• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Threat Management Gateway 2010- Forefront Community launch 2010

Threat Management Gateway 2010 - Forefront Community launch 2010



Threat Management Gateway 2010

Threat Management Gateway 2010



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Threat Management Gateway 2010- Forefront Community launch 2010 Threat Management Gateway 2010 - Forefront Community launch 2010 Presentation Transcript

    • Threat Management Gateway 2010 Krzysztof Bińkowski
    • Agenda        Overview URL filtering (URL-F) Edge Malware Protection (EMP) HTTPS Inspections ISP Redundancy (ISP-R) Network Inspection System (NIS) TMG 2010 tools and virtualization 2
    • Threat Management Gateway 2010 Overview
    • TMG & UAG Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures Protection Access
    • TMG New Features • HTTP Antivirus/ antimalware • URL Filtering • HTTPS forward inspection Secure Web Access • VoIP traversal (SIP) • Enhanced NAT • ISP Link Redundancy Firewall • NAP integration with VPN role • SSTP Remote Access • Exchange Edge/FPE integration • Anti-Virus • Anti-spam • Network Inspection System (NIS) • Security Assessment and Response (SAS) E-mail Protection Intrusion Prevention • Array Management • Scenario UI & Wizards • Change tracking • Enhanced reporting • W2K8, native 64-bit • Update Center : •HTTP: AV+URL Filtering • Email: AV+Anti-Spam • NIS signatures Deployment & Management Subscription Services 5
    • TMG Features Summary ISA 2006 TMG 2010 Network firewall   Application firewall   Internet access protection (proxy)   Basic OWA & SharePoint publishing   Exchange publishing (RPC over HTTP)   IPSec VPN (remote & site-to-site)     Web caching, HTTP compression Windows Server 2008, 64-Bit (only)  New Web anti-virus, anti malware  New URL filtering  New Email anti-malware, anti-spam  New Network intrusion prevention  New Integration with codename “Stirling”  New Enhanced UI, management, reporting  New
    • TMG versioning Standard Edition Supported deployment scenarios CPUs Standalone server Enterprise Edition • • Servers in a Standalone Array Servers in an array managed by EMS Up to 4 CPUs Unlimited Array/NLB/CARP support No, you can only have one Server Yes Enterprise Management No Yes, with added ability to manage Standard Editions Not supported Supported Publishing   VPN support   Forward proxy/cache, compression   Network IPS (NIS)   Require subscription Require subscription Require exchange license Require exchange license Stirling integration Web AV + URL Filtering Email AV/AS
    • Upgrading from SE to EE  A valid EE product key is required
    • Setup Feature TMG Supported OS Windows Server 2008 SP2 x64 Windows Server 2008 R2 x64 EMS Windows Server 2008 SP2 x64 Windows Server 2008 R2 x64 TMG management console Windows Server 2008 R2-SP2 x32, x64 Windows Vista SP1 x32, x64 Windows 7 x32, x64
    • Threat Management Gateway 2010 URL Filtering
    • URL-F Introduction  URL Filtering allows controlling end-user access to Web sites and protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic materials, based on predefined URL categories  The typical use case for this feature includes:     Enhancing your security. Lowering liability risks. Improving the productivity of your organization. Saving network bandwidth.
    • MRS – Microsoft Reputation Services   Aggregate reputation data from multiple vendors Use telemetry in order to improve data accuracy iFilter Marshal 8e6 IE Security MRS BrightCl oud
    • URL Filtering  Microsoft Reputation Service (MRS) returns one of 80 “category” indications for each URL  Including “Unknown” MRS www.soccer.com ? category = sports + in cache www.soccer.com Request Content Content Firewall rule: Allow category Sports after 5 PM only
    • URL category usage  URL category information is used for      Rules (Allow/Deny rules according to category) Log EMP exclusion list HTTPS exclusion list No reverse lookups.
    • Administration  « URL Denied » error message can be customized
    • Category query tool  Available from the Web Protection Tasks  Allows the administrator to know the category of a URL and source of categorization (local cache, MRS, override)
    • URL category overrides Available from the Web Protection Tasks  Gives the possibility to assign a URL to a different category that its default category (returned by MRS) 
    • Licensing URL Filtering is a subscription based service  Per-user and per-year  License must be valid for URL Filtering to work 
    • System Rule   Traffic with MRS is SSL encrypted A system rule allows HTTPS between LocalHost to Microsoft Reputation Service Sites domain name set
    • URL Filtering
    • Threat Management Gateway 2010 Edge Malware Protection
    • Edge Malware Protection  Inspect web traffic on the edge to prevent any malware from infecting machines inside the organization  Easier to keep the edge updated with malware signatures rather then individual client machines  Unmanaged machines that might not have host AV up to date are also protected  Malware activity detected on the edge can be easily monitored thanks to logging and reporting
    • Scenario   Supported scenario : access download Unsupported scenarios : Access upload  Publishing download  Publishing upload 
    • Client Comforting     Accumulating an entire file and scanning it may take a significant amount of time During this period of time, the client doesn't receive any data and as a result a software timeout can occur or the user can even cancel the download. “Client comforting” defines a set of methods that guaranty a good user’s experience while content is inspected on the Edge Comforting methods:  Delayed Download  HTML Progress Page  Trickling:  Standard  Fast
    • End User Scenarios – Delayed 1) User browses to site.com and attempts to download a file 2) site.com responds with content 3) TMG accumulates the content, timing the download and inspection site.com request request response response 4) In case the content is downloaded and inspected in less than X seconds (Delivery Delay) TMG passes the whole file to the client
    • End User Scenarios – Progress Page End user will receive an HTML Progress Page if time for download and inspection exceeds X seconds (delivery delay) and if some others conditions are satisfied (see next slide) site.com request request response progress page
