Forefront Threat Management Gateway 2010 Introduction to Forefront TMG Forefront TMG Value Proposition Firewall – Control network policy access at the edge Comprehensive Secure Web Gateway – Protect users from Web browsing threats Secure E-mail Relay – Protect users from e-mail threats Integrated Remote Access Gateway – Enable users to remotely access corporate resources Intrusion Prevention – Protect desktops and servers from intrusion attempts Simplified Features Summary • VoIP traversal • Enhanced NAT • ISP link redundancy Firewall • NAP integration with client VPN • SSTP integration Remote Access • HTTP antivirus/ antispyware • URL filtering • HTTPS forward inspection Secure Web Access • Exchange Edge integration • Antivirus • Antispam E-mail Protection • Array management • Change tracking • Enhanced reporting • W2K8, native 64-bit Deployment and Management • Network inspection system Intrusion Prevention • Malware protection • URL filtering • Intrusion prevention Subscription Services Deployment Scenarios Networks DMZ Internal External DMZ External DMZ EXT Internet ISP 1 DMZ INT ISP 2 TMG LAN 1 Local Host VPN client VPN Clients LAN 2 Branch LAN 3 Internal 5 Deployment Scenarios Network Sets DMZ Networks DMZ EXT Internet ISP 1 DMZ INT ISP 2 TMG VPN client LAN 1 LAN 2 Branch LAN 3 Deployment Scenarios Single Adapter Local Host Internet TMG LAN 1 LAN 2 LAN 3 VPN Client VPN Clients Internal 7 Forefront TMG as a Secure Web Gateway Array Support, Load balancing Scalable Logging & Reporting Support New reports, log fields Competitive Feature Set URL Filtering, Malware Inspection, NIS Easily Manageable Web Access Wizard, Task Oriented Integrated Policy Management, Directory Services Integration, Licensing 8 Secure Web Gateway Layered Security Unifies inspection technologies to: Malware Inspection URL Filtering Application Layer Proxy Network Inspection System HTTPS Inspection Logging & Reporting Windows Server® 2008 / R2 Protect against multi-channel threats Simplify deployment Keeps security up to date with updates to: Web antimalware URL filtering Network Inspection System HTTPS Inspection How HTTPS Inspection Works Enable HTTPS inspection Generate trusted root certificate Install trusted root certificate on clients contoso.com https://contoso.com https://contoso.com SIGNED BY VERISIGN SIGNED BY TMG 1. 2. 3. 4. 5. 6. 7. 8. Contoso.com Contoso.com Intercept HTTPS traffic Validate contoso.com server certificate Generate contoso.com server proxy certificate on TMG Copy data from the original server certificate to the proxy certificate Sign the new certificate with TMG trusted root certificate [TMG manages a certificate cache to avoid redundant duplications] Pretend to be contoso.com for client Bridge HTTPS traffic between client and server 11 HTTPS Traffic Inspection Process URL Filtering Malware Inspection Network Inspection System Internet SIGNED BY VERISIGN SIGNED BY TMG Contoso.com Contoso.com HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats Trusted certificate generated by proxy matching the URL expected by the client 12 HTTPS Inspection Notifications Notification provided by Forefront TMG client Notify user of inspection History of recent notifications Management of Notification Exception List May be a legal requirement in some geographies 13 HTTPS Inspection Notification User Experience 14 URL Filtering URL Filtering Microsoft Reputation Service • 91 built-in categories • Predefined and administrator defined category sets • Integrates leading URL database providers • Subscription-based • Customizable, per-rule, deny messages URL DB Internet TMG • • • • URL category override URL category query Logging and reporting support Web Access Wizard integration URL Filtering Benefits Control user web access based on URL categories Protect users from known malicious sites Reduce liability risks Increase productivity Reduce bandwidth and Forefront TMG resource consumption Analyze Web usage Utilizes Microsoft Reputation Service How TMG Uses Microsoft Reputation Service Multiple Vendors Federated Query Combines with Telemetry Data MRS Telemetry Path (also SSL) SSL Cache Fetch URL Query (URL) Categorizer Policy • Cache: Feedback Fetch on cache •mechanism miss Persistent on • •Category SSL In-memory for auth overrides & •privacy Weighted TTL • No PII What Makes MRS Compelling? Existing URL filtering solutions Single vendor cant be expert in all categories Categorization response time MRS unique architecture MRS merges URL databases from multiple sources/vendors Multi-vendor AV analogy Based on Microsoft internal sources as well as collaboration with third party partners Scalable Ongoing collaborative effort Recently announced an agreement with Marshal8e6 More announcements to follow URL Filtering Categories Security Liability Productivity