Module 2: Secure Web Gateway
© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.
Module Overview
Secure Web Gateway overview
HTTPS inspection
URL filtering
Malware protection
Intrusion prevention
Lesson 1 – Secure Web Gateway Overview
What is a Secure Web Gateway (SWG)?
“A SWG is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, malicious code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype.”
Gartner Secure Web Gateway Magic Quadrant, August 2008
The Growing Market Potential
Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth
[Chart: SWG market size for 2008 through 2012, split into SaaS, Appliance and Software delivery; the vertical axis runs from 0 to 3000]
Source: Gartner Secure Web Gateway Magic Quadrant, August 2008
The Competitive Landscape
[Pie chart of market share by vendor: Websense, Trend, Microsoft, McAfee/Secure Computing, Blue Coat and Other; the segment values in the extracted text are 19%, 12%, 6%, 5%, 3% and 54%]
Forefront TMG as a Secure Web Gateway
Competitive Feature Set: URL Filtering, Malware Inspection, NIS
Easily Manageable: Web Access Wizard, Task Oriented Policy Management, Directory Services Integration, Licensing
Integrated Logging & Reporting Support: New reports, log fields
Scalable: Array Support, Load balancing
[Architecture diagram: Windows Server® 2008 / R2 as the platform; on it the Application Layer Proxy with Logging & Reporting, Network Inspection System, URL Filtering, HTTPS Inspection and Malware Inspection]
Secure Web Gateway Layered Security
Unifies inspection technologies to:
Protect against multi-channel threats
Simplify deployment
Keeps security up to date with updates to:
Web antimalware
URL filtering
Network Inspection System
Threats and Controls
[Matrix of threats against controls. Threats: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control. Controls: Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS. Legend: Full, Partial, Enabler]
Lesson 2 – HTTPS Inspection
Traditional SSL Security
Web browser sends a CONNECT request to the Web proxy:
CONNECT host_name:port HTTP/1.1
Web proxy allows the request to be sent to the TCP port specified in the request
Proxy informs the client that the connection is established
Client sends encrypted packets directly to the destination on the specified port without proxy mediation
What lies within this encrypted tunnel?
Forefront TMG HTTPS Traffic Inspection
HTTPS Inspection terminates the SSL traffic at the proxy for both ends and inspects the traffic against different threats
Trusted certificate generated by the proxy matching the URL expected by the client
[Diagram: the Internet-side SSL session uses the Contoso.com certificate signed by VeriSign; the client-side SSL session uses a Contoso.com certificate signed by TMG; between the two sessions the decrypted traffic passes through URL Filtering, Malware Inspection and the Network Inspection System]
Enabling HTTPS Traffic Inspection
[Diagram: the client receives Contoso.com signed by TMG; the Internet side presents Contoso.com signed by VeriSign]
Certificate deployment (via Active Directory® or Import/Export)
Configure HTTPS Inspection:
• Proxy certificate generation/import and customization
• Source and destination exclusions
• Validate only option
• Notification
Client notifications about HTTPS inspection (via Firewall client)
Certificate validation (revocation, trusted, expiration validation, etc.)
Generating the HTTPS Inspection Certificate
The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA
Administrators can customize the self-generated certificate
Commercial CAs will not typically issue HTTPS inspection certificates
The HTTPS inspection certificate is stored in the configuration store and used by all array members
Deploying the HTTPS Inspection Certificate
Two methods can be used to enable clients to trust the HTTPS Inspection Certificate:
Automatically through Active Directory (AD): uses the AD trusted root store to configure trust for all clients in the AD forest
Requires Forefront TMG to be deployed in a domain environment
Will not work for browsers that do not use the Windows certificate store for trust
Manually on each computer, using the root certificate installation procedure required by the browser
How HTTPS Inspection Works
Enable HTTPS inspection
Generate trusted root certificate
Install trusted root certificate on clients
For a client request to https://contoso.com:
1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for client
8. Bridge HTTPS traffic between client and server
[Diagram: contoso.com presents Contoso.com signed by VeriSign to TMG; TMG presents Contoso.com signed by TMG to the client]
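The certificate side of these steps, as an added Go example that is not TMG code (the product's own implementation is not shown in this deck). It uses only the standard library's crypto/x509 and constructs everything it needs: a stand-in public root that issues the origin server's certificate, a self-signed inspection root that plays the TMG trusted root, ECDSA P-256 keys and assumed validity periods. The point to notice is the order inside ProxyCertFor: validation (step 2) runs before the copy is made (steps 3 to 5), so a server certificate that is untrusted, expired or issued for a different name is never turned into one the client would trust, which is the failure the deck's certificate validation option exists to catch. Revocation checking is not implemented here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyedCert is a certificate together with its private key.
type keyedCert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a key pair for tmpl and signs it under parent with signer;
// a nil signer means self-signed with the new key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*keyedCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyedCert{cert, key}, nil
}

// leafTemplate describes a server certificate for the given names (constructed
// sample identity; a real origin certificate arrives in the TLS handshake).
func leafTemplate(commonName string, dnsNames []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// newCA creates a self-signed root: a stand-in for the public CA that issued
// the origin certificate, and for the TMG HTTPS inspection root.
func newCA(commonName string) (*keyedCert, error) {
	tmpl := leafTemplate(commonName, nil)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	return issue(tmpl, tmpl, nil)
}

func signLeaf(tmpl *x509.Certificate, ca *keyedCert) (*keyedCert, error) {
	return issue(tmpl, ca.Cert, ca.Key)
}

// InspectionProxy holds the inspection root, the roots it trusts when validating
// origin servers (step 2), and the per-host proxy certificate cache (step 6).
type InspectionProxy struct {
	root  *keyedCert
	trust *x509.CertPool
	cache map[string]*keyedCert
}

func NewInspectionProxy(root *keyedCert, trust *x509.CertPool) *InspectionProxy {
	return &InspectionProxy{root, trust, map[string]*keyedCert{}}
}

// ProxyCertFor returns the certificate (and key) the proxy presents to the client
// for host, plus whether it came from the cache. Validation runs first: an origin
// certificate that fails chain, name or validity checks is never re-signed, since a
// re-signed copy would hide that failure from every client trusting the inspection root.
func (p *InspectionProxy) ProxyCertFor(host string, origin *x509.Certificate) (*keyedCert, bool, error) {
	if _, err := origin.Verify(x509.VerifyOptions{Roots: p.trust, DNSName: host}); err != nil {
		return nil, false, fmt.Errorf("origin certificate for %s rejected: %w", host, err)
	}
	if c, ok := p.cache[host]; ok && time.Now().Before(c.Cert.NotAfter) {
		return c, true, nil
	}
	// Steps 3-5: copy identity and validity from the origin certificate, sign with the root.
	tmpl := leafTemplate(origin.Subject.CommonName, origin.DNSNames)
	tmpl.NotBefore, tmpl.NotAfter = origin.NotBefore, origin.NotAfter
	c, err := signLeaf(tmpl, p.root)
	if err != nil {
		return nil, false, err
	}
	p.cache[host] = c
	return c, false, nil
}
```

Steps 7 and 8 (serving the client's TLS session with the returned certificate and key, and bridging to the origin) are the proxy's ordinary TLS and forwarding work and are left out. The cache is keyed by host name, so one entry serves every client of that array member until the copied validity period ends; a multi-threaded proxy would guard the map with a mutex.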
Scenario Walkthrough
Contoso Web Access Policy
No browsing to sites that pose security or liability risks, but...
Researchers need access to gambling sites
This includes access to encrypted archives
Malware Inspection should be enabled for all Web traffic
HTTPS Inspection should be enabled, with user notifications
Deny all Web downloads larger than 500MB
Configuring HTTPS Inspection
HTTPS Inspection Notifications
Notification provided by the Forefront TMG client:
Notify user of inspection
History of recent notifications
Management of Notification Exception List
May be a legal requirement in some geographies
HTTPS Inspection Notification: User Experience
Lesson 3 – URL Filtering
Forefront TMG URL Filtering
• 91 built-in categories
• Predefined and administrator-defined category sets
• Integrates leading URL database providers
• Subscription-based
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule, deny messages
[Diagram: TMG queries the URL DB of the Microsoft Reputation Service over the Internet]
URL Filtering Benefits
Control user web access based on URL categories
Protect users from known malicious sites
Reduce liability risks
Increase productivity
Reduce bandwidth and Forefront TMG resource consumption
Analyze Web usage
Microsoft Reputation Service
Accuracy
Comprehensive and flexible category taxonomy
Broad coverage through path inheritance
Overlapping and complementary URL metadata sources
Accuracy measured and tuned across providers (weighting)
Telemetry-based error reporting and client data capture
Unknowns ranked and resolved based on prevalence
Performance
Four-tier architecture
Protocol-level packaging
Bloom filters
Availability
Globally-scaled, fault-tolerant architecture
Multi-layer dynamic caching (on-premise + service)
What Makes MRS Compelling?
Existing URL filtering solutions:
A single vendor can't be expert in all categories
Categorization response time
MRS unique architecture:
MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy)
Based on Microsoft internal sources as well as collaboration with third-party partners
Scalable
Ongoing collaborative effort: recently announced an agreement with Marshal8e6, more announcements to follow
Feedback mechanism on category overrides
How Forefront TMG Leverages MRS
[Diagram: the Categorizer on TMG checks the local Policy and Cache first and fetches the URL category from MRS in the Microsoft datacenters on a cache miss; MRS answers with a federated query across multiple vendors, combined with telemetry data; the telemetry path from TMG to MRS also runs over SSL]
• Fetch on cache miss
• SSL for auth & privacy
• No PII
Cache: persistent, in-memory, weighted TTL
URL Filtering Categories
Liability
Security
Productivity
Categories and Inheritance
URL Filtering Policy
URL categories are standard network objects
Administrator can create custom URL category sets
Scenario Walkthrough
Contoso’s Web Access Policy
Access rule allowing users in the Research group to access gambling and gambling-related sites
Access rule denying everyone access to Liability and Security sites
Per-rule Customization
TMG administrator can customize the denial message displayed to the user on a per-rule basis:
Add custom text or HTML
Redirect the user to a specific URL
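The Contoso rules, the per-rule denial message and the path-inheritance lookup, as an added Go example that is not TMG's policy engine. The URL database entries, the .test host names and the membership of the Liability and Security category sets are constructed for the example (www.phishingsite.com is the deck's own sample URL). Rules are evaluated top to bottom, as TMG evaluates its access policy, and a nil Categories or Groups field stands for "all content" or "all users"; only the custom text/HTML form of the denial message is modelled, not the redirect.

```go
package main

import "strings"

// CategorySet is a set of URL category names, a standard network object in TMG policy.
type CategorySet map[string]bool

// Categorizer answers "what category is this URL?" from a local database plus
// administrator overrides (both constructed here). A lookup walks up the path, so a
// categorised site covers its sub-paths unless a longer entry exists (path inheritance).
type Categorizer struct {
	DB        map[string]string // stand-in for the URL database
	Overrides map[string]string // administrator URL category overrides
}

// Lookup returns the category and its source: "override", "db" or "none".
func (c *Categorizer) Lookup(url string) (string, string) {
	key := strings.TrimPrefix(strings.TrimPrefix(strings.ToLower(url), "https://"), "http://")
	for key = strings.TrimSuffix(key, "/"); ; {
		if cat, ok := c.Overrides[key]; ok {
			return cat, "override"
		}
		if cat, ok := c.DB[key]; ok {
			return cat, "db"
		}
		i := strings.LastIndex(key, "/")
		if i < 0 {
			return "Uncategorized", "none"
		}
		key = key[:i] // drop the last path segment and inherit from the parent
	}
}

// Rule is one ordered Web access rule.
type Rule struct {
	Name        string
	Allow       bool
	Categories  CategorySet     // nil matches all content
	Groups      map[string]bool // nil matches all users
	DenyMessage string          // per-rule custom text or HTML shown to the user
}

// Decision records the outcome and, for a deny, what the user sees.
type Decision struct {
	Allowed  bool
	Rule     string
	Category string
	Message  string
}

// applies reports whether rule r covers this category and one of the user's groups.
func applies(r Rule, category string, userGroups map[string]bool) bool {
	if r.Categories != nil && !r.Categories[category] {
		return false
	}
	for g := range userGroups {
		if r.Groups[g] {
			return true
		}
	}
	return r.Groups == nil
}

// Evaluate walks the rules in order; the first match decides, and the implicit
// default rule denies anything no rule matched.
func Evaluate(rules []Rule, c *Categorizer, userGroups map[string]bool, url string) Decision {
	category, _ := c.Lookup(url)
	for _, r := range rules {
		if applies(r, category, userGroups) {
			return Decision{Allowed: r.Allow, Rule: r.Name, Category: category, Message: r.DenyMessage}
		}
	}
	return Decision{Rule: "Default rule", Category: category, Message: "Access denied by the default rule"}
}

// ContosoPolicy encodes the scenario's rules in order; which categories make up
// the Liability and Security sets is constructed for the example.
func ContosoPolicy() []Rule {
	return []Rule{
		{Name: "Research gambling access", Allow: true, Groups: map[string]bool{"Research": true},
			Categories: CategorySet{"Gambling": true}},
		{Name: "Deny liability and security sites", // Liability set + Security set
			Categories:  CategorySet{"Gambling": true, "Adult": true, "Weapons": true, "Phishing": true, "Malware": true, "Anonymizers": true},
			DenyMessage: "<p>This site is blocked by Contoso policy. Contact the helpdesk.</p>"},
		{Name: "Allow Web access", Allow: true},
	}
}

// SampleCategorizer holds constructed entries; the .test host names are not real sites.
func SampleCategorizer() *Categorizer {
	return &Categorizer{
		DB: map[string]string{
			"www.contoso.com":          "Business",
			"www.example-casino.test":  "Gambling",
			"www.phishingsite.com":     "Phishing", // the deck's own example URL
			"news.example.test":        "News",
			"news.example.test/casino": "Gambling", // a sub-path categorised on its own
			"www.partner-sweeps.test":  "Gambling",
		},
		Overrides: map[string]string{"www.partner-sweeps.test": "Business"},
	}
}
```

Evaluate(ContosoPolicy(), SampleCategorizer(), groups, url) returns the decision for one request; the category query and override features of the URL Filtering Settings dialog correspond to Lookup and the Overrides map.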
URL Filtering Configuration
Category Query
Administrator can use the URL Filtering Settings dialog box to query the URL filtering database:
Enter the URL or IP address as input
The result and its source are displayed on the tab
URL Category Override
Administrator can override the categorization of a URL
Feedback to MRS via telemetry
User Experience: denial page shown for http://www.phishingsite.com
User Experience: denial message customized with HTML tags
Lesson 4 – Malware Protection
HTTP Malware Inspection
• Integrates Microsoft Antivirus engine
• Signature and engine updates
• Subscription-based
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files…)
• Logging and reporting support
• Web Access Wizard integration
Content delivery methods by content type
Third-party plug-ins can be used (native malware inspection must be disabled)
[Diagram: TMG receives signature database updates from Microsoft Update (MU) or WSUS]
Content Trickling
[Sequence diagram with participants Firewall Service / Web Proxy, Malware Inspection Filter (Request Context) and Scanner: GET msrdp.cab is forwarded, the 200 OK response is accumulated in several chunks and passed to the scanner, and the 200 OK is delivered to the client]
Progress Notification
[Sequence diagram with participants Firewall Service / Web Proxy, Malware Inspection Filter (Primary Request Context, Secondary Request Context, Downloads Map) and Scanner: GET setup.exe is forwarded and the 200 OK (setup.exe) response is accumulated for scanning; the client receives a 200 OK (HTML) progress page instead, polls with GET GetDownloadStatus and receives 200 OK (Retrieving), 200 OK (Scanning) and 200 OK (Ready), then issues GET FinalDownload and receives 200 OK (setup.exe)]
Malware Scanner Behavior
The antimalware engine serves three queues:
High priority queue:
• Partial inspection for Standard Trickling
• Final inspection for files smaller than 1 MB when Progress Page is not used
Normal priority queue:
• Partial inspection for Fast Trickling
• Final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used
Low priority queue:
• Final inspection when Progress Page is used
• Final inspection for files larger than 50 MB
Enabling Malware Inspection
Activate the Web Protection license
Enable malware inspection on Web access rules:
Web Access Policy Wizard or New Access Rule Wizard for new rules
Rule properties for existing rules
Scenario Walkthrough
Malware Inspection Global Settings
Administrator can configure malware blocking behavior for:
Low, medium and high severity threats
Suspicious files
Corrupted files
Encrypted files
Archive bombs: too many depth levels or unpacked content too large
File size too large
Malware Inspection Per-rule Overrides
User Experience: Content Blocked
User Experience: Progress Notification
Lesson 5 – Intrusion Prevention
The Problem
Un-patched vulnerabilities:
Average survival time of unpatched Windows® XP is less than 20 minutes
About two percent of Windows® machines are fully patched
Vulnerability window:
Increasing number of zero days
Attackers craft exploits faster than customers can deploy patches
Encryption and protocol tunneling are a complicated problem for a defense technology (for example, HTTPS)
Defining an Intrusion Prevention System (IPS)
Level | Allow Known Good | Block Known Bad | Block Unknown Bad
Execution Level | Application Control | Resource Shielding | Behavioral Containment
Application Level | Application and System Hardening | AV | Application Inspection
Network Level | Firewall | Attack-Facing Network Inspection | Vulnerability-Facing Network Inspection (Network Inspection System)
Source: Host-Based Intrusion Prevention Systems (HIPS) Update – Gartner 2007
Network Inspection System (NIS)
Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
Detects and potentially blocks attacks on network resources
NIS helps organizations reduce the vulnerability window:
Protects machines against known vulnerabilities until a patch can be deployed
Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window
Integrated into Forefront TMG; synergy with HTTPS Inspection
New Vulnerability Use Case
Vulnerability is discovered
Response team prepares and tests the vulnerability signature
Signature released by Microsoft and deployed through the distribution service, on security patch release
All un-patched hosts behind Forefront TMG are protected
[Diagram: Vulnerability Discovered → Signature Authoring Team (signature authoring, testing) → Signature Distribution Service → TMG in the Corporate Network]
Network Inspection System: Powered by GAPA
Generic Application Protocol Analyzer:
A framework and platform for safe and fast low-level protocol parsing
Supports extensibility and layering
Enables creating parsing-based rules for checking and applying specific conditions (for example, signatures)
GAPA technology powers Microsoft’s Network Inspection System (NIS)
Network Inspection System Architecture
[Diagram: at design time, protocol parsers and signatures are written in the GAPA Language and compiled; at run time the NIS Engine loads the Protocol Parsers and Signatures (delivered through Microsoft Update), inspects intercepted network traffic, and reports telemetry to the portal]
NIS Response Process
Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release
Targeting 4 hours
Enabling and Configuring NIS
Other Network Protection Mechanisms
Common OS attack detection
DNS attack filtering
IP option filtering
Flood mitigation
Common OS Attack Detection
Inspects traffic for the following common attacks:
WinNuke
Land
Ping of Death
IP Half Scan
Port Scan
UDP Bomb
Offending packets are dropped and an event generated, triggering an Intrusion Detected alert
DNS Attack Filtering
Enables the following checks in DNS traffic:
DNS host name overflow – DNS response for a host name exceeding 255 bytes
DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes
DNS zone transfer – DNS request to transfer zones from an internal DNS server
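The three DNS checks as an added Go example of the detection logic; it is not TMG's DNS filter or NIS code. It parses the DNS header, question and answer sections, follows name compression pointers with a hop bound so a pointer loop cannot hang the parser, and returns the reason a message would be dropped (an empty string means it passes). The 255-byte and 4-byte limits come from the slide; buildMessage constructs sample queries and responses for trying the filter and is not captured traffic.

```go
package main

import (
	"encoding/binary"
	"strings"
)

const typeA, typeAXFR uint16 = 1, 252

// readName walks a possibly compressed name at off and returns its uncompressed
// wire length and the offset just past the name, or ok=false if it is malformed.
func readName(msg []byte, off int) (wireLen, next int, ok bool) {
	next = -1 // fixed at the first compression pointer, or at the end of the name
	for hops := 0; hops < 64; hops++ { // a pointer loop must not hang the parser
		if off+1 >= len(msg) { // a valid name is always followed by more fields
			return 0, 0, false
		}
		l := int(msg[off])
		if l&0xC0 == 0xC0 { // compression pointer: continue at the target offset
			if next < 0 {
				next = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
			continue
		}
		if off+1+l > len(msg) {
			return 0, 0, false
		}
		wireLen += 1 + l
		if l == 0 { // root label ends the name
			if next < 0 {
				next = off + 1
			}
			return wireLen, next, true
		}
		off += 1 + l
	}
	return 0, 0, false
}

// InspectDNS returns "" when the message passes, otherwise the reason to drop it:
// one of the slide's three checks, or a malformed/truncated message.
func InspectDNS(msg []byte, toInternalServer bool) string {
	if len(msg) < 12 {
		return "truncated header"
	}
	isResponse := msg[2]&0x80 != 0
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	off := 12
	for i := 0; i < qd+an; i++ {
		n, next, ok := readName(msg, off)
		if !ok {
			return "malformed name"
		}
		if isResponse && n > 255 { // host name overflow
			return "DNS host name overflow"
		}
		if i < qd { // question section: QTYPE, QCLASS
			if next+4 > len(msg) {
				return "truncated question"
			}
			if qtype := binary.BigEndian.Uint16(msg[next:]); !isResponse && toInternalServer && qtype == typeAXFR {
				return "DNS zone transfer"
			}
			off = next + 4
		} else { // answer section: TYPE, CLASS, TTL, RDLENGTH, RDATA
			if next+10 > len(msg) {
				return "truncated resource record"
			}
			rtype, rdlen := binary.BigEndian.Uint16(msg[next:]), int(binary.BigEndian.Uint16(msg[next+8:]))
			if rtype == typeA && rdlen > 4 { // length overflow: an IPv4 address is 4 bytes
				return "DNS length overflow"
			}
			if off = next + 10 + rdlen; off > len(msg) {
				return "truncated RDATA"
			}
		}
	}
	return ""
}

// buildMessage constructs sample traffic (not captured packets): a query for
// qname/qtype or, when rdata is non-nil, the matching response carrying one A
// record whose name is a compression pointer back to the question name.
func buildMessage(qname string, qtype uint16, rdata []byte) []byte {
	msg := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, RD=1, QDCOUNT=1
	for _, label := range strings.Split(qname, ".") {
		msg = append(append(msg, byte(len(label))), label...)
	}
	msg = append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root label, QTYPE, QCLASS=IN
	if rdata != nil {
		msg[2], msg[3], msg[7] = 0x81, 0x80, 1 // QR=1, RA=1, ANCOUNT=1
		msg = append(msg, 0xC0, 12, 0, 1, 0, 1, 0, 0, 0, 60, byte(len(rdata)>>8), byte(len(rdata)))
		msg = append(msg, rdata...)
	}
	return msg
}
```

InspectDNS(buildMessage("www.contoso.com", typeA, make([]byte, 16)), false) returns "DNS length overflow"; the toInternalServer flag is what the zone transfer check keys on, since an AXFR request leaving the network toward an external server is not the case the slide describes.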
IP Options Filtering
Forefront TMG can block IP packets based on the IP options set:
Deny all packets with any IP options
Deny packets with the selected IP options
Deny packets with all except the selected IP options
Forefront TMG can also block fragmented IP packets
Flood Mitigation
Forefront TMG flood mitigation mechanism uses:
Connection limits that are used to identify and block malicious traffic
Logging of flood mitigation events
Alerts that are triggered when a connection limit is exceeded
TMG comes with default configuration settings
Exceptions can be set per computer set
[Table of default connection limits with a Limit column and a Custom Limit column; the values 80, 160, 400, 600, 1000 and 6000 appear in the extracted text without their row labels]
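The flood mitigation mechanism as an added Go example that is not TMG code: a per-client concurrent-connection limit, a custom limit for the members of one computer set (the exception), a log entry for every dropped connection, and a single alert per client. The limit values used (3 and 5) are constructed placeholders, since the default-limit table did not survive extraction, and the counters are single-threaded; a real proxy would guard them with a mutex.

```go
package main

import "fmt"

// FloodMitigation applies per-client concurrent-connection limits, with a custom
// limit for the addresses in one computer set, logs every limit violation and
// raises one alert per client the first time its limit is exceeded.
type FloodMitigation struct {
	DefaultLimit int
	CustomLimit  int
	ComputerSet  map[string]bool // clients subject to CustomLimit (the exception)
	active       map[string]int  // open connections per client address
	alerted      map[string]bool // clients that already triggered an alert
	Log          []string        // flood mitigation events, in order
	Alerts       []string
}

func NewFloodMitigation(defaultLimit, customLimit int, computerSet map[string]bool) *FloodMitigation {
	return &FloodMitigation{DefaultLimit: defaultLimit, CustomLimit: customLimit, ComputerSet: computerSet,
		active: map[string]int{}, alerted: map[string]bool{}}
}

// LimitFor picks the custom limit for members of the computer set, else the default.
func (f *FloodMitigation) LimitFor(client string) int {
	if f.ComputerSet[client] {
		return f.CustomLimit
	}
	return f.DefaultLimit
}

// Connect admits a new connection from client or, when the client is already at
// its limit, drops it, logs the event and alerts on the first violation.
func (f *FloodMitigation) Connect(client string) bool {
	limit := f.LimitFor(client)
	if f.active[client] >= limit {
		f.Log = append(f.Log, fmt.Sprintf("connection from %s dropped: %d open connections, limit %d", client, f.active[client], limit))
		if !f.alerted[client] {
			f.alerted[client] = true
			f.Alerts = append(f.Alerts, "Connection limit exceeded by "+client)
		}
		return false
	}
	f.active[client]++
	return true
}

// Close releases one connection held by client.
func (f *FloodMitigation) Close(client string) {
	if f.active[client] > 0 {
		f.active[client]--
	}
}

// Active reports the client's current open connection count.
func (f *FloodMitigation) Active(client string) int { return f.active[client] }

func main() {
	fm := NewFloodMitigation(3, 5, map[string]bool{"10.0.0.50": true}) // constructed addresses
	for i := 0; i < 4; i++ {
		fmt.Println("10.0.0.7 admitted:", fm.Connect("10.0.0.7"))
	}
	fmt.Println(fm.Log, fm.Alerts)
}
```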
Questions
Lab 2: Secure Web Gateway
In this lab, you will:
Create web access policies for Contoso users, including inspection of HTTPS sessions
Modify web access policy to include protection from malware
Investigate the Network Inspection System (NIS)
Lab 2 - Exercises 3, 4, and 5
Estimated Completion Time: 60 min
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.