Forefront TMG 2010 virtualization
Uploaded by esmaeil-sarabadani (category: Technology)
Virtualization of Forefront Threat Management Gateway 2010
Esmaeil Sarabadani, MCT, MCSA/MCSE Security, Redynamics Asia Sdn. Bhd.
What will be covered …
• Virtual Edge Security Concerns
• The Story of The Parent …
• Defining The Traffic Flow and The Traffic Profile
• Deploying Forefront TMG as the Virtual Edge Firewall
• Designing a Virtual perimeter network or DMZ
• Tips For a Better Management and Performance
• Deploying Forefront TMG as a Three-Legged and Back-to-Back Firewall
• Why do we virtualize the edge?
Why do we virtualize the edge?
• Faster disaster recovery in case of edge failure
• Increasing the complexity of the network for hackers
• Suitable for small businesses
Virtualization of The Network Edge: Concerns …
• Software is less secure than hardware
• Hardware firewalls are all software-based but just come in a hardware package
Virtualization of The Network Edge: Concerns …
• More complicated network structure
• More difficult to manage
• The same old argument against Windows security to be placed on the edge:
  • Exchange Server 2010 Edge Role
  • Office Communication Server 2007 Edge Role
  • ISA Server is 10 years old without any exploits
• Linux is more secure than Windows
OS Vulnerabilities in 2010 (information from www.securityfocus.com): Windows 33, Linux 179
The story of the parent … Physical vs. Virtual
[Diagram: the physical stack (Hardware, Operating System, Application) beside the virtual stack (Hardware, Hypervisor, Parent Operating System and Child (Guest) Operating System, each with its Application). TMG is shown at each layer, with the child (guest) partition marked as the recommended place for it.]
The story of the parent …
• If the parent is compromised, the whole virtualized environment is compromised.
[Diagram: a parent partition running TMG sits between the Internet and the LAN; the parent, the virtual networking components and every guest OS are marked COMPROMISED.]
The story of the parent …
• DO NOT install TMG on the parent partition
• Windows Server 2008 R2 Core on the parent
• DO NOT use the parent as a workstation… It’s a SERVER …
• Restrict the management of the parent
• Enable Bitlocker on the parent
• Keep the parent OS up-to-date
• Disconnect the parent from the internet
Demo: Configuring the parent partition
TMG as an Edge Firewall
[Diagram: a Hyper-V host with two physical NICs. One feeds an external virtual switch connected to the Internet, the other an external virtual switch connected to the LAN. The guest OS with TMG has Virtual NIC 1 on one switch and Virtual NIC 2 on the other; the parent OS is disconnected from the Internet.]
Demo: Deploying TMG as an Edge Firewall
Defining The Traffic Profile
Virtual environments make the network structure more complex for attackers to penetrate.
• Capture the network traffic on the TMG host using the Microsoft Network Monitor tool
• Avoid the use of an Allow All rule
• Restrict RPC and DCOM to specific ports
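The slide's three steps turned into one script, as an added example that is not part of the original deck: captured flows are reduced to a per-service traffic profile that can be written as TMG access rules instead of an Allow All rule, and hosts that use the RPC endpoint mapper (TCP 135) followed by dynamic high ports are flagged so the service can be pinned to a fixed port range first. The CSV column names and the flow records are constructed for illustration; a real profile would come from a Network Monitor capture exported to CSV.

```powershell
# Added example, not from the original deck. Flow records below are constructed;
# the column names (Source, Destination, Protocol, DstPort) are an assumption.
$captureCsv = @'
Source,Destination,Protocol,DstPort
10.0.1.20,203.0.113.10,TCP,443
10.0.1.21,203.0.113.10,TCP,443
10.0.1.22,203.0.113.11,TCP,80
10.0.1.20,10.0.2.5,TCP,135
10.0.1.20,10.0.2.5,TCP,49321
10.0.1.21,10.0.2.5,TCP,135
10.0.1.21,10.0.2.5,TCP,52977
10.0.1.22,10.0.2.9,UDP,53
'@

function Get-TrafficProfile {
    param([string]$Csv)
    $flows = $Csv | ConvertFrom-Csv
    # One entry per protocol/destination/port: this is the candidate rule list,
    # which replaces a single Allow All rule with per-service allows.
    $entries = $flows | Group-Object Protocol, Destination, DstPort | ForEach-Object {
        [pscustomobject]@{
            Protocol    = $_.Group[0].Protocol
            Destination = $_.Group[0].Destination
            DstPort     = [int]$_.Group[0].DstPort
            Flows       = $_.Count
        }
    }
    # Hosts that receive TCP 135 (RPC endpoint mapper) and then connections on
    # ports above 1024 are using dynamic RPC/DCOM ports; pin those services to a
    # fixed port range and allow only that range on TMG.
    $rpcHosts = $entries | Where-Object { $_.Protocol -eq 'TCP' -and $_.DstPort -eq 135 } |
        Select-Object -ExpandProperty Destination -Unique
    $dynamic = $entries | Where-Object {
        $_.Protocol -eq 'TCP' -and $_.DstPort -gt 1024 -and ($rpcHosts -contains $_.Destination)
    }
    [pscustomobject]@{
        Rules           = $entries | Sort-Object Destination, DstPort
        DynamicRpcPorts = $dynamic
    }
}

$result = Get-TrafficProfile -Csv $captureCsv
$result.Rules | Format-Table -AutoSize
if ($result.DynamicRpcPorts) {
    $hosts = ($result.DynamicRpcPorts.Destination | Select-Object -Unique) -join ', '
    Write-Warning "Dynamic RPC/DCOM ports seen for $hosts - fix a port range before writing the TMG rule."
}
```

With the constructed input the rule list contains five entries and 10.0.2.5 is reported for dynamic RPC ports.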
Demo: Defining a Traffic Profile
Designing The Perimeter Network or DMZ
• What’s the DMZ? DMZ (Demilitarized Zone) is a sub-network that contains and exposes an organization’s external services to the internet.
• The Two Well-known DMZ Designs:
  • Back-to-Back Firewall Design: Internet, Front-end FW, Perimeter Network, Back-end FW, LAN
  • Three-Legged Firewall Design: a single Three-Legged FW with one leg each to the Internet, the Perimeter Network and the LAN
TMG as a Three-Legged Firewall
[Diagram: a Hyper-V host with two physical NICs feeding an external virtual switch connected to the Internet and an external virtual switch connected to the LAN, plus a DMZ virtual switch with no physical NIC. The guest OS with TMG has Virtual NIC 1 and Virtual NIC 2 on the two external switches and Virtual NIC 3 on the DMZ virtual switch; the guest OS in the DMZ has its virtual NIC on the DMZ virtual switch only. The parent OS is disconnected from the Internet.]
TMG as a Three-Legged Firewall
[Diagram: the same three-legged layout, extended with a second Hyper-V host. The DMZ virtual switch is backed by a physical NIC on each host, and both hosts' external virtual switches are joined through a physical switch so DMZ guests can live on either host.]
Demo: Deploying TMG as a Three-Legged Firewall
Designing The Three-Legged DMZ
• Guest OSs in DMZ are all connected to the same virtual switch.
[Diagram: the guest OS with TMG has Virtual NIC 1 on the external virtual switch connected to the LAN, Virtual NIC 2 on the external virtual switch connected to the Internet, and Virtual NIC 3 on the DMZ virtual switch. The DC and the File Server in the DMZ each have one virtual NIC on that same DMZ virtual switch.]
Designing The Three-Legged DMZ
• Guest OSs in DMZ are connected to different virtual switches.
[Diagram: as before, but the DC sits on DMZ Virtual Switch #1 and the File Server on DMZ Virtual Switch #2. TMG keeps Virtual NIC 1 (LAN) and Virtual NIC 2 (Internet) and adds Virtual NIC 3 on DMZ Virtual Switch #1 and Virtual NIC 4 on DMZ Virtual Switch #2.]
Demo: Configuring The DMZ on Hyper-V
Designing The Three-Legged DMZ: Tips and Hints …
• The traffic must flow through TMG.
• Avoid connecting the Guest OSs to the virtual external switch.
• Connect servers with different security criteria to separate virtual switches.
• For every virtual switch that TMG is connecting to, there needs to be a virtual NIC on it.
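The three-legged layout and the four tips above as one Hyper-V script, added here as an example and not taken from the deck or its demos. It builds the switches and virtual NICs, then checks the result against the tips; `-AllowManagementOS $false` on the external switches is also how the parent-partition slide's "Disconnect the parent from the internet" is enforced. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later; the deck's 2008 R2 hosts would use Hyper-V Manager or WMI instead), and the VM, adapter and switch names are assumptions.

```powershell
# Added example, not the deck's own code. Requires the Hyper-V PowerShell module
# (Server 2012 or later). VM, physical adapter and switch names are assumed.
Import-Module Hyper-V

$tmgVm     = 'TMG01'
$dmzGuests = @('DMZ-DC', 'DMZ-FS')   # same security criteria, so they may share a switch

# External switches, one per physical NIC. AllowManagementOS $false keeps the parent
# partition off both networks ("Disconnect the parent from the internet").
New-VMSwitch -Name 'Ext-Internet' -NetAdapterName 'NIC1' -AllowManagementOS $false
New-VMSwitch -Name 'Ext-LAN'      -NetAdapterName 'NIC2' -AllowManagementOS $false
# The DMZ switch is Private: no physical uplink, so DMZ traffic can only leave via TMG.
New-VMSwitch -Name 'DMZ-Switch'   -SwitchType Private

# Tip 4: TMG gets one virtual NIC on every switch it connects to.
foreach ($sw in 'Ext-Internet', 'Ext-LAN', 'DMZ-Switch') {
    Add-VMNetworkAdapter -VMName $tmgVm -Name "vNIC-$sw" -SwitchName $sw
}
# Tip 2: DMZ guests attach to the DMZ switch only, never to an external switch.
foreach ($vm in $dmzGuests) {
    Add-VMNetworkAdapter -VMName $vm -Name 'vNIC-DMZ' -SwitchName 'DMZ-Switch'
}

function Test-DmzDesign {
    param([string]$TmgVmName, [string[]]$DmzVmNames)
    $external = Get-VMSwitch | Where-Object SwitchType -eq 'External' |
        Select-Object -ExpandProperty Name
    $findings = @()
    # Tip 1/2: a DMZ guest on an external switch has a path that bypasses TMG.
    foreach ($vm in $DmzVmNames) {
        Get-VMNetworkAdapter -VMName $vm | Where-Object { $external -contains $_.SwitchName } |
            ForEach-Object { $findings += "$vm bypasses TMG via external switch $($_.SwitchName)" }
    }
    # Tip 4: in this design every switch is a TMG leg, so each needs a TMG adapter.
    $tmgSwitches = Get-VMNetworkAdapter -VMName $TmgVmName | Select-Object -ExpandProperty SwitchName
    foreach ($sw in (Get-VMSwitch | Select-Object -ExpandProperty Name)) {
        if ($tmgSwitches -notcontains $sw) { $findings += "no TMG adapter on switch $sw" }
    }
    return $findings
}

$issues = Test-DmzDesign -TmgVmName $tmgVm -DmzVmNames $dmzGuests
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'DMZ design checks passed' }
```

Tip 3 (servers with different security criteria on separate switches) is a judgement call the script cannot make; add a second Private switch and a fourth TMG adapter for each additional security tier, as the two-switch slide shows.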
![Page 23: Forefront tmg 2010 virtualization](https://reader035.fdocuments.in/reader035/viewer/2022062312/556163c9d8b42a87628b4d43/html5/thumbnails/23.jpg)
A Back-to-Back TMG Firewall DesignIn
tern
et
Exte
rnal V
irtual S
witc
hC
on
necte
d to
the in
tern
et
LA
N
Physica
l N
IC
Hyper-v
Virtu
al N
IC
1
Back-End FWTMG
Virtu
al N
IC
2
Front-End FWTMG
Virtu
al N
IC
1
Guest OS in DMZ
Virtual NIC
Virtu
al N
IC
2
Physi
cal
NIC
DMZvirtual Switch
DMZ
Exte
rnal V
irtual S
witc
hC
on
necte
d to
the L
AN
Demo: Deploying The Back-to-Back TMG
The Virtual Edge Management
• A dedicated physical interface connected to the management VLAN
• Will have a different IP address range
• Will be available even if the virtual infrastructure fails, and we still can manage
• Access to the parent will be isolated
The Virtual Edge Performance

| Feature | Added CPU | RAM | Disk | Net |
|---|---|---|---|---|
| SQL Expr Logging | 5-10% @# | # | @# | # |
| Web Cache | 1% @ | @ | # | (-) |
| URL Filtering | 1% # | 2% # | # | # (-) |
| HTTPS Inspection | 5% # | 1-5% @ | | |
| Net Insp System | 5-10% # | 5% # | @ | (+) |
| Compression | 5-10% @# | 5-10% @# | # | (-) |
| NLB (500Mb max) | 5-10% # | 5-8% @ | 5% # | |
| Malware Insp | 5-20% # | 5-10% # | # | # (+) |

Variables: @ = depends on TMG Configuration, # = depends on Traffic Profile
Resources
• My Blog: http://esihere.wordpress.com/
• Microsoft Virtualization Technology www.microsoft.com/virtualization/
• Forefront Threat Management Gateway 2010 http://www.microsoft.com/forefront/threat-management-gateway/en/us/
• Technet Edge Videos: http://technet.microsoft.com/en-us/edge/default.aspx
• Technet for System Professionals: http://technet.microsoft.com/
• My E-Mail Address: [email protected]
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.