
Forefront Threat Management Gateway 2010. Introduction to Forefront TMG.


1 Forefront Threat Management Gateway 2010

2 Introduction to Forefront TMG

3 Forefront TMG Value Proposition
- Firewall: control network policy access at the edge
- Secure Web Gateway: protect users from Web browsing threats
- Secure E-mail Relay: protect users from e-mail threats
- Remote Access Gateway: enable users to remotely access corporate resources
- Intrusion Prevention: protect desktops and servers from intrusion attempts
Comprehensive, Integrated, Simplified

4 Features Summary
- Firewall: VoIP traversal, enhanced NAT, ISP link redundancy
- Secure Web Access: HTTP antivirus/antispyware, URL filtering, HTTPS forward inspection
- E-mail Protection: Exchange Edge integration, antivirus, antispam
- Intrusion Prevention: Network Inspection System
- Remote Access: NAP integration with client VPN, SSTP integration
- Deployment and Management: array management, change tracking, enhanced reporting, W2K8, native 64-bit
- Subscription Services: malware protection, URL filtering, intrusion prevention

5 Deployment Scenarios: Networks (Internal, External, Local Host, DMZ Internal, DMZ External, VPN Clients)

6 Deployment Scenarios: Network Sets, DMZ Networks

7 Deployment Scenarios: Single Adapter (Internal, Local Host, VPN Clients)

8 Forefront TMG as a Secure Web Gateway
- Competitive Feature Set: URL Filtering, Malware Inspection, NIS
- Easily Manageable: Web Access Wizard, Task Oriented Policy Management, Directory Services Integration, Licensing
- Integrated Logging & Reporting Support: New reports, log fields
- Scalable: Array Support, Load balancing

9 Secure Web Gateway Layered Security
Stack: Windows Server® 2008 / R2, Logging & Reporting, Application Layer Proxy, Network Inspection System, URL Filtering, HTTPS Inspection, Malware Inspection
Unifies inspection technologies to:
- Protect against multi-channel threats
- Simplify deployment
Keeps security up to date with updates to:
- Web antimalware
- URL filtering
- Network Inspection System

10 HTTPS Inspection

11 How HTTPS Inspection Works
Setup: enable HTTPS inspection, generate trusted root certificate, install trusted root certificate on clients
Client requests https://contoso.com:
1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for client
8. Bridge HTTPS traffic between client and server contoso.com

12 HTTPS Traffic Inspection Process
- HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats (URL Filtering, Malware Inspection, Network Inspection System)
- Trusted certificate generated by proxy matching the URL expected by the client
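The eight steps of slide 11 and the "terminates at the proxy for both ends" statement of slide 12 are easier to follow in code. The following Go program is an added example written for this page, not Forefront TMG's own implementation (TMG's certificate handling is not on the page): it creates an inspection root, validates an origin certificate against a trust store, mints a proxy certificate that copies the origin's subject, SANs and validity window, signs it with the inspection root, and caches the result by the SHA-256 of the origin certificate. The CA names, the 90-day and 10-year validity periods, the host contoso.com taken from the slide, and the cache keying are assumptions of the example; the "public CA" it builds is a constructed stand-in for the origin server's real issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed with the new key when parent is nil)
// and returns the parsed certificate plus the fresh P-256 key generated for it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed
		parent, signer = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCert issues a self-signed CA for cn when ca is nil (the inspection root of slide 11, or
// a constructed public CA standing in for the origin's issuer), else a 90-day server cert for host cn.
func NewCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour)}
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.NotAfter = true, true, now.Add(10*365*24*time.Hour)
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return issue(tmpl, ca, caKey)
}

// Interceptor holds the inspection root plus the certificate cache of step 6, keyed by
// the SHA-256 of the origin certificate so a re-issued origin certificate is re-minted.
type Interceptor struct {
	Root   *x509.Certificate
	key    *ecdsa.PrivateKey
	cache  map[string]*x509.Certificate
	Minted int // proxy certificates actually generated (cache misses)
}

func NewInterceptor(cn string) (*Interceptor, error) {
	root, key, err := NewCert(cn, nil, nil)
	if err != nil {
		return nil, err
	}
	return &Interceptor{Root: root, key: key, cache: map[string]*x509.Certificate{}}, nil
}

// ProxyCertificate performs steps 2-6 of slide 11 for one origin certificate.
func (ic *Interceptor) ProxyCertificate(origin *x509.Certificate, trusted *x509.CertPool, host string) (*x509.Certificate, error) {
	// Step 2: chain, validity and hostname are verified on the proxy, since the client only
	// ever sees the proxy's certificate; skipping this would launder any forged origin cert.
	if _, err := origin.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host}); err != nil {
		return nil, fmt.Errorf("origin certificate rejected: %w", err)
	}
	sum := sha256.Sum256(origin.Raw)
	id := hex.EncodeToString(sum[:])
	if c, ok := ic.cache[id]; ok { // step 6: cache hit
		return c, nil
	}
	// Steps 3-5: copy subject, SANs and validity window from the origin certificate into a
	// new certificate signed by the inspection root. The fresh key issue() generates is
	// dropped here; a real proxy keeps it to serve the client-facing TLS session.
	cert, _, err := issue(&x509.Certificate{
		Subject: origin.Subject, DNSNames: origin.DNSNames, NotBefore: origin.NotBefore, NotAfter: origin.NotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ic.Root, ic.key)
	if err != nil {
		return nil, err
	}
	ic.cache[id] = cert
	ic.Minted++
	return cert, nil
}

func main() {
	ic, _ := NewInterceptor("Constructed TMG Inspection Root")
	publicCA, publicKey, _ := NewCert("Constructed Public CA", nil, nil)
	origin, _, _ := NewCert("contoso.com", publicCA, publicKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(publicCA)
	proxy, err := ic.ProxyCertificate(origin, trusted, "contoso.com")
	fmt.Println(proxy.Issuer.CommonName, proxy.DNSNames, err)
}
```

Step 2 is the one that carries the security of the whole scheme: once the inspection root is installed on clients, every client trusts whatever the proxy signs, so the proxy's validation of the origin certificate replaces the validation the browser would otherwise have done. Keying the cache by the origin certificate's hash (rather than by hostname) means a renewed or replaced origin certificate is re-validated and re-minted instead of being served from stale cache.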

13 HTTPS Inspection Notifications
- Notification provided by Forefront TMG client
- Notify user of inspection
- History of recent notifications
- Management of Notification Exception List
- May be a legal requirement in some geographies

14 HTTPS Inspection Notification: User Experience

15 URL Filtering

16 URL Filtering
- 91 built-in categories
- Predefined and administrator defined category sets
- Integrates leading URL database providers
- Subscription-based
- URL category override
- URL category query
- Logging and reporting support
- Web Access Wizard integration
- Customizable, per-rule, deny messages

17 URL Filtering Benefits
- Control user web access based on URL categories
- Protect users from known malicious sites
- Reduce liability risks
- Increase productivity
- Reduce bandwidth and Forefront TMG resource consumption
- Analyze Web usage
Utilizes Microsoft Reputation Service

18 How TMG Uses Microsoft Reputation Service
- Components: Policy, Categorizer, Cache (persistent, in-memory, weighted TTL), MRS (federated query across multiple vendors)
- Fetch on cache miss: MRS query (URL) over SSL for authentication and privacy; no PII
- Telemetry path (also SSL); combines with telemetry data
- Feedback mechanism on category overrides

19 What Makes MRS Compelling?
Existing URL filtering solutions:
- Single vendor can't be expert in all categories
- Categorization response time
MRS unique architecture:
- MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy)
- Based on Microsoft internal sources as well as collaboration with third party partners
- Scalable
- Ongoing collaborative effort: recently announced an agreement with Marshal8e6; more announcements to follow

20 URL Filtering Categories: Liability, Security, Productivity

21 Per-rule Customization
- TMG administrator can customize the denial message displayed to the user on a per-rule basis
- Add custom text or HTML
- Redirect the user to a specific URL

22 URL Category Override
- Administrator can override the categorization of a URL
- Feedback to MRS via Telemetry

23 User Experience

24 HTML tags

25 Malware Inspection

26 HTTP Malware Inspection
- Integrates Microsoft Antivirus engine
- Signature and engine updates
- Subscription-based
- Third party plug-ins can be used (native Malware inspection must be disabled)
- Source and destination exceptions
- Global and per-rule inspection options (encrypted files, nested archives, large files…)
- Logging and reporting support
- Web Access Wizard integration
- Content delivery methods by content type

27 Content Trickling
Components: Firewall Service, Web Proxy, Malware Inspection Filter (Request Context, Scanner)
Flow: GET msrdp.cab → 200 OK from the server → accumulated content scanned → 200 OK to the client

28 Malware Scanner Behavior (Antimalware Engine priority queues)
- High Priority Queue: partial inspection for Standard Trickling; final inspection for files smaller than 1 MB when Progress Page is not used
- Normal Priority Queue: partial inspection for Fast Trickling; final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used
- Low Priority Queue: final inspection when Progress Page is used; final inspection for files larger than 50 MB

29 Malware Inspection Per-rule Overrides

30 User Experience: Content Blocked

31 User Experience: Progress Notification

32 Network Inspection System (NIS)

33 Network Inspection System (NIS)
- Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
- Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
- Detects and potentially blocks attacks on network resources
- NIS helps organizations reduce the vulnerability window:
  - Protects machines against known vulnerabilities until a patch can be deployed
  - Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window
- Integrated into Forefront TMG
- Synergy with HTTPS Inspection

34 New Vulnerability Use Case
1. Vulnerability is discovered
2. Response team (Signature Authoring Team) prepares and tests the vulnerability signature
3. Signature released by Microsoft and deployed through the Signature Distribution Service, on security patch release
4. All un-patched hosts behind Forefront TMG on the corporate network are protected

35 Network Inspection System Architecture
Components: Design Time, Run Time, Protocol Parsers, Signatures, NIS Engine, Microsoft Update, Telemetry and Portal

36 NIS Response Process
Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release
Targeting 4 hours

37 Other Network Protection Mechanisms
- Common OS attack detection
- DNS attack filtering
- IP option filtering
- Flood mitigation

38 DNS Attack Filtering
Enables the following checks in DNS traffic:
- DNS host name overflow: DNS response for a host name exceeding 255 bytes
- DNS length overflow: DNS response for an IPv4 address exceeding 4 bytes
- DNS zone transfer: DNS request to transfer zones from an internal DNS server
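The three checks on slide 38 each map onto a specific field of the DNS wire format (RFC 1035): the length of an owner name, the RDLENGTH of an A record, and the QTYPE of a question. The Go program below is an added example written for this page, not TMG's filter (whose parsing rules are not on the page): it parses a DNS message, including compressed names, and flags the same three conditions, returning an error for truncated or malformed messages so that a caller can drop them. Measuring host name overflow on the uncompressed wire form of the name, flagging A records whose RDLENGTH exceeds 4, and treating both AXFR and IXFR as zone-transfer requests are this example's reading of the slide; the messages built by `build` are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Finding is one of the three checks listed on slide 38.
type Finding string

const (
	HostNameOverflow Finding = "DNS host name overflow"
	LengthOverflow   Finding = "DNS length overflow"
	ZoneTransfer     Finding = "DNS zone transfer"
	typeA, typeIXFR, typeAXFR = 1, 251, 252
	maxNameLen, flagQR        = 255, 0x8000 // RFC 1035 name limit; header QR bit (set on responses)
)

// readName decodes a possibly compressed name at off and returns the name, its
// uncompressed wire length (labels plus terminator) and the offset just past it.
func readName(msg []byte, off, depth int) (string, int, int, error) {
	var labels []string
	wire := 0
	for off < len(msg) {
		l := int(msg[off])
		switch {
		case l == 0:
			return strings.Join(labels, "."), wire + 1, off + 1, nil
		case l&0xC0 == 0xC0: // compression pointer: the rest of the name lives at the target
			if depth > 8 || off+1 >= len(msg) {
				return "", 0, 0, errors.New("bad pointer")
			}
			rest, w, _, err := readName(msg, int(binary.BigEndian.Uint16(msg[off:])&0x3FFF), depth+1)
			return strings.Join(append(labels, rest), "."), wire + w, off + 2, err
		case l > 63 || off+1+l > len(msg):
			return "", 0, 0, errors.New("bad label")
		}
		labels = append(labels, string(msg[off+1:off+1+l]))
		wire, off = wire+1+l, off+1+l
	}
	return "", 0, 0, errors.New("truncated name")
}

// Inspect parses one DNS message and returns the slide-38 findings it triggers;
// malformed or truncated messages come back as an error so the caller drops them.
func Inspect(msg []byte) (map[Finding]bool, error) {
	if len(msg) < 12 {
		return nil, errors.New("short header")
	}
	u16 := func(o int) int { return int(binary.BigEndian.Uint16(msg[o:])) }
	isResponse := u16(2)&flagQR != 0
	qd, rrs := u16(4), u16(6)+u16(8)+u16(10) // questions; answer+authority+additional records
	found, off := map[Finding]bool{}, 12
	for i := 0; i < qd+rrs; i++ {
		_, wire, next, err := readName(msg, off, 0)
		fixed := map[bool]int{true: 4, false: 10}[i < qd] // question: TYPE+CLASS; record: +TTL+RDLENGTH
		if err != nil || next+fixed > len(msg) {
			return found, fmt.Errorf("entry %d: malformed or truncated", i)
		}
		if isResponse && wire > maxNameLen { found[HostNameOverflow] = true }
		rtype := u16(next)
		off = next + fixed
		if i < qd {
			// Zone-transfer request; limiting the check to internal servers is a matter of where the filter sits.
			if !isResponse && (rtype == typeAXFR || rtype == typeIXFR) { found[ZoneTransfer] = true }
			continue
		}
		rdlen := u16(next + 8)
		if isResponse && rtype == typeA && rdlen > 4 { found[LengthOverflow] = true } // IPv4 is exactly 4 bytes
		if off += rdlen; off > len(msg) {
			return found, errors.New("truncated RDATA")
		}
	}
	return found, nil
}

// encodeName and build construct sample messages (one question and, when rdata is non-nil,
// one A record owned by answer); they enforce none of the limits Inspect checks.
func encodeName(name string) []byte {
	var b []byte
	for _, label := range strings.Split(name, ".") {
		b = append(append(b, byte(len(label))), label...)
	}
	return append(b, 0)
}

func build(flags uint16, qname string, qtype int, answer string, rdata []byte) []byte {
	msg := make([]byte, 12) // ID left zero; QDCOUNT=1, ANCOUNT=0 or 1
	msg[2], msg[3], msg[5] = byte(flags>>8), byte(flags), 1
	msg = append(append(msg, encodeName(qname)...), byte(qtype>>8), byte(qtype), 0, 1)
	if rdata != nil {
		msg[7] = 1
		msg = append(append(msg, encodeName(answer)...), 0, typeA, 0, 1, 0, 0, 0x0e, 0x10, 0, byte(len(rdata)))
		msg = append(msg, rdata...)
	}
	return msg
}

func main() {
	fmt.Println(Inspect(build(0x8180, "www.contoso.com", typeA, "www.contoso.com", []byte{192, 0, 2, 10, 0, 0})))
}
```

The parser walks every entry of the message rather than only the first answer, because an oversized name or A record can sit in the authority or additional section just as well as in the answer section. Following compression pointers while still counting the uncompressed length matters for the host-name check: a response can keep each pointer-compressed owner name short on the wire while the fully expanded name exceeds 255 bytes.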

39 IP Options Filtering
Forefront TMG can block IP packets based on the IP options set:
- Deny all packets with any IP options
- Deny packets with the selected IP options
- Deny packets with all except selected IP options
Forefront TMG can also block fragmented IP packets

40 Flood Mitigation
Forefront TMG flood mitigation mechanism uses:
- Connection limits that are used to identify and block malicious traffic
- Logging of flood mitigation events
- Alerts that are triggered when a connection limit is exceeded
TMG comes with default configuration settings; exceptions can be set per computer set (Limit / Custom Limit)
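The three bullets of slide 40 plus the per-computer-set exception, as an added Go example written for this page (not TMG's implementation; TMG's actual limit types and default values are not on the page): a default per-client concurrent-connection limit, a custom limit for clients in an exception computer set, an event log entry for every denied connection, and one alert per client the first time its limit is exceeded. The default limit of 3, the custom limit of 10, the 10.0.1.0/24 exception set and the client addresses are constructed values.

```go
package main

import (
	"fmt"
	"net"
)

// Limiter models the slide-40 mechanism: a default per-client connection limit, a
// custom limit for computer sets listed as exceptions, an event log, and one alert
// per client the first time its limit is exceeded.
type Limiter struct {
	DefaultLimit, CustomLimit int
	exceptions                []*net.IPNet   // computer sets that get CustomLimit
	active                    map[string]int // concurrent connections per client IP
	alerted                   map[string]bool
	Events                    []string // flood mitigation event log (one line per denial)
	Alerts                    []string // alerts raised (one per client)
}

// NewLimiter parses the exception computer sets, given as CIDR prefixes.
func NewLimiter(defaultLimit, customLimit int, exceptionCIDRs ...string) (*Limiter, error) {
	l := &Limiter{DefaultLimit: defaultLimit, CustomLimit: customLimit,
		active: map[string]int{}, alerted: map[string]bool{}}
	for _, c := range exceptionCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("exception computer set %q: %w", c, err)
		}
		l.exceptions = append(l.exceptions, n)
	}
	return l, nil
}

// LimitFor returns the limit that applies to ip: the custom limit when ip falls
// inside an exception computer set, the default limit otherwise.
func (l *Limiter) LimitFor(ip net.IP) int {
	for _, n := range l.exceptions {
		if n.Contains(ip) {
			return l.CustomLimit
		}
	}
	return l.DefaultLimit
}

// Open accounts for a new connection from client and reports whether it is allowed.
// A denied connection is logged, and the first denial for a client raises an alert.
func (l *Limiter) Open(client string) bool {
	ip := net.ParseIP(client)
	if ip == nil {
		return false
	}
	key, limit := ip.String(), l.LimitFor(ip)
	if l.active[key] >= limit {
		l.Events = append(l.Events, fmt.Sprintf("denied %s: %d concurrent connections at limit %d", key, l.active[key], limit))
		if !l.alerted[key] {
			l.alerted[key] = true
			l.Alerts = append(l.Alerts, fmt.Sprintf("connection limit %d exceeded by %s", limit, key))
		}
		return false
	}
	l.active[key]++
	return true
}

// Close releases one connection slot for client.
func (l *Limiter) Close(client string) {
	if ip := net.ParseIP(client); ip != nil && l.active[ip.String()] > 0 {
		l.active[ip.String()]--
	}
}

func main() {
	l, err := NewLimiter(3, 10, "10.0.1.0/24") // constructed: default 3, custom 10 for one internal subnet
	if err != nil {
		panic(err)
	}
	for i := 0; i < 5; i++ {
		fmt.Println("192.0.2.5 allowed:", l.Open("192.0.2.5"))
	}
	fmt.Println(l.Alerts)
}
```

Alerting once per client while logging every denial keeps the alert channel useful during a flood: the log preserves the full count for later analysis, while an operator sees one alert per offending source rather than one per dropped connection.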

41 Product Positioning: Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG)
- Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats
- Forefront UAG: comprehensive, secure remote access to corporate resources
- Forefront UAG is the preferred solution for providing remote access; Forefront TMG 2010 still provides support for remote access features, but is not the recommended solution

42 Server Publishing

43 Non-HTTP Server Publishing
- Allows mapping requests for non-Web servers in one of the TMG 2010 networks
- Clients can be either on the Internet or on a different internal network
- Can be used to publish most TCP and UDP protocols
- Behavior depends on whether the non-Web server is behind a NAT relationship or not:
  - If behind NAT, clients connect to an IP address belonging to Forefront TMG
  - If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server
- The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010

44 Sample Server Publishing Scenario: DNS Server Publishing
1. DNS request → Check rule match

45 Check Publishing Rule Match

46 Non-HTTP Server Publishing: Things to consider when planning Server Publishing
- No authentication support
- Access restriction by network elements only (networks, subnets, or IP addresses)
- No support in single adapter configuration
- Client source IP address preserved (behavior can be changed using a rule setting)
- Application Layer Filter and NIS signature coverage (SMTP, POP3, DNS, etc.)

47 Web Publishing
- Provides secure access to Web content to users from the Internet
- Web content may be either on internal networks or in a DMZ
- Supports HTTP and HTTPS connections
Forefront TMG 2010 Web Publishing features:
- Mapping requests to specific internal paths in specific servers
- Allows authentication and authorization of users at TMG level
- Allows delegation of user credentials after TMG authentication
- Caching of the published content (reverse caching)
- Inspection of incoming HTTPS requests using SSL bridging
- Load balancing of client requests among Web servers in a server farm

48 Accessing Web Resources Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols

49 Securing SSL Traffic: SSL Bridging
1. Client on Internet encrypts communications
2. TMG 2010 decrypts and inspects traffic
3. TMG 2010 sends allowed traffic to published server, re-encrypting it if required

50 Authentication Process
1. Client credentials received
2-3. Credentials validated
4. Credentials delegated to internal server
5. Server sends response
6. Response forwarded to client

51 Single Sign On: Sample Scenario, two published Web sites requiring AuthN
Without Single Sign-on:
1. User prompted for authentication
2. User clicks link to SharePoint
3. User prompted for authentication again
With Single Sign-on:
1. User prompted for authentication
2. User clicks link to SharePoint
3. User NOT prompted for authentication

52 Forefront TMG Virtual Private Networking (VPN)

53 TMG 2010 supports two types of VPNs:
- Remote Access VPN
- Site-to-site VPN
TMG 2010 implements Windows Server® 2008 VPN technology:
- Implements support for Secure Socket Tunneling Protocol (SSTP)
- Implements support for Network Access Protection (NAP)

54 Secure Socket Tunneling Protocol (SSTP)
- New SSL-based VPN protocol
- HTTP with SSL session (TCP 443) between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets
- Support for unauthenticated Web proxies
- Support for Network Access Protection (NAP)
- Client support in Windows Vista® SP1
- No plans to backport SSTP to previous versions

55 Network Access Protection (NAP): Windows Policy Validation and Enforcement Platform
- Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.
- Network Restriction: restricts network access to computers based on their health.
- Remediation: provides necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.
- Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

56 NAP Support in Forefront TMG 2010
- Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN
- Supports all VPN protocols, including SSTP
- Different solution than the Remote Access Quarantine Services (RQS) supported in ISA Server 2006
- NAP validates health status of the remote client at connection time
- VPN network access limitation is done through IP packet filters applied to the VPN connection
- Access limited to resources on the restricted network

57 NAP with Forefront TMG Walkthrough
Participants: Client, Forefront TMG 2010 (network access device), Network Policy Server, System Health Servers, Remediation Servers (Restricted Network), Corporate Network
1. Client: VPN Session Request ("Can I please have access to the network?")
2. EAP messages: EAP-Request/Identity; EAP-Response/Identity; EAP-Request/Start, Send SOH
3. VPN QEC queries NAPAgent for SOHs; Client sends PEAP messages to the Network Policy Server ("Here is my SOH")
4. Network Policy Server: according to policy, the client is not up to date. Quarantine client. RADIUS Access-Accept; PEAP message State: Quarantine, SOH Responses. Restrict client to the /24 restricted network
5. VPN QEC passes SoH Responses back to NAPAgent; unhealthy SHA performs remediation against remediation servers ("Here is the fix you need")
6. NAPAgent collects new SoH and passes it to VPN QEC; Client sends PEAP messages ("Here is my SOH")
7. Network Policy Server: according to policy, the client is up to date. Grant access, no filters. RADIUS Access-Accept; PEAP message State: Full Access, SOH Responses
Ongoing policy updates flow from the System Health Servers to the Network Policy Server

58 NAP Components
Groups: Health Components, Enforcement Components, Platform Components
- System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.)
- System Health Validators (SHV) = Certify declarations made by health agents
- System Health Servers = Define health requirements for system components on the client
- Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state
- Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC
- Quarantine Server (QS) = Restricts client's network access based on what SHV certifies
- Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs
- Health Registration Authority = Issues certificates to clients that pass health checks
- Network Access Devices (Forefront TMG 2010) = Provide network access to healthy endpoints
Flows: health policy updates, health statements, network access requests, health result

59 Mail Protection

60 Mail Protection – Forefront Threat Management Gateway
- Full featured SMTP hygiene
- Exchange Edge Transport for SMTP stack (requires valid license)
- Integrated with Microsoft® Forefront™ Protection 2010 for Exchange Server: antimalware, antispam, antiphishing
- Also supports generic SMTP mail servers

61 E-mail Threats
- ~98% of all e-mail is spam/malicious
- Over 400 billion unwanted e-mails in H
- Estimated cost is $130 billion in 2009
- Causes 90% of NDRs
- Risk of software vulnerabilities

62 The Solution: Filter unwanted e-mail as early as possible
Chart: Percentage of incoming messages blocked by Forefront™ Protection for Exchange using edge-blocking and content filtering, 1H06-2H08

63 Protection Features
- Protection at the edge: protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server
- Advanced protection and premium antispam: multiple scan engines to protect against malware and provide a premium antispam solution
- Integrated management: easy management of Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG
- Array deployment: support for managing and load balancing traffic among multiple servers

64 Solution Components (Microsoft Products)
- Forefront Protection 2010 for Exchange Server
- Microsoft® Exchange Server® 2007 (or 2010) Edge Transport
- Forefront Threat Management Gateway
- Windows Server® 2008 x64

65 Mail Protection – Forefront Threat Management Gateway

66 Typical Deployment Topology
- Internet: partner SMTP server (TLS encrypted connection), any SMTP servers
- MX for myorg.com pointing to Forefront TMG external IP address
- Forefront TMG array handles SMTP traffic
- Internal Network: internal SMTP server; EdgeSync (Exchange Server only)

67 Configure SMTP Routes
Defines how Forefront TMG routes traffic from and to the organization SMTP servers. At least two routes required:
- Internal_Mail_Servers: define the IP addresses and SMTP domains of the internal mail servers
- External_Mail_Servers: define which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail

68 Configure Spam Filtering
Defines spam filtering policy:
- Connection-level filtering: IP Allow List, IP Allow List Providers, IP Block List, Block List Providers
- Protocol-level filtering: Configuring Recipient Filtering, Configuring Sender Filtering, Configuring Sender ID, Configuring Sender Reputation
- Content-level filtering

69 Spam Filtering: Connection-level Filtering

70 Virus and Content Filtering
Configures antivirus, file attachment, and message body filtering:
- Virus filter: engine selection policy and remediation actions
- File filters: unwanted file attachments based on file type, filename, and prefix
- Message body filters: identify unwanted messages by applying keyword lists to the contents of the message body

71 Virus and Content Filtering

72 Replicating Configuration to Exchange Server and FPE
1. Administrator configures through the TMG UI
2. Store to DB
3. Array members load new configuration
4. Configure services (Exchange Edge Service, FPE Service) using PowerShell API

73 Design Options
- Single purpose and location, no high availability: Forefront TMG 2010 Standard Edition
- Single purpose and location, high availability: Forefront TMG 2010 Enterprise Edition in stand-alone array
- Multiple purposes and/or locations, high availability: Enterprise Management Server

74 Single Purpose and Location: Forefront TMG 2010 Standard Edition (SE)
- Light and medium traffic
- All-in-one solution
- No high availability requirements

75 Single Purpose and Location: Forefront TMG 2010 Enterprise Edition (EE), stand-alone array
- Shared configuration
- High traffic solution
- Simple upgrade to EE: data maintained, EE license key
- Provides high availability and scale out

76 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