Per-rule Customization TMG administrator can customize denial message displayed to the user on a per-rule basis Add custom text or HTML Redirect the user to a specific URL URL Category Override Administrator can override the categorization of a URL Feedback to MRS via Telemetry 22 User Experience User Experience HTML tags 24 24 Malware Inspection HTTP Malware Inspection MU or WSUS • Integrates Microsoft Antivirus engine • Signature and engine updates • Subscription-based Third party plug-ins can be used (native Malware inspection must be disabled) Content delivery methods by content type Signatures DB Internet TMG • Source and destination exceptions • Global and per-rule inspection options (encrypted files, nested archives, large files…) • Logging and reporting support • Web Access Wizard integration Content Trickling Firewall Service GET msrdp.cab 200 OK Web Proxy Malware Inspection Filter GET msrdp.cab 200 OK Request Context Accumulated Content Scanner 27 Malware Scanner Behavior High Normal Low • Partial inspection for Standard Trickling • Final inspection for files smaller than 1 MB when Progress Page is not used • Partial inspection for Fast Trickling • Final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used • Final inspection when Progress Page is used • Final inspection for files larger than 50 MB Low Priority Queue Normal Priority Queue High Priority Queue Antimalware Engine 28 Malware Inspection Per-rule Overrides 29 User Experience Content Blocked User Experience Progress Notification 31 Network Inspection System (NIS) Network Inspection System (NIS) Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions) Detects and potentially block attacks on network resources NIS helps organizations reduce the vulnerability window Protect machines against known vulnerabilities until patch can be deployed Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window Integrated into Forefront TMG Synergy with HTTPS Inspection 33 New Vulnerability Use Case Vulnerability is discovered Response team prepares and tests the vulnerability signature Signature released by Microsoft and deployed through distribution service, on security patch release All un-patched hosts behind Forefront TMG are protected Corporate Network Vulnerability Discovered Signature Authoring Team Signature Authoring Signature Distribution Service TMG Testing 34 Network Inspection System Architecture Design Time Protocol Parsers Signatures Microsoft Update Run Time NIS Engine Telemetry and Portal 35 NIS Response Process Threat Identification Signature Release Threat Research Targeting 4 hours Encyclopedia Write-up Signature Development Signature Testing Other Network Protection Mechanisms Common OS attack detection DNS attack filtering IP option filtering Flood mitigation 37 DNS Attack Filtering Enables the following checks in DNS traffic: DNS host name overflow – DNS response for a host name exceeding 255 bytes DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes DNS zone transfer – DNS request to transfer zones from an internal DNS server 38 IP Options Filtering Forefront TMG can block IP packets based on the IP options set Deny all packets with any IP options Deny packets with the selected IP options Deny packets with all except selected IP options Forefront TMG can also block fragmented IP packets 39 Flood Mitigation Forefront TMG flood mitigation mechanism uses: Custom Limit Limit Connection limits that 600 6000 are used to identify and 160 400 block malicious traffic 80 Logging of flood mitigation 600 6000events 1000 Alerts that are triggered when a connection limit 160 is exceeded 600 400 TMG comes with default configuration settings Exceptions can be set per computer set 40 Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG) Product Positioning Forefront TMG 2010 Enables users to safely and productively use the Internet without worrying about malware and other threats Forefront UAG Comprehensive, secure remote access to corporate resources Forefront UAG is the preferred solution for providing remote access Forefront TMG 2010 still provides support for remote access features, but not the recommended solution Server Publishing Non-HTTP Server Publishing Allows map requests for non-Web servers in one of the TMG 2010 networks Clients can be either on the Internet or on a different internal network Can be used to publish most TCP and UDP protocol Behavior depends on whether non-Web server is behind a NAT relationship or not If behind NAT, clients will then connect to an IP address belonging to Forefront TMG If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010 Sample Server Publishing Scenario DNS Server Publishing 192.168.0.100 DG: 192.168.0.3 ` DNS Server 18.104.22.168 10.0.0.3 192.168.0.254 192.168.0.3 TMG 1. DNS request 22.214.171.124 > 10.0.0.3 