Threat Management Gateway 2010: the great unknown? …not for much longer! Manuela Polcaro, Security Advisor


Page 1

Threat Management Gateway 2010: the great unknown? …not for much longer!

Manuela Polcaro

Security Advisor

Page 2

Agenda


First session: Module 1 – Overview; Module 2 – Setup & Deployments

Second session: Module 3 – URL filtering (URL-F); Module 4 – Edge Malware Protection (EMP)

Third session: Module 5 – HTTPS Inspections; Module 6 – ISP Redundancy (ISP-R); Module 8 – NAT Enhancement

Page 3

Threat Management Gateway 2010

Module 3 – URL Filtering

Page 4

URL-F Introduction

URL Filtering allows controlling end-user access to Web sites and protects the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic material, based on predefined URL categories.

Typical use cases for this feature include:
  • Enhancing your security
  • Lowering liability risks
  • Improving the productivity of your organization
  • Saving network bandwidth

Page 5

MRS – Microsoft Reputation Services
  • Aggregates reputation data from multiple vendors
  • Uses telemetry in order to improve data accuracy

Diagram: reputation data sources (BrightCloud, IE Security, iFilter Marshal 8e6) feeding MRS.

Page 6

Telemetry

To improve data quality, a URL filtering telemetry mechanism was developed; it is built into the product and takes place on an ongoing basis.

This mechanism allows the MRS team to review URL filtering data samples collected from participating Forefront TMG deployments.

As with NIS and Malware Protection, telemetry is enabled or disabled through the TMG UI.

URL filtering telemetry data is sent automatically when the URL Filtering feature is enabled and stops when it is disabled.

Use the registry to stop sending URL-F telemetry without disabling the feature.

To help protect your privacy, Microsoft Telemetry Service reports are encrypted using Secure Sockets Layer (SSL).

Page 7

URL Filtering

Microsoft Reputation Service (MRS) returns one of 80 “category” indications for each URL, including “Unknown”.

Firewall rule: allow category Sports after 5 PM only

Diagram: the client requests www.soccer.com; TMG asks MRS “www.soccer.com ?”, MRS answers “category = sports”, TMG stores the answer in its cache and returns the content to the client.

Page 8

URL category usage

URL category information is used for:
  • Rules (Allow/Deny rules according to category)
  • Log
  • EMP exclusion list
  • HTTPS exclusion list

No reverse lookups.

10.ds.mrs.microsoft.com:433

Page 9

Caching

Stored at ISA_INSTALL_DIR\UrlFiltering\UrlfCache.bin
  • Read when the service starts
  • Persisted when the service goes down
  • If erased, the service will start with an empty cache
  • Max size is 200 MB
  • TTL for a categorization is decided by MRS

Unknown (not found in database) and security-related categories have a short TTL – 30 minutes

Page 10

Administration

The « URL Denied » error message can be customized

Page 11

Category query tool: available from the Web Protection Tasks

Allows the administrator to see the category of a URL and the source of the categorization (local cache, MRS, override)
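The lookup order behind the query tool (override, then local cache, then MRS) and the cache TTL rules from the Caching slide, modelled as an added example; this is not TMG code, and the category names, the fake MRS responder and the controllable clock are constructed for the demo:

```python
from typing import Callable, Dict, Tuple

SHORT_TTL_SECONDS = 30 * 60                           # slides: Unknown / security categories
SECURITY_CATEGORIES = {"Malicious Sites", "Phishing"}  # assumed category names

class UrlCategorizer:
    """Lookup order: administrator override, then local cache, then MRS."""

    def __init__(self, mrs_lookup: Callable[[str], Tuple[str, int]],
                 now: Callable[[], float], overrides: Dict[str, str] = None):
        self._mrs_lookup = mrs_lookup     # stands in for the HTTPS query; returns (category, ttl)
        self._now = now
        self._overrides = overrides or {}
        self._cache: Dict[str, Tuple[str, float]] = {}   # host -> (category, expires_at)

    def categorize(self, host: str) -> Tuple[str, str]:
        """Return (category, source); source is 'override', 'cache' or 'MRS'."""
        if host in self._overrides:
            return self._overrides[host], "override"
        entry = self._cache.get(host)
        if entry is not None and entry[1] > self._now():
            return entry[0], "cache"
        category, ttl = self._mrs_lookup(host)
        # Assumption: the 30-minute cap is applied here; on the slides MRS decides
        # the TTL and Unknown/security verdicts simply come back with the short one.
        if category == "Unknown" or category in SECURITY_CATEGORIES:
            ttl = min(ttl, SHORT_TTL_SECONDS)
        self._cache[host] = (category, self._now() + ttl)
        return category, "MRS"

def demo():
    """Constructed scenario with a fake MRS and a controllable clock."""
    clock = {"t": 0.0}
    calls = []
    def fake_mrs(host):
        calls.append(host)
        return {"www.soccer.com": ("Sports", 86400)}.get(host, ("Unknown", 86400))
    c = UrlCategorizer(fake_mrs, lambda: clock["t"], {"intranet.example": "Business"})
    results = [c.categorize("www.soccer.com"), c.categorize("www.soccer.com"),
               c.categorize("new.example")]
    clock["t"] = 31 * 60           # 31 minutes later: the Unknown entry has expired
    results += [c.categorize("new.example"), c.categorize("www.soccer.com"),
                c.categorize("intranet.example")]
    return results, len(calls)
```

The short TTL is what lets a site that was "Unknown" when first seen pick up a security category within half an hour instead of staying cached for a day.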

Page 12

URL category overrides

Available from the Web Protection Tasks. Gives the possibility to assign a URL to a category different from its default category (returned by MRS).

Page 13

Licensing

URL Filtering is a subscription-based service, licensed per user and per year. The license must be valid for URL Filtering to work.

Page 14

System Rule

Traffic with MRS is SSL encrypted. A system rule allows HTTPS from LocalHost to the Microsoft Reputation Service Sites domain name set.

Page 15

Troubleshooting mis-categorization

If a site is wrongly categorized:
  • Workaround is to manually override the category
  • http://www.microsoft.com/security/portal/mrs/
  • Use the UI query tool to see the categorization reason

New URL Filtering performance counters

Page 16

DEMO!

Page 17

Threat Management Gateway 2010

Module 4 – Edge Malware Protection

Page 18

EMP - Motivation

Inspect web traffic on the edge to prevent any malware from infecting machines inside the organization

Easier to keep the edge updated with malware signatures rather than individual client machines

Unmanaged machines that might not have host AV up to date are also protected

Malware activity detected on the edge can be easily monitored thanks to logging and reporting

Page 19

Challenges

Keep a good user experience while content is inspected on the Edge

Interoperability issues with browsers (more precisely with controls or scripts) and non-browser applications

Interoperability with other features (like HTTP compression, for instance)

“Non-standard” usage of HTTP (like streaming)

Page 20

Scenario

Supported scenario: access download

Unsupported scenarios:
  • Access upload
  • Publishing download
  • Publishing upload

Page 21

Client Comforting

Accumulating an entire file and scanning it may take a significant amount of time

During this period of time the client doesn't receive any data, and as a result a software timeout can occur or the user may even cancel the download.

“Client comforting” defines a set of methods that guarantee a good user experience while content is inspected on the Edge.

Comforting methods:
  • Delayed Download
  • HTML Progress Page
  • Trickling: Standard, Fast

Page 22

End User Scenarios – Delayed

Diagram: client → TMG → site.com (request, request; response, response)

1) User browses to site.com and attempts to download a file
2) site.com responds with content
3) TMG accumulates the content, timing the download and inspection
4) If the content is downloaded and inspected in less than X seconds (Delivery Delay), TMG passes the whole file to the client

Page 23

End User Scenarios – Progress Page

Diagram: client → TMG → site.com (request, request; response); TMG returns a progress page to the client

End user will receive an HTML Progress Page if the time for download and inspection exceeds X seconds (delivery delay) and if some other conditions are satisfied (see next slide)

Page 24

End User Scenarios – Scanning completed

If the content is safe (or successfully cleaned), the page informs the user that the content is ready and displays a button for downloading it; otherwise the page notifies the user that malware was detected. In that case, the file is purged immediately from the temporary storage.

Page 25

Standard Trickling

Diagram: client → TMG → site.com (request, request; response); TMG returns a trickled response to the client

User experience: the download will start at a very low transfer rate and speeds up after inspection completes

• TMG will deliver content to the client using Trickling when Delayed download and Progress Page can't apply. Trickling consists in sending very small chunks of data to the client until the whole file is inspected.

• TMG will use this method if the client application is not a browser (not able to handle the dynamic code embedded in the Progress Page).

Page 26

Fast Trickling

Similar to Standard Trickling. Intended to be used for media files played by online players (like YouTube): TMG delivers the data as fast as possible to the end user to keep a good user experience.

The tradeoff between user experience and inspection performance is governed by the FastTricklingMode COM setting. User experience degrades (but inspection performance improves) when the EMP filter needs more minimum bytes to perform a partial inspection, thus increasing buffering on TMG.

Default value for FastTricklingMode is fpcGoodUserExperienceModeratePerformance

Page 27

Summary

Any download starts as « delayed download ». If the time for accumulation and inspection exceeds DeliveryDelay, TMG will use Progress Page, Standard Trickling or Fast Trickling:

IF ProgressPage is enabled AND the request meets the Progress Page criteria THEN send the progress page to the client

ELSE IF Fast Trickling is enabled AND the request meets the Fast Trickling criteria THEN start Fast Trickling

ELSE use the default method (could be Standard Trickling or Fast Trickling)
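The decision on this slide as an added example (not TMG code): the DeliveryDelay check that every download starts with, then the Progress Page / Fast Trickling / default order. The Progress Page criterion (a browser client, so it can run the page's script) follows the Standard Trickling slide; treating "media played by an online player" as the Fast Trickling criterion, the DeliveryDelay value and the case names are assumptions for the demo.

```python
from dataclasses import dataclass

@dataclass
class ComfortingConfig:
    delivery_delay_seconds: float        # TMG's DeliveryDelay (the X seconds on the slides)
    progress_page_enabled: bool = True
    fast_trickling_enabled: bool = True
    default_method: str = "StandardTrickling"   # the slide allows FastTrickling here too

@dataclass
class Download:
    seconds_to_inspect: float   # time to accumulate and scan the whole file
    client_is_browser: bool     # the progress page needs a browser that runs its script
    is_media_stream: bool       # assumed Fast Trickling criterion: media played by an online player

def choose_delivery_method(cfg: ComfortingConfig, dl: Download) -> str:
    """Return the client-comforting method TMG would use for one download."""
    # Every download starts as a delayed download: TMG holds the file while it
    # scans, and if that finishes inside DeliveryDelay the client just gets the file.
    if dl.seconds_to_inspect <= cfg.delivery_delay_seconds:
        return "DelayedDownload"
    # Assumed Progress Page criteria: a browser client that is not playing a stream.
    if cfg.progress_page_enabled and dl.client_is_browser and not dl.is_media_stream:
        return "ProgressPage"
    if cfg.fast_trickling_enabled and dl.is_media_stream:
        return "FastTrickling"
    return cfg.default_method

def demo(cfg: ComfortingConfig = ComfortingConfig(delivery_delay_seconds=20)):
    """Constructed cases covering each branch of the decision."""
    cases = {
        "small_file_browser": Download(5, client_is_browser=True, is_media_stream=False),
        "big_file_browser": Download(90, client_is_browser=True, is_media_stream=False),
        "video_in_browser": Download(90, client_is_browser=True, is_media_stream=True),
        "big_file_updater": Download(90, client_is_browser=False, is_media_stream=False),
    }
    return {name: choose_delivery_method(cfg, dl) for name, dl in cases.items()}
```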

Page 28

Administration

Malware inspection can be enabled or disabled at 3 different levels:
  • Global level
  • Access rule level
  • Web chaining rule level

Page 29

Administration (continued)

Some sources and destinations can be exempted from inspection

The primary usage for source exclusion would be to define such an exclusion on an upstream proxy when inspection is performed on the downstream proxy

Destinations like Microsoft domain names are added by default to the destinations exclusions list

Page 30

DEMO!

Page 31

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.