Kako povečati varnost omrežja s Forefront TMG (How to increase network security with Forefront TMG)

Jože Markič, Kompas Xnet d.o.o., joze.markic@kompas-xnet.si

PowerPoint presentation, 58 slides.

Page 1

How to increase network security with Forefront TMG

Jože Markič, Kompas Xnet

Page 2

Agenda

• What is TMG?
• TMG deployments
• Comparison with ISA
• Subscriptions
• Secure Web Gateway
  o HTTPS inspection
  o URL filtering
  o Malware protection
  o Intrusion prevention

Page 3

Forefront Edge Security and Access Products

(Diagram: Before / Now; Network Protection, Network Access)

The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.

• Integrated and comprehensive protection from Internet-based threats
• Unified platform for all enterprise remote access needs

Page 4

Forefront TMG Value Proposition

• Firewall – Control network policy access at the edge
• Secure Web Gateway – Protect users from Web browsing threats
• Secure E-mail Relay – Protect users from e-mail threats
• Remote Access Gateway – Enable users to remotely access corporate resources
• Intrusion Prevention – Protect desktops and servers from intrusion attempts

Comprehensive, Integrated, Simplified

Page 5

Forefront TMG Deployment Scenarios

Unified Threat Management (UTM)
• All-in-one solution for medium businesses
• Firewall, VPN, Web security, IPS, e-mail relay in a single box

Secure Web Gateway
• Authenticating proxy with security
• Web antivirus and URL filtering
• Inspection of HTTP and HTTPS traffic

Remote Access Gateway
• Secure Web publishing
• Dial-in VPN
• Site to site VPN

Secure E-mail Relay
• Antispam
• Antivirus
• E-mail filtering

Page 6

Features Summary

Firewall
• VoIP traversal
• Enhanced NAT
• ISP link redundancy

Secure Web Access
• HTTP antivirus/antispyware
• URL filtering
• HTTPS forward inspection

E-mail Protection
• Exchange Edge integration
• Antivirus
• Antispam

Intrusion Prevention
• Network inspection system

Remote Access
• NAP integration with client VPN
• SSTP integration

Deployment and Management
• Array management
• Change tracking
• Enhanced reporting
• W2K8, native 64-bit

Subscription Services
• Malware protection
• URL filtering
• Intrusion prevention

Page 7

Features Summary: Comparing with ISA Server 2006 (ISA Server 2006 vs. Forefront TMG)

• Network layer firewall
• Application layer firewall
• Internet access protection (proxy)
• Basic OWA and SharePoint publishing
• IPSec VPN (remote and site-to-site)
• Web caching, HTTP compression
• Web antivirus, antimalware (New)
• URL filtering (New)
• E-mail antimalware, antispam (New)
• Network intrusion prevention (New)
• Enhanced UI, management, reporting (New)
• Exchange publishing (RPC over HTTP)
• Windows Server® 2008 R2, 64-bit (only) (New)

Page 8

Forefront TMG Licensing: two editions and two Client Access Licenses (CALs)

Editions
• Standard Edition: Full UTM
• Enterprise Edition: Scalability and management

Subscriptions (CALs)
• Web protection
• E-mail protection

Page 9

Comparing Forefront TMG Editions (Standard Edition vs. Enterprise Edition)

• Number of CPUs: Standard Edition up to 4 CPUs; Enterprise Edition unlimited
• Array/NLB/CARP support
• Enterprise management: Enterprise Edition yes, with added ability for EMS to manage SEs
• Publishing
• VPN support
• Forward proxy/cache, compression
• Network IPS (NIS)
• E-mail protection: requires Microsoft® Exchange Server License (Server + CALs) and installation by the admin

Page 10

Subscriptions

• Subscription-based licenses
  o Sold as Client Access Licenses (CALs)
  o Charged per user/per year
• Protection components
  o E-mail protection
    • Antispam
    • Antivirus
  o HTTP protection
    • Antimalware
    • URL filtering
  o Network Inspection System is free!

Page 11

Single Adapter Scenario

• Forefront TMG supports using a single network adapter
• Supported scenarios
  o Secure Web Gateway (forward Web proxy and cache)
  o Web publishing (reverse Web proxy and cache)
  o Remote client VPN access
• Unsupported scenarios
  o Application layer inspection (except for Web proxy)
  o Server publishing
  o Non-Web clients
    • Firewall client
    • SecureNAT
  o Site-to-site VPNs

Page 12

Secure Web Gateway

Page 13

Threats and Controls

(Matrix slide: threats Malware, Phishing, Liability, Data Leakage, Lost Productivity and Loss of Control, against the controls Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering and NIS; each cell is rated Full, Partial or Enabler.)

Page 14

Forefront TMG HTTPS Traffic Inspection

• HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats
  o Trusted certificate generated by proxy matching the URL expected by the client

(Diagram: client, TMG and Internet. The Internet-side SSL session uses the Contoso.com certificate signed by VeriSign; the client-side SSL session uses a Contoso.com certificate signed by TMG. Inspection at TMG: URL Filtering, Malware Inspection, Network Inspection System.)

Page 15

Enabling HTTPS Traffic Inspection

(Diagram: the client receives the Contoso.com certificate signed by TMG; on the Internet side the Contoso.com certificate is signed by VeriSign.)

• Certificate deployment (via Active Directory® or Import/Export)
• Configure HTTPS Inspection:
  o Proxy certificate generation/import and customization
  o Source and destination exclusions
  o Validate only option
  o Notification
• Client notifications about HTTPS inspection (via Firewall client)
• Certificate validation (revocation, trusted, expiration validation, etc.)

Page 16

Configuring HTTPS Inspection

Page 17

Configuring HTTPS Inspection

Page 18

Configuring HTTPS Inspection

Page 19

HTTPS Inspection Notifications

• Notification provided by Forefront TMG client
  o Notify user of inspection
  o History of recent notifications
  o Management of notification
• Exception list
  o May be a legal requirement in some geographies

Page 20

HTTPS Inspection Notification: User Experience

Page 21

Forefront TMG URL Filtering

• 91 built-in categories
• Predefined and administrator defined category sets
• Integrates leading URL database providers
• Subscription-based
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule, deny messages

(Diagram: TMG queries the URL DB of the Microsoft Reputation Service over the Internet.)

Page 22

URL Filtering Benefits

• Control user web access based on URL categories
• Protect users from known malicious sites
• Reduce liability risks
• Increase productivity
• Reduce bandwidth and Forefront TMG resource consumption
• Analyze Web usage

Page 23

What Makes MRS Compelling?

• Existing URL filtering solutions
  o A single vendor can't be an expert in all categories
  o Categorization response time
• MRS unique architecture
  o MRS merges URL databases from multiple sources/vendors
    • Multi-vendor AV analogy
  o Based on Microsoft internal sources as well as collaboration with third party partners
  o Scalable
• Ongoing collaborative effort
  o Recently announced an agreement with Marshal8e6
  o More announcements to follow

Page 24

How Forefront TMG Leverages MRS

(Diagram: on TMG, Policy asks the Categorizer, which checks its Cache and on a miss sends Query (URL) / Fetch URL over SSL to MRS in Microsoft Datacenters; MRS runs a Federated Query across multiple vendors and combines it with telemetry data; a Telemetry Path (also SSL) carries feedback from TMG to MRS.)

• Feedback mechanism on category overrides
• Fetch on cache miss
• SSL for auth & privacy
• No PII
• Cache:
  o Persistent
  o In-memory
  o Weighted TTL

Page 25

URL Filtering Categories

(Category groups: Liability, Security, Productivity)

Page 26

URL Filtering category precedence

• No. 1: "Malicious"
• No. 2: "Pornography"
• No. 3: "Botnet"
• No. 4: "Phishing"
• No. 5: "Criminal Activities"
• No. 6: "Hate/Discrimination"
• …
• No. 75: "Unknown"

http://www.microsoft.com/security/portal/mrs/

Page 27

Categories and Inheritance

Page 28

URL Filtering Policy

• URL categories are standard network objects
• Administrator can create custom URL category sets

Page 29

URL Filtering Policy

Page 30

Contoso's Web Access Policy

• Access rule allowing users in the Research group to access gambling and gambling-related sites
• Access rule denying everyone access to Liability and Security sites

Page 31

Per-rule Customization

• TMG administrator can customize the denial message displayed to the user on a per-rule basis
  o Add custom text or HTML
  o Redirect the user to a specific URL

Page 32

URL Filtering Configuration

Page 33

Category Query

• Administrator can use the URL Filtering Settings dialog box to query the URL filtering database
  o Enter the URL or IP address as input
  o The result and its source are displayed on the tab

Page 34

URL Category Override

• Administrator can override the categorization of a URL
  o Feedback to MRS via Telemetry
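The following is an added example, not code from the presentation or from Microsoft's TMG product. It ties together slides 26, 30, 31 and 34: a URL that belongs to several categories takes the one with the lowest precedence number, ordered access rules are evaluated first-match-wins with a per-rule deny message, and an administrator override replaces the database verdict. The category numbers other than the six listed on slide 26, the host-to-category database and the rule set are all constructed for the example; the rule order shows why Contoso's Research allow rule must sit above the Liability/Security deny rule, and why precedence keeps a phishing host that is also categorized as gambling from slipping through that allowance.

```python
"""Constructed example of TMG-style Web access policy evaluation: MRS
category precedence, ordered allow/deny rules over category sets, per-rule
deny messages and administrator category overrides. The category numbers
beyond the six on slide 26, the URL database and the rule set are
hypothetical, not the real MRS list or any TMG default."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Precedence number -> category. 1..6 and 75 are from the slide; the other
# numbers are placeholders standing in for the rest of the 75-entry list.
PRECEDENCE: Dict[int, str] = {
    1: "Malicious", 2: "Pornography", 3: "Botnet", 4: "Phishing",
    5: "Criminal Activities", 6: "Hate/Discrimination",
    40: "Gambling", 60: "News", 75: "Unknown",
}
RANK: Dict[str, int] = {name: n for n, name in PRECEDENCE.items()}

# Constructed stand-in for the URL database: host -> every category it is in.
URL_DB: Dict[str, Set[str]] = {
    "www.phishingsite.com": {"Phishing", "Gambling"},
    "bet.example": {"Gambling"},
    "news.example": {"News"},
}

# Administrator-defined category sets (network objects in TMG terms).
CATEGORY_SETS: Dict[str, Set[str]] = {
    "Liability": {"Pornography", "Criminal Activities", "Hate/Discrimination", "Gambling"},
    "Security": {"Malicious", "Botnet", "Phishing"},
}


def categorize(url: str, overrides: Optional[Dict[str, str]] = None) -> str:
    """Effective category of a URL: an administrator override wins outright;
    otherwise the matching category with the lowest precedence number;
    otherwise "Unknown"."""
    host = urlsplit(url).hostname or ""
    if overrides and host in overrides:
        return overrides[host]
    matches = URL_DB.get(host, set())
    return min(matches, key=RANK.__getitem__, default="Unknown")


def expand(names: Set[str]) -> Set[str]:
    """Expand category-set names into plain categories; a name that is not
    a set is taken to be a single category."""
    out: Set[str] = set()
    for n in names:
        out |= CATEGORY_SETS.get(n, {n})
    return out


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    users: Set[str]             # group names; "All Users" matches everyone
    categories: Set[str]        # expanded category names the rule applies to
    deny_message: str = "Access blocked by policy"  # per-rule customization


@dataclass
class Decision:
    action: str
    rule: Optional[str]         # matching rule name; None for the default deny
    category: str
    message: str = ""


def evaluate(url: str, user_groups: Set[str], rules: List[Rule],
             overrides: Optional[Dict[str, str]] = None) -> Decision:
    """Ordered evaluation, first matching rule wins; the implicit last rule
    denies everything, as in the TMG firewall policy."""
    category = categorize(url, overrides)
    for r in rules:
        if "All Users" not in r.users and not (r.users & user_groups):
            continue
        if category not in r.categories:
            continue
        msg = r.deny_message if r.action == "deny" else ""
        return Decision(r.action, r.name, category, msg)
    return Decision("deny", None, category, "Default rule: nothing allowed this request")


# Contoso's policy from slide 30, with the Research allow rule placed above
# the deny rule, which is what makes it effective.
CONTOSO_POLICY: List[Rule] = [
    Rule("Research: gambling", "allow", {"Research"}, {"Gambling"}),
    Rule("Block Liability and Security", "deny", {"All Users"},
         expand({"Liability", "Security"}),
         deny_message="Blocked: this site is classed as a liability or security risk."),
    Rule("Allow Web access", "allow", {"All Users"}, set(PRECEDENCE.values())),
]

if __name__ == "__main__":
    for url, groups in [("http://bet.example/", {"Research"}),
                        ("http://bet.example/", {"Sales"}),
                        ("http://www.phishingsite.com/login", {"Research"})]:
        d = evaluate(url, groups, CONTOSO_POLICY)
        print(f"{url} {sorted(groups)} -> {d.action} ({d.rule}, {d.category}) {d.message}")
```

Swapping the first two rules in CONTOSO_POLICY makes the Research allowance dead, which is the usual cause of "the exception rule does nothing" tickets; an override for a host applies before any rule is consulted, so it should be reviewed with the same care as a rule change.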

Page 35

User Experience

http://www.phishingsite.com

Page 36

User Experience

HTML tags

Page 37

New in SP1

Page 38

Page 39

HTTP Malware Inspection

• Integrates Microsoft Antivirus engine
• Signature and engine updates
• Subscription-based
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files…)
• Logging and reporting support
• Web Access Wizard integration
• Content delivery methods by content type
• Third party plug-ins can be used (native malware inspection must be disabled)

(Diagram: the Signatures DB on TMG is updated from MU or WSUS over the Internet.)

Page 40

Content Trickling

(Sequence diagram; participants: client, Firewall Service, Web Proxy, Malware Inspection Filter with its Request Context, Scanner.)

GET msrdp.cab → GET msrdp.cab
200 OK from the server → Accumulated Content (repeated as the body arrives) passed to the Scanner
200 OK delivered to the client

Page 41

Progress Notification

(Sequence diagram; participants: Firewall Service, Web Proxy, Malware Inspection Filter with Primary Request Context, Secondary Request Context and Downloads Map, Scanner.)

GET setup.exe → GET setup.exe
200 OK (setup.exe) from the server → Accumulated Content (repeated) passed to the Scanner
200 OK (HTML) delivered to the client
GET GetDownloadStatus → 200 OK (Retrieving)
GET GetDownloadStatus → 200 OK (Scanning)
GET GetDownloadStatus → 200 OK (Ready)
GET FinalDownload → 200 OK (setup.exe)

Page 42

Enabling Malware Inspection

• Activate the Web Protection license
• Enable malware inspection on Web access rules
  o Web Access Policy Wizard or New Access Rule Wizard for new rules
  o Rule properties for existing rules

Page 43

Malware Inspection Global Settings

• Administrator can configure malware blocking behavior:
  o Low, medium and high severity threats
  o Suspicious files
  o Corrupted files
  o Encrypted files
  o Archive bombs
    • Too many depth levels or unpacked content too large
  o File size too large
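The archive-related settings on this slide (corrupted files, encrypted files, archive bombs by nesting depth or unpacked size) map onto a small inspection routine. What follows is an added example written for this page, not TMG's scanner or Microsoft code; the depth and size limits are hypothetical values, not TMG's defaults, and the sample archives are constructed in memory. The point it makes beyond the slide is that unpacked size must be measured while inflating rather than read from the zip headers, since a crafted archive can declare a small size.

```python
"""Constructed example of the archive-handling side of malware inspection
global settings: block corrupted archives, encrypted entries, nesting that
is too deep and archives whose unpacked size exceeds a limit. The limit
values are hypothetical and not TMG's defaults."""
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

MAX_NESTING_DEPTH = 2           # hypothetical: the outermost archive is depth 1
MAX_UNPACKED_BYTES = 1_000_000  # hypothetical total across all nesting levels
CHUNK = 64 * 1024
ZIP_ENCRYPTED = 0x1             # bit 0 of the zip general-purpose flag


@dataclass
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def inspect_archive(blob: bytes,
                    max_depth: int = MAX_NESTING_DEPTH,
                    max_unpacked: int = MAX_UNPACKED_BYTES) -> Verdict:
    """Walk a (possibly nested) zip and return the policy verdict."""
    unpacked = 0  # bytes actually inflated so far, all levels included

    def walk(data: bytes, depth: int) -> Optional[Verdict]:
        nonlocal unpacked
        if depth > max_depth:
            return Verdict("block", f"archive bomb: nesting depth {depth} exceeds {max_depth}")
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return Verdict("block", "corrupted file: not a readable zip archive")
        with zf:
            for info in zf.infolist():
                if info.flag_bits & ZIP_ENCRYPTED:
                    return Verdict("block", f"encrypted file: {info.filename}")
                if info.is_dir():
                    continue
                nested = info.filename.lower().endswith(".zip")
                chunks = []
                # Count bytes as they are inflated instead of trusting the
                # header's declared size, which a crafted archive can understate.
                with zf.open(info) as f:
                    while True:
                        chunk = f.read(CHUNK)
                        if not chunk:
                            break
                        unpacked += len(chunk)
                        if unpacked > max_unpacked:
                            return Verdict("block", f"archive bomb: unpacked content exceeds {max_unpacked} bytes")
                        if nested:
                            chunks.append(chunk)
                if nested:
                    verdict = walk(b"".join(chunks), depth + 1)
                    if verdict is not None:
                        return verdict
        return None

    return walk(blob, 1) or Verdict("allow", f"{unpacked} bytes inflated, within limits")


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples.
CLEAN = make_zip({"readme.txt": b"nothing to see here"})
OVERSIZE = make_zip({"zeros.bin": b"\0" * (2 * MAX_UNPACKED_BYTES)})  # small on the wire, 2 MB inflated
TOO_DEEP = make_zip({"l2.zip": make_zip({"l3.zip": make_zip({"x.txt": b"x"})})})
CORRUPT = b"PK\x03\x04 this is not really an archive"

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("oversize", OVERSIZE),
                         ("too deep", TOO_DEEP), ("corrupt", CORRUPT)]:
        v = inspect_archive(sample)
        print(f"{name:9s} -> {v.action}: {v.reason}")
```

The same walk applies to per-rule overrides (slide 44): pass a different max_depth or max_unpacked for the rule in question instead of the global constants.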

Page 44

Malware Inspection Per-rule Overrides

Page 45

User Experience: Content Blocked

Page 46

User Experience: Progress Notification

Page 47

Network Inspection System (NIS)

• Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
  o Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
  o Detects and potentially blocks attacks on network resources
• NIS helps organizations reduce the vulnerability window
  o Protects machines against known vulnerabilities until a patch can be deployed
  o Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window
• Integrated into Forefront TMG
  o Synergy with HTTPS Inspection

Page 48

New Vulnerability Use Case

• Vulnerability is discovered
• Response team prepares and tests the vulnerability signature
• Signature released by Microsoft and deployed through distribution service, on security patch release
• All un-patched hosts behind Forefront TMG are protected

(Diagram: Vulnerability Discovered → Signature Authoring Team (Signature Authoring, Testing) → TMG Signature Distribution Service → TMG in the Corporate Network.)

Page 49

NIS Response Process

Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release

Targeting 4 hours

Page 50

Enabling and Configuring NIS

Page 51

Client Types

• Web proxy client
  o CERN-compatible browsers/applications
• SecureNAT client
  o Any host supporting IP
• Forefront TMG client
  o Formerly ISA firewall client
  o Windows computers

Page 52

Client Comparison

Feature                   | SecureNAT Client                                              | Forefront TMG Client     | Web Proxy Client
Installation required     | IP routing configuration                                      | Yes                      | Web browser configuration
OS support                | Any OS supporting TCP/IP                                      | Windows only             | Any proxy-aware Web application
Protocol support          | Requires application filters for multiple-connection protocols | All Winsock applications | HTTP, HTTPS, and FTP download
User-level authentication | No                                                            | Yes                      | Yes

Page 53

Web Proxy Client Configuration

• Generate configuration
• Discover configuration
  o Automatic configuration script
  o Web Proxy Auto Discovery (WPAD)
  o Static proxy configuration
• Enforce configuration
  o Manual
  o Group policy
  o Forefront TMG client

Page 54

SecureNAT clients

• Only requires proper routing
• Clients perform DNS resolution
• Limitations:
  o No user information passed
  o No support for secondary connections (without application filter)
• Use for:
  o Non-Web protocols
  o Simple, unauthenticated protocols
  o Non-Windows systems

Page 55

Forefront TMG Client

• Formerly known as ISA Firewall client
• Supports all WinSock-based applications
  o FwcWsp.dll registered with WinSock protocol stack
  o FwcWsp tracks all WinSock calls
  o All remote TCP calls sent to FWC listener (TCP 1745)
  o User information passed on all requests
• Use for:
  o User-based access authentication to non-Web protocols
  o Complex protocols with secondary connections

Page 56

Forefront TMG Client Discovery

• Secure discovery using Active Directory, with fallback to DHCP and DNS
  o Secure discovery uses AD to store discovery information for domain members
  o Forefront TMG client and Web proxy discovery
  o Allows global and site-specific markers
  o Configured using TmgAdConfig.exe

TmgAdConfig add -site <Site> -type <winsock|webproxy> -url <URL>

Page 57

Server-side Configuration

• Domains and Addresses tabs determine routing

Page 58

?