4. What is a Secure Web Gateway (SWG)?
“A SWG is a solution that filters unwanted
software/malware from user-initiated Web/Internet
traffic and enforces corporate and regulatory policy
compliance. To achieve this goal, SWGs must, at a
minimum, include URL filtering, malicious code
detection and filtering, and application controls for
popular Web-based applications, such as instant
messaging (IM) and Skype.”
Gartner Secure Web Gateway Magic Quadrant, August 2008
5. The Growing Market Potential
Dedicated SWG vendors are the fastest-growing
submarket, averaging 140% year-over-year growth
3000
2500
2000 SaaS
1500 Appliance
Software
1000
500
0
2008
2009
2010
2011
2012
Source: Gartner Secure Web Gateway Magic Quadrant, August 2008
6. The Competitive Landscape
Websense
Trend
20%
Microsoft
12%
54% McAfee/Secure
Computing
Blue Coat
6%
5%
3% Other
7. Forefront TMG as a Secure Web Gateway
URL Filtering,
Competitive Malware
Feature Set Inspection, NIS
Array Support,
Load balancing
Easily
Scalable
Manageable
Web Access
Wizard, Task
Logging & Oriented
Reporting
Support Integrated
New reports, Policy Management,
log fields Directory Services
Integration,
Licensing
7
8. Secure Web Gateway Layered Security
Unifies inspection
technologies to:
Malware Inspection Protect against
multi-channel threats
URL Filtering Simplify deployment
Keeps security up to date
Network
Application
Inspection with updates to:
Layer Proxy
System Web antimalware
HTTPS Inspection URL filtering
Network Inspection
Logging & Reporting System
Windows Server® 2008 / R2
9. Threats and Controls
Application
HTTPS Anti- URL
Threats Layer NIS
Inspection malware Filtering
Firewall
Malware
Phishing
Liability
Data Leakage
Lost Productivity
Loss of Control
Full Partial Enabler
11. Threats and Controls
Application
HTTPS Anti- URL
Threats Layer NIS
Inspection malware Filtering
Firewall
Malware
Phishing
Liability
Data Leakage
Lost Productivity
Loss of Control
Full Partial Enabler
12. Traditional SSL Security
Web browser sends a CONNECT request to the Web proxy
CONNECT host_name:port HTTP/1.1
Web proxy allows the request to be sent to the TCP port specified in
the request
Proxy informs the client that the connection is established
Clients sends encrypted packets directly to destination on specified
port without proxy mediation
What lies within
this encrypted
tunnel?
13. Forefront TMG HTTPS Traffic Inspection
Network
Malware
URL Filtering Inspection
Inspection
System
Internet
SIGNED
BY
SIGNED VERISIGN Contoso.com
BY TMG
Contoso.com
HTTPS Inspection terminates the SSL traffic at the proxy for both
ends, and inspects the traffic against different threats
Trusted certificate generated by proxy matching the URL expected by
the client
13
14. Enabling HTTPS Traffic Inspection
Configure HTTPS Inspection:
• Proxy certificate generation/import
Certificate deployment and customization.
(via Active Directory® or • Source and destination exclusions
Import/Export) • Validate only option
• Notification
Internet
SIGNED
BY
SIGNED VERISIGN Contoso.com
BY TMG
Contoso.com
Client notifications about HTTPS
inspection (via Firewall client)
Certificate validation (revocation,
trusted, expiration validation, etc.)
14
15. Generating the HTTPS Inspection Certificate
The HTTPS inspection certificate can be either generated
by Forefront TMG or issued by a trusted CA
Administrators can customize the self generated certificate
Commercial CAs will not typically issue HTTPS inspection
certificates
HTTPS inspection certificate stored in the configuration
store
Used by all array members
16. Deploying the HTTPS Inspection Certificate
Two methods can be used to enable clients to trust the
HTTPS Inspection Certificate
Automatically through Active Directory (AD), will use AD trusted
root store to configure trust for all clients in the AD forest
Requires Forefront TMG to be deployed in a domain environment
Will not work for browsers that do not use the Windows certificate
store for trust
Manually on each computer, using root certificate installation
procedure required by the browser
17. How HTTPS Inspection Works
Enable HTTPS inspection
Generate trusted root certificate
Install trusted root certificate
on clients
contoso.com
https://contoso.com https://contoso.com
SIGNED
SIGNED BY
BY TMG VERISIGN Contoso.com
Contoso.com
1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for client
8. Bridge HTTPS traffic between client and server
17
18. Scenario Walkthrough
Contoso Web Access Policy
No browsing to sites that pose security or liability risks, but...
