View
219
Download
3
Embed Size (px)
Citation preview
Threat Management Gateway 2010Questo sconosciuto?…ancora per poco!
Manuela Polcaro
Security Advisor
Agenda
2
First session: Module 1 – Overview Module 2 – Setup & Deployments
Second session: Module 3 – URL filtering (URL-F) Module 4 – Edge Malware Protection (EMP)
Third session: Module 5 – HTTPS Inspections Module 6 – ISP Redundancy (ISP-R) Module 8 – NAT Enhancement
Threat Management Gateway 2010
Module 3 – URL Filtering
URL-F Introduction
URL Filtering allows controlling end-user access to Web sites and protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic materials, based on predefined URL categories
The typical use case for this feature includes: Enhancing your security. Lowering liability risks. Improving the productivity of your organization. Saving network bandwidth.
BrightCloud
MRS – Microsoft Reputation Services
Aggregate reputation data from multiple vendors
Use telemetry in order to improve data accuracy
MRS
IE Security
iFilter Marshal 8e6
Telemetry
To improve data quality, a URL filtering telemetry mechanism was developed, built into the product and take place on an ongoing basis.
This mechanism allows the MRS team to review URL filtering data samples collected from participating Forefront TMG deployments.
With NIS and Malware Protection, enabling/disabling telemetry through TMG UI.
URL filtering telemetry data will be sent automatically when enabling the URL Filtering feature and stop when disabling it.
Use the registry to stop sending URLF telemetry without disabling this feature.
To help protect your privacy, Microsoft Telemetry Service reports are encrypted using Secure Sockets Layer (SSL).
URL Filtering
Microsoft Reputation Service (MRS) returns one of 80 “category” indications for each URL Including “Unknown”
Firewall rule:Allow category Sports after 5 PM only
www.soccer.com
Content
Request
Content
MRS
www.soccer.com ?
category = sports
+ in cache
URL category usage
URL category information is used for Rules (Allow/Deny rules according to category) Log EMP exclusion list HTTPS exclusion list
No reverse lookups.
10.ds.mrs.microsoft.com:433
Caching
Stored at ISA_INSTALL_DIR\UrlFiltering\ UrlfCache.bin
Read when service starts Persisted when service goes down If erased will start with empty cache Max size is 200 MB TTL for a categorization is decided by MRS
Unknown (not found in database) and security related categories have a short TTL – 30 minutes
Administration
« URL Denied » error message can be customized
Category query tool Available from the Web Protection Tasks
Allows the administrator to know the category of a URL and source of categorization (local cache, MRS, override)
URL category overrides
Available from the Web Protection Tasks Gives the possibility to assign a URL to a different
category that its default category (returned by MRS)
Licensing
URL Filtering is a subscription based service Per-user and per-year License must be valid for URL Filtering to work
System Rule
Traffic with MRS is SSL encrypted A system rule allows HTTPS between LocalHost
to Microsoft Reputation Service Sites domain name set
Troubleshooting miss categorization
If site is wrongly categorized Workaround is to manually override http://www.microsoft.com/security/portal/mrs/ Use UI query tool to see the categorization reason
New URL Filtering performance counters
DEMO!
Threat Management Gateway 2010
Module 4 – Edge Malware Protection
EMP - Motivation
Inspect web traffic on the edge to prevent any malware from infecting machines inside the organization
Easier to keep the edge updated with malware signatures rather then individual client machines
Unmanaged machines that might not have host AV up to date are also protected
Malware activity detected on the edge can be easily monitored thanks to logging and reporting
Challenges
Keep a good user experience while content is inspected on the Edge
Interoperability issues with browsers (more precisely with controls or scripts) and non-browser applications
Interoperability with others features (like http compression for instance)
“Non standard” usage of http (like streaming)
Scenario
Supported scenario : access download Unsupported scenarios :
Access upload Publishing download Publishing upload
Client Comforting
Accumulating an entire file and scanning it may take a significant amount of time
During this period of time, the client doesn't receive any data and as a result a software timeout can occur or the user can even cancel the download.
“Client comforting” defines a set of methods that guaranty a good user’s experience while content is inspected on the Edge
Comforting methods: Delayed Download HTML Progress Page Trickling:
Standard Fast
End User Scenarios – Delayed
site.com
request
1) User browses to site.com and attempts to download a file2) site.com responds with content3) TMG accumulates the content, timing the download and inspection
4) In case the content is downloaded and inspected in less than X seconds (Delivery Delay) TMG passes the whole file to the client
request
response response
End User Scenarios – Progress Page
site.com
requestrequest
response
End user will receive an HTML Progress Page if time for download and inspection exceeds X seconds (delivery delay) and if some others conditions are satisfied (see next slide)
progress page
End User Scenarios – Scanning completed
If content is safe (or successfully cleaned), the page informs the user that the content is ready and displays a button for downloading the content, otherwise the page notifies the user that a malware was detected. In that case, the file is purged immediately from the temporary storage.
Standard Trickling
site.com
request
User’s experience : download will start at a very low transfer rate and speeds up after inspection completion
request
response
• TMG will deliver content to the client using Trickling when Delayed download and Progress can’t apply. Trickling consists in sending very small chunk of data to the client until the whole file is inspected.
trickled response
• TMG will use this method if the client application is not a browser (not able to handle the dynamic code embedded in the Progress Page).
Fast Trickling
Similar to Standard Trickling Intended to be used for media files played by online players
(like YouTube) TMG delivers the data as fast as possible to the end user to
keep a good user experience. The tradeoff between user experience and inspection
performance is governed by the FastTricklingMode COM setting User experience degrades (but inspection performance improves)
when the EMP filter need more minimum bytes to perform a partial inspection so increasing buffering on TMG
Default value for FastTricklingMode is fpcGoodUserExperienceModeratePerformance
Summary
Any download starts as « delayed download ». If time for accumulation and inspection exceeds DeliveryDelay, TMG will use Progress Page, Std Trickling or Fast Trickling
IF ProgressPage is enabled AND if request meets Progress Page criterias THEN send progress page to client
ELSE IF Fast Trickling is enabled AND IF request meets Fast Trickling criteria, THEN start fast Trickling
ELSE use default method (could be Standard Trickling or Fast Trickling)
Administration
Malware inspection can be enabled or disabled at 3 different levels: Global level
Access rule level
Web chaining rule level
Administration (continued)
Some sources and destinations can be exempted from inspection
The primary usage for sources exclusion would be to define such exclusion on an upstream proxy when inspection is performed on the downstream proxy
Destinations like Microsoft domain names are added by default to the destinations exclusions list
DEMO!
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.