2. Check rule match 192.168.0.101 DG: 192.168.0.254 FTP Server Check Publishing Rule Match 45 Non-HTTP Server Publishing Things to consider when planning Server Publishing No authentication support Access restriction by network elements only Networks, subnets, or IP addresses No support in single adapter configuration Client source IP address preserved Behavior can be changed using rule setting Application Layer Filter and NIS signature coverage SMTP, POP3, DNS, etc. 46 Web Publishing Provides secure access to Web content to users from the Internet Web content may be either on internal networks on in a DMZ Supports HTTP and HTTPS connections Forefront TMG 2010 Web Publishing features: Mapping requests to specific internal paths in specific servers Allows authentication and authorization of users at TMG level Allow delegation of user credentials after TMG authentication Caching of the published content (reverse caching) Inspection of incoming HTTPS requests using SSL bridging Load balancing of client requests among Web servers in a server farm Accessing Web Resources OWA RPC/HTTP(S) ActiveSync HTTPS Exchange Server HTTPS ` HTTP HTTPS HTTP Internet Web Server HTTP SharePoint Server Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols Securing SSL Traffic SSL Bridging: 1. Client on Internet encrypts communications 2. TMG 2010 decrypts and inspects traffic 3. TMG 2010 sends allowed traffic to published server, re-encrypting it if required Authentication Process 1. Client credentials received 2&3. Credentials validated 4. Credentials delegated to internal server 5. Server send response 6. Response forwarded to client Single Sign On Sample Scenario – Two Published Web Sites requiring AuthN With Single Signon Without Single Signon: 1. User Prompted for authentication 2. User Clicks Link to SharePoint 3. User NOT Prompted for authentication Prompted for authentication again Exchange.Company.Com FBA SharePoint.Company.Com ` 51 Forefront TMG Virtual Private Networking (VPN) Forefront TMG Virtual Private Networking (VPN) TMG 2010 supports two types of VPNs: Remote Access VPN Site-to-site VPN TMG 2010 implements Windows Server® 2008 VPN technology Implements support for Secure Socket Tunneling Protocol (SSTP) Implements support for Network Access Protection (NAP) Secure Socket Tunneling Protocol (SSTP) New SSL-based VPN protocol HTTP with SSL session (TCP 443) between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets Support for unauthenticated Web proxies Support for Network Access Protection (NAP) Client support in Windows Vista® SP1 No plans to backport SSTP to previous versions Network Access Protection (NAP) Windows Policy Validation and Enforcement Platform Policy Validation Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed healthy. Network Restriction Restricts network access to computers based on their health. Remediation Provides necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed. Ongoing Compliance Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions. NAP Support in Forefront TMG 2010 Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN Supports all VPN protocols, including SSTP Different solution than the Remote Access Quarantine Services (RQS) supported in ISA Server 2006 NAP validates health status of the remote client at connection time VPN network access limitation is done through IP packet filters applied to the VPN connection Access limited to resources on the restricted network NAP with Forefront TMG Walkthrough Restricted Network Remediation Servers Corporate Network System Health Servers Unhealthy SHA performs remediation against remediation servers VPN QEC SoH VPNpasses QEC queries NAPAgent collects Responses back to NAPAgent for SOHs new SoH and passes NAPAgent to VPN QEC Ongoing policy updates to Network Policy Server Here is the fix you need. EAP messages PEAP Can I pleaseHere haveisaccess to the network? my SOH VPNPEAP Session Request messages EAP -Here Response/Identity is my SOH Client PEAP PEAP Message Message EAP - Request/Identify State: State: Full Access – Send SOH EAP –Quarantine Request/Start SOH SOH Responses Responses Forefront TMG 2010 EAP - Request/Identify RADIUS Access-Accept EAP – Request/Start – Send According to policy, the clientSOH is not up to date. up toQuarantine date. client. Restrict Grantclient access to –10.10.10.0/24 no filters Network Policy Server NAP Components Platform Components Enforcement Components Health Components System Health Agents = Declare (patch state, virusnetwork signature, system configuration, Quarantine Agent (QA)(SHA) =Clients Reports client health status, coordinates between SHA and QEC. Quarantine Enforcement (QEC) =health Negotiate access with access device(s); etc.). DHCP, VPN, 1X, IPSec QECs. Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies. System Health Validators (SHV) = Certify declarations made byendpoints. health agents. Network Access Devices = Provide network access to healthy System Health Servers = Define health certificates requirements for system on the client. Health Registration Authority = Issues to clients that components pass health checks. Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state. Remediation Servers System Health Servers Health policy Updates Client Health Statements SHA<n> Quarantine Agent QEC 1 QEC 2 Network Access Requests Health Result Network Policy Server SHV<n> Network Access Device (Forefront TMG 2010) Quarantine Server Mail Protection Mail Protection – Forefront Threat Management Gateway Full featured SMTP hygiene Exchange Edge Transport for SMTP stack Requires valid license Integrated with Microsoft® Forefront™ Protection 2010 for Exchange Server Antimalware Antispam Antiphishing Also supports generic SMTP mail servers E-mail Threats ~98% of all e-mail is spam/malicious Over 400 billion unwanted e-mails in H2 2008 Estimated cost is $130 billion in 2009 Causes 90% of NDRs Risk of software vulnerabilities Percentage of incoming messages filtered by Forefront Online Protection for Exchange, 1H06-2H08 100% 80% 60% 40% 20% 0% 1H06 2H06 1H07 2H07 1H08 2H08 61 The Solution Filter unwanted e-mail as early as possible 100% 80% 60% 40% 20% 0% 1H06 Edge Filtered 2H06 1H07 Content Filtered 2H07 1H08 Unfiltered 2H08 Percentage of incoming messages blocked by Forefront™ Protection for Exchange using edge-blocking and content filtering, 1H06-2H08 62 E-mail Protection Features Protection at the edge Protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server Advanced protection and premium antispam Multiple scan engines to protect against malware and provide a premium antispam solution Integrated management Easy management of Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG Array deployment Support for managing and load balancing traffic among multiple servers Solution Components Microsoft Products Forefront Protection 2010 for Exchange Server Microsoft® Exchange Server® 2007 (or 2010) Edge Transport Forefront Threat Management Gateway Windows Server® 2008 x64 64 Mail Protection – Forefront Threat Management Gateway Anti-virus Engines Forefront Security for Exchange (FSE) Multi-layer Filters Multi-layer Filters Exchange Edge Role Receive Connector Send Connector Network Inspection System (NIS) TMG Filter Driver Internal Network External Network `` Typical Deployment Topology Any SMTP Servers Forefront TMG Array myorg.com Internal SMTP Server Internal Network SMTP Traffic Internet Partner SMTP Server MX pointing to Forefront TMG external IP address SMTP Traffic EdgeSync (Exchange Server Only) 66 Configure SMTP Routes Defines how Forefront TMG routes traffic from and to the organization SMTP servers At least two routes required: Internal_Mail_Servers define the IP addresses and SMTP domains of the internal mail servers External_Mail_Servers define which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail Configure Spam Filtering Defines spam filtering policy Connection-level filtering IP Allow List IP Allow List Providers IP Block List Block List Providers Protocol-level filtering Configuring Recipient Filtering Configuring Sender Filtering Configuring Sender ID Configuring Sender Reputation Content-level filtering Spam Filtering Connection-level Filtering 69 Virus and Content Filtering Configures antivirus, file attachment, and message body filtering Virus filter – Engine selection policy and remediation actions File filters – Unwanted file attachments based on file type, filename, and prefix Message body filters – Identify unwanted e-mail messages by applying keyword lists to the contents of the message body Virus and Content Filtering Replicating Configuration to Exchange Server and FPE FPE Service 1. TMG UI 4. Configure services using PowerShell API Administrator 2. Store to DB 3. Array members load new configuration Exchange Edge Service 72 Design Options Single purpose and location, no high availability Forefront TMG 2010 Standard Edition Single purpose and location, high availability Forefront TMG 2010 Enterprise Edition in stand-alone array Multiple purposes and/or locations, high availability Enterprise Management Server Single Purpose and Location Forefront TMG 2010 Standard Edition (SE) Light and medium traffic All-in-one solution No high availability requirements Internet Forefront TMG Standard Edition 74 Single Purpose and Location Forefront TMG 2010 Enterprise Edition (EE): Stand-alone array Shared configuration High traffic solution Simple upgrade to EE Data maintained EE license key Provides high availability and scale out Internet Stand-alone Array 75 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.