Researchers need access to gambling sites
This includes access to encrypted archives
Malware Inspection should be enabled for all Web traffic
HTTPS Inspection should be enabled, with user notifications
Deny all Web downloads larger than 500MB
18
22. HTTPS Inspection Notifications
Notification provided by
Forefront TMG client
Notify user of inspection
History of recent
notifications
Management of Notification
Exception List
May be a legal
requirement in some
geographies
22
25. Threats and Controls
Application
HTTPS Anti- URL
Threats Layer NIS
Inspection malware Filtering
Firewall
Malware
Phishing
Liability
Data Leakage
Lost Productivity
Loss of Control
Full Partial Enabler
26. Forefront TMG URL Filtering
Microsoft Reputation • Integrates leading URL database
Service
providers
• 91 built-in categories • Subscription-based
• Predefined and administrator
defined category sets
• Customizable, per-rule,
deny messages
URL DB
Internet
TMG
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
27. URL Filtering Benefits
Control user web access based on URL categories
Protect users from known malicious sites
Reduce liability risks
Increase productivity
Reduce bandwidth and Forefront TMG resource
consumption
Analyze Web usage
28. Microsoft Reputation Service
Accuracy
Comprehensive and flexible category taxonomy
Broad coverage through path inheritance
Overlapping and complementary URL metadata
sources
Accuracy measured and tuned across providers
(Weighting)
Telemetry-based error reporting and client data
capture
Unknowns ranked and resolved based on
prevalence
Performance
Four-tier architecture
Protocol-level packaging
Bloom filters
Availability
Globally-scaled, fault-tolerant architecture
Multi-layer dynamic caching (On-premise + Service)
29. What Makes MRS Compelling?
Existing URL filtering solutions
Single vendor cant be expert in all categories
Categorization response time
MRS unique architecture
MRS merges URL databases from multiple sources/vendors
Multi-vendor AV analogy
Based on Microsoft internal sources as well as collaboration with
third party partners
Scalable
Ongoing collaborative effort
Recently announced an agreement with Marshal8e6
More announcements to follow
30. How Forefront TMG Leverages MRS
Multiple Vendors
Federated
MRS
Query
Combines with Telemetry Path
SSL (also SSL)
Telemetry Data
Cache
• Feedbackcache
Cache:on
Fetch
• Persistent
mechanism on
miss
• Category overrides
• In-memory
SSL for auth &
Query (URL)
Fetch • Weighted TTL
privacy
URL • No PII
Categorizer
Policy
35. Scenario Walkthrough
Contoso Web Access Policy
No browsing to sites that pose security or liability risks, but...
Researchers need access to gambling sites
This includes access to encrypted archives
Malware Inspection should be enabled for all Web traffic
HTTPS Inspection should be enabled, with user notifications
Deny all Web downloads larger than 500MB
35
36. Contoso’s Web Access Policy
Access rule denying Access rule allowing users
everyone access to in the Research group to
Liability and Security sites access gambling and
gambling-related sites
36
37. Per-rule Customization
TMG administrator can
customize denial
message displayed to
the user on a per-rule
basis
Add custom text or
HTML
Redirect the user to a
specific URL
39. Category Query
Administrator can use
the URL Filtering
Settings dialog box to
query the URL filtering
database
Enter the URL or IP
address as input
The result and its source
are displayed on the tab
40. URL Category Override
Administrator can override
the categorization of a URL
Feedback to MRS
via Telemetry
40
44. Threats and Controls
Application
HTTPS Anti- URL
Threats Layer NIS
Inspection malware Filtering
Firewall
Malware
Phishing
Liability
Data Leakage
Lost Productivity
Loss of Control
Full Partial Enabler
45. HTTP Malware Inspection
MU or WSUS
• Integrates Microsoft Antivirus engine
Third party plug-ins can be used
• Signature and engine updates
(native Malware inspection must
• Subscription-based
be disabled)
Content delivery methods
by content type
Signatures
DB
Internet
TMG
• Source and destination exceptions
• Global and per-rule inspection options
(encrypted files, nested archives, large
files…)
• Logging and reporting support
• Web Access Wizard integration
46. Content Trickling
Firewall Service
GET msrdp.cab GET msrdp.cab
Web Proxy
200 OK Malware Inspection 200 OK
Filter
Request Context
Accumulated Content
Scanner
46
47. Progress Notification
Firewall Service
GET
GET setup.exe GET FinalDownload
GET setup.exe
Web Proxy GetDownloadStatus
200 OK (setup.exe) Malware Inspection 200 OK (Retrieving)
200 OK (setup.exe)
200 OK (Scanning)
200 OK (Ready)
(HTML)
Filter
Primary Request
Context
Accumulated Content
Secondary Request Context
Downloads Map
Scanner
47
48. Malware Scanner Behavior
• Partial inspection for Standard Trickling
High • Final inspection for files smaller than 1 MB when
Progress Page is not used
• Partial inspection for Fast Trickling
Normal • Final inspection for files larger than 1 MB but
smaller than 50 MB when Progress Page is not used
• Final inspection when Progress Page is used
Low • Final inspection for files larger than 50 MB
Low Priority Queue Normal Priority Queue High Priority Queue
Antimalware Engine
48
49. Enabling Malware Inspection
Activate the Web
Protection license
Enable malware
inspection on Web
access rules
Web Access Policy
Wizard or New
Access Rule Wizard
for new rules
Rule properties for
existing rules
49
50. Scenario Walkthrough
Contoso Web Access Policy
No browsing to sites that pose security or liability risks, but...
