8/3/2019 Private Cloud Security via Microsoft Forefront by Esmaeil Sara Bad Ani
Private Cloud Security via Forefront TMG 2010
Esmaeil Sarabadani
Systems and Security Consultant
What's going to be covered
- Overview of the Public and Private Cloud
- Public and Private Cloud Security Concerns
- Data Isolation in Microsoft Cloud
- The Geographical Location of Data
- An Overview on Forefront Threat Management Gateway 2010
- Virtualization of TMG in the Cloud
- TMG Network Inspection System
- TMG HTTPS Inspection
- TMG Firewall Features
- Securing Remote Access to your Private Cloud
What is the cloud?! It's nothing supernatural.
It's been with you for a long time. Even our grandparents are using it now.
It's used for social activities, entertainment, business and much more.
It could be more secure than your own PCs.
Public Cloud vs. Private Cloud
(slide diagram comparing the public cloud and the private cloud)
Public Cloud Security Concerns
- Where is my data located?
- Isolation of customers' data from one another
- Denial of Service (DoS) attacks
- Exploitation of software vulnerabilities
- Authentication, Authorization or Auditing of access to cloud services
Public Cloud Security Concerns
Choose where to store your data
Public Cloud: Data Isolation
(slide diagram: Physical Hardware > Hypervisor > Host VM and three Guest VMs; one VM is marked "Hacked", the others "Healthy", and the hacked VM has "No Access" to the healthy ones)
Public Cloud: Network Security
(slide diagram: Hackers on the Internet send traffic toward the Microsoft Public Cloud, whose hypervisors host many VMs; an "Analysis" step asks "Malicious Traffic?!")
Differentiating between the legitimate and illegitimate traffic is quite challenging.
Private Cloud Security Concerns
- Isolation of VMs from one another
- You are the only one responsible for the security of the cloud
- Attacks from inside the cloud
- Huge attacks from the Internet, such as DoS or DDoS
- Authentication, Authorization or Auditing of access to cloud services
Forefront Threat Management Gateway 2010
- Network Inspection System
- Web Anti-malware
- HTTPS Inspection
- Builds on ISA Server 2006
- Active Directory Integration
- Custom Reports
- Can be virtualized
Demo: An Overview on TMG
Software vs. Hardware
Are hardware firewalls more secure than software firewalls?
Software vs. Hardware
Hardware firewalls are all software-based but only come in a hardware package.
Virtualization of TMG
(slide diagram: a Hypervisor runs the Host VM and several Guest VMs that form the Private Cloud; the TMG guest sits between the Private Cloud and the Internet)
- Host VM: not connected to the Internet
- TMG: the edge gateway and firewall, the only guest connected to the Internet, with at least two virtual NICs
Data transmission between the private and public clouds.
(slide diagram: Physical Hardware > Hypervisor > Host VM, Guest VM, Guest VM, TMG; the TMG guest has two virtual NICs)
(slide diagram: the Private Cloud spanning three hypervisors)
Data transmission inside the private cloud.
Demo: Virtualization of TMG
Virtualization of TMG: Best Practices
- Always disconnect the Host VM from the Internet.
- All the traffic to the Internet must pass through the VM with TMG.
- If there are multiple hypervisors (physical servers), the traffic between the VMs in different physical servers should be filtered using TMG.
- The virtual switch connecting the VMs in every physical server must be Private.
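The following is an added example, not part of the original slides: it wires a TMG guest on a Hyper-V host according to the four best practices above and then audits the host for violations. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later; the 2008 R2 hosts of the TMG era lack these cmdlets); the VM name "TMG-01", the physical adapter name "Ethernet 2" and the switch names are placeholders chosen for this example.

```powershell
# Added example (not from the slides). Assumes the Hyper-V PowerShell module.
# "TMG-01", "Ethernet 2" and the switch names are placeholders for this example.
Import-Module Hyper-V

$TmgVmName       = 'TMG-01'        # placeholder: the guest running TMG
$InternetAdapter = 'Ethernet 2'    # placeholder: physical NIC facing the Internet
$ExternalSwitch  = 'Internet-Edge'
$PrivateSwitch   = 'PrivateCloud'

# External switch bound to the Internet-facing NIC. -AllowManagementOS $false keeps
# the host (management OS) off the Internet (best practice 1).
New-VMSwitch -Name $ExternalSwitch -NetAdapterName $InternetAdapter -AllowManagementOS $false

# Private switch: traffic stays between guests on this host, the host has no
# vNIC on it (best practice 4).
New-VMSwitch -Name $PrivateSwitch -SwitchType Private

# TMG gets one vNIC on each switch, so every packet between the private cloud
# and the Internet crosses the TMG guest (best practice 2).
Add-VMNetworkAdapter -VMName $TmgVmName -Name 'External' -SwitchName $ExternalSwitch
Add-VMNetworkAdapter -VMName $TmgVmName -Name 'Internal' -SwitchName $PrivateSwitch

function Test-TmgEdgeLayout {
    param(
        [string]$TmgVmName,
        [string]$ExternalSwitch,
        [string]$PrivateSwitch
    )
    $findings = @()

    # 1. No host (management OS) vNIC may sit on the external switch.
    Get-VMNetworkAdapter -ManagementOS |
        Where-Object { $_.SwitchName -eq $ExternalSwitch } |
        ForEach-Object { $findings += "Management OS adapter '$($_.Name)' is connected to $ExternalSwitch" }

    # 2. Only the TMG guest may have an adapter on the external switch; any
    #    other guest there bypasses the firewall.
    Get-VMNetworkAdapter -VMName * |
        Where-Object { $_.SwitchName -eq $ExternalSwitch -and $_.VMName -ne $TmgVmName } |
        ForEach-Object { $findings += "Guest '$($_.VMName)' bypasses TMG via adapter '$($_.Name)' on $ExternalSwitch" }

    # 3. TMG itself needs one leg on each side.
    $tmgSwitches = (Get-VMNetworkAdapter -VMName $TmgVmName).SwitchName
    foreach ($required in @($ExternalSwitch, $PrivateSwitch)) {
        if ($tmgSwitches -notcontains $required) {
            $findings += "TMG guest '$TmgVmName' has no adapter on $required"
        }
    }

    # 4. The switch joining the guests must be of type Private.
    $sw = Get-VMSwitch -Name $PrivateSwitch -ErrorAction SilentlyContinue
    if (-not $sw) {
        $findings += "Switch $PrivateSwitch does not exist"
    } elseif ($sw.SwitchType -ne 'Private') {
        $findings += "Switch $PrivateSwitch is of type $($sw.SwitchType), expected Private"
    }

    return $findings
}

$issues = Test-TmgEdgeLayout -TmgVmName $TmgVmName -ExternalSwitch $ExternalSwitch -PrivateSwitch $PrivateSwitch
if ($issues.Count -eq 0) { 'Layout matches the TMG virtualization best practices.' } else { $issues }
```

The three `New-VMSwitch`/`Add-VMNetworkAdapter` lines are one-time setup; `Test-TmgEdgeLayout` is the part worth running on a schedule on every hypervisor in the private cloud, because a guest that later gets an adapter on the external switch silently defeats best practice 2.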
Network Inspection System
- Inspects the traffic for exploits of vulnerabilities, with the minimum number of false positives
- Has a repository to store signatures for different types of attacks and can update the repository
- Able to create inspection exceptions for some parts of the network
Demo: TMG Network Inspection System
HTTPS Inspection
- It acts as a man-in-the-middle between the two SSL connection parties
- It can inspect inside SSL-encrypted traffic
- It looks for possible malware or exploits inside an SSL connection
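Because TMG terminates the client's SSL session and re-signs the server certificate with its own HTTPS inspection CA, two things can be verified from a client: that the inspection CA is trusted on the machine, and that the certificate actually presented for a site chains to that CA rather than to the public CA (which would mean the site is excluded from inspection or the client is not passing through TMG). The script below is an added example, not from the slides or from the TMG product; the CA subject "CN=Contoso TMG HTTPS Inspection CA" and the host www.example.com are placeholders, and the issuer check is a plain string comparison of distinguished names.

```powershell
# Added example (not from the slides): verify TMG HTTPS inspection from a client.
# The CA subject and the host name are placeholders for this example.
$InspectionCaSubject = 'CN=Contoso TMG HTTPS Inspection CA'   # placeholder

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate: we only want to read who issued it.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

function Test-TmgHttpsInspection {
    param([string]$HostName, [string]$CaSubject)

    # 1. Is the inspection CA in the machine's Trusted Root store? TMG re-signs
    #    every inspected site with it, so without it users get warnings (and may
    #    learn to click through them).
    $rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }

    # 2. Does the certificate we actually receive come from that CA? A public
    #    CA as issuer means this site is not being inspected on this path.
    $leaf = Get-RemoteCertificate -HostName $HostName

    [pscustomobject]@{
        Host                = $HostName
        InspectionCaTrusted = [bool]$rootCa
        PresentedIssuer     = $leaf.Issuer
        TrafficInspected    = ($leaf.Issuer -eq $CaSubject)
    }
}

Test-TmgHttpsInspection -HostName 'www.example.com' -CaSubject $InspectionCaSubject
```

Run it once for a site that should be inspected and once for a site on the exclusion list (banking and other sites that must not be decrypted); the `TrafficInspected` column should differ between the two, which is the quickest way to confirm that the exclusion list is doing its job.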
Demo: TMG HTTPS Inspection
TMG Firewall Features
- Multi-layer firewall. It provides access control and protection on three layers:
  - Packet filtering
  - Stateful inspection
  - Application layer filtering
- DoS protection
- Supports many protocols, and new protocols can be defined.
- Granular HTTP control:
  - File download controls
  - Signature-based blocking
  - HTTP method control
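To make the three layers concrete, the added example below (not from the slides, and not a way of scripting TMG's own rule engine) walks each sample packet through packet filtering, stateful inspection and application-layer HTTP filtering in that order and reports which layer stopped it. The HTTP layer implements the three granular controls from the slide (file download control, signature-based blocking, HTTP method control) and so also illustrates the signature repository idea from the Network Inspection System slide. The rule set, the signatures, the connection table and the sample traffic (client 10.1.2.3, web server 203.0.113.10) are all constructed for this example.

```powershell
# Added example (not from the slides): one packet walks the three TMG layers in
# order. Rules, signatures, connection table and sample traffic are constructed.

function ConvertTo-IPv4Int {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    if ($Cidr -eq '*') { return $true }
    $network, $prefix = $Cidr -split '/'
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    return ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

# Layer 1: packet filtering for new (outbound) connections. First match wins.
$PacketRules = @(
    @{ Action = 'Allow'; Proto = 'TCP'; Src = '10.0.0.0/8'; DstPort = 80  },
    @{ Action = 'Allow'; Proto = 'TCP'; Src = '10.0.0.0/8'; DstPort = 443 },
    @{ Action = 'Deny';  Proto = '*';   Src = '*';          DstPort = '*' }
)

# Layer 2: stateful inspection. Permitted outbound flows are recorded; an
# inbound packet is accepted only as the reply to a recorded flow.
$script:FlowTable = @{}

# Layer 3: application-layer (HTTP) filtering.
$HttpPolicy = @{
    AllowedMethods    = @('GET', 'POST', 'HEAD')      # HTTP method control
    BlockedExtensions = @('.exe', '.scr', '.bat')     # file download control
    Signatures        = @('\.\./', '(?i)<script')     # signature-based blocking (constructed signatures)
}

function Get-FlowKey {
    param($Pkt, [switch]$Reverse)
    if ($Reverse) { return "$($Pkt.Proto):$($Pkt.Dst):$($Pkt.DstPort)->$($Pkt.Src):$($Pkt.SrcPort)" }
    return "$($Pkt.Proto):$($Pkt.Src):$($Pkt.SrcPort)->$($Pkt.Dst):$($Pkt.DstPort)"
}

function Test-PacketLayer {
    param($Pkt)
    if ($Pkt.Direction -eq 'Inbound') { return 'Allow' }    # replies are judged by the state table
    foreach ($r in $PacketRules) {
        $protoOk = ($r.Proto -eq '*') -or ($r.Proto -eq $Pkt.Proto)
        $portOk  = ($r.DstPort -eq '*') -or ($r.DstPort -eq $Pkt.DstPort)
        if ($protoOk -and $portOk -and (Test-IPv4InCidr $Pkt.Src $r.Src)) { return $r.Action }
    }
    return 'Deny'
}

function Test-StateLayer {
    param($Pkt)
    if ($Pkt.Direction -eq 'Outbound') { return 'Allow' }   # new flow; recorded only if every layer allows it
    if ($script:FlowTable.ContainsKey((Get-FlowKey $Pkt -Reverse))) { return 'Allow' }
    return 'Deny (unsolicited inbound)'
}

function Test-HttpLayer {
    param($Pkt)
    if (-not $Pkt.Method) { return 'Allow' }                 # nothing HTTP to inspect
    if ($HttpPolicy.AllowedMethods -notcontains $Pkt.Method) { return "Deny (method $($Pkt.Method))" }
    $path = ([uri]$Pkt.Url).AbsolutePath.ToLower()
    foreach ($ext in $HttpPolicy.BlockedExtensions) {
        if ($path.EndsWith($ext)) { return "Deny (download $ext)" }
    }
    foreach ($sig in $HttpPolicy.Signatures) {
        if ($Pkt.Url -match $sig) { return "Deny (signature $sig)" }
    }
    return 'Allow'
}

function Invoke-LayeredPolicy {
    param($Pkt)
    foreach ($layer in 'Packet', 'State', 'Http') {
        $verdict = & "Test-${layer}Layer" $Pkt
        if ($verdict -ne 'Allow') {
            return [pscustomobject]@{ Request = $Pkt.Url; Layer = $layer; Verdict = $verdict }
        }
    }
    if ($Pkt.Direction -eq 'Outbound') { $script:FlowTable[(Get-FlowKey $Pkt)] = Get-Date }
    [pscustomobject]@{ Request = $Pkt.Url; Layer = 'All'; Verdict = 'Allow' }
}

# Constructed sample traffic: internal client 10.1.2.3, web server 203.0.113.10.
$Samples = @(
    @{ Proto='TCP'; Src='10.1.2.3'; SrcPort=50000; Dst='203.0.113.10'; DstPort=80; Direction='Outbound'; Method='GET';    Url='http://203.0.113.10/index.html' },
    @{ Proto='TCP'; Src='10.1.2.3'; SrcPort=50001; Dst='203.0.113.10'; DstPort=80; Direction='Outbound'; Method='GET';    Url='http://203.0.113.10/tools/setup.exe' },
    @{ Proto='TCP'; Src='10.1.2.3'; SrcPort=50002; Dst='203.0.113.10'; DstPort=80; Direction='Outbound'; Method='DELETE'; Url='http://203.0.113.10/api/item/7' },
    @{ Proto='TCP'; Src='10.1.2.3'; SrcPort=50003; Dst='203.0.113.10'; DstPort=23; Direction='Outbound'; Url='tcp://203.0.113.10:23 (telnet)' },
    @{ Proto='TCP'; Src='203.0.113.10'; SrcPort=80; Dst='10.1.2.3'; DstPort=50000; Direction='Inbound'; Url='(reply to the index.html flow)' },
    @{ Proto='TCP'; Src='203.0.113.10'; SrcPort=80; Dst='10.1.2.3'; DstPort=50999; Direction='Inbound'; Url='(unsolicited inbound packet)' }
)
$Samples | ForEach-Object { Invoke-LayeredPolicy $_ } | Format-Table -AutoSize
```

Expected behaviour: index.html passes all layers, setup.exe is stopped by the download control, the DELETE request by method control, the telnet attempt by the packet filter, the reply to the recorded flow is allowed by the state table, and the unsolicited inbound packet is dropped there. The order matters: the cheap packet and state checks run first so that only traffic that survived them reaches the expensive application-layer parsing, which is the same reason TMG layers them this way.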
Demo: TMG Firewall Features
Securing Remote Access to your Private Cloud
(slide diagram: TMG at the edge of the Private Cloud, with Active Directory, an RODC, Outlook Web Access and a VPN Client)
Active Directory Integration for Authentication, Authorization, Auditing
Securing Remote Access to your Private Cloud
- Remote Access VPN by PPTP, L2TP/IPSec and SSTP
- Inspection of VPN traffic
- Integration with Active Directory
- Integration with Network Access Protection and VPN Quarantine
Demo: TMG Secure Remote Access
Thank You
Q&A
void contact() {
}
e-mail Address: [email protected]
My Blog: http://esihere.wordpress.com/
Twitter: http://www.twitter.com/esmaeils