Presentation is loading. Please wait.

Presentation is loading. Please wait.

Configuring TMG as a Firewall

Published byEdwina Sharp Modified over 5 years ago

Similar presentations

Presentation on theme: "Configuring TMG as a Firewall"— Presentation transcript:

1 Configuring TMG as a Firewall
6NPS Session 6

2 Objectives Configure firewall settings
Configure intrusion detection Configure IP options filtering Configure IP fragmentation settings Configure TMG to support a network topology Select appropriate templates Define networks Configure route relationships between networks

3 Network Interface Layer
What Is a TCP/IP Packet? Network Interface Layer Destination Address: 0003FFD329B0 Source Address: 0003FFFDFFFF Physical payload Internet Layer Destination: Source: Protocol: TCP IP payload Transport Layer Destination Port: 80 Source Port: 1159 Sequence: Acknowledgment: TCP payload Application Layer HTTP Request Method: Get HTTP Protocol Version: =HTTP/1.1 HTTP Host: =

4 What Is Packet Filtering?
Packet filters control access to the network at the network layer It does this by inspecting and allowing or denying the IP Packets. Firewalls examine only information in the network and transport layer headers Packet-filtering firewalls can evaluate IP packets using: Destination address Source address IP Protocol and protocol number (TCP, UDP, ICMP), (TCP/6, PPTP/47) Direction (inbound, outbound, or both, for FTP, Receive only, send only or Both) Port Numbers (local and remote ports, fixed or dynamic)

5 What Is Packet Filtering?
Advantages Inspects only network and transport layer headers, therefore very fast filtering Can block IP addresses, or allow IP addresses Can be used for ingress filtering (blocks source IP’s same as your local address) and egress filtering (prevents packets leaving your network with source different from local network) Disadvantages Cannot prevent IP address spoofing or source-routing attacks Cannot prevent IP-fragment attacks (only checks first fragment, others may contain malicious content) Not application aware.

6 What Is Packet Filtering?
Is the … Source address allowed? Destination address allowed? Protocol allowed? Destination port allowed? Web Server Packet Filter TMG

7 What Is Stateful Filtering?
Stateful filtering uses information about the TCP session to determine whether a packet should be blocked or allowed through the firewall. TCP uses three-way handshake This synchronizes the sequence number and acknowledgement number Advantages Ensures all network traffic forwarded by the firewall is part on an existing session, or matches the rules for creating a new session Implements dynamic filtering (opens a port to communicate with a web server) Disadvantages Does not block attacks at application level

8 What Is Stateful Filtering?
Connection Rules Create connection rule Web Server Is packet part of a connection? Web Server TMG

9 What Is Application Filtering?
Application-layer filtering inspects the application data in a TCP/IP packet for unacceptable commands and data Advantages Can stop attacks from sources such as viruses and worms

10 What Is Application Filtering?
Get Get method allowed? Respond to client Web Server TMG Does the response contain only allowed content and methods?

11 What is NIS? Network Inspection System Traffic analysis mechanism
Able to discover invalid traffic based on static signatures TMG expands on this by evaluating 3 aspects of the network traffic: Protocol state The expected condition of the protocol at any point in time Message structure The validation of a message according to the protocol definition Message context The validation of a message in the context of the protocol state NIS operations are driven by signature definitions. created by Microsoft Malware Protection Centre (MMPC) A form of IPS (Intrusion Prevention System)

12 What is Intrusion Detection?
Intrusion detection is a means of detecting when an attack against a network is attempted or in progress An IDS inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack IDS provide for configuring alerts or responses to intrusion attempts

13 What is Intrusion Detection?
Alert the administrator Port scan limit exceeded All ports scan attack TMG

14 How TMG Filters Network Traffic
3 Application filtering Web Filters 2 Stateful and protocol filtering Web Proxy Filter Application Filters Rules Engine Firewall Service Firewall Engine 4 TCP/IP Kernel mode data pump Packet filtering 1