Researchers need access to gambling sites
This includes access to encrypted archives
Malware Inspection should be enabled for all Web traffic
HTTPS Inspection should be enabled, with user notifications
Deny all Web downloads larger than 500MB
50
52. Malware Inspection Global Settings
Administrator can
configure malware
blocking behavior:
Low, medium and high
severity threats
Suspicious files
Corrupted files
Encrypted files
Archive bombs
Too many depth levels or
unpacked content too
large
File size too large
52
57. The Problem
Un-patched vulnerabilities
Average survival time of unpatched Windows® XP
less than 20 minutes
About two percent of Windows® machines are fully patched
Vulnerability window
Increasing number of zero days
Attackers craft exploits faster than customers can deploy patches
Encryption and protocol tunneling are a complicated
problem for a defense technology (for example, HTTPS)
57
58. Defining a Intrusion Prevention System (IPS)
Allow Known Block Known Block Unknown
Good Bad Bad
Execution Application Resource Behavioral
Level Control Shielding Containment
Application Application and AV Application
Level System Inspection
Hardening Network Inspection System
Network Firewall Attack-Facing Vulnerability-
Level Network Facing Network
Inspection Inspection
Source: Host-Based Intrusion Prevention Systems (HIPS) Update – Gartner 2007
58
59. Network Inspection System (NIS)
Protocol decode-based traffic inspection system that uses
signatures of known vulnerabilities
Vulnerability-based signatures (vs. exploit-based signatures used
by competing solutions)
Detects and potentially block attacks on network resources
NIS helps organizations reduce the vulnerability window
Protect machines against known vulnerabilities until patch can be
deployed
Signatures can be released and deployed much faster than
patches, concurrently with patch release, closing the vulnerability
window
Integrated into Forefront TMG
Synergy with HTTPS Inspection
59
60. New Vulnerability Use Case
Vulnerability is discovered
Response team prepares and tests the vulnerability signature
Signature released by Microsoft and deployed through distribution
service, on security patch release
All un-patched hosts behind Forefront TMG are protected
Corporate Network
Signature Authoring
Vulnerability Team Signature
TMG
Discovered Distribution
Service
Signature
Testing
Authoring
60
61. Network Inspection System
Powered by GAPA
Generic Application Protocol Analyzer
A framework and platform for safe and fast low level protocol
parsing
Supports extensibility and layering
Enables creating parsing-based rules for checking and applying
specific conditions (for example, signatures)
GAPA technology powers Microsoft’s Network Inspection
System (NIS)
61
62. Network Inspection System Architecture
Design Time
Protocol Parsers
Signatures
Microsoft
Update
Run Time
NIS Engine Telemetry
and Portal
62
63. NIS Response Process
Threat
Identification
Signature Threat
Release Research
Targeting 4 hours
Encyclopedia Signature
Write-up Development
Signature
Testing
65. Other Network Protection Mechanisms
Common OS attack detection
DNS attack filtering
IP option filtering
Flood mitigation
65
66. Common OS Attack Detection
Inspects traffic for the
following common attacks:
WinNuke
Land
Ping of Death
IP Half Scan
Port Scan
UDP Bomb
Offending packets are dropped
and an event generated
triggering an Intrusion
Detected alert
66
67. DNS Attack Filtering
Enables the following
checks in DNS traffic:
DNS host name overflow –
DNS response for a host
name exceeding 255 bytes
DNS length overflow – DNS
response for an IPv4 address
exceeding 4 bytes
DNS zone transfer – DNS
request to transfer zones from
an internal DNS server
67
68. IP Options Filtering
Forefront TMG can
block IP packets based
on the IP options set
Deny all packets with any
IP options
Deny packets with the
selected IP options
Deny packets with all
except selected IP
options
Forefront TMG can also
block fragmented IP
packets
68
69. Flood Mitigation
Forefront TMG flood
mitigation mechanism
uses: Custom
Limit Limit
Connection limits that
600 used to identify and
are 6000
160 400
block malicious traffic
80
Logging of flood
600 6000
mitigation events
1000Alerts that are triggered
160when a connection limit
600 exceeded
is 400
TMG comes with
default configuration
settings
Exceptions can be set
per computer set
69
71. Lab 2: Secure Web Gateway
In this lab, you will:
Create web access policies for Contoso
users, including inspection of HTTPS
sessions
Modify web access policy to include
protection from malware
Investigate the Network Inspection System
(NIS)
Lab 2 - Exercises 3, 4, and 5
Estimated Completion Time: 60 min
