
Private Cloud Security via Microsoft Forefront by Esmaeil Sara Bad Ani

Apr 06, 2018

  • 8/3/2019 Private Cloud Security via Microsoft Forefront by Esmaeil Sara Bad Ani

    Slide 1/30

    Private Cloud Security via Forefront TMG 2010

    Esmaeil Sarabadani, Systems and Security Consultant

  • Slide 2/30

    What's going to be covered

    Overview of the Public and Private Cloud

    Public and Private Cloud Security Concerns

    Data Isolation in Microsoft Cloud

    The Geographical Location of Data

    An Overview on Forefront Threat Management Gateway 2010

    Virtualization of TMG in the Cloud

    TMG Network Inspection System

    TMG HTTPS Inspection

    TMG Firewall Features

    Securing Remote Access to your Private Cloud

  • Slide 3/30

    What is the cloud?!! It's nothing supernatural.

    It's been with you for a long time. Even our grandparents are using it now.

    It's used for social activities, entertainment, business and so much more.

    It could be more secure than your own PCs.

  • Slide 4/30

    What is the Cloud??!

    It's been with you for a long time. It's nothing supernatural. Even our grandparents are using it now. Used for social activities, entertainment, business and so much more. It could be more secure than your own PCs.

  • Slide 5/30

    Public Cloud vs. Private Cloud (diagram)

  • Slide 6/30

    Public Cloud Security Concerns

    Where is my data located?

    Isolation of customers' data from one another

    Denial of Service (DoS) attacks

    Exploitation of software vulnerabilities

    Authentication, Authorization or Auditing of access to cloud services

  • Slide 7/30

    Public Cloud Security Concerns

    Choose where to store your data

  • Slide 8/30

    Public Cloud Data Isolation (diagram)

    Physical Hardware → Hypervisor → Host VM, Guest VM, Guest VM, Guest VM

    Diagram labels: one VM marked Hacked, three marked Healthy, with No Access between the hacked VM and the others.

  • Slide 9/30

    Public Cloud Network Security (diagram)

    Microsoft Public Cloud: hypervisors hosting many VMs, with hackers on the outside and traffic analysis in between.

    Differentiating between the legitimate and illegitimate traffic is quite challenging.

    Malicious Traffic?!!

  • Slide 10/30

    Private Cloud Security Concerns

    Isolation of VMs from one another

    You are the only one responsible for the security of the cloud

    Attacks from inside the cloud

    Huge attacks from the Internet, such as DoS or DDoS

    Authentication, Authorization or Auditing of access to cloud services

  • Slide 11/30

    Forefront

    Threat Management Gateway 2010

    Network Inspection System

    Web Anti-malware

    HTTPS Inspection

    Builds on ISA Server 2006

    Active Directory Integration

    Custom Reports

    Can be virtualized

  • Slide 12/30

    Demo: An Overview on TMG

  • Slide 13/30

    Software vs. Hardware

    Are hardware firewalls more secure than software firewalls?

  • Slide 14/30

    Software vs. Hardware

    Hardware firewalls are all software-based but only come in a hardware package.

  • Slide 15/30

    Virtualization of TMG (diagram)

    Hypervisor → Host VM, Guest VM, Guest VM, Guest VM (Private Cloud), TMG

    TMG: the edge gateway and FW; the only Guest connected to the Internet; at least two virtual NICs

    The remaining VMs: Not Connected to the Internet

    Data transmission between the private and public clouds.

  • Slide 16/30

    (diagram) Physical Hardware → Hypervisor → Host VM, Guest VM, Guest VM, TMG (Two Virtual NICs)

  • Slide 17/30

    Private Cloud (diagram): Hypervisor, Hypervisor, Hypervisor

    Data transmission inside the private cloud.

  • Slide 18/30

    Demo: Virtualization of TMG

  • Slide 19/30

    Virtualization of TMG: Best Practices

    Always disconnect the Host VM from the Internet.

    All the traffic to the Internet must pass through the VM with TMG.

    If there are multiple hypervisors (physical servers), the traffic between the VMs in different physical servers should be filtered using TMG.

    The virtual switch connecting the VMs in every physical server must be Private.
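The four rules on this slide are easy to state and easy to break silently when someone adds a vNIC later. The following audit script is an added example (not from the deck or from Microsoft); it checks a virtual-network inventory against those rules. The inventory shape, the role names `host` / `tmg` / `guest`, and the sample VMs are assumptions modelled on Hyper-V's VM, virtual switch and network adapter objects; in practice the data would be pulled from the hypervisor's management API.

```python
"""Audit a virtual-network inventory against the TMG-in-a-VM best practices.

Added example, not the deck's own material. Switch kinds use the Hyper-V names:
External (bound to a physical NIC, i.e. Internet-facing), Internal (shared with
the host OS) and Private (guest-to-guest only). Roles and sample data are assumed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VSwitch:
    name: str
    kind: str  # "External", "Internal" or "Private"


@dataclass
class VM:
    name: str
    role: str                                           # "host", "tmg" or "guest"
    adapters: list[str] = field(default_factory=list)   # switch names, one per vNIC


def audit(switches: list[VSwitch], vms: list[VM]) -> list[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    internet_facing = {s.name for s in switches if s.kind == "External"}
    findings: list[str] = []

    for vm in vms:
        on_internet = [a for a in vm.adapters if a in internet_facing]
        if vm.role == "host" and on_internet:
            # Rule 1: the host VM must never be connected to the Internet.
            findings.append(f"{vm.name}: host VM attached to Internet-facing switch {on_internet}")
        elif vm.role == "guest" and on_internet:
            # Rule 2: Internet traffic must pass through TMG; a guest with its own
            # external adapter bypasses it.
            findings.append(f"{vm.name}: guest bypasses TMG via switch {on_internet}")
        elif vm.role == "tmg":
            # TMG is the only guest on the external switch and needs at least one
            # external plus one private-side vNIC (the "at least two NICs" rule).
            if not on_internet:
                findings.append(f"{vm.name}: TMG has no Internet-facing adapter")
            if len(vm.adapters) - len(on_internet) < 1:
                findings.append(f"{vm.name}: TMG has no private-cloud adapter")

    # Rule 4: a switch carrying guest-to-guest traffic must be Private, so neither
    # the host OS (Internal) nor the physical network (External) can see it.
    for sw in switches:
        users = [vm.name for vm in vms if sw.name in vm.adapters]
        if sw.kind != "Private" and sw.name not in internet_facing and len(users) > 1:
            findings.append(f"{sw.name}: {sw.kind} switch shared by {users} must be Private")

    return findings


def example_inventory(compliant: bool) -> tuple[list[VSwitch], list[VM]]:
    """Constructed sample inventory (not a real environment)."""
    switches = [VSwitch("Ext-Internet", "External"),
                VSwitch("PrivCloud", "Private" if compliant else "Internal")]
    vms = [
        VM("Host", "host", [] if compliant else ["Ext-Internet"]),
        VM("TMG", "tmg", ["Ext-Internet", "PrivCloud"]),
        VM("App1", "guest", ["PrivCloud"]),
        VM("App2", "guest", ["PrivCloud"] if compliant else ["PrivCloud", "Ext-Internet"]),
    ]
    return switches, vms


if __name__ == "__main__":
    for state in (True, False):
        sw, vms = example_inventory(state)
        print("compliant" if state else "misconfigured:", audit(sw, vms) or "OK")
```

The misconfigured inventory produces three findings: the host VM on the external switch, a guest with its own Internet path around TMG, and an Internal switch where a Private one is required. Rule 3 (filtering traffic between hypervisors through TMG) is a routing decision rather than a switch property, so it is not covered by this inventory check.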

  • Slide 20/30

    Network Inspection System

    Inspects the traffic for exploits of vulnerabilities, with the minimum number of false positives.

    Has a repository to store signatures for different types of attacks and can update the repository.

    Able to create inspection exceptions for some parts of the network.

  • Slide 21/30

    Demo: TMG Network Inspection System

  • Slide 22/30

    HTTPS Inspection

    It acts as a man-in-the-middle between the two SSL connection parties.

    It can inspect inside SSL-encrypted traffic.

    It looks for possible malware or exploits inside an SSL connection.

  • Slide 23/30

    Demo: TMG HTTPS Inspection

  • Slide 24/30

    TMG Firewall Features

    Multi-Layer Firewall. It provides access control and protection on three layers:

    Packet filtering

    Stateful inspection

    Application layer filtering

    DoS Protection

    Supports so many protocols, and new protocols can be defined.

    Granular HTTP Control:

    File Download Controls

    Signature Based Blocking

    HTTP Method Control
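The three layers on this slide, and the signature repository with exceptions from the Network Inspection System slide, are easiest to understand by watching which layer rejects which packet. The model below is an added example, not TMG code: layer 1 is a stateless packet filter on addresses and ports, layer 2 admits only packets of a connection it saw opened from the inside, and layer 3 applies the HTTP method, file-download and signature controls. The addresses, port rules, signatures and the exempt network are all made-up values chosen for the demonstration.

```python
"""Model of TMG's three filtering layers run in order over constructed traffic.

Added example, not TMG code. The signature list also stands in for the Network
Inspection System's updatable repository with per-network exceptions. Every
address, port rule, signature and exemption below is made up for the demo.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

PRIVATE_CLOUD = ip_network("10.0.0.0/24")            # assumed private-cloud range
ALLOWED_PORTS = {80, 443}                            # layer 1: outbound web only
ALLOWED_METHODS = {"GET", "POST", "HEAD"}            # layer 3: HTTP method control
BLOCKED_EXTENSIONS = (".exe", ".scr", ".msi")        # layer 3: file download control
SIGNATURES = [("SIG-0001-traversal", re.compile(r"\.\./"))]   # updatable repository
SIGNATURE_EXEMPT = [ip_network("10.0.0.200/30")]     # inspection exception


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # first packet of a TCP connection
    http: dict | None = None     # parsed HTTP request carried by this packet, if any


def update_signatures(new: list[tuple[str, str]]) -> int:
    """Add (id, regex) pairs to the repository, as a signature update would; return its size."""
    SIGNATURES.extend((sid, re.compile(pat, re.I)) for sid, pat in new)
    return len(SIGNATURES)


class Firewall:
    def __init__(self) -> None:
        self.state: set[tuple[str, str, int]] = set()    # (client, server, server port)

    @staticmethod
    def outbound(p: Packet) -> bool:
        return ip_address(p.src) in PRIVATE_CLOUD

    def packet_filter(self, p: Packet) -> str | None:
        if self.outbound(p) and p.dport in ALLOWED_PORTS:
            return None
        if not self.outbound(p) and ip_address(p.dst) in PRIVATE_CLOUD and p.sport in ALLOWED_PORTS:
            return None                                     # looks like a web reply
        return "L1 packet filter: no rule matches"

    def stateful(self, p: Packet) -> str | None:
        if self.outbound(p):
            key = (p.src, p.dst, p.dport)
            if p.syn:
                self.state.add(key)                         # opened from the inside
                return None
        else:
            key = (p.dst, p.src, p.sport)                   # reply: reverse the tuple
        return None if key in self.state else "L2 stateful inspection: no established connection"

    def app_layer(self, p: Packet) -> str | None:
        if not p.http:
            return None
        method, path = p.http.get("method", ""), p.http.get("path", "")
        if method not in ALLOWED_METHODS:
            return f"L3 HTTP method control: {method}"
        if path.lower().endswith(BLOCKED_EXTENSIONS):
            return f"L3 file download control: {path}"
        if any(ip_address(p.src) in net for net in SIGNATURE_EXEMPT):
            return None                                     # exempted from signature scan
        for sid, pattern in SIGNATURES:
            if pattern.search(path):
                return f"L3 signature-based blocking: {sid}"
        return None

    def evaluate(self, p: Packet) -> str:
        """First layer that objects decides; returns 'ALLOW' or 'DENY <layer reason>'."""
        for layer in (self.packet_filter, self.stateful, self.app_layer):
            reason = layer(p)
            if reason:
                return "DENY " + reason
        return "ALLOW"


def run_scenarios() -> dict[str, str]:
    """Constructed packet sequence (not captured traffic); returns name -> verdict."""
    fw, client, web, ext = Firewall(), "10.0.0.15", "203.0.113.10", "198.51.100.7"
    get = lambda path: {"method": "GET", "path": path}
    steps = [
        ("syn to web", Packet(client, 50000, web, 80, syn=True)),
        ("GET index", Packet(client, 50000, web, 80, http=get("/index.html"))),
        ("web reply", Packet(web, 80, client, 50000)),
        ("inbound with sport 80, no state", Packet(ext, 80, "10.0.0.20", 40000, syn=True)),
        ("telnet outbound", Packet(client, 50001, web, 23, syn=True)),
        ("DELETE method", Packet(client, 50000, web, 80, http={"method": "DELETE", "path": "/x"})),
        ("exe download", Packet(client, 50000, web, 80, http=get("/setup.EXE"))),
        ("traversal signature", Packet(client, 50000, web, 80, http=get("/../../etc/passwd"))),
        ("exempt host syn", Packet("10.0.0.201", 50002, web, 80, syn=True)),
        ("exempt host same path", Packet("10.0.0.201", 50002, web, 80, http=get("/../../etc/passwd"))),
    ]
    verdicts = {name: fw.evaluate(p) for name, p in steps}
    update_signatures([("SIG-0002-cmd-param", r"[?&]cmd=")])   # repository update
    verdicts["cmd param after update"] = fw.evaluate(Packet(client, 50000, web, 80, http=get("/run?cmd=dir")))
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:35} {verdict}")
```

The instructive case is the inbound packet with source port 80 and no prior connection: a pure packet filter accepts it because it looks like a web reply, and only the stateful layer rejects it. The exempt host shows the cost of inspection exceptions: the same request that is blocked for other clients passes untouched, so exemptions should be scoped as narrowly as possible.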

  • Slide 25/30

    Demo: TMG Firewall Features

  • Slide 26/30

    Securing Remote Access to your Private Cloud (diagram)

    Components: TMG, Active Directory, RODC, Outlook Web Access, VPN Client, Private Cloud

    Active Directory Integration for Authentication, Authorization, Auditing

  • Slide 27/30

    Securing Remote Access to your Private Cloud

    Remote Access VPN by PPTP, L2TP/IPSec and SSTP

    Inspection of VPN traffic

    Integration with Active Directory

    Integration with Network Access Protection and VPN Quarantine

  • Slide 28/30

    Demo: TMG Secure Remote Access

  • Slide 29/30

    Thank You

    Q&A

  • Slide 30/30

    void contact() {

    }

    e-mail Address: [email protected]

    My Blog: http://esihere.wordpress.com/

    Twitter: http://www.twitter.com/esmaeils