How to Increase Network Security with Forefront TMG
Jože Markič, Kompas Xnet d.o.o., joze.markic@kompas-xnet.si
Agenda
• What is TMG?
• TMG deployments
• Comparison with ISA
• Subscriptions
• Secure Web Gateway
o HTTPS inspection
o URL filtering
o Malware protection
o Intrusion prevention
Forefront Edge Security and Access Products
Before Now
Network Protection
Network Access
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
• Integrated and comprehensive protection from Internet-based threats
• Unified platform for all enterprise remote access needs
Forefront TMG Value Proposition
• Firewall – Control network policy access at the edge
• Secure Web Gateway – Protect users from Web browsing threats
• Secure E-mail Relay – Protect users from e-mail threats
• Remote Access Gateway – Enable users to remotely access corporate resources
• Intrusion Prevention – Protect desktops and servers from intrusion attempts
Comprehensive. Integrated. Simplified.
Forefront TMG Deployment Scenarios
Unified Threat Management (UTM)
• All-in-one solution for medium businesses
• Firewall, VPN, Web security, IPS, e-mail relay in a single box
Secure Web Gateway
• Authenticating proxy with security
• Web antivirus and URL filtering
• Inspection of HTTP and HTTPS traffic
Remote Access Gateway
• Secure Web publishing
• Dial-in VPN
• Site-to-site VPN
Secure E-mail Relay
• Antispam
• Antivirus
• E-mail filtering
Features Summary
Firewall
• VoIP traversal
• Enhanced NAT
• ISP link redundancy
Secure Web Access
• HTTP antivirus/antispyware
• URL filtering
• HTTPS forward inspection
E-mail Protection
• Exchange Edge integration
• Antivirus
• Antispam
Intrusion Prevention
• Network Inspection System
Remote Access
• NAP integration with client VPN
• SSTP integration
Deployment and Management
• Array management
• Change tracking
• Enhanced reporting
• W2K8, native 64-bit
Subscription Services
• Malware protection
• URL filtering
• Intrusion prevention
Features Summary: Comparing with ISA Server 2006
Available in both ISA Server 2006 and Forefront TMG:
• Network layer firewall
• Application layer firewall
• Internet access protection (proxy)
• Basic OWA and SharePoint publishing
• IPSec VPN (remote and site-to-site)
• Web caching, HTTP compression
• Exchange publishing (RPC over HTTP) (marked E in the Forefront TMG column)
New in Forefront TMG:
• Web antivirus, antimalware
• URL filtering
• E-mail antimalware, antispam
• Network intrusion prevention
• Enhanced UI, management, reporting
• Windows Server® 2008 R2, 64-bit (only)
Forefront TMG Licensing
Two editions and two Client Access Licenses (CALs)
• Standard Edition: full UTM
• Enterprise Edition: scalability and management
• Subscriptions: Web protection, E-mail protection
Comparing Forefront TMG Editions (Standard Edition vs. Enterprise Edition)
• Number of CPUs: Standard Edition up to 4 CPUs; Enterprise Edition unlimited
• Array/NLB/CARP support
• Enterprise management: Enterprise Edition yes, with added ability for EMS to manage SEs
• Publishing
• VPN support
• Forward proxy/cache, compression
• Network IPS (NIS)
• E-mail protection: requires a Microsoft® Exchange Server license (Server + CALs) and installation by the admin
Subscriptions
• Subscription-based licenses
o Sold as Client Access Licenses (CALs)
o Charged per user/per year
• Protection components
o E-mail protection
• Antispam
• Antivirus
o HTTP protection
• Antimalware
• URL filtering
o Network Inspection System is free!
Single Adapter Scenario
• Forefront TMG supports using a single network adapter
• Supported scenarios
o Secure Web Gateway (forward Web proxy and cache)
o Web Publishing (reverse Web proxy and cache)
o Remote client VPN access
• Unsupported scenarios
o Application layer inspection (except for Web proxy)
o Server publishing
o Non-Web clients
• Firewall client
• SecureNAT
o Site-to-site VPNs
Secure Web Gateway: Threats and Controls
Controls: Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS
Threats: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control
Legend (how far each control covers each threat): Full, Partial, Enabler
Forefront TMG HTTPS Traffic Inspection
• HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats
o Trusted certificate generated by proxy matching the URL expected by the client
Diagram: the client's SSL session ends at TMG, which presents a Contoso.com certificate signed by TMG; a second SSL session from TMG to Contoso.com on the Internet uses the site's certificate signed by VeriSign. The decrypted traffic passes through URL Filtering, Malware Inspection and the Network Inspection System.
Enabling HTTPS Traffic Inspection
Diagram: Contoso.com certificate signed by TMG on the client side; Contoso.com certificate signed by VeriSign on the Internet side.
• Certificate deployment (via Active Directory® or Import/Export)
• Configure HTTPS Inspection:
o Proxy certificate generation/import and customization
o Source and destination exclusions
o Validate only option
o Notification
• Client notifications about HTTPS inspection (via Firewall client)
• Certificate validation (revocation, trusted, expiration validation, etc.)
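As an added example (not Forefront TMG code), the Python below models the per-connection decision the configuration above describes: source and destination exclusions, the Validate only option, and certificate validation (trust, expiry, name, revocation) before a proxy certificate is issued. The policy values, trust store, certificate records and clock are constructed assumptions.

```python
from datetime import datetime, timezone
from fnmatch import fnmatch
import ipaddress

POLICY = {                                         # constructed policy mirroring the slide's options
    "source_exclusions": ["10.0.5.0/24"],          # client networks that are never inspected
    "destination_exclusions": ["*.bank.example"],  # sites never inspected (e.g. legal requirement)
    "validate_only": False,                        # True: validate the server cert, do not decrypt
    "trusted_roots": {"VeriSign"},                 # assumed trust store contents
}

def validate_certificate(cert, host, now, policy=POLICY):
    """Return the validation failures TMG would report for the server certificate."""
    problems = []
    if cert["issuer"] not in policy["trusted_roots"]:
        problems.append("untrusted issuer")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("expired or not yet valid")
    if not any(fnmatch(host, name) for name in cert["names"]):
        problems.append("name mismatch")
    if cert.get("revoked"):
        problems.append("revoked")
    return problems

def decide(src_ip, host, server_cert, now, policy=POLICY):
    """Decide how one HTTPS connection from src_ip to host is handled."""
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(n) for n in policy["source_exclusions"]):
        return "bypass: source excluded"
    if any(fnmatch(host, p) for p in policy["destination_exclusions"]):
        return "bypass: destination excluded"
    problems = validate_certificate(server_cert, host, now, policy)
    if problems:
        return "block: " + ", ".join(problems)
    if policy["validate_only"]:
        return "tunnel: validated, not decrypted"
    # Full inspection: both SSL legs terminate at TMG, which re-issues a
    # certificate for host under the proxy CA that was deployed to clients.
    return "inspect: proxy certificate for " + host

# Constructed sample data: a clock value and the server certificate of contoso.com.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
CONTOSO_CERT = {"issuer": "VeriSign", "names": ["contoso.com", "*.contoso.com"],
                "not_before": datetime(2009, 1, 1, tzinfo=timezone.utc),
                "not_after": datetime(2011, 1, 1, tzinfo=timezone.utc)}
EXPIRED_CERT = dict(CONTOSO_CERT, not_after=datetime(2010, 1, 1, tzinfo=timezone.utc))
```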
Configuring HTTPS Inspection
HTTPS Inspection Notifications
• Notification provided by Forefront TMG client
o Notify user of inspection
o History of recent notifications
o Management of Notification Exception List
• May be a legal requirement in some geographies
HTTPS Inspection Notification: User Experience
Forefront TMG URL Filtering
• 91 built-in categories
• Predefined and administrator-defined category sets
• Integrates leading URL database providers
• Subscription-based
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule, deny messages
Diagram: TMG queries the Microsoft Reputation Service (URL DB) over the Internet.
URL Filtering Benefits
• Control user Web access based on URL categories
• Protect users from known malicious sites
• Reduce liability risks
• Increase productivity
• Reduce bandwidth and Forefront TMG resource consumption
• Analyze Web usage
What Makes MRS Compelling?
• Existing URL filtering solutions
o A single vendor can't be an expert in all categories
o Categorization response time
• MRS unique architecture
o MRS merges URL databases from multiple sources/vendors
• Multi-vendor AV analogy
o Based on Microsoft internal sources as well as collaboration with third-party partners
o Scalable
• Ongoing collaborative effort
o Recently announced an agreement with Marshal8e6
o More announcements to follow
How Forefront TMG Leverages MRS
• Feedback mechanism on category overrides
• Fetch on cache miss
• SSL for auth & privacy
• No PII
Diagram: multiple vendors feed MRS in Microsoft datacenters; TMG's Categorizer sends Query (URL) over SSL as a federated query, consults Policy and Cache, and returns telemetry over a separate SSL path. Cache: persistent, in-memory, weighted TTL. MRS combines the vendor data with telemetry data.
URL Filtering Categories: Liability, Security, Productivity
URL Filtering Category Precedence
No. Category
1 "Malicious"
2 "Pornography"
3 "Botnet"
4 "Phishing"
5 "Criminal Activities"
6 "Hate/Discrimination"
…
75 "Unknown"
http://www.microsoft.com/security/portal/mrs/
Categories and Inheritance
URL Filtering Policy
• URL categories are standard network objects
• Administrator can create custom URL category sets
URL Filtering Policy
Contoso's Web Access Policy
• Access rule allowing users in the Research group to access gambling and gambling-related sites
• Access rule denying everyone access to Liability and Security sites
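The category precedence list and Contoso's policy above, as an added Python example (not TMG code): a URL carrying several categories is acted on by its highest-precedence category, and access rules are then evaluated top-down with the first match winning. The ranks for Gambling and News, the category set membership and the trailing default rule are assumptions.

```python
# Lower number wins when a URL has several categories (ranks from the slide;
# the Gambling and News ranks are assumptions, since the slide elides 7..74).
CATEGORY_PRECEDENCE = {
    "Malicious": 1, "Pornography": 2, "Botnet": 3, "Phishing": 4,
    "Criminal Activities": 5, "Hate/Discrimination": 6,
    "Gambling": 20, "News": 40, "Unknown": 75,
}

# Category sets are network objects in TMG; this membership is assumed.
CATEGORY_SETS = {
    "Liability": {"Pornography", "Criminal Activities", "Hate/Discrimination", "Gambling"},
    "Security": {"Malicious", "Botnet", "Phishing"},
}

def effective_category(categories):
    """The single category TMG acts on: the one with the highest precedence."""
    return min(categories, key=lambda c: CATEGORY_PRECEDENCE.get(c, 75))

# Contoso's Web Access Policy in rule order; TMG evaluates top-down, first match wins.
RULES = [
    {"name": "Research gambling", "action": "allow", "users": {"Research"},
     "categories": {"Gambling"}},
    {"name": "Deny Liability/Security", "action": "deny", "users": {"All Users"},
     "categories": CATEGORY_SETS["Liability"] | CATEGORY_SETS["Security"]},
    {"name": "Default allow", "action": "allow", "users": {"All Users"},   # assumed rule
     "categories": set(CATEGORY_PRECEDENCE)},
]

def evaluate(url_categories, user_groups):
    """Return (action, matching rule name, category used) for one request."""
    category = effective_category(url_categories)
    groups = set(user_groups) | {"All Users"}
    for rule in RULES:
        if rule["users"] & groups and category in rule["categories"]:
            return rule["action"], rule["name"], category
    return "deny", "default rule", category   # TMG's built-in last rule denies everything
```

Note that a gambling site that is also flagged Phishing is denied even for Research, because Phishing (rank 4) outranks Gambling and the deny rule matches it first.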
Per-rule Customization
• TMG administrator can customize the denial message displayed to the user on a per-rule basis
o Add custom text or HTML
o Redirect the user to a specific URL
URL Filtering Configuration
Category Query
• Administrator can use the URL Filtering Settings dialog box to query the URL filtering database
o Enter the URL or IP address as input
o The result and its source are displayed on the tab
URL Category Override
• Administrator can override the categorization of a URL
o Feedback to MRS via Telemetry
User Experience (denial page shown for http://www.phishingsite.com)
HTML tags
New in SP1
HTTP Malware Inspection
• Integrates Microsoft Antivirus engine
• Signature and engine updates
• Subscription-based
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files…)
• Logging and reporting support
• Web Access Wizard integration
• Content delivery methods by content type
• Third-party plug-ins can be used (native malware inspection must be disabled)
Diagram: TMG receives signature DB updates from the Internet via MU or WSUS.
Content Trickling
Components: Firewall Service, Web Proxy, Malware Inspection Filter, Request Context, Scanner.
Sequence:
1. The client sends GET msrdp.cab; the Web Proxy forwards GET msrdp.cab to the server.
2. The server answers 200 OK; the Malware Inspection Filter accumulates the content in the request context and hands it to the scanner.
3. The client receives 200 OK, with the accumulated content trickled to it in small portions while the scan completes.
Progress Notification
Components: Firewall Service, Web Proxy, Malware Inspection Filter, Primary Request Context, Secondary Request Context, Downloads Map, Scanner.
Sequence:
1. The client sends GET setup.exe; the Web Proxy forwards GET setup.exe; the server answers 200 OK (setup.exe) and the content is accumulated in the primary request context.
2. The client receives 200 OK (HTML): a progress page instead of the file.
3. The client polls with GET GetDownloadStatus and receives 200 OK (Retrieving), then 200 OK (Scanning), then 200 OK (Ready); each poll is a secondary request context that looks the download up in the Downloads Map.
4. The client sends GET FinalDownload and receives 200 OK (setup.exe).
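The progress notification exchange above as an added Python simulation (not TMG's code): the status names and request names come from the slide, while the scanner, the sample content and the HTTP status used for blocked or unfinished content are constructed for the example.

```python
# Added example, not Forefront TMG code: a simulation of the progress
# notification exchange shown above. Status names and request names come
# from the slide; scanner, chunk data and the final HTTP codes are constructed.

class DownloadsMap:
    """Primary request context fetches and scans; secondary requests poll it."""

    def __init__(self, scanner):
        self.scanner = scanner      # callable(bytes) -> True if clean
        self.downloads = {}         # download id -> state

    def start(self, download_id, origin_chunks):
        # Primary request (GET setup.exe): content is accumulated at the proxy
        # and the client immediately gets an HTML progress page instead.
        self.downloads[download_id] = {"status": "Retrieving",
                                       "chunks": iter(origin_chunks), "body": b""}
        return "200 OK (HTML)"

    def poll(self, download_id):
        # Secondary request (GET GetDownloadStatus): one step of progress per poll.
        d = self.downloads[download_id]
        if d["status"] == "Retrieving":
            chunk = next(d["chunks"], None)
            if chunk is None:
                d["status"] = "Scanning"
            else:
                d["body"] += chunk
        elif d["status"] == "Scanning":
            d["status"] = "Ready" if self.scanner(d["body"]) else "Blocked"
        return f"200 OK ({d['status']})"

    def final_download(self, download_id):
        # GET FinalDownload: release the scanned file only when it is Ready.
        d = self.downloads[download_id]
        if d["status"] == "Ready":
            return "200 OK (setup.exe)", d["body"]
        return "403 Forbidden", b""   # assumed response for blocked/unfinished content

def sample_scanner(body):
    return b"MALWARE-TEST-SIGNATURE" not in body   # constructed detection rule

def run_exchange(chunks):
    """Drive the whole client/proxy exchange; returns (response log, body)."""
    dm = DownloadsMap(sample_scanner)
    log = [dm.start("setup.exe", chunks)]
    while dm.downloads["setup.exe"]["status"] in ("Retrieving", "Scanning"):
        log.append(dm.poll("setup.exe"))
    status, body = dm.final_download("setup.exe")
    return log + [status], body
```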
Enabling Malware Inspection
• Activate the Web Protection license
• Enable malware inspection on Web access rules
o Web Access Policy Wizard or New Access Rule Wizard for new rules
o Rule properties for existing rules
Malware Inspection Global Settings
• Administrator can configure malware blocking behavior:
o Low, medium and high severity threats
o Suspicious files
o Corrupted files
o Encrypted files
o Archive bombs (too many depth levels or unpacked content too large)
o File size too large
Malware Inspection Per-rule Overrides
User Experience: Content Blocked
User Experience: Progress Notification
Network Inspection System (NIS)
• Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
o Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
o Detects and potentially blocks attacks on network resources
• NIS helps organizations reduce the vulnerability window
o Protects machines against known vulnerabilities until a patch can be deployed
o Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window
• Integrated into Forefront TMG
o Synergy with HTTPS Inspection
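As an added illustration (not NIS code) of vulnerability-based versus exploit-based signatures: a constructed toy protocol whose decoder is assumed to have a 32-byte name buffer, with one signature that matches the bytes of a single known exploit beside one that decodes the protocol and flags any message that would overflow the buffer. The protocol, the buffer size and both signatures are assumptions made for the example.

```python
import struct

MAX_NAME = 32   # assumed: size of the vulnerable decoder's fixed name buffer

def decode_greeting(packet):
    """Decode the toy protocol: 1-byte type, 2-byte big-endian length, payload."""
    if len(packet) < 3:
        raise ValueError("truncated header")
    msg_type, length = struct.unpack("!BH", packet[:3])
    payload = packet[3:3 + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds packet")
    return {"type": msg_type, "length": length, "name": payload}

def build_greeting(msg_type, name):
    """Encode a message the way a client of the toy protocol would."""
    return struct.pack("!BH", msg_type, len(name)) + name

def exploit_signature(packet):
    """Exploit-based: matches only the bytes of one published exploit (constructed)."""
    return b"A" * 40 in packet

def vulnerability_signature(packet):
    """Vulnerability-based: decode the protocol and flag the condition that
    triggers the bug (a greeting name longer than the buffer), whatever the bytes."""
    try:
        msg = decode_greeting(packet)
    except ValueError:
        return True          # framing the decoder cannot parse is treated as hostile here
    return msg["type"] == 0x01 and msg["length"] > MAX_NAME

def compare(packet):
    """Which of the two signature styles would alert on this packet."""
    return {"exploit": exploit_signature(packet),
            "vulnerability": vulnerability_signature(packet)}
```

A trivially re-encoded variant of the exploit evades the byte-pattern signature but not the decoded length check, while an oversized field in a non-vulnerable message type raises no alert from either.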
New Vulnerability Use Case
• Vulnerability is discovered
• Response team prepares and tests the vulnerability signature
• Signature released by Microsoft and deployed through the distribution service, on security patch release
• All un-patched hosts behind Forefront TMG are protected
Diagram: Vulnerability Discovered → Signature Authoring Team (signature authoring, testing) → TMG Signature Distribution Service → TMG in the Corporate Network.
NIS Response Process
Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release
Targeting 4 hours
Enabling and Configuring NIS
Client Types
• Web proxy client
o CERN-compatible browsers/applications
• SecureNAT client
o Any host supporting IP
• Forefront TMG client
o Formerly ISA firewall client
o Windows computers
Client Comparison
Feature                   | SecureNAT Client                                               | Forefront TMG Client     | Web Proxy Client
Installation required     | IP routing configuration                                       | Yes                      | Web browser configuration
OS support                | Any OS supporting TCP/IP                                       | Windows only             | Any proxy-aware Web application
Protocol support          | Requires application filters for multiple-connection protocols | All Winsock applications | HTTP, HTTPS, and FTP download
User-level authentication | No                                                             | Yes                      | Yes
Web Proxy Client Configuration
• Generate configuration
• Discover configuration
o Automatic configuration script
o Web Proxy Auto Discovery (WPAD)
o Static proxy configuration
• Enforce configuration
o Manual
o Group policy
o Forefront TMG client
SecureNAT Clients
• Only requires proper routing
• Clients perform DNS resolution
• Limitations:
o No user information passed
o No support for secondary connections (without application filter)
• Use for:
o Non-Web protocols
o Simple, unauthenticated protocols
o Non-Windows systems
Forefront TMG Client
• Formerly known as ISA Firewall client
• Supports all WinSock-based applications
o FwcWsp.dll registered with WinSock protocol stack
o FwcWsp tracks all WinSock calls
o All remote TCP calls sent to FWC listener (TCP 1745)
o User information passed on all requests
• Use for:
o User-based access authentication to non-Web protocols
o Complex protocols with secondary connections
Forefront TMG Client Discovery
• Secure discovery using Active Directory, with fallback to DHCP and DNS
o Secure discovery uses AD to store discovery information for domain members
o Forefront TMG client and Web proxy discovery
o Allows global and site-specific markers
o Configured using TmgAdConfig.exe
TmgAdConfig add -site <Site> -type <winsock|webproxy> -url <URL>
Server-side Configuration
• Domains and Addresses tabs determine routing