
What's new in Threat Management Gateway (TMG) 2010

Ronald Beekelaar
ronald@beekelaar.com

Introductions

• Presenter
  – Ronald Beekelaar
  – MVP Security
  – MVP Virtual Machine Technology
  – Beekelaar Consultancy BV
  – E-mail: ronald@beekelaar.com

• Work
  – Security consultancy
  – Virtualization consultancy
  – Create many VM-based labs and demos
  – Software to optimize, manage and run VM


Session Objectives

• Main goal:
  – Make it easier for you to talk to customers about Threat Management Gateway (TMG) 2010.
  – Or: implement TMG 2010 within your own organization
  – How to do that?
    • Focus on new features in TMG 2010
      – As successor to ISA 2006
    • Understand NIS
    • Explain Outbound SSL Inspection
  – Sub goal:
    • Use the lab environment for demos


Demo and Lab Environment

• For study, testing, demo, POC, etc.
  – Download from:
    • http://go.microsoft.com/fwlink/?LinkId=190269
  – Contains all Forefront products
    • Including FIM and AD FS


What's new in TMG?

• Malware Inspection (AM)
  – For HTTP and HTTPS
  – Email antivirus / antispam filtering
• Network Inspection System (NIS)
  – Intrusion Prevention System
• URL Filtering
• HTTPS Inspection
• Web Access Policy
• ISP Redundancy (ISP-R)
  – Failover and load-balancing
• Enhanced NAT
  – For multiple outbound SMTP servers


TMG “Network Rules”

• New Feature: Enhanced NAT
  – E.g. SMTP Sender Policy Framework


Malware Inspection

• Detects viruses in HTTP traffic
• Uses MS AV engine
  – Same as FCS, FSE, FSSP, etc.
  – Single engine – not multi-vendor
• Issue:
  – Scanning takes time – client may time out
• Solution:
  – Progress notification (for browser clients)
  – Content trickling + recall
    • Send 50 bytes every 5 seconds


Network Inspection System (NIS)

• Signature-based detection of malicious network traffic
  – Based on MS Research GAPA project
    • Generic Application Protocol Analyzer
  – Signatures for vulnerabilities (MS08-33)
    • And some signatures for existing exploits
  – Microsoft releases security bulletin + security update (patch) + NIS signature
    • Protects unpatched computers behind TMG


URL Filtering

• Microsoft Reputation Service (MRS) returns one of 91 “category” indications for each URL
  – Including “Unknown”

Firewall rule: Allow category Sports after 5 PM only

[Diagram: request for www.soccer.com; TMG asks MRS “www.soccer.com ?”; MRS returns category = sports (+ in cache); content is returned.]


URL Filtering – Walking the Path

URL Filtering Categories:
- health.msn.com/kids-health/caffeine-use.htm – Not found
- health.msn.com/kids-health – Not found
- health.msn.com – Health category
- msn.com – Internet Services category

[Diagram labels: Health category, Health category, Internet Services category]
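
The lookup order on this slide, written out as an added Python sketch (not TMG or MRS code): candidate keys run from the full URL path up to the parent domain, and the first categorised key wins. The table, the function names and the choice to ignore query strings are assumptions made for the example; the last function applies the earlier slide's "Sports after 5 PM only" rule to the result.

```python
from urllib.parse import urlsplit

# Constructed category table mirroring the slides' examples; not real MRS data.
SAMPLE_CATEGORIES = {
    "health.msn.com": "Health",
    "msn.com": "Internet Services",
    "www.soccer.com": "Sports",
}

def candidates(url):
    """Yield lookup keys, most specific first: path prefixes, then parent domains."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    # Full path first, then drop one trailing path segment at a time.
    for i in range(len(segments), 0, -1):
        yield host + "/" + "/".join(segments[:i])
    # Then the host and each parent domain, stopping before the bare TLD.
    labels = host.split(".")
    for i in range(max(len(labels) - 1, 1)):
        yield ".".join(labels[i:])

def categorize(url, table=SAMPLE_CATEGORIES):
    """Return (category, matched_key); ("Unknown", None) if no key is categorised."""
    for key in candidates(url):
        if key in table:
            return table[key], key
    return "Unknown", None

def sports_rule_matches(url, hour, table=SAMPLE_CATEGORIES):
    """True when the allow rule 'category Sports after 5 PM only' applies (hour 0-23)."""
    category, _ = categorize(url, table)
    return category == "Sports" and hour >= 17

if __name__ == "__main__":
    url = "health.msn.com/kids-health/caffeine-use.htm"
    for key in candidates(url):
        print(f"{key:50} {SAMPLE_CATEGORIES.get(key, 'Not found')}")
    print("decision:", categorize(url))
```

Because an uncategorised path inherits the category of its nearest categorised ancestor, a rule written for a category also covers every deeper URL under that host unless a more specific entry exists.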


HTTPS Inspection – Outbound traffic

• For Web publishing, inbound SSL Bridging is well-known (ISA Server 2000)
• Issue:
  – Cannot inspect outbound traffic in encrypted tunnel (SSL)
• Solution:
  – Use “SSL Bridging” on outbound SSL connections as well
  – Difference with Web publishing is that client can go to many different Web sites


HTTPS Inspection – Mechanism

[Diagram: In Web browser: https://www.fabrikam.com. Browser-to-TMG leg: SSL, request, certificate for www.fabrikam.com signed by “TMG CA”. In TMG request: https://www.fabrikam.com. TMG-to-server leg: SSL, request, certificate for www.fabrikam.com signed by Verisign.]