“Introducing the Secure Web Gateway A SWG is a product that filters unwanted software or malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, as well as malicious code detection and filtering. Leading solutions will also be able to provide Web application-level controls for at least some of the more popular applications, including IM. SWGs should integrate with directories to provide authentication and authorization, along with group- and user-level policy enforcement. An SWG must bring together all these functions, without compromising performance for end users, which has been a challenge for traditional antivirus Web filtering. URL filtering includes the categorization of known Web sites into groups to enable comprehensive reporting as well as blocking some sites, for acceptable usage, productivity and security risks. There is also an increasing requirement for dynamic risk analysis of uncategorized sites and pages. Web reputation will be an area of differentiation as vendors invest in ways to better identify and classify Web sites and domains.Malicious code filtering eliminates all malicious and potentially unwanted code from Web traffic. The most-common malware detection techniques are signature-based detection of known malware. However, as threats continue to evolve, we expect leading vendors to offer a cocktail of non-signature-based malware detection techniques to detect and block unknown and more-evasive threats. Web application-level controls enable businesses to carefully manage adoption and use of public Internet-based applications, such as IM, Internet telephony (for example, Skype), multiplayer games, Web storage, Wikis, peer-to-peer, public VoIP, blogs, data-sharing portals, Web backup, remote PC access, Web conferencing, chat and streaming media”.Gartner Group, “Introducing the Secure Web Gateway”, March 2007
“The total [SWG] composite market exceeded $1 billion in 2007 and was growing at a rate of 44% year over year. Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth. We expect average market growth rates to be in the 25% to 35% range for the next two years. This growth will be fueled by increased penetration of dedicated SWG devices, incremental feature revenue and the impact of appliance-based products replacing software.” Gartner Group, 2008
The following new Forefront TMG features support the Secure Web Gateway role:Web antimalware is part of a Web Protection subscription service for Forefront TMG. Web antimalware scans Web pages for viruses, malware, and other threats. URL filtering allows or denies access to Web sites based on URL categories (such as pornography, drug, hate, or shopping). Organizations can not only prevent employees from visiting sites with known malware, but also protect business productivity by limiting or blocking access to sites that are considered productivity distractions. URL filtering is also part of the Web Protection subscription service.Network Inspection System (NIS) enables traffic to be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS can block classes of attacks while minimizing false positives. Protections can be updated as needed.HTTPS inspection enables HTTPS-encrypted sessions to be inspected for malware or exploits. Specific groups of sites (for example, banking sites) can be excluded from inspection for privacy reasons. Users of the Forefront TMG client can be notified of the inspection. Logging and reporting – Forefront TMG collects log information for traffic handled by the Microsoft Firewall service and by the Web Proxy filter, and generates reports that summarize and analyze log information. It also provides the ability to send runtime event alerts (both pre-defined system alerts and custom alerts).
To provide HTTPS protection, Forefront TMG acts as an intermediary between the client computer that initiates the HTTPS connection and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following:Establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site’s server certificate.Copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS inspection certificate.Presents the new certificate to the client computer, and establishes a separate SSL tunnel with it.Because the HTTPS inspection certificate was previously placed in the client computer’s Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.
The certificate used for HTTPS inspection can be generated by Forefront TMG itself, or issued by a CA and then imported into Forefront TMG.Forefront TMG has the option to not inspect traffic, but validate site certificates.Select this option to check only the validity of secure Web site certificates. The certificate used by Forefront TMGfor HTTPS inspection has to be trusted by the clients. Active Directory can be used to do this for the domain joined machines.Some sources (for example, top executives) and some destinations (for example, financial institutions) may be excluded from HTTPS traffic.Clients can be notified that the HTTPS traffic is being inspected. This requires the use of the Forefront TMG client.
Commercial CAs will not typically issue HTTPS inspection certificates, because these certificates are themselves CA certificates, not end-entity certificates. Organizations will either use their internal PKIs to issue these certificates, or have Forefront TMG generate them.The HTTPS inspection certificate is stored to the configuration storage, and array members can begin using the HTTPS inspection certificate after synchronizing with the configuration storage.
