2. secure web gateway

Secure Web Gateway

2. Secure Web Gateway: TMG and UAG seminar at Microsoft (Rome)

Transcript of 2. secure web gateway

Page 1: 2. secure web gateway

Secure Web Gateway

Page 2: 2. secure web gateway

Session contents

• HTTPS inspection
• URL filtering
• Malware protection
• Intrusion prevention

Page 3: 2. secure web gateway

Threats and defenses

Threats (rows): Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control
Defenses (columns): Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS
Coverage legend: Full, Partial, Enabler (the per-cell ratings are not recoverable from the transcript)

Page 4: 2. secure web gateway

HTTPS Inspection

Page 5: 2. secure web gateway

Threats and defenses (the same threat/defense matrix as page 3, repeated as the section divider)

Page 6: 2. secure web gateway

How SSL works

• Web browser sends a CONNECT request to the Web proxy: CONNECT host_name:port HTTP/1.1
• Web proxy allows the request to be sent to the TCP port specified in the request
• Proxy informs the client that the connection is established
• Client sends encrypted packets directly to the destination on the specified port, without proxy mediation

What lies within this encrypted tunnel?

Page 7: 2. secure web gateway

SSL Threats

When HTTP proxies were first conceived, the need to allow direct connectivity between SSL-negotiating hosts was acknowledged.

A Web Proxy client creates an SSL session to a remote server -> the proxy is required to “go transparent” and thus ceases to evaluate the traffic. (It has to; it’s encrypted between the client and remote server.)

This conflicts with the concurrent requirement of controlling the requests issued by the local proxy users.

Anonymous public proxy servers

The answer is HTTPS inspection: TMG can separate the SSL session between the client and remote server into two distinct SSL sessions, and gains the ability to evaluate the unencrypted traffic sent between the client and remote server.

TMG provides the ability to spoof the remote server’s certificate to the client, but not until TMG is satisfied that the remote server is presenting an acceptable certificate.

Page 8: 2. secure web gateway

Before configuring HTTPS Inspection

1. TMG creates cloned server certificates using the information gleaned from the certificate offered by the remote server. The organizations that own the service or certificates may not take kindly to this behavior.
2. HTTPS inspection allows TMG to include the entire URL in the Web Proxy logs. Many Web administrators believe that because they’re using SSL to protect the data exchanged between the user and server, they can include the user’s logon credentials
3. HTTPS inspection may allow TMG to cache the content retrieved from the server.
4. Because TMG issues cloned certificates, all TMG array members must be recognized by the clients in the protected networks as trusted Certificate Authorities.
5. To prevent man-in-the-middle attacks, TMG is very strict about validating the server certificate it receives from the Web server.

Page 9: 2. secure web gateway

Forefront TMG HTTPS Traffic Inspection

HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats.

Trusted certificate generated by the proxy, matching the URL expected by the client.

[Diagram: the Internet-side SSL session carries Contoso.com signed by VeriSign; the client-side SSL session carries Contoso.com signed by TMG; between the two sessions the traffic passes through URL Filtering, Malware Inspection and Network Inspection System.]

Page 10: 2. secure web gateway

Process for enabling HTTPS Traffic Inspection

[Diagram: the client-side certificate is Contoso.com signed by TMG; the Internet-side certificate is Contoso.com signed by VeriSign.]

• Certificate deployment (via Active Directory® or Import/Export)
• Configure HTTPS Inspection: proxy certificate generation/import and customization; source and destination exclusions; validate-only option; notification
• Client notifications about HTTPS inspection (via Firewall client)
• Certificate validation (revocation, trusted, expiration validation, etc.)

Page 11: 2. secure web gateway

HTTPS Inspection Certificate

• The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA
• Administrators can customize the self-generated certificate
• Commercial CAs will not typically issue HTTPS inspection certificates
• The HTTPS inspection certificate is stored in the configuration store and used by all array members

Page 12: 2. secure web gateway

Distribution of the HTTPS Inspection Certificate

Two methods can be used to enable clients to trust the HTTPS Inspection Certificate:
• Automatically through Active Directory (AD): uses the AD trusted root store to configure trust for all clients in the AD forest. Requires Forefront TMG to be deployed in a domain environment; will not work for browsers that do not use the Windows certificate store for trust
• Manually on each computer, using the root certificate installation procedure required by the browser

Page 13: 2. secure web gateway

HTTPS Inspection - Operations

Setup: Enable HTTPS inspection -> Generate trusted root certificate -> Install trusted root certificate on clients

Client requests https://contoso.com:
1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for the client
8. Bridge HTTPS traffic between client and server

[Diagram: contoso.com presents Contoso.com signed by VeriSign to TMG; TMG presents Contoso.com signed by TMG to the client.]
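The validate-then-clone steps of pages 7, 8 and 13, together with the 502 case of page 19, as an added Go example that is not part of the seminar slides or of TMG's own code. It uses only the standard library; Issue is a constructed stand-in for both the public CA of the diagram and TMG's self-generated inspection root, and CloneForClient is the inspection step itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // simple counter: a clone never reuses the origin's serial number
func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// parseDER turns x509.CreateCertificate's (der, err) result into a parsed certificate.
func parseDER(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER freshly produced by CreateCertificate always parses
	return c
}

// Issue generates a key pair and certificate for name: with parent == nil a self-signed CA (TMG's
// inspection root, or the slide's public CA), otherwise a server leaf for DNS name `name` signed by parent.
func Issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else {
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{name}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return parseDER(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)), key
}

// CloneForClient is steps 2 to 5 of the slide: validate the origin certificate for the requested host, then
// re-issue its identity and validity under the inspection root. A validation failure is an error (TMG's 502 case).
func CloneForClient(origin *x509.Certificate, host string, trusted *x509.CertPool, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if _, err := origin.Verify(x509.VerifyOptions{DNSName: host, Roots: trusted}); err != nil {
		return nil, err
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the proxy's own key, never the origin's
	t := &x509.Certificate{SerialNumber: nextSerial(), Subject: origin.Subject, DNSNames: origin.DNSNames,
		NotBefore: origin.NotBefore, NotAfter: origin.NotAfter, KeyUsage: origin.KeyUsage, ExtKeyUsage: origin.ExtKeyUsage}
	return parseDER(x509.CreateCertificate(rand.Reader, t, root, &key.PublicKey, rootKey)), nil
}
```

A client that holds the inspection root in its trust store accepts the clone for contoso.com; a client without it sees exactly the “invalid certificate” error of page 19, and a name mismatch or expired origin certificate is refused before any clone is issued.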

Page 14: 2. secure web gateway

HTTPS Inspection configuration

Page 15: 2. secure web gateway

HTTPS Inspection configuration

Page 16: 2. secure web gateway

HTTPS Inspection configuration

Page 17: 2. secure web gateway

HTTPS Inspection - Notifications

Notification provided by the Forefront TMG client:
• Notify user of inspection
• History of recent notifications
• Management of Notification Exception List

May be a legal requirement in some geographies

Page 18: 2. secure web gateway

HTTPS Inspection - Notifications: User Experience

Page 19: 2. secure web gateway

HTTPS Inspection – Common Errors

HTTPS Inspection CA certificate errors
• These are generally seen by the user as an “invalid certificate” message when the user attempts to reach a site that uses HTTPS

Server Certificate errors
• These errors will be seen as error pages generated by TMG due to specific server certificate validation failures. The user application will receive an HTTP 502 Bad Gateway response, with the error text providing the details of the failure, such as:
• “The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.”
• “The SSL server certificate supplied by a destination server has expired.”
• “The SSL server certificate supplied by a destination server has been revoked.”

Page 20: 2. secure web gateway

URL Filtering

Page 21: 2. secure web gateway

Threats and defenses (the same threat/defense matrix as page 3, repeated as the section divider)

Page 22: 2. secure web gateway

Forefront TMG URL Filtering

• 91 built-in categories
• Predefined and administrator-defined category sets
• Integrates leading URL database providers
• Subscription-based
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule, deny messages

[Diagram: TMG queries the URL DB of the Microsoft Reputation Service across the Internet.]

Page 23: 2. secure web gateway

URL Filtering – Procedure

Page 24: 2. secure web gateway

URL Filtering – Components involved

URL categorization is only called if both of the following conditions are met:
• URL Filtering is enabled
• Categories are required by either policy rules or the log

URL Filtering operates as part of the Microsoft Firewall Service (wspsrv.exe). The categorizer component has an important role in the whole URL Filtering process because it is responsible for interacting with the core TMG components involved in this process (rules engine, malware protection exception, HTTPS exception, category query, and deny page).

The other component that plays an important role during the categorization is the MRS categorizer, which gathers information from the MRS Service provided by Microsoft using the Windows Web Services API (WWSAPI) via calls to WinHTTP.

Page 25: 2. secure web gateway

URL Filtering – Components involved

Page 26: 2. secure web gateway

URL Filtering – Benefits

• Control user web access based on URL categories
• Protect users from known malicious sites
• Reduce liability risks
• Increase productivity
• Reduce bandwidth and Forefront TMG resource consumption
• Analyze Web usage

Page 27: 2. secure web gateway

Use of Microsoft Reputation Services

[Diagram: on TMG, Policy sends Query (URL) to the Categorizer, which consults its Cache (persistent, in-memory, weighted TTL) and on a cache miss fetches the URL's category from MRS in Microsoft datacenters over SSL (SSL for auth & privacy; no PII). MRS combines a federated query across multiple vendors with telemetry data. Category overrides are fed back to MRS through the telemetry path (also SSL).]

Page 28: 2. secure web gateway

URL Filtering Categories

Liability

Security

Productivity

Page 29: 2. secure web gateway

URL Filtering Policy

• URL categories are standard network objects
• Administrator can create custom URL category sets

Page 30: 2. secure web gateway

URL Filtering Policy

Page 31: 2. secure web gateway

Per-rule customization

The TMG administrator can customize the denial message displayed to the user on a per-rule basis:
• Add custom text or HTML
• Redirect the user to a specific URL

Page 32: 2. secure web gateway

URL Filtering configuration

Page 33: 2. secure web gateway

Finding which category a URL belongs to

The administrator can use the URL Filtering Settings dialog box to query the URL filtering database:
• Enter the URL or IP address as input
• The result and its source are displayed on the tab

Page 34: 2. secure web gateway

Overriding a URL's category membership

The administrator can override the categorization of a URL

Feedback to MRS via Telemetry
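An added Go example (not TMG's code) of the categorization path the slides describe on pages 24, 27 and 34: the lookup runs only when URL Filtering is enabled and a rule or the log needs the category, an administrator override wins, a cache with a per-category TTL is consulted next, and only a miss reaches the reputation service. The remote lookup, the TTL weighting and the host-keyed override table are assumptions made for the illustration.

```go
package main

import (
	"net/url"
	"strings"
	"time"
)

// Category is a URL category name as used in TMG access rules and logs.
type Category string
const Uncategorized Category = "Uncategorized"
type cached struct{ cat Category; expires time.Time }

// Categorizer models the lookup order the slides describe: administrator overrides first,
// then the local cache, then a query to the reputation service on a cache miss. The remote
// lookup and the TTL weighting are injected stand-ins, not TMG's own implementation.
type Categorizer struct {
	Enabled   bool                         // URL Filtering switch
	Overrides map[string]Category          // host -> category, set by the administrator
	Lookup    func(host string) Category   // remote MRS query (assumed signature)
	TTL       func(Category) time.Duration // weighted TTL per category (assumption)
	Now       func() time.Time             // clock, injectable so expiry can be tested
	Remote    int                          // remote queries made: shows cache and gate at work
	cache     map[string]cached
}

// Categorize returns the category for rawURL. needed reports whether a policy rule or the
// log requires the category; with it false, or URL Filtering disabled, nothing is looked up.
func (c *Categorizer) Categorize(rawURL string, needed bool) Category {
	if !c.Enabled || !needed {
		return Uncategorized
	}
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return Uncategorized
	}
	host := strings.ToLower(u.Hostname())
	if cat, ok := c.Overrides[host]; ok { // an override wins over whatever MRS says
		return cat
	}
	if e, ok := c.cache[host]; ok && c.Now().Before(e.expires) {
		return e.cat // cache hit within its TTL
	}
	c.Remote++ // miss or expired entry: fetch from the reputation service and cache the answer
	cat := c.Lookup(host)
	if c.cache == nil { c.cache = make(map[string]cached) }
	c.cache[host] = cached{cat: cat, expires: c.Now().Add(c.TTL(cat))}
	return cat
}
```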

Page 35: 2. secure web gateway

Customizing the message sent to the user

HTML tags

Page 36: 2. secure web gateway

URL Filtering Troubleshooting

Page 37: 2. secure web gateway

Malware Protection

Page 38: 2. secure web gateway

Threats and defenses (the same threat/defense matrix as page 3, repeated as the section divider)

Page 39: 2. secure web gateway

HTTP Malware Inspection

• Integrates Microsoft Antivirus engine
• Signature and engine updates
• Subscription-based
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files…)
• Logging and reporting support
• Web Access Wizard integration
• Content delivery methods by content type

Third party plug-ins can be used (native Malware inspection must be disabled)

[Diagram: TMG receives the Signatures DB from MU or WSUS and inspects the traffic it relays from the Internet.]

Page 40: 2. secure web gateway

Enabling Malware Inspection

• Activate the Web Protection license
• Enable malware inspection on Web access rules: Web Access Policy Wizard or New Access Rule Wizard for new rules; rule properties for existing rules

Page 41: 2. secure web gateway

Malware Inspection general settings

Page 42: 2. secure web gateway

Malware Inspection general settings

The administrator can configure malware blocking behavior for:
• Low, medium and high severity threats
• Suspicious files
• Corrupted files
• Encrypted files
• Archive bombs (too many depth levels or unpacked content too large)
• File size too large

Page 43: 2. secure web gateway

Malware Inspection per-rule settings

Page 44: 2. secure web gateway

User notifications: Content Blocked

Page 45: 2. secure web gateway

User notifications: Progress Notification

Page 46: 2. secure web gateway

Intrusion Prevention

Page 47: 2. secure web gateway

The problem in general

Unpatched vulnerabilities
• Average survival time of unpatched Windows® XP less than 20 minutes
• About two percent of Windows® machines are fully patched

Vulnerability window
• Increasing number of zero days
• Attackers craft exploits faster than customers can deploy patches

Encryption and protocol tunneling are a complicated problem for a defense technology (for example, HTTPS)

Page 48: 2. secure web gateway

Network Inspection System (NIS)

Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
• Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
• Detects and potentially blocks attacks on network resources

NIS helps organizations reduce the vulnerability window
• Protects machines against known vulnerabilities until the patch can be deployed
• Signatures can be released and deployed much faster than patches, concurrently with the patch release, closing the vulnerability window

Integrated into Forefront TMG
• Synergy with HTTPS Inspection

Page 49: 2. secure web gateway

NIS and static signatures

NIS differs from many protocol analysis technologies. Although NIS is able to discover valid traffic based on static signatures (conceptually similar to the HTTP Filter), NIS expands on basic signature matching by evaluating three aspects of the network traffic:
• Protocol state: the expected condition of the protocol at any point in time
• Message structure: the validation of a message according to the protocol definition
• Message context: the validation of a message in the context of the protocol state

Page 50: 2. secure web gateway

Process for defending against a vulnerability

1. Vulnerability is discovered
2. The response team (Signature Authoring Team) prepares and tests the vulnerability signature
3. Signature released by Microsoft and deployed through the TMG Signature Distribution Service, on security patch release
4. All unpatched hosts behind Forefront TMG (Corporate Network) are protected

Page 51: 2. secure web gateway

Other protection mechanisms

• Common OS attack detection
• DNS attack filtering
• IP option filtering
• Flood mitigation

Page 52: 2. secure web gateway

Enabling and configuring NIS

Page 53: 2. secure web gateway

Common attacks

Inspects traffic for the following common attacks:
• WinNuke
• Land
• Ping of Death
• IP Half Scan
• Port Scan
• UDP Bomb

Offending packets are dropped and an event is generated, triggering an Intrusion Detected alert

Page 54: 2. secure web gateway

DNS attack filters

Enables the following checks on DNS traffic:
• DNS host name overflow – DNS response for a host name exceeding 255 bytes
• DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes
• DNS zone transfer – DNS request to transfer zones from an internal DNS server

Page 55: 2. secure web gateway

IP filters

Forefront TMG can block IP packets based on the IP options set:
• Deny all packets with any IP options
• Deny packets with the selected IP options
• Deny packets with all except the selected IP options

Forefront TMG can also block fragmented IP packets
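The three option-filter modes and the fragment switch as an added Go example (not TMG's packet filter), applied to a raw IPv4 header. Option types are matched on the full type byte (for instance 7 for Record Route, 131 for Loose Source Route), which is an assumption about how a selected option is identified.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Mode is the slide's three-way choice for IP options.
type Mode int

const (
	DenyAnyOptions        Mode = iota // deny all packets carrying any IP option
	DenySelected                      // deny packets carrying one of the selected options
	DenyAllExceptSelected             // deny packets carrying any option outside the selected set
)

// IPFilter holds the option policy plus the separate fragment switch of the slide.
type IPFilter struct {
	Mode           Mode
	Selected       map[byte]bool // option type bytes, e.g. 7 (Record Route) or 131 (Loose Source Route)
	BlockFragments bool
}

// Decide reports whether the IPv4 packet pkt is dropped and why (constructed illustration, not TMG's filter).
func (f IPFilter) Decide(pkt []byte) (drop bool, reason string, err error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return false, "", errors.New("not an IPv4 header")
	}
	ihl := int(pkt[0]&0x0F) * 4
	if ihl < 20 || ihl > len(pkt) {
		return false, "", errors.New("bad header length")
	}
	if ff := binary.BigEndian.Uint16(pkt[6:]); f.BlockFragments && (ff&0x2000 != 0 || ff&0x1FFF != 0) {
		return true, "fragmented packet", nil // MF flag set or a non-zero fragment offset
	}
	if f.Mode == DenyAnyOptions && ihl > 20 {
		return true, "IP options present", nil
	}
	for off := 20; off < ihl; { // walk the option list: type, length, data
		typ := pkt[off]
		if typ == 0 { break } // End of Options List
		// DenySelected drops a selected type; DenyAllExceptSelected drops an unselected one
		if (f.Mode == DenySelected) == f.Selected[typ] { return true, fmt.Sprintf("IP option %d", typ), nil }
		if typ == 1 { off++; continue } // No Operation is a single byte
		if off+1 >= ihl || int(pkt[off+1]) < 2 || off+int(pkt[off+1]) > ihl { return true, "malformed IP option", nil }
		off += int(pkt[off+1])
	}
	return false, "", nil
}
```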

Page 56: 2. secure web gateway

Defending against flood attacks…

Forefront TMG flood mitigation mechanism uses:
• Connection limits that are used to identify and block malicious traffic
• Logging of flood mitigation events
• Alerts that are triggered when a connection limit is exceeded

TMG comes with default configuration settings
Exceptions can be set per computer set

[Table: Limit and Custom Limit per connection-limit type; the values in the transcript are garbled and not recoverable]