1. Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor

2. Agenda 2  First session:  Module 1 – Overview  Module 2 – Setup & Deployments  Second session:  Module 3 – URL filtering (URL-F)  Module 4 – Edge Malware Protection (EMP)  Third session:  Module 5 – HTTPS Inspections  Module 6 – ISP Redundancy (ISP-R)  Module 8 – NAT Enhancement

3. Threat Management Gateway 2010 Module 3 – URL Filtering

4. URL-F Introduction  URL Filtering allows controlling end-user access to Web sites and protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic materials, based on predefined URL categories  The typical use case for this feature includes:  Enhancing your security.  Lowering liability risks.  Improving the productivity of your organization.  Saving network bandwidth.

5. BrightCl oud MRS – Microsoft Reputation Services  Aggregate reputation data from multiple vendors  Use telemetry in order to improve data accuracy MRS IE Security iFilter Marshal 8e6

6. Telemetry  To improve data quality, a URL filtering telemetry mechanism was developed, built into the product and take place on an ongoing basis.  This mechanism allows the MRS team to review URL filtering data samples collected from participating Forefront TMG deployments.  With NIS and Malware Protection, enabling/disabling telemetry through TMG UI.  URL filtering telemetry data will be sent automatically when enabling the URL Filtering feature and stop when disabling it.  Use the registry to stop sending URLF telemetry without disabling this feature.  To help protect your privacy, Microsoft Telemetry Service reports are encrypted using Secure Sockets Layer (SSL).

7. URL Filtering  Microsoft Reputation Service (MRS) returns one of 80 “category” indications for each URL  Including “Unknown” Firewall rule: Allow category Sports after 5 PM only www.soccer.com Content Request Content MRS www.soccer.com ? category = sports + in cache

8. URL category usage  URL category information is used for  Rules (Allow/Deny rules according to category)  Log  EMP exclusion list  HTTPS exclusion list  No reverse lookups.  10.ds.mrs.microsoft.com:433

9. Caching  Stored at ISA_INSTALL_DIR\UrlFiltering\ UrlfCache.bin  Read when service starts  Persisted when service goes down  If erased will start with empty cache  Max size is 200 MB  TTL for a categorization is decided by MRS  Unknown (not found in database) and security related categories have a short TTL – 30 minutes

10. Administration  « URL Denied » error message can be customized

11. Category query tool  Available from the Web Protection Tasks  Allows the administrator to know the category of a URL and source of categorization (local cache, MRS, override)

12. URL category overrides  Available from the Web Protection Tasks  Gives the possibility to assign a URL to a different category that its default category (returned by MRS)

13. Licensing  URL Filtering is a subscription based service  Per-user and per-year  License must be valid for URL Filtering to work

14. System Rule  Traffic with MRS is SSL encrypted  A system rule allows HTTPS between LocalHost to Microsoft Reputation Service Sites domain name set

15. Troubleshooting miss categorization  If site is wrongly categorized  Workaround is to manually override  http://www.microsoft.com/security/portal/mrs/  Use UI query tool to see the categorization reason  New URL Filtering performance counters

16. DEMO!

17. Threat Management Gateway 2010 Module 4 – Edge Malware Protection

18. EMP - Motivation EMP - Motivation  Inspect web traffic on the edge to prevent any malware from infecting machines inside the organization  Easier to keep the edge updated with malware signatures rather then individual client machines  Unmanaged machines that might not have host AV up to date are also protected  Malware activity detected on the edge can be easily monitored thanks to logging and reporting

19. Challenges Challenges  Keep a good user experience while content is inspected on the Edge  Interoperability issues with browsers (more precisely with controls or scripts) and non-browser applications  Interoperability with others features (like http compression for instance)  “Non standard” usage of http (like streaming)

20. Scenario  Supported scenario : access download  Unsupported scenarios :  Access upload  Publishing download  Publishing upload

21. Client Comforting Client Comforting  Accumulating an entire file and scanning it may take a significant amount of time  During this period of time, the client doesn't receive any data and as a result a software timeout can occur or the user can even cancel the download.  “Client comforting” defines a set of methods that guaranty a good user’s experience while content is inspected on the Edge  Comforting methods:  Delayed Download  HTML Progress Page  Trickling:  Standard  Fast

22. End User Scenarios – Delayed site.com request 1) User browses to site.com and attempts to download a file 2) site.com responds with content 3) TMG accumulates the content, timing the download and inspection 4) In case the content is downloaded and inspected in less than X seconds (Delivery Delay) TMG passes the whole file to the client request response

23. Delivery Delay Delivery Delay  Default value of delivery delay is 5 seconds (configurable via COM)  The delay for HTML comforting is increased by using the EMP_COMFORTING_DELIVERY_DELAY_FACTOR RAT flag (default is 2). As a result, a delay of 10 seconds (by default) will be observed before using HTML comforting with the client.

24. End User Scenarios – Progress Page site.com request response End user will receive an HTML Progress Page if time for download and inspection exceeds X seconds (delivery delay) and if some others conditions are satisfied (see next slide) progress page

25. End User Scenarios – Scanning completed If content is safe (or successfully cleaned), the page informs the user that the content is ready and displays a button for downloading the content, otherwise the page notifies the user that a malware was detected. In that case, the file is purged immediately from the temporary storage.

26. Standard Trickling site.com request User’s experience : download will start at a very low transfer rate and speeds up after inspection completion request response TMG will deliver content to the client using Trickling when Delayed download and Progress can’t apply. Trickling consists in sending very small chunk of data to the client until the whole file is inspected. trickled response TMG will use this method if the client application is not a browser (not able to handle the dynamic code embedded in the Progress Page).

27. Fast Trickling  Similar to Standard Trickling  Intended to be used for media files played by online players (like YouTube)  TMG delivers the data as fast as possible to the end user to keep a good user experience.  The tradeoff between user experience and inspection performance is governed by the FastTricklingMode COM setting  User experience degrades (but inspection performance improves) when the EMP filter need more minimum bytes to perform a partial inspection so increasing buffering on TMG  Default value for FastTricklingMode is fpcGoodUserExperienceModeratePerformance

28. Summary  Any download starts as « delayed download ». If time for accumulation and inspection exceeds DeliveryDelay, TMG will use Progress Page, Std Trickling or Fast Trickling  IF ProgressPage is enabled AND if request meets Progress Page criterias THEN send progress page to client  ELSE IF Fast Trickling is enabled AND IF request meets Fast Trickling criteria, THEN start fast Trickling  ELSE use default method (could be Standard Trickling or Fast Trickling)

29. Administration  Malware inspection can be enabled or disabled at 3 different levels:  Global level  Access rule level  Web chaining rule level

30. Administration (continued)  Some sources and destinations can be exempted from inspection  The primary usage for sources exclusion would be to define such exclusion on an upstream proxy when inspection is performed on the downstream proxy  Destinations like Microsoft domain names are added by default to the destinations exclusions list

31. DEMO!

32. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.