15 TMG Support for Multiple Networks
TMG uses networks to define blocks of IP addresses that may be directly attached to the TMG computer or IP addresses that may be remote networks TMG uses these networks as components when you create access rules TMG supports unlimited networks

16 What is Multi-networking?
Multi-networking means that you can configure multiple networks on TMG and configure network and access rules to inspect and filter all network traffic between all networks Allows for flexible options for network configurations Configurations include Three-legged firewall Two perimeter networks Two internal networks VPN client and VPN remote-site networks

17 Default Networks Enabled in TMG
When TMG is installed with at least two network cards, it is configured with a default set of networks Local Host – Represents the TMG computer, traffic to and from TMG, not through External – All IP addresses that are not explicitly associated with any other network. Un-trusted Internal – All IP addresses that were specified as internal during the installation process VPN Clients – Addresses of currently connected VPN Clients Quarantined VPN Clients – Addresses of VPN clients that have not cleared quarantine Also see note on page 222, Network Sets, define groupings of networks. Default sets All Networks and All Protected Networks

18 How to Configure Network Rules
When you enable networks or network objects on TMG, you can configure network rules that define how network packets will be passed between networks or between computers Network rules determine whether there is a relationship between two network entities and what type of relationship is defined Network relationships can be configured as; Route – client requests from the source network are directly routed to the destination network NAT – TMG replaces the IP address of the client on the source network with its own IP address. A NAT relationship is directional

19 How to Configure Network Rules
Default network rules are; Local Host Access – defines a route relationship between Local Host network and all other networks VPN Clients to Internal Network – defines a route relationship among the Internal network and the Quarantined VPN Clients and the VPN Clients network Internet Access – defines a NAT relationship among the internal network, the Quarantined VPN Clients, and the VPN Clients networks and the External network.

20 What Are Perimeter Networks?
A perimeter network is a network that is separated from an internal network and the Internet Perimeter networks allow external users to gain access to specific servers that are located on the perimeter network while preventing direct access to the internal network

21 What Are Perimeter Networks?
Firewall Firewall Internet Internal Network

22 Benefits of Using a Perimeter Network?
A perimeter network provides an additional layer of security: Between the publicly accessible servers and the internal network Between the Internet and confidential data or critical applications stored on servers on the internal network Between potentially nonsecure networks such as wireless networks and the internal network Use defense in depth in addition to perimeter network security

23 Network Perimeter Configuration Options
Bastion host – only a single firewall between the Internet and the internal network Three-legged configuration – creates a perimeter network that gives users on the Internet limited access to network resources on the perimeter network while preventing unwanted traffic to computers on the local network Back-to-Back configuration – places the perimeter network between two firewalls.

24 Three-legged configuration Back-to-back configuration
Bastion host Three-legged configuration LAN Perimeter Network Web Server LAN Back-to-back configuration Perimeter Network LAN

25 Practice: Configuring Perimeter Network
Add Perimeter Network (Page 224) Create Network Rules (Page 226) Win7 www TMG Internet DC

26 How to Implement Network Templates
To implement a network template, run the Network Template Wizard as part of the getting started wizard Select the firewall access policy that best matches your corporate security guidelines

27 How to Implement Network Templates
Bastion host Three-legged configuration LAN Perimeter Network Web Server LAN Back-to-back configuration Deploy the 3-Leg Perimeter template Deploy the Edge Firewall template LAN Perimeter Network Deploy the Front-End or Back-End template Deploy the Single Network Adapter template for proxy and caching only

28 NIS (Network Inspection Systems)
NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center to help detect and block malicious traffic. Before Forefront TMG can start blocking known vulnerability attacks, you must download the latest NIS signature set from either Microsoft Update or Windows Server Update Services (WSUS).

