Module 2: Secure Web Gateway
© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respect...
Module Overview: Secure Web Gateway overview; HTTPS inspection; URL filtering; Malware protection; Int...
Lesson 1 – Secure Web Gateway Overview
What is a Secure Web Gateway (SWG)? “A SWG is a solution that filters unwanted software/malware from user-initiated We...
The Growing Market Potential: Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over...
The Competitive Landscape: Websense; Trend ...
Forefront TMG as a Secure Web Gateway: URL Filtering, Comp...
Secure Web Gateway Layered Security: Unifies inspection techn...
Threats and Controls: Application / HTTPS / Anti- / URL / Threats ...
Lesson 2 – HTTPS Inspection
Traditional SSL Security: Web browser sends a CONNECT request to the Web proxy (CONNECT host_name:port HTTP/1.1). Web prox...
Forefront TMG HTTPS Traffic Inspection: Network ...
Enabling HTTPS Traffic Inspection: Configure HTTPS Inspection...
Generating the HTTPS Inspection Certificate: The HTTPS inspection certificate can be either generated by Forefront TMG or i...
Deploying the HTTPS Inspection Certificate: Two methods can be used to enable clients to trust the HTTPS Inspection Certifi...
How HTTPS Inspection Works: Enable HTTPS inspection ...
Scenario Walkthrough: Contoso Web Access Policy. No browsing to sites that pose security or liability risks, but... Researche...
Configuring HTTPS Inspection
HTTPS Inspection Notifications: Notification provided by Forefront TMG client; Notify user of inspection; History of re...
HTTPS Inspection Notification: User Experience
Lesson 3 – URL Filtering
Forefront TMG URL Filtering: Microsoft Reputation • Integrates leading URL database ...
URL Filtering Benefits: Control user web access based on URL categories; Protect users from known malicious sites; Reduce lia...
Microsoft Reputation Service: Accuracy; Comprehensive and flexi...
What Makes MRS Compelling? Existing URL filtering solutions: Single vendor can't be expert in all categories; Categoriz...
How Forefront TMG Leverages MRS: Multiple Vendors; Federated; MRS ...
URL Filtering Categories: Security; Liability; Productivity
Categories and Inheritance
URL Filtering Policy: URL categories are standard network objects; Administrator can create custom URL category sets
URL Filtering Policy
Scenario Walkthrough: Contoso Web Access Policy. No browsing to sites that pose security or liability risks, but... Researchers...
Contoso’s Web Access Policy: Access rule denying everyone access to ...; Access rule allowing users in th...
Per-rule Customization: TMG administrator can customize denial ...
URL Filtering Configuration
Category Query: Administrator can use the URL Filtering Settings dialog box...
URL Category Override: Administrator can override the categorization of a URL...
User Experience
User Experience: HTML tags
Lesson 4 – Malware Protection
HTTP Malware Inspection: MU or WSUS ...
Content Trickling: Firewall Service; GET msrdp.cab; GET msrdp.cab ...
Progress Notification: Firewall Service ...
Malware Scanner Behavior: • Partial inspection for Standard Trickling High • Final inspection for files smaller ...
Enabling Malware Inspection: Activate the Web Protection license ...
Scenario Walkthrough: Contoso Web Access Policy. No browsing to sites that pose security or liability risks, but... Researchers...
Malware Inspection Global Settings
Malware Inspection Global Settings: Administrator can configure malware ...
Malware Inspection Per-rule Overrides
User Experience: Content Blocked
User Experience: Progress Notification
Lesson 5 – Intrusion Prevention
The Problem: Unpatched vulnerabilities. Average survival time of unpatched Windows® XP: less than 20 minutes. About two...
Defining an Intrusion Prevention System (IPS): Allow Known; Block Known ...
Network Inspection System (NIS): Protocol decode-based traffic inspection system that uses signatures of known vulnerabilit...
New Vulnerability Use Case: Vulnerability is discovered; Response team prepares and tests the vulnerability signature ...
Network Inspection System, Powered by GAPA (Generic Application Protocol Analyzer): A framework and platform for safe and fa...
Network Inspection System Architecture: Design Time: Protocol Parsers; Signatures ...
NIS Response Process: Threat Identification; Signature ...
Enabling and Configuring NIS
Other Network Protection Mechanisms: Common OS attack detection; DNS attack filtering; IP option filtering; Flood mitigation ...
Common OS Attack Detection: Inspects traffic for the following common attacks: ...
DNS Attack Filtering: Enables the following checks in DNS traffic: ...
IP Options Filtering: Forefront TMG can block IP packets based ...
Flood Mitigation: Forefront TMG flood mitigation mechanism uses: Cust...
Questions
Lab 2: Secure Web Gateway. In this lab, you will: Create web access policies for Contoso users,...
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be reg...
50357 a enu-module02
  • “Introducing the Secure Web Gateway: A SWG is a product that filters unwanted software or malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, as well as malicious code detection and filtering. Leading solutions will also be able to provide Web application-level controls for at least some of the more popular applications, including IM. SWGs should integrate with directories to provide authentication and authorization, along with group- and user-level policy enforcement. An SWG must bring together all these functions, without compromising performance for end users, which has been a challenge for traditional antivirus Web filtering. URL filtering includes the categorization of known Web sites into groups to enable comprehensive reporting as well as blocking some sites, for acceptable usage, productivity and security risks. There is also an increasing requirement for dynamic risk analysis of uncategorized sites and pages. Web reputation will be an area of differentiation as vendors invest in ways to better identify and classify Web sites and domains. Malicious code filtering eliminates all malicious and potentially unwanted code from Web traffic. The most-common malware detection techniques are signature-based detection of known malware. However, as threats continue to evolve, we expect leading vendors to offer a cocktail of non-signature-based malware detection techniques to detect and block unknown and more-evasive threats. Web application-level controls enable businesses to carefully manage adoption and use of public Internet-based applications, such as IM, Internet telephony (for example, Skype), multiplayer games, Web storage, Wikis, peer-to-peer, public VoIP, blogs, data-sharing portals, Web backup, remote PC access, Web conferencing, chat and streaming media”. Gartner Group, “Introducing the Secure Web Gateway”, March 2007
  • “The total [SWG] composite market exceeded $1 billion in 2007 and was growing at a rate of 44% year over year. Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth. We expect average market growth rates to be in the 25% to 35% range for the next two years. This growth will be fueled by increased penetration of dedicated SWG devices, incremental feature revenue and the impact of appliance-based products replacing software.” Gartner Group, 2008
  • The following new Forefront TMG features support the Secure Web Gateway role: Web antimalware is part of a Web Protection subscription service for Forefront TMG. Web antimalware scans Web pages for viruses, malware, and other threats. URL filtering allows or denies access to Web sites based on URL categories (such as pornography, drug, hate, or shopping). Organizations can not only prevent employees from visiting sites with known malware, but also protect business productivity by limiting or blocking access to sites that are considered productivity distractions. URL filtering is also part of the Web Protection subscription service. Network Inspection System (NIS) enables traffic to be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS can block classes of attacks while minimizing false positives. Protections can be updated as needed. HTTPS inspection enables HTTPS-encrypted sessions to be inspected for malware or exploits. Specific groups of sites (for example, banking sites) can be excluded from inspection for privacy reasons. Users of the Forefront TMG client can be notified of the inspection. Logging and reporting: Forefront TMG collects log information for traffic handled by the Microsoft Firewall service and by the Web Proxy filter, and generates reports that summarize and analyze log information. It also provides the ability to send runtime event alerts (both pre-defined system alerts and custom alerts).
  • To provide HTTPS protection, Forefront TMG acts as an intermediary between the client computer that initiates the HTTPS connection and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following: (1) establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site’s server certificate; (2) copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS inspection certificate; (3) presents the new certificate to the client computer, and establishes a separate SSL tunnel with it. Because the HTTPS inspection certificate was previously placed in the client computer’s Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.
  • The certificate used for HTTPS inspection can be generated by Forefront TMG itself, or issued by a CA and then imported into Forefront TMG. Forefront TMG also has the option to not inspect traffic but only validate site certificates; select this option to check only the validity of secure Web site certificates. The certificate used by Forefront TMG for HTTPS inspection has to be trusted by the clients; Active Directory can be used to do this for domain-joined machines. Some sources (for example, top executives) and some destinations (for example, financial institutions) may be excluded from HTTPS inspection. Clients can be notified that the HTTPS traffic is being inspected; this requires the use of the Forefront TMG client.
  • Commercial CAs will not typically issue HTTPS inspection certificates, because these certificates are themselves CA certificates, not end-entity certificates. Organizations will either use their internal PKIs to issue these certificates, or have Forefront TMG generate them. The HTTPS inspection certificate is stored in the configuration storage, and array members can begin using the HTTPS inspection certificate after synchronizing with the configuration storage.
  • There are two methods by which you can import the HTTPS inspection trusted root CA certificate to client computers. Automatically through Active Directory: automatic deployment using Active Directory is the recommended method, because the certificate is stored in a secured location, and it saves administrators the overhead of manual deployment. Note: automatic certificate deployment requires Forefront TMG to be deployed in a domain environment. Manually on each client computer: if you are not using Active Directory, the certificate must be installed manually on each client computer, and it must be placed in the local computer certificate store. Note that deployment through Active Directory will only work for browsers that use the Windows® certificate store (for example, Windows® Internet Explorer®, Opera, Chrome). Other browsers will need to be configured manually.
  • Let’s walk through a sample scenario where Contoso’s web access policy requires all HTTPS traffic to be inspected.
  • HTTPS inspection is configured using the Configure HTTPS Inspection task in the access policy task bar, or by using the Web Access Policy wizard.
  • The TMG administrator has the option to enable HTTPS inspection, to enable a validate-only policy where TMG will validate the server certificate but not actually inspect the traffic, or to disable it entirely. For the last two options, no certificate is required.
  • Administrators can choose to notify users that HTTPS traffic is being inspected. HTTPS inspection certificates can be automatically generated by Forefront TMG or an existing certificate can be used. This certificate needs to be a CA certificate (that is, it needs to have an indication that it is a CA certificate in its Basic Constraints).
  • To receive notifications of HTTPS inspection, client computers must have the HTTPS inspection trusted root certification authority (CA) certificate installed in the local computer’s Trusted Root Certification Authorities certificate store. If the certificate is not installed in this specific certificate store, the user will not receive balloon notifications of HTTPS inspection. To enable HTTPS inspection notifications on the Forefront TMG server: in the Forefront TMG Management console, in the tree, click the Web Access Policy node; in the Tasks pane, click Configure HTTPS Inspection; on the Client Notification tab, click Notify users that HTTPS inspection is being inspected, and then click OK. To enable HTTPS inspection notification on the Forefront TMG Client: on the Secure Connection Inspection tab, select Notify me when content sent to secure Web sites is inspected.
  • Notifications are shown as a balloon by the Forefront TMG client. The user may also ask the browser to display the web site certificate information, which will be shown as issued by Forefront TMG.
  • URL filtering identifies certain types of Web sites (for example, known malicious sites and sites that display inappropriate or pornographic materials) and allows or blocks access to the sites based on predefined URL categories. The default categorization of a specific Web site is determined by the Microsoft Reputation Service (MRS) and can be edited by the Forefront TMG system administrator. When a request to access a Web site is received, Forefront TMG queries MRS to determine the categorization of the Web site. If the Web site has been categorized as a blocked URL category or category set, Forefront TMG blocks the request. When users request access to a Web site to which access is blocked, they receive a denial notification that includes the denied request category. In some cases, users may contact the administrator to dispute the categorization of the Web site. In such a case, you can check whether the URL was categorized properly. If the Web site was not categorized correctly, you can create a custom setting for this URL. For more information, see the Microsoft TechNet article Introduction to managing URL filtering (http://technet.microsoft.com/en-us/library/dd897045.aspx). Forefront TMG features over 70 URL categories. A URL category is a collection of URLs that match a pre-defined criterion, such as malicious, anonymizers, or illegal drugs. Categories are grouped by category sets, which can be used to simplify the configuration of Forefront TMG policies. Forefront TMG uses Microsoft Reputation Service (MRS), a cloud-based object categorization system hosted in Microsoft data centers, to categorize the URLs that users request. MRS is designed to provide comprehensive reputation content to enable core trust scenarios across Microsoft solutions. MRS maintains a database with tens of millions of unique URLs and their respective categories.
  • The benefits of applying URL filtering include: enhancing your security by preventing access to malicious sites (such as phishing sites); lowering liability risks by preventing access to sites that display inappropriate materials (such as hate, criminal activities, or pornography sites); improving the productivity of your organization by preventing access to non-productive sites (such as games or instant messaging); using URL filtering related reports and log entries to learn about the Web usage in your organization (such as the most commonly browsed URL categories); excluding sites from inspection by the HTTPS and malware inspection mechanisms (such as excluding financial sites from HTTPS inspection because of privacy considerations).
  • The Microsoft Reputation Service (MRS) team wanted to confront an inherent problem with traditional URL filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution on its own. As a result, there are multiple vendors, each one specializing in a specific area of the solution. Some vendors specialize in identifying malicious sites and spam URLs, while others are rich with productivity related categories. Some specialize in covering the Internet's long tail (see http://en.wikipedia.org/wiki/The_Long_Tail), while others provide quick classification of previously unknown sites. Some use human-based classification, and others use machine-based techniques. Some are great with Web 2.0 style URLs, and the list goes on. Even those vendors who employ several classification techniques and cover multiple categories can't deal with the huge and ever-expanding challenges of today's Web. The MRS team's idea was simple: leverage the complementary capabilities of different vendors/sources to create a unified database that is best suited to deal with the challenges described above. And so, they have implemented a scalable architecture that allows incorporation of multiple streams of data into a merged database. In this way, each vendor and source brings its unique strengths to create a common solution. MRS already integrates several data sources and others will be on-boarded in the following months. Some of these data sources are internal to Microsoft, and others are the result of collaboration with third party partners. One such agreement, announced during RSA, is an agreement with Marshal8e6 (see this link for more information: http://www.marshal8e6.com/i/Marshal8e6-to-Provide-Web-Security-Library-to-Microsoft-,news.960~.asp). But the real benefit of MRS is that because it is a Web service, and because of its unique architecture, MRS can easily incorporate new databases in a way that is completely transparent to its customers. We expect the MRS unified database to expand over time and become the recognized industry leader. Forefront TMG customers will benefit naturally from this ongoing upgrade, through our Web security subscription services.
  • For policy purposes, URL Categories are standard network objects that can be used as destinations in Web access policies. Categories are also grouped into a higher-level hierarchy called Category Sets. Category Sets can also be used in Forefront TMG policy to simplify configuration.
  • Policies use URL categories as standard network objects in the Web access policy.
  • Let’s walk through a sample scenario where Contoso’s Web access policy requires that no browsing should be allowed to sites that pose specific risks to the organization, but also defines an exception to a specific group of users and a specific category of Web site.
  • URL Filtering is configured using the Configure URL Filtering task in the access policy task bar, or by using the Web Access Policy wizard.
  • Looking up a URL category: the following procedure describes how to query the URL filtering database regarding the categorization of a URL or IP address. In the Forefront TMG Management Console, in the tree, click Web Access Policy. In the Tasks pane, click Query for URL Category. On the Category Query tab, type a URL or IP address, and then click Query. The result of the category is displayed on the tab, as well as some insight as to the source of the categorization (for example, by override, IP address, or URL alias).
  • To change a domain's categorization, copy the URL or IP address, and click the URL Category Override tab. For more information, see the Microsoft TechNet article Overriding URL categorization (http://technet.microsoft.com/en-us/library/dd897110.aspx).
  • In this example, the user receives a phishing message that persuades the user to click on a link to http://www.phishingsite.com.
  • URL filtering identifies the link as a known phishing site and blocks the user from connecting to it. The Forefront TMG administrator can customize the message displayed to the user by adding custom text or HTML. Or the administrator can redirect the user to a specific URL (for example, a page displaying the organization’s web access policy).
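As an added example (not part of the deck and not Forefront TMG's own code), the following Python models the policy logic the HTTPS inspection and URL filtering notes describe: a categorizer with administrator overrides that reports the source of each answer as the Category Query tab does, ordered Web access rules over categories and category sets (Contoso's researcher exception sitting above the blanket deny), per-rule denial text carrying the denied category, and HTTPS inspection exclusions for financial destinations and executive users. Every domain, category name, group name and address is constructed for the demo, and treating excluded traffic as tunnelled without decryption is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for the MRS category database. The real service is a
# cloud-hosted database of tens of millions of URLs; every entry here is invented.
MRS_URL_DB = {
    "www.phishingsite.com": "Phishing",
    "games.example.net": "Games",
    "bank.example.com": "Finance",
    "proxy-tool.example.org": "Anonymizers",
}
MRS_IP_DB = {"203.0.113.10": "Malicious"}   # consulted when the request names an IP

# Category sets: the hierarchy above categories (Security / Liability / Productivity).
CATEGORY_SETS = {
    "Security": {"Phishing", "Malicious", "Anonymizers"},
    "Liability": {"Hate", "Illegal Drugs"},
    "Productivity": {"Games", "Instant Messaging"},
}

def hostname_of(target: str) -> str:
    """Accept a full URL, a bare host name, or an IP address."""
    return urlsplit(target if "://" in target else "//" + target).hostname or target

@dataclass
class Categorizer:
    overrides: dict = field(default_factory=dict)   # administrator URL category overrides

    def lookup(self, target: str) -> tuple:
        """Return (category, source), mirroring the Category Query tab: the source
        shows whether an override, an IP entry or the URL database answered."""
        host = hostname_of(target)
        if host in self.overrides:
            return self.overrides[host], "override"
        try:
            ip_address(host)
            return MRS_IP_DB.get(host, "Uncategorized"), "IP address"
        except ValueError:
            return MRS_URL_DB.get(host, "Uncategorized"), "URL"

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    users: set           # group names; "All Users" matches everyone
    destinations: set    # categories, category sets, or "*" for any destination
    deny_text: str = "Access to this site is blocked by Contoso's web access policy."

    def matches(self, user_groups: set, category: str) -> bool:
        if "All Users" not in self.users and not (self.users & user_groups):
            return False
        if "*" in self.destinations:
            return True
        expanded = set()
        for d in self.destinations:
            expanded |= CATEGORY_SETS.get(d, {d})   # expand category sets
        return category in expanded

def evaluate(rules, categorizer, user_groups, target):
    """Ordered rule evaluation: the first matching rule decides, as in TMG."""
    category, source = categorizer.lookup(target)
    for rule in rules:
        if rule.matches(user_groups, category):
            msg = None if rule.action == "allow" else f"{rule.deny_text} (category: {category})"
            return {"action": rule.action, "rule": rule.name, "category": category,
                    "source": source, "message": msg}
    return {"action": "deny", "rule": "Default rule", "category": category,
            "source": source, "message": f"Denied by default rule (category: {category})"}

# Contoso's policy from the walkthrough: the researcher exception must sit above
# the blanket deny, otherwise the deny rule would match first.
CONTOSO_RULES = [
    Rule("Researchers exception", "allow", {"Researchers"}, {"Anonymizers"}),
    Rule("Block risky sites", "deny", {"All Users"}, {"Security", "Liability"},
         deny_text="This site poses a security or liability risk."),
    Rule("Allow web access", "allow", {"All Users"}, {"*"}),
]

# HTTPS inspection exclusions from the notes: financial destinations and
# executive users are not decrypted. The other modes are the deck's global options.
HTTPS_EXCLUDED_CATEGORIES = {"Finance"}
HTTPS_EXCLUDED_GROUPS = {"Executives"}

def https_mode(categorizer, user_groups, connect_line, global_mode="inspect"):
    """Decide how the proxy treats a CONNECT request: 'inspect' (decrypt and scan),
    'validate-only' (check the server certificate, no decryption), 'off', or
    'excluded' (assumption: excluded traffic is tunnelled without decryption)."""
    method, authority, _version = connect_line.split()
    if method != "CONNECT":
        raise ValueError("expected a CONNECT request")
    host = authority.rsplit(":", 1)[0]
    if global_mode != "inspect":
        return global_mode
    category, _source = categorizer.lookup(host)
    if category in HTTPS_EXCLUDED_CATEGORIES or user_groups & HTTPS_EXCLUDED_GROUPS:
        return "excluded"
    return "inspect"
```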
  • Web traffic may contain malicious software (commonly called malware) such as worms, viruses, and spyware. Forefront TMG uses definitions of known viruses, worms, and other malware, which it downloads from Microsoft Update or Windows Server Update Services (WSUS), for malware inspection. The Forefront TMG Malware Inspection Filter scans Web pages and files that were requested by client computers, and either cleans it of harmful HTTP content, or blocks it from entering the internal network.
  • Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content. Trickling: Forefront TMG sends portions of the content to the user as the files are inspected. This process helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.
  • Progress notification: Forefront TMG sends an HTML page to the client computer, which informs the user that the requested content is being inspected, and displays a summary of the download and inspection progress. After download and inspection of the content are completed, the page informs the user that the content is ready, and provides a button that the user can click to download the content.
  • This topic describes how to enable malware inspection for HTTP traffic in outbound requests. In Forefront TMG, you enable malware inspection globally, and then on a per-rule basis. To enable malware inspection in Forefront TMG, you must activate the Web Protection license and enable malware inspection on Web access rules. To enable global malware inspection: in the Forefront TMG Management Console, in the tree, click the server name node; on the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options; make a selection on the Microsoft Update Setup page, and click Next; on the Forefront TMG Protection Features Settings page, select one of the licenses to enable Web protection (if you selected the Activate purchased license and enable Web Protection option, type the license activation code next to Key) and verify that Enable malware inspection is selected; continue advancing through the wizard, and then click Finish. After enabling malware inspection globally on Forefront TMG, you must enable it on specific access rules, as follows: if you are creating new access rules, you can enable inspection via the Web Access Policy Wizard or the New Access Rule Wizard; if you already have a rule on which you want to apply malware inspection, you can edit the properties of the rule.
  • Let’s walk through a sample scenario where Contoso’s web access policy requires that all Web traffic should be inspected against malware, and that no files larger than 500MB should be downloaded from the Web.
  • Global malware inspection settings are configured by clicking on Configure Malware Inspection under Policy Editing Tasks in the Web Access Policy. These settings will apply to all web access rules, unless explicitly overridden.
  • Low severity threat – Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software. Medium severity threat – Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings. High severity threat – Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent. Suspicious files – Suspicious files may display one or more characteristics or behaviors associated with known malware. Files reported as suspicious are often detected proactively and may not have been previously seen by analysts. Files detected as suspicious are quarantined, and users may be prompted to submit these files for further analysis, so that specific detection may be added if required. Corrupted files – Corrupted files are those that have been modified in some way and may no longer function as intended. Detection of these files can be configured by the Forefront TMG administrator. Encrypted files – Encrypted files are those that have been transformed using encryption into an unreadable format for the purposes of secrecy. Once encrypted, the data cannot be interpreted (either by humans or machines) until it is decrypted. Malware may use encryption in order to make its code unreadable, which may hinder its detection and removal from the affected computer.
  • The Forefront TMG administrator can override the general malware inspection settings on a per Web access rule basis.
  • Progress notification: Forefront TMG sends an HTML page to the client computer that informs the user that the requested content is being inspected, and displays a summary of the download and inspection progress. After the content has been downloaded and inspected, the page informs the user that the content is ready, and displays a button that the user can click to download the content.
  • Because there are increasing numbers of zero-day attacks at the network and application layer, we are constantly looking for ways to protect hosts and networks against exploitation of the discovered vulnerabilities. One of the key problems is that attackers can usually develop and use exploits for the disclosed vulnerabilities faster than patches can be developed and deployed. A review of past vulnerabilities shows that it can take up to a month to develop and release patches after the initial attack reports, and then another one to two weeks for the customer to deploy the patch across the vulnerable computers. This leaves computers vulnerable to attacks and exploitation for over a month.
  • What is the motivation behind Network Inspection System (NIS)? Because information worker users increasingly find it more difficult to achieve anytime anywhere access in a re-perimeterized world, ubiquitous and comprehensive protection for the outbound access scenario is paramount. Outbound access is defined as user-initiated network access, whether on the Internet or corporate network, and regardless of application or protocol. End users are predominately accessing the Internet using a Web browser, which creates an easy attack surface for malicious hackers. The nature of the Web demands unique protections around protocol vulnerabilities, including the frequently used HTTP and HTTPS protocols as well as other protocols such as RPC, SMB, and the different mail protocols. NIS is Microsoft’s response to this new and growing IT concern. In its first release, NIS is integrated with Forefront TMG as a component of the Intrusion Prevention System (IPS).
  • NIS is a protocol decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities (researched and developed by the Microsoft Malware Protection Center NIS Response Team) in addition to an operational signature distribution channel which enables dynamic signature snapshot distribution. For more information, see the Microsoft Malware Protection Center Threat Research & Response Blog (http://blogs.technet.com/mmpc/). The main differentiator of NIS is signature quality (minimum false positives and false negatives) on Microsoft-focused vulnerabilities. NIS signatures are vulnerability-based rather than exploit-based: they cover every exploit of a given vulnerability, whereas signatures that detect one specific exploit are susceptible to evasion.
  • Motivated by the large number of application-level protocols and the new ones constantly emerging, Microsoft Research (MSR) has architected a Generic Application-level Protocol Analyzer (GAPA), which includes a protocol specification language (GAPAL) and an analysis engine that operates on network streams and traces. GAPA allows rapid creation of protocol analyzers, greatly reducing the development time needed (see the MSR research paper: http://research.microsoft.com/pubs/70223/tr-2005-133.pdf). In Forefront TMG, NIS is based on the GAPA research as a signature-based Intrusion Prevention System (IPS).
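To make the difference between vulnerability-based and exploit-based signatures concrete, here is an added Python example (not NIS or GAPA code) built on a constructed toy protocol with a hypothetical name-field buffer limit. The parser decodes the fields first, as a protocol-analysis approach does; one signature matches the byte pattern of a single (constructed) exploit, the other checks the vulnerability condition on the decoded field, and parse failures are surfaced the way the telemetry note lists protocol parse errors.

```python
import re
from dataclasses import dataclass

# Toy line-based protocol, constructed for this example (not a real protocol):
#     "PUT <name> <length>\n<payload>"
# Hypothetical server defect: <name> is copied into a 32-byte buffer without a
# length check, so any name longer than NAME_LIMIT reaches the defect.
NAME_LIMIT = 32

class ParseError(Exception):
    pass

@dataclass
class Message:
    command: str
    name: str
    payload: bytes

def parse(stream: bytes) -> Message:
    """Protocol-decode step: turn the byte stream into typed fields before
    any signature looks at it."""
    header, sep, payload = stream.partition(b"\n")
    if not sep:
        raise ParseError("missing header terminator")
    parts = header.split(b" ")
    if len(parts) != 3 or parts[0] != b"PUT":
        raise ParseError("malformed header")
    try:
        length = int(parts[2])
    except ValueError:
        raise ParseError("bad length field") from None
    if length != len(payload):
        raise ParseError("declared length does not match payload")
    return Message(parts[0].decode(), parts[1].decode("latin-1"), payload)

# Exploit-based signature: the byte pattern of one observed exploit (constructed
# here), whose name field happened to be a long run of 'A' bytes.
EXPLOIT_PATTERN = re.compile(rb"PUT A{40,} ")

def exploit_signature(stream: bytes) -> bool:
    return EXPLOIT_PATTERN.search(stream) is not None

# Vulnerability-based signature: states the condition the defect requires
# (a name longer than the buffer), regardless of which bytes fill it.
def vulnerability_signature(msg: Message) -> bool:
    return len(msg.name) > NAME_LIMIT

def inspect(stream: bytes) -> dict:
    """Run both signature styles over one message; a parse failure is recorded
    as a protocol parse error instead of a detection."""
    result = {"exploit_sig": exploit_signature(stream), "vuln_sig": False, "parse_error": None}
    try:
        msg = parse(stream)
    except ParseError as err:
        result["parse_error"] = str(err)
        return result
    result["vuln_sig"] = vulnerability_signature(msg)
    return result

# Constructed sample traffic.
BENIGN = b"PUT report.txt 5\nhello"
KNOWN_EXPLOIT = b"PUT " + b"A" * 64 + b" 0\n"
VARIANT = b"PUT " + bytes(range(0x41, 0x5B)) * 3 + b" 0\n"   # same overlong name, different filler
MALFORMED = b"PUT report.txt"                                  # header never terminated
```

Running `inspect` over the four samples shows the point of the note: the exploit pattern misses `VARIANT` while the vulnerability condition catches both it and `KNOWN_EXPLOIT`.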
  • Aim of telemetry: understand the current malware landscape and improve signature quality. TMG sends signature matches and protocol parse errors; no PII is sent in Basic mode. Encourage customers to use it.
  • The Microsoft Malware Protection Center (MMPC) identifies threats based on information received from various sources, including the Microsoft Telemetry Service. When Malware Protection or NIS identifies an attack or potential malware, it reports information about the potential attack to Microsoft. Microsoft stores and analyzes this information to help identify attack patterns and improve the precision and efficiency of threat mitigations. Based on this information, the MMPC develops a NIS signature for the vulnerability. The signature is tested to confirm that it properly identifies the threat and does not cause false positives, and is then released through Microsoft Update.
  • Forefront TMG also includes other network protection mechanisms in addition to NIS:
  • Detection of common attacks. Common attacks include the following:
    Windows out-of-band (WinNuke) attack – An attacker launches an out-of-band denial-of-service (DoS) attack against a host protected by Forefront TMG. If the attack is successful, it causes the computer to fail or creates a loss of network connectivity on vulnerable computers.
    Land attack – An attacker sends a TCP SYN packet with a spoofed source IP address that matches the IP address of the targeted computer, and with a port number that is allowed by the Forefront TMG policy rules, so that the targeted computer tries to establish a TCP session with itself. If the attack is successful, some TCP implementations could go into a loop, which would cause the computer to fail.
    Ping of death – An attacker attaches a large amount of information (exceeding the maximum IP packet size) to an Internet Control Message Protocol (ICMP) echo (ping) request. If the attack is successful, a kernel buffer overflows, causing the computer to fail.
    IP half scan – An attacker repeatedly attempts to connect to a targeted computer, but does not send ACK packets in response to SYN/ACK packets. During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client that initiates the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most system logs do not log completed connections until the final ACK packet is received from the source. Sending other types of packets that do not follow this sequence can elicit useful responses from the target host, without causing a connection to be logged.
    UDP bomb – An attacker attempts to send a User Datagram Protocol (UDP) datagram with illegal values in certain fields, which could cause some older operating systems to fail when the datagram is received. By default, no alert is configured for this type of attack.
    Port scan – An attacker attempts to count the services that are running on a computer by probing each port for a response. You can specify the number of ports that can be scanned before an event is generated.
    When Forefront TMG intrusion detection is enabled and offending packets are detected, they are dropped and an event that triggers an Intrusion Detected alert is generated. By default, the Intrusion Detected alert is reset automatically after one minute, during which time Forefront TMG continues to block offending packets but without issuing an alert. You can configure this alert to send you an e-mail notification when it is triggered. You can also enable logging of the dropped packets. The name of each type of detected attack corresponds to an additional condition in the definition of the Intrusion Detected event. For each additional condition (type of attack), you can define and enable an alert that specifies the actions to be taken in response to the event; the alert is issued by the Microsoft Firewall service when all the conditions specified in the alert are met. The actions that can be triggered by an alert include sending an e-mail message, invoking a command, writing to a log, and starting or stopping Forefront TMG services.
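The header-level conditions behind four of the attacks above (Land, ping of death, IP half scan, port scan) can be expressed as a small stateful detector. The following is an added illustration, not Forefront TMG code: it works on already-decoded packet headers, and the `Packet` record, the thresholds and the sample traffic are constructed here. It treats an ICMP echo whose reassembled length exceeds the IPv4 maximum as a ping of death, and counts a half scan when the initiator answers a SYN/ACK with RST instead of the final ACK (a timeout would additionally be needed for initiators that simply stay silent). WinNuke and UDP bomb are left out because the notes give no header-level condition for them.

```python
"""Stateful checks for four of the common attacks listed above (Land, ping
of death, IP half scan, port scan).  Added example, not Forefront TMG code:
it works on already-decoded headers, and the Packet record, thresholds and
sample traffic are constructed here."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport flags length")
SYN, RST, ACK = 0x02, 0x04, 0x10
MAX_IP_DATAGRAM = 65535           # largest legal IPv4 datagram after reassembly


class IntrusionDetector:
    def __init__(self, port_scan_threshold=10, half_scan_threshold=10):
        self.port_scan_threshold = port_scan_threshold
        self.half_scan_threshold = half_scan_threshold
        self.probed = defaultdict(set)      # src -> distinct (dst, port) SYN targets
        self.pending = defaultdict(set)     # src -> SYNs awaiting the server's SYN/ACK
        self.awaiting = defaultdict(set)    # src -> SYN/ACKs awaiting the final ACK
        self.half_open = defaultdict(int)   # src -> handshakes aborted with RST
        self.alerts = []                    # (attack name, offending source)

    def _hit(self, attack, pkt):
        """Drop the packet and record an Intrusion Detected alert."""
        self.alerts.append((attack, pkt.src))
        return "drop"

    def inspect(self, pkt):
        """Return 'drop' for an offending packet, 'pass' otherwise."""
        if pkt.proto == "icmp":
            if pkt.length > MAX_IP_DATAGRAM:          # oversized echo request
                return self._hit("Ping of death", pkt)
            return "pass"
        if pkt.proto != "tcp":
            return "pass"
        if pkt.flags & SYN and pkt.src == pkt.dst and pkt.sport == pkt.dport:
            return self._hit("Land", pkt)             # host made to connect to itself
        fwd = (pkt.dst, pkt.dport)      # flow key as the initiator sees it
        rev = (pkt.src, pkt.sport)      # same key as seen in the responder's reply
        if pkt.flags & SYN and not pkt.flags & ACK:   # new connection attempt
            self.probed[pkt.src].add(fwd)
            self.pending[pkt.src].add(fwd)
            if len(self.probed[pkt.src]) > self.port_scan_threshold:
                return self._hit("Port scan", pkt)
        elif pkt.flags & SYN and pkt.flags & ACK:     # responder's SYN/ACK
            if rev in self.pending[pkt.dst]:
                self.pending[pkt.dst].discard(rev)
                self.awaiting[pkt.dst].add(rev)
        elif pkt.flags & RST:                         # reset instead of the final ACK
            if fwd in self.awaiting[pkt.src]:
                self.awaiting[pkt.src].discard(fwd)
                self.half_open[pkt.src] += 1
                if self.half_open[pkt.src] > self.half_scan_threshold:
                    return self._hit("IP half scan", pkt)
        elif pkt.flags & ACK:                         # handshake completed normally
            self.awaiting[pkt.src].discard(fwd)
        return "pass"


def run_constructed_traffic():
    """Feed constructed packets through the detector; returns the verdicts."""
    det = IntrusionDetector(port_scan_threshold=5, half_scan_threshold=3)
    srv, out = "10.0.0.5", {}
    # Legitimate three-way handshake from a client: everything passes.
    out["normal"] = [det.inspect(p) for p in (
        Packet("192.0.2.20", srv, "tcp", 51000, 443, SYN, 60),
        Packet(srv, "192.0.2.20", "tcp", 443, 51000, SYN | ACK, 60),
        Packet("192.0.2.20", srv, "tcp", 51000, 443, ACK, 52))]
    # Land: SYN whose source address and port equal the destination's.
    out["land"] = det.inspect(Packet(srv, srv, "tcp", 80, 80, SYN, 60))
    # Ping of death: ICMP echo whose reassembled length exceeds the IPv4 maximum.
    out["ping_of_death"] = det.inspect(Packet("198.51.100.9", srv, "icmp", 0, 0, 0, 65600))
    # IP half scan: four handshakes, each aborted with RST after the SYN/ACK.
    for port in (21, 22, 25, 110):
        det.inspect(Packet("198.51.100.7", srv, "tcp", 40000 + port, port, SYN, 60))
        det.inspect(Packet(srv, "198.51.100.7", "tcp", port, 40000 + port, SYN | ACK, 60))
        verdict = det.inspect(Packet("198.51.100.7", srv, "tcp", 40000 + port, port, RST, 40))
    out["half_scan"] = verdict
    # Port scan: SYNs to six distinct ports from one source.
    for port in range(1, 7):
        verdict = det.inspect(Packet("198.51.100.8", srv, "tcp", 50000, port, SYN, 60))
    out["port_scan"] = verdict
    out["alerts"] = [attack for attack, _ in det.alerts]
    return out


if __name__ == "__main__":
    for key, value in run_constructed_traffic().items():
        print(f"{key}: {value}")
```

The thresholds mirror the "number of ports that can be scanned before an event is generated" setting described in the notes; in a real filter the per-source state would also be expired on a timer so that a slow scan does not hold memory indefinitely.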
  • The Forefront TMG Domain Name System (DNS) filter intercepts and analyzes all inbound DNS traffic that is destined for the internal network and other protected networks. If DNS attack detection is enabled, you can specify that the DNS filter checks for the following types of suspicious activity:
    DNS host name overflow – When a DNS response for a host name exceeds 255 bytes, applications that do not check host name length may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.
    DNS length overflow – When a DNS response for an IP address exceeds 4 bytes, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response.
    DNS zone transfer – A client system uses a DNS client application to transfer zones from an internal DNS server.
    When offending packets are detected, they are dropped and an event that triggers a DNS Intrusion alert is generated. You can configure the alerts to notify you that an attack was detected. When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered. By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually.
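The DNS checks above are also a concrete illustration of the vulnerability-based signature idea from the NIS notes: each condition is a property of the protocol message (a name longer than 255 bytes, an A record whose RDLENGTH is not 4, an RDLENGTH that runs past the end of the message, an AXFR question) rather than a pattern from one particular exploit. The parser below is an added example, not TMG or NIS code; the wire layout follows RFC 1035, the sample messages are constructed inline, and the finding strings are this example's own wording.

```python
"""Checks modelled on the Forefront TMG DNS filter conditions (name over 255
bytes, A record data not 4 bytes, RDLENGTH past the end of the message, zone
transfer request).  Added example, not TMG or NIS code: the wire format follows
RFC 1035, the sample messages are constructed below, and the finding text is
this example's own."""
import struct

MAX_NAME_LEN = 255                       # RFC 1035 limit on an encoded name
A, NS, CNAME, PTR, AXFR = 1, 2, 5, 12, 252
NAME_RDATA_TYPES = {NS, CNAME, PTR}      # RDATA of these types is a domain name


def read_name(msg, pos, hops=0):
    """Decode a possibly compressed name; return (dotted name, next offset)."""
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, hops + 1)
            return ".".join(labels + ([tail] if tail else [])), pos + 2
        if n == 0:
            return ".".join(labels), pos + 1
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n


def inspect_dns(msg):
    """Return a list of findings for one DNS message (empty means it passed)."""
    findings, names = [], []
    if len(msg) < 12:
        return ["truncated header"]
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    is_response = bool(flags & 0x8000)
    pos = 12
    try:
        for _ in range(qd):
            qname, pos = read_name(msg, pos)
            qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            names.append(qname)
            if not is_response and qtype == AXFR:
                findings.append(f"DNS zone transfer request for {qname}")
        for _ in range(an + ns + ar):
            owner, pos = read_name(msg, pos)
            names.append(owner)
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            remaining = len(msg) - pos
            if rdlength > remaining:            # RDLENGTH claims bytes that are not there
                findings.append(f"DNS length overflow: RDLENGTH {rdlength} exceeds "
                                f"{remaining} remaining bytes")
                break
            if rtype == A and rdlength != 4:    # an IPv4 address is exactly 4 bytes
                findings.append(f"DNS length overflow: A record RDLENGTH {rdlength} != 4")
            if rtype in NAME_RDATA_TYPES:
                names.append(read_name(msg, pos)[0])
            pos += rdlength
    except (ValueError, struct.error) as exc:
        findings.append(f"protocol parse error: {exc}")
    for name in names:                          # dotted length + 2 == encoded length
        if name and len(name) + 2 > MAX_NAME_LEN:
            findings.append(f"DNS host name overflow: {len(name) + 2}-byte name")
            break
    return findings


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build(flags, questions=(), records=()):
    """Constructed message: questions are (name, qtype); records are
    (owner, rtype, rdata[, claimed_rdlength]) placed in the answer section."""
    out = struct.pack("!HHHHHH", 0x1234, flags, len(questions), len(records), 0, 0)
    for qname, qtype in questions:
        out += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rr in records:
        owner, rtype, rdata = rr[:3]
        rdlength = rr[3] if len(rr) > 3 else len(rdata)
        out += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, rdlength) + rdata
    return out


RESPONSE, QUERY = 0x8180, 0x0100
IP = b"\x0a\x00\x00\x01"
LONG_NAME = ".".join(["a" * 63] * 4)         # 255 characters, 257 bytes encoded
SAMPLES = {                                  # all constructed for this example
    "good": build(RESPONSE, [("www.contoso.com", A)], [("www.contoso.com", A, IP)]),
    # owner name given as a pointer (0xC00C) to the question name at offset 12
    "compressed": struct.pack("!HHHHHH", 0x1234, RESPONSE, 1, 1, 0, 0)
                  + encode_name("www.contoso.com") + struct.pack("!HH", A, 1)
                  + b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + IP,
    "long_name": build(RESPONSE, [("www.contoso.com", A)],
                       [("www.contoso.com", CNAME, encode_name(LONG_NAME))]),
    "bad_a": build(RESPONSE, [("www.contoso.com", A)], [("www.contoso.com", A, IP + b"\x00")]),
    "rdlength": build(RESPONSE, [("www.contoso.com", A)], [("www.contoso.com", A, IP, 200)]),
    "axfr": build(QUERY, [("contoso.com", AXFR)]),
}


def run_samples():
    return {name: inspect_dns(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:>10}: {result or 'ok'}")
```

Note that the name-length check sums the decompressed name, so a response that hides an over-long name behind compression pointers is still caught, and a parse error is itself reported as a finding, which is the same "protocol parse errors" signal the telemetry notes mention.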
  • Forefront TMG can drop all IP packets with any IP option in their header, all IP packets that have any of a list of selected IP options in their header, or all IP packets whose header contains any IP option that is not in the list of selected IP options. Forefront TMG can also drop all IP fragments. Procedures for enabling IP options filtering and IP fragment filtering, and more information about both, are in the Microsoft TechNet article Overview of intrusion detection (http://technet.microsoft.com/en-us/library/cc995155.aspx).
  • The Forefront TMG flood mitigation mechanism uses: connection limits that identify and block malicious traffic; logging of flood mitigation events; and alerts that are triggered when a connection limit is exceeded. The default configuration settings for flood mitigation help ensure that Forefront TMG continues to function under a flood attack. Forefront TMG classifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied while Forefront TMG continues to serve all other traffic. The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following:
    Worm propagation – An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate if there are policy rules based on Domain Name System (DNS) names, which require a reverse DNS lookup for each IP address.
    TCP flood attacks – An offending host establishes numerous TCP connections with a Forefront TMG server or other servers that are protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections in an attempt to elude the counters. This consumes a large amount of resources.
    SYN attacks – An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.
    HTTP denial of service attacks – A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. Because the Forefront TMG Web proxy authenticates every request, this consumes a large amount of resources.
    Non-TCP distributed denial of service (DDoS) attacks – A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.
    UDP flood attacks – An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.
    Connection limits – Forefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic, handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web proxy clients in forward proxy scenarios, and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses, and helps administrators identify IP addresses that generate excessive traffic, which might be a symptom of a worm or other malware infection. A connection limit policy can be configured for an array or a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits:
    Connection limits that establish how many TCP connect requests and HTTP requests are allowed during one minute from a single IP address that is not included in the list of IP address exceptions.
    Connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address that is not included in the list of IP address exceptions. These include connection limits for TCP connections, UDP sessions, and ICMP and other raw IP connections.
    Custom connection limits that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which would require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, UDP sessions, and ICMP and other raw IP connections.
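To make the connect-request and concurrent-connection limits concrete, here is an added example of such a per-source quota mechanism in Python; it is not Forefront TMG code. The limit values, the exception entry for a NAT device and the simulated sources are all constructed for illustration. The point it demonstrates is the one the TCP flood paragraph makes: a host that opens and immediately closes connections never exceeds the concurrent limit, but still trips the per-minute connect-request counter, while a host on the exception list is served under its custom limits.

```python
"""Per-source connection quota in the style of the flood mitigation notes
above.  Added example, not Forefront TMG code: limit values, the exception
entry and the simulated sources are constructed for illustration."""
from collections import defaultdict, deque

ALLOW, DENY = "allow", "deny"
WINDOW = 60.0                     # connect requests are counted per minute


class ConnectionLimiter:
    def __init__(self, requests_per_minute, concurrent, exceptions=None):
        self.defaults = (requests_per_minute, concurrent)
        self.exceptions = exceptions or {}        # ip -> (custom per-minute, custom concurrent)
        self.requests = defaultdict(deque)        # ip -> timestamps of accepted connect requests
        self.active = defaultdict(int)            # ip -> currently open connections
        self.events = []                          # flood mitigation log: (kind, ip, detail)
        self.alerted = set()                      # sources already alerted on (until reset)

    def limits(self, ip):
        """Custom limits for listed exceptions (published servers, NAT devices), defaults otherwise."""
        return self.exceptions.get(ip, self.defaults)

    def _deny(self, ip, detail):
        self.events.append(("deny", ip, detail))
        if ip not in self.alerted:                # one alert per source until it is reset
            self.alerted.add(ip)
            self.events.append(("alert", ip, f"connection limit exceeded: {detail}"))
        return DENY

    def connect(self, ip, now):
        """Decide whether a new connection from ip at time `now` (seconds) is accepted."""
        per_minute, concurrent = self.limits(ip)
        window = self.requests[ip]
        while window and now - window[0] >= WINDOW:
            window.popleft()                      # slide the one-minute window
        if len(window) >= per_minute:             # counts opens even if closed at once
            return self._deny(ip, f"{len(window)} connect requests in the last minute (limit {per_minute})")
        if self.active[ip] >= concurrent:
            return self._deny(ip, f"{self.active[ip]} concurrent connections (limit {concurrent})")
        window.append(now)
        self.active[ip] += 1
        return ALLOW

    def close(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1

    def reset_alert(self, ip):
        self.alerted.discard(ip)


def simulate():
    """Constructed scenarios; returns a dict of outcomes for inspection."""
    lim = ConnectionLimiter(requests_per_minute=600, concurrent=160,
                            exceptions={"10.0.0.254": (6000, 1000)})   # NAT device with custom limits
    out = {}
    # 1. A host opens and immediately closes 700 TCP connections within ten seconds.
    #    Its concurrent count never exceeds 1, yet the per-minute counter still trips.
    denied = 0
    for i in range(700):
        if lim.connect("192.0.2.10", i * 10 / 700) == ALLOW:
            lim.close("192.0.2.10")
        else:
            denied += 1
    out["flooder_denied"] = denied
    # 2. SYN-attack style: 200 connections left half-open; the concurrent limit catches it.
    out["halfopen_denied"] = sum(lim.connect("192.0.2.11", 20 + i * 0.01) == DENY for i in range(200))
    # 3. The NAT device opens 700 connections without closing and is served under its custom limits.
    out["nat_denied"] = sum(lim.connect("10.0.0.254", 30 + i * 0.01) == DENY for i in range(700))
    # 4. Once the window has slid past the burst, the first host is served again.
    out["flooder_after_window"] = lim.connect("192.0.2.10", 100.0)
    out["alerted_sources"] = sorted(ip for kind, ip, _ in lim.events if kind == "alert")
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The alert is raised once per source and then suppressed until `reset_alert` is called, mirroring the notes' description of alerts that are not triggered again until reset; the deny events are still logged for every blocked request so an administrator can see which addresses generate excessive traffic.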
  • 50357 a enu-module02

    1. 1. Module 2: Secure Web Gateway© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.
    2. 2. Module Overview Secure Web Gateway overview HTTPS inspection URL filtering Malware protection Intrusion prevention
    3. 3. Lesson 1 – Secure Web Gateway Overview
    4. 4. What is a Secure Web Gateway (SWG)? “A SWG is a solution that filters unwantedsoftware/malware from user-initiated Web/Internettraffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, malicious code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype.”Gartner Secure Web Gateway Magic Quadrant, August 2008
    5. 5. The Growing Market Potential Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth 3000 2500 2000 SaaS 1500 Appliance Software 1000 500 0 2008 2009 2010 2011 2012Source: Gartner Secure Web Gateway Magic Quadrant, August 2008
    6. 6. The Competitive Landscape Websense Trend 20% Microsoft 12% 54% McAfee/Secure Computing Blue Coat 6% 5% 3% Other
    7. 7. Forefront TMG as a Secure Web Gateway URL Filtering, Competitive Malware Feature Set Inspection, NIS Array Support, Load balancing Easily Scalable Manageable Web Access Wizard, Task Logging & Oriented Reporting Support Integrated New reports, Policy Management, log fields Directory Services Integration, Licensing 7
    8. 8. Secure Web Gateway Layered Security Unifies inspection technologies to: Malware Inspection Protect against multi-channel threats URL Filtering Simplify deployment Keeps security up to date Network Application Inspection with updates to: Layer Proxy System Web antimalware HTTPS Inspection URL filtering Network Inspection Logging & Reporting System Windows Server® 2008 / R2
    9. 9. Threats and Controls Application HTTPS Anti- URLThreats Layer NIS Inspection malware Filtering FirewallMalwarePhishingLiabilityData LeakageLost ProductivityLoss of Control Full Partial Enabler
    10. 10. Lesson 2 – HTTPS Inspection
    11. 11. Threats and Controls Application HTTPS Anti- URLThreats Layer NIS Inspection malware Filtering FirewallMalwarePhishingLiabilityData LeakageLost ProductivityLoss of Control Full Partial Enabler
    12. 12. Traditional SSL Security Web browser sends a CONNECT request to the Web proxy CONNECT host_name:port HTTP/1.1 Web proxy allows the request to be sent to the TCP port specified in the request Proxy informs the client that the connection is established Clients sends encrypted packets directly to destination on specified port without proxy mediationWhat lies withinthis encrypted tunnel?
    13. 13. Forefront TMG HTTPS Traffic Inspection Network Malware URL Filtering Inspection Inspection System Internet SIGNED BY SIGNED VERISIGN Contoso.com BY TMG Contoso.com HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats Trusted certificate generated by proxy matching the URL expected by the client 13
    14. 14. Enabling HTTPS Traffic Inspection Configure HTTPS Inspection: • Proxy certificate generation/import Certificate deployment and customization. (via Active Directory® or • Source and destination exclusions Import/Export) • Validate only option • Notification Internet SIGNED BY SIGNED VERISIGN Contoso.com BY TMG Contoso.comClient notifications about HTTPS inspection (via Firewall client) Certificate validation (revocation, trusted, expiration validation, etc.) 14
    15. 15. Generating the HTTPS Inspection Certificate The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA Administrators can customize the self generated certificate Commercial CAs will not typically issue HTTPS inspection certificates HTTPS inspection certificate stored in the configuration store Used by all array members
    16. 16. Deploying the HTTPS Inspection Certificate Two methods can be used to enable clients to trust the HTTPS Inspection Certificate Automatically through Active Directory (AD), will use AD trusted root store to configure trust for all clients in the AD forest Requires Forefront TMG to be deployed in a domain environment Will not work for browsers that do not use the Windows certificate store for trust Manually on each computer, using root certificate installation procedure required by the browser
    17. 17. How HTTPS Inspection Works  Enable HTTPS inspection  Generate trusted root certificateInstall trusted root certificateon clients contoso.com https://contoso.com https://contoso.com SIGNED SIGNED BY BY TMG VERISIGN Contoso.com Contoso.com 1. Intercept HTTPS traffic 2. Validate contoso.com server certificate 3. Generate contoso.com server proxy certificate on TMG 4. Copy data from the original server certificate to the proxy certificate 5. Sign the new certificate with TMG trusted root certificate 6. [TMG manages a certificate cache to avoid redundant duplications] 7. Pretend to be contoso.com for client 8. Bridge HTTPS traffic between client and server 17
    18. 18. Scenario WalkthroughContoso Web Access Policy No browsing to sites that pose security or liability risks, but... Researchers need access to gambling sites This includes access to encrypted archives Malware Inspection should be enabled for all Web traffic HTTPS Inspection should be enabled, with user notifications Deny all Web downloads larger than 500MB 18
    19. Configuring HTTPS Inspection
    20. Configuring HTTPS Inspection
    21. Configuring HTTPS Inspection
    22. HTTPS Inspection Notifications: Notification provided by Forefront TMG client; Notify user of inspection; History of recent notifications; Management of Notification Exception List; May be a legal requirement in some geographies
    23. HTTPS Inspection Notification: User Experience
    24. Lesson 3 – URL Filtering
    25. Threats and Controls [Table: threats (Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control) against controls (Application Layer Firewall, NIS, HTTPS Inspection, Anti-malware, URL Filtering); legend: Full, Partial, Enabler]
    26. Forefront TMG URL Filtering: Integrates leading URL database providers; 91 built-in categories; Subscription-based; Predefined and administrator-defined category sets; Customizable, per-rule deny messages; URL category override; URL category query; Logging and reporting support; Web Access Wizard integration [Diagram: Microsoft Reputation Service, URL DB, Internet, TMG]
    27. URL Filtering Benefits: Control user web access based on URL categories; Protect users from known malicious sites; Reduce liability risks; Increase productivity; Reduce bandwidth and Forefront TMG resource consumption; Analyze Web usage
    28. Microsoft Reputation Service. Accuracy: Comprehensive and flexible category taxonomy; Broad coverage through path inheritance; Overlapping and complementary URL metadata sources; Accuracy measured and tuned across providers (weighting); Telemetry-based error reporting and client data capture; Unknowns ranked and resolved based on prevalence. Performance: Four-tier architecture; Protocol-level packaging; Bloom filters. Availability: Globally-scaled, fault-tolerant architecture; Multi-layer dynamic caching (on-premise + service)
    29. What Makes MRS Compelling? Existing URL filtering solutions: Single vendor can't be expert in all categories; Categorization response time. MRS unique architecture: MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy); Based on Microsoft internal sources as well as collaboration with third-party partners; Scalable; Ongoing collaborative effort; Recently announced an agreement with Marshal8e6; More announcements to follow
    30. How Forefront TMG Leverages MRS [Diagram labels: Policy; URL Categorizer; Query (URL); Fetch; Cache (persistent, in-memory, weighted TTL, category overrides, fetch on miss); Federated MRS Query combining multiple vendors, over SSL for authentication and privacy; Telemetry path (also SSL) with feedback mechanism and telemetry data, no PII]
    31. URL Filtering Categories: Security, Liability, Productivity
    32. Categories and Inheritance
    33. URL Filtering Policy: URL categories are standard network objects; Administrator can create custom URL category sets
    34. URL Filtering Policy
    35. Scenario Walkthrough: Contoso Web Access Policy. No browsing to sites that pose security or liability risks, but... Researchers need access to gambling sites; This includes access to encrypted archives; Malware Inspection should be enabled for all Web traffic; HTTPS Inspection should be enabled, with user notifications; Deny all Web downloads larger than 500MB
    36. Contoso’s Web Access Policy [Screenshot: an access rule denying everyone access to Liability and Security sites, and an access rule allowing users in the Research group to access gambling and gambling-related sites]
    37. Per-rule Customization: TMG administrator can customize the denial message displayed to the user on a per-rule basis; Add custom text or HTML; Redirect the user to a specific URL
    38. URL Filtering Configuration
    39. Category Query: Administrator can use the URL Filtering Settings dialog box to query the URL filtering database; Enter the URL or IP address as input; The result and its source are displayed on the tab
    40. URL Category Override: Administrator can override the categorization of a URL; Feedback to MRS via Telemetry
    41. User Experience
    42. User Experience: HTML tags
    43. Lesson 4 – Malware Protection
    44. Threats and Controls [Table: threats (Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control) against controls (Application Layer Firewall, NIS, HTTPS Inspection, Anti-malware, URL Filtering); legend: Full, Partial, Enabler]
    45. HTTP Malware Inspection: Integrates Microsoft Antivirus engine; Signature and engine updates (from MU or WSUS); Subscription-based; Content delivery methods by content type; Source and destination exceptions; Global and per-rule inspection options (encrypted files, nested archives, large files…); Logging and reporting support; Web Access Wizard integration. Third-party plug-ins can be used (native malware inspection must be disabled) [Diagram: MU or WSUS, Signatures DB, Internet, TMG]
    46. Content Trickling [Sequence diagram: Firewall Service with Web Proxy and Malware Inspection Filter (Request Context, Accumulated Content, Scanner); messages GET msrdp.cab and 200 OK passing through the filter]
    47. Progress Notification [Sequence diagram: Firewall Service with Web Proxy and Malware Inspection Filter (Primary Request Context, Accumulated Content, Secondary Request Context, Downloads Map, Scanner); messages GET setup.exe, GET FinalDownload, GetDownloadStatus, 200 OK (setup.exe), 200 OK (Retrieving), 200 OK (Scanning), 200 OK (Ready) (HTML)]
    48. Malware Scanner Behavior. High priority: Partial inspection for Standard Trickling; Final inspection for files smaller than 1 MB when Progress Page is not used. Normal priority: Partial inspection for Fast Trickling; Final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used; Final inspection when Progress Page is used. Low priority: Final inspection for files larger than 50 MB [Diagram: Low, Normal and High Priority Queues feeding the Antimalware Engine]
    49. Enabling Malware Inspection: Activate the Web Protection license; Enable malware inspection on Web access rules (Web Access Policy Wizard or New Access Rule Wizard for new rules; Rule properties for existing rules)
    50. Scenario Walkthrough: Contoso Web Access Policy. No browsing to sites that pose security or liability risks, but... Researchers need access to gambling sites; This includes access to encrypted archives; Malware Inspection should be enabled for all Web traffic; HTTPS Inspection should be enabled, with user notifications; Deny all Web downloads larger than 500MB
    51. Malware Inspection Global Settings
    52. Malware Inspection Global Settings: Administrator can configure malware blocking behavior for: Low, medium and high severity threats; Suspicious files; Corrupted files; Encrypted files; Archive bombs (too many depth levels or unpacked content too large); File size too large
    53. Malware Inspection Per-rule Overrides
    54. User Experience: Content Blocked
    55. User Experience: Progress Notification
    56. Lesson 5 – Intrusion Prevention
    57. The Problem. Un-patched vulnerabilities: Average survival time of unpatched Windows® XP less than 20 minutes; About two percent of Windows® machines are fully patched. Vulnerability window: Increasing number of zero days; Attackers craft exploits faster than customers can deploy patches. Encryption and protocol tunneling are a complicated problem for a defense technology (for example, HTTPS)
    58. Defining an Intrusion Prevention System (IPS) [Table: columns Allow Known Good, Block Known Bad, Block Unknown Bad; rows Execution Level (Application Control, Resource Shielding, Behavioral Containment), Application Level (Application Hardening, Application and AV Inspection, System Inspection), Network Level (Network Firewall, Attack-Facing Network Inspection, Vulnerability-Facing Network Inspection); Network Inspection System highlighted] Source: Host-Based Intrusion Prevention Systems (HIPS) Update – Gartner 2007
    59. Network Inspection System (NIS): Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities; Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions); Detects and potentially blocks attacks on network resources. NIS helps organizations reduce the vulnerability window: Protects machines against known vulnerabilities until a patch can be deployed; Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window. Integrated into Forefront TMG; Synergy with HTTPS Inspection
    60. New Vulnerability Use Case: Vulnerability is discovered; Response team prepares and tests the vulnerability signature; Signature released by Microsoft and deployed through distribution service, on security patch release; All un-patched hosts behind Forefront TMG are protected [Diagram: Vulnerability Discovered, Signature Authoring Team (Signature Authoring, Signature Testing), Signature Distribution Service, TMG in the Corporate Network]
    61. Network Inspection System Powered by GAPA (Generic Application Protocol Analyzer): A framework and platform for safe and fast low-level protocol parsing; Supports extensibility and layering; Enables creating parsing-based rules for checking and applying specific conditions (for example, signatures); GAPA technology powers Microsoft’s Network Inspection System (NIS)
    62. Network Inspection System Architecture [Diagram: Design Time (Protocol Parsers, Signatures), Microsoft Update, Run Time (NIS Engine), Telemetry and Portal]
    63. NIS Response Process [Diagram: Threat Identification, Threat Research, Signature Targeting, Signature Development, Signature Testing, Signature Release, Encyclopedia Write-up; annotated "4 hours"]
    64. Enabling and Configuring NIS
    65. Other Network Protection Mechanisms: Common OS attack detection; DNS attack filtering; IP option filtering; Flood mitigation
    66. Common OS Attack Detection: Inspects traffic for the following common attacks: WinNuke; Land; Ping of Death; IP Half Scan; Port Scan; UDP Bomb. Offending packets are dropped and an event generated triggering an Intrusion Detected alert
    67. DNS Attack Filtering: Enables the following checks in DNS traffic: DNS host name overflow – DNS response for a host name exceeding 255 bytes; DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes; DNS zone transfer – DNS request to transfer zones from an internal DNS server
    68. IP Options Filtering: Forefront TMG can block IP packets based on the IP options set: Deny all packets with any IP options; Deny packets with the selected IP options; Deny packets with all except selected IP options. Forefront TMG can also block fragmented IP packets
    69. Flood Mitigation: Forefront TMG flood mitigation mechanism uses: Connection limits that are used to identify and block malicious traffic; Logging of flood mitigation events; Alerts that are triggered when a connection limit is exceeded. TMG comes with default configuration settings; Exceptions can be set per computer set [Diagram: table of Limit and Custom Limit values]
    70. Questions
    71. Lab 2: Secure Web Gateway. In this lab, you will: Create web access policies for Contoso users, including inspection of HTTPS sessions; Modify web access policy to include protection from malware; Investigate the Network Inspection System (NIS). Lab 2 - Exercises 3, 4, and 5. Estimated Completion Time: 60 min
    72. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
