Transcript (TMG) 2010.
What's new in
Threat Management Gateway (TMG) 2010
Ronald Beekelaar
[email protected]
Introductions
• Presenter – Ronald Beekelaar
– MVP Security
– MVP Virtual Machine Technology
– E-mail: Beekelaar Consultancy BV
[email protected]
• Work
–
–
–
–
Security consultancy
Virtualization consultancy
Create many VM-based labs and demos
Software to optimize, manage and run VM
Session Objectives
• Main goal:
– Make it easier for you to talk to customers about
Threat Management Gateway (TMG) 2010.
– Or: implement TMG 2010 within your own organization
– How to do that?
• Focus on new features in TMG 2010
– As successor to ISA 2006
• Understand NIS
• Explain Outbound SSL Inspection
– Sub goal:
• Use the lab environment for demos
Demo and Lab Environment
• For study, testing, demo, POC, etc
– Download from:
• http://go.microsoft.com/fwlink/?LinkId=190269
– Contains all Forefront products
• Including FIM and AD FS
What's new in TMG?
• Malware Inspection (AM)
– For HTTP and HTTPS
– Email antivirus / antispam filtering
• Network Inspection System (NIS)
– Intrusion Prevention System
• URL Filtering
• HTTPS Inspection
• Web Access Policy
• ISP Redundancy (ISP-R)
– Failover and load-balancing
• Enhanced NAT
– For multiple outbound SMTP servers
TMG “Network Rules”
• New Feature: Enhanced NAT
– Eg. SMTP Sender Policy Framework
Malware Inspection
• Detects viruses in HTTP traffic
• Uses MS AV engine
– Same as FCS, FSE, FSSP, etc
– Single engine – not multi-vendor
• Issue:
– Scanning takes time – client may time out
• Solution:
– Progress notification (for browser clients)
– Content trickling + recall
• Send 50 bytes every 5 seconds
Network Inspection System (NIS)
• Signature-based detection of malicious network
traffic
– Based on MS Research GAPA project
• Generic Application Protocal Analyzer
– Signatures for vulnerabilities (MS08-33)
• And some signatures for existing exploits
– Microsoft releases security bulletin
+ security update (patch)
+ NIS signature
• Protects unpatched computers behind TMG
URL Filtering
• Microsoft Reputation Service (MRS) returns one
of 91 “category” indications for each URL
– Including “Unknown”
MRS
www.soccer.com ?
category = sports
+ in cache
www.soccer.com
Request
Content
Content
Firewall rule:
Allow category Sports after 5 PM only
URL Filtering – Walking the Path
Internet Services
Health
Health
Not found
Not found
Health
Internet Services
HTTPS Inspection
Outbound traffic
• For Web publishing, inbound SSL Bridging is
well-known (ISA Server 2000)
• Issue:
– Cannot inspect outbound traffic in encrypted tunnel
(SSL)
• Solution:
– Use “SSL Bridging” on outbound SSL connections as
well
– Difference with Web publishing is that client can go to
many different Web sites
HTTPS Inspection
Mechanism
Request
In Web browser:
https://www.fabrikam.com
Signed by”TMG CA”
Signed by Verisign
www.fabrikam.com
www.fabrikam.com
Request
Certificate
Certificate
SSL
SSL
In TMG request:
https://www.fabrikam.com