Forefront tmg 2010 virtualization

  2. Virtualization of Forefront Threat Management Gateway 2010
     Esmaeil Sarabadani
     MCT, MCSA/MCSE Security
     REDYNAMICS ASIA SDN. BHD.
  3. What will be covered
     - Why do we virtualize the edge?
     - Virtual edge security concerns
     - The story of the parent
     - Defining the traffic flow and the traffic profile
     - Deploying Forefront TMG as the virtual edge firewall
     - Deploying Forefront TMG as a three-legged and back-to-back firewall
     - Designing a virtual perimeter network or DMZ
     - Tips for better management and performance
  4. Why do we virtualize the edge?
     - Faster disaster recovery in case of edge failure
     - Increases the complexity of the network for hackers
     - Suitable for small businesses
  5. Virtualization of the network edge: concerns
     - Software is less secure than hardware
     - Hardware firewalls are all software-based but just come in a hardware package
  6. Virtualization of the network edge: concerns
     - More complicated network structure
     - More difficult to manage
     - The same old argument against Windows security being placed on the edge:
       - Exchange Server 2010 Edge role
       - Office Communications Server 2007 Edge role
       - ISA Server is 10 years old without any exploits
       - Linux is more secure than Windows
       - Information from www.securityfocus.com
  7. The story of the parent: physical vs. virtual
     (Diagram: the physical stack of hardware, operating system and application/TMG beside the virtual stack of hardware, hypervisor, parent operating system and child (guest) operating systems running TMG and the applications.)
  8. The story of the parent
     If the parent is compromised, the whole virtualized environment is compromised.
     (Diagram: Internet, virtual networking components, parent with TMG and two guest OSs, LAN; the parent, both guests and the virtual networking components are all marked COMPROMISED.)
  9. The story of the parent
     - DO NOT install TMG on the parent partition
     - Run Windows Server 2008 R2 Core on the parent
     - DO NOT use the parent as a workstation; it's a SERVER
     - Restrict the management of the parent
     - Enable BitLocker on the parent
     - Keep the parent OS up to date
     - Disconnect the parent from the internet
 10. Configuring the parent partition (demo)
 11. TMG as an edge firewall
     (Diagram: Hyper-V host with two physical NICs. One external virtual switch is connected to the internet and a second external virtual switch to the LAN; the guest OS with TMG has virtual NIC 1 on the internet switch and virtual NIC 2 on the LAN switch; the parent OS is disconnected from the internet.)
 12. Deploying TMG as an edge firewall (demo)
 13. Defining the traffic profile
     - Virtual environments make the network structure complex for attackers to penetrate
     - Capture the network traffic on the TMG host using the Microsoft Network Monitor tool
     - Avoid the use of an Allow All rule
     - Restrict RPC and DCOM to specific ports
 14. Defining a traffic profile (demo)
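The last bullet of slide 13 is usually applied on the published server rather than on TMG itself: once RPC and DCOM are pinned to a known port range, the TMG rule for that server can name the range instead of an Allow All rule. The following PowerShell is an added example, not part of the deck; it runs elevated on the server behind TMG, the range 5000-5254 is a constructed sample value, and the RPC runtime only reads the key after a reboot.

```powershell
# Added example (not from the deck): pin the ports that RPC, and therefore DCOM,
# servers are allocated on a published server, so the TMG rule can be narrow.
# Assumptions: run elevated; 5000-5254 is a constructed sample range.
$StartPort = 5000
$NumPorts  = 255                       # netsh requires at least 255 ports in a range
$EndPort   = $StartPort + $NumPorts - 1
$RpcKey    = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# RPC server applications take their listening ports from this key.
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$StartPort-$EndPort") -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Keep the TCP ephemeral range (used for DCOM callbacks) inside the same window.
netsh int ipv4 set dynamicport tcp start=$StartPort num=$NumPorts | Out-Null

# Read back what was written so the TMG rule can be built from the same numbers.
function Get-RpcPortRestriction {
    $p = Get-ItemProperty -Path $RpcKey
    [pscustomobject]@{
        RpcPorts         = ($p.Ports -join ',')
        UseInternetPorts = $p.UseInternetPorts
        TcpDynamicRange  = "$StartPort-$EndPort"
    }
}
Get-RpcPortRestriction
```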
 15. Designing the perimeter network or DMZ
     What's the DMZ? A DMZ (demilitarized zone) is a sub-network that contains and exposes an organization's external services to the internet.
     The two well-known DMZ designs:
     - Three-legged firewall design: one firewall with interfaces on the internet, the LAN and the perimeter network
     - Back-to-back firewall design: a front-end firewall facing the internet, the perimeter network between, and a back-end firewall in front of the LAN
     (Diagram of both designs.)
 16. TMG as a three-legged firewall
     (Diagram: Hyper-V host with two physical NICs. The guest OS with TMG has virtual NIC 1 on the external virtual switch connected to the internet, virtual NIC 2 on the external virtual switch connected to the LAN and virtual NIC 3 on the DMZ virtual switch; the guest OS in the DMZ has one virtual NIC on the DMZ virtual switch; the parent OS is disconnected from the internet.)
 17. TMG as a three-legged firewall
     (Diagram: a variant of the layout on slide 16 in which the DMZ virtual switch is also bound to a third physical NIC and a physical switch.)
 18. Deploying TMG as a three-legged firewall (demo)
 19. Designing the three-legged DMZ
     Guest OSs in the DMZ are all connected to the same virtual switch.
     (Diagram: the guest OS with TMG has virtual NIC 1 on the external virtual switch connected to the internet, virtual NIC 2 on the external virtual switch connected to the LAN and virtual NIC 3 on the DMZ virtual switch; a DC and a file server each have a virtual NIC on the DMZ virtual switch.)
 20. Designing the three-legged DMZ
     Guest OSs in the DMZ are connected to different virtual switches.
     (Diagram: as on slide 19, but the file server sits on DMZ virtual switch #1 and the DC on DMZ virtual switch #2; the guest OS with TMG has virtual NIC 3 on switch #1 and virtual NIC 4 on switch #2.)
 21. Configuring the DMZ on Hyper-V (demo)
 22. Designing the three-legged DMZ: tips and hints
     - The traffic must flow through TMG.
     - Avoid connecting the guest OSs to the external virtual switch.
     - Connect servers with different security criteria to separate virtual switches.
     - For every virtual switch that TMG connects to, there needs to be a virtual NIC on it.
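The layout of slides 16 to 22, built and then checked against the tips above, as an added example that is not part of the deck. It assumes the Hyper-V PowerShell module (Windows Server 2012 and later; the 2008 R2 hosts in the deck were managed through the WMI provider instead), and the NIC, VM and switch names are constructed sample values.

```powershell
# Added example, not code from the deck. Assumes the Hyper-V PowerShell module
# (Windows Server 2012 or later). NIC, VM and switch names are constructed values.
$InternetNic = 'Ethernet 1'                   # physical NIC facing the internet
$LanNic      = 'Ethernet 2'                   # physical NIC facing the LAN
$TmgVm       = 'TMG'                          # guest OS with TMG
$DmzVms      = @('WebFrontEnd', 'SmtpRelay')  # guest OSs in the DMZ, one vNIC each
$ExternalSw  = 'External-Internet', 'External-LAN'

# External switches: AllowManagementOS $false keeps the parent OS off both of
# them (slide 9: the parent is disconnected from the internet).
New-VMSwitch -Name 'External-Internet' -NetAdapterName $InternetNic -AllowManagementOS $false | Out-Null
New-VMSwitch -Name 'External-LAN'      -NetAdapterName $LanNic      -AllowManagementOS $false | Out-Null
# The DMZ switch is private, so its only way out is the TMG guest's third vNIC.
New-VMSwitch -Name 'DMZ' -SwitchType Private | Out-Null

# One virtual NIC on the TMG guest for every switch it must route between.
foreach ($sw in $ExternalSw + 'DMZ') {
    Add-VMNetworkAdapter -VMName $TmgVm -Name "vNIC-$sw" -SwitchName $sw
}
foreach ($vm in $DmzVms) { Connect-VMNetworkAdapter -VMName $vm -SwitchName 'DMZ' }

# Design check for the tips on slide 22; returns one line per violation,
# nothing when the layout is sound.
function Test-ThreeLeggedDmz {
    param([string]$Tmg, [string[]]$Dmz, [string[]]$External)
    $problems    = @()
    $tmgSwitches = (Get-VMNetworkAdapter -VMName $Tmg).SwitchName
    foreach ($sw in $External) {
        if ((Get-VMSwitch -Name $sw).AllowManagementOS) {
            $problems += "Parent OS has an adapter on external switch '$sw'"
        }
    }
    foreach ($vm in $Dmz) {
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm) {
            if ($External -contains $nic.SwitchName) {
                $problems += "DMZ guest '$vm' bypasses TMG via '$($nic.SwitchName)'"
            } elseif ($tmgSwitches -notcontains $nic.SwitchName) {
                $problems += "DMZ guest '$vm' is on '$($nic.SwitchName)' but TMG has no vNIC there"
            }
        }
    }
    return $problems
}
Test-ThreeLeggedDmz -Tmg $TmgVm -Dmz $DmzVms -External $ExternalSw
```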
 23. A back-to-back TMG firewall design
     (Diagram: Hyper-V host with two physical NICs and two TMG guests. The front-end TMG has virtual NIC 1 on the external virtual switch connected to the internet and virtual NIC 2 on the DMZ virtual switch; the back-end TMG has virtual NIC 1 on the DMZ virtual switch and virtual NIC 2 on the external virtual switch connected to the LAN; the guest OS in the DMZ has one virtual NIC on the DMZ virtual switch.)
 24. Deploying the back-to-back TMG (demo)
 25. The virtual edge management
     - A dedicated physical interface connected to the management VLAN
     - It has a different IP address range
     - It stays available even if the virtual infrastructure fails, so management is still possible
     - Access to the parent is isolated
 26. The virtual edge performance
 27. Resources
     - My blog: http://esihere.wordpress.com/
     - Microsoft Virtualization Technology: www.microsoft.com/virtualization/
     - Forefront Threat Management Gateway 2010: http://www.microsoft.com/forefront/threat-management-gateway/en/us/
     - TechNet Edge videos: http://technet.microsoft.com/en-us/edge/default.aspx
     - TechNet for system professionals: http://technet.microsoft.com/
     - My e-mail address: e.sarabadani@gmail.com
 28. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
     The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
