes             | Yes
Web antivirus, antimalware            | No              | New
URL filtering                         | No              | New
E-mail antimalware, antispam          | No              | New
Network intrusion prevention          | No              | New
Enhanced UI, management, reporting    | No              | New
Exchange publishing (RPC over HTTP)   | Yes             | Enhanced
Windows Server 2008 R2, 64-bit (only) | No              | New
Forefront TMG Licensing
Two editions and two Client Access Licenses (CALs):
• Editions
  o Standard Edition: full UTM
  o Enterprise Edition: scalability and management
• Subscriptions (CALs)
  o Web protection
  o E-mail protection
Comparing Forefront TMG Editions
Feature                          | Standard Edition          | Enterprise Edition
Number of CPUs                   | Up to 4 CPUs              | Unlimited
Array/NLB/CARP support           | No                        | Yes
Enterprise management            | Can be managed by an EMS  | Yes, with added ability for EMS to manage SEs
Publishing                       | Yes                       | Yes
VPN support                      | Yes                       | Yes
Forward proxy/cache, compression | Yes                       | Yes
Network IPS (NIS)                | Yes                       | Yes
E-mail protection                | Both editions: requires a Microsoft Exchange Server license (Server + CALs) and installation by the admin
Subscriptions
• Subscription-based licenses
  o Sold as Client Access Licenses (CALs)
  o Charged per user, per year
• Protection components
  o E-mail protection: antispam, antivirus
  o HTTP protection: antimalware, URL filtering
  o Network Inspection System is free (no subscription needed)
Single Adapter Scenario
• Forefront TMG supports using a single network adapter
• Supported scenarios
  o Secure Web Gateway (forward Web proxy and cache)
  o Web publishing (reverse Web proxy and cache)
  o Remote client VPN access
• Unsupported scenarios
  o Application layer inspection (except for Web proxy traffic)
  o Server publishing
  o Non-Web clients: Firewall client, SecureNAT
  o Site-to-site VPNs
Secure Web Gateway

Threats and Controls
Matrix of threats against the controls that address them, each cell rated Full, Partial or Enabler:
• Controls: Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS
• Threats: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control
Forefront TMG HTTPS Traffic Inspection
• HTTPS Inspection terminates the SSL session at the proxy on both sides (client-to-proxy and proxy-to-server) and inspects the decrypted traffic against different threats
  o The proxy generates a certificate matching the URL the client expects, signed by a CA that the clients must trust; without that trust every inspected site produces a browser certificate warning
• The decrypted traffic is passed to URL Filtering, Malware Inspection and the Network Inspection System
Enabling HTTPS Traffic Inspection
• Certificate deployment (via Active Directory or import/export)
• Configure HTTPS Inspection:
  o Proxy certificate generation/import and customization
  o Source and destination exclusions (needed for sites that use client certificates or pin their server certificate; those cannot be intercepted)
  o Validate-only option (the server certificate is checked but the session is not decrypted)
  o Notification
• Client notifications about HTTPS inspection (via the Firewall client)
• Certificate validation (revocation, trust chain, expiration, etc.)
Configuring HTTPS Inspection (console screenshots)
HTTPS Inspection Notifications
• Notification provided by the Forefront TMG client
  o Notify the user of inspection
  o History of recent notifications
  o Management of the notification exception list
• May be a legal requirement in some geographies
HTTPS Inspection Notification (screenshot)
User Experience (screenshot)
Forefront TMG URL Filtering
• 91 built-in categories
• Predefined and administrator-defined category sets
• Integrates leading URL database providers
• Subscription-based
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule deny messages
TMG URL Filtering Benefits
• Control user Web access based on URL categories
• Protect users from known malicious sites
• Reduce liability risks
• Increase productivity
• Reduce bandwidth and Forefront TMG resource consumption
• Analyze Web usage
What Makes MRS Compelling?
• Existing URL filtering solutions
  o A single vendor can't be an expert in all categories
  o Categorization response time
• MRS (Microsoft Reputation Service) unique architecture
  o MRS merges URL databases from multiple sources/vendors (the multi-vendor antivirus analogy)
  o Based on Microsoft internal sources as well as collaboration with third-party partners
  o Scalable
• Ongoing collaborative effort
  o Recently announced an agreement with Marshal8e6
  o More announcements to follow
How Forefront TMG Leverages MRS
• TMG sends the query (URL) to MRS over SSL, for authentication and privacy; no PII is sent
• The MRS categorizer runs a federated query across the databases of multiple vendors and returns the category, which TMG applies in policy
• TMG caches the answers (persistent and in-memory, with weighted TTL) and fetches from MRS only on a cache miss
• A telemetry path (also SSL) carries feedback to MRS, for example on category overrides, which MRS combines with other telemetry data
URL Filtering Categories
Categories are grouped into Liability, Security and Productivity.
URL filtering category precedence (when a URL belongs to several categories, the highest-precedence, i.e. lowest-numbered, category applies):
• 1 "Malicious"
• 2 "Pornography"
• 3 "Botnet"
• 4 "Phishing"
• 5 "Criminal Activities"
• 6 "Hate/Discrimination"
• …
• 75 "Unknown"
http://www.microsoft.com/security/portal/mrs/
Categories and Inheritance (screenshot)
URL Filtering Policy
• URL categories are standard network objects
• Administrators can create custom URL category sets
URL Filtering Policy (screenshot)
Contoso's Web Access Policy
• Access rule allowing users in the Research group to access gambling and gambling-related sites
• Access rule denying everyone access to Liability and Security sites
Rules are evaluated in order and the first match wins, so the Research allow rule must sit above the deny rule for the exception to take effect.
Per-rule Customization
• The TMG administrator can customize the denial message displayed to the user on a per-rule basis
  o Add custom text or HTML
  o Redirect the user to a specific URL
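The two mechanics behind Contoso's policy, rule order and category precedence, are easy to get wrong in the console. The following is an added example, not Forefront TMG code, that evaluates an ordered policy the way the slides describe it: first matching rule wins, and a URL carrying several categories is judged by the most severe one. The precedence numbers 1 to 6 are from the slide; the positions assumed for Gambling, General Business and Unknown, the hostname-to-category table, the membership of the Liability and Security sets, the users and groups, and the deny message are all constructed for the example.

```javascript
// Precedence from the slide (lower number wins). Gambling, General Business
// and Unknown positions are assumed for this example.
const PRECEDENCE = {
  "Malicious": 1, "Pornography": 2, "Botnet": 3, "Phishing": 4,
  "Criminal Activities": 5, "Hate/Discrimination": 6,
  "Gambling": 20, "General Business": 60, "Unknown": 75,
};

// Administrator-defined category sets (membership assumed).
const CATEGORY_SETS = {
  Security: ["Malicious", "Botnet", "Phishing"],
  Liability: ["Pornography", "Criminal Activities", "Hate/Discrimination", "Gambling"],
  All: Object.keys(PRECEDENCE),
};

// Constructed stand-in for the MRS lookup: hostname -> categories.
const CATEGORY_DB = {
  "casino.example": ["Gambling"],
  "freechips.example": ["Gambling", "Malicious"],   // gambling site that also serves malware
  "news.example": ["General Business"],
};

// Constructed directory data: user -> groups.
const USER_GROUPS = {
  alice: ["Research", "Domain Users"],
  bob: ["Sales", "Domain Users"],
};

function categorise(url) {
  const host = new URL(url).hostname;
  return CATEGORY_DB[host] || ["Unknown"];
}

// The category that governs the decision is the most severe one present.
function effectiveCategory(categories) {
  return [...categories].sort((a, b) => (PRECEDENCE[a] || 99) - (PRECEDENCE[b] || 99))[0];
}

// Contoso's policy in console order. The last entry mirrors TMG's built-in
// default rule, which denies whatever nothing above it matched.
const CONTOSO_POLICY = [
  { name: "Research may gamble", action: "allow", groups: ["Research"],
    categories: ["Gambling"] },
  { name: "Block Liability and Security", action: "deny", groups: ["Domain Users"],
    categories: [...CATEGORY_SETS.Liability, ...CATEGORY_SETS.Security],
    deny: { message: "<b>Blocked by Contoso acceptable-use policy</b>",
            redirect: "http://intranet.corp.example/acceptable-use" } },
  { name: "Allow Web access", action: "allow", groups: ["Domain Users"],
    categories: CATEGORY_SETS.All },
  { name: "Default rule", action: "deny", groups: ["*"], categories: CATEGORY_SETS.All,
    deny: { message: "Denied by default rule" } },
];

// First matching rule decides; a deny result carries that rule's own message.
function evaluate(policy, user, url) {
  const groups = USER_GROUPS[user] || [];
  const category = effectiveCategory(categorise(url));
  for (const rule of policy) {
    const userMatches = rule.groups.includes("*") || rule.groups.some(g => groups.includes(g));
    if (userMatches && rule.categories.includes(category)) {
      return { action: rule.action, rule: rule.name, category, ...(rule.deny || {}) };
    }
  }
  throw new Error("policy has no default rule");
}

// Rule order is part of the policy: with the deny rule first, the Research
// exception is shadowed and never reached.
function swapFirstTwo(policy) {
  return [policy[1], policy[0], ...policy.slice(2)];
}

console.log(evaluate(CONTOSO_POLICY, "alice", "http://casino.example/"));
console.log(evaluate(CONTOSO_POLICY, "bob", "http://casino.example/"));
console.log(evaluate(CONTOSO_POLICY, "alice", "http://freechips.example/"));
console.log(evaluate(swapFirstTwo(CONTOSO_POLICY), "alice", "http://casino.example/"));
```

The third call shows why precedence matters: a site categorised as both Gambling and Malicious is denied even for Research, because Malicious (1) outranks Gambling. The fourth call shows the order problem the slide's screenshot avoids: with the deny rule moved above the exception, Research loses its access.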
URL Filtering Configuration (screenshot)
Category Query
• The administrator can use the URL Filtering Settings dialog box to query the URL filtering database
  o Enter the URL or IP address as input
  o The result and its source are displayed on the tab
URL Category Override
• The administrator can override the categorization of a URL
  o Feedback is sent to MRS via telemetry
User Experience (screenshot): http://www.phishingsite.com
User Experience (screenshot): deny message with HTML tags (new in SP1)
HTTP Malware Inspection
• Integrates the Microsoft antivirus engine
  o Third-party plug-ins can be used (native malware inspection must then be disabled)
• Signature and engine updates
• Subscription-based
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files, …)
• Logging and reporting support
• Web Access Wizard integration
Content delivery methods by content type

TMG Content Trickling (sequence)
Components: Firewall Service, Web Proxy, Malware Inspection Filter (request context), Scanner
1. Client: GET msrdp.cab; the Web Proxy forwards GET msrdp.cab to the server
2. Server: 200 OK; the Malware Inspection Filter accumulates the content chunk by chunk
3. While accumulating, a small part of the content is trickled to the client so the connection stays alive
4. The accumulated content is scanned; if clean, the client receives 200 OK with the rest of the content

Progress Notification (sequence)
Components: Firewall Service, Web Proxy, Malware Inspection Filter (primary and secondary request context, downloads map), Scanner
1. Client: GET setup.exe; the Web Proxy forwards GET setup.exe; server: 200 OK (setup.exe); the content is accumulated in a secondary request context tracked in the downloads map
2. The client immediately receives 200 OK (HTML): a progress page
3. Client polls GET GetDownloadStatus: 200 OK (Retrieving) … 200 OK (Scanning) … 200 OK (Ready)
4. Client: GET FinalDownload; 200 OK (setup.exe)
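The two sequences above differ in what reaches the client before the scanner's verdict, which is the property a practitioner cares about when choosing a delivery method per content type. The following simulation is an added example, not Forefront TMG code: the origin content, the scanner's verdict rule, the trickle ratio, the chunk size and the status URL names are constructed, and TMG's real trickle sizes and internal request handling are only illustrated.

```javascript
const TRICKLE_RATIO = 0.1;   // share of accumulated bytes released before the verdict (assumed)
const CHUNK = 10;            // bytes the origin delivers per read (constructed)

// Constructed origin content. One object carries a marker the scanner flags.
const ORIGIN = {
  "/msrdp.cab": "cab-bytes-".repeat(6),
  "/setup.exe": "exe-bytes-".repeat(6),
  "/dropper.exe": "exe-bytes-MALWARE-MARKER-bytes".padEnd(60, "x"),
};

function scanBody(body) { return body.includes("MALWARE-MARKER") ? "infected" : "clean"; }

function originChunks(path) {
  const body = ORIGIN[path] || "", out = [];
  for (let i = 0; i < body.length; i += CHUNK) out.push(body.slice(i, i + CHUNK));
  return out;
}

// Content trickling: the response is accumulated and a small share of the real
// bytes is released as it arrives so the client does not time out. A clean
// verdict releases the remainder; an infected verdict resets the connection,
// but the trickled prefix is already on the client.
function deliverByTrickling(path) {
  let accumulated = "", client = "";
  for (const chunk of originChunks(path)) {
    accumulated += chunk;
    client = accumulated.slice(0, Math.floor(accumulated.length * TRICKLE_RATIO));
  }
  const verdict = scanBody(accumulated);
  if (verdict === "clean") client = accumulated;
  return { verdict, clientBytes: client.length, complete: client === accumulated };
}

// Progress notification: the client gets an HTML progress page at once and the
// download continues in a secondary request context tracked in the downloads
// map. No byte of the object reaches the client before the verdict.
class ProgressNotificationProxy {
  constructor() { this.downloads = new Map(); this.nextId = 1; }

  get(url) {
    const m = url.match(/^\/(GetDownloadStatus|FinalDownload)\?id=(\d+)$/);
    if (!m) {                                   // primary request: start the download
      const id = this.nextId++;
      this.downloads.set(id, { pending: originChunks(url), body: "", verdict: null });
      return { status: 200, type: "text/html", body: `<html>download ${id} in progress</html>`, id };
    }
    const id = Number(m[2]), entry = this.downloads.get(id);
    if (!entry) return { status: 404, body: "" };
    if (m[1] === "GetDownloadStatus") return { status: 200, type: "text/html", body: this.advance(entry) };
    if (entry.verdict !== "clean") return { status: 403, body: "" };   // not ready yet, or blocked
    this.downloads.delete(id);                  // the final download is served once
    return { status: 200, type: "application/octet-stream", body: entry.body };
  }

  // Each status poll moves the secondary context one step: fetch, then scan.
  advance(entry) {
    if (entry.pending.length) { entry.body += entry.pending.shift(); return "Retrieving"; }
    if (entry.verdict === null) { entry.verdict = scanBody(entry.body); return "Scanning"; }
    return entry.verdict === "clean" ? "Ready" : "Blocked";
  }
}

// Client side of the exchange: request, poll until Ready or Blocked, then fetch.
function deliverByProgressNotification(path) {
  const proxy = new ProgressNotificationProxy();
  const first = proxy.get(path);
  const statuses = [];
  let status;
  do {
    status = proxy.get(`/GetDownloadStatus?id=${first.id}`).body;
    statuses.push(status);
  } while (status !== "Ready" && status !== "Blocked");
  const final = proxy.get(`/FinalDownload?id=${first.id}`);
  return { verdict: status === "Ready" ? "clean" : "infected", statuses,
           clientBytes: final.body.length, complete: final.status === 200 };
}

console.log(deliverByTrickling("/dropper.exe"));
console.log(deliverByProgressNotification("/dropper.exe"));
```

Running it against the infected object shows the trade-off: trickling leaves a truncated, unusable prefix on the client, while progress notification delivers nothing but a Blocked status. Trickling is therefore the better fit for content a browser must start rendering immediately, and progress notification for executables and archives.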
Enabling Malware Inspection
• Activate the Web Protection license
• Enable malware inspection on Web access rules
  o Web Access Policy Wizard or New Access Rule Wizard for new rules
  o Rule properties for existing rules
Malware Inspection Global Settings
• The administrator can configure malware blocking behavior for:
  o Low, medium and high severity threats
  o Suspicious files
  o Corrupted files
  o Encrypted files
  o Archive bombs (too many depth levels or unpacked content too large)
  o File size too large
Malware Inspection Per-rule Overrides (screenshot)
User Experience: Content Blocked (screenshot)
User Experience: Progress Notification (screenshot)
Network Inspection System (NIS)
• Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
  o Vulnerability-based signatures (vs. the exploit-based signatures used by competing solutions): the signature describes the condition that triggers the flaw rather than the bytes of one exploit, so it also catches exploit variants the signature author never saw
  o Detects and can block attacks on network resources
• NIS helps organizations reduce the vulnerability window
  o Protects machines against known vulnerabilities until the patch can be deployed
  o Signatures can be released and deployed much faster than patches, concurrently with the patch release, closing the vulnerability window
• Integrated into Forefront TMG
  o Synergy with HTTPS Inspection (decrypted HTTPS traffic is inspected as well)
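To make the vulnerability-based versus exploit-based distinction concrete, here is an added example that is not NIS code and reproduces no real signature: a hypothetical server that copies the HTTP Host header into a 256-byte buffer, an exploit-based signature built from one exploit's bytes, and a vulnerability-based signature that decodes the request and tests the overflow condition itself. The flaw, the exploit payloads, the marker strings and the sample requests are all constructed.

```javascript
const HOST_BUFFER_LIMIT = 256;   // hypothetical: the server copies Host into a 256-byte buffer

// Exploit-based: the byte pattern of one exploit observed in the wild
// (a NOP sled followed by that exploit's marker string).
const EXPLOIT_PATTERN = /\x90\x90\x90\x90.*EXAMPLE-EXPLOIT-1/;
function exploitSignatureMatches(raw) { return EXPLOIT_PATTERN.test(raw); }

// Vulnerability-based: decode the protocol the way the vulnerable parser will,
// then test the condition that triggers the flaw. Header values are
// reassembled across obsolete line folding (a continuation line starting with
// space or tab), so splitting the oversized value over several physical lines
// does not help the attacker.
function decodeRequest(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");
  const requestLine = lines.shift();
  const headers = {};
  let last = null;
  for (const line of lines) {
    if (/^[ \t]/.test(line) && last !== null) {   // folded continuation of the previous header
      headers[last] += " " + line.trim();
      continue;
    }
    const colon = line.indexOf(":");
    if (colon < 0) continue;                       // malformed line, ignored
    last = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[last] = last in headers ? headers[last] + ", " + value : value;
  }
  return { requestLine, headers };
}

function vulnerabilitySignatureMatches(raw) {
  const { headers } = decodeRequest(raw);
  return (headers.host || "").length > HOST_BUFFER_LIMIT;
}

function classify(raw) {
  return { exploit: exploitSignatureMatches(raw), vulnerability: vulnerabilitySignatureMatches(raw) };
}

// Constructed sample traffic.
function request(hostValue) {
  return `GET / HTTP/1.1\r\nHost: ${hostValue}\r\nUser-Agent: example\r\n\r\n`;
}
const SAMPLES = {
  benign: request("www.example.com"),
  // the exploit the signature author saw
  knownExploit: request("\x90".repeat(8) + "A".repeat(300) + "EXAMPLE-EXPLOIT-1"),
  // same flaw, re-padded and without the sled: evades the byte pattern
  variantExploit: request("B".repeat(400) + "EXAMPLE-EXPLOIT-2"),
  // same flaw, value split over folded lines so that no single line is long
  foldedExploit: "GET / HTTP/1.1\r\nHost: " + "C".repeat(200) + "\r\n\t" + "C".repeat(200) + "\r\n\r\n",
};

for (const [name, raw] of Object.entries(SAMPLES)) console.log(name, classify(raw));
```

The exploit signature fires only on the sample it was written from; the vulnerability signature fires on every request that would overflow the buffer, including the folded one, because it inspects the decoded header rather than the raw line. The cost is that the decoder must match the target's parsing closely enough, which is why NIS is described as protocol decode-based.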
New Vulnerability Use Case
• A vulnerability is discovered
• The response team prepares and tests the vulnerability signature
• The signature is released by Microsoft and deployed through the signature distribution service, on security patch release
• All unpatched hosts on the corporate network behind Forefront TMG are protected
(Diagram: Vulnerability Discovered → Signature Authoring Team: Signature Authoring, Testing → Signature Distribution Service → TMG → Corporate Network)

NIS Response Process
Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release
Targeting 4 hours end to end
Enabling and Configuring NIS (screenshot)
Client Types
• Web proxy client
  o CERN-compatible browsers/applications
• SecureNAT client
  o Any host supporting IP
• Forefront TMG client
  o Formerly the ISA Firewall client
  o Windows computers
Client Comparison
Feature                   | SecureNAT client                                               | Forefront TMG client     | Web proxy client
Installation required     | No, only IP routing configuration                              | Yes                      | No, only Web browser configuration
OS support                | Any OS supporting TCP/IP                                       | Windows only             | Any proxy-aware Web application
Protocol support          | Requires application filters for multiple-connection protocols | All Winsock applications | HTTP, HTTPS, and FTP download
User-level authentication | No                                                             | Yes                      | Yes
Web Proxy Client Configuration
• Generate configuration
• Discover configuration
  o Automatic configuration script
  o Web Proxy Auto Discovery (WPAD)
  o Static proxy configuration
• Enforce configuration
  o Manual
  o Group policy
  o Forefront TMG client
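The automatic configuration script that Web proxy clients discover (via WPAD or a group-policy URL) is a proxy auto-configuration (PAC) file, which is JavaScript. The one below is an added example, not the script TMG generates: the proxy name tmg.corp.example, the listener port 8080, the internal suffix .corp.example and the 10.0.0.0/8 range are assumed. The PAC helper functions are normally supplied by the browser's PAC engine; they are reimplemented here so the file also runs under Node, with the simplification that this isInNet only accepts literal IP addresses and does no DNS lookup.

```javascript
const PROXY = "PROXY tmg.corp.example:8080";   // TMG Web proxy listener (assumed)
const DIRECT = "DIRECT";

// PAC helpers, reimplemented for stand-alone execution (browsers provide them).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function isInNet(ipOrHost, pattern, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ipOrHost)) return false;   // literal IPs only (no DNS here)
  const toInt = s => s.split(".").reduce((a, o) => (a << 8) + (parseInt(o, 10) & 255), 0) >>> 0;
  return (toInt(ipOrHost) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

function FindProxyForURL(url, host) {
  // Internal and loopback destinations bypass the proxy and its authentication.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return DIRECT;
  if (isInNet(host, "10.0.0.0", "255.0.0.0") || isInNet(host, "127.0.0.0", "255.0.0.0")) return DIRECT;
  // Everything else, https:// included, goes through TMG so that URL filtering,
  // malware inspection and HTTPS inspection apply. No "; DIRECT" fallback is
  // appended on purpose: if the proxy is down, browsing fails closed instead of
  // silently bypassing inspection.
  return PROXY;
}

if (typeof module !== "undefined") module.exports = { FindProxyForURL };
```

Publish the file as the WPAD target or point clients at it through group policy, and keep the bypass list to destinations that genuinely must not be proxied: every host matched by a DIRECT branch is invisible to the Secure Web Gateway controls above.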
SecureNAT Clients
• Only require proper routing (traffic must reach TMG)
• Clients perform DNS resolution themselves
• Limitations:
  o No user information is passed, so rules can match only on addresses, not on users
  o No support for secondary connections (without an application filter)
• Use for:
  o Non-Web protocols
  o Simple, unauthenticated protocols
  o Non-Windows systems
Forefront TMG Client
• Formerly known as the ISA Firewall client
• Supports all Winsock-based applications
  o FwcWsp.dll is registered with the Winsock protocol stack
  o FwcWsp tracks all Winsock calls
  o All remote TCP calls are sent to the FWC listener (TCP 1745)
  o User information is passed on all requests
• Use for:
  o User-based access authentication to non-Web protocols
  o Complex protocols with secondary connections
Forefront TMG Client Discovery
• Secure discovery using Active Directory, with fallback to DHCP and DNS
  o Secure discovery uses AD to store the discovery information for domain members; DHCP- and DNS-based discovery can be answered by any rogue host on the local network, which is why the AD method is preferred
  o Covers both Forefront TMG client and Web proxy discovery
  o Allows global and site-specific markers
  o Configured using TmgAdConfig.exe:
    TmgAdConfig add -site <Site> -type <winsock|webproxy> -url <URL>
Server-side Configuration
• The Domains and Addresses tabs determine routing (which destinations the client sends directly and which through TMG)