Microsoft Forefront
Module 2: Secure Web Gateway
All other trademarks are the property of their respective owners.

Module Overview
- Secure Web Gateway overview
- HTTPS inspection
- URL filtering
- Malware protection
- Intrusion prevention

This module introduces some of the technologies that work together within Forefront TMG to protect users, information, and networks from malicious outside content.

Lesson 1 - Secure Web Gateway Overview

This lesson explains the features of a Secure Web Gateway (SWG), and the features of Forefront TMG that support the SWG role.

What is a Secure Web Gateway (SWG)?

"A SWG is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, malicious code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype." (Gartner Secure Web Gateway Magic Quadrant, August 2008)

- An SWG is a product that filters unwanted software or malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance.
- To achieve this goal, SWGs must, at a minimum, include URL filtering, as well as malicious code detection and filtering. Leading solutions will also be able to provide Web application-level controls for at least some of the more popular applications, including IM. SWGs should integrate with directories to provide authentication and authorization, along with group- and user-level policy enforcement.
- An SWG must bring together all these functions without compromising performance for end users, which has been a challenge for traditional antivirus Web filtering.
- URL filtering includes the categorization of known Web sites into groups to enable comprehensive reporting, as well as blocking some sites for acceptable-usage, productivity and security reasons. There is also an increasing requirement for dynamic risk analysis of uncategorized sites and pages. Web reputation will be an area of differentiation as vendors invest in ways to better identify and classify Web sites and domains.
- Malicious code filtering eliminates all malicious and potentially unwanted code from Web traffic. The most common malware detection technique is signature-based detection of known malware. However, as threats continue to evolve, we expect leading vendors to offer a cocktail of non-signature-based malware detection techniques to detect and block unknown and more evasive threats.
- Web application-level controls enable businesses to carefully manage adoption and use of public Internet-based applications, such as IM, Internet telephony, multiplayer games, Web storage, wikis, peer-to-peer, public VoIP, blogs, data-sharing portals, Web backup, remote PC access, Web conferencing, chat, and streaming media.

The Growing Market Potential
- Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth.
- "The total [SWG] composite market exceeded $1 billion in 2007 and was growing at a rate of 44% year over year. Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth. We expect average market growth rates to be in the 25% to 35% range for the next two years.
This growth will be fueled by increased penetration of dedicated SWG devices, incremental feature revenue and the impact of appliance-based products replacing software." (Source: Gartner Group, 2008)

The Competitive Landscape
[Pie chart of SWG market share by vendor: Websense, Trend Micro, McAfee/Secure Computing, Blue Coat, Other; only the 6% and 3% slice labels are legible.]

Forefront TMG as a Secure Web Gateway
[Slide table of TMG feature areas: URL filtering, competitive feature set, array support, inspection and NIS, load balancing, scalability, Web Access Wizard, task-oriented management, logging and reporting, integrated policy management, licensing.]

- Forefront TMG 2010 brings a competitive feature set to enter the Secure Web Gateway market. Forefront TMG provides comprehensive protection against Web-based threats, providing URL filtering, malware inspection, and intrusion prevention capabilities to Web clients. Forefront TMG can easily scale out to handle organizations of any size, using array management and integrated load balancing.
- Forefront TMG improves the reporting capabilities of ISA Server by using SQL Reporting Services to create customizable reports, and by allowing the use of a centralized report server that aggregates log data.
- Administrators can use the Web Access Wizard to easily configure Forefront TMG to enforce the organization's Web access policy. Other wizards can be used for common configuration and operation tasks.
- Forefront TMG provides an enterprise-level management system for large-scale installations, and seamless integration with Active Directory for authentication, authorization, and client configuration.
- Unifies inspection technologies to:
  - Protect against multi-channel threats
  - Simplify deployment
- Keeps security up to date with updates to:
  - Web antimalware
  - URL filtering
  - Network Inspection System

The following new Forefront TMG features support the Secure Web Gateway role:
- Web anti-malware is part of a Web Protection subscription service for Forefront TMG. Web antimalware scans Web pages for viruses, malware, and other threats.
- URL filtering allows or denies access to Web sites based on URL categories (such as pornography, drugs, hate, or shopping). Organizations can not only prevent employees from visiting sites with known malware, but also protect business productivity by limiting or blocking access to sites that are considered productivity distractions. URL filtering is also part of the Web Protection subscription service.
- Network Inspection System (NIS) enables traffic to be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS can block classes of attacks while minimizing false positives. Protections can be updated as needed.
- HTTPS Inspection enables HTTPS-encrypted sessions to be inspected for malware or exploits. Specific groups of sites, for example banking sites, can be excluded from inspection for privacy reasons. Users of the Forefront TMG Client can be notified of the inspection.
- Logging and reporting are two additional features. Forefront TMG collects log information for traffic handled by the Microsoft Firewall service and by the Web Proxy filter, and generates reports that summarize and analyze log information. It also provides the ability to send runtime event alerts, both pre-defined system alerts and custom alerts.

[Slide diagram: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control, each rated as Full, Partial or Enabler.]
(Legend: Full / Partial / Enabler)

A Secure Web Gateway should provide protection value against the following threats and concerns:
- Malware: protect users from downloading and being infected by malware from external Web sites.
- Phishing: block users from providing sensitive information to malicious Web sites posing as legitimate ones.
- Liability: ensure users do not engage in activities online that could result in legal liability to the company, such as downloading illegal media files.
- Data leakage: block users from using Web sites and applications to leak sensitive company information to external parties.
- Lost productivity: prevent users from spending time at work using sites not related to their business role, such as social networking sites.
- Loss of control: ensure that the enterprise can monitor and audit Internet usage for legal or internal policy compliance reasons.

Forefront TMG addresses these threats and concerns by providing features like HTTPS inspection, URL filtering, malware protection, and intrusion prevention (NIS). We'll explore each of these protection technologies in the following lessons of this module.

Lesson 2 - HTTPS Inspection

This lesson describes the HTTPS Inspection process, and how Forefront TMG can be set up to inspect Web traffic and validate certificates.

[Slide diagram: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control, each rated as Full, Partial or Enabler for HTTPS Inspection.]

HTTPS inspection is a new feature of Forefront TMG that allows TMG to decrypt and inspect outbound HTTPS traffic. This protects an organization from security risks inherent to Secure Sockets Layer (SSL) tunnels, such as:
- Viruses and other malicious content that could infiltrate the organization undetected.
- Users who bypass the organization's access policy by using tunneling applications over a secure channel (for example, peer-to-peer applications).
Note that HTTPS inspection is not a protection technology per se, but a technology that enables other protection technologies to address this type of Web traffic.

Traditional SSL Security
- Web browser sends a CONNECT request to the Web proxy: CONNECT host_name:port HTTP/1.1
- Web proxy allows the request to be sent to the TCP port specified in the request
- Proxy informs the client that the connection is established
- Client sends encrypted packets directly to the destination on the specified port without proxy mediation

In order to understand how HTTPS Inspection works, let's first review how clients connect to SSL-protected Web sites over a Web proxy:
1. The Web browser opens an HTTP connection to the Web proxy, using the specified TCP port (typically 80 or 8080).
2. The Web browser then sends a CONNECT request to the Web proxy, providing the host name and TCP port (typically 443) that the Web proxy should open a connection to.
   Note: By default, Forefront TMG (and ISA Server) will restrict outbound SSL connections to port 443. To allow the configuration of additional port ranges, use the isa_tpr.js script available at http://www.isatools.org.
3. If the destination port is in the allowed port range, the Web proxy will open a TCP connection to the destination address and, if successful, reply to the client request with a 200 Connection Established response.
4. From that point, the client can negotiate the SSL encryption parameters, and then send and receive encrypted data to and from the external Web site.
5. At this point, the Web proxy will forward the data from the Web browser to the external Web server and back, without inspecting or controlling the content in any way.

This may be exploited by malware or unauthorized P2P applications, which could bypass the inspection control mechanisms implemented by the Web proxy.
Forefront TMG HTTPS Traffic Inspection
[Slide diagram: client -> SSL -> Forefront TMG (malware inspection, URL filtering) -> SSL -> Web server]
- HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats
- Trusted certificate generated by the proxy matching the URL expected by the client

To close this loophole and be able to inspect outbound HTTPS traffic, Forefront TMG HTTPS inspection acts as an intermediary, or a "man in the middle," between the client computer that initiates the HTTPS connection and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following:
1. Establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site's server certificate.
2. Copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS Inspection certificate.
3. Presents the new certificate to the client computer, and establishes a separate SSL tunnel with it.

Because the HTTPS Inspection certificate was previously placed in the client computer's Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.

Enabling HTTPS Inspection
[Slide bullets, partly illegible: exclusions and customization; user notification of inspection (via the Firewall client); certificate validation (revocation, trust, expiration validation, etc.).]

Enabling HTTPS traffic inspection consists of the following steps:
1. Enable and configure the HTTPS inspection feature on TMG.
   This includes selecting which certificate will be used by HTTPS inspection to generate the SSL certificates; defining source and destination exclusions; choosing whether to just validate the external SSL certificates or actually inspect the traffic; and defining whether or not users will be notified of the inspection.
2. If the certificate used for HTTPS inspection was generated by TMG itself, define how clients will be configured to trust this certificate. For domain-joined machines, this typically involves using Active Directory to configure trust, while for non-domain-joined machines (and non-Microsoft browsers) this may require manual configuration steps.
3. If HTTPS inspection notification is enabled, the clients will need to install the Forefront TMG Client. The client is responsible for displaying the notifications.

Considerations for Enabling HTTPS Inspection
When enabling HTTPS Inspection, consider the following:
- TMG has the option to validate site certificates without inspecting traffic. Select this option to only check the validity of secure Web site certificates.
- Some sources (e.g., top executives) and some destinations (e.g., financial institutions) may be excluded from HTTPS traffic inspection.
- Extended Validation (EV) SSL is not supported with HTTPS Inspection. When Forefront TMG performs HTTPS Inspection on a site that uses an EV SSL certificate, the EV visibility that is offered by some Web browsers (such as Internet Explorer 7 causing the URL address bar to turn green) will not be displayed in users' browsers. To maintain a site's EV visibility, you must exclude it from HTTPS Inspection.
- HTTPS Inspection is incompatible with servers that require client certificate authentication. If you are aware of such a server, it is recommended that you exclude it from HTTPS Inspection.
- HTTPS Inspection does not support external Web sites using self-signed certificates.
  If you need to enable access to sites that use self-signed certificates, it is recommended that you exclude them from HTTPS Inspection.

Generating the HTTPS Inspection Certificate
- The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA
- Administrators can customize the self-generated certificate
- Commercial CAs will not typically issue HTTPS inspection certificates
- The HTTPS inspection certificate is stored in the configuration store and used by all array members

Commercial CAs will not typically issue HTTPS Inspection certificates, as these certificates are themselves CA certificates and not end-entity ones. Organizations will either use their internal PKI to issue these certificates or have Forefront TMG generate them.

Forefront TMG provides the option to generate a self-signed certificate for HTTPS Inspection, which would then need to be trusted by all Web clients. If the organization instead chooses to use a certificate issued by a PKI that is already trusted, it needs to make sure that the certificate is a CA-type certificate, i.e. it has the CA attribute enabled in the Basic Constraints certificate extension. End-entity certificates cannot be used to sign other certificates and as such are not suitable for HTTPS Inspection.

The HTTPS Inspection certificate is stored in the configuration storage, and array members can begin using the HTTPS Inspection certificate after synchronizing with the configuration storage. If the organization is using multiple arrays, it will likely need multiple HTTPS Inspection certificates, one per array.
Deploying the HTTPS Inspection Certificate
Two methods can be used to enable clients to trust the HTTPS Inspection certificate:
- Automatically through Active Directory (AD): uses the AD trusted root store to configure trust for all clients in the AD forest
  - Requires Forefront TMG to be deployed in a domain environment
  - Will not work for browsers that do not use the Windows certificate store for trust
- Manually on each computer, using the root certificate installation procedure required by the browser

There are two methods by which you can import the HTTPS Inspection trusted root CA certificate to client computers:
- Automatically through Active Directory. Automatic deployment using Active Directory is the recommended method, because the certificate is stored in a secure location, and it saves administrators the overhead of manual deployment. Note: Automatic certificate deployment requires Forefront TMG to be deployed in a domain environment.
- Manually on each client computer. If you are not using Active Directory, the certificate must be installed manually on each client computer, and it must be placed in the local computer certificate store.

Note that deployment through Active Directory will only work for browsers that use the Windows certificate store (IE, Opera, Chrome). Other browsers will need to be configured manually.

How HTTPS Inspection Works
- Enable HTTPS inspection
- Generate trusted root certificate
- Install trusted root certificate on clients
1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with the TMG trusted root certificate
6. (TMG manages a certificate cache to avoid redundant duplications)
7.
   Pretend to be contoso.com for the client
8. Bridge HTTPS traffic between client and server

Forefront TMG HTTPS Inspection works in the following way:
1. The Forefront TMG Web Proxy intercepts Web browser requests to connect to HTTPS Web sites, and opens a connection to the requested site and port.
2. Forefront TMG receives the Web server certificate, and validates the certificate's trust, validity period, purpose, and name.
3. If the Web server certificate is considered valid, Forefront TMG will generate a server proxy certificate matching the name expected by the client.
4. To mitigate potential application compatibility issues, Forefront TMG copies all the original certificate data from the original Web server certificate (attributes and extensions) to the proxy certificate.
5. Forefront TMG signs the proxy certificate with its HTTPS Inspection certificate, which is trusted by the client.
6. To reduce CPU consumption, Forefront TMG will cache the proxy certificate generated for the external Web server for other client requests.
7. Forefront TMG presents the proxy certificate to the Web browser, effectively impersonating the destination Web server.
8. The Web browser establishes an HTTPS session with Forefront TMG, which is then able to decrypt and inspect the outbound traffic.

Let's walk through a sample scenario where Contoso's Web access policy requires all HTTPS traffic to be inspected.

Configuring HTTPS Inspection
[Screenshot: Web Access Policy node, Policy Editing Tasks, Configure HTTPS Inspection.]
- You can enable and configure access to HTTPS sites using the Web Access Policy Wizard, or by editing the HTTPS Inspection properties.
- The Web Access Policy Wizard helps you set up most aspects of HTTPS Inspection; however, some settings are available only via the HTTPS Inspection properties.
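The two certificate checks the deck describes, as an added example that is not Forefront TMG code: the CA-type requirement for the HTTPS Inspection certificate (from "Generating the HTTPS Inspection Certificate") and the trust, validity period, purpose and name validation of the external server certificate (step 2 above), each evaluated separately so an operator can see which one failed. The root CA, www.fabrikam.com and the end-entity certificates are constructed test material; www.contoso.com is the deck's scenario host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certChecks records the four checks TMG runs on a server certificate before minting a proxy certificate.
type certChecks struct {
	Trusted    bool // chains to a root in the trust store
	InPeriod   bool // current time lies inside the validity period
	ServerAuth bool // extended key usage permits server authentication
	NameMatch  bool // certificate name matches the host the client asked for
}

// OK is true only when every check passed; otherwise no proxy certificate is minted.
func (c certChecks) OK() bool {
	return c.Trusted && c.InPeriod && c.ServerAuth && c.NameMatch
}

// usableAsInspectionCA reports whether a certificate can sign generated proxy
// certificates: Basic Constraints CA=true plus the certificate-signing key usage.
func usableAsInspectionCA(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}

// validateServerCert evaluates each check on its own instead of the single pass/fail of x509.Verify.
func validateServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) certChecks {
	var r certChecks
	r.InPeriod = !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter)
	r.NameMatch = leaf.VerifyHostname(host) == nil
	for _, eku := range leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			r.ServerAuth = true
		}
	}
	// Chain building only (no DNSName, any key usage), so name and purpose stay separate checks.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	r.Trusted = err == nil
	return r
}

// must panics on error; acceptable here because all key material is constructed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs tmpl with parent and the signer's key (self-signed when parent == tmpl).
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// demo builds a constructed root CA and two server certificates, then runs the
// checks for a client that asked for www.contoso.com.
func demo() (good, wrongHost certChecks, caUsable, leafUsable bool) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf := func(serial int64, host string) *x509.Certificate {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return mint(&x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: host},
			DNSNames:              []string{host},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(time.Hour),
			KeyUsage:              x509.KeyUsageDigitalSignature,
			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			BasicConstraintsValid: true, // CA=false: an end-entity certificate
		}, ca, &k.PublicKey, caKey)
	}
	site := leaf(2, "www.contoso.com")
	other := leaf(3, "www.fabrikam.com")
	return validateServerCert(site, roots, "www.contoso.com", now),
		validateServerCert(other, roots, "www.contoso.com", now),
		usableAsInspectionCA(ca), usableAsInspectionCA(site)
}
```

Revocation is deliberately absent: as the deck notes, TMG treats a certificate as valid when the CRL service cannot be reached, so a separate CRL check would be needed to close that gap.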
Configuring HTTPS Inspection
[Screenshot of the Web Access Policy wizard page for HTTPS inspection; the text is not legible.]

The TMG administrator has four options:
- Enable HTTPS Inspection
- Enable a "validate-only" policy where TMG will validate the server certificate but not actually inspect the traffic
- Disable HTTPS Inspection entirely
- Block users from connecting to HTTPS sites
For the last three options, no certificate is required.

The following table summarizes the certificate validation tasks that Forefront TMG performs when HTTPS Inspection is enabled. For sites that are excluded from HTTPS Inspection, you can select to exclude with or without validation when you configure destination exceptions.

Validation task                    | (three modes; column headers are not legible in the source)
Eligible for server authentication | Yes | Yes | Yes
Expiration, revocation             | Yes | No  | No
Name mismatch, trust               | Yes | Yes | No

Note the following issues regarding certificate revocation:
- Because Forefront TMG caches certificates, if a certificate needs to be revoked, it will only be revoked once the caching timeout expires.
- If Forefront TMG is unable to connect to the certificate revocation list (CRL) service, and is therefore unable to check for revocation, it treats the certificate as valid.

Configuring HTTPS Inspection
[Screenshot: HTTPS Inspection Preferences, with the options "Use a certificate automatically generated by Forefront TMG" and "Use a custom certificate".]

Administrators can choose to notify users that HTTPS traffic is being inspected. Organizations may need to notify users of legal or privacy concerns, since users may have an implicit or explicit expectation of privacy when connecting to an HTTPS Web site.

Note: In some geographies, it may be against the law to enable HTTPS Inspection for specific types of site, such as financial institutions.
If this is the case, you may need to exempt these sites from HTTPS Inspection.

HTTPS Inspection certificates can be automatically generated by Forefront TMG, or an existing certificate can be used. This certificate needs to be a CA certificate (i.e., it needs to have an indication that it is a CA certificate in its Basic Constraints extension), and should have been previously imported into the system.

HTTPS Inspection Notifications
[Screenshot of the Forefront TMG Client settings dialog.]
- Notification provided by the Forefront TMG Client
- Notify user of inspection
- History of recent notifications
- Management of the Notification Exception List
- May be a legal requirement in some geographies

To receive notifications of HTTPS Inspection, client computers must have the HTTPS Inspection trusted root CA certificate installed in the local computer Trusted Root Certification Authorities certificate store. If the certificate is not installed in this exact certificate store, the user will not receive balloon notifications of HTTPS Inspection.

To enable HTTPS Inspection notifications on the Forefront TMG server:
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the Tasks pane, click Configure HTTPS Inspection.
3. On the Client Notification tab, click Notify users that HTTPS Inspection is being inspected, and then click OK.

To enable HTTPS Inspection notification on the Forefront TMG Client:
1. On the Secure Connection Inspection tab, select Notify me when content sent to secure Web sites is inspected.

HTTPS Inspection Notification User Experience
[Screenshot: notification balloon and the browser's certificate information dialog.]
- Notifications are shown as a balloon by the Forefront TMG Client.
- The user may also ask the browser to display the Web site certificate information, which will show that the certificate was issued by Forefront TMG.
Lesson 3 - URL Filtering

This lesson discusses URL filtering, one of the ways that Forefront TMG prevents users from accessing Web sites that could damage the organization.

[Slide diagram: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control, each rated as Full, Partial or Enabler for URL filtering.]

URL filtering is one of the key features in the Secure Web Gateway role of Forefront TMG. It allows you to control end-user access to Web sites based on pre-defined URL categories. URL filtering protects the organization by denying access to sites that are known to be malicious, that display inappropriate or pornographic materials, or that would violate the organizational policy.

Typical use cases for this feature include:
- Block users from connecting to known malware or phishing sites.
- Reduce liability risks by blocking access to sites that distribute illegal content.
- Reduce the risk of sensitive information leaking by restricting access to Web e-mail or blogging sites.
- Improve the productivity of the organization by restricting time spent on social networking sites.

URL filtering can also reduce network bandwidth and, by integrating it with TMG reports, help you understand the Web usage patterns in the organization.

Forefront TMG URL Filtering
- Multiple providers
- 91 built-in categories
- Subscription-based
- Predefined and administrator-defined category sets
- Customizable, per-rule deny messages
- URL category override
- URL category query
- Logging and reporting support
- Web Access Wizard integration

URL filtering identifies certain types of Web sites, such as known malicious sites and sites that display inappropriate or pornographic materials, and allows or blocks access to the sites based on predefined URL categories. The default categorization of a specific Web site is determined by the Microsoft Reputation Service (MRS) and can be edited by the Forefront TMG system administrator.
When a request to access a Web site is received, Forefront TMG queries MRS to determine the categorization of the Web site. If the Web site has been categorized as a blocked URL category or category set, Forefront TMG blocks the request.

When users request access to a Web site to which access is blocked, they receive a denial notification that includes the denied request category. In some cases, users may contact the administrator to dispute the categorization of the Web site. In such a case, you can check whether the URL was categorized properly. If the Web site was not categorized correctly, you can create a custom setting for this URL.

Forefront TMG features over 70 URL categories. A URL category is a collection of URLs that match a pre-defined criterion, such as malicious, anonymizers, or spam. Categories are grouped into category sets, which can be used to simplify the configuration of Forefront TMG policies.

URL Filtering Benefits
- Control user Web access based on URL categories
- Protect users from known malicious sites
- Reduce liability risks
- Increase productivity
- Reduce bandwidth and Forefront TMG resource consumption
- Analyze Web usage

The benefits of applying URL filtering include:
- Enhancing your security by preventing access to malicious sites, such as phishing sites.
- Lowering liability risks by preventing access to sites that display inappropriate materials, such as hate, criminal activity, or pornography sites.
- Improving the productivity of your organization by preventing access to non-productive sites, such as games or instant messaging.
- Using URL filtering related reports and log entries to learn about the Web usage in your organization, such as what the most browsed URL categories are.
- Excluding sites from inspection by the HTTPS and malware inspection mechanisms, such as excluding financial sites from HTTPS Inspection due to privacy considerations.
- Forefront TMG leverages MRS, a cloud-based object categorization system hosted in Microsoft data centers, to categorize the URLs that users request.
- MRS is designed to provide comprehensive reputation content to enable core trust scenarios across Microsoft solutions, and maintains a database with tens of millions of unique URLs and their respective categories.

What Makes MRS Compelling?
- Existing URL filtering solutions
  - A single vendor can't be an expert in all categories
  - Categorization response time
- MRS unique architecture
  - MRS merges URL databases from multiple sources/vendors
  - Multi-vendor AV analogy
  - Based on Microsoft internal sources as well as collaboration with third-party partners
  - Scalable
- Ongoing collaborative effort
  - Recently announced an agreement with Marshal8e6
  - More announcements to follow

The MRS team wanted to confront an inherent problem with traditional URL filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution on its own. As a result, there are multiple vendors out there, each one specializing in a particular area of the solution. Vendor specialties include identifying malicious sites and spam URLs; productivity-related categories; Web 2.0 style URLs; quick classification of previously unknown sites, etc. Some vendors use human-based classification; others use machine-based techniques. However, even those vendors who employ several classification techniques and cover multiple categories can't deal with the huge and ever-expanding challenges of today's Web.

MRS leverages the complementary capabilities of different vendors and sources to create a unified database. It utilizes a scalable architecture that incorporates multiple streams of data into a merged database. Each vendor or source brings its unique strengths to the table, into a common solution which can handle all the challenges described above.
MRS already integrates several data sources; others will be on-boarded in the following months. Some of these data sources are Microsoft internal, and others are the result of collaboration with third-party partners such as Marshal8e6. Since it is a Web service, MRS uses its unique architecture to easily incorporate new databases with complete transparency to the customers. We expect the MRS unified database to expand over time and become the recognized industry leader. TMG customers will benefit naturally from this ongoing upgrade, through our Web security subscription services.

How Forefront TMG Leverages MRS
[Slide diagram: multiple vendors feed a federated query, combined with telemetry data.]

Forefront TMG leverages the Microsoft Reputation Service for URL filtering in the following way:
1. Whenever Forefront TMG receives a request to fetch an external URL, it will pass this URL to an internal Categorizer component. This component runs locally on the Forefront TMG server and is responsible for determining which categories apply to a particular URL.
2. The Categorizer first checks if there is a local override for the URL. Administrators can override the categories suggested by MRS with a locally-defined categorization.
3. To improve bandwidth utilization and performance, Forefront TMG implements a local cache (residing on the TMG server) that stores the recently queried URLs and their respective categories. Cache entries are subject to a time-to-live value, allowing the entry to be refreshed periodically. TMG will query MRS only when a request cannot be served from the local cache. This local cache is expected to serve the overwhelming majority of user requests. The cache is persistent, so it doesn't need to be refreshed after each reboot.
4. If there is no local override for the URL and it is not in the local cache, the local MRS client will query an MRS Web service in the cloud for the URL, using the Windows Web Services API (WWSAPI).
   This query contains a hash (SHA-256) of the URL and is sent over SSL for security and privacy reasons.
5. The MRS Web service receives the query from the client and searches across the multiple vendor databases. This process happens transparently to the client. When the search is complete, the MRS Web service returns a single response containing the categories that apply to the queried URL.
6. The response is received by the MRS client, which writes it to the local cache and informs the Categorizer.

Microsoft Telemetry Service
Forefront TMG also has the option to provide MRS the ability to review URL filtering data samples collected from the installations where the administrator chose to join the Microsoft Telemetry Service. Once the administrator opts in to the Microsoft Telemetry Service (with either basic or advanced membership), Forefront TMG will collect and report to Microsoft information that includes:
- Random URL samples. The URLs are truncated to avoid disclosure of personal information.
- The local list of URL category overrides.
- A few statistical counters, such as the ratio of requests that MRS failed to categorize.
- Globally unique identifiers (GUIDs) to uniquely identify a Forefront TMG server for statistical analysis. The GUIDs are randomly generated during installation and do not contain any personal information or customer identity information.
To help protect privacy and ensure the identity of the server, Microsoft Telemetry Service reports are encrypted using Secure Sockets Layer (SSL).

URL Filtering Categories
TMG features over 80 URL categories. These range from security-oriented selections (e.g., Phishing, Malicious, and Anonymizers) through productivity-oriented categories (e.g., Games, Instant Messaging), and ending with liability-oriented categories such as Criminal Activities and Pornography.
- Categories are also grouped into higher-level hierarchies called category sets, which can be used in TMG policy to simplify configuration. Administrators can also create their own categories as necessary.
- In addition to being used for access policy, URL filtering categories are used in reports and log entries, and can be used to exclude sites from inspection by the HTTPS Inspection and Malware Inspection features. For instance, you may wish to exclude financial sites from HTTPS Inspection for legal reasons.

Categories and Inheritance
- MRS uses an inheritance model when determining the applicable categories for a particular URL.
- MRS queries not only the entire URL for applicable categories, but also its upper-level folders and domains. The final result consists of all categories found.
- For example, msn.com is included in the Portal Sites category, while health.msn.com is included in the Health category.
- When MRS receives a query for http://health.msn.com/womens-health, it reports the URL to be in both the Health and Portal Sites categories.

URL Filtering Policy
- URL categories are standard network objects.
- Administrators can create custom URL category sets.
- For policy purposes, URL categories are standard network objects that can be used as destinations in Web access policy rules. Categories are also grouped into a higher-level hierarchy called category sets, which can be used in TMG policy to simplify configuration.
- Forefront TMG dynamically associates the destination URL with the appropriate categories, based on MRS categorization and local overrides.
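The lookup order described under How Forefront TMG Leverages MRS (local override, then a TTL cache, then a SHA-256-hashed query over SSL) and the parent-path inheritance described under Categories and Inheritance, modelled in one small Python program. This is an added example, not Forefront TMG or MRS code: the class and function names, the override pattern, the assumption that the client hashes every level of the URL's lineage and sends them in one query, and the category database are all constructed for this illustration.

```python
"""Added example (not Forefront TMG code): a model of the TMG URL-categorization
lookup order (override -> TTL cache -> hashed MRS query) with the parent-path
inheritance model described on the Categories and Inheritance slide.  All names,
patterns and the sample category database are constructed for this example."""
import hashlib
import time
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def normalize(url):
    """Return 'host/path[?query]' with a lower-cased host and no scheme.

    TMG override patterns are written without a protocol prefix (see the
    URL Category Override notes), so the lookup key is built the same way."""
    parts = urlsplit(url if "://" in url else "//" + url)
    key = (parts.hostname or "") + (parts.path or "/")
    return key + ("?" + parts.query if parts.query else "")


def lineage(key):
    """Yield the key itself, its parent folders, then its parent domains.

    'health.msn.com/womens-health' -> itself, 'health.msn.com/', 'msn.com/'.
    The public suffix ('com') is never yielded."""
    host, _, rest = key.partition("/")
    segs = [s for s in rest.split("?")[0].split("/") if s]
    for i in range(len(segs), -1, -1):
        yield host + "/" + "/".join(segs[:i])
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        yield ".".join(labels[i:]) + "/"


class MrsStub:
    """Stand-in for the cloud MRS Web service, indexed by SHA-256 of the key.

    Assumption for this model: the client hashes every level of the lineage
    and sends the hashes in one query; the service unions the hits.  Hashing
    hides the URL from anyone between TMG and MRS (the query also travels
    over SSL) but not from MRS itself, which must match the hash against its
    own database."""

    def __init__(self, records):
        self._db = {hashlib.sha256(k.encode()).hexdigest(): set(v)
                    for k, v in records.items()}
        self.queries = 0

    def lookup(self, hashes):
        self.queries += 1
        found = set()
        for h in hashes:
            found |= self._db.get(h, set())
        return found


class Categorizer:
    def __init__(self, mrs, overrides=(), ttl=3600.0, clock=time.time):
        self.mrs = mrs
        self.overrides = list(overrides)   # (pattern, category); first match wins
        self.cache = {}                    # key -> (categories, expiry); persistent in TMG
        self.ttl = ttl
        self.clock = clock

    def categories(self, url):
        key = normalize(url)
        # 1. local override: wildcard pattern on 'host/path', no scheme
        for pattern, category in self.overrides:
            if fnmatchcase(key, pattern):
                return {category}
        # 2. cache hit that has not passed its time-to-live
        entry = self.cache.get(key)
        if entry and entry[1] > self.clock():
            return set(entry[0])
        # 3. one MRS query carrying the hashes of the whole lineage
        hashes = [hashlib.sha256(k.encode()).hexdigest() for k in lineage(key)]
        found = self.mrs.lookup(hashes)
        self.cache[key] = (set(found), self.clock() + self.ttl)
        return set(found)


def demo():
    """Constructed sample data mirroring the msn.com example in the deck."""
    now = [1000.0]
    mrs = MrsStub({"msn.com/": ["Portal Sites"], "health.msn.com/": ["Health"]})
    cat = Categorizer(mrs, overrides=[("www.contoso.com/*", "Phishing")],
                      ttl=60.0, clock=lambda: now[0])
    inherited = cat.categories("http://health.msn.com/womens-health")
    cat.categories("http://health.msn.com/womens-health")   # served from cache
    queries_after_cache = mrs.queries
    now[0] += 61.0                                            # TTL expired
    cat.categories("http://health.msn.com/womens-health")
    queries_after_expiry = mrs.queries
    overridden = cat.categories("https://www.contoso.com/login?x=1")
    return inherited, queries_after_cache, queries_after_expiry, overridden, mrs.queries


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: an override short-circuits everything, so an override that is too broad (a bare `www.contoso.com/*`) silently removes a whole site from reputation lookup; and the cache TTL, not the MRS database, bounds how long a site that has just been reclassified as malicious keeps its old verdict on a given TMG server.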
Sample scenario: Contoso's Web access policy requires that no browsing be allowed to sites that pose specific risks to the organization, but also defines an exception for a specific group of users and a specific category of Web site.

Contoso's Web Access Policy
(Slide: screenshot of the Contoso Web access policy rules; not recoverable from the extraction.)

- You can use the Web Access Policy wizard to create a comprehensive Web access policy for your organization. A Web access policy specifies the following:
  - Which computers can access the Internet. For example, you can specify that a set of computers has no Internet access.
  - Which users are allowed Internet access. For example, you can allow one set of users to access the Internet but block others.
  - Which Internet sites are allowed or blocked. For example, you can block access to a specific site for everyone. Alternatively, you may want to allow only managers to access all sites and allow all other employees access to work-related sites only.
  - Times at which specific Web destinations are available.
  - How Internet traffic is filtered and scanned. Forefront TMG filters and inspects HTTP traffic that passes through it. You can specify that HTTP traffic should be scanned for malware, and you can configure application-layer HTTP filtering that examines HTTP commands and data.
- When defining the destinations in Web access policy rules, you can use categories or category sets as well as specific URLs.

Per-rule Customization
(Slide: rule properties dialog with the Schedule, Content Types, Malware Inspection, General, Action, Protocols, From, To and Users tabs; the Action tab offers Allow or Deny and the option to add custom text or HTML to the denial notification.)
(Slide, continued: the Action tab also offers "Redirect Web client to the following URL" and "Log requests matching this rule".)
- The TMG administrator can customize the denial message displayed to the user on a per-rule basis:
  - Add custom text or HTML.
  - Redirect the user to a specific URL.
- Forefront TMG allows the administrator to configure a per-rule denial notification message to the user, which can include custom text and HTML tags.
- Administrators also have the option to redirect the user to a particular URL.

URL Filtering Configuration
(Slide: Forefront Threat Management Gateway console, Policy Editing Tasks: Configure Malware Inspection, Configure URL Filtering, Configure HTTPS Inspection.)
- URL filtering is configured using the Configure URL Filtering task in the access policy task pane, or by using the Web Access Policy wizard.
- To configure Web access policy by running the Web Access Policy wizard:
  1. In the Forefront TMG Management console, click the Web Access Policy node.
  2. On the Tasks tab, click Configure Web Access Policy. If you have already run the wizard, a message warns you that the changes you made to settings and rules when you previously ran the wizard will be discarded. Click Yes to confirm that the wizard should run again.
  3. On the Web Access Policy Type page, select the type of Web access policy that you want to apply to your organization. You have two choices:
     - Select Create a simple global access policy for all the clients in my organization to allow all users to visit all Web sites except those URLs that you specifically block.
     - Select Create customized Web access policies for users, groups and computers to specify that Web policy is controlled by authenticated user access, non-authenticated IP address access, or a mixture of both.
  4. On the Web Protection page, click Yes, enable the malware inspection feature to turn on malware inspection globally.
  5. Complete the Web policy configuration by specifying settings for the Web policy type you have selected.
- To manage the URL filtering global settings, in the Forefront TMG Management console, in the tree, click the Web Access Policy node, and then in the Tasks pane, click Configure URL Filtering.

Category Query
(Slide: URL Filtering Settings dialog, Category Query tab, showing a queried URL, its category and the source of the categorization.)
- Administrators can use the URL Filtering Settings dialog box to query the URL filtering database.
- Enter the URL or IP address as input.
- The result and its source are displayed on the tab.

Looking up a URL category
- The following procedure describes how to query the URL filtering database for the categorization of a URL or IP address.
  1. In the Forefront TMG Management console, in the tree, click Web Access Policy.
  2. In the Tasks pane, click Query for URL Category.
  3. On the Category Query tab, type a URL or IP address, and then click Query. The resulting category is displayed on the tab, along with the source of the categorization, such as an override, an IP address match, or a URL alias.
- This information can also be queried from the Microsoft Reputation Services Feedback and Error Reporting Portal at https://www.microsoft.com/security/portal/mrs/default.aspx.
- The Reporting Portal can be used to suggest additional categories or to dispute an incorrect categorization.

URL Category Override
(Slide: URL Filtering Settings dialog, URL Category Override tab: "Override the default URL category for this URL pattern", with the example www.contoso.com/* and "Move URL pattern to this URL category: Phishing".)
- Administrators can override the categorization of a URL.
- Overrides are fed back to MRS via Telemetry.
- To change a domain's categorization, copy the URL or IP address to the computer's clipboard, and click the URL Category Override tab.
- Note: the following considerations apply to URL category overrides:
  - Each URL must include a host name and a path, and may include a query string and escaped characters (such as "%20" to represent a space). Wildcards (*) can be used when defining overrides.
  - Do not include a protocol (such as http://) with the URL.
  - Forefront TMG does not support Internationalized Domain Name (IDN) URLs.

User Experience
(Slide: screenshot of a phishing e-mail; not recoverable from the extraction.)
- In this example, the user receives a phishing message with a hyperlink that leads to a known malicious URL.

User Experience
- When the user clicks the link, URL filtering identifies the link as malicious and blocks the user from connecting to the phishing site.
- The administrator can customize the message displayed to the user, adding custom text or HTML to the notification.
- Optionally, the administrator can redirect the user to a specific URL where, for example, the organization's Web access policy can be read.

Lesson 4 - Malware Protection
- This lesson explains how Forefront TMG protects users and machines against malware.
(Slide: threat matrix covering Malware, Phishing, Liability, Data Leakage, Lost Productivity and Loss of Control, each marked Full, Partial or Enabler; the markings are not recoverable from the extraction.)
- Web traffic may contain malware such as worms, viruses, and spyware.
- Forefront TMG uses definitions of known viruses, worms, and other malware, which it downloads from Microsoft Update or Windows Server Update Services (WSUS), for malware inspection.
- The Forefront TMG Malware Inspection Filter scans Web pages and files requested by client computers, and either cleans harmful HTTP content or blocks it from entering the internal network.

HTTP Malware Inspection
- Integrates the Microsoft Antivirus engine; third-party plug-ins can be used instead (native malware inspection must be disabled).
- Signature and engine updates (subscription-based).
- Content delivery methods by content type.
- Source and destination exceptions.
- Global and per-rule inspection options (encrypted files, nested archives, large files, and so on).
- Logging and reporting support.
- Web Access Wizard integration.

- Microsoft Forefront Threat Management Gateway includes malware inspection for scanning, cleaning, and blocking harmful HTTP content and files.
- When malware inspection is enabled, downloaded Web pages and files allowed by access rules may be inspected for malware.
- Malware inspection is performed by the Malware Inspection Filter (a Web filter). It applies to traffic that uses the HTTP protocol and does not involve the Firewall Client software.
- The body of every HTTP request and response is inspected, regardless of the HTTP verb in the header.
- If the body is compressed and the encoding scheme is not recognized, Forefront TMG cannot inspect the content. HTTP content compressed with gzip encoding can be decoded, inspected, and re-encoded in both directions.
- When a virus is detected in a file or an archive (for example, a .zip, .tar, or .cab file), Forefront TMG attempts to clean the file, rebuild the archive, and send the cleaned file to the client instead of the infected one. Where cleaning is not possible, the infected file is replaced with a text file containing a notification.

Malware Definitions and Updates
- Forefront TMG uses the Microsoft Antivirus (MSAV) engine, which relies on definitions of known viruses, worms, and other malware for malware inspection.
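The body handling described on the HTTP Malware Inspection slide (gzip-decode, scan, clean or replace with a text notification), together with the Content Trickling caveat that follows (bytes already trickled cannot be recalled, so a detection mid-stream can only reset the connection), as an added Python model. This is example code, not Forefront TMG's filter: the scanner is a toy that matches a constructed marker string rather than a real engine, and the sample bodies, signature name and chunk size are assumptions for the illustration.

```python
"""Added example, not Forefront TMG code: a model of HTTP body inspection with
gzip decoding, clean-or-replace on a full inspection, and the trickling case in
which bytes already delivered cannot be taken back.  The signature database and
sample bodies are constructed; no real anti-virus engine is involved."""
import gzip

# Toy signature database (constructed): marker bytes -> detection name.
SIGNATURES = {b"TOY-MALWARE-SIGNATURE-1": "Toy.Test.Marker"}

# Constructed infected body: 39 bytes of harmless data, the 23-byte marker, a trailer.
INFECTED_SAMPLE = b"header bytes " * 3 + b"TOY-MALWARE-SIGNATURE-1" + b" trailer"


def decode_body(headers, body):
    """Undo Content-Encoding so the scanner sees the real bytes.

    Returns (plain_bytes, encoding).  An encoding we cannot decode raises
    ValueError, mirroring the slide's 'cannot inspect the content' case."""
    enc = headers.get("Content-Encoding", "identity").lower()
    if enc == "gzip":
        return gzip.decompress(body), enc
    if enc == "identity":
        return body, enc
    raise ValueError("unsupported Content-Encoding: " + enc)


def scan(data):
    """Return the name of the first signature found in data, or None."""
    for marker, name in SIGNATURES.items():
        if marker in data:
            return name
    return None


def clean(data, name):
    """Strip the detected marker; return None when nothing usable remains."""
    marker = next(m for m, n in SIGNATURES.items() if n == name)
    cleaned = data.replace(marker, b"")
    return cleaned if cleaned.strip() else None


def inspect_full(headers, body):
    """Inspect-before-deliver.  Returns (verdict, bytes_for_client)."""
    plain, enc = decode_body(headers, body)
    name = scan(plain)
    if name is None:
        return "clean", body
    fixed = clean(plain, name)
    if fixed is None:
        # Cleaning impossible: the file is replaced by a text notification.
        note = ("The requested file was blocked by malware inspection: " + name).encode()
        return "blocked", note
    # Re-encode with the same scheme the client asked for.
    return "cleaned", gzip.compress(fixed) if enc == "gzip" else fixed


def inspect_trickled(headers, body, chunk=16):
    """Trickle chunks to the client while scanning everything seen so far.

    Returns (verdict, bytes_already_sent).  On a hit the only remaining option
    is to stop sending (TMG resets the connection); the bytes already sent,
    possibly including the start of the malicious object, cannot be recalled."""
    plain, _ = decode_body(headers, body)
    sent = b""
    for i in range(0, len(plain), chunk):
        if scan(plain[: i + chunk]):
            return "reset", sent
        sent += plain[i : i + chunk]
    return "clean", sent


def demo():
    """Run the three behaviours over constructed bodies."""
    full = inspect_full({"Content-Encoding": "gzip"}, gzip.compress(INFECTED_SAMPLE))
    only_marker = inspect_full({}, b"TOY-MALWARE-SIGNATURE-1")
    trickled = inspect_trickled({}, INFECTED_SAMPLE, chunk=16)
    try:
        decode_body({"Content-Encoding": "br"}, b"")
        unsupported = None
    except ValueError as err:
        unsupported = str(err)
    return full, only_marker, trickled, unsupported


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With a 16-byte chunk, the trickled run stops after 48 bytes have left the gateway: nine bytes of the marker were already on the wire when the detection fired. That is the whole reason the deck pairs trickling with a connection reset rather than a cleaned file, and why progress notification is the safer choice for content types that must be cleaned or replaced.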
- These definitions can be downloaded from the Microsoft Update Web site. Forefront TMG automatically checks for and downloads new and updated definitions for malware inspection, according to a user-defined update schedule.
- At any time, you can also request that Forefront TMG check for new and updated malware definitions. The update schedules are accessed through the Update Center node in Forefront TMG Management. When this node is selected, the Details pane displays three items:
  - The time of the last check for new updates.
  - The time when the last update was downloaded and installed.
  - The status of the last attempt to check for updates.
- Note: unlike Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint Server, Forefront TMG can use only a single engine (MSAV) for malware inspection. This is due to the specific performance and latency constraints of Web inspection, which do not apply to mail or document scanning. Forefront TMG has APIs that allow third-party plug-ins to be used instead of the built-in malware inspection functionality.

Content Trickling
(Slide: diagram of the Firewall Service, Web Proxy, Malware Inspection Filter and Request Context; not recoverable from the extraction.)
- Because malware inspection may delay the delivery of content from the server to the client, Forefront TMG lets you shape the user experience while Web content is scanned for malware by selecting one of two delivery methods for scanned content: trickling or progress notification.
- Trickling: with this delivery method, Forefront TMG sends portions of the content to the user as the files are inspected. This helps prevent the client application from reaching a time-out before all the content has been downloaded and inspected.
- Note: cleaning is possible only if the file is inspected before content is passed to the client. In the case of trickling, it is not possible to clean the file or replace it with a text notification.
  If an infection is detected in a file that is being trickled, Forefront TMG resets the connection and does not pass the remaining chunks to the client.

Progress Notification
(Slide: diagram of the Firewall Service, Web Proxy, Malware Inspection Filter, primary and secondary request contexts, downloads map and scanner; not recoverable from the extraction.)
- Progress notification: Forefront TMG sends an HTML page to the client computer, informing the user that the requested content is being inspected and displaying an indication of the download and inspection progress. After the content has been downloaded to Forefront TMG and inspected, the page informs the user that the content is ready, and displays a button for downloading the content from the TMG server.
- Note: the content delivery settings in Forefront TMG include enabling or disabling progress notifications for specified types of content, and a list of the MIME content types and file name extensions for which progress notifications are used when they are enabled.

Malware Scanner Behavior
(Slide table: each inspection type below is assigned to the low, normal or high priority scanner queue; the queue assignment is not recoverable from the extraction.)
- Partial inspection for standard trickling.
- Final inspection for files smaller than 1 MB when the progress page is not used.
- Partial inspection for fast trickling.
- Final inspection for files larger than 1 MB but smaller than 50 MB when the progress page is not used.
- Final inspection when the progress page is used.
- Final inspection for files larger than 50 MB.

Enabling Malware Inspection
(Slide: screenshot of the malware inspection settings; not recoverable from the extraction.)
- Activate the Web Protection license.
- Enable malware inspection on Web access rules:
  - Web Access Policy Wizard or New Access Rule Wizard for new rules.
  - Rule properties for existing rules.
- In Forefront TMG, you enable malware inspection globally, and then on a per-rule basis.
- To enable malware inspection in Forefront TMG, you must:
  1. Activate the Web Protection license.
  2. Enable malware inspection on Web access rules.
- To enable global malware inspection:
  1. In the Forefront TMG Management console, in the tree, click the server name node.
  2. On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.
  3. Make a selection on the Microsoft Update Setup page, and click Next.
  4. On the Forefront TMG Protection Features Settings page, do the following:
     a. Select one of the licenses to enable Web protection.
     b. If you selected the Activate purchased license and enable Web Protection option, type the license activation code next to Key.
     c. Verify that Enable malware inspection is selected.
  5. Continue through the wizard, and then click Finish.
- After enabling malware inspection globally on Forefront TMG, you must enable it on specific access rules, as follows:
  - If you are creating new access rules, you can enable inspection via the Web Access Policy Wizard or the New Access Rule Wizard.
  - If you already have a rule to which you want to apply malware inspection, edit the properties of the rule.
- Let's walk through a sample scenario in which Contoso's Web access policy requires that all Web traffic be inspected for malware, and that no files larger than 500 MB be downloaded from the Web.

Malware Inspection Global Settings
(Slide: Forefront TMG console, Web Access Policy node, Policy Editing Tasks.)
- Global malware inspection settings are configured by clicking the Configure Malware Inspection task under Policy Editing Tasks in the Web Access Policy node.
- These settings apply to all Web access rules unless explicitly overridden.
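How the global malware inspection settings and a per-rule override combine into one allow/block decision, using the Contoso scenario above (inspect everything, block downloads over 500 MB, but let one group of users download larger files). This is an added Python model, not Forefront TMG code: the option names follow the Malware Inspection Global Settings slide that comes next, while the scan-result fields, the two rules, the user names and the "first matching rule wins" ordering are constructed for this example.

```python
"""Added example, not Forefront TMG code: global malware-inspection settings,
a per-rule override that replaces some of them, and the resulting decision for
a scanned object.  Option names follow the deck's Global Settings slide; the
ScanResult shape, rules and users are constructed for this example."""
from dataclasses import dataclass, replace
from typing import Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class InspectionSettings:
    """Global settings; a rule override may replace any field."""
    block_low_medium_severity: bool = True   # high severity is always blocked
    block_suspicious: bool = True
    block_corrupted: bool = True
    block_encrypted: bool = True
    max_scan_seconds: float = 300.0
    max_archive_depth: int = 20              # archive bomb: too many depth levels
    max_unpacked_mb: int = 4096              # archive bomb: unpacked content too large
    max_file_mb: int = 500                   # Contoso: no downloads over 500 MB


@dataclass(frozen=True)
class ScanResult:
    """What the scanning engine reports for one object (constructed shape)."""
    size_bytes: int
    threat_severity: Optional[str] = None    # None, "low", "medium" or "high"
    suspicious: bool = False
    corrupted: bool = False
    encrypted: bool = False
    scan_seconds: float = 0.0
    archive_depth: int = 0
    unpacked_bytes: int = 0


GLOBAL = InspectionSettings()

# Per-rule overrides (constructed).  The first rule whose users match wins,
# so the broad "All users" rule must stay last.
RULES = [
    {"name": "Engineering large downloads", "users": {"eng"},
     "override": {"max_file_mb": 2048, "max_unpacked_mb": 8192}},
    {"name": "All users", "users": {"*"}, "override": {}},
]


def effective_settings(user, rules=RULES, base=GLOBAL):
    """Merge the first matching rule's override onto the global settings."""
    for rule in rules:
        if "*" in rule["users"] or user in rule["users"]:
            return replace(base, **rule["override"]), rule["name"]
    return base, "(no rule)"


def decide(result, settings):
    """Return (action, reason) following the slide's blocking options."""
    sev = result.threat_severity
    if sev == "high":
        return "block", "high severity threat"
    if sev in ("low", "medium") and settings.block_low_medium_severity:
        return "block", sev + " severity threat"
    if result.suspicious and settings.block_suspicious:
        return "block", "suspicious file"
    if result.corrupted and settings.block_corrupted:
        return "block", "corrupted file"
    if result.encrypted and settings.block_encrypted:
        return "block", "encrypted file"
    if result.scan_seconds > settings.max_scan_seconds:
        return "block", "scanning time exceeded"
    if result.archive_depth > settings.max_archive_depth:
        return "block", "archive bomb: too many depth levels"
    if result.unpacked_bytes > settings.max_unpacked_mb * MB:
        return "block", "archive bomb: unpacked content too large"
    if result.size_bytes > settings.max_file_mb * MB:
        return "block", "file too large"
    return "allow", "clean"


def decide_for_user(user, result):
    """Apply the rule that matches this user, then decide."""
    settings, rule_name = effective_settings(user)
    action, reason = decide(result, settings)
    return action, reason, rule_name


if __name__ == "__main__":
    big = ScanResult(size_bytes=700 * MB)
    print(decide_for_user("alice", big))   # blocked by the global 500 MB limit
    print(decide_for_user("eng", big))     # allowed by the engineering override
```

Note what the override does not relax: a high-severity detection, a suspicious or encrypted file, and the archive-depth limit are still evaluated with the global values, because the engineering rule only replaces the two size fields. A per-rule override is a targeted exception, not a bypass of inspection.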
Malware Inspection Global Settings
(Slide: Malware Inspection dialog, Inspection Settings tab, with the options "Block files with low and medium severity threats (higher-level threats are always blocked)", "Block suspicious files", "Block corrupted files", "Block encrypted files", "Block files if scanning time exceeds (seconds)", "Block archive files if depth level exceeds", "Block archive files if unpacked content is larger than (MB)" and "Block files larger than (MB)".)
- Administrators can configure malware blocking behavior for:
  - Low, medium and high severity threats
  - Suspicious files
  - Corrupted files
  - Encrypted files
  - Archive bombs (too many depth levels or unpacked content too large)
  - Files that are too large
- Administrators have several options for configuring malware blocking behavior:
  - Low severity threats are potentially unwanted programs that might collect information about you or change how your computer works, but operate in agreement with the licensing terms displayed when you installed the software.
  - Medium severity threats are programs that could affect your computing experience, for example by collecting information or changing settings.
  - High severity threats are programs that are very likely to affect your privacy or damage your computer. Examples include collecting personal information or changing critical system settings, typically without your knowledge or consent.
  - Suspicious files display one or more characteristics or behaviors associated with known malware. Files reported as suspicious are often detected proactively and may not have been seen by Microsoft's analysts before. Files detected as suspicious are quarantined, and users may be prompted to submit them to Microsoft for further analysis, so that specific detection can be added if required.
  - Corrupted files have been modified in some way and may no longer function as intended. Whether they are blocked is configurable by the Forefront TMG administrator.
  - Encrypted files have been transformed using encryption into an unreadable format for the purposes of secrecy.
    Once encrypted, such data cannot be interpreted (by humans or machines) until it is decrypted. Malware may use encryption to make its code unreadable, a tactic that can prevent its detection and removal from the affected computer.
- Administrators can also use the malware inspection global settings to define a maximum size for files downloaded by users.
- For archive files, a maximum size can be set for the unpacked content.

Malware Inspection Per-rule Overrides
(Slide: rule properties dialog, Malware Inspection tab; not recoverable from the extraction.)
- Administrators can override the general malware inspection settings on a per-rule basis in the Web Access Policy.
- For instance, the administrator can define that a specific set of users is allowed to download larger files.

User Experience
(Slide: screenshot of the block page; not recoverable from the extraction.)
- The slide shows an example of what an end user might see when a file is blocked by malware inspection.
- In this example, the user is shown a Web page containing the name of the file and the reason it was blocked, including the name of the malware if applicable.

User Experience
- Progress notification: Forefront TMG sends an HTML page to the client computer, informing the user that the requested content is being inspected and displaying an indication of the download and inspection progress. After download and inspection are complete, the page informs the user that the content is ready, and displays a button for downloading it.

Lesson 5 - Intrusion Prevention
- This lesson provides a detailed overview of how Forefront TMG protects networks.
The Problem
- Unpatched vulnerabilities
  - Average survival time of an unpatched Windows XP machine: less than 20 minutes
  - About two percent of Windows machines are fully patched
- Vulnerability window
  - Increasing number of zero-days
  - Attackers craft exploits faster than customers can deploy patches
- Encryption and protocol tunneling (for example, HTTPS) are a complicated problem for a defense technology

- As the number of zero-day attacks at the network and application layer increases, we are constantly looking for ways to protect hosts and networks against exploitation of the discovered vulnerabilities.
- One of the key problems is that attackers can usually develop and use exploits for disclosed vulnerabilities faster than software vendors can develop patches and customers can deploy them.
- Reviewing past vulnerabilities shows that it can take up to a month from the initial attack reports to develop and release a patch, and another one to two weeks after release for the customer to deploy the patch across the vulnerable computers.
- This leaves a potential month-long window in which computers are vulnerable to attack and exploitation.

Defining an Intrusion Prevention System (IPS)
(Table reconstructed from the slide. Source: Host-Based Intrusion Prevention Systems (HIPS) Update, Gartner 2007.)

                     Allow Known Good       Block Known Bad                    Block Unknown Bad
  Execution Level    Application Control    Resource Shielding                 Behavioral Containment
  Application Level                         Application and AV Inspection      Application System Hardening
  Network Level      Network Firewall       Attack-Facing Network Inspection   Vulnerability-Facing Network Inspection

(The slide labels the vulnerability-facing network inspection cell as the place of the Network Inspection System.)

What is the motivation behind Network Inspection System (NIS)?
- As information workers find it more difficult to achieve anytime-anywhere access in a re-perimeterized world, ubiquitous and comprehensive protection for the outbound access scenario is paramount.
- Outbound access is defined as user-initiated network access, whether to the Internet or to the corporate network, regardless of application or protocol.
- End users predominantly access the Internet using a Web browser, which creates an easy attack surface for malicious hackers.
- The nature of the Web demands unique protections around protocol vulnerabilities, including HTTP and HTTPS as well as RPC, SMB, and the various mail protocols.
- A network intrusion prevention system (IPS) uses advanced traffic analysis and pattern matching techniques to identify known vulnerabilities being exploited over the network, and then blocks such attacks. This provides a level of protection for systems in the corporate network against exploitation of these vulnerabilities, particularly if those systems have not been patched yet and are still running vulnerable code.
- Intrusion prevention systems can also detect and block anomalies in network traffic, such as communications that do not follow the standard behavior expected in a particular protocol. This provides a degree of protection against unknown (zero-day) vulnerabilities for which the system does not yet have signatures, but also raises the chance of false positives.
- Forefront Network Inspection System (NIS) is Microsoft's response to this new and growing IT concern.
- In its first release, NIS is integrated with Forefront TMG as a component of its IPS offering.
- NIS uses signatures to detect known vulnerabilities being exploited over the network, and can also be configured to detect anomalies in commonly used network protocols.

Network Inspection System (NIS)
- Protocol-decode-based traffic inspection system that uses signatures of known vulnerabilities
- Vulnerability-based signatures (vs.
  exploit-based signatures used by competing solutions)
- Detects and optionally blocks attacks on network resources
- NIS helps organizations reduce the vulnerability window:
  - Protects machines against known vulnerabilities until a patch can be deployed
  - Signatures can be released and deployed much faster than patches, concurrently with the patch release, closing the vulnerability window
- Integrated into Forefront TMG
- Synergy with HTTPS Inspection

- NIS is a protocol-decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and optionally block attacks on network resources.
- Forefront TMG is the first release in which NIS provides comprehensive protection for network vulnerabilities. NIS was researched and developed by the NIS Response Team at the Microsoft Malware Protection Center, together with an operational signature distribution channel that enables dynamic distribution of signature snapshots.
- The main differentiator of NIS is signature quality (minimal false positives and false negatives) on Microsoft-focused vulnerabilities. NIS vulnerability signatures cover all variants of exploits that target a vulnerability, in contrast to exploit-specific detections, which are susceptible to evasion.

NIS Value Proposition
- NIS offers organizations the ability to protect internal systems against known vulnerabilities being exploited over the Internet connection, even if those systems are not yet patched against the vulnerabilities.
- Based on its signatures, NIS detects and blocks the exploit attempt before it reaches the internal systems.
- The turnaround time for a NIS signature is typically a matter of hours, compared to the days or weeks it may take for a software vendor to release an update that fixes a security vulnerability and for the organization to deploy it. By using NIS, organizations can reduce the window in which their systems are vulnerable to a publicly known security issue.
- NIS integrates with other Secure Web Gateway features, such as HTTPS Inspection, to provide comprehensive protection against Web threats.

NIS Use Case
(Slide: vulnerability discovered; MMPC prepares and tests the vulnerability signature; signature released by Microsoft and deployed through the distribution service on security patch release; all unpatched hosts behind Forefront TMG are protected.)
- To understand the value provided by NIS, assume the following hypothetical scenario:
  1. Working with law enforcement and other companies in the security industry, Microsoft learns that a previously unknown Internet Explorer vulnerability is being actively used on the Internet to infect machines with malware.
  2. The Microsoft Malware Protection Center (MMPC) reviews the vulnerability and writes a NIS signature that is able to detect attempts to exploit it.
  3. The signature is tested and validated to ensure that it effectively blocks exploitation of the vulnerability and does not cause false positives.
  4. After validation, the signature is distributed by Microsoft Update and WSUS servers to Forefront TMG, which receives and activates it.
  5. When a user in the corporate network connects to a malicious Web site that tries to exploit the vulnerability, NIS detects and blocks the exploit traffic. The user's desktop is not compromised, even though it does not yet have an update that fixes the vulnerability.
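The distinction the NIS slides draw between vulnerability-based and exploit-based signatures, shown on a toy protocol. This is an added example and not NIS or GAPA code: the text protocol, the hypothetical server whose NAME field overflows a 64-byte buffer, the published-exploit byte pattern, the evading variant and the parse-error handling are all constructed for the illustration. The point it makes is the one the deck makes: a signature for the exploit's bytes misses a variant that triggers the same bug, while a signature for the vulnerable condition catches both.

```python
"""Added example, not NIS code: exploit-based vs vulnerability-based signatures
over a constructed 'FIELD: value' text protocol.  The hypothetical server copies
the NAME value into a 64-byte buffer, so the overflow condition is simply
'NAME longer than 64 bytes'.  All samples below are constructed."""
import re

NAME_BUFFER = 64   # hypothetical server-side buffer that overflows


def parse(message):
    """Decode 'FIELD: value' lines into a dict; raise on protocol anomalies."""
    fields = {}
    for line in message.split(b"\r\n"):
        if not line:
            continue
        if b": " not in line:
            raise ValueError("malformed line: " + line[:20].decode("latin-1"))
        key, value = line.split(b": ", 1)
        fields[key.upper()] = value
    return fields


# Exploit-based: the byte pattern of one published exploit (NOP sled + padding).
EXPLOIT_PATTERN = re.compile(rb"\x90{8,}A{32,}")


def exploit_signature(message):
    """Match the known exploit bytes anywhere in the raw message."""
    return EXPLOIT_PATTERN.search(message) is not None


def vulnerability_signature(message):
    """Parse the protocol and test the condition the bug needs.

    Returns True/False for a well-formed message and None when the message
    cannot be parsed, which the parser reports as a protocol anomaly rather
    than a signature match (the Protocol Anomalies Policy covers that case)."""
    try:
        fields = parse(message)
    except ValueError:
        return None
    return len(fields.get(b"NAME", b"")) > NAME_BUFFER


def classify(message):
    """Run both signature styles over one message."""
    return {"exploit_sig": exploit_signature(message),
            "vuln_sig": vulnerability_signature(message)}


# Constructed samples.
BENIGN = b"NAME: contoso\r\nVERSION: 1\r\n"
PUBLISHED_EXPLOIT = b"NAME: " + b"\x90" * 16 + b"A" * 60 + b"\r\n"
VARIANT = b"NAME: " + b"\x41\x42" * 40 + b"\r\n"      # same bug, different bytes
ANOMALY = b"NAME contoso\r\n"                           # no ': ' separator

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("published exploit", PUBLISHED_EXPLOIT),
                       ("variant", VARIANT), ("anomaly", ANOMALY)]:
        print(label, classify(msg))
```

Two caveats a practitioner should keep in mind, both consistent with the deck: the vulnerability signature is only as good as the parser's view of the protocol, so an encoding the parser does not normalize the way the target does can still slip past it; and none of this applies to a TLS-wrapped channel unless the gateway terminates it, which is the "synergy with HTTPS Inspection" the slide refers to.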
Network Inspection System Powered by GAPA
- Generic Application Protocol Analyzer
- A framework and platform for safe and fast low-level protocol parsing
  - Supports extensibility and layering
  - Enables creating parsing-based rules for checking and applying specific conditions (for example, signatures)
- GAPA technology powers Microsoft's Network Inspection System (NIS)

- Motivated by the large number of application-level protocols and the new ones constantly emerging, Microsoft Research (MSR) has architected a Generic Application-level Protocol Analyzer (GAPA), consisting of a protocol specification language (GAPAL) and an analysis engine that operates on network streams and traces.
- GAPA allows rapid creation of protocol analyzers, greatly reducing the development time needed.
- Microsoft has implemented NIS, a signature-based IPS, on the basis of the GAPA research.
- Note: for more information on GAPA, read the MSR research paper at http://research.microsoft.com/pubs/70223/tr-2005-133.pdf

Network Inspection System Architecture
(Slide: design time: GAPA language, signatures and protocol parsers; run time: network interception and the GAPA run-time engine.)
- NIS signatures are developed using the GAPA Language. GAPAL is a domain-specific language that allows MMPC to rapidly and reliably develop protocol parsers that can detect anomalies, as well as signatures for vulnerabilities and exploits.
- GAPAL is compiled into intermediate code, which ships as a NIS signature and is distributed by Microsoft Update and WSUS servers.
- The GAPAL-generated intermediate code is processed by a GAPA run-time engine, which receives and inspects network traffic intercepted by Forefront TMG. The run-time engine uses the code to parse the traffic and detect anomalies and known vulnerabilities being exploited.
- If the administrator has configured Forefront TMG to join the Microsoft Telemetry Service, TMG reports signature matches and protocol parse errors back to Microsoft.
  This has two overall aims: to understand the current malware landscape, and to improve NIS signature quality.
- Microsoft Telemetry Service is an optional service that administrators can opt into during Forefront TMG installation.

Targeting 4 Hours
- The Microsoft Malware Protection Center identifies threats based on information received from various sources, including the Microsoft Telemetry Service.
- When Malware Protection or NIS identifies potential malware or an attack, it reports information about the identified attack to Microsoft.
- This information is stored by Microsoft and analyzed to help identify attack patterns and improve the precision and efficiency of threat mitigations.
- Based on this information, the MMPC develops a NIS signature for the vulnerability.
- This signature is tested to confirm that it properly identifies the threat and does not cause false positives, and is released through Microsoft Update. MMPC targets a four-hour turnaround time for this process.

Enabling and Configuring NIS
(Slide: Getting Started Wizard screenshot; not recoverable from the extraction.)
- NIS can be enabled as part of the initial Forefront TMG configuration in the Getting Started Wizard, or by using the Intrusion Prevention System node in the Forefront TMG console.
- In addition to enabling the NIS feature, the administrator also has to configure how Forefront TMG downloads NIS signatures from Microsoft.

Enabling the Network Inspection System
1. In the Forefront TMG Management console, in the tree, click the server name node.
2. On the Tasks tab, click Launch Getting Started Wizard.
3. Make a selection on the Microsoft Update Setup page, and click Next.
4. On the Forefront TMG Protection Features Settings page, verify that the license for NIS is set to Activate complementary license and enable Network Inspection System.
5. On the NIS Signature Update Configuration page, note the following:
   a. If you want to automatically install new signature sets, ensure that Check for and install updates (recommended) is selected.
   b. The Automatic polling frequency setting applies to NIS only. The polling frequency settings for other protections are located in the Update Center.
   c. The Effective response policy for new signatures setting applies to newly downloaded and installed signatures only. The setting is applied to each set of signatures that is downloaded. Any signature that is not set to the Microsoft default response is flagged as requiring attention on the Network Inspection System tab, which is located in the Intrusion Prevention System details pane.

Managing Signatures
- Before you can use Forefront TMG to block attacks on known vulnerabilities, you must download the latest NIS signature set. NIS signatures are created by the Microsoft Malware Protection Center (MMPC) and downloaded from Microsoft Update or Windows Server Update Services (WSUS).
- Note: NIS does not currently allow administrators or ISVs to create their own signatures.
- Administrators can see the list of signatures downloaded by Forefront TMG by clicking the Intrusion Prevention System node in the Forefront TMG console. The list is displayed in the Network Inspection System details pane, and can be grouped by properties such as protocol, severity, date published, and response type.
- Every signature contains a recommended policy defined by the Microsoft Malware Protection Center, which defines whether the signature should be enabled or disabled, and the action NIS takes when it finds a match:
  - Block: NIS detects and blocks attempts to exploit the vulnerability.
  - Detect only: exploit attempts are detected and logged by NIS, but not blocked. This setting is typically used to evaluate a signature for false positives.
- Administrators can override the recommended NIS response policy for an individual signature, for groups of signatures, or for the entire system, by using the Tasks tab in the Intrusion Prevention System node.

Configuring the Network Inspection System
- Administrators can configure NIS by selecting the Define Exceptions task on the Tasks tab. This opens the Network Inspection System (NIS) Properties window, which has the following tabs:
  - General: Provides the option to enable or disable NIS on the system.
  - Exceptions: Defines networks, computers, or site URLs whose traffic is excluded from NIS protection.
  - Definition Updates: Defines how frequently Forefront TMG polls Microsoft for NIS signature updates, and how NIS responds to new signatures. Administrators can choose to follow the recommendation provided by Microsoft, to use a detect-only response, or to disable each new signature until an administrator enables it.
  - Protocol Anomalies Policy: Administrators can use this tab to make NIS block any protocol anomalies (non-standard protocol behavior) detected on the network. This option helps protect organizations against unknown exploits, but increases the risk of false positives. It is disabled by default.

Other Network Protection Mechanisms
- Forefront TMG also includes other network protection mechanisms in addition to NIS:
  - Common OS attack detection
  - DNS attack filtering
  - IP option filtering
  - Flood mitigation

Common OS Attack Detection

Detection of Common Attacks
- Common attacks include the following:
  - Windows out-of-band (WinNuke) attack
    - An attacker launches an out-of-band denial-of-service (DoS) attack against a host protected by Forefront TMG.
    - If the attack is successful, it causes the computer to fail or causes a loss of network connectivity on vulnerable computers.
  - Land attack
    - An attacker sends a TCP SYN packet with a spoofed source IP address that matches the IP address of the targeted computer, and with a port number that is allowed by the Forefront TMG policy rules, so that the targeted computer tries to establish a TCP session with itself.
    - If the attack is successful, some TCP implementations could go into a loop, causing the computer to fail.
  - Ping of death
    - An attacker attaches a large amount of data, exceeding the maximum IP packet size, to an Internet Control Message Protocol (ICMP) echo (ping) request.
    - If the attack is successful, a kernel buffer overflows, causing the computer to fail.
  - IP half scan
    - An attacker repeatedly attempts to connect to a targeted computer, but does not send ACK packets in response to SYN/ACK packets. During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client that initiates the connection then responds with an ACK packet, and the connection is established. If the destination host is not listening on the specified port, it responds with an RST packet. Most system logs do not record a connection as completed until the final ACK packet is received from the source. Sending other types of packets that do not follow this sequence can elicit useful responses from the target host without causing a connection to be logged.
  - UDP bomb
    - An attacker attempts to send a User Datagram Protocol (UDP) datagram with illegal values in certain fields, which could cause some older operating systems to fail when the datagram is received. By default, no alert is configured for this type of attack.
  - Port scan
    - An attacker attempts to enumerate the services that are running on a computer by probing each port for a response. You can specify the number of ports that can be scanned before an event is generated.
- When Forefront TMG intrusion detection is enabled and offending packets are detected, they are dropped, and an event that triggers an Intrusion Detected alert is generated. By default, the Intrusion Detected alert is reset automatically after one minute, during which time Forefront TMG continues to block offending packets without issuing a new alert. You can configure this alert to send you an e-mail notification when it is triggered. You can also enable logging of the dropped packets.
- The name of each type of detected attack corresponds to an additional condition in the definition of the Intrusion Detected event. For each additional condition (type of attack), you can define and enable an alert that specifies the actions to be taken in response to the event; the alert is issued by the Microsoft Firewall service when all the conditions specified in the alert are met. The actions that can be triggered by an alert include sending an e-mail message, invoking a command, writing to a log, and starting or stopping Forefront TMG services.

DNS Attack Filtering
- Enables the following checks in DNS traffic:
  - DNS host name overflow: DNS response for a host name exceeding 255 bytes
  - DNS length overflow: DNS response for an IPv4 address exceeding 4 bytes
  - DNS zone transfer: DNS request to transfer zones from an internal DNS server
- The Forefront TMG Domain Name System (DNS) filter intercepts and analyzes all inbound DNS traffic that is destined for the internal network and other protected networks.
- If DNS attack detection is enabled, you can specify that the DNS filter checks for the following types of suspicious activity:
  - DNS host name overflow: When a DNS response for a host name exceeds 255 bytes, applications that do not check host name length may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.
  - DNS length overflow: When a DNS response for an IP address exceeds 4 bytes, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response.
  - DNS zone transfer: A client system uses a DNS client application to transfer zones from an internal DNS server.
- When offending packets are detected, they are dropped, and an event that triggers a DNS Intrusion alert is generated.
- You can configure the alerts to notify you that an attack was detected.
- When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered.
- By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually.

IP Options Filtering
- Forefront TMG can block IP packets based on the IP options set in the packet header.
  - Deny all packets with any IP options
  - Deny packets with the selected IP options
  - Deny packets with all except the selected IP options
- Forefront TMG can also block fragmented IP packets.
- Microsoft Forefront Threat Management Gateway can drop all IP packets with any IP option in their header, all IP packets that have any of a list of selected IP options in their header, or all IP packets whose header contains any IP option that is not in the list of selected IP options.
- Forefront TMG can also drop all IP fragments.

Flood Mitigation
- The Forefront TMG flood mitigation mechanism uses:
  - Connection limits that are used to identify and block malicious traffic.
  - Logging of flood mitigation events.
  - Alerts that are triggered when a connection limit is exceeded.
- The default configuration settings for flood mitigation help ensure that Forefront TMG continues to function under a flood attack.
- Forefront TMG classifies the traffic and provides different levels of service to different types of traffic.
- Traffic that is considered malicious (with intent to cause a flood attack) can be denied, while Forefront TMG continues to serve all other traffic.
- The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following:
  - Worm propagation: An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port.
    Resources are depleted at an accelerated rate if there are policy rules based on Domain Name System (DNS) names, which require a reverse DNS lookup for each IP address.
  - TCP flood attacks: An offending host establishes numerous TCP connections with a Forefront TMG server or with victim servers protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections in an attempt to elude the counters. This consumes a large amount of resources.
  - SYN attacks: An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.
  - HTTP denial-of-service attacks: A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. Because the Forefront TMG Web proxy authenticates every request, this consumes a large amount of Forefront TMG resources.
  - Non-TCP distributed denial-of-service (DDoS) attacks: A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.
  - UDP flood attacks: An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.

Connection Limits
- Forefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic handled by the Microsoft Firewall service.
- Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web Proxy clients in forward proxy scenarios, and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios.
- The mechanism helps prevent flood attacks from specific IP addresses, and helps administrators identify IP addresses that generate excessive traffic, which might be a symptom of a worm or other malware infection.
- A connection limit policy can be configured for an array or for a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits:
  - Connection limits that establish how many TCP connect requests and HTTP requests are allowed during one minute from a single IP address that is not included in the list of IP address exceptions.
  - Connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address that is not included in the list of IP address exceptions. These include connection limits for TCP connections, UDP sessions, and ICMP and other raw IP connections.
  - Custom connection limits that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, UDP sessions, and ICMP and other raw IP connections.

Questions

Lab 2: Secure Web Gateway
In this lab, you will:
- Create web access policies for Contoso users, including inspection of HTTPS sessions
- Modify web access policy to include protection from malware
- Investigate the Network Inspection System (NIS)

Lab 2 - Exercises 3, 4, and 5
Estimated Completion Time: 60 min
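The per-IP quota logic described under Flood Mitigation and Connection Limits above, written out as an added example (not Forefront TMG code): a rolling one-minute connect-request counter and a concurrent-connection cap, with a custom pair of limits for addresses on the IP exception list, and an alert record for each denial. The IP addresses and the limit values are constructed for the demo; the page does not state TMG's default limits, so none are implied here.

```python
from collections import defaultdict, deque

class ConnectionLimiter:
    """Per-source-IP quotas: connect requests per rolling 60 s window and concurrent
    open connections. IPs in `exceptions` (published servers, chained proxies, NAT
    routers) use the custom pair. Limit values here are constructed, not TMG defaults."""

    def __init__(self, per_minute, concurrent, exceptions=(), custom=(None, None)):
        self.default, self.custom = (per_minute, concurrent), custom
        self.exceptions = set(exceptions)
        self.requests = defaultdict(deque)   # ip -> timestamps of allowed connects
        self.open_conns = defaultdict(int)   # ip -> currently open connections
        self.alerts = []                     # (ts, ip, reason), feeds the alert path

    def connect(self, ip, ts):
        """Decide a connect request from `ip` at time `ts` (seconds): 'allow' or 'deny'."""
        per_minute, concurrent = self.custom if ip in self.exceptions else self.default
        window = self.requests[ip]
        while window and ts - window[0] >= 60:   # expire requests older than one minute
            window.popleft()
        # An open-and-close-immediately flood keeps concurrency low; the per-minute
        # request counter, checked first, is what catches it.
        if len(window) >= per_minute:
            self.alerts.append((ts, ip, "connect requests per minute exceeded"))
            return "deny"
        if self.open_conns[ip] >= concurrent:
            self.alerts.append((ts, ip, "concurrent connections exceeded"))
            return "deny"
        window.append(ts)
        self.open_conns[ip] += 1
        return "allow"

    def close(self, ip):
        self.open_conns[ip] = max(0, self.open_conns[ip] - 1)   # free the slot

def run_demo():
    """Constructed traffic: a worm-like scanner, a chained proxy on the exception
    list behaving the same way, and a client that holds its connections open."""
    lim = ConnectionLimiter(per_minute=5, concurrent=3,
                            exceptions={"10.0.0.2"}, custom=(50, 20))
    scanner, proxy = [], []
    for t in range(8):                          # 8 connects in 8 s, each closed at once
        for ip, log in (("10.0.0.9", scanner), ("10.0.0.2", proxy)):
            log.append(lim.connect(ip, t))
            lim.close(ip)
    held = [lim.connect("10.0.0.5", 100 + i) for i in range(4)]   # never closed
    return {"scanner": scanner, "proxy": proxy, "held": held,
            "scanner_after_window": lim.connect("10.0.0.9", 70),
            "alerts": [reason for _, _, reason in lim.alerts]}
```

The scanner is denied by the per-minute counter even though it never holds more than one connection open, the excepted proxy passes under its custom limit, and the client holding connections is stopped by the concurrency cap; once the window has expired the scanner is admitted again.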