There are two methods by which you can import the HTTPS inspection trusted root CA certificate to client computers: Automatically through Active Directory – Automatic deployment using Active Directory is the recommended method, because the certificate is stored in a secured location, and it saves administrators the overhead of manual deployment.Note: Automatic certificate deployment requires Forefront TMG to be deployed in a domain environment. Manually on each client computer – If you are not using Active Directory, the certificate must be installed manually on each client computer, and it must be placed in the local computer certificate store. Note that deployment through Active Directory will only work for browsers that use the Windows® certificate store (for example, Windows® Internet Explorer®, Opera, Chrome). Other browsers will need to be configured manually.
Let’s walk through a sample scenario where Contoso’s web access policy requires all HTTPS traffic to be inspected.
HTTPS inspection is configured using the Configure HTTPS Inspection task in the access policy task bar, or by using the Web Access Policy wizard.
The TMG administrator has the option to enable HTTPS inspection, to enable a validate-only policy where TMG will validate the server certificate but not actually inspect the traffic, or to disable it entirely. For the last two options, no certificate is required.
Administrators can choose to notify users that HTTPS traffic is being inspected.HTTPS Inspection certificates can be automatically generated by Forefront TMG or an existing certificate can be used. This certificate needs to be a CA certificate (that is, it needs to have an indication that it is a CA certificate in its Basic Constraints).
To receive notifications of HTTPS inspection, client computers must have the HTTPS inspection trusted root certification authority (CA) certificate installed in the local computer’s Trusted Root Certification Authorities certificate store. If the certificate is not installed in this specific certificate store, the user will not receive balloon notifications of HTTPS inspection.To enable HTTPS inspection notifications on Forefront TMG serverIn the Forefront TMG Management console, in the tree, click the Web Access Policy node.In the Tasks pane, click Configure HTTPS Inspection. On the Client Notification tab, click Notify users that HTTPS inspection is being inspected, and then click OK. To enable HTTPS inspection notification on Forefront TMG Client1. On the Secure Connection Inspection tab, select Notify me when content sent to secure Web sites is inspected.
Notifications are shown as a balloon by the Forefront TMG client.The user may also ask the browser to display the web site certificate information, which will be shown as issued by Forefront TMG.
URL filtering identifies certain types of Web sites (for example, known malicious sites and sites that display inappropriate or pornographic materials) and allows or blocks access to the sites based on predefined URL categories. The default categorization of a specific Web site is determined by the Microsoft Reputation Service (MRS) and can be edited by the Forefront TMG system administrator. When a request to access a Web site is received, Forefront TMG queries MRS to determine the categorization of the Web site. If the Web site has been categorized as a blocked URL category or category set, Forefront TMG blocks the request.When users request access to a Web site to which access is blocked, they receive a denial notification that includes the denied request category. In some cases, users may contact the administrator to dispute the categorization of the Web site. In such a case, you can check whether the URL was categorized properly. If the Web site was not categorized correctly, you can create a custom setting for this URL. For moreinformation, see the Microsoft TechNet article Introduction to managing URL filtering (http://technet.microsoft.com/en-us/library/dd897045.aspx).Forefront TMG features over 70 URL categories. A URL category is a collection of URLs that match a pre-defined criterion, such as, malicious, anonymizers, or illegal drugs. Categories are grouped by category sets, which can be used to simplify the configuration of Forefront TMG policies.Forefront TMG uses Microsoft Reputation Service (MRS), a cloud-based object categorization system hosted in Microsoft data centers, to categorize the URLs that users request. MRS is designed to provide comprehensive reputation content to enable core trust scenarios across Microsoft solutions. MRS maintains a database with tens of millions of unique URLs and their respective categories.
The benefits of applying URL filtering include:Enhancing your security by preventing access to malicious sites (such as phishing sites).Lowering liability risks by preventing access to sites that display inappropriate materials (such as, hate, criminal activities, or pornography sites).Improving the productivity of your organization, by preventing access to non-productive sites (such as games or instant messaging).Using URL filtering related reports and log entries to learn about the Web usage in your organization (such as the most commonly browsed URL categories).Excluding sites from inspection by the HTTPS and malware inspection mechanisms (such as excluding financial sites from HTTPS inspection because of privacy considerations).