    • End User Scenarios – Scanning completed If content is safe (or successfully cleaned), the page informs the user that the content is ready and displays a button for downloading the content, otherwise the page notifies the user that a malware was detected. In that case, the file is purged immediately from the temporary storage.
    • Standard Trickling • TMG will use this method if the client application is not a browser (not able to handle the dynamic code embedded in the Progress Page). • TMG will deliver content to the client using Trickling when Delayed download and Progress can’t apply. Trickling consists in sending very small chunk of data to the client until the whole file is inspected. site.com request request response trickled response User’s experience : download will start at a very low transfer rate and speeds up after inspection completion
    • Fast Trickling Similar to Standard Trickling  Intended to be used for media files played by online players (like YouTube)  TMG delivers the data as fast as possible to the end user to keep a good user experience.  The tradeoff between user experience and inspection performance is governed by the FastTricklingMode COM setting   User experience degrades (but inspection performance improves) when the EMP filter need more minimum bytes to perform a partial inspection so increasing buffering on TMG
    • Threat Management Gateway 2010 HTTPS Inspections
    • HTTPS Inspection Today more and more web traffic is https. Some of this traffic is legitimate; some isn’t and might contain malicious traffic.  We have lot of tools for http protection (antimalware, NIS ..), but no for https protection as this traffic is tunneled through the Proxy.  This feature will enable the TMG administrator to inspect outgoing https traffic on the edge and will prevent the end user from downloading malicious software (malware) that could infect the entire organization. 
    • HTTPS Traffic Inspection Microsoft Confidential
    • Motivation  In order to be able to inspect outgoing https traffic, TMG will break HTTPS connections using a man in the middle mechanism (doing sort of “bridging”)
    • HTTPS Inspection Mechanism Signed by”TMG CA” www.fabrikam.com Request Signed by Verisign www.fabrikam.com Request Certificate SSL In Web browser: https://www.fabrikam.com Certificate SSL In TMG request: https://www.fabrikam.com
    • TMG CA Certificate not installed on client The CA certificate (e.g. self signed certificate) used by TMG must be deployed on the client, otherwise the client won’t trust the certificate issued by TMG on behalf of the web server (user won’t receive the inspection notifications in that case)  If the client does not have the CA certificate used by TMG, it will receive the error below when accessing an SSL web site if https inspection is enabled. 
    • CA Certificate generation and deployment  The CA certificate used by TMG to issue the certificate can be of two types: a generated self signed certificate  an existing trusted certificate authority 
    • CA Certificate generation and deployment   This CA certificate must then be deployed on the client computers (under “Trusted Root Certification Authorities” of the Local computer certificates store), otherwise the client won’t trust the server certificate received from TMG Two possible deployment methods for the CA certificate:
    • User notifications  Client must have TMG Client to receive notification of inspection and CA Certificate must be properly deployed on client
    • HTTPS Inspections
    • Threat Management Gateway 2010 Network Inspection System (NIS)
    • Intrusion Prevention System
    • Intrusion Prevention System Forefront Network Inspection System (NIS) Closing the vulnerability window between vulnerability announcement and patch deployment Signatures distribution by Microsoft Update Concurrent with security patches or in response to a 0-Day attack
    • Using NIS for IPS TMG Vulnerability found Signature authoring team  Detect and prevent known vulnerability-based attack attempts at the Edge of the network or in datacenter  Same day availability of the patch and NIS signature  Closes the vulnerability window which is needed for patch testingdeployment:   Patches need to be tested more thoroughly Customer acceptance (similar to AV updates) 50
    • TMG: Network Inspection System 51
    • NIS Demo
    • Threat Management Gateway 2010 ISP Redundancy
    • ISP-R – Introduction  New feature introduced in TMG that allows the coexistence of 2 ISP connections  With this feature TMG ensures Internet connectivity is not lost even when one Internet service provider (ISP) is down
    • Feature Overview Two different scenarios:  High Availability of Internet connectivity   TMG will use a backup line in case the primary is down (Failover) Load balancing between ISP providers /connections  TMG will use 2 concurrent ISP connections
    • Scenarios 2 network adapters’ scenario: TMG is configured with 2 NICs on the external network. Each NIC has a different subnet and is connected to a different ISP.  Single network adapter scenario: TMG is configured with single NIC on the external network with 2 different subnets – one for each ISP.  Note that Windows will display a warning when the administrator defines more than one default gateway on the system. In our case we can ignore this warning. 
    • ISP-R
    • Threat Management Gateway 2010 TMG 2010 Virtualization / Tools
    • TMG 2010 Virtualization Security Considerations with Forefront Edge Virtual Deployments Zabezpieczanie ISA Server i Forefront TMG w środowisku wirtualnym
    • TMG 2010 Tools    Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool Forefront Threat Management Gateway 2010 Capacity Planning Tool Microsoft® Forefront Threat Management Gateway (TMG) 2010 Tools & Software Development Kit
    • TMG 2010 EXAM  70-157 - Exam MCTS MCTS: Forefront Integrated Security, Configuring EXAM BETA - Q3 2010 ? Microsoft PRESS Forefront Threat Management Gateway Administrator’s Companion   http://blogs.technet.com/b/isablog/
    • What's new in TMG Reports?
    • TMG Reports – New Security Insights
    • Dziękuję za uwagę Security and Forensics Blog http://security-forensics.spaces.live.com/ http://ms-groups.pl/mssug/ Krzysztof.Binkowski@gmail.com
    • © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.