Transcript (TMG) 2010.
What's new in Threat Management Gateway (TMG) 2010 Ronald Beekelaar [email protected] Introductions • Presenter – Ronald Beekelaar – MVP Security – MVP Virtual Machine Technology – E-mail: Beekelaar Consultancy BV [email protected] • Work – – – – Security consultancy Virtualization consultancy Create many VM-based labs and demos Software to optimize, manage and run VM Session Objectives • Main goal: – Make it easier for you to talk to customers about Threat Management Gateway (TMG) 2010. – Or: implement TMG 2010 within your own organization – How to do that? • Focus on new features in TMG 2010 – As successor to ISA 2006 • Understand NIS • Explain Outbound SSL Inspection – Sub goal: • Use the lab environment for demos Demo and Lab Environment • For study, testing, demo, POC, etc – Download from: • http://go.microsoft.com/fwlink/?LinkId=190269 – Contains all Forefront products • Including FIM and AD FS What's new in TMG? • Malware Inspection (AM) – For HTTP and HTTPS – Email antivirus / antispam filtering • Network Inspection System (NIS) – Intrusion Prevention System • URL Filtering • HTTPS Inspection • Web Access Policy • ISP Redundancy (ISP-R) – Failover and load-balancing • Enhanced NAT – For multiple outbound SMTP servers TMG “Network Rules” • New Feature: Enhanced NAT – Eg. SMTP Sender Policy Framework Malware Inspection • Detects viruses in HTTP traffic • Uses MS AV engine – Same as FCS, FSE, FSSP, etc – Single engine – not multi-vendor • Issue: – Scanning takes time – client may time out • Solution: – Progress notification (for browser clients) – Content trickling + recall • Send 50 bytes every 5 seconds Network Inspection System (NIS) • Signature-based detection of malicious network traffic – Based on MS Research GAPA project • Generic Application Protocal Analyzer – Signatures for vulnerabilities (MS08-33) • And some signatures for existing exploits – Microsoft releases security bulletin + security update (patch) + NIS signature • Protects unpatched computers behind TMG URL Filtering • Microsoft Reputation Service (MRS) returns one of 91 “category” indications for each URL – Including “Unknown” MRS www.soccer.com ? category = sports + in cache www.soccer.com Request Content Content Firewall rule: Allow category Sports after 5 PM only URL Filtering – Walking the Path Internet Services Health Health Not found Not found Health Internet Services HTTPS Inspection Outbound traffic • For Web publishing, inbound SSL Bridging is well-known (ISA Server 2000) • Issue: – Cannot inspect outbound traffic in encrypted tunnel (SSL) • Solution: – Use “SSL Bridging” on outbound SSL connections as well – Difference with Web publishing is that client can go to many different Web sites HTTPS Inspection Mechanism Request In Web browser: https://www.fabrikam.com Signed by”TMG CA” Signed by Verisign www.fabrikam.com www.fabrikam.com Request Certificate Certificate SSL SSL In TMG request: https://www.fabrikam.com