How to Increase Network Security with Forefront TMG. Jože Markič, Kompas Xnet d.o.o.

Agenda
- What is TMG?
- TMG deployments
- Comparison with ISA
- Subscriptions
- Secure Web Gateway
  o HTTPS inspection
  o URL filtering
  o Malware protection
  o Intrusion prevention

Forefront Edge Security and Access Products
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
- Network Protection: integrated and comprehensive protection from Internet-based threats
- Network Access: unified platform for all enterprise remote access needs
(The slide diagram contrasts the "Before" and "Now" product line-ups.)

Forefront TMG Value Proposition
- Firewall: control network policy access at the edge
- Secure Web Gateway: protect users from Web browsing threats
- Secure E-mail Relay: protect users from e-mail threats
- Remote Access Gateway: enable users to remotely access corporate resources
- Intrusion Prevention: protect desktops and servers from intrusion attempts
Comprehensive, integrated, simplified.

Forefront TMG Deployment Scenarios
- Unified Threat Management (UTM): all-in-one solution for medium businesses; firewall, VPN, Web security, IPS and e-mail relay in a single box
- Secure Web Gateway: authenticating proxy with security; Web antivirus and URL filtering; inspection of HTTP and HTTPS traffic
- Remote Access Gateway: secure Web publishing, dial-in VPN, site-to-site VPN
- Secure E-mail Relay: antispam and antivirus filtering

Features Summary
- Firewall: VoIP traversal, enhanced NAT, ISP link redundancy
- Secure Web Access: HTTP antivirus/antispyware, URL filtering, HTTPS forward inspection
- E-mail Protection: Exchange Edge integration, antivirus, antispam
- Intrusion Prevention: Network Inspection System
- Remote Access: NAP integration with client VPN, SSTP integration
- Deployment and Management: array management, change tracking, enhanced reporting, Windows Server 2008, native 64-bit
- Subscription Services: malware protection, URL filtering, intrusion prevention

Features Summary: Comparing with ISA Server 2006
Available in both ISA Server 2006 and Forefront TMG:
- Network layer firewall
- Application layer firewall
- Internet access protection (proxy)
- Basic OWA and SharePoint publishing
- IPsec VPN (remote and site-to-site)
- Web caching, HTTP compression
New or enhanced in Forefront TMG:
- Web antivirus, antimalware
- URL filtering
- E-mail antimalware, antispam
- Network intrusion prevention
- Enhanced UI, management, reporting
- Exchange publishing (RPC over HTTP)
- Windows Server 2008 R2, 64-bit (only)

Forefront TMG Licensing
Two editions and two Client Access Licenses (CALs):
- Standard Edition: full UTM
- Enterprise Edition: scalability and management
Subscriptions:
- Web protection
- E-mail protection

Comparing Forefront TMG Editions

Subscriptions
- Subscription-based licenses
  o Sold as Client Access Licenses (CALs)
  o Charged per user, per year
- Protection components
  o E-mail protection: antispam, antivirus
  o HTTP protection: antimalware, URL filtering
  o Network Inspection System is free!

Single Adapter Scenario
Forefront TMG supports using a single network adapter.
- Supported scenarios
  o Secure Web Gateway (forward Web proxy and cache)
  o Web publishing (reverse Web proxy and cache)
  o Remote client VPN access
- Unsupported scenarios
  o Application layer inspection (except for Web proxy)
  o Server publishing
  o Non-Web clients (Firewall client, SecureNAT)
  o Site-to-site VPNs

Secure Web Gateway

Threats and Controls (matrix; the cell values were not preserved in the transcript)
- Threats: malware, phishing, liability, data leakage, lost productivity, loss of control
- Controls: application layer firewall, HTTPS inspection, anti-malware, URL filtering, NIS
- Legend: Full, Partial, Enabler

Forefront TMG HTTPS Traffic Inspection
HTTPS Inspection terminates the SSL traffic at the proxy for both ends and inspects the traffic against different threats.
- A trusted certificate is generated by the proxy, matching the URL expected by the client
- The inspected traffic is passed to URL Filtering, Malware Inspection and the Network Inspection System

Enabling HTTPS Traffic Inspection
- Certificate deployment (via Active Directory or Import/Export)
- Configure HTTPS Inspection:
  o Proxy certificate generation/import and customization
  o Source and destination exclusions
  o Validate-only option
  o Notification
- Client notifications about HTTPS inspection (via Firewall client)
- Certificate validation (revocation, trust, expiration validation, etc.)

Configuring HTTPS Inspection (three configuration screenshots)

HTTPS Inspection Notifications
- Notification provided by the Forefront TMG client
  o Notify user of inspection
  o History of recent notifications
  o Management of the Notification Exception List
- May be a legal requirement in some geographies

HTTPS Inspection Notification: User Experience (screenshot)

Forefront TMG URL Filtering
- 91 built-in categories
- Predefined and administrator-defined category sets
- Integrates leading URL database providers
- Subscription-based
- URL category override
- URL category query
- Logging and reporting support
- Web Access Wizard integration
- Customizable, per-rule deny messages

URL Filtering Benefits
- Control user Web access based on URL categories
- Protect users from known malicious sites
- Reduce liability risks
- Increase productivity
- Reduce bandwidth and Forefront TMG resource consumption
- Analyze Web usage

What Makes MRS (Microsoft Reputation Services) Compelling?
- Existing URL filtering solutions
  o A single vendor can't be an expert in all categories
  o Categorization response time
- MRS unique architecture
  o MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy)
  o Based on Microsoft internal sources as well as collaboration with third-party partners
  o Scalable
- Ongoing collaborative effort
  o Recently announced an agreement with Marshal8e6
  o More announcements to follow

How Forefront TMG Leverages MRS (diagram: Policy, Categorizer, Cache and Telemetry on the TMG side; a federated query across multiple vendors on the MRS side)
- The Categorizer queries MRS with the URL; fetch on cache miss
- Cache: persistent, in-memory, weighted TTL, combines with telemetry data
- SSL for authentication and privacy; no PII
- Telemetry path (also SSL): feedback mechanism on category overrides

URL Filtering Categories: Liability, Security, Productivity

URL Filtering category precedence (No. / Category)
1 "Malicious"
2 "Pornography"
3 "Botnet"
4 "Phishing"
5 "Criminal Activities"
6 "Hate/Discrimination"
…
75 "Unknown"

Categories and Inheritance

URL Filtering Policy
- URL categories are standard network objects
- Administrators can create custom URL category sets

URL Filtering Policy (screenshot)

Contoso's Web Access Policy
- Access rule allowing users in the Research group to access gambling and gambling-related sites
- Access rule denying everyone access to Liability and Security sites

Per-rule Customization
The TMG administrator can customize the denial message displayed to the user on a per-rule basis:
  o Add custom text or HTML
  o Redirect the user to a specific URL

URL Filtering Configuration (screenshot)

Category Query
The administrator can use the URL Filtering Settings dialog box to query the URL filtering database:
  o Enter the URL or IP address as input
  o The result and its source are displayed on the tab

URL Category Override
The administrator can override the categorization of a URL.
  o Feedback to MRS via Telemetry
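As an added example (not Forefront TMG code), the following Python models the URL filtering decisions described on the category precedence, Contoso Web access policy, per-rule denial message and category override slides: a URL in several categories takes its highest-precedence one, an administrator override beats the database lookup, and rules are evaluated top-down with the first match winning. The category set memberships, the precedence numbers for "Gambling", "Business" and "News", the third general-access rule and the sample hosts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Precedence from the slide (1 = highest). "Gambling", "Business" and "News"
# are assumed entries with made-up numbers for this example.
PRECEDENCE = {"Malicious": 1, "Pornography": 2, "Botnet": 3, "Phishing": 4,
              "Criminal Activities": 5, "Hate/Discrimination": 6,
              "Gambling": 20, "Business": 40, "News": 41, "Unknown": 75}

# Administrator-defined category sets (assumed membership).
CATEGORY_SETS = {"Security": {"Malicious", "Botnet", "Phishing"}, "Gambling": {"Gambling"},
                 "Liability": {"Pornography", "Criminal Activities", "Hate/Discrimination", "Gambling"}}

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    groups: Optional[Set[str]] = None    # None = all users
    sets: Optional[Set[str]] = None      # None = any URL category
    deny_message: str = ""               # per-rule customized denial text

# Contoso's two rules from the slide plus an assumed general-access rule.
# Rules are evaluated top-down and the first match wins.
CONTOSO_POLICY = [
    Rule("Research gambling access", "allow", groups={"Research"}, sets={"Gambling"}),
    Rule("Block Liability and Security", "deny", sets={"Liability", "Security"},
         deny_message="Blocked by Contoso web policy. Contact the helpdesk."),
    Rule("General Internet access", "allow"),
]

# Constructed sample categorization data and one administrator override.
URL_DATABASE = {"casino.example": {"Gambling"}, "bad.example": {"Gambling", "Malicious"},
                "partner.example": {"Gambling"}, "news.example": {"News"}}
CATEGORY_OVERRIDES = {"partner.example": "Business"}

def effective_category(categories):
    """A URL in several categories is treated as its highest-precedence one."""
    return min(categories, key=lambda c: PRECEDENCE.get(c, PRECEDENCE["Unknown"]))

def categorize(host):
    """An administrator override wins over the database lookup."""
    if host in CATEGORY_OVERRIDES:
        return {CATEGORY_OVERRIDES[host]}
    return URL_DATABASE.get(host, {"Unknown"})

def evaluate(host, user_groups):
    """Return (action, matching rule, effective category, deny message)."""
    category = effective_category(categorize(host))
    for rule in CONTOSO_POLICY:
        if rule.groups is not None and not (rule.groups & user_groups):
            continue
        if rule.sets is not None and not any(category in CATEGORY_SETS[s] for s in rule.sets):
            continue
        return rule.action, rule.name, category, rule.deny_message
    return "deny", "Default rule", category, ""    # the implicit default rule denies
```

Note how bad.example is denied even for the Research group: its "Malicious" categorization outranks "Gambling", so the gambling allow rule never matches.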

User Experience

HTML tags (screenshot)

New in SP1

HTTP Malware Inspection
- Integrates the Microsoft Antivirus engine
- Signature and engine updates
- Subscription-based
- Third-party plug-ins can be used (native malware inspection must be disabled)
- Source and destination exceptions
- Global and per-rule inspection options (encrypted files, nested archives, large files, ...)
- Content delivery methods by content type
- Logging and reporting support
- Web Access Wizard integration

Content Trickling (sequence diagram)
Components: Firewall Service, Web Proxy, Malware Inspection Filter, Request Context, Scanner.
- The client's GET msrdp.cab passes through the Web Proxy to the Malware Inspection Filter
- The filter creates a request context and accumulates the content as it arrives (200 OK from the server)
- The accumulated content is handed to the scanner
- 200 OK: the content is delivered to the client
With trickling, a small portion of the content is released to the client while the rest is still being scanned, so the client connection does not time out on large downloads.

Progress Notification (sequence diagram)
Components: Firewall Service, Web Proxy, Malware Inspection Filter, Primary Request Context, Secondary Request Context, Downloads Map, Scanner.
- GET setup.exe: the primary request context fetches setup.exe (200 OK) and accumulates the content for the scanner
- The client immediately receives 200 OK (HTML), a progress page; the download is tracked in the downloads map through a secondary request context
- The progress page polls GET GetDownloadStatus and receives 200 OK (Retrieving), 200 OK (Scanning), then 200 OK (Ready)
- GET FinalDownload: 200 OK (setup.exe) delivers the scanned file

Enabling Malware Inspection
- Activate the Web Protection license
- Enable malware inspection on Web access rules
  o Web Access Policy Wizard or New Access Rule Wizard for new rules
  o Rule properties for existing rules

Malware Inspection Global Settings
The administrator can configure malware blocking behavior for:
  o Low, medium and high severity threats
  o Suspicious files
  o Corrupted files
  o Encrypted files
  o Archive bombs (too many depth levels or unpacked content too large)
  o File size too large
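As an added example (not Forefront TMG code), the Python below applies the blocking conditions named on the global settings slide to an in-memory ZIP download: file size too large, encrypted entries, corrupted entries (CRC mismatch) and archive bombs by nesting depth or declared unpacked size. The thresholds are assumed values chosen for the example, the archive-builder helpers exist only to construct sample input, and real TMG enforces these limits inside its scanning engine rather than with this logic.

```python
import io
import zipfile

# Assumed thresholds standing in for the TMG global settings named on the slide.
MAX_FILE_SIZE = 256 * 1024          # "file size too large" (bytes as downloaded)
MAX_ARCHIVE_DEPTH = 3               # "too many depth levels"
MAX_UNPACKED_SIZE = 1024 * 1024     # "unpacked content too large"

def inspect(data, depth=0):
    """Return ("clean", unpacked_bytes) or ("<block reason>", unpacked_bytes)."""
    if len(data) > MAX_FILE_SIZE:
        return "file size too large", 0
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "clean", len(data)       # plain file: nothing to unpack, left to the AV engine
    if depth >= MAX_ARCHIVE_DEPTH:
        return "archive bomb: too many depth levels", 0
    unpacked = 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:              # general purpose bit 0 = encrypted
                    return "encrypted file", unpacked
                unpacked += info.file_size            # declared size, checked before reading
                if unpacked > MAX_UNPACKED_SIZE:
                    return "archive bomb: unpacked content too large", unpacked
                member = zf.read(info)                # raises BadZipFile on a CRC mismatch
                if info.filename.lower().endswith(".zip"):
                    verdict, inner = inspect(member, depth + 1)
                    unpacked += inner                 # nested content counts cumulatively
                    if verdict != "clean":
                        return verdict, unpacked
                    if unpacked > MAX_UNPACKED_SIZE:
                        return "archive bomb: unpacked content too large", unpacked
    except zipfile.BadZipFile:
        return "corrupted file", unpacked
    return "clean", unpacked

# Constructed sample archives for exercising the policy.
def make_zip(entries, method=zipfile.ZIP_DEFLATED):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def nested_zip(levels, payload=b"just text"):
    """A text file wrapped in `levels` further archives."""
    data = make_zip({"file.txt": payload})
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data

def corrupted_zip():
    """Stored entry with one payload byte altered, so the CRC check fails on read."""
    data = make_zip({"a.txt": b"hello world"}, zipfile.ZIP_STORED)
    return data.replace(b"hello world", b"hello_world", 1)
```

A 2 MiB file of zeros deflates to a few kilobytes, which is why the unpacked-size limit is checked against the declared sizes before any member is read.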

Malware Inspection Per-rule Overrides (screenshot)

User Experience: Content Blocked (screenshot)

User Experience: Progress Notification (screenshot)

Network Inspection System (NIS)
- Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
  o Vulnerability-based signatures (vs. the exploit-based signatures used by competing solutions)
  o Detects and can block attacks on network resources
- NIS helps organizations reduce the vulnerability window
  o Protects machines against known vulnerabilities until the patch can be deployed
  o Signatures can be released and deployed much faster than patches, concurrently with the patch release, closing the vulnerability window
- Integrated into Forefront TMG
  o Synergy with HTTPS Inspection

New Vulnerability Use Case (diagram: Signature Authoring Team, Signature Authoring, Testing, Signature Distribution Service, TMG, Corporate Network)
- A vulnerability is discovered
- The response team prepares and tests the vulnerability signature
- The signature is released by Microsoft and deployed through the distribution service, on security patch release
- All un-patched hosts behind Forefront TMG are protected

NIS Response Process: Threat Identification, Threat Research, Signature Development, Signature Testing, Encyclopedia Write-up, Signature Release (targeting 4 hours)

Enabling and Configuring NIS

Client Types
- Web proxy client
  o CERN-compatible browsers/applications
- SecureNAT client
  o Any host supporting IP
- Forefront TMG client
  o Formerly the ISA Firewall client
  o Windows computers

Client Comparison

Web Proxy Client Configuration
- Generate configuration
- Discover configuration
  o Automatic configuration script
  o Web Proxy Auto Discovery (WPAD)
  o Static proxy configuration
- Enforce configuration
  o Manual
  o Group Policy
  o Forefront TMG client

SecureNAT Clients
- Only requires proper routing
- Clients perform DNS resolution
- Limitations:
  o No user information passed
  o No support for secondary connections (without an application filter)
- Use for:
  o Non-Web protocols
  o Simple, unauthenticated protocols
  o Non-Windows systems

Forefront TMG Client
- Formerly known as the ISA Firewall client
- Supports all WinSock-based applications
  o FwcWsp.dll is registered with the WinSock protocol stack
  o FwcWsp tracks all WinSock calls
  o All remote TCP calls are sent to the FWC listener (TCP 1745)
  o User information is passed on all requests
- Use for:
  o User-based access authentication to non-Web protocols
  o Complex protocols with secondary connections

Forefront TMG Client Discovery
- Secure discovery using Active Directory, with fallback to DHCP and DNS
  o Secure discovery uses AD to store discovery information for domain members
  o Forefront TMG client and Web proxy discovery
  o Allows global and site-specific markers
  o Configured using TmgAdConfig.exe: TmgAdConfig add –site -type -url

Server-side Configuration: the Domains and Addresses tabs determine routing

?