
Private Cloud Security via Forefront TMG 2010

Esmaeil Sarabadani
Systems and Security Consultant

What's going to be covered


Overview of the Public and Private Cloud
Public and Private Cloud Security Concerns
Data Isolation in Microsoft Cloud
The Geographical Location of Data
An Overview of Forefront Threat Management Gateway 2010
Virtualization of TMG in the Cloud
TMG Network Inspection System
TMG HTTPS Inspection
TMG Firewall Features
Securing Remote Access to your Private Cloud

What is the cloud?!!


It's nothing supernatural. It's been with you for a long time. Even our grandparents are using it now. It's used for social activities, entertainment, business and much more. It could be more secure than your own PCs.


Private Cloud

Public Cloud

Whatever

Public Cloud
Security Concerns

Where is my data located?
Isolation of customers' data from one another
Denial of Service (DoS) attacks
Exploitation of software vulnerabilities
Authentication, Authorization or Auditing of access to cloud services

Public Cloud
Security Concerns

Choose where to store your data

Public Cloud
Data Isolation
[Diagram: Host VM and three Guest VMs on a Hypervisor over Physical Hardware; the VMs are labelled Healthy, Healthy, Healthy and Hacked, with a "No Access" marker]

Public Cloud
Network Security
Differentiating between legitimate and illegitimate traffic is quite challenging.
[Diagram: Hackers sending traffic towards the Microsoft Public Cloud (many VMs on Hypervisors), with the question "Analysis: Malicious Traffic?!!"]

Private Cloud
Security Concerns

Isolation of VMs from one another
You are the only one responsible for the security of the cloud
Attacks from inside the cloud
Huge attacks from the Internet, such as DoS or DDoS
Authentication, Authorization or Auditing of access to cloud services

Forefront
Threat Management Gateway 2010
Network Inspection System
Web Anti-malware
HTTPS Inspection
Builds on ISA Server 2006
Active Directory Integration
Custom Reports
Can be virtualized

Demo
An Overview on TMG

Software vs. Hardware


Are hardware firewalls more secure than software firewalls?

Software vs. Hardware


Hardware firewalls are all software-based but only come in a hardware package.

Virtualization of TMG
Data transmission between the private and public clouds.
[Diagram: Internet, and a Private Cloud with a Host VM, Guest VMs and a Guest TMG VM on a Hypervisor. Notes: the TMG VM is the edge gateway and FW, the only Guest connected to the Internet, and has at least two virtual NICs; the Host VM is not connected to the Internet]
[Diagram: Private Cloud with several Hypervisors on Physical Hardware, each running a Host VM, Guest VMs and a TMG VM with two virtual NICs]
Data transmission inside the private cloud.

Demo
Virtualization of TMG

Virtualization of TMG
Best Practices
Always disconnect the Host VM from the Internet
All the traffic to the Internet must pass through the VM with TMG
If there are multiple hypervisors (physical servers), the traffic between VMs in different physical servers should be filtered using TMG
The virtual switch connecting the VMs in every physical server must be Private
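The four best practices above are easy to state and easy to drift away from once more hypervisors and guests are added. The following script is an added example, not code from the presentation or from TMG itself: it audits a constructed inventory (the hypervisor, VM, switch and role names, and the "type"/"internet" switch attributes, are all assumptions for the example) against those practices and returns a finding code for every violation. The "Private" switch type stands for a virtual switch that only guests can reach; anything else is treated as reachable from outside the guest network.

```python
"""Audit a constructed virtualization inventory against the TMG best practices.
Inventory layout, names and attribute values are invented for this example."""

# Constructed inventory that follows the practices: two physical servers, each
# with its own TMG guest holding an external (Internet) NIC and a private NIC.
GOOD_INVENTORY = {
    "hypervisors": {
        "hv-01": {
            "switches": {
                "vswitch-ext": {"type": "External", "internet": True},
                "vswitch-int": {"type": "Private", "internet": False},
            },
            "vms": {
                "host-01": {"role": "host", "nics": []},                          # parent partition, offline
                "tmg-01": {"role": "tmg", "nics": ["vswitch-ext", "vswitch-int"]},  # edge gateway and FW
                "app-01": {"role": "guest", "nics": ["vswitch-int"]},
                "db-01": {"role": "guest", "nics": ["vswitch-int"]},
            },
        },
        "hv-02": {
            "switches": {
                "vswitch-ext": {"type": "External", "internet": True},
                "vswitch-int": {"type": "Private", "internet": False},
            },
            "vms": {
                "host-02": {"role": "host", "nics": []},
                "tmg-02": {"role": "tmg", "nics": ["vswitch-ext", "vswitch-int"]},
                "web-02": {"role": "guest", "nics": ["vswitch-int"]},
            },
        },
    }
}

# Constructed inventory that breaks several practices at once.
BAD_INVENTORY = {
    "hypervisors": {
        "hv-03": {
            "switches": {
                "vswitch-ext": {"type": "External", "internet": True},
                "vswitch-lan": {"type": "Internal", "internet": False},  # host can also reach this switch
            },
            "vms": {
                "host-03": {"role": "host", "nics": ["vswitch-ext"]},     # host exposed to the Internet
                "tmg-03": {"role": "tmg", "nics": ["vswitch-ext"]},       # one NIC only, no inside leg
                "app-03": {"role": "guest", "nics": ["vswitch-lan"]},     # guest on a non-Private switch
            },
        }
    }
}


def audit(inventory):
    """Return a list of 'CODE:hypervisor/vm' findings; an empty list means compliant."""
    findings = []
    for hv_name, hv in inventory["hypervisors"].items():
        switches = hv["switches"]
        tmg_edges = 0
        for vm_name, vm in hv["vms"].items():
            where = "%s/%s" % (hv_name, vm_name)
            attached = [switches[s] for s in vm["nics"]]
            on_internet = any(s["internet"] for s in attached)
            on_shared = any(s["type"] != "Private" for s in attached)
            if vm["role"] == "host":
                # Practice 1: the Host VM must never be connected to the Internet.
                if on_internet:
                    findings.append("HOST-INTERNET:" + where)
            elif vm["role"] == "tmg":
                # The TMG guest is the edge: one leg outside, one leg on the private switch.
                if len(vm["nics"]) < 2:
                    findings.append("TMG-NIC-COUNT:" + where)
                if not on_internet:
                    findings.append("TMG-NO-EDGE:" + where)
                else:
                    tmg_edges += 1
                if not any(s["type"] == "Private" for s in attached):
                    findings.append("TMG-NO-INTERNAL:" + where)
            else:
                # Practices 2-4: ordinary guests live only on Private switches, so every
                # path to the Internet or to another physical server crosses TMG.
                if on_shared:
                    findings.append("GUEST-BYPASSES-TMG:" + where)
        if tmg_edges == 0:
            findings.append("NO-TMG-EDGE:" + hv_name)
    return sorted(findings)


if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        print(label, audit(inv) or "compliant")
```

The audit treats any switch that is not Private as a possible bypass; that is deliberately strict, because a guest that shares an External or Internal switch with another server, or with the host, has a path that TMG never sees.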

Network Inspection System

Inspects the traffic for exploits of vulnerabilities
With the minimum number of false positives
Has a repository to store signatures for different types of attacks and can update the repository
Able to create inspection exceptions for some parts of the network

Demo
TMG Network Inspection System

HTTPS Inspection
It acts as a man-in-the-middle between the two SSL connection parties
It can inspect inside SSL-encrypted traffic
It looks for possible malware or exploits inside an SSL connection

Demo
TMG HTTPS Inspection

TMG Firewall Features


Multi-Layer Firewall. It provides access control and protection on three layers:
  Packet filtering
  Stateful inspection
  Application layer filtering
DoS Protection
Supports many protocols, and new protocols can be defined
Granular HTTP Control:
  File Download Controls
  Signature Based Blocking
  HTTP Method Control
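To make the three layers and the NIS slide concrete, here is an added example (not code from the presentation or from TMG) that runs constructed traffic through a packet filter, a stateful connection table, and an application-layer stage with HTTP method control, file download control and signature-based blocking, with an exception network that skips signature inspection. The rules, signature IDs, patterns, addresses and packet layout are all invented for the example; a real NIS repository holds vendor-maintained signatures and is updated through the product, which `update_signatures` only stands in for.

```python
"""Layered inspection of constructed traffic, modelling the three TMG firewall
layers plus NIS-style signature matching. Everything here is example data."""
import ipaddress
import re

# Layer 1: packet filter rules on header fields only (constructed).
PACKET_RULES = [{"proto": "tcp", "dport": 80}, {"proto": "tcp", "dport": 443}]

# Layer 3: application-layer policy (constructed).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}          # HTTP Method Control
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat")      # File Download Controls

# NIS-style signature repository: (signature id, pattern applied to the request line).
SIGNATURES = [
    ("SIG-CONSTRUCTED-0001", re.compile(r"\.\./")),        # directory traversal in the URL
    ("SIG-CONSTRUCTED-0002", re.compile(r"(?i)<script")),  # script tag injected into the URL
]
# Parts of the network exempted from signature inspection, e.g. an internal scanner subnet.
NIS_EXCEPTIONS = [ipaddress.ip_network("10.10.50.0/24")]


def make_packet(src, sport, dport, syn=False, http=None):
    """Constructed packet record; 'http' carries the parsed request when present."""
    return {"src": src, "sport": sport, "dst": "10.0.0.10", "dport": dport,
            "proto": "tcp", "syn": syn, "http": http}


class LayeredFirewall:
    def __init__(self, rules=PACKET_RULES, signatures=SIGNATURES, exceptions=NIS_EXCEPTIONS):
        self.rules = list(rules)
        self.signatures = list(signatures)
        self.exceptions = list(exceptions)
        self.state = set()  # established flows as 5-tuples

    def update_signatures(self, new_signatures):
        """Stand-in for refreshing the signature repository."""
        self.signatures.extend(new_signatures)

    def inspect(self, pkt):
        """Return (verdict, reason) for one packet, stopping at the first layer that decides."""
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if pkt["syn"]:
            # Layer 1: a new connection is judged on protocol and destination port.
            if not any(r["proto"] == pkt["proto"] and r["dport"] == pkt["dport"] for r in self.rules):
                return ("drop", "packet-filter: no rule for %s/%d" % (pkt["proto"], pkt["dport"]))
            self.state.add(flow)
            return ("allow", "stateful: new connection recorded")
        # Layer 2: mid-stream packets must belong to a connection we saw being opened.
        if flow not in self.state:
            return ("drop", "stateful: no matching connection")
        http = pkt["http"]
        if http is None:
            return ("allow", "stateful: established")
        # Layer 3: application-layer filtering of the HTTP request.
        if http["method"] not in ALLOWED_METHODS:
            return ("drop", "http-method: %s not permitted" % http["method"])
        path_only = http["path"].split("?", 1)[0]
        if path_only.lower().endswith(BLOCKED_EXTENSIONS):
            return ("drop", "download-control: blocked extension")
        # NIS-style signature matching, skipped for exempted source networks.
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in self.exceptions):
            return ("allow", "nis-exempt: source network excluded from inspection")
        request_line = "%s %s" % (http["method"], http["path"])
        for sig_id, pattern in self.signatures:
            if pattern.search(request_line):
                return ("drop", "nis: signature %s matched" % sig_id)
        return ("allow", "inspected: clean")


# Constructed sample traffic, in arrival order.
SAMPLE_TRAFFIC = [
    make_packet("203.0.113.5", 40001, 22, syn=True),                                   # SSH from outside
    make_packet("203.0.113.5", 40002, 80, syn=True),                                   # new HTTP connection
    make_packet("203.0.113.5", 40002, 80, http={"method": "GET", "path": "/index.html"}),
    make_packet("203.0.113.5", 40003, 80, http={"method": "GET", "path": "/index.html"}),  # no handshake seen
    make_packet("203.0.113.5", 40002, 80, http={"method": "DELETE", "path": "/index.html"}),
    make_packet("203.0.113.5", 40002, 80, http={"method": "GET", "path": "/tools/setup.exe?v=2"}),
    make_packet("203.0.113.5", 40002, 80, http={"method": "GET", "path": "/static/../../config"}),
    make_packet("10.10.50.7", 40004, 80, syn=True),                                    # exempted subnet
    make_packet("10.10.50.7", 40004, 80, http={"method": "GET", "path": "/static/../../config"}),
]


def run_sample(traffic=SAMPLE_TRAFFIC):
    """Inspect the sample traffic with a fresh firewall and return the (verdict, reason) pairs."""
    fw = LayeredFirewall()
    return [fw.inspect(p) for p in traffic]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_TRAFFIC, run_sample()):
        print(verdict.upper().ljust(5), pkt["src"], pkt["dport"], reason)
```

Note the order of the stages: the cheap header check runs first, the connection table next, and the expensive signature matching last and only on traffic that is already permitted, which is also why the exception list narrows false positives from a trusted subnet without opening the packet filter for it.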

Demo
TMG Firewall Features

Securing Remote Access to your Private Cloud


Active Directory Integration for Authentication, Authorization, Auditing
[Diagram: VPN Client connecting through TMG into the Private Cloud, which contains an Active Directory RODC and Outlook Web Access]

Securing Remote Access to your Private Cloud


Remote Access VPN by PPTP, L2TP/IPsec and SSTP
Inspection of VPN traffic
Integration with Active Directory
Integration with Network Access Protection and VPN Quarantine
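The two remote-access slides combine authentication, authorization and auditing against Active Directory with a NAP health check that quarantines unhealthy clients. The script below is an added example, not code from the presentation or from TMG: it models that decision flow over a constructed directory snapshot (users, groups, password hashes, the group-to-network mapping, the remediation network and the health attributes are all assumptions for the example), and keeps an audit record of every connection attempt. The VPN protocol names are the three the slide lists.

```python
"""Remote-access decision flow: authenticate, authorize, health-check, audit.
Directory contents, networks and health fields are constructed for this example."""
import hashlib
import hmac
import os

SUPPORTED_PROTOCOLS = {"PPTP", "L2TP/IPsec", "SSTP"}
REMEDIATION_NETWORK = "10.0.99.0/24"   # constructed: update and anti-malware servers only
MAX_SIGNATURE_AGE_DAYS = 7


def hash_password(password, salt=None):
    """PBKDF2 so the constructed directory never holds plaintext secrets."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, stored):
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Constructed snapshot standing in for the Active Directory (RODC) on the slide.
DIRECTORY = {
    "alice": {"groups": {"VPN-Users", "Finance"}, "secret": hash_password("correct horse battery staple")},
    "bob": {"groups": {"Finance"}, "secret": hash_password("hunter2")},
    "carol": {"groups": {"VPN-Users", "VPN-Admins"}, "secret": hash_password("orbit-lantern-42")},
}
# Authorization: which networks a group may reach over the VPN (constructed).
ACCESS_BY_GROUP = {"VPN-Users": ["10.0.10.0/24"], "VPN-Admins": ["10.0.0.0/16"]}
# Used when the user does not exist, so unknown and known accounts take the same time.
DUMMY_SECRET = hash_password("not-a-real-password")

HEALTHY_CLIENT = {"firewall_enabled": True, "av_signature_age_days": 1, "updates_current": True}


def health_failures(health):
    """NAP-style statement-of-health evaluation; an empty list means compliant."""
    failures = []
    if not health.get("firewall_enabled"):
        failures.append("host firewall disabled")
    if health.get("av_signature_age_days", 999) > MAX_SIGNATURE_AGE_DAYS:
        failures.append("anti-malware signatures stale")
    if not health.get("updates_current"):
        failures.append("security updates missing")
    return failures


class RemoteAccessGateway:
    def __init__(self, directory=DIRECTORY, access_by_group=ACCESS_BY_GROUP):
        self.directory = directory
        self.access_by_group = access_by_group
        self.audit_log = []  # every attempt, whatever the outcome

    def _record(self, user, protocol, decision, reason, networks=()):
        entry = {"user": user, "protocol": protocol, "decision": decision,
                 "reason": reason, "networks": list(networks)}
        self.audit_log.append(entry)
        return dict(entry)

    def connect(self, user, password, protocol, health):
        """Return the decision for one VPN connection attempt."""
        if protocol not in SUPPORTED_PROTOCOLS:
            return self._record(user, protocol, "deny", "unsupported VPN protocol")
        account = self.directory.get(user)
        # Authentication: a wrong password and an unknown user get the same answer.
        secret = account["secret"] if account else DUMMY_SECRET
        if not verify_password(password, secret) or account is None:
            return self._record(user, protocol, "deny", "authentication failed")
        # Authorization: reachable networks follow from group membership.
        networks = sorted({n for g in account["groups"] for n in self.access_by_group.get(g, [])})
        if not networks:
            return self._record(user, protocol, "deny", "no VPN-enabled group membership")
        # Health check: a non-compliant client is quarantined to remediation, not refused.
        failures = health_failures(health)
        if failures:
            return self._record(user, protocol, "quarantine", "; ".join(failures), [REMEDIATION_NETWORK])
        return self._record(user, protocol, "allow", "authenticated, authorized, healthy", networks)


if __name__ == "__main__":
    gw = RemoteAccessGateway()
    gw.connect("alice", "correct horse battery staple", "SSTP", HEALTHY_CLIENT)
    gw.connect("alice", "correct horse battery staple", "PPTP",
               {"firewall_enabled": False, "av_signature_age_days": 30, "updates_current": True})
    for entry in gw.audit_log:
        print(entry)
```

The quarantine branch is the point of the NAP integration: the user has already proven who they are and what they may reach, so the gateway answers with a restricted network instead of a refusal, and the audit entry records why.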

Demo
TMG Secure Remote Access

Thank You Q&A

void contact() {
  e-mail Address: e.sarabadani@gmail.com
  My Blog: http://esihere.wordpress.com/
  Twitter: http://www.twitter.com/esmaeils
}
