Configuring TMG as a Firewall (6NPS Session 6)
Objectives
- Configure firewall settings
- Configure intrusion detection
- Configure IP options filtering
- Configure IP fragmentation settings
- Configure TMG to support a network topology
- Select appropriate templates
- Define networks
- Configure route relationships between networks
What Is a TCP/IP Packet?
- Network Interface Layer: Destination Address 0003FFD329B0, Source Address 0003FFFDFFFF, physical payload
- Internet Layer: Destination 192.168.1.1, Source 192.168.1.10, Protocol TCP, IP payload
- Transport Layer: Destination Port 80, Source Port 1159, Sequence 3837066872, Acknowledgment 2982470625, TCP payload
- Application Layer: HTTP Request Method = GET, HTTP Protocol Version = HTTP/1.1, HTTP Host = www.contoso.com
What Is Packet Filtering?
- Packet filters control access to the network at the network layer; they do this by inspecting IP packets and allowing or denying them
- Packet-filtering firewalls examine only the information in the network and transport layer headers
- Packet-filtering firewalls can evaluate IP packets using:
  - Destination address
  - Source address
  - IP protocol and protocol number (TCP, UDP, ICMP; for example TCP/6, PPTP/47)
  - Direction (inbound, outbound, or both; for FTP: receive only, send only, or both)
  - Port numbers (local and remote ports, fixed or dynamic)
What Is Packet Filtering?
- Advantages
  - Inspects only network and transport layer headers, therefore very fast filtering
  - Can block or allow specific IP addresses
  - Can be used for ingress filtering (blocks inbound packets whose source IP is one of your local addresses) and egress filtering (prevents packets leaving your network with a source address that is not on the local network)
- Disadvantages
  - Cannot prevent IP address spoofing or source-routing attacks
  - Cannot prevent IP-fragment attacks (only the first fragment is checked; later fragments may contain malicious content)
  - Not application aware
What Is Packet Filtering?
- Is the source address allowed?
- Is the destination address allowed?
- Is the protocol allowed?
- Is the destination port allowed?
(Diagram: TMG packet filter in front of a Web Server)
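As an added example (not from the course material or TMG itself), the Python below builds a frame with the addresses from the packet slide, decodes the layer 2 to 4 headers a packet filter sees, and applies the criteria above: ingress and egress source checks, the first-fragment limitation, IP options, and a rule list; the Internal range 192.168.1.0/24 and the rule list are assumptions.

```python
import struct
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("192.168.1.0/24")   # assumed Internal network range
# Constructed Ethernet header with the slide's MACs: dst 0003FFD329B0, src 0003FFFDFFFF, type IPv4
ETH = bytes.fromhex("0003FFD329B0" "0003FFFDFFFF" "0800")

def ipv4_tcp(src, dst, sport, dport, payload=b"", flags_frag=0):
    """Build a constructed IPv4/TCP packet; checksums stay zero (a packet filter never needs them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 3837066872, 2982470625,
                      (5 << 12) | 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ETH + ip + tcp

def parse_frame(frame):
    """Decode the layer 2 to 4 headers a packet filter looks at; the payload stays opaque to it."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled")
    ip = frame[14:]
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
           "ip_options": ihl > 20,                    # IHL above 5 words: IP options present
           "frag_offset": (flags_frag & 0x1FFF) * 8}  # non-zero: not the first fragment
    if proto == 6 and pkt["frag_offset"] == 0:        # only the first fragment carries the ports
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   payload=ip[ihl + (off_flags >> 12) * 4:])
    return pkt

# Rules checked top-down: (action, source net, destination net, IP protocol, destination port); None = any
RULES = [("allow", INTERNAL, None, 6, 80)]           # internal clients may reach any web server

def packet_filter(frame, from_external):
    pkt = parse_frame(frame)
    if from_external and pkt["src"] in INTERNAL:
        return "deny: ingress filter (spoofed internal source)"
    if not from_external and pkt["src"] not in INTERNAL:
        return "deny: egress filter (non-local source address)"
    if pkt["frag_offset"] != 0:
        return "deny: non-initial fragment carries no port header to check"
    if pkt["ip_options"]:
        return "deny: IP options set"
    for action, src, dst, proto, dport in RULES:
        if all(((src is None or pkt["src"] in src), (dst is None or pkt["dst"] in dst),
                (proto is None or pkt["proto"] == proto), (dport is None or pkt.get("dport") == dport))):
            return action
    return "deny: no matching rule"
```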
What Is Stateful Filtering?
- Stateful filtering uses information about the TCP session to determine whether a packet should be blocked or allowed through the firewall
- TCP uses a three-way handshake, which synchronizes the sequence number and acknowledgement number of the two ends
- Advantages
  - Ensures all network traffic forwarded by the firewall is part of an existing session, or matches the rules for creating a new session
  - Implements dynamic filtering (for example, opening a port for a session with a web server)
- Disadvantages
  - Does not block attacks at the application level
What Is Stateful Filtering?
(Diagram: Connection Rules on TMG; a new session creates a connection rule, and each later packet is checked with "Is the packet part of a connection?" before reaching the Web Server)
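The handshake tracking described above, written out as an added Python example (not TMG's implementation): a connection table keyed by the TCP 4-tuple, new sessions opened only by a SYN that the static rules permit, and the SYN-ACK and ACK checked against the recorded sequence numbers. The sequence numbers come from the packet slide; the Internal range and the rule are assumptions.

```python
from ipaddress import ip_address, ip_network
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
INTERNAL = ip_network("192.168.1.0/24")   # assumed Internal network range

def tcp(src, sport, dst, dport, flags, seq, ack=0):
    # Constructed TCP segment summary: only the header fields a stateful filter reads
    return {"src": ip_address(src), "sport": sport, "dst": ip_address(dst), "dport": dport,
            "flags": flags, "seq": seq, "ack": ack}

class StatefulFilter:
    """Tracks TCP sessions by 4-tuple; only a SYN that the static rules permit opens a new one."""
    def __init__(self, allow_new):
        self.allow_new = allow_new   # rule check for new sessions, e.g. internal client -> port 80
        self.table = {}              # (client, cport, server, sport) -> connection record

    def inspect(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        f = pkt["flags"]
        if fwd in self.table:                                  # client -> server direction
            conn = self.table[fwd]
            if conn["state"] == "SYN_RECEIVED" and f & ACK and pkt["ack"] == conn["server_seq"] + 1:
                conn["state"] = "ESTABLISHED"                  # third step of the handshake
                return "allow: handshake complete"
            if conn["state"] == "ESTABLISHED":
                return "allow: part of existing session"
            return "deny: out of state"
        if rev in self.table:                                  # server -> client direction
            conn = self.table[rev]
            if (conn["state"] == "SYN_SENT" and (f & (SYN | ACK)) == SYN | ACK
                    and pkt["ack"] == conn["client_seq"] + 1):
                conn.update(state="SYN_RECEIVED", server_seq=pkt["seq"])
                return "allow: SYN-ACK answers pending SYN"
            if conn["state"] == "ESTABLISHED":
                return "allow: reply in existing session"
            return "deny: out of state"
        if f == SYN and self.allow_new(pkt):                   # dynamic filtering: a rule opens the session
            self.table[fwd] = {"state": "SYN_SENT", "client_seq": pkt["seq"]}
            return "allow: new session permitted by rule"
        return "deny: not part of an existing session"

def demo():
    """Replay the slide's handshake (192.168.1.10:1159 -> 192.168.1.1:80), then two stray packets."""
    fw = StatefulFilter(lambda p: p["src"] in INTERNAL and p["dport"] == 80)
    c, s = "192.168.1.10", "192.168.1.1"
    return [fw.inspect(tcp(c, 1159, s, 80, SYN, 3837066871)),                 # SYN
            fw.inspect(tcp(s, 80, c, 1159, SYN | ACK, 2982470624, 3837066872)),  # SYN-ACK
            fw.inspect(tcp(c, 1159, s, 80, ACK, 3837066872, 2982470625)),       # ACK
            fw.inspect(tcp(c, 1159, s, 80, ACK, 3837066872, 2982470625)),       # HTTP request
            fw.inspect(tcp(s, 80, c, 1159, ACK, 2982470625, 3837066888)),       # HTTP response
            fw.inspect(tcp("203.0.113.5", 80, c, 1159, ACK, 1, 1)),             # stray ACK
            fw.inspect(tcp("203.0.113.5", 4444, c, 3389, SYN, 1))]              # inbound SYN, no rule
```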
What Is Application Filtering?
- Application-layer filtering inspects the application data in a TCP/IP packet for unacceptable commands and data
- Advantages
  - Can stop attacks from sources such as viruses and worms
What Is Application Filtering?
(Diagram: the client sends "GET www.contoso.com"; TMG asks "Is the GET method allowed?" before forwarding to the Web Server, and "Does the response contain only allowed content and methods?" before responding to the client)
What is NIS?
- Network Inspection System: a traffic analysis mechanism able to discover invalid traffic based on static signatures
- TMG expands on this by evaluating three aspects of the network traffic:
  - Protocol state: the expected condition of the protocol at any point in time
  - Message structure: the validation of a message according to the protocol definition
  - Message context: the validation of a message in the context of the protocol state
- NIS operations are driven by signature definitions created by the Microsoft Malware Protection Center (MMPC)
- NIS is a form of IPS (Intrusion Prevention System)
What is Intrusion Detection?
- Intrusion detection is a means of detecting when an attack against a network is attempted or in progress
- An IDS inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack
- An IDS provides for configuring alerts or responses to intrusion attempts
What is Intrusion Detection?
(Diagram: TMG detects an all-ports scan attack, the port scan limit is exceeded, and TMG alerts the administrator)
How TMG Filters Network Traffic
(Diagram of the filtering layers, numbered 1 to 4: packet filtering (1) in the TCP/IP kernel-mode data pump and Firewall Engine; stateful and protocol filtering (2) in the Firewall Service with its Rules Engine, Application Filters and Web Proxy Filter; application filtering (3) by the Web Filters)
TMG Support for Multiple Networks
- TMG uses networks to define blocks of IP addresses that may be directly attached to the TMG computer or may be remote networks
- TMG uses these networks as components when you create access rules
- TMG supports an unlimited number of networks
What is Multi-networking?
- Multi-networking means that you can configure multiple networks on TMG and configure network and access rules to inspect and filter all network traffic between all networks
- Allows flexible options for network configurations
- Configurations include:
  - Three-legged firewall
  - Two perimeter networks
  - Two internal networks
  - VPN client and VPN remote-site networks
Default Networks Enabled in TMG
- When TMG is installed with at least two network cards, it is configured with a default set of networks:
  - Local Host: represents the TMG computer itself (traffic to and from TMG, not through it)
  - External: all IP addresses that are not explicitly associated with any other network; untrusted
  - Internal: all IP addresses that were specified as internal during the installation process
  - VPN Clients: addresses of currently connected VPN clients
  - Quarantined VPN Clients: addresses of VPN clients that have not cleared quarantine
- Network Sets define groupings of networks (see also the note on page 222); the default sets are All Networks and All Protected Networks
How to Configure Network Rules
- When you enable networks or network objects on TMG, you can configure network rules that define how network packets will be passed between networks or between computers
- Network rules determine whether there is a relationship between two network entities and what type of relationship is defined
- Network relationships can be configured as:
  - Route: client requests from the source network are directly routed to the destination network
  - NAT: TMG replaces the IP address of the client on the source network with its own IP address; a NAT relationship is directional
How to Configure Network Rules
- The default network rules are:
  - Local Host Access: defines a route relationship between the Local Host network and all other networks
  - VPN Clients to Internal Network: defines a route relationship among the Internal network, the Quarantined VPN Clients network and the VPN Clients network
  - Internet Access: defines a NAT relationship from the Internal, Quarantined VPN Clients and VPN Clients networks to the External network
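The default rules as an added Python example (not TMG's own code), showing why the relationship type matters: a route rule matches in either direction, a NAT rule only from source to destination, so Internal to External traffic leaves with TMG's address while External to Internal finds no rule and is not forwarded. The address plan, including TMG's own addresses, is assumed.

```python
from ipaddress import ip_address, ip_network

# Assumed address plan for this example (the slides give none); TMG's own addresses form Local Host
TMG_EXTERNAL_IP = ip_address("203.0.113.2")
NETWORKS = {
    "Local Host": [ip_network("192.168.1.1/32"), ip_network("203.0.113.2/32")],
    "Internal": [ip_network("192.168.1.0/24")],
    "VPN Clients": [ip_network("10.10.0.0/24")],
    "Quarantined VPN Clients": [ip_network("10.10.1.0/24")],
}
ALL_NETWORKS = list(NETWORKS) + ["External"]

# Default network rules in order: (name, source networks, destination networks, relationship)
DEFAULT_RULES = [
    ("Local Host Access", ["Local Host"], ALL_NETWORKS, "route"),
    ("VPN Clients to Internal Network", ["VPN Clients", "Quarantined VPN Clients"], ["Internal"], "route"),
    ("Internet Access", ["Internal", "VPN Clients", "Quarantined VPN Clients"], ["External"], "nat"),
]

def network_of(ip):
    """Map an address to its TMG network; anything not explicitly defined is External."""
    ip = ip_address(ip)
    for name, ranges in NETWORKS.items():   # Local Host is listed first, so it wins for TMG's own IPs
        if any(ip in r for r in ranges):
            return name
    return "External"

def relationship(src_ip, dst_ip):
    """Return (rule name, 'route' | 'nat') for traffic src -> dst, or (None, None) if no rule applies."""
    s, d = network_of(src_ip), network_of(dst_ip)
    for name, sources, dests, rel in DEFAULT_RULES:
        if s in sources and d in dests:
            return name, rel
        if rel == "route" and s in dests and d in sources:  # a route relationship works both ways;
            return name, rel                                 # a NAT relationship only src -> dst
    return None, None

def forwarded_source(src_ip, dst_ip):
    """Source address the destination sees: unchanged for route, TMG's own for NAT, None if not forwarded."""
    _, rel = relationship(src_ip, dst_ip)
    if rel == "route":
        return str(ip_address(src_ip))
    if rel == "nat":
        return str(TMG_EXTERNAL_IP)
    return None
```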
What Are Perimeter Networks?
- A perimeter network is a network that is separated from both the internal network and the Internet
- Perimeter networks allow external users to gain access to specific servers located on the perimeter network while preventing direct access to the internal network
What Are Perimeter Networks?
(Diagram: the Internet, a firewall, the perimeter network, a second firewall, and the Internal Network)
Benefits of Using a Perimeter Network
- A perimeter network provides an additional layer of security:
  - Between the publicly accessible servers and the internal network
  - Between the Internet and confidential data or critical applications stored on servers on the internal network
  - Between potentially nonsecure networks, such as wireless networks, and the internal network
- Use defense in depth in addition to perimeter network security
Network Perimeter Configuration Options
- Bastion host: only a single firewall between the Internet and the internal network
- Three-legged configuration: creates a perimeter network that gives users on the Internet limited access to network resources on the perimeter network while preventing unwanted traffic to computers on the local network
- Back-to-back configuration: places the perimeter network between two firewalls
(Diagram of the three network perimeter configuration options: bastion host with a single firewall in front of the LAN; three-legged configuration with the LAN and a Perimeter Network holding the Web Server on separate firewall interfaces; back-to-back configuration with the Perimeter Network between two firewalls in front of the LAN)
Practice: Configuring Perimeter Network
- Add Perimeter Network (page 224)
- Create Network Rules (page 226)
(Lab diagram: Win7, www, TMG, Internet, DC)
How to Implement Network Templates
- To implement a network template, run the Network Template Wizard as part of the Getting Started Wizard
- Select the firewall access policy that best matches your corporate security guidelines
How to Implement Network Templates
- Bastion host: deploy the Edge Firewall template
- Three-legged configuration (LAN plus a Perimeter Network holding the Web Server): deploy the 3-Leg Perimeter template
- Back-to-back configuration (Perimeter Network between two firewalls in front of the LAN): deploy the Front-End or Back-End template
- Deploy the Single Network Adapter template for proxy and caching only
NIS (Network Inspection System)
- NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center to help detect and block malicious traffic
- Before Forefront TMG can start blocking known vulnerability attacks, you must download the latest NIS signature set from either Microsoft Update or Windows Server Update Services (WSUS)
Practice: Configuring NIS
- Configure NIS (Network Inspection System) (page 311)
- Test NIS
(Lab diagram: Win7, www, TMG, Internet, DC)
Intrusion Detection Options
- Intrusion detection on TMG:
  - Compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected
  - Detects well-known IP attacks
  - Includes application filters for DNS and POP that detect intrusion attempts at the application level
How to Configure Intrusion Detection
IP Preferences Configuration Options
- IP preferences are used to:
  - Block or enable network traffic that has an IP option flag set; you can block all packets with IP options, or only packets with selected options
  - Block or enable network traffic where the IP packet has been split into multiple IP fragments; blocking IP fragments may affect streaming audio and video, and L2TP over IPSec traffic
  - Enable or disable IP routing; with IP routing enabled, TMG forwards IP packets between networks without recreating the packet
How to Configure IP Preferences
Practice: Configuring Intrusion Detection
- Modify the default intrusion detection configuration (page 324)
- Test intrusion detection
(Lab diagram: Win7, www, TMG, Internet, DC)
What Are Application Filters?
- Application filters can:
  - Enable firewall traversal for complex protocols
  - Enable protocol-level intrusion detection
  - Enable protocol-level content filtering
  - Generate alerts and log events
(Diagram: application filter on TMG in front of an Application Server)
What Are Web Filters?
- Web filters can:
  - Scan and modify HTTP requests
  - Scan and modify HTTP responses
  - Block specified responses
  - Log and analyze traffic
  - Encrypt and compress data
  - Implement custom authentication schemes
(Diagram: Web filter on TMG in front of a Web Server)
Why Use Application and Web Filters?
- Application and Web filters provide:
  - Protection against malicious code, by blocking packets that have worm or virus characteristics
  - Protection against user actions, by blocking the download of harmful programs or ensuring that some types of data do not leave the network
  - Protection against specific network connections, by blocking connection attempts by specific applications
  - Integration with third-party or custom filters that have been developed using the application filter API or the Web filter API
Application and Web Filter Architecture
(Diagram, numbered 1 to 4: the Firewall Engine; the Firewall Service with its Rules Engine, Application Filters and the Application Filter API; the Web Proxy Filter with the Web Filter API and the Web Filters)
How the HTTP Web Filter Works
- HTTP filtering is rule specific, so you can configure different filters for each access or publishing rule
- Use HTTP filtering to:
  - Filter traffic from internal clients to other networks
  - Filter traffic from Internet clients to internal Web servers
- HTTP filters enable filtering of HTTP packets based on several criteria
How to Configure HTTP Web Filter
- Configure maximum header length
- Configure maximum payload length
- Configure maximum URL and query length
How to Configure HTTP Web Filter Methods
- Configure allowed or blocked methods
How to Configure HTTP Web Filter Extensions
- Configure allowed or blocked extensions
How to Configure HTTP Web Filter Headers
- Configure headers that will be blocked
- Configure server header settings
- Configure Via header settings
How to Configure HTTP Web Filter Signatures
- Configure blocked signatures
How to Identify an HTTP Application Signature
HTTP Request (Request Header):
    GET http://www.contoso.com/ HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    If-Modified-Since: Fri, 11 Oct 2002 20:30:04 GMT
    If-None-Match: "06ee8fa6471c21:428"
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: www.contoso.com
    Proxy-Connection: Keep-Alive
(Callout on the request header: HTTP Header Signature)
Best Practice: HTTP Filter Configuration for Web Publishing
- To configure a baseline HTTP filter:
  - Configure maximum header, payload, URL and query lengths
  - Verify normalization and do not block high-bit characters
  - Allow only GET, HEAD, and POST
  - Block executable and server-side include extensions
  - Block potentially malicious signatures
- Use the httpfilterconfig.vbs script from the TMG CD to import and export HTTP filter configurations
Practice: Configuring HTTP Filtering
- Testing HTTP Connections with Default HTTP Filter
- Importing and Testing Sample HTTP Filter Settings
- Modifying HTTP Filter Settings
(Lab diagram: External Web, Intranet Web Server, TMG, Internet, DC)