
How to increase network security with Forefront TMG. Jože Markič, Kompas Xnet d.o.o.




1 How to increase network security with Forefront TMG
Jože Markič, Kompas Xnet d.o.o.
joze.markic@kompas-xnet.si

2 Agenda
What is TMG?
TMG deployments
Comparison with ISA
Subscriptions
Secure Web Gateway
o HTTPS inspection
o URL filtering
o Malware protection
o Intrusion prevention

3 Forefront Edge Security and Access Products (Before / Now: Network Protection, Network Access)
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
Integrated and comprehensive protection from Internet-based threats
Unified platform for all enterprise remote access needs

4 Forefront TMG Value Proposition
Firewall: control network policy access at the edge
Secure Web Gateway: protect users from Web browsing threats
Secure E-mail Relay: protect users from e-mail threats
Remote Access Gateway: enable users to remotely access corporate resources
Intrusion Prevention: protect desktops and servers from intrusion attempts
Comprehensive, Integrated, Simplified

5 Forefront TMG Deployment Scenarios
Unified Threat Management (UTM): all-in-one solution for medium businesses; firewall, VPN, Web security, IPS and e-mail relay in a single box
Secure Web Gateway: authenticating proxy with security; Web antivirus and URL filtering; inspection of HTTP and HTTPS traffic
Remote Access Gateway: secure Web publishing; dial-in VPN; site-to-site VPN
Secure E-mail Relay: antispam; antivirus; e-mail filtering

6 Features Summary
Firewall: VoIP traversal; enhanced NAT; ISP link redundancy
Secure Web Access: HTTP antivirus/antispyware; URL filtering; HTTPS forward inspection
E-mail Protection: Exchange Edge integration; antivirus; antispam
Intrusion Prevention: Network Inspection System
Remote Access: NAP integration with client VPN; SSTP integration
Deployment and Management: array management; change tracking; enhanced reporting; W2K8, native 64-bit
Subscription Services: malware protection; URL filtering; intrusion prevention

7 Features Summary: Comparing with ISA Server 2006
Features compared (ISA Server 2006 vs. Forefront TMG):
Network layer firewall
Application layer firewall
Internet access protection (proxy)
Basic OWA and SharePoint publishing
IPSec VPN (remote and site-to-site)
Web caching, HTTP compression
Web antivirus, antimalware
URL filtering
E-mail antimalware, antispam
Network intrusion prevention
Marked on the slide for Forefront TMG:
New: Exchange publishing (RPC over HTTP)
Enhanced: UI, management, reporting
New: Windows Server® 2008 R2, 64-bit (only)

8 Forefront TMG Licensing
Two editions and two Client Access Licenses (CALs)
Editions: Standard Edition (full UTM); Enterprise Edition (scalability and management)
Subscriptions (CALs): Web protection; E-mail protection

9 Comparing Forefront TMG Editions

10 Subscriptions
Subscription-based licenses
o Sold as Client Access Licenses (CALs)
o Charged per user/per year
Protection Components
o E-mail protection: Antispam, Antivirus
o HTTP protection: Antimalware, URL filtering
o Network Inspection System is free!

11 Single Adapter Scenario
Forefront TMG supports using a single network adapter
Supported scenarios
o Secure Web Gateway (forward Web proxy and cache)
o Web Publishing (reverse Web proxy and cache)
o Remote client VPN access
Unsupported scenarios
o Application layer inspection (except for Web proxy)
o Server publishing
o Non-Web clients (Firewall client, SecureNAT)
o Site-to-site VPNs

12 Secure Web Gateway

13 Threats and Controls
Controls: Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS
Threats: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control
(The slide's matrix rates each control against each threat as Full, Partial or Enabler.)

14 Forefront TMG HTTPS Traffic Inspection
HTTPS Inspection terminates the SSL traffic at the proxy for both ends and inspects the traffic against different threats
o Trusted certificate generated by the proxy, matching the URL expected by the client
Inspection engines applied to the decrypted traffic: URL Filtering, Malware Inspection, Network Inspection System

15 Enabling HTTPS Traffic Inspection
Certificate deployment (via Active Directory® or Import/Export)
Configure HTTPS Inspection:
o Proxy certificate generation/import and customization
o Source and destination exclusions
o Validate only option
o Notification
Client notifications about HTTPS inspection (via Firewall client)
Certificate validation (revocation, trusted, expiration validation, etc.)
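The decisions that slides 14 and 15 describe (source and destination exclusions, the "validate only" option, and certificate validation for revocation, trust and expiration) can be written down as one policy function. The following is an added example, not Forefront TMG's own code: the data classes, the function names, the rule that exclusions bypass both decryption and validation, and all sample addresses, hosts and certificates are constructed for illustration.

```python
"""Model of the HTTPS inspection decisions described on the slides.

Added example, not Forefront TMG's own code: the policy fields follow the
slide, but the data model, function names, assumed semantics and sample
values are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatch


@dataclass
class ServerCertificate:
    """The minimal facts about a server certificate that the checks below need."""
    subject: str
    issuer: str
    not_after: datetime
    revoked: bool = False


@dataclass
class HttpsInspectionPolicy:
    enabled: bool = True
    validate_only: bool = False
    source_exclusions: set = field(default_factory=set)       # client addresses never inspected
    destination_exclusions: set = field(default_factory=set)  # host patterns never inspected
    trusted_issuers: set = field(default_factory=set)         # CAs the gateway trusts


def validate_certificate(cert, policy, now):
    """Return the list of validation failures (an empty list means acceptable)."""
    problems = []
    if cert.issuer not in policy.trusted_issuers:
        problems.append("untrusted issuer")
    if cert.not_after <= now:
        problems.append("expired")
    if cert.revoked:
        problems.append("revoked")
    return problems


def decide(policy, client_ip, host, cert, now):
    """Map one outbound HTTPS connection to the action the gateway takes.

    Assumed semantics: an excluded source or destination bypasses both
    decryption and validation; otherwise the server certificate is validated
    first, and a bad certificate is blocked whether or not full inspection
    (decryption) is enabled.
    """
    if not policy.enabled or client_ip in policy.source_exclusions:
        return "bypass"
    if any(fnmatch(host, pattern) for pattern in policy.destination_exclusions):
        return "bypass"
    problems = validate_certificate(cert, policy, now)
    if problems:
        return "block: " + ", ".join(problems)
    return "validate only" if policy.validate_only else "inspect"


# Constructed sample policy and certificates.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
POLICY = HttpsInspectionPolicy(
    source_exclusions={"10.0.0.50"},            # e.g. a host using client-certificate authentication
    destination_exclusions={"*.bank.example"},  # e.g. online banking excluded by policy
    trusted_issuers={"Example Public CA"},
)
GOOD_CERT = ServerCertificate("www.example.org", "Example Public CA",
                              datetime(2025, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = ServerCertificate("old.example.org", "Example Public CA",
                                 datetime(2023, 6, 1, tzinfo=timezone.utc))
SELF_SIGNED = ServerCertificate("dev.example.org", "dev.example.org",
                                datetime(2025, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for ip, host, cert in [("10.0.0.7", "www.example.org", GOOD_CERT),
                           ("10.0.0.50", "www.example.org", GOOD_CERT),
                           ("10.0.0.7", "login.bank.example", GOOD_CERT),
                           ("10.0.0.7", "old.example.org", EXPIRED_CERT),
                           ("10.0.0.7", "dev.example.org", SELF_SIGNED)]:
        print(ip, host, "->", decide(POLICY, ip, host, cert, NOW))
```

The ordering matters for the "validate only" setting: validation still happens before the traffic is passed through, so a self-signed or expired server certificate is blocked even when the gateway is not decrypting.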

16 Configuring HTTPS Inspection

17 Configuring HTTPS Inspection

18 Configuring HTTPS Inspection

19 HTTPS Inspection Notifications
Notification provided by Forefront TMG client
o Notify user of inspection
o History of recent notifications
o Management of Notification Exception List
May be a legal requirement in some geographies

20 HTTPS Inspection Notification: User Experience

21 Forefront TMG URL Filtering
91 built-in categories
Predefined and administrator defined category sets
Integrates leading URL database providers
Subscription-based
URL category override
URL category query
Logging and reporting support
Web Access Wizard integration
Customizable, per-rule, deny messages

22 URL Filtering Benefits
Control user web access based on URL categories
Protect users from known malicious sites
Reduce liability risks
Increase productivity
Reduce bandwidth and Forefront TMG resource consumption
Analyze Web usage

23 What Makes MRS Compelling?
Existing URL filtering solutions
o A single vendor can't be an expert in all categories
o Categorization response time
MRS (Microsoft Reputation Service) unique architecture
o MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy)
o Based on Microsoft internal sources as well as collaboration with third party partners
o Scalable
Ongoing collaborative effort
o Recently announced an agreement with Marshal8e6
o More announcements to follow

24 How Forefront TMG Leverages MRS
Policy consults the Categorizer, which answers from its cache and, on a cache miss, fetches the URL category from MRS.
Cache: persistent, in-memory, weighted TTL; combines with telemetry data
MRS query (URL): federated query across multiple vendors; SSL for authentication and privacy; no PII
Telemetry path (also SSL): feedback mechanism on category overrides

25 URL Filtering Categories: Liability, Security, Productivity

26 URL Filtering category precedence
No. | Category
1 | "Malicious"
2 | "Pornography"
3 | "Botnet"
4 | "Phishing"
5 | "Criminal Activities"
6 | "Hate/Discrimination"
… | …
75 | "Unknown"
http://www.microsoft.com/security/portal/mrs/

27 Categories and Inheritance

28 URL Filtering Policy
URL categories are standard network objects
Administrator can create custom URL category sets

29 URL Filtering Policy

30 Contoso's Web Access Policy
Access rule allowing users in the Research group to access gambling and gambling-related sites
Access rule denying everyone access to Liability and Security sites

31 Per-rule Customization
TMG administrator can customize the denial message displayed to the user on a per-rule basis
o Add custom text or HTML
o Redirect the user to a specific URL

32 URL Filtering Configuration

33 Category Query
Administrator can use the URL Filtering Settings dialog box to query the URL filtering database
o Enter the URL or IP address as input
o The result and its source are displayed on the tab

34 URL Category Override
Administrator can override the categorization of a URL
o Feedback to MRS via Telemetry
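Slides 24, 26, 28, 30 and 34 together describe one pipeline: several vendor databases are merged, the category with the highest precedence wins, an administrator override replaces the lookup, and ordered access rules (the Contoso example: Research may reach gambling sites, everyone is denied Liability and Security) decide the request. The following is an added example, not Forefront TMG's or MRS's code. The first six precedence entries and "Unknown" are from slide 26; the remaining categories and their positions, the category-set memberships, the vendor answers, the override and the final "allow everyone else" rule are constructed for illustration.

```python
"""URL categorization with category precedence, administrator overrides and
access-rule evaluation. Added example, not Forefront TMG's or MRS's code."""

# Highest-precedence category first. Entries 1-6 and "Unknown" are from the
# slide; "Gambling", "Games" and "Finance" and their positions are assumed.
PRECEDENCE = [
    "Malicious", "Pornography", "Botnet", "Phishing", "Criminal Activities",
    "Hate/Discrimination", "Gambling", "Games", "Finance", "Unknown",
]
RANK = {name: position for position, name in enumerate(PRECEDENCE)}

# Predefined category sets; membership is assumed for the example.
CATEGORY_SETS = {
    "Liability": {"Pornography", "Criminal Activities", "Hate/Discrimination", "Gambling"},
    "Security": {"Malicious", "Botnet", "Phishing"},
    "Productivity": {"Games"},
}

# Access rules are evaluated in order and the first match wins. The third
# rule is an assumption added so that uncategorized traffic has an outcome;
# without it the default rule denies everything.
RULES = [
    {"name": "Research gambling", "action": "allow", "groups": {"Research"},
     "categories": {"Gambling"}},
    {"name": "Block Liability and Security", "action": "deny", "groups": None,
     "categories": CATEGORY_SETS["Liability"] | CATEGORY_SETS["Security"]},
    {"name": "Allow everyone else", "action": "allow", "groups": None,
     "categories": None},
]


def categorize(host, vendor_answers, overrides):
    """Merge the categories several vendors return and keep the one with the
    highest precedence; an administrator override replaces the lookup."""
    if host in overrides:
        return overrides[host]
    categories = set()
    for answer in vendor_answers.get(host, []):
        categories.update(answer)
    if not categories:
        return "Unknown"
    return min(categories, key=lambda c: RANK.get(c, RANK["Unknown"]))


def evaluate(user_groups, host, vendor_answers, overrides):
    """Return (action, category, rule name) for a user's request to host.
    groups=None means the rule applies to everyone; categories=None means
    any category."""
    category = categorize(host, vendor_answers, overrides)
    for rule in RULES:
        group_match = rule["groups"] is None or bool(set(user_groups) & rule["groups"])
        category_match = rule["categories"] is None or category in rule["categories"]
        if group_match and category_match:
            return rule["action"], category, rule["name"]
    return "deny", category, "default rule"


# Constructed vendor answers (one set per vendor) and one constructed override.
VENDOR_ANSWERS = {
    "casino.example": [{"Gambling"}, {"Games", "Gambling"}],
    "poker-dropper.example": [{"Gambling"}, {"Malicious"}],
    "news.example": [{"Finance"}],
    "brand-new-site.example": [],
}
OVERRIDES = {"partner-lottery.example": "Finance"}

if __name__ == "__main__":
    for groups, host in [({"Research"}, "casino.example"), ({"Sales"}, "casino.example"),
                         ({"Research"}, "poker-dropper.example"), ({"Sales"}, "news.example"),
                         ({"Sales"}, "brand-new-site.example"), ({"Sales"}, "partner-lottery.example")]:
        print(sorted(groups), host, "->", evaluate(groups, host, VENDOR_ANSWERS, OVERRIDES))
```

Two details worth noticing: a site that one vendor calls "Gambling" and another calls "Malicious" is treated as "Malicious" because precedence is decided before the rules run, so the Research allow rule never sees it; and an override removes that protection for the overridden host, which is why slide 34 feeds overrides back to MRS as telemetry.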

35 User Experience

36 HTML tags

37 New in SP1

38

39 HTTP Malware Inspection
Integrates Microsoft Antivirus engine
Signature and engine updates
Subscription-based
Third party plug-ins can be used (native Malware inspection must be disabled)
Source and destination exceptions
Global and per-rule inspection options (encrypted files, nested archives, large files…)
Logging and reporting support
Web Access Wizard integration
Content delivery methods by content type

40 Content Trickling
Components: Firewall Service, Web Proxy, Malware Inspection Filter, Request Context, Scanner
Message sequence: GET msrdp.cab -> 200 OK from the server -> content accumulated and handed to the scanner -> 200 OK delivered to the client

41 Progress Notification
Components: Firewall Service, Web Proxy, Malware Inspection Filter, Primary Request Context, Secondary Request Context, Downloads Map, Scanner
Message sequence:
GET setup.exe
200 OK (setup.exe) -> content accumulated for the scanner
200 OK (HTML) -> progress page returned to the client
GET GetDownloadStatus -> 200 OK (Retrieving)
GET GetDownloadStatus -> 200 OK (Scanning)
GET GetDownloadStatus -> 200 OK (Ready)
GET FinalDownload -> 200 OK (setup.exe)

42 Enabling Malware Inspection
Activate the Web Protection license
Enable malware inspection on Web access rules
o Web Access Policy Wizard or New Access Rule Wizard for new rules
o Rule properties for existing rules

43 Malware Inspection Global Settings
Administrator can configure malware blocking behavior:
o Low, medium and high severity threats
o Suspicious files
o Corrupted files
o Encrypted files
o Archive bombs (too many depth levels or unpacked content too large)
o File size too large
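Several of the blocking settings above (corrupted files, encrypted files, archive bombs by depth or unpacked size, oversized files) are structural checks that can be made without antivirus signatures. The following is an added example, not Forefront TMG's scanner: the limit values, the verdict strings and the in-memory sample archives are constructed for illustration, and the real engine also applies signature scanning, which this example does not attempt.

```python
"""Archive checks of the kind listed under Malware Inspection Global Settings.

Added example, not Forefront TMG's scanner: limits, verdict strings and the
constructed sample archives are mine.
"""
import io
import zipfile

LIMITS = {
    "max_file_size": 5_000_000,   # bytes on the wire (assumed value)
    "max_unpacked": 1_000_000,    # total declared size of all members (assumed)
    "max_depth": 3,               # archive-in-archive levels allowed (assumed)
}


def is_encrypted(info):
    """Bit 0 of the general purpose flag marks an encrypted ZIP entry."""
    return bool(info.flag_bits & 0x1)


def _walk(data, depth, limits, totals):
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "corrupted"
    with archive:
        for info in archive.infolist():
            if is_encrypted(info):
                return "encrypted"
            # Add the declared size before decompressing anything, so the
            # inspector itself never unpacks more than the policy allows
            # (zipfile stops reading a member at its declared size).
            totals["unpacked"] += info.file_size
            if totals["unpacked"] > limits["max_unpacked"]:
                return "archive bomb: unpacked content too large"
            if info.filename.lower().endswith(".zip"):
                if depth + 1 > limits["max_depth"]:
                    return "archive bomb: too many depth levels"
                verdict = _walk(archive.read(info), depth + 1, limits, totals)
                if verdict != "clean":
                    return verdict
    return "clean"


def inspect_archive(data, limits=LIMITS):
    """Return a verdict string for one downloaded ZIP payload."""
    if len(data) > limits["max_file_size"]:
        return "file size too large"
    return _walk(data, 1, limits, {"unpacked": 0})


def make_zip(entries):
    """Build a ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


def nested_zip(levels, payload):
    """Wrap payload in `levels` ZIP archives, one inside the other."""
    data = make_zip({"payload.bin": payload})
    for level in range(levels - 1):
        data = make_zip({f"level{level}.zip": data})
    return data


if __name__ == "__main__":
    print(inspect_archive(nested_zip(2, b"hello" * 100)))                # clean
    print(inspect_archive(nested_zip(5, b"hello" * 100)))                # too many depth levels
    print(inspect_archive(make_zip({"zeros.bin": b"\0" * 2_000_000})))  # unpacked content too large
    print(inspect_archive(b"this is not an archive"))                    # corrupted
```

The unpacked-size check is deliberately made on the sizes declared in the central directory rather than by decompressing and measuring, which is what keeps an archive bomb from exhausting the inspector before it can return a verdict; the two megabytes of zeros above compress to a few kilobytes on the wire, which is why the on-the-wire size limit alone would not catch it.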

44 Malware Inspection Per-rule Overrides

45 User Experience: Content Blocked

46 User Experience: Progress Notification

47 Network Inspection System (NIS)
Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
o Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
o Detects and potentially blocks attacks on network resources
NIS helps organizations reduce the vulnerability window
o Protects machines against known vulnerabilities until a patch can be deployed
o Signatures can be released and deployed much faster than patches, concurrently with the patch release, closing the vulnerability window
Integrated into Forefront TMG
o Synergy with HTTPS Inspection
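The difference between a vulnerability-based and an exploit-based signature is easiest to see on decoded traffic. The following is an added example, not NIS code and not a real NIS signature: the vulnerability is hypothetical (a server assumed to mishandle a Host header longer than 256 bytes), the exploit pattern is a constructed byte string, and the sample requests are constructed. The exploit-based signature matches the bytes of one sample; the vulnerability-based one decodes the request and tests the condition that triggers the flaw, so a variant with different bytes, or a differently cased header name, is still caught.

```python
"""Vulnerability-based versus exploit-based signatures on a decoded HTTP
request. Added example, not NIS code; the flaw and samples are hypothetical."""

HOST_HEADER_LIMIT = 256       # hypothetical vulnerable threshold
EXPLOIT_PATTERN = b"A" * 300  # byte pattern taken from one constructed sample


def decode_http_request(raw):
    """Minimal HTTP/1.x request decoder; returns None for a malformed request."""
    head, separator, body = raw.partition(b"\r\n\r\n")
    if not separator:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        # Header names are case-insensitive; folding them is part of the
        # decode step that lets a signature reason about fields, not bytes.
        headers[name.strip().lower()] = value.strip()
    return {"method": request_line[0], "target": request_line[1],
            "version": request_line[2], "headers": headers, "body": body}


def exploit_signature(raw):
    """Exploit-based: matches the bytes of one known sample."""
    return EXPLOIT_PATTERN in raw


def vulnerability_signature(raw):
    """Vulnerability-based: tests the condition that triggers the flaw,
    however the field was filled."""
    request = decode_http_request(raw)
    if request is None:
        return False
    return len(request["headers"].get(b"host", b"")) > HOST_HEADER_LIMIT


def evaluate(raw):
    """Run both signature styles over one request."""
    return {"exploit_signature": exploit_signature(raw),
            "vulnerability_signature": vulnerability_signature(raw)}


def build_request(host):
    """Constructed request used as sample traffic."""
    return b"GET / HTTP/1.1\r\nHost: " + host + b"\r\nUser-Agent: sample\r\n\r\n"


SAMPLES = {
    "benign": build_request(b"www.example.org"),
    "pattern sample": build_request(b"A" * 300),
    "variant": build_request(b"B" * 300),  # same flaw, different bytes
    "case-changed header": b"GET / HTTP/1.1\r\nHOST: " + b"C" * 300 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

This is also why the slide pairs NIS with HTTPS Inspection: a signature that needs to decode the protocol can only do so on traffic the gateway can see in the clear.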

48 New Vulnerability Use Case
1. Vulnerability is discovered
2. Response team (Signature Authoring Team) prepares and tests the vulnerability signature (Signature Authoring, Testing)
3. Signature released by Microsoft and deployed through the Signature Distribution Service, on security patch release
4. All un-patched hosts behind Forefront TMG on the corporate network are protected

49 NIS Response Process
Threat Identification -> Threat Research -> Signature Development -> Signature Testing -> Encyclopedia Write-up -> Signature Release
Target: 4 hours

50 Enabling and Configuring NIS

51 Client Types
Web proxy client
o CERN-compatible browsers/applications
SecureNAT client
o Any host supporting IP
Forefront TMG client
o Formerly ISA firewall client
o Windows computers

52 Client Comparison

53 Web Proxy Client Configuration
Generate configuration
Discover configuration
o Automatic configuration script
o Web Proxy Auto Discovery (WPAD)
o Static proxy configuration
Enforce configuration
o Manual
o Group policy
o Forefront TMG client

54 SecureNAT clients
Only requires proper routing
Clients perform DNS resolution
Limitations:
o No user information passed
o No support for secondary connections (without application filter)
Use for:
o Non-Web protocols
o Simple, unauthenticated protocols
o Non-Windows systems

55 Forefront TMG Client
Formerly known as ISA Firewall client
Supports all WinSock-based applications
o FwcWsp.dll registered with WinSock protocol stack
o FwcWsp tracks all WinSock calls
o All remote TCP calls sent to FWC listener (TCP 1745)
o User information passed on all requests
Use for:
o User-based access authentication to non-Web protocols
o Complex protocols with secondary connections

56 Forefront TMG Client Discovery
Secure discovery using Active Directory, with fallback to DHCP and DNS
o Secure discovery uses AD to store discovery information for domain members
o Forefront TMG client and Web proxy discovery
o Allows global and site-specific markers
o Configured using TmgAdConfig.exe
TmgAdConfig add –site -type -url

57 Server-side Configuration
Domains and Addresses tabs determine routing

58 ?

