Threat Management Gateway 2010: this unknown product? … not for much longer!
Manuela Polcaro, Security Advisor

Agenda
• First session:
  • Module 1 – Overview
  • Module 2 – Setup & Deployments
• Second session:
  • Module 3 – URL filtering (URL-F)
  • Module 4 – Edge Malware Protection (EMP)
• Third session:
  • Module 5 – HTTPS Inspections
  • Module 6 – ISP Redundancy (ISP-R)
  • Module 8 – NAT Enhancement
HTTPS Inspection - Motivation
• Today more and more web traffic is HTTPS. Some of this traffic is legitimate; some isn’t and might carry malicious content.
• We have many tools for HTTP protection (antimalware, NIS, …), but none for HTTPS protection, because that traffic is tunneled through the proxy without being inspected.
• This feature enables the TMG administrator to inspect outgoing HTTPS traffic at the edge and prevents the end user from downloading malicious software (malware) that could infect the entire organization.
HTTPS Traffic Inspection Microsoft Confidential
Motivation
• In order to inspect outgoing HTTPS traffic, TMG breaks the HTTPS connection using a man-in-the-middle mechanism (a form of “bridging”): one TLS session terminates at TMG, a second one is opened from TMG to the site.

Typical Flow between Client and TMG
• Client sends a request for https://www.somesite.com to TMG.
• TMG connects to the HTTPS site and creates an SSL tunnel between TMG and the site.
• TMG validates the certificate received from the server (makes sure it is not expired, is trusted, etc.).
• TMG duplicates the certificate on the fly, signs it with its CA certificate, and sends it to the client.
• Client accepts (thanks to the trust chain) the certificate generated by TMG on behalf of the web server, and agrees to open a secure connection with TMG.
• Client is notified about the inspection (if enabled by the TMG administrator) by the TMG client.
• TMG relays the user/server data between the two open SSL tunnels, inspecting the traffic.
HTTPS Inspection Mechanism
[Diagram: two SSL sessions. In the web browser the request is https://www.fabrikam.com and the certificate presented for www.fabrikam.com is signed by “TMG CA”; in the TMG request to the origin the URL is https://www.fabrikam.com and the certificate for www.fabrikam.com is signed by Verisign.]

Client certificate is required
• This is not a supported scenario.
TMG CA Certificate not installed on client
• The CA certificate (e.g. a self-signed certificate) used by TMG must be deployed on the client; otherwise the client won’t trust the certificate issued by TMG on behalf of the web server (the user won’t receive the inspection notifications in that case).
• If the client does not have the CA certificate used by TMG, it will receive the error below when accessing an SSL web site while HTTPS inspection is enabled.

CA Certificate generation and deployment
• The CA certificate used by TMG to issue the certificates can be of two types:
  • a generated self-signed certificate
  • an existing trusted certificate authority

CA Certificate generation and deployment
• This CA certificate must then be deployed on the client computers (under “Trusted Root Certification Authorities” of the Local Computer certificate store); otherwise the client won’t trust the server certificate received from TMG.
• Two possible deployment methods for the CA certificate:

User notifications
• The client must have the TMG Client installed to receive the inspection notification, and the CA certificate must be properly deployed on the client.
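The certificate flow above and the "CA not deployed" failure mode can be reproduced with the Go standard library. This is an added illustration, not TMG code: it builds a constructed public CA and origin certificate for www.fabrikam.com, a "TMG CA", re-issues the validated origin identity under TMG's own key (the on-the-fly duplication step), and then checks how a client that trusts only the TMG CA, or only the origin's CA, judges the cloned certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh key for tmpl and signs it with parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, err := x509.ParseCertificate(der) // a failed issuance (nil der) surfaces here
	if err != nil {
		panic(err)
	}
	return cert, key
}
// root makes a self-signed CA: the public CA behind the origin site, or TMG's inspection CA.
func root(cn string) (*x509.Certificate, ed25519.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}
// leaf is a server-auth template carrying the identity fields a browser checks.
func leaf(subject pkix.Name, dns []string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: subject, DNSNames: dns,
		NotBefore: from, NotAfter: to, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}
// trustedFor reports whether a client whose store holds only root accepts cert for host.
func trustedFor(cert, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
// Demo builds the constructed chains (origin CA, TMG CA, the TMG re-issue step) and returns whether the clone is accepted with and without the TMG CA deployed.
func Demo() (withTMGCA, withoutTMGCA bool) {
	originCA, originKey := root("Origin Root CA (constructed)")
	tmgCA, tmgKey := root("TMG CA")
	origin, _ := issue(leaf(pkix.Name{CommonName: "www.fabrikam.com"}, []string{"www.fabrikam.com"}, time.Now(), time.Now().Add(time.Hour)), originCA, originKey)
	// The TMG step: same subject, SANs and validity as the validated origin cert, new key, signed by the TMG CA.
	clone, _ := issue(leaf(origin.Subject, origin.DNSNames, origin.NotBefore, origin.NotAfter), tmgCA, tmgKey)
	return trustedFor(clone, tmgCA, "www.fabrikam.com"), trustedFor(clone, originCA, "www.fabrikam.com")
}
```

The second result is the certificate error a client without the deployed TMG CA sees; a client can also recognise inspection by checking that the issuer of the certificate it received is the internal "TMG CA" rather than the site's public CA.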
ISP-R – Introduction
• New feature introduced in TMG that allows the coexistence of two ISP connections.
• With this feature TMG ensures Internet connectivity is not lost even when one Internet service provider (ISP) is down.

Feature Overview
Two different scenarios:
• High availability of Internet connectivity
  • TMG uses a backup line when the primary is down (failover).
• Load balancing between ISP providers/connections
  • TMG uses two concurrent ISP connections.

Scenarios
• Two network adapters’ scenario: TMG is configured with two NICs on the external network. Each NIC has a different subnet and is connected to a different ISP.
• Single network adapter scenario: TMG is configured with a single NIC on the external network with two different subnets, one for each ISP.
• Note that Windows displays a warning when the administrator defines more than one default gateway on the system. In this case the warning can be ignored.

Feature Components
• Configuration
  • The organization signs up with two different ISP links.
  • The administrator identifies the two ISP gateways.
  • TMG Server uses the ISP subnet information to direct traffic to each of the ISPs.
• Connectivity Validation
  • Periodic connectivity tests to root DNS servers (or custom DNS servers) on the Internet let TMG determine whether each ISP link is available.
Threat Management Gateway 2010 RTM – Module 9 – NAT Enhancement

NAT Enhancement Feature Overview
• ‘Small’ enhancement to the NAT network rule definition that allows specifying which NAT address should be used.
• Targets scenarios in which the NAT address matters:
  • Publishing multiple SMTP servers (not via Edge Protection)
• Frequently requested by customers.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.