The Microsoft Reputation Service (MRS) team wanted to confront an inherent problem with traditional URL filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution on its own. As a result, there are multiple vendors, each one specializing in a specific area of the solution.Some vendors specialize in identifying malicious sites and spam URLs, while others are rich with productivity related categories. Some specialize in covering the Internet's long tail(see http://en.wikipedia.org/wiki/The_Long_Tail), while others provide quick classification of previously unknown sites. Some use human-based classification, and others use machine-based techniques. Some are great with Web2.0 style URLs, and the list goes on. Even those vendors who employ several classification techniques and cover multiple categories can't deal with the huge and ever-expanding challenges of today's Web.MRS team's idea was simple: Let's leverage complementary capabilities of different vendors/sources to create a unified database that is best suited to deal with the challenges described above. And so, they have implemented a scalable architecture that allows incorporation of multiple streams of data into a merged database. In this way, each vendor and source brings its unique strengths to create a common solution.MRS already integrates several data sources and others will be on-boarded in the following months. Some of these data sources are internal to Microsoft, and others are the result of collaboration with third party partners. One such agreement, announced during RSA, is an agreement with Marshal8e6. (see this link for more information: http://www.marshal8e6.com/i/Marshal8e6-to-Provide-Web-Security-Library-to-Microsoft-,news.960~.asp)But the real benefit of MRS is that because it is a Web service, and because of its unique architecture, MRS can easily incorporate new databases in a way that is completely transparent to its customers. We expect the MRS unified database to expand over time and become the recognized industry leader. Forefront TMG customers will benefit naturally from this ongoing upgrade, through our Web security subscription services.
For policy purposes, URL Categories are standard network objects that can be used as destinations in Web access policies. Categories are also grouped into a higher-level hierarchy called Category Sets. Category Sets can also be used in Forefront TMG policy to simplify configuration.
Policies use URL categories as standard network objects in the Web access policy.
Let’s walk through a sample scenario where Contoso’s Web access policy requires that no browsing should be allowed to sites that pose specific risks to the organization, but also defines an exception to a specific group of users and a specific category of Web site.
URL Filtering is configured using the Configure URL Filtering task in the access policy task bar, or by using the Web Access Policy wizard.
Looking up a URL categoryThe following procedure describes how to query the URL filtering database regarding the categorization of a URL or IP address. In the Forefront TMG Management Console, in the tree, click Web Access Policy.In the Tasks pane, click Query for URL Category.On the Category Query tab, type a URL or IP address, and then click Query. The result of the category is displayed on the tab, as well as some insight as to the source of the categorization (for example, by override, IP address, or URL alias).
To change a domain's categorization, copy the URL or IP address, and click the URL Category Override tab. For more information, see the Microsoft TechNet article Overriding URL categorization (http://technet.microsoft.com/en-us/library/dd897110.aspx).
In this example, the user receives a phishing message that persuades the user to click on a link to http://www.phishingsite.com.
URL filtering identifies the link as a known phishing site and blocks the user from connecting to it.The Forefront TMG administrator can customize the message displayed to the user by adding custom text or HTML. Or the administrator can redirect the user to a specific URL (for example, a page displaying the organization’s web access policy).
Web traffic may contain malicious software (commonly called malware) such as worms, viruses, and spyware. Forefront TMG uses definitions of known viruses, worms, and other malware, which it downloads from Microsoft Update or Windows Server Update Services (WSUS), for malware inspection. The Forefront TMG Malware Inspection Filter scans Web pages and files that were requested by client computers, and either cleans it of harmful HTTP content, or blocks it from entering the internal network.
Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content:TricklingForefront TMG sends portions of the content to the user as the files are inspected. This process helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.
Progress notificationForefront TMG sends an HTML page to the client computer, which informs the user that the requested content is being inspected, and displays an summary of the download and inspection progress. After download and inspection of the content are completed, the page informs the user that the content is ready, and providesa button that the user can click to download the content.
This topic describes how to enable malware inspection for HTTP traffic in outbound requests. In Forefront TMG, you enable malware inspection globally, and then on a per rule basis. To enable malware inspection in Forefront TMG, you must:Activate the Web Protection license.Enable malware inspection on Web access rules.To enable global malware inspectionIn the Forefront TMG Management Console, in the tree, click the server name node.On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.Make a selection on the Microsoft Update Setup page, and click Next.On the Forefront TMG Protection Features Settings page, do the following: Select one of the licenses to enable Web protection.If you selected the Activate purchased license and enable Web Protection option, type the license activation code next to Key.Verify that Enable malware inspection is selected.Continue advancing through the wizard, and then click Finish. After enabling malware inspection globally on Forefront TMG, you must enable it on specific access rules, as follows: If you are creating new access rules, you can enable inspection via the Web Access Policy Wizard, or the New Access Rule Wizard. If you already have a rule on which you want to apply malware inspection, you can edit the properties of the rule.
Let’s walk through a sample scenario where Contoso’s web access policy requires that:All Web traffic should be inspected against malware.No files larger than 500MB should be downloaded from the Web.
