Private Cloud Security via Forefront TMG 2010
Esmaeil Sarabadani, Systems and Security Consultant
What’s going to be covered…
• Overview of the Public and Private Cloud
• Public and Private Cloud Security Concerns
• Data Isolation in Microsoft Cloud
• The Geographical Location of Data
• An Overview on Forefront Threat Management Gateway 2010
• Virtualization of TMG in the Cloud
• TMG Network Inspection System
• TMG HTTPS Inspection
• TMG Firewall Features
• Securing Remote Access to your Private Cloud
What is the cloud?!!
• It’s nothing supernatural.
• It’s been with you for a long time.
• Even our grandparents are using it now.
• It’s used for social activities, entertainment, business and much more.
• It could be more secure than your own PCs.
Public Cloud | Private Cloud
Whatever…
Public Cloud: Security Concerns
Choose where to store your data …
Public Cloud: Data Isolation
[Diagram: physical hardware running a hypervisor with a host VM and three guest VMs; one guest is marked "Hacked", the others "Healthy", with "No Access" between them.]
Public Cloud: Network Security
[Diagram: Microsoft Public Cloud; hypervisors hosting rows of VMs; hackers; traffic analysis marked "Malicious Traffic?!!".]
Differentiating between legitimate and illegitimate traffic is quite challenging.
Private Cloud: Security Concerns
• Isolation of VMs from one another
• You are the only one responsible for the security of the cloud
• Attacks from inside the cloud
• Huge attacks from the internet, such as DoS or DDoS
• Authentication, Authorization or Auditing of access to cloud services
Forefront Threat Management Gateway 2010
• Network Inspection System
• Web Anti-malware
• HTTPS Inspection
• Builds on ISA Server 2006
• Active Directory Integration
• Custom Reports
• Can be virtualized
Demo: An Overview on TMG
Software vs. Hardware
Are hardware firewalls more secure than software firewalls?
Software vs. Hardware
Hardware firewalls are all software-based but only come in a hardware package.
Virtualization of TMG
[Diagram: a hypervisor running a host VM and guest VMs that form the private cloud, which is not connected to the Internet; the TMG guest sits between the private cloud and the Internet.]
• The edge gateway and FW
• The only Guest connected to the Internet
• At least two virtual NICs
Data transmission between the private and public clouds.
[Diagram: physical hardware running a hypervisor with a host VM, guest VMs and the TMG guest (two virtual NICs); several hypervisors together form the private cloud.]
Data transmission inside the private cloud.
Demo: Virtualization of TMG
Virtualization of TMG: Best Practices
• Always disconnect the Host VM from the Internet
• All the traffic to the Internet must pass through the VM with TMG
• If there are multiple hypervisors (Physical Servers), the traffic between the VMs in different physical servers should be filtered using TMG.
• The virtual Switch connecting the VMs in every physical server must be Private.
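The first three best practices above can be audited on a Hyper-V host. The script below is an added example, not code from the talk; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later), a guest named TMG, a Private switch named PrivateCloud and an External switch named Internet. The fourth practice (filtering between physical servers) spans several hosts and is not checked here.

```powershell
# Added example: audit one Hyper-V host against the TMG virtualization best practices.
# Assumed names (not from the talk): VM "TMG", switches "PrivateCloud" and "Internet".
Import-Module Hyper-V

$TmgVm          = 'TMG'
$PrivateSwitch  = 'PrivateCloud'
$InternetSwitch = 'Internet'
$findings = @()

# Rule 1: the Host VM (management OS) must not have a vNIC on the Internet switch.
$hostNics = Get-VMNetworkAdapter -ManagementOS | Where-Object { $_.SwitchName -eq $InternetSwitch }
if ($hostNics) {
    $findings += "Host has a vNIC on '$InternetSwitch'; recreate the switch with -AllowManagementOS `$false."
}

# Rule 2: the switch carrying the private cloud must be of type Private.
$sw = Get-VMSwitch -Name $PrivateSwitch -ErrorAction SilentlyContinue
if (-not $sw) { $findings += "Switch '$PrivateSwitch' does not exist." }
elseif ($sw.SwitchType -ne 'Private') {
    $findings += "Switch '$PrivateSwitch' is $($sw.SwitchType); expected Private."
}

# Rule 3: only the TMG guest may touch the Internet switch, and it needs two vNICs
# (one on the private cloud, one on the Internet) so all outbound traffic passes through it.
foreach ($vm in Get-VM) {
    $nics       = @(Get-VMNetworkAdapter -VMName $vm.Name)
    $onInternet = $nics | Where-Object { $_.SwitchName -eq $InternetSwitch }
    $onPrivate  = $nics | Where-Object { $_.SwitchName -eq $PrivateSwitch }
    if ($vm.Name -eq $TmgVm) {
        if (-not $onInternet) { $findings += "TMG is not connected to '$InternetSwitch'." }
        if (-not $onPrivate)  { $findings += "TMG is not connected to '$PrivateSwitch'." }
        if ($nics.Count -lt 2) { $findings += "TMG has $($nics.Count) vNIC(s); at least two are required." }
    }
    elseif ($onInternet) {
        $findings += "Guest '$($vm.Name)' bypasses TMG: connected directly to '$InternetSwitch'."
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Topology matches the TMG virtualization best practices.'
```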
Network Inspection System
• Inspects the traffic for exploits of vulnerabilities
• With the minimum number of false positives
• Has a repository to store signatures for different types of attacks and can update the repository
• Able to create inspection exceptions for some parts of the network
Demo: TMG Network Inspection System
HTTPS Inspection
• It acts as a man-in-the-middle between the two parties of an SSL connection
• It can inspect inside SSL-Encrypted traffic
• It looks for possible malware or exploits inside an SSL connection
Demo: TMG HTTPS Inspection
TMG Firewall Features
• Multi-Layer Firewall. It provides access control and protection on three layers:
  • Packet filtering
  • Stateful inspection
  • Application layer filtering
• DoS Protection
• Supports so many protocols, and new protocols can be defined.
• Granular HTTP Control:
  • File Download Controls
  • Signature Based Blocking
  • HTTP Method Control
Demo: TMG Firewall Features
Securing Remote Access to your Private Cloud
[Diagram: Outlook Web Access and VPN clients reach the private cloud through TMG, which integrates with Active Directory (RODC) for Authentication, Authorization, Auditing.]
Securing Remote Access to your Private Cloud
• Remote Access VPN by PPTP, L2TP/IPSec and SSTP
• Inspection of VPN traffic
• Integration with Active Directory
• Integration with Network Access Protection and VPN Quarantine
Demo: TMG Secure Remote Access
Thank You
Q&A
void contact() {
}
e-mail Address: e.sarabadani@gmail.com
My Blog: http://esihere.wordpress.com/
Twitter: http://www.twitter.com/esmaeils