Forefront Threat Management Gateway 2010. Introduction to Forefront TMG.
Transcript of Forefront Threat Management Gateway 2010. Introduction to Forefront TMG.
Forefront TMG Value Proposition
Firewall – Control network policy access at the edge
Secure Web Gateway – Protect users from Web browsing threats
Secure E-mail Relay – Protect users from e-mail threats
Remote Access Gateway – Enable users to remotely access corporate resources
Intrusion Prevention – Protect desktops and servers from intrusion attempts
Comprehensive
Integrated
Simplified
Features Summary
Firewall: VoIP traversal; enhanced NAT; ISP link redundancy
Secure Web Access: HTTP antivirus/antispyware; URL filtering; HTTPS forward inspection
E-mail Protection: Exchange Edge integration; antivirus; antispam
Intrusion Prevention: Network Inspection System
Remote Access: NAP integration with client VPN; SSTP integration
Deployment and Management: array management; change tracking; enhanced reporting; Windows Server 2008, native 64-bit
Subscription Services: malware protection; URL filtering; intrusion prevention
Deployment Scenarios: Networks
[Diagram: TMG connected to the Internet through ISP 1 and ISP 2, with DMZ EXT and DMZ INT segments, LAN 1, LAN 2 and LAN 3, a Branch site and a VPN client]
Network objects defined on TMG: Internal, External, Local Host, DMZ Internal, DMZ External, VPN Clients
Deployment Scenarios: Network Sets
[Same diagram; the DMZ Internal and DMZ External networks are grouped into a "DMZ Networks" network set]
Deployment Scenarios: Single Adapter
[Diagram: TMG with a single adapter facing LAN 1, LAN 2, LAN 3 and a VPN client; the Internet is reached through the same adapter]
Networks in this topology: Internal, Local Host, VPN Clients
Forefront TMG as a Secure Web Gateway
Competitive feature set: URL filtering, malware inspection, NIS
Easily manageable: Web Access Wizard, task-oriented policy management
Integrated: directory services integration, licensing
Logging and reporting support: new reports, new log fields
Scalable: array support, load balancing
Platform: Windows Server 2008 / R2
[Diagram: inspection layers stacked on the application layer proxy: Network Inspection System, URL filtering, HTTPS inspection and malware inspection, with logging and reporting across all of them]
Secure Web Gateway Layered Security
Unifies inspection technologies to protect against multi-channel threats and to simplify deployment
Keeps security up to date with updates to Web antimalware, URL filtering and the Network Inspection System
How HTTPS Inspection Works
Preparation: enable HTTPS inspection, generate the trusted root certificate, and install that root certificate on the clients. Without the root in the client's trust store, every inspected site produces a certificate warning in the browser.
When a client requests https://contoso.com:
1. Intercept the HTTPS traffic
2. Validate the contoso.com server certificate
3. Generate a contoso.com server proxy certificate on TMG
4. Copy the identity data from the original server certificate to the proxy certificate
5. Sign the new certificate with the TMG trusted root certificate
6. TMG keeps a certificate cache to avoid generating the same proxy certificate repeatedly
7. Present the proxy certificate to the client, i.e. pretend to be contoso.com
8. Bridge the HTTPS traffic between client and server
Result: the server still presents Contoso.com signed by VeriSign to TMG; the client sees Contoso.com signed by TMG.
HTTPS Traffic Inspection Process
HTTPS inspection terminates the SSL session at the proxy for both ends (one session between client and TMG, another between TMG and the server) and inspects the decrypted traffic against the configured threats.
The certificate generated by the proxy matches the URL expected by the client; it is trusted only because the TMG root certificate was installed on that client.
[Diagram: on the Internet side, Contoso.com signed by VeriSign over an SSL session to TMG; on the client side, Contoso.com signed by TMG over an SSL session to the client. URL Filtering, Malware Inspection and the Network Inspection System run on the decrypted stream in between.]
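The certificate handling in steps 2 to 7, as an added example in Go that is not part of the original deck and is not product code: a stand-in public CA and contoso.com server certificate are constructed, an inspector holding the TMG root mints a proxy certificate that copies the origin's subject and names, and a client-side check shows that the proxy certificate verifies only where the TMG root was installed. It also covers the fail-closed case the slide's step 2 implies: an origin certificate the proxy cannot validate is refused rather than re-signed. The CA names, the serial counter and the SHA-256 cache key are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1000 // assumption: a counter is enough for the example; real CAs use random serials

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey and parses the result back into a certificate.
func issue(tmpl *x509.Certificate, pub any, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ca makes a self-signed CA, used for the constructed "public" CA and for the TMG inspection root.
func ca(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	t := &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	c, err := issue(t, &key.PublicKey, t, key)
	if err != nil {
		panic(err)
	}
	return c, key
}

// NewOrigin builds a constructed public CA and a server certificate for host,
// standing in for the VeriSign-signed contoso.com certificate on the slide.
func NewOrigin(host string) (*x509.Certificate, *x509.CertPool) {
	caCert, caKey := ca("Public CA (constructed)")
	srv, err := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host, "www." + host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
	}, &mustKey().PublicKey, caCert, caKey)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return srv, roots
}

// Inspector stands in for TMG: it owns the inspection root's private key and
// a cache of proxy certificates keyed by the SHA-256 of the origin certificate.
type Inspector struct {
	Root    *x509.Certificate
	rootKey *ecdsa.PrivateKey
	cache   map[[32]byte]*tls.Certificate
}

func NewInspector() *Inspector {
	root, key := ca("Forefront TMG HTTPS Inspection Root (constructed)")
	return &Inspector{Root: root, rootKey: key, cache: map[[32]byte]*tls.Certificate{}}
}

// ProxyCertFor is steps 2-6 of the slide: validate the origin certificate for
// host against the public roots, reuse a cached proxy certificate, or mint one
// that copies the origin's identity (never its key) and sign it with the root.
func (in *Inspector) ProxyCertFor(host string, origin *x509.Certificate, publicRoots *x509.CertPool) (*tls.Certificate, error) {
	if _, err := origin.Verify(x509.VerifyOptions{Roots: publicRoots, DNSName: host}); err != nil {
		// Fail closed: a certificate the proxy cannot validate must not be
		// laundered into one the client trusts.
		return nil, fmt.Errorf("origin certificate rejected: %w", err)
	}
	fp := sha256.Sum256(origin.Raw)
	if c, ok := in.cache[fp]; ok {
		return c, nil
	}
	key := mustKey() // the proxy's own key pair; TMG serves the client session with it
	proxy, err := issue(&x509.Certificate{
		Subject: origin.Subject, DNSNames: origin.DNSNames,
		NotBefore: origin.NotBefore, NotAfter: origin.NotAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, &key.PublicKey, in.Root, in.rootKey)
	if err != nil {
		return nil, err
	}
	pc := &tls.Certificate{Certificate: [][]byte{proxy.Raw}, PrivateKey: key, Leaf: proxy}
	in.cache[fp] = pc
	return pc, nil
}

// ClientVerify is the browser's side: the proxy certificate chains only to the
// inspection root, so it verifies only where that root was installed.
func ClientVerify(cert *x509.Certificate, host string, trusted *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}
```

The practical caveat this makes visible: whoever holds the inspection root's private key can mint a trusted certificate for any name on every client that installed the root, so that key deserves the same protection as a domain CA key.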
HTTPS Inspection Notifications
Notification provided by the Forefront TMG client: notifies the user of inspection, keeps a history of recent notifications, and lets the user manage the notification exception list
Notifying users may be a legal requirement in some geographies
URL Filtering
91 built-in categories
Predefined and administrator-defined category sets
Integrates leading URL database providers
Subscription-based
URL category override; URL category query
Logging and reporting support; Web Access Wizard integration
Customizable, per-rule deny messages
[Diagram: TMG queries the URL DB of the Microsoft Reputation Service over the Internet]
URL Filtering Benefits
Control user web access based on URL categories
Protect users from known malicious sites
Reduce liability risks
Increase productivity
Reduce bandwidth and Forefront TMG resource consumption
Analyze Web usage
Utilizes Microsoft Reputation Service
Feedback mechanism on category overrides
Fetch on cache miss
SSL for authentication and privacy
No PII
How TMG Uses Microsoft Reputation Service
[Diagram: the categorizer on TMG consults the local cache and the policy; on a cache miss it fetches the URL category from MRS in Microsoft datacenters over SSL. MRS runs a federated query across multiple vendors' URL databases and combines the result with telemetry data. The telemetry path from TMG to MRS is also SSL.]
Cache: persistent, in-memory, weighted TTL
What Makes MRS Compelling?
Existing URL filtering solutions: a single vendor can't be an expert in all categories; categorization response time
MRS unique architecture: MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy)
Based on Microsoft internal sources as well as collaboration with third-party partners; scalable
Ongoing collaborative effort: recently announced an agreement with Marshal8e6, more announcements to follow
Per-rule Customization
TMG administrator can customize the denial message displayed to the user on a per-rule basis: add custom text or HTML, or redirect the user to a specific URL
URL Category Override
Administrator can override the categorization of a URL; the override is fed back to MRS via telemetry
HTTP Malware Inspection
Integrates the Microsoft antivirus engine
Signature and engine updates, subscription-based, delivered from Microsoft Update (MU) or WSUS to the signatures DB on TMG
Source and destination exceptions
Global and per-rule inspection options (encrypted files, nested archives, large files, ...)
Logging and reporting support; Web Access Wizard integration
Content delivery methods configurable by content type
Third-party plug-ins can be used (native malware inspection must then be disabled)
Content Trickling
[Diagram: a client GET for msrdp.cab passes through the Firewall Service, the Web Proxy and the Malware Inspection Filter; the filter keeps a request context and hands accumulated content to the scanner while trickling the 200 OK response to the client, so the client connection does not time out while the scan completes]
Malware Scanner Behavior
The antimalware engine serves three queues:
High priority queue: partial inspection for standard trickling; final inspection for files smaller than 1 MB when the progress page is not used
Normal priority queue: partial inspection for fast trickling; final inspection for files larger than 1 MB but smaller than 50 MB when the progress page is not used
Low priority queue: final inspection when the progress page is used; final inspection for files larger than 50 MB
Network Inspection System (NIS)
Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
Vulnerability-based signatures (vs. the exploit-based signatures used by competing solutions): the signature describes the protocol condition that triggers the vulnerability, so it is not tied to one exploit's byte pattern
Detects and can block attacks on network resources
NIS helps organizations reduce the vulnerability window: machines are protected against known vulnerabilities until the patch can be deployed, and signatures can be released and deployed much faster than patches, concurrently with the patch release
Integrated into Forefront TMG; synergy with HTTPS inspection, since NIS can run on the decrypted stream of inspected HTTPS sessions
New Vulnerability Use Case
1. Vulnerability is discovered
2. The signature authoring team prepares and tests the vulnerability signature
3. Signature released by Microsoft and deployed through the signature distribution service, on security patch release
4. All un-patched hosts on the corporate network behind Forefront TMG are protected
Network Inspection System Architecture
Design time: signatures and protocol parsers are written in the GAPA language and compiled
Run time: the NIS engine runs the compiled protocol parsers and signatures over intercepted network traffic
Signatures and protocol parsers are delivered through Microsoft Update; telemetry goes to the Microsoft portal
NIS Response Process
Threat identification, threat research, signature development, signature testing, encyclopedia write-up, signature release
Targeting 4 hours end to end
Other Network Protection Mechanisms
Common OS attack detection
DNS attack filtering
IP option filtering
Flood mitigation
DNS Attack Filtering
Enables the following checks in DNS traffic:
DNS host name overflow: a DNS response carrying a host name that exceeds 255 bytes
DNS length overflow: a DNS response carrying an IPv4 address that exceeds 4 bytes
DNS zone transfer: a DNS request to transfer zones from an internal DNS server
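The three checks above, as an added example in Go that is not from the deck and not product code: a small DNS wire-format parser that follows compression pointers and flags a name longer than 255 octets, an A record whose RDLENGTH exceeds 4, and an AXFR query. This is the protocol-decode style of check NIS is described with, rather than a byte-pattern match. The message builders at the end produce constructed test vectors, not captures; treating a message the parser cannot decode as an error to be dropped is this example's fail-closed choice, not something the slide states.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

const (
	typeA      = 1
	typeAXFR   = 252
	maxNameLen = 255 // RFC 1035 limit for a name in wire form
)

// Verdict is the filter's decision for one DNS message.
type Verdict struct {
	Drop   bool
	Reason string
}

// readName walks the (possibly compressed) name at off and returns its total
// length in wire octets after following pointers, plus the offset just past
// the name. Only a malformed or hostile message yields more than 255.
func readName(msg []byte, off int) (length, next int, err error) {
	jumped, hops := false, 0
	for {
		if off >= len(msg) {
			return 0, 0, errors.New("truncated name")
		}
		l := int(msg[off])
		switch {
		case l == 0: // root label ends the name
			if !jumped {
				next = off + 1
			}
			return length + 1, next, nil
		case l&0xC0 == 0xC0: // compression pointer
			if off+1 >= len(msg) {
				return 0, 0, errors.New("truncated pointer")
			}
			if !jumped {
				next = off + 2
			}
			jumped = true
			if hops++; hops > 16 {
				return 0, 0, errors.New("pointer loop")
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case l&0xC0 != 0:
			return 0, 0, errors.New("reserved label type")
		default:
			length += 1 + l
			off += 1 + l
		}
	}
}

// Inspect applies the three slide checks to one message. A message that
// cannot be decoded is returned as an error so the caller can drop it too.
func Inspect(msg []byte) (Verdict, error) {
	if len(msg) < 12 {
		return Verdict{}, errors.New("short header")
	}
	isResponse := msg[2]&0x80 != 0 // QR bit
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	rrs := 0 // ANCOUNT + NSCOUNT + ARCOUNT
	for _, o := range []int{6, 8, 10} {
		rrs += int(binary.BigEndian.Uint16(msg[o:]))
	}
	off := 12
	for i := 0; i < qd; i++ {
		n, next, err := readName(msg, off)
		if err != nil {
			return Verdict{}, err
		}
		if n > maxNameLen {
			return Verdict{true, "DNS host name overflow"}, nil
		}
		if next+4 > len(msg) {
			return Verdict{}, errors.New("truncated question")
		}
		if !isResponse && binary.BigEndian.Uint16(msg[next:]) == typeAXFR {
			return Verdict{true, "DNS zone transfer"}, nil
		}
		off = next + 4
	}
	for i := 0; i < rrs; i++ {
		n, next, err := readName(msg, off)
		if err != nil {
			return Verdict{}, err
		}
		if n > maxNameLen {
			return Verdict{true, "DNS host name overflow"}, nil
		}
		if next+10 > len(msg) {
			return Verdict{}, errors.New("truncated resource record")
		}
		rtype := binary.BigEndian.Uint16(msg[next:])
		rdlen := int(binary.BigEndian.Uint16(msg[next+8:]))
		if rtype == typeA && rdlen > 4 {
			return Verdict{true, "DNS length overflow"}, nil
		}
		if off = next + 10 + rdlen; off > len(msg) {
			return Verdict{}, errors.New("truncated RDATA")
		}
	}
	return Verdict{}, nil
}

// Constructed test vectors follow (not captures); labels must be <= 63 octets.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// Query builds a standard query (ID 0x1234, RD set) for name/qtype, class IN.
func Query(name string, qtype uint16) []byte {
	m := append([]byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}, encodeName(name)...)
	return append(m, byte(qtype>>8), byte(qtype), 0, 1)
}

// AResponse answers Query(name, A) with one A record carrying rdata; the
// record's owner name is a compression pointer back to the question at 12.
func AResponse(name string, rdata []byte) []byte {
	m := append([]byte{0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0}, encodeName(name)...)
	m = append(m, 0, 1, 0, 1, 0xC0, 12, 0, 1, 0, 1, 0, 0, 0x0E, 0x10) // QTYPE/QCLASS, owner ptr, TYPE A, CLASS IN, TTL 3600
	return append(append(m, byte(len(rdata)>>8), byte(len(rdata))), rdata...)
}
```

Note that the zone-transfer check is applied to queries only and the name-length check to every name in either direction; an IXFR request (type 251) is not covered because the slide names only zone transfers in general, so add it if the policy should cover incremental transfers too.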
IP Options Filtering
Forefront TMG can block IP packets based on the IP options set:
Deny all packets with any IP options
Deny packets with the selected IP options
Deny packets with all except the selected IP options
Forefront TMG can also block fragmented IP packets
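The three option-filtering modes and the fragment check, as an added example in Go that is not from the deck and not product code: the IPv4 header is parsed for its option list (IHL beyond 20 bytes) and fragment fields, and a policy object applies one of the three modes plus the optional fragment block. The option type numbers are the RFC 791 / IANA values; the packet builder produces constructed headers with a zero checksum, and treating an unparseable header as a deny is this example's fail-closed choice.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

type Mode int

const (
	DenyAllOptions        Mode = iota // "Deny all packets with any IP options"
	DenySelected                      // "Deny packets with the selected IP options"
	DenyAllExceptSelected             // "Deny packets with all except the selected IP options"
)

// Option type octets from RFC 791 / IANA (copied flag, class and number combined).
const (
	OptEOL         byte = 0
	OptNOP         byte = 1
	OptRR          byte = 7
	OptTimestamp   byte = 68
	OptLSRR        byte = 131
	OptSSRR        byte = 137
	OptRouterAlert byte = 148
)

type Policy struct {
	Mode           Mode
	Selected       map[byte]bool // option types named in the rule
	BlockFragments bool
}

// ParseIPv4 returns the option types carried in the header (NOP included,
// EOL excluded) and whether the packet is a fragment. A header that does not
// parse cleanly is an error, which Allow turns into a deny.
func ParseIPv4(pkt []byte) (opts []byte, fragment bool, err error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, false, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0F) * 4
	if ihl < 20 || ihl > len(pkt) {
		return nil, false, errors.New("bad IHL")
	}
	ff := binary.BigEndian.Uint16(pkt[6:])
	fragment = ff&0x2000 != 0 || ff&0x1FFF != 0 // MF set or non-zero fragment offset
	for i := 20; i < ihl; {
		t := pkt[i]
		if t == OptEOL {
			break
		}
		opts = append(opts, t)
		if t == OptNOP {
			i++
			continue
		}
		if i+1 >= ihl {
			return nil, fragment, errors.New("truncated option")
		}
		l := int(pkt[i+1])
		if l < 2 || i+l > ihl { // a zero length here would otherwise loop forever
			return nil, fragment, errors.New("bad option length")
		}
		i += l
	}
	return opts, fragment, nil
}

// Allow applies the policy to one packet and gives the reason for a deny.
func (p Policy) Allow(pkt []byte) (bool, string) {
	opts, frag, err := ParseIPv4(pkt)
	if err != nil {
		return false, "malformed header: " + err.Error()
	}
	if p.BlockFragments && frag {
		return false, "fragmented packet"
	}
	for _, t := range opts {
		switch p.Mode {
		case DenyAllOptions:
			return false, fmt.Sprintf("IP option %d present", t)
		case DenySelected:
			if p.Selected[t] {
				return false, fmt.Sprintf("IP option %d is denied", t)
			}
		case DenyAllExceptSelected:
			if !p.Selected[t] {
				return false, fmt.Sprintf("IP option %d is not on the allowed list", t)
			}
		}
	}
	return true, ""
}

// Packet builds a constructed IPv4 header (no payload, zero checksum) with the
// given raw option bytes and fragment fields, for exercising the filter.
func Packet(opts []byte, moreFragments bool, fragOffset uint16) []byte {
	for len(opts)%4 != 0 {
		opts = append(opts, OptEOL) // pad the option area to a 32-bit boundary
	}
	h := make([]byte, 20, 20+len(opts))
	h[0] = 0x40 | byte((20+len(opts))/4)
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(opts)))
	ff := fragOffset & 0x1FFF
	if moreFragments {
		ff |= 0x2000
	}
	binary.BigEndian.PutUint16(h[6:], ff)
	h[8], h[9] = 64, 6                                 // TTL, protocol TCP
	copy(h[12:], []byte{203, 16, 4, 1, 10, 0, 0, 3}) // src and dst (constructed)
	return append(h, opts...)
}
```

Loose and strict source routing (131 and 137) are the options most worth denying at an edge, since they let a sender dictate the return path; Router Alert (148) is the usual candidate for the "all except selected" allowed list.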
Flood Mitigation
Forefront TMG flood mitigation mechanism uses:
Connection limits that are used to identify and block malicious traffic
Logging of flood mitigation events
Alerts that are triggered when a connection limit is exceeded
TMG comes with default configuration settings
Exceptions can be set per computer set
[Slide table: default limit and custom limit for each connection-limit type]
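The mechanism above, as an added example in Go that is not from the deck and not product code: a per-client-IP cap on connect requests per minute, a default limit, a custom limit for the members of an exception computer set, a log entry per dropped request, and one alert per window when a limit is exceeded. The limit values 600 and 6000 and the exception CIDR are assumptions chosen for the test; the transcript does not label its table. Fixed one-minute windows are used to keep the example short, so the exact counting granularity is this example's choice, not the product's.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Limiter enforces "TCP connect requests per minute, per client IP" with a
// default limit and a custom limit for an exception computer set.
type Limiter struct {
	Limit       int          // default connection limit (assumed value in tests: 600)
	CustomLimit int          // limit for members of Exceptions (assumed: 6000)
	Exceptions  []*net.IPNet // the "computer set" that gets CustomLimit
	Now         func() time.Time
	Log         []string // one line per dropped request
	Alerts      []string // one alert per IP per window
	windows     map[string]*window
}

type window struct {
	start time.Time
	count int
}

// NewLimiter parses the exception set as CIDRs; an invalid entry is an error
// rather than a silently ignored exception.
func NewLimiter(limit, custom int, exceptions ...string) (*Limiter, error) {
	l := &Limiter{Limit: limit, CustomLimit: custom, Now: time.Now, windows: map[string]*window{}}
	for _, c := range exceptions {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("exception %q: %w", c, err)
		}
		l.Exceptions = append(l.Exceptions, n)
	}
	return l, nil
}

func (l *Limiter) limitFor(ip net.IP) int {
	for _, n := range l.Exceptions {
		if n.Contains(ip) {
			return l.CustomLimit
		}
	}
	return l.Limit
}

// Admit counts one connect request from ipStr and reports whether the
// firewall should forward it. Unparseable addresses are refused.
func (l *Limiter) Admit(ipStr string) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return false
	}
	now := l.Now()
	w := l.windows[ipStr]
	if w == nil || now.Sub(w.start) >= time.Minute {
		w = &window{start: now} // new fixed window for this client
		l.windows[ipStr] = w
	}
	w.count++
	limit := l.limitFor(ip)
	if w.count <= limit {
		return true
	}
	if w.count == limit+1 { // alert once per window, not once per dropped packet
		l.Alerts = append(l.Alerts, fmt.Sprintf("%s exceeded the limit of %d connect requests per minute at %s",
			ipStr, limit, now.Format(time.RFC3339)))
	}
	l.Log = append(l.Log, fmt.Sprintf("%s denied: %d/%d connect requests this minute", ipStr, w.count, limit))
	return false
}
```

Alerting once per window rather than per dropped packet matters in practice: a flood of a few thousand packets a second would otherwise turn the alert channel itself into the thing that falls over.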
Product Positioning
Forefront TMG 2010 vs. Forefront Unified Access Gateway (UAG)
Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats
Forefront UAG: comprehensive, secure remote access to corporate resources
Forefront UAG is the preferred solution for providing remote access
Forefront TMG 2010 still provides support for remote access features, but it is not the recommended solution
Non-HTTP Server Publishing
Allows mapping requests to non-Web servers in one of the TMG 2010 networks
Clients can be either on the Internet or on a different internal network
Can be used to publish most TCP and UDP protocols
Behavior depends on whether the non-Web server is behind a NAT relationship or not:
If behind NAT, clients connect to an IP address belonging to Forefront TMG
If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server
The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010
Sample Server Publishing Scenario: DNS Server Publishing
[Diagram: TMG with external address 10.0.0.3 and internal address 192.168.0.3; DNS server 192.168.0.100 with default gateway 192.168.0.3 (a SecureNAT client of TMG); FTP server 192.168.0.101 with default gateway 192.168.0.254, an internal router; external client 203.16.4.1]
1. DNS request from 203.16.4.1 to 10.0.0.3
2. Check rule match
Non-HTTP Server Publishing: things to consider when planning Server Publishing
No authentication support; access restriction by network elements only (networks, subnets, or IP addresses)
No support in a single adapter configuration
Client source IP address preserved by default; behavior can be changed using a rule setting
Application layer filter and NIS signature coverage: SMTP, POP3, DNS, etc.
Web Publishing
Provides secure access to Web content to users from the Internet
Web content may be either on internal networks or in a DMZ; supports HTTP and HTTPS connections
Forefront TMG 2010 Web Publishing features:
Mapping requests to specific internal paths on specific servers
Authentication and authorization of users at the TMG level
Delegation of user credentials to the published server after TMG authentication
Caching of the published content (reverse caching)
Inspection of incoming HTTPS requests using SSL bridging
Load balancing of client requests among Web servers in a server farm
Accessing Web Resources
[Diagram: Internet clients reach TMG over HTTPS; TMG forwards to an Exchange Server (OWA, RPC over HTTP(S), ActiveSync), a Web server and a SharePoint server, over HTTP or HTTPS as configured per server]
Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols
Securing SSL Traffic
SSL Bridging:
1. Client on the Internet encrypts communications
2. TMG 2010 decrypts and inspects the traffic
3. TMG 2010 sends allowed traffic to the published server, re-encrypting it if required
Authentication Process
1. Client credentials received
2-3. Credentials validated
4. Credentials delegated to the internal server
5. Server sends response
6. Response forwarded to the client
Single Sign On
Sample scenario: two published Web sites requiring authentication, Exchange.Company.Com and SharePoint.Company.Com, both using forms-based authentication (FBA)
Without Single Sign On:
1. User prompted for authentication
2. User clicks link to SharePoint
3. User prompted for authentication again
With Single Sign On:
1. User prompted for authentication
2. User clicks link to SharePoint
3. User NOT prompted for authentication
Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPNs: Remote Access VPN and site-to-site VPN
TMG 2010 implements Windows Server 2008 VPN technology
Implements support for Secure Socket Tunneling Protocol (SSTP)
Implements support for Network Access Protection (NAP)
Secure Socket Tunneling Protocol (SSTP)
New SSL-based VPN protoc ol
HTTP over an SSL session (TCP 443) between VPN clients and servers, used to exchange encapsulated IPv4 or IPv6 packets
Support for unauthenticated Web proxies
Support for Network Access Protection (NAP)
Client support in Windows Vista SP1
No plans to backport SSTP to previous versions
Network Access Protection (NAP)
Windows policy validation and enforcement platform
Policy validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.
Network restriction: restricts network access to computers based on their health.
Remediation: provides the necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.
Ongoing compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
NAP Support in Forefront TMG 2010
Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN
Supports all VPN protocols, including SSTP
Different solution than the Remote Access Quarantine Services (RQS) supported in ISA Server 2006
NAP validates the health status of the remote client at connection time
VPN network access limitation is done through IP packet filters applied to the VPN connection
Access limited to resources on the restricted network
[Diagram: client connects to Forefront TMG 2010, which consults the Network Policy Server; System Health Servers push ongoing policy updates to the Network Policy Server; Remediation Servers sit on the restricted network 10.10.10.0/24 next to the corporate network]
RADIUS Access-Accept for a non-compliant client: "According to policy, the client is not up to date. Quarantine client. Restrict client to 10.10.10.0/24"
RADIUS Access-Accept for a compliant client: "According to policy, the client is up to date. Grant access, no filters"
NAP with Forefront TMG Walkthrough
1. Client sends a VPN session request ("Can I please have access to the network?")
2. EAP Request/Identity; EAP Response/Identity
3. EAP Request/Start: send SoH
4. VPN QEC queries NAPAgent for SoHs
5. PEAP message: "Here is my SoH"
6. NPS replies with a PEAP message, State: Quarantine, plus SoH Responses
7. VPN QEC passes the SoH Responses back to NAPAgent
8. The unhealthy SHA performs remediation against the remediation servers ("Here is the fix you need")
9. NAPAgent collects a new SoH and passes it to the VPN QEC
10. PEAP message: "Here is my SoH"
11. NPS replies with a PEAP message, State: Full Access, plus SoH Responses
NAP Components
Health Components
System Health Agents (SHA): declare health (patch state, virus signatures, system configuration, etc.)
System Health Validators (SHV): certify the declarations made by the health agents
System Health Servers: define the health requirements for system components on the client
Remediation Servers: install the necessary patches, configurations and applications to bring clients to a healthy state
Enforcement Components
Quarantine Enforcement Clients (QEC): negotiate access with the network access device(s); DHCP, VPN, 802.1X and IPsec QECs
Quarantine Agent (QA): reports client health status and coordinates between the SHAs and the QECs
Quarantine Server (QS): restricts the client's network access based on what the SHV certifies
Health Registration Authority: issues certificates to clients that pass health checks
Platform Components
Network Policy Server (hosting the Quarantine Server and the SHVs): returns the health result
Network Access Devices (here Forefront TMG 2010): provide network access to healthy endpoints
[Diagram: the client (SHA1..SHAn, Quarantine Agent, QEC1 and QEC2) sends network access requests and health statements to the network access device, which passes them to the Network Policy Server (Quarantine Server, SHV1..SHVn); System Health Servers supply health policy updates, Remediation Servers supply the fixes]
Mail Protection – Forefront Threat Management Gateway
Full-featured SMTP hygiene
Exchange Edge Transport provides the SMTP stack (requires a valid license)
Integrated with Microsoft Forefront Protection 2010 for Exchange Server: antimalware, antispam, antiphishing
Also supports generic SMTP mail servers
E-mail Threats
~98% of all e-mail is spam or malicious
Over 400 billion unwanted e-mails in H2 2008
Estimated cost: $130 billion in 2009
Causes 90% of NDRs
Risk of software vulnerabilities
[Chart: percentage of incoming messages filtered by Forefront Online Protection for Exchange, 1H06 to 2H08]
The Solution: filter unwanted e-mail as early as possible
[Chart: percentage of incoming messages blocked by Forefront Protection for Exchange using edge blocking and content filtering, 1H06 to 2H08; series: edge filtered, content filtered, unfiltered]
E-mail Protection Features
Protection at the edge: protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server
Advanced protection and premium antispam: multiple scan engines to protect against malware and provide a premium antispam solution
Integrated management: easy management of the Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG
Array deployment: support for managing and load balancing traffic among multiple servers
Solution Components: Microsoft Products
Forefront Protection 2010 for Exchange Server
Microsoft® Exchange Server® 2007 (or 2010) Edge Transport
Forefront Threat Management Gateway
Windows Server® 2008 x64
Mail Protection – Forefront Threat Management Gateway
[Diagram: external network, TMG filter driver with the Network Inspection System (NIS), Exchange Edge role (receive connector, multi-layer filters, send connector) with Forefront Security for Exchange (FSE) anti-virus engines, internal network]
Typical Deployment Topology
[Diagram: any SMTP servers on the Internet, and a partner SMTP server over a TLS-encrypted connection, send SMTP traffic to the Forefront TMG array, which relays it to the myorg.com internal SMTP server on the internal network; EdgeSync runs between the array and the internal server (Exchange Server only)]
MX record pointing to the Forefront TMG external IP address
Configure SMTP Routes
Defines how Forefront TMG routes traffic from and to the organization's SMTP servers. At least two routes are required:
Internal_Mail_Servers: defines the IP addresses and SMTP domains of the internal mail servers
External_Mail_Servers: defines which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail
Configure Spam Filtering
Defines the spam filtering policy
Connection-level filtering: IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers
Protocol-level filtering: recipient filtering, sender filtering, Sender ID, sender reputation
Content-level filtering
Virus and Content Filtering
Configures antivirus, file attachment, and message body filtering
Virus filter: engine selection policy and remediation actions
File filters: unwanted file attachments based on file type, filename, and prefix
Message body filters: identify unwanted e-mail messages by applying keyword lists to the contents of the message body
Replicating Configuration to Exchange Server and FPE
1. Administrator edits the configuration in the TMG UI
2. Configuration stored to the DB
3. Array members load the new configuration
4. Each member configures the Exchange Edge service and the FPE service using the PowerShell API
Design Options
Single purpose and location, no high availability: Forefront TMG 2010 Standard Edition
Single purpose and location, high availability: Forefront TMG 2010 Enterprise Edition in a stand-alone array
Multiple purposes and/or locations, high availability: Enterprise Management Server
Single Purpose and Location
Forefront TMG 2010 Standard Edition (SE): light and medium traffic; all-in-one solution; no high availability requirements
[Diagram: Internet, single Forefront TMG Standard Edition server]
Single Purpose and Location, High Availability
Forefront TMG 2010 Enterprise Edition (EE): stand-alone array; shared configuration; high traffic solution
Simple upgrade from SE to EE: data maintained, only an EE license key is needed
Provides high availability and scale out
[Diagram: Internet, stand-alone array of Forefront TMG 2010 EE servers]
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.