Global malware inspection settings are configured by clicking on Configure Malware Inspection under Policy Editing Tasks in the Web Access Policy. These settings will apply to all web access rules, unless explicitly overridden.
Low severity threat– Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.Medium severity threat– Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings.High sensitivity threat – Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent.Suspicious files– Suspicious files may display one of more characteristics or behaviors associated with known malware. Files reported as suspicious are often detected proactively and may not have been previously seen by analysts. Files detected as suspicious are quarantined, and users may be prompted to submit these files for further analysis, so that specific detection may be added if required.Corrupted files– Corrupted files are those that have been modified in some way and may no longer function as intended.Detection of these files can be configured by the Forefront TMG administrator. Encrypted files– Encrypted files are those that have been transformed using encryption into an unreadable format for the purposes of secrecy. Once encrypted, the data cannot be interpreted (either by humans or machines) until it is decrypted. Malware may use encryption in order to make its code unreadable, which may hinder its detection and removal from the affected computer.
The Forefront TMG administrator can override the general malware inspection settings on a per Web access rule basis.
Progress notificationForefront TMG sends an HTML page to the client computer, that informs the user that the requested content is being inspected, and displays a summary of the download and inspection progress. After the content has been download and inspected, the page informs the user that the content is ready, and displays a button that the user can click to download the content.
Because there are increasing numbers of zero-day attacks at the network and application layer, we are constantly looking for ways to protect hosts and networks against exploitation of the discovered vulnerabilities. One of the key problems is that attackers can usually develop and use exploits for the disclosed vulnerabilities faster than patches can be developed and deployed. A review of past vulnerabilities shows that it can take up to a month to develop and release patches after the initial attacks reports, and then another one to two weeks for the customer to deploy the patch across the vulnerable computers. This leaves computers vulnerable to attacks and exploitationfor over a month.
What is the motivation behind Network Inspection System (NIS)?Because information worker users increasingly find it more difficult to achieve anytime anywhere access in a re-perimeterized world, ubiquitous and comprehensive protection for the outbound access scenario is paramount. Outbound access is defined as user-initiated network access—whether on the Internet or corporate network, and regardless of application or protocol. End users are predominately accessing the Internet using a Web browser, which creates an easy attack surface for malicious hackers. The nature of the Web demands unique protections around protocol vulnerabilities, including the frequently used HTTP and HTTPs protocols as well as other protocols such as RPC, SMB, and the different mail protocols. NIS is Microsoft’s response to this new and growing IT concern. In its first release, NIS is integrated with Forefront TMG as a component of the Intrusion Prevention System (IPS).
NIS is a protocol decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities (researched and developed by Microsoft Malware Protection Center - NIS Response Team) in addition to an operational signature distribution channel which enables dynamic signature snapshot distribution. For more information, see the Microsoft Malware Protection Center Threat Research & Response Blog (http://blogs.technet.com/mmpc/)The main differentiator in NIS is Signature Quality (minimum false positive and false negative) on Microsoft-focused vulnerabilities. NIS vulnerability signatures (versus exploit-based) cover all typesof exploit attacks which exploit vulnerability in contrast to attacks that exploit specific detections (which are susceptible to evasion).
Motivated by the large number of application-level protocols and new ones constantly emerging, Microsoft Research (MSR) have architected a Generic Application-level Protocol Analyzer (GAPA), that includes a protocol specification language (GAPAL) and an analysis engine that operates on network streams and traces. GAPA allows rapid creation of protocol analyzers, greatly reducing the development time needed (See the MSR research paper: http://research.microsoft.com/pubs/70223/tr-2005-133.pdf ). In Forefront TMG, NIS is based on the GAPA research as a signature-based Intrusion Prevention System (IPS).
Aim of Telemetry:Understand current malware landscapeImprove signature qualityTMG sends:Signature MatchesProtocol Parse ErrorsNo PII in Basic ModeEncourage customers to use it.
The Microsoft Malware Protection Center (MMPC) identify threats based on information received from various sources, including Microsoft Telemetry Service. When Malware Protection or NIS identifies an attack or potential malware, it reports information to Microsoft about the potential attack. This information is stored and analyzed by Microsoft to help identify attack patterns and improve precision and efficiency of threat mitigations.Based on this information, the MMPC develops a NIS signature for the vulnerability. This signature is tested to confirm that it properly identifies the threat and does not cause false positives, and then it is released through Microsoft Update.
