SloWUG – 2011.02 – TMG - WordPress.com

greenpepperwhinnySecurity

Nov 3, 2013

How to increase network security with Forefront TMG

Jože Markič, Kompas Xnet d.o.o.
joze.markic@kompas-xnet.si

Agenda

- What is TMG?
- TMG deployments
- Comparison with ISA
- Subscriptions
- Secure Web Gateway
  o HTTPS inspection
  o URL filtering
  o Malware protection
  o Intrusion prevention

Forefront Edge Security and Access Products

(Diagram: "Before" and "Now", showing the Network Protection and Network Access product lines.)

The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.

- Integrated and comprehensive protection from Internet-based threats
- Unified platform for all enterprise remote access needs

Forefront TMG Value Proposition

- Firewall: control network policy access at the edge
- Secure Web Gateway: protect users from Web browsing threats
- Secure E-mail Relay: protect users from e-mail threats
- Remote Access Gateway: enable users to remotely access corporate resources
- Intrusion Prevention: protect desktops and servers from intrusion attempts

Comprehensive. Integrated. Simplified.

Forefront TMG Deployment Scenarios

Unified Threat Management (UTM)
- All-in-one solution for medium businesses
- Firewall, VPN, Web security, IPS, e-mail relay in a single box

Secure Web Gateway
- Authenticating proxy with security
- Web antivirus and URL filtering
- Inspection of HTTP and HTTPS traffic

Remote Access Gateway
- Secure Web publishing
- Dial-in VPN
- Site-to-site VPN

Secure E-mail Relay
- Antispam
- Antivirus
- E-mail filtering

Features Summary

Firewall
- VoIP traversal
- Enhanced NAT
- ISP link redundancy

Secure Web Access
- HTTP antivirus/antispyware
- URL filtering
- HTTPS forward inspection

E-mail Protection
- Exchange Edge integration
- Antivirus
- Antispam

Intrusion Prevention
- Network inspection system

Remote Access
- NAP integration with client VPN
- SSTP integration

Deployment and Management
- Array management
- Change tracking
- Enhanced reporting
- W2K8, native 64-bit

Subscription Services
- Malware protection
- URL filtering
- Intrusion prevention

Features Summary

- Network layer firewall
- Application layer firewall
- Internet access protection (proxy)
- Basic OWA and SharePoint publishing
- IPSec VPN (remote and site-to-site)
- Web caching, HTTP compression
- Web antivirus, antimalware
- URL filtering
- E-mail antimalware, antispam
- Network intrusion prevention

Comparing with ISA Server 2006

(Comparison table with columns ISA Server 2006 and Forefront TMG. The check-mark cells were images and did not survive extraction; the Forefront TMG column marks several features as "New". Row labels recoverable from the table:)

- Enhanced UI, management, reporting
- Exchange publishing (RPC over HTTP)
- Windows Server® 2008 R2, 64-bit (only)

Forefront TMG Licensing

Two editions and two Client Access Licenses (CALs)

Editions
- Standard Edition: full UTM
- Enterprise Edition: scalability and management

Subscriptions (CALs)
- Web protection
- E-mail protection

Comparing Forefront TMG Editions

| Feature | Standard Edition | Enterprise Edition |
| --- | --- | --- |
| Number of CPUs | Up to 4 CPUs | Unlimited |
| Array/NLB/CARP support | | |
| Enterprise management | | Yes, with added ability for EMS to manage SEs |
| Publishing | | |
| VPN support | | |
| Forward proxy/cache, compression | | |
| Network IPS (NIS) | | |
| E-mail protection | Requires Microsoft® Exchange Server License (Server + CALs) and installation by the admin | |

(Empty cells were check-mark images that did not survive extraction.)

Subscriptions

- Subscription-based licenses
  o Sold as Client Access Licenses (CALs)
  o Charged per user/per year
- Protection components
  o E-mail protection
    - Antispam
    - Antivirus
  o HTTP protection
    - Antimalware
    - URL filtering
  o Network Inspection System is free!


Single Adapter Scenario

- Forefront TMG supports using a single network adapter
- Supported scenarios
  o Secure Web Gateway (forward Web proxy and cache)
  o Web Publishing (reverse Web proxy and cache)
  o Remote client VPN access
- Unsupported scenarios
  o Application layer inspection (except for Web proxy)
  o Server publishing
  o Non-Web clients
    - Firewall client
    - SecureNAT
  o Site-to-site VPNs

Secure Web Gateway

Threats and Controls

(Matrix of threats against controls; each cell was rated Full, Partial or Enabler, but the cell markers did not survive extraction.)

Threats: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control

Controls: Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS

Legend: Full / Partial / Enabler

Forefront TMG HTTPS Traffic Inspection

- HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats
  o Trusted certificate generated by proxy matching the URL expected by the client

(Diagram: decrypted traffic is handed to URL Filtering, Malware Inspection and the Network Inspection System.)

Enabling HTTPS Traffic Inspection

- Certificate deployment (via Active Directory® or Import/Export)
- Configure HTTPS Inspection:
  o Proxy certificate generation/import and customization
  o Source and destination exclusions
  o Validate only option
  o Notification
- Client notifications about HTTPS inspection (via Firewall client)
- Certificate validation (revocation, trusted, expiration validation, etc.)

Configuring HTTPS Inspection

(Three screenshot slides of the HTTPS Inspection configuration dialogs.)

HTTPS Inspection Notifications

- Notification provided by Forefront TMG client
  o Notify user of inspection
  o History of recent notifications
  o Management of Notification Exception List
- May be a legal requirement in some geographies

HTTPS Inspection Notification: User Experience

(Screenshot of the client-side notification.)

Forefront TMG URL Filtering

- 91 built-in categories
- Predefined and administrator-defined category sets
- Integrates leading URL database providers
- Subscription-based
- URL category override
- URL category query
- Logging and reporting support
- Web Access Wizard integration
- Customizable, per-rule deny messages

TMG URL Filtering Benefits

- Control user web access based on URL categories
- Protect users from known malicious sites
- Reduce liability risks
- Increase productivity
- Reduce bandwidth and Forefront TMG resource consumption
- Analyze Web usage

What Makes MRS Compelling?

- Existing URL filtering solutions
  o A single vendor can't be an expert in all categories
  o Categorization response time
- MRS unique architecture
  o MRS merges URL databases from multiple sources/vendors
    - Multi-vendor AV analogy
  o Based on Microsoft internal sources as well as collaboration with third-party partners
  o Scalable
- Ongoing collaborative effort
  o Recently announced an agreement with Marshal8e6
  o More announcements to follow

How Forefront TMG Leverages MRS

(Architecture diagram: multiple vendors feed the MRS Categorizer, which answers a Federated Query; TMG sends a Query (URL) over SSL, a Fetch retrieves the URL on a cache miss, the result drives Policy and is stored in the Cache; a separate Telemetry Path (also SSL) carries feedback, which MRS combines with telemetry data.)

- Feedback mechanism on category overrides
- Fetch on cache miss
- SSL for auth & privacy
- No PII

Cache:
- Persistent
- In-memory
- Weighted TTL

URL Filtering Categories

Category groups: Liability, Security, Productivity

URL Filtering category precedence

| No. | Category |
| --- | --- |
| 1 | "Malicious" |
| 2 | "Pornography" |
| 3 | "Botnet" |
| 4 | "Phishing" |
| 5 | "Criminal Activities" |
| 6 | "Hate/Discrimination" |
| ... | ... |
| 75 | "Unknown" |

http://www.microsoft.com/security/portal/mrs/

Categories and Inheritance

URL Filtering Policy

- URL categories are standard network objects
- Administrator can create custom URL category sets

(Screenshot of the URL Filtering Policy configuration.)

Contoso's Web Access Policy

- Access rule allowing users in the Research group to access gambling and gambling-related sites
- Access rule denying everyone access to Liability and Security sites
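The category precedence table and Contoso's two-rule policy above, worked through as an added example (not TMG code): the categorizer may return several categories for one URL, the lowest precedence number wins, and the ordered access rules are then evaluated first-match. The lookup table, group membership, category-set contents and the position of "Gambling" in the precedence list are constructed assumptions.

```python
# Added example, not Forefront TMG code: URL-category precedence followed by
# ordered Web access rule evaluation (first matching rule wins).
from typing import List, Optional, Set, Tuple

# Precedence from the slide (lower index wins when a URL has several
# categories). "Gambling" placement is an assumption; "Unknown" is last.
CATEGORY_PRECEDENCE = ["Malicious", "Pornography", "Botnet", "Phishing",
                       "Criminal Activities", "Hate/Discrimination",
                       "Gambling", "Unknown"]

# Constructed category sets (administrator-defined sets are network objects).
CATEGORY_SETS = {
    "Liability": {"Pornography", "Criminal Activities",
                  "Hate/Discrimination", "Gambling"},
    "Security": {"Malicious", "Botnet", "Phishing"},
}

# Constructed stand-in for the MRS lookup: host -> categories returned.
URL_DATABASE = {
    "casino.example": {"Gambling"},
    "phish.example": {"Phishing"},
    "mixed.example": {"Gambling", "Malicious"},   # two categories returned
    "intranet.example": set(),                    # not categorized
}


def effective_category(host: str) -> str:
    """Single category TMG enforces: the highest-precedence one returned."""
    ranked = sorted(URL_DATABASE.get(host, set()), key=CATEGORY_PRECEDENCE.index)
    return ranked[0] if ranked else "Unknown"


# Ordered rules: (action, user groups or None for everyone, categories).
Rule = Tuple[str, Optional[Set[str]], Set[str]]
CONTOSO_POLICY: List[Rule] = [
    ("allow", {"Research"}, {"Gambling"}),
    ("deny", None, CATEGORY_SETS["Liability"] | CATEGORY_SETS["Security"]),
]


def evaluate(host: str, user_groups: Set[str]) -> str:
    """First matching rule wins; assumed no further allow rule, so anything
    unmatched falls to the default deny rule."""
    category = effective_category(host)
    for action, groups, categories in CONTOSO_POLICY:
        if category in categories and (groups is None or groups & user_groups):
            return action
    return "deny"
```

Note that mixed.example is denied even for Research users: "Malicious" outranks "Gambling", so the Security deny rule matches before the gambling allow rule can.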

Per-rule Customization

- TMG administrator can customize the denial message displayed to the user on a per-rule basis
  o Add custom text or HTML
  o Redirect the user to a specific URL

URL Filtering Configuration

(Screenshot of the URL filtering configuration dialog.)

Category Query

- Administrator can use the URL Filtering Settings dialog box to query the URL filtering database
  o Enter the URL or IP address as input
  o The result and its source are displayed on the tab

URL Category Override

- Administrator can override the categorization of a URL
  o Feedback to MRS via Telemetry

User Experience

(Screenshots: the deny page shown to a user browsing to http://www.phishingsite.com, and a customized deny page using HTML tags, new in SP1.)

HTTP Malware Inspection

- Integrates Microsoft Antivirus engine
  o Third-party plug-ins can be used (native malware inspection must be disabled)
- Signature and engine updates
- Subscription-based
- Source and destination exceptions
- Global and per-rule inspection options (encrypted files, nested archives, large files…)
- Logging and reporting support
- Web Access Wizard integration
- Content delivery methods by content type

Content Trickling

(Sequence diagram between the Firewall Service, Web Proxy, Malware Inspection Filter, Request Context and Scanner:)

1. Client: GET msrdp.cab → Web Proxy: GET msrdp.cab → origin: 200 OK
2. The Malware Inspection Filter accumulates content in the request context while the Scanner inspects it, trickling small portions to the client as it goes.
3. 200 OK is completed to the client once inspection finishes.

Progress Notification

(Sequence diagram between the Firewall Service, Web Proxy, Malware Inspection Filter, Primary Request Context, Secondary Request Context, Downloads Map and Scanner:)

1. Client: GET setup.exe → Web Proxy: GET setup.exe → origin: 200 OK (setup.exe)
2. Content is accumulated in the primary request context and registered in the Downloads Map; the client receives 200 OK (HTML), a progress page.
3. Client: GET GetDownloadStatus → 200 OK (Retrieving)
4. Client: GET GetDownloadStatus → 200 OK (Scanning)
5. Client: GET GetDownloadStatus → 200 OK (Ready)
6. Client: GET FinalDownload → 200 OK (setup.exe), served from the secondary request context
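The two delivery methods in the diagrams above, simulated as an added example (not TMG code): content that is trickled is accumulated, scanned and then served, while content types that get a progress page are parked in a downloads map and the client polls GetDownloadStatus through Retrieving, Scanning and Ready before FinalDownload. The scanner, the list of content types that get a progress page and the origin responses are constructed.

```python
# Added example, not Forefront TMG code: malware inspection filter with the
# content-trickling path and the progress-notification (polling) path.
import hashlib
from typing import Dict, List, Tuple

PROGRESS_TYPES = (".exe", ".msi")           # constructed: types that get a page
MARKER = b"MALWARE-TEST-PATTERN"            # constructed stand-in signature


def scan(content: bytes) -> str:
    """Constructed scanner: flags the marker pattern, otherwise clean."""
    return "infected" if MARKER in content else "clean"


class MalwareInspectionFilter:
    """Simulates the Web proxy's malware inspection filter for one request."""

    def __init__(self, origin: Dict[str, List[bytes]]):
        self.origin = origin                 # url -> response chunks (constructed)
        self.downloads: Dict[str, dict] = {}  # the "Downloads Map"

    def get(self, url: str) -> Tuple[int, str, bytes]:
        """Primary request context: returns (status, content type, body)."""
        chunks = self.origin[url]
        if not url.endswith(PROGRESS_TYPES):
            # Content trickling path: accumulate, scan, then deliver or block.
            body = b"".join(chunks)
            if scan(body) == "infected":
                return 403, "text/html", b"Content Blocked"
            return 200, "application/octet-stream", body
        # Progress notification path: park the download, hand back a status page.
        did = hashlib.sha1(url.encode()).hexdigest()[:8]
        self.downloads[did] = {"pending": list(chunks), "acc": b"",
                               "state": "Retrieving"}
        return 200, "text/html", f"GetDownloadStatus?id={did}".encode()

    def get_download_status(self, did: str) -> str:
        """Secondary request context: each poll advances accumulation/scanning."""
        d = self.downloads[did]
        if d["pending"]:
            d["acc"] += d["pending"].pop(0)
            d["state"] = "Retrieving" if d["pending"] else "Scanning"
        elif d["state"] == "Scanning":
            d["state"] = "Ready" if scan(d["acc"]) == "clean" else "Blocked"
        return d["state"]

    def final_download(self, did: str) -> Tuple[int, bytes]:
        """FinalDownload: the scanned file, or a block page if it failed."""
        d = self.downloads[did]
        return (200, d["acc"]) if d["state"] == "Ready" else (403, b"Content Blocked")
```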

Enabling Malware Inspection

- Activate the Web Protection license
- Enable malware inspection on Web access rules
  o Web Access Policy Wizard or New Access Rule Wizard for new rules
  o Rule properties for existing rules

Malware Inspection Global Settings

- Administrator can configure malware blocking behavior:
  o Low, medium and high severity threats
  o Suspicious files
  o Corrupted files
  o Encrypted files
  o Archive bombs
    - Too many depth levels or unpacked content too large
  o File size too large

Malware Inspection Per-rule Overrides

(Screenshot of the per-rule malware inspection settings.)

User Experience

(Screenshots: the Content Blocked page and the Progress Notification page.)

Network Inspection System (NIS)

- Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
  o Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
  o Detects and potentially blocks attacks on network resources
- NIS helps organizations reduce the vulnerability window
  o Protects machines against known vulnerabilities until the patch can be deployed
  o Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window
- Integrated into Forefront TMG
  o Synergy with HTTPS Inspection

New Vulnerability Use Case

1. Vulnerability is discovered
2. Response team prepares and tests the vulnerability signature
3. Signature released by Microsoft and deployed through the distribution service, on security patch release
4. All un-patched hosts behind Forefront TMG are protected

(Diagram: Vulnerability Discovered → Signature Authoring Team (Signature Authoring, Testing) → Signature Distribution Service → TMG → Corporate Network)

NIS Response Process

Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release

Targeting 4 hours

Enabling and Configuring NIS

(Screenshot of the NIS configuration.)

Client Types

- Web proxy client
  o CERN-compatible browsers/applications
- SecureNAT client
  o Any host supporting IP
- Forefront TMG client
  o Formerly ISA firewall client
  o Windows computers

Client Comparison

| Feature | SecureNAT Client | Forefront TMG Client | Web Proxy Client |
| --- | --- | --- | --- |
| Installation required | IP routing configuration | Yes | Web browser configuration |
| OS support | Any OS supporting TCP/IP | Windows only | Any proxy-aware Web application |
| Protocol support | Requires application filters for multiple-connection protocols | All Winsock applications | HTTP, HTTPS, and FTP download |
| User-level authentication | No | Yes | Yes |

Web Proxy Client Configuration

- Generate configuration
- Discover configuration
  o Automatic configuration script
  o Web Proxy Auto Discovery (WPAD)
  o Static proxy configuration
- Enforce configuration
  o Manual
  o Group policy
  o Forefront TMG client

SecureNAT clients

- Only requires proper routing
- Clients perform DNS resolution
- Limitations:
  o No user information passed
  o No support for secondary connections (without application filter)
- Use for:
  o Non-Web protocols
  o Simple, unauthenticated protocols
  o Non-Windows systems

Forefront TMG Client

- Formerly known as ISA Firewall client
- Supports all WinSock-based applications
  o FwcWsp.dll registered with WinSock protocol stack
  o FwcWsp tracks all WinSock calls
  o All remote TCP calls sent to FWC listener (TCP 1745)
  o User information passed on all requests
- Use for:
  o User-based access authentication to non-Web protocols
  o Complex protocols with secondary connections

Forefront TMG Client Discovery

- Secure discovery using Active Directory, with fallback to DHCP and DNS
  o Secure discovery uses AD to store discovery information for domain members
  o Forefront TMG client and Web proxy discovery
  o Allows global and site-specific markers
  o Configured using TmgAdConfig.exe:

    TmgAdConfig add-site <Site> -type <winsock|webproxy> -url <URL>

Server-side Configuration

- Domains and Addresses tabs determine routing

(Screenshot of the server-side client configuration.)