50357 a enu-module02

Nov 12, 2014
Page 1: 50357 a enu-module02

Module 2: Secure Web Gateway

© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.

Page 2: 50357 a enu-module02

Module Overview

Secure Web Gateway overview

HTTPS inspection

URL filtering

Malware protection

Intrusion prevention

Page 3: 50357 a enu-module02

Lesson 1 – Secure Web Gateway Overview

Page 4: 50357 a enu-module02

What is a Secure Web Gateway (SWG)?

“A SWG is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, malicious code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype.”

Gartner Secure Web Gateway Magic Quadrant, August 2008

Page 5: 50357 a enu-module02

The Growing Market Potential

Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth

[Chart: SWG market size for 2008 to 2012, split by delivery model (SaaS, Appliance, Software); vertical axis 0 to 3000]

Source: Gartner Secure Web Gateway Magic Quadrant, August 2008

Page 6: 50357 a enu-module02

The Competitive Landscape

[Pie chart of SWG market share by vendor: Websense, Trend, Microsoft, McAfee/Secure Computing, Blue Coat, Other; slice labels as extracted: 19%, 12%, 6%, 5%, 3%, 54%]

Page 7: 50357 a enu-module02

Forefront TMG as a Secure Web Gateway

Integrated

Competitive Feature Set: URL Filtering, Malware Inspection, NIS

Easily Manageable: Web Access Wizard, Task Oriented Policy Management, Directory Services Integration, Licensing

Scalable: Array Support, Load balancing

Logging & Reporting Support: New reports, log fields

Page 8: 50357 a enu-module02

Secure Web Gateway Layered Security

[Diagram of the layered stack: Windows Server® 2008 / R2; Application Layer Proxy; Logging & Reporting; Network Inspection System; URL Filtering; HTTPS Inspection; Malware Inspection]

Unifies inspection technologies to:

Protect against multi-channel threats

Simplify deployment

Keeps security up to date with updates to:

Web antimalware

URL filtering

Network Inspection System

Page 9: 50357 a enu-module02

Threats and Controls

[Table: rows are threats (Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control); columns are controls (Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS); each cell is marked Full, Partial or Enabler; the cell markings were graphics and are not reproduced]

Page 10: 50357 a enu-module02

Lesson 2 – HTTPS Inspection

Page 11: 50357 a enu-module02

Threats and Controls (table repeated from Page 9)

Page 12: 50357 a enu-module02

Traditional SSL Security

Web browser sends a CONNECT request to the Web proxy:

CONNECT host_name:port HTTP/1.1

Web proxy allows the request to be sent to the TCP port specified in the request

Proxy informs the client that the connection is established

Client sends encrypted packets directly to the destination on the specified port without proxy mediation

What lies within this encrypted tunnel?

Page 13: 50357 a enu-module02

Forefront TMG HTTPS Traffic Inspection

HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats

Trusted certificate generated by proxy matching the URL expected by the client

[Diagram: client to TMG over SSL, TMG to Internet over SSL. Client side: Contoso.com certificate signed by TMG. Internet side: Contoso.com certificate signed by VeriSign. Inspection at TMG: URL Filtering, Malware Inspection, Network Inspection System]

Page 14: 50357 a enu-module02

Enabling HTTPS Traffic Inspection

[Diagram: Contoso.com certificate signed by TMG on the client side; Contoso.com certificate signed by VeriSign on the Internet side]

Certificate deployment (via Active Directory® or Import/Export)

Configure HTTPS Inspection:
• Proxy certificate generation/import and customization
• Source and destination exclusions
• Validate only option
• Notification

Client notifications about HTTPS inspection (via Firewall client)

Certificate validation (revocation, trusted, expiration validation, etc.)

Page 15: 50357 a enu-module02

Generating the HTTPS Inspection Certificate

The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA

Administrators can customize the self-generated certificate

Commercial CAs will not typically issue HTTPS inspection certificates

HTTPS inspection certificate stored in the configuration store

Used by all array members

Page 16: 50357 a enu-module02

Deploying the HTTPS Inspection Certificate

Two methods can be used to enable clients to trust the HTTPS Inspection Certificate

Automatically through Active Directory (AD), will use AD trusted root store to configure trust for all clients in the AD forest

Requires Forefront TMG to be deployed in a domain environment

Will not work for browsers that do not use the Windows certificate store for trust

Manually on each computer, using root certificate installation procedure required by the browser

Page 17: 50357 a enu-module02

How HTTPS Inspection Works

Setup: Enable HTTPS inspection; Generate trusted root certificate; Install trusted root certificate on clients

Client requests https://contoso.com

1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for client
8. Bridge HTTPS traffic between client and server

[Diagram: contoso.com certificate signed by VeriSign on the server side; Contoso.com certificate signed by TMG on the client side]
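The certificate work in steps 2 to 5, as an added Go example written for this page (illustrative, not TMG's implementation): the proxy copies the identity of the validated origin certificate into a new leaf, signs it with its own root, and a client accepts that leaf only if the root is in its trust store, which is the deployment step on Page 16. All keys, CAs and host names are constructed inside the code; "Public CA" stands in for the slide's VeriSign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs tmpl under parent with signer's key; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newRoot makes a self-signed CA: the public CA (the slide's "VERISIGN") or the TMG inspection root.
func newRoot(cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return issue(t, t, &key.PublicKey, key)
}

// leafFrom is steps 3-4 of the slide: a fresh server-auth leaf that carries the
// identity and validity period of src; the key pair is supplied by the caller.
func leafFrom(src *x509.Certificate) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: src.Subject, DNSNames: src.DNSNames,
		NotBefore: src.NotBefore, NotAfter: src.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}
// trusts is the browser's check: does leaf chain to root for host?
func trusts(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Demo runs the flow for contoso.com with constructed keys and reports whether the origin cert
// chains to the public CA, the proxy cert to the TMG root, and the proxy cert to a store holding only the public CA.
func Demo() (originOK, proxyOK, proxyWithoutTMGRoot bool) {
	keys := make([]*ecdsa.PrivateKey, 4) // public CA, TMG root, origin server, proxy leaf
	for i := range keys {
		keys[i] = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	publicCA, tmgRoot := newRoot("Public CA (constructed)", keys[0]), newRoot("TMG Root (constructed)", keys[1])
	origin := issue(leafFrom(&x509.Certificate{Subject: pkix.Name{CommonName: "contoso.com"},
		DNSNames: []string{"contoso.com"}, NotBefore: publicCA.NotBefore, NotAfter: publicCA.NotAfter}),
		publicCA, &keys[2].PublicKey, keys[0]) // the chain that step 2 validates
	proxy := issue(leafFrom(origin), tmgRoot, &keys[3].PublicKey, keys[1]) // step 5
	return trusts(origin, publicCA, "contoso.com"), trusts(proxy, tmgRoot, "contoso.com"),
		trusts(proxy, publicCA, "contoso.com")
}
```

The third result is the failure mode of Page 16: a browser with its own trust store, or an unmanaged machine, sees the proxy leaf as signed by an unknown authority.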

Page 18: 50357 a enu-module02

Scenario Walkthrough

Contoso Web Access Policy

No browsing to sites that pose security or liability risks, but...

Researchers need access to gambling sites

This includes access to encrypted archives

Malware Inspection should be enabled for all Web traffic

HTTPS Inspection should be enabled, with user notifications

Deny all Web downloads larger than 500MB

Page 19: 50357 a enu-module02

Configuring HTTPS Inspection

Page 20: 50357 a enu-module02

Configuring HTTPS Inspection

Page 21: 50357 a enu-module02

Configuring HTTPS Inspection

Page 22: 50357 a enu-module02

HTTPS Inspection Notifications

Notification provided by Forefront TMG client

Notify user of inspection

History of recent notifications

Management of Notification Exception List

May be a legal requirement in some geographies

Page 23: 50357 a enu-module02

HTTPS Inspection Notification: User Experience

Page 24: 50357 a enu-module02

Lesson 3 – URL Filtering

Page 25: 50357 a enu-module02

Threats and Controls (table repeated from Page 9)

Page 26: 50357 a enu-module02

Forefront TMG URL Filtering

• 91 built-in categories
• Predefined and administrator defined category sets
• Integrates leading URL database providers
• Subscription-based
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule, deny messages

[Diagram: TMG queries the Microsoft Reputation Service (URL DB) for traffic to the Internet]

Page 27: 50357 a enu-module02

URL Filtering Benefits

Control user web access based on URL categories

Protect users from known malicious sites

Reduce liability risks

Increase productivity

Reduce bandwidth and Forefront TMG resource consumption

Analyze Web usage

Page 28: 50357 a enu-module02

Microsoft Reputation Service

Accuracy:

Comprehensive and flexible category taxonomy

Broad coverage through path inheritance

Overlapping and complementary URL metadata sources

Accuracy measured and tuned across providers (Weighting)

Telemetry-based error reporting and client data capture

Unknowns ranked and resolved based on prevalence

Performance:

Four-tier architecture

Protocol-level packaging

Bloom filters

Availability:

Globally-scaled, fault-tolerant architecture

Multi-layer dynamic caching (On-premise + Service)

Page 29: 50357 a enu-module02

What Makes MRS Compelling?

Existing URL filtering solutions:

Single vendor can't be expert in all categories

Categorization response time

MRS unique architecture:

MRS merges URL databases from multiple sources/vendors

Multi-vendor AV analogy

Based on Microsoft internal sources as well as collaboration with third party partners

Scalable

Ongoing collaborative effort:

Recently announced an agreement with Marshal8e6

More announcements to follow

Page 30: 50357 a enu-module02

How Forefront TMG Leverages MRS

[Diagram: TMG (Policy, Categorizer, Cache, Fetch URL) sends Query (URL) over SSL to MRS in Microsoft Datacenters; MRS runs a Federated Query across Multiple Vendors; a separate Telemetry Path (also SSL) carries feedback]

• Fetch on cache miss
• SSL for auth & privacy
• No PII

Cache:
• Persistent
• In-memory
• Weighted TTL

Feedback mechanism on Category overrides

Combines with Telemetry Data

Page 31: 50357 a enu-module02

URL Filtering Categories

Liability

Security

Productivity

Page 32: 50357 a enu-module02

Categories and Inheritance

Page 33: 50357 a enu-module02

URL Filtering Policy

URL categories are standard network objects

Administrator can create custom URL category sets

Page 34: 50357 a enu-module02

URL Filtering Policy

Page 35: 50357 a enu-module02

Scenario Walkthrough

Contoso Web Access Policy

No browsing to sites that pose security or liability risks, but...

Researchers need access to gambling sites

This includes access to encrypted archives

Malware Inspection should be enabled for all Web traffic

HTTPS Inspection should be enabled, with user notifications

Deny all Web downloads larger than 500MB

Page 36: 50357 a enu-module02

Contoso’s Web Access Policy

Access rule allowing users in the Research group to access gambling and gambling-related sites

Access rule denying everyone access to Liability and Security sites

Page 37: 50357 a enu-module02

Per-rule Customization

TMG administrator can customize denial message displayed to the user on a per-rule basis

Add custom text or HTML

Redirect the user to a specific URL

Page 38: 50357 a enu-module02

URL Filtering Configuration

Page 39: 50357 a enu-module02

Category Query

Administrator can use the URL Filtering Settings dialog box to query the URL filtering database

Enter the URL or IP address as input

The result and its source are displayed on the tab

Page 40: 50357 a enu-module02

URL Category Override

Administrator can override the categorization of a URL

Feedback to MRS via Telemetry

Page 41: 50357 a enu-module02

User Experience

http://www.phishingsite.com

Page 42: 50357 a enu-module02

User Experience

HTML tags

Page 43: 50357 a enu-module02

Lesson 4 – Malware Protection

Page 44: 50357 a enu-module02

Threats and Controls (table repeated from Page 9)

Page 45: 50357 a enu-module02

HTTP Malware Inspection

• Integrates Microsoft Antivirus engine
• Signature and engine updates
• Subscription-based
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files…)
• Logging and reporting support
• Web Access Wizard integration

Third party plug-ins can be used (native Malware inspection must be disabled)

Content delivery methods by content type

[Diagram: Signatures DB updated from MU or WSUS; TMG between clients and the Internet]

Page 46: 50357 a enu-module02

Content Trickling

[Sequence diagram with Firewall Service, Web Proxy, Malware Inspection Filter (Request Context) and Scanner: GET msrdp.cab is forwarded to the server; the 200 OK response is accumulated (Accumulated Content, several rounds) between the request context and the scanner before 200 OK is returned to the client]

Page 47: 50357 a enu-module02

Progress Notification

[Sequence diagram with Firewall Service, Web Proxy, Malware Inspection Filter (Primary Request Context, Secondary Request Context, Downloads Map) and Scanner]

GET setup.exe (client to proxy, proxy to server)

200 OK (setup.exe) from the server; content accumulated (Accumulated Content) for the scanner

200 OK (HTML) to the client

GET GetDownloadStatus / 200 OK (Retrieving)

GET GetDownloadStatus / 200 OK (Scanning)

GET GetDownloadStatus / 200 OK (Ready)

GET FinalDownload / 200 OK (setup.exe)

Page 48: 50357 a enu-module02

Malware Scanner Behavior

[Diagram: Low Priority Queue, Normal Priority Queue and High Priority Queue feeding the Antimalware Engine]

High:
• Partial inspection for Standard Trickling
• Final inspection for files smaller than 1 MB when Progress Page is not used

Normal:
• Partial inspection for Fast Trickling
• Final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used

Low:
• Final inspection when Progress Page is used
• Final inspection for files larger than 50 MB

Page 49: 50357 a enu-module02

Enabling Malware Inspection

Activate the Web Protection license

Enable malware inspection on Web access rules

Web Access Policy Wizard or New Access Rule Wizard for new rules

Rule properties for existing rules

Page 50: 50357 a enu-module02

Scenario Walkthrough

Contoso Web Access Policy

No browsing to sites that pose security or liability risks, but...

Researchers need access to gambling sites

This includes access to encrypted archives

Malware Inspection should be enabled for all Web traffic

HTTPS Inspection should be enabled, with user notifications

Deny all Web downloads larger than 500MB

Page 51: 50357 a enu-module02

Malware Inspection Global Settings

Page 52: 50357 a enu-module02

Malware Inspection Global Settings

Administrator can configure malware blocking behavior:

Low, medium and high severity threats

Suspicious files

Corrupted files

Encrypted files

Archive bombs: too many depth levels or unpacked content too large

File size too large
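The archive-bomb settings above, as an added Go example written for this page (not TMG code): a recursive zip inspector that stops on either limit, counting bytes actually inflated rather than the sizes declared in the archive headers. The depth and byte budget values, and the Nest fixture, are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"io"
	"strings"
)

var ErrTooDeep = errors.New("archive bomb: too many depth levels")
var ErrTooLarge = errors.New("archive bomb: unpacked content too large")

// Inspect walks a zip archive, recursing into nested zips while depthLeft > 0, and charges every
// inflated byte against *budget, shared across all levels. Header size fields are never trusted.
func Inspect(data []byte, depthLeft int, budget *int64) error {
	if depthLeft <= 0 {
		return ErrTooDeep
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return err
	}
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return err
		}
		// Inflate at most budget+1 bytes: enough to detect an overrun, never more.
		content, err := io.ReadAll(io.LimitReader(rc, *budget+1))
		rc.Close()
		if err != nil {
			return err
		}
		if *budget -= int64(len(content)); *budget < 0 {
			return ErrTooLarge
		}
		if strings.HasSuffix(strings.ToLower(f.Name), ".zip") {
			if err := Inspect(content, depthLeft-1, budget); err != nil {
				return err
			}
		}
	}
	return nil
}

// Nest is a constructed fixture: payload stored as doc.txt inside `levels` layers of zip.
func Nest(payload []byte, levels int) []byte {
	data, name := payload, "doc.txt"
	for i := 0; i < levels; i++ {
		var buf bytes.Buffer
		zw := zip.NewWriter(&buf)
		w, _ := zw.Create(name)
		w.Write(data)
		zw.Close()
		data, name = buf.Bytes(), "inner.zip"
	}
	return data
}
```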

Page 53: 50357 a enu-module02

Malware Inspection Per-rule Overrides

Page 54: 50357 a enu-module02

User Experience: Content Blocked

Page 55: 50357 a enu-module02

User Experience: Progress Notification

Page 56: 50357 a enu-module02

Lesson 5 – Intrusion Prevention

Page 57: 50357 a enu-module02

The Problem

Un-patched vulnerabilities:

Average survival time of unpatched Windows® XP less than 20 minutes

About two percent of Windows® machines are fully patched

Vulnerability window:

Increasing number of zero days

Attackers craft exploits faster than customers can deploy patches

Encryption and protocol tunneling are a complicated problem for a defense technology (for example, HTTPS)

Page 58: 50357 a enu-module02

Defining an Intrusion Prevention System (IPS)

[Matrix with columns Allow Known Good, Block Known Bad, Block Unknown Bad]

Execution Level: Application Control, Resource Shielding, Behavioral Containment

Application Level: Application and System Hardening, AV Application Inspection

Network Level: Firewall, Attack-Facing Network Inspection, Vulnerability-Facing Network Inspection (Network Inspection System)

Source: Host-Based Intrusion Prevention Systems (HIPS) Update – Gartner 2007

Page 59: 50357 a enu-module02

Network Inspection System (NIS)

Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities

Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)

Detects and potentially blocks attacks on network resources

NIS helps organizations reduce the vulnerability window

Protect machines against known vulnerabilities until patch can be deployed

Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window

Integrated into Forefront TMG

Synergy with HTTPS Inspection

Page 60: 50357 a enu-module02

New Vulnerability Use Case

Vulnerability is discovered

Response team prepares and tests the vulnerability signature

Signature released by Microsoft and deployed through distribution service, on security patch release

All un-patched hosts behind Forefront TMG are protected

[Diagram: Vulnerability Discovered; Signature Authoring Team (Signature Authoring, Testing); Signature Distribution Service; TMG in the Corporate Network]

Page 61: 50357 a enu-module02

61

Network Inspection System

Generic Application Protocol Analyzer

A framework and platform for safe and fast low level protocol parsing

Supports extensibility and layering

Enables creating parsing-based rules for checking and applying specific conditions (for example, signatures)

GAPA technology powers Microsoft’s Network Inspection System (NIS)

Powered by GAPA

Page 62: 50357 a enu-module02

Network Inspection System Architecture

[Diagram. Design Time: GAPA Language, Compiler. Run Time: Protocol Parsers, Signatures, NIS Engine, Network Interception. Microsoft Update delivers Signatures & Protocol Parsers; Telemetry and Portal]

Page 63: 50357 a enu-module02

NIS Response Process

Threat Identification

Threat Research

Signature Development

Signature Testing

Encyclopedia Write-up

Signature Release

Targeting 4 hours

Page 64: 50357 a enu-module02

Enabling and Configuring NIS

Page 65: 50357 a enu-module02

Other Network Protection Mechanisms

Common OS attack detection

DNS attack filtering

IP option filtering

Flood mitigation

Page 66: 50357 a enu-module02

Common OS Attack Detection

Inspects traffic for the following common attacks:

WinNuke

Land

Ping of Death

IP Half Scan

Port Scan

UDP Bomb

Offending packets are dropped and an event is generated that triggers an Intrusion Detected alert

Page 67: 50357 a enu-module02

DNS Attack Filtering

Enables the following checks in DNS traffic:

DNS host name overflow – DNS response for a host name exceeding 255 bytes

DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes

DNS zone transfer – DNS request to transfer zones from an internal DNS server

Page 68: 50357 a enu-module02

IP Options Filtering

Forefront TMG can block IP packets based on the IP options set:

Deny all packets with any IP options

Deny packets with the selected IP options

Deny packets with all except selected IP options

Forefront TMG can also block fragmented IP packets

Page 69: 50357 a enu-module02

Flood Mitigation

Forefront TMG flood mitigation mechanism uses:

Connection limits that are used to identify and block malicious traffic

Logging of flood mitigation events

Alerts that are triggered when a connection limit is exceeded

TMG comes with default configuration settings

Exceptions can be set per computer set

[Table of default connection limits with Limit and Custom Limit columns; the row labels were graphics and are not reproduced]

Page 70: 50357 a enu-module02

Questions

Page 71: 50357 a enu-module02

Lab 2: Secure Web Gateway

In this lab, you will:

Create web access policies for Contoso users, including inspection of HTTPS sessions

Modify web access policy to include protection from malware

Investigate the Network Inspection System (NIS)

Lab 2 - Exercises 3, 4, and 5

Estimated Completion Time: 60 min

Page 72: 50357 a enu-module02

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.