Forefront TMG also includes other network protection mechanisms in addition to NIS:
Detection of common attacksCommon attacks include the following:Windows out-of-band (WinNuke) attack – An attacker launches an out-of-band denial-of-service (DoS) attack against a host protected by Forefront TMG. If the attack is successful, it causes the computer to fail or creates a loss of network connectivity on vulnerable computers.Land attack – An attacker sends a TCP SYN packet with a spoofed source IP address that matches the IP address of the targeted computer, and with a port number that is allowed by the Forefront TMG policy rules, so that the targeted computer tries to establish a TCP session with itself. If the attack is successful, some TCP implementations could go into a loop, which would cause the computer to fail.Ping of death – An attacker attaches a large amount of information (exceeding the maximum IP packet size) to an Internet Control Message Protocol (ICMP) echo (ping) request. If the attack is successful, a kernel buffer overflows, causing the computer to fail.IP half scan – An attacker repeatedly attempts to connect to a targeted computer, but does not send ACK packets in response to SYN/ACK packets. During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client that initiates the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most system logs do not log completed connections until the final ACK packet is received from the source. Sending other types of packets that do not follow this sequence can elicit useful responses from the target host, without causing a connection to be logged. UDP bomb – An attacker attempts to send a User Datagram Protocol (UDP) datagram, with illegal values in certain fields, which could cause some older operating systems to fail when the datagram is received. By default, no alert is configured for this type of attack.Port scan – An attacker attempts to count the services that are running on a computer by probing each port for a response. You can specify the number of ports that can be scanned before an event is generated.When Forefront TMG intrusion detection is enabled and offending packets are detected, they are dropped and an event that triggers an Intrusion Detected alert is generated. By default, the Intrusion Detected alert is reset automatically after one minute, during which time Forefront TMG continues to block offending packets but without issuing an alert. You can configure this alert to send you an e-mail notification when it is triggered. You can also enable logging of the dropped packets.The name of each type of detected attack corresponds to an additional condition in the definition of the Intrusion Detected event. For each additional condition (type of attack), you can define and enable an alert which specifies the actions to be taken in response to the event, and is issued by the Microsoft Firewall service, when all the conditions specified in the alert are met. The actions that can be triggered by an alert include: sending an e-mail message, invoking a command, writing to a log, and starting or stopping Forefront TMG services.
The Forefront TMG Domain Name System (DNS) filter intercepts and analyzes all inbound DNS traffic that is destined for the internal network and other protected networks. If DNS attack detection is enabled, you can specify that the DNS filter checks for the following types of suspicious activity:DNS host name overflow – When a DNS response for a host name exceeds 255 bytes, applications that do not check host name length may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.DNS length overflow – When a DNS response for an IP address exceeds 4 bytes, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response.DNS zone transfer – A client system uses a DNS client application to transfer zones from an internal DNS server.When offending packets are detected, they are dropped and an event that triggers a DNS Intrusion alert is generated. You can configure the alerts to notify you that an attack was detected. When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered. By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually
Forefront TMG can drop all IP packets with any IP option in their header, all IP packets that have any of a list of selected IP options in their header, or all IP packets whose header contains any IP option that is not in the list of selected IP options. Forefront TMG can also drop all IP fragments. This topic includes procedures for enabling IP options filtering and IP fragment filtering. For more information about IP options filtering and IP fragment filtering, see the Microsoft TechNet article Overview of intrusion detection (http://technet.microsoft.com/en-us/library/cc995155.aspx).
The Forefront TMG flood mitigation mechanism uses:Connection limits that identify and block malicious traffic.Logging of flood mitigation events.Alerts that are triggered when a connection limit is exceeded.The default configuration settings for flood mitigation help ensure that Forefront TMG continues to function under a flood attack. Forefront TMGclassifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied, and meanwhile Forefront TMG will continue to serve all other traffic.The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following:Worm propagation – An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate, if there are policy rules based on Domain Name system (DNS) names, which require a reverse DNS lookup for each IP address.TCP flood attacks – An offending host establishes numerous TCP connections with a Forefront TMG server or other servers that are protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections, in an attempt to elude the counters. This consumes a large amount of resources.SYN attacks – An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.HTTP denial of service attacks – A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. Because the Forefront TMG Web proxy authenticates every request, this consumes a large amount of resources.Non-TCP distributed denial of service (DDoS) attacks – A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.UDP flood attacks – An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.Connection LimitsForefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic, handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, Web proxy clients in forward proxy scenarios, and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses, and helps administrators identify IP addresses that generate excessive traffic, which might be a symptom of a worm or other malware infection.A connection limit policy can be configured for an array or a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits:Connection limits that establish how many TCP connect requests and HTTP requests are allowed from a single IP address, that is not included in the list of IP address exceptions during one minute.Connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address, that is not included in the list of IP address exceptions. These include connection limits for TCP connections, UDP sessions, and ICMP and other raw IP connections. Custom connection limits that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address, that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which would require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, UDP sessions, and ICMP and other raw IP connections.
