Threat Management Gateway 2010: this stranger? … not for much longer!
Manuela Polcaro, Security Advisor
Agenda
• First session:
  • Module 1 – Overview
  • Module 2 – Setup & Deployments
• Second session:
  • Module 3 – URL filtering (URL-F)
  • Module 4 – Edge Malware Protection (EMP)
• Third session:
  • Module 5 – HTTPS Inspections
  • Module 6 – ISP Redundancy (ISP-R)
  • Module 8 – NAT Enhancement
URL-F Introduction
• URL Filtering controls end-user access to Web sites and protects the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic material, based on predefined URL categories.
• Typical use cases for this feature include:
  • Enhancing your security
  • Lowering liability risks
  • Improving the productivity of your organization
  • Saving network bandwidth
MRS – Microsoft Reputation Services
• Aggregates reputation data from multiple vendors
• Uses telemetry in order to improve data accuracy
• (Diagram) sources feeding MRS: iFilter, BrightCloud, Marshal 8e6, IE Security
Telemetry
• To improve data quality, a URL filtering telemetry mechanism was developed; it is built into the product and runs on an ongoing basis.
• This mechanism allows the MRS team to review URL filtering data samples collected from participating Forefront TMG deployments.
• For NIS and Malware Protection, telemetry is enabled or disabled through the TMG UI.
• URL filtering telemetry data is sent automatically when the URL Filtering feature is enabled and stops when it is disabled.
• Use the registry to stop sending URL-F telemetry without disabling the feature.
• To help protect your privacy, Microsoft Telemetry Service reports are encrypted using Secure Sockets Layer (SSL).
URL Filtering
• Microsoft Reputation Service (MRS) returns one of 80 “category” indications for each URL
• Including “Unknown”
• (Diagram) the client requests www.soccer.com → TMG sends an MRS request for www.soccer.com → MRS answers category = sports, which TMG stores in its cache → the content is returned to the client
• Example firewall rule: Allow category Sports after 5 PM only
URL category usage
• URL category information is used for:
  • Rules (Allow/Deny rules according to category)
  • Log
  • EMP exclusion list
  • HTTPS exclusion list
• No reverse lookups
• 10.ds.mrs.microsoft.com:433
Caching
• Stored at ISA_INSTALL_DIR\UrlFiltering\UrlfCache.bin
• Read when the service starts
• Persisted when the service goes down
• If erased, the service starts with an empty cache
• Max size is 200 MB
• TTL for a categorization is decided by MRS
• Unknown (not found in the database) and security-related categories have a short TTL: 30 minutes
Administration
• The « URL Denied » error message can be customized
Category query tool
• Available from the Web Protection Tasks
• Allows the administrator to know the category of a URL and the source of the categorization (local cache, MRS, override)
URL category overrides
• Available from the Web Protection Tasks
• Allows a URL to be assigned to a category different from its default category (the one returned by MRS)
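To make the lookup order concrete (administrator override first, then the local cache, then an MRS query, which is also the "source" the query tool reports), here is an added Python model of the caching rules above together with the "Allow category Sports after 5 PM only" rule from the URL Filtering slide. It is illustrative code, not TMG's: the MRS answer table, the category names, the eviction policy and the rule semantics are constructed, and an entry count stands in for the 200 MB cache limit.

```python
"""Added model of TMG-style URL categorization (override > local cache > MRS).
Not TMG code: the MRS answers, category names and rule semantics are constructed."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

SHORT_TTL = timedelta(minutes=30)                      # slide: Unknown / security categories
SECURITY_CATEGORIES = {"Malicious Sites", "Phishing"}  # assumed category names

# Constructed stand-in for the reputation service: host -> (category, TTL decided by MRS)
FAKE_MRS = {
    "www.soccer.com": ("Sports", timedelta(hours=24)),
    "evil.example": ("Malicious Sites", timedelta(hours=24)),
}


@dataclass
class CacheEntry:
    category: str
    expires: datetime


class Categorizer:
    def __init__(self, max_entries=1000):          # entry count stands in for the 200 MB limit
        self.max_entries = max_entries
        self.cache = {}                            # host -> CacheEntry (UrlfCache.bin in TMG)
        self.overrides = {}                        # administrator-assigned categories

    def override(self, host, category):
        self.overrides[host] = category

    @staticmethod
    def mrs_lookup(host):
        """Query the (fake) service by host name; there is no reverse lookup of IPs."""
        category, ttl = FAKE_MRS.get(host, ("Unknown", SHORT_TTL))
        if category == "Unknown" or category in SECURITY_CATEGORIES:
            ttl = min(ttl, SHORT_TTL)              # short-lived verdicts get re-checked soon
        return category, ttl

    def categorize(self, host, now):
        """Return (category, source) the way the query tool reports it."""
        if host in self.overrides:
            return self.overrides[host], "override"
        entry = self.cache.get(host)
        if entry is not None and entry.expires > now:
            return entry.category, "cache"
        category, ttl = self.mrs_lookup(host)
        if host not in self.cache and len(self.cache) >= self.max_entries:
            victim = min(self.cache, key=lambda h: self.cache[h].expires)
            del self.cache[victim]                 # assumed policy: drop the entry closest to expiry
        self.cache[host] = CacheEntry(category, now + ttl)
        return category, "MRS"

    def save(self, path):
        """Persist when the service stops; load() rereads it, or starts empty if it was erased."""
        with open(path, "w") as f:
            json.dump({h: [e.category, e.expires.isoformat()] for h, e in self.cache.items()}, f)

    def load(self, path):
        try:
            with open(path) as f:
                data = json.load(f)
        except FileNotFoundError:
            data = {}
        self.cache = {h: CacheEntry(c, datetime.fromisoformat(x)) for h, (c, x) in data.items()}


def rule_decision(category, now):
    """Constructed rule set mirroring the slide's example: security categories denied,
    Sports allowed after 5 PM only, everything else allowed (assumed default)."""
    if category in SECURITY_CATEGORIES:
        return "deny"
    if category == "Sports":
        return "allow" if now.hour >= 17 else "deny"
    return "allow"


if __name__ == "__main__":
    c = Categorizer()
    for t in (datetime(2010, 6, 1, 9, 0), datetime(2010, 6, 1, 18, 0)):
        cat, src = c.categorize("www.soccer.com", t)
        print(t.time(), cat, src, rule_decision(cat, t))
```

The second call for the same host comes from the cache, so a rule change takes effect immediately (rules are evaluated on every request) while a categorization change at MRS only shows up after the TTL expires; the override step is what lets an administrator fix a wrong category without waiting.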
Licensing
• URL Filtering is a subscription-based service
• Per-user and per-year
• The license must be valid for URL Filtering to work
System Rule
• Traffic with MRS is SSL encrypted
• A system rule allows HTTPS between Local Host and the Microsoft Reputation Service Sites domain name set
Troubleshooting miscategorization
• If a site is wrongly categorized:
  • The workaround is to manually override its category
  • http://www.microsoft.com/security/portal/mrs/
• Use the UI query tool to see the categorization reason
• New URL Filtering performance counters
Threat Management Gateway 2010 – Module 4 – Edge Malware Protection
EMP - Motivation
• Inspect web traffic on the edge to prevent any malware from infecting machines inside the organization
• It is easier to keep the edge updated with malware signatures than individual client machines
• Unmanaged machines that might not have host AV up to date are also protected
• Malware activity detected on the edge can be easily monitored thanks to logging and reporting
Challenges
• Keep a good user experience while content is inspected on the Edge
• Interoperability issues with browsers (more precisely with controls or scripts) and non-browser applications
• Interoperability with other features (like HTTP compression, for instance)
• “Non-standard” usage of HTTP (like streaming)
Scenario
• Supported scenario: access download
• Unsupported scenarios:
  • Access upload
  • Publishing download
  • Publishing upload
Client Comforting
• Accumulating an entire file and scanning it may take a significant amount of time
• During this period the client doesn't receive any data; as a result a software timeout can occur, or the user may even cancel the download
• “Client comforting” defines a set of methods that guarantee a good user experience while content is inspected on the Edge
• Comforting methods:
  • Delayed Download
  • HTML Progress Page
  • Trickling:
    • Standard
    • Fast
End User Scenarios – Delayed
1) User browses to site.com and attempts to download a file
2) site.com responds with content
3) TMG accumulates the content, timing the download and inspection
4) If the content is downloaded and inspected in less than X seconds (Delivery Delay), TMG passes the whole file to the client
(Diagram: client → TMG → site.com: request, request; site.com → TMG → client: response, response)
End User Scenarios – Progress Page
The end user receives an HTML Progress Page if the time for download and inspection exceeds X seconds (Delivery Delay) and if some other conditions are satisfied (see next slide)
(Diagram: client → TMG → site.com: request, request; site.com → TMG: response; TMG → client: progress page)
End User Scenarios – Scanning completed
If the content is safe (or successfully cleaned), the page informs the user that the content is ready and displays a button for downloading it; otherwise the page notifies the user that malware was detected. In that case, the file is purged immediately from the temporary storage.
Standard Trickling
• TMG uses this method if the client application is not a browser (i.e. not able to handle the dynamic code embedded in the Progress Page).
• TMG delivers content to the client using Trickling when Delayed Download and Progress Page can’t apply. Trickling consists of sending very small chunks of data to the client until the whole file is inspected.
(Diagram: client → TMG → site.com: request, request; site.com → TMG: response; TMG → client: trickled response)
User experience: the download starts at a very low transfer rate and speeds up after inspection completes
Fast Trickling
• Similar to Standard Trickling
• Intended to be used for media files played by online players (like YouTube)
• TMG delivers the data as fast as possible to the end user to keep a good user experience.
• The tradeoff between user experience and inspection performance is governed by the FastTricklingMode COM setting
• User experience degrades (but inspection performance improves) when the EMP filter needs more minimum bytes to perform a partial inspection, since that increases buffering on TMG
• Default value for FastTricklingMode is fpcGoodUserExperienceModeratePerformance
Summary
• Any download starts as a « delayed download ». If the time for accumulation and inspection exceeds DeliveryDelay, TMG will use Progress Page, Standard Trickling or Fast Trickling:
  • IF Progress Page is enabled AND the request meets the Progress Page criteria THEN send the progress page to the client
  • ELSE IF Fast Trickling is enabled AND the request meets the Fast Trickling criteria THEN start Fast Trickling
  • ELSE use the default method (could be Standard Trickling or Fast Trickling)
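The decision tree on this Summary slide and the four comforting methods from the preceding slides, modelled as an added Python example (not TMG code). It takes the Progress Page criterion to be "the client is a browser" and the Fast Trickling criterion to be "the content is media for an online player", as the earlier slides suggest; the tick length, chunk sizes, the malware marker and what happens when malware is found mid-trickle are constructed assumptions.

```python
"""Added illustration of TMG-style client comforting: method selection from the
Summary slide plus a simulation of what the client holds over time.
Not TMG code: tick and chunk sizes, the malware marker and the abort behaviour are constructed."""
from dataclasses import dataclass

MALWARE_MARKER = b"CONSTRUCTED-MALWARE-SAMPLE"   # stands in for a signature hit


@dataclass
class Request:
    is_browser: bool      # can render the dynamic Progress Page (assumed Progress Page criterion)
    is_media: bool        # media for an online player (assumed Fast Trickling criterion)


@dataclass
class Policy:
    delivery_delay: float = 10.0          # seconds before a comforting method kicks in
    progress_page_enabled: bool = True
    fast_trickling_enabled: bool = True
    default_method: str = "standard_trickling"


def choose_method(policy: Policy, req: Request, accumulate_and_scan_seconds: float) -> str:
    """Decision tree as described on the Summary slide."""
    if accumulate_and_scan_seconds <= policy.delivery_delay:
        return "delayed_download"                  # whole file handed over after inspection
    if policy.progress_page_enabled and req.is_browser:
        return "progress_page"
    if policy.fast_trickling_enabled and req.is_media:
        return "fast_trickling"
    return policy.default_method


def inspect(content: bytes) -> bool:
    """Constructed scanner: True when the content is malicious."""
    return MALWARE_MARKER in content


def simulate(method, content, scan_seconds, tick=1.0, trickle_bytes=16, fast_min_bytes=256):
    """Return (timeline, outcome); timeline = [(seconds elapsed, bytes the client holds)]."""
    malicious = inspect(content)
    size = len(content)
    if method == "delayed_download":
        # nothing reaches the client until inspection ends
        return [(scan_seconds, 0 if malicious else size)], ("blocked" if malicious else "delivered")
    if method == "progress_page":
        # the HTML page is sent at once; the file only after a clean verdict (download button)
        timeline = [(0.0, 0), (scan_seconds, 0 if malicious else size)]
        return timeline, ("blocked_and_purged" if malicious else "delivered")
    # Standard trickling sends tiny chunks; fast trickling sends the minimum the filter
    # needs for a partial inspection, which is why it buffers more on the proxy.
    chunk = trickle_bytes if method == "standard_trickling" else fast_min_bytes
    timeline, sent, t = [], 0, 0.0
    while t < scan_seconds:
        sent = min(size, sent + chunk)
        t += tick
        timeline.append((t, sent))
    if malicious:
        # assumption: the connection is aborted; bytes already trickled cannot be recalled
        return timeline, "aborted_after_%d_bytes" % sent
    timeline.append((t, size))                     # inspection done: remainder released at full speed
    return timeline, "delivered"


if __name__ == "__main__":
    pol = Policy(delivery_delay=10)
    for req in (Request(True, False), Request(False, True), Request(False, False)):
        m = choose_method(pol, req, accumulate_and_scan_seconds=30)
        print(req, "->", m, simulate(m, bytes(1000), scan_seconds=3))
```

The trickling timelines show the tradeoff the Fast Trickling slide describes: every byte the client already holds before the verdict is a byte the proxy can no longer withhold, so a larger partial-inspection chunk buys a smoother player at the cost of a larger exposure window if the verdict turns out to be malicious.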
Administration
• Malware inspection can be enabled or disabled at 3 different levels:
  • Global level
  • Access rule level
  • Web chaining rule level
Administration (continued)
• Some sources and destinations can be exempted from inspection
• The primary usage for source exclusion would be to define such an exclusion on an upstream proxy when inspection is performed on the downstream proxy
• Destinations like Microsoft domain names are added by default to the destination exclusion list
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.