29 Practice: Configuring NIS
Configure NIS (Network Inspection System) (page 311) Test NIS Win7 www TMG Internet DC

30 Intrusion Detection Options
Intrusion detection on TMG: Compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected Detects well-known IP attacks Includes application filters for DNS and POP that detect intrusion attempts at the application level

31 How to Configure Intrusion Detection

32 IP Preferences Configuration Options
IP preferences are used to: Block or enable network traffic that has an IP option flag set You can block all packets with IP options, or selected packets Block or enable network traffic where the IP packet has been split into multiple IP fragments Blocking IP fragments may affect streaming audio and video, and L2TP over IPSec traffic Enable or disable IP routing With IP routing enabled, TMG forwards IP packets between networks without recreating the packet

33 How to Configure IP Preferences

34 Practice: Configuring Intrusion Detection
Modify the default intrusion detection configuration (page 324) Test intrusion detection Win7 www TMG Internet DC

35 What Are Application Filters?
Application filters can: Enable firewall traversal for complex protocols Enable protocol-level intrusion detection Enable protocol-level content filtering Generate alerts and log events Application Server TMG

36 What Are Web Filters? Web filters can: Scan and modify HTTP requests
Scan and modify HTTP responses Block specified responses Log and analyze traffic Encrypt and compress data Implement custom authentication schemes Web Server TMG

37 Why Use Application and Web Filters?
Application and Web filters provide: Protection against malicious code by blocking packets that have worm or virus characteristics Protection against user actions by blocking the download of harmful programs or ensuring that some types of data do not leave the network Protection against specific network connections by blocking connection attempts by specific applications Integration with third-party or custom filters that have been developed using the application filter API or the Web filter API

38 Application and Web Filter Architecture
Filters 3 Web Filter API Web Proxy Filter 2 Application Filters Rules Engine Application Filter API Firewall Service 4 1 Firewall Engine

39 How the HTTP Web Filter Works
Use HTTP filtering to: HTTP filtering is rule specific so you can configure different filters for each access or publishing rule Filter traffic from internal clients to other networks Filter traffic from Internet clients to internal Web servers HTTP filters enable filtering of HTTP packets based on several criteria

40 How to Configure HTTP Web Filter
Configure maximum header length Configure maximum payload length Configure maximum URL and query length

41 How to Configure HTTP Web Filter Methods
Configure allowed or blocked methods

42 How to Configure HTTP Web Filter Extensions
Configure allowed or blocked extensions

43 How to Configure HTTP Web Filter Headers
Configure headers that will be blocked Configure server header settings Configure Via header settings

44 How to Configure HTTP Web Filter Signatures
Configure blocked signatures

45 How to Identify an HTTP Application Signature
HTTP Request Request Header GET. .Accept:.image/gif,.image/x-xbitmap, .image/jpeg,.image/pjpeg, .application/vnd.ms-excel, .application/vnd.ms-powerpoint, .application/msword,.*/*. .Accept-Language:.en-us. .If-Modified-Since:.Fri,.11.Oct :30:04.GMT. .If-None-Match:."06ee8fa6471c21:428". .User-Agent:.Mozilla/4.0.(compatible;.MSIE.6.0; .Windows.NT.5.1). .Host:. .Proxy-Connection:.Keep-Alive... HTTP Header Signature

46 Best Practice: HTTP Filter Configuration for Web Publishing
To configure a baseline HTTP filter: Configure maximum header, payload, URL and query lengths Verify normalization and do not block high-bit characters Allow only GET, HEAD, and POST Block executable and server side includes extensions Block potentially malicious signatures Use the httpfilterconfig.vbs script from the TMG CD to import and export HTTP filter configurations

47 Practice: Configuring HTTP Filtering
Testing HTTP Connections with Default HTTP Filter Importing and Testing Sample HTTP Filter Settings Modifying HTTP Filter Settings External Web Intranet Web Server TMG Internet DC

Download ppt "Configuring TMG as a Firewall"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Chapter 13 – Network Security

Chapter 13 – Network Security

Similar presentations

Ads by Google