forefront tmg 2010 virtualization
Post on 24-May-2015
Virtualization of Forefront Threat Management Gateway 2010
Esmaeil Sarabadani, MCT, MCSA/MCSE Security, Redynamics Asia Sdn. Bhd.
What will be covered …
Virtual Edge Security Concerns
The Story of The Parent …
Defining The Traffic Flow and The Traffic Profile
Deploying Forefront TMG as the Virtual Edge Firewall
Designing a Virtual perimeter network or DMZ
Tips For a Better Management and Performance
Deploying Forefront TMG as a Three-Legged and Back-to-Back Firewall
Why do we virtualize the edge?
• Faster disaster recovery in case of edge failure
• Increasing the complexity of the network for hackers
• Suitable for small businesses
Virtualization of the Network Edge: Concerns …
• "Software is less secure than hardware"
  • Hardware firewalls are all software-based; they just come in a hardware package.
Virtualization of the Network Edge: Concerns …
• More complicated network structure
• More difficult to manage
• The same old argument against Windows security being placed on the edge. Windows-based roles that already sit on the edge:
  • Exchange Server 2010 Edge Role
  • Office Communications Server 2007 Edge Role
  • ISA Server has been on the edge for 10 years; check its published security bulletins before accepting the claim that it has had no exploits.
• "Linux is more secure than Windows"
OS Vulnerabilities in 2010 (information from www.securityfocus.com)
Windows    33
Linux     179
Raw counts like these depend on what the database files under each name (for Linux, typically many distributions and kernel versions) and say nothing about severity or about exposure on an edge device; they are a talking point, not a measurement.
The story of the parent … Physical vs. Virtual
[Figure: the physical stack is Hardware > Operating System > Application (TMG). The virtual stack is Hardware > Hypervisor, with the Parent Operating System and its applications beside one or more Child (Guest) Operating Systems and their applications. TMG is drawn at all three application positions; the check mark is on the child partition, the only place it should run.]
The story of the parent …
• If the parent is compromised, the whole virtualized environment is compromised: the parent partition owns the virtual switches and the management stack, so whoever controls it controls every guest's disks, memory and network.
[Figure: a parent partition running TMG between the Internet and the LAN, with the virtual networking components and two guest OSs behind it; the parent, the virtual networking components and every guest are marked COMPROMISED.]
The story of the parent …
• DO NOT install TMG on the parent partition
• Run Windows Server 2008 R2 Core on the parent
• DO NOT use the parent as a workstation … it's a SERVER …
• Restrict the management of the parent
• Enable BitLocker on the parent
• Keep the parent OS up-to-date
• Disconnect the parent from the internet
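The checklist above can be turned into an audit. The script below is an added example, not part of the talk's demo: it checks a Hyper-V parent partition against those points and returns a list of findings. It assumes Windows Server 2008 R2 with PowerShell 2.0, run elevated on the parent; the TMG Firewall service name "fwsrv" (the service TMG installs), the connection name of the management adapter and the acceptable patch age are assumptions supplied as parameters.

```powershell
# Added audit script, not from the talk: checks a Hyper-V parent partition against the
# hardening points above and lists findings. Assumes Windows Server 2008 R2 with
# PowerShell 2.0, run elevated on the parent. Assumptions: the TMG firewall service is
# "fwsrv"; the management adapter name and the patch-age policy come from the caller.
param(
    [string]$ManagementAdapter = 'Management',  # assumed connection name of the parent's management NIC
    [int]$MaxPatchAgeDays = 30                  # assumed policy behind "keep the parent OS up-to-date"
)

$findings = @()

# 1. TMG must not run on the parent: look for the TMG Firewall service.
if (Get-Service -Name fwsrv -ErrorAction SilentlyContinue) {
    $findings += 'TMG Firewall service (fwsrv) is installed on the parent; TMG belongs in a child partition.'
}

# 2. The parent should be a Server Core installation (InstallationType = "Server Core").
$inst = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
if ($inst -ne 'Server Core') {
    $findings += "Parent is a '$inst' installation, not Server Core."
}

# 3. BitLocker on the OS volume: Win32_EncryptableVolume.ProtectionStatus 1 = protection on.
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'" -ErrorAction SilentlyContinue
if (-not $vol) {
    $findings += 'BitLocker WMI provider not found for C:; the BitLocker feature is probably not installed.'
} elseif ($vol.ProtectionStatus -ne 1) {
    $findings += "BitLocker protection is not on for C: (ProtectionStatus=$($vol.ProtectionStatus))."
}

# 4. Patch currency: date of the most recently installed hotfix.
$newest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $newest) {
    $findings += 'No hotfix with an install date found.'
} elseif ($newest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "Newest hotfix $($newest.HotFixID) was installed $($newest.InstalledOn.ToShortDateString()), more than $MaxPatchAgeDays days ago."
}

# 5. Disconnected from the internet: only the management adapter may carry an IP stack.
#    Sharing the Internet-facing physical NIC with the parent (the "allow management
#    operating system" option on an external virtual switch) shows up as a second
#    IP-enabled adapter.
$ipConfigs = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')
foreach ($cfg in $ipConfigs) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index=$($cfg.Index)"
    if ($nic.NetConnectionID -ne $ManagementAdapter) {
        $findings += "Adapter '$($nic.NetConnectionID)' has an IP stack on the parent ($($cfg.IPAddress -join ', ')); only '$ManagementAdapter' should."
    }
}

# 6. Restricted management: the Windows Firewall is what limits who can reach the
#    parent's management ports, so every profile must be on.
$fwOff = @(& netsh advfirewall show allprofiles state | Where-Object { $_ -match '^State\s+OFF' })
if ($fwOff.Count -gt 0) {
    $findings += "Windows Firewall is off on $($fwOff.Count) profile(s)."
}

if ($findings.Count -eq 0) { 'Parent partition passes all checks.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Check 5 is the one that catches the most common mistake: creating the Internet-facing external virtual switch with management-OS sharing left on, which silently gives the parent an address on the Internet segment. The "workstation" point cannot be audited by script; it is enforced by running Core and by who is allowed to log on.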
Configuring the parent partition (demo)
TMG as an Edge Firewall
[Figure: on the Hyper-V host, the Internet reaches a physical NIC bound to an external virtual switch connected to the internet; Virtual NIC 1 of the guest OS running TMG sits on that switch and Virtual NIC 2 on a second external virtual switch connected to the LAN through the second physical NIC. The parent OS is disconnected from the internet.]
Deploying TMG as an Edge Firewall (demo)
Defining The Traffic Profile
Virtual environments make the network structure more complex for an attacker to penetrate, but only if the firewall policy is as specific as the topology.
• Capture the network traffic on the TMG host using the Microsoft Network Monitor tool, and build the profile (which clients talk to which destinations, over which protocols and ports) from the capture.
• Avoid the use of an Allow All rule; replace it with rules for the protocols the profile actually shows.
• Restrict RPC and DCOM to specific ports: a fixed port range on the server, with only the endpoint mapper (TCP 135) and that range allowed through TMG.
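The profiling step, as an added example that is not the talk's demo: TMG can also write its firewall log as W3C text, and the script below derives a traffic profile from such a log to show what an Allow All rule is really carrying. The log lines are constructed for this example; the field names (client-ip, dest-ip, dest-port, transport, protocol, action, rule) are assumptions, and the parser takes the column names from the #Fields header rather than fixed positions. The rule name "Allow_All" and the dynamic-port boundary are parameters; 49152 is the default start of the RPC dynamic range on Windows Vista/Server 2008 and later. Written for PowerShell 2.0.

```powershell
# Added example, not from the talk: build a traffic profile from a TMG firewall log in
# W3C text format. Log content and field names below are constructed/assumed.
$sampleLog = @'
#Software: Microsoft(R) Forefront(TM) Threat Management Gateway
#Fields: client-ip dest-ip dest-port transport protocol action rule
10.0.0.15 203.0.113.10 80 TCP HTTP Allowed Allow_All
10.0.0.15 203.0.113.10 443 TCP HTTPS Allowed Allow_All
10.0.0.22 10.1.0.5 135 TCP RPC_EPM Allowed Allow_All
10.0.0.22 10.1.0.5 49670 TCP Unknown Allowed Allow_All
10.0.0.23 10.1.0.5 49812 TCP Unknown Allowed Allow_All
10.0.0.31 203.0.113.25 25 TCP SMTP Allowed Publish_Mail
10.0.0.31 198.51.100.9 53 UDP DNS Allowed Allow_DNS
10.0.0.40 203.0.113.10 4444 TCP Unknown Denied Default_Rule
'@

function Get-TrafficProfile {
    param(
        [string[]]$Lines,
        [string]$CatchAllRule = 'Allow_All',   # assumed name of the rule to be retired
        [int]$DynamicPortStart = 49152         # default start of the RPC dynamic range (Vista/2008 and later)
    )
    # Parse: column names come from the #Fields header, other '#' lines are ignored.
    $fields = $null
    $rows = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        if (-not $fields) { throw 'Data line encountered before the #Fields header.' }
        $values = $line.Trim() -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) { $row[$fields[$i]] = $values[$i] }
        $rows += New-Object PSObject -Property $row
    }

    # One entry per transport/port/protocol that TMG allowed, with connection count,
    # distinct clients and the rules that matched. Entries matched only by the catch-all
    # rule need an explicit rule before that rule is removed.
    $profile = $rows | Where-Object { $_.action -eq 'Allowed' } |
        Group-Object -Property transport, 'dest-port', protocol | ForEach-Object {
            $g = @($_.Group)
            New-Object PSObject -Property @{
                Transport    = $g[0].transport
                Port         = [int]$g[0].'dest-port'
                Protocol     = $g[0].protocol
                Connections  = $g.Count
                Clients      = @($g | ForEach-Object { $_.'client-ip' } | Sort-Object -Unique).Count
                Rules        = (@($g | ForEach-Object { $_.rule } | Sort-Object -Unique) -join ',')
                OnlyCatchAll = (@($g | Where-Object { $_.rule -ne $CatchAllRule }).Count -eq 0)
            }
        }

    # High TCP ports next to endpoint-mapper traffic (135) are RPC/DCOM dynamic endpoints:
    # pin the server to a fixed range and allow only 135 plus that range instead of Allow All.
    $rpcDynamic = @($profile | Where-Object { $_.Transport -eq 'TCP' -and $_.Port -ge $DynamicPortStart })

    New-Object PSObject -Property @{
        Profile    = @($profile)
        NeedsRule  = @($profile | Where-Object { $_.OnlyCatchAll })
        RpcDynamic = $rpcDynamic
    }
}

$result = Get-TrafficProfile -Lines ($sampleLog -split "`r?`n")
$result.Profile | Sort-Object Transport, Port |
    Format-Table Transport, Port, Protocol, Connections, Clients, Rules, OnlyCatchAll -AutoSize
'Flows permitted only by the catch-all rule: ' + (($result.NeedsRule | ForEach-Object { "$($_.Transport)/$($_.Port)" }) -join ', ')
'Dynamic RPC ports seen: ' + (($result.RpcDynamic | ForEach-Object { $_.Port }) -join ', ')
```

On the constructed log this reports TCP/80, TCP/443, TCP/135, TCP/49670 and TCP/49812 as flows that only Allow_All permits, and 49670 and 49812 as dynamic RPC ports. The documented way to pin those (Microsoft KB 154596) is on the server behind TMG: under HKLM\SOFTWARE\Microsoft\Rpc\Internet set Ports (REG_MULTI_SZ) to the chosen range, for example 5000-5100, and PortsInternetAvailable and UseInternetPorts (REG_SZ) to Y, then reboot; the TMG rule then allows TCP 135 plus that range only.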
Defining a Traffic Profile (demo)
Designing The Perimeter Network or DMZ
• What's the DMZ? A DMZ (Demilitarized Zone) is a sub-network that contains and exposes an organization's external services to the internet.
• The two well-known DMZ designs:
[Figure: Back-to-Back Firewall Design: Internet > Front-end FW > Perimeter Network > Back-end FW > LAN. Three-Legged Firewall Design: a single Three-Legged FW with the Internet, the Perimeter Network and the LAN each on its own leg.]
TMG as a Three-Legged Firewall
[Figure: the guest OS running TMG on the Hyper-V host has three virtual NICs: Virtual NIC 1 on the external virtual switch connected to the internet (first physical NIC), Virtual NIC 2 on the external virtual switch connected to the LAN (second physical NIC), and Virtual NIC 3 on a DMZ virtual switch to which the guest OS in the DMZ is attached. The parent OS is disconnected from the internet. A second variant of the figure binds the DMZ virtual switch as an external virtual switch to a third physical NIC and a physical switch, extending the DMZ onto physical hardware.]
Deploying TMG as a Three-Legged Firewall (demo)
Designing The Three-Legged DMZ
• Guest OSs in the DMZ are all connected to the same virtual switch.
[Figure: the guest OS with TMG has Virtual NIC 1 on the external virtual switch connected to the LAN (shared with the DC and the File Server), Virtual NIC 2 on the external virtual switch connected to the internet, and Virtual NIC 3 on the DMZ virtual switch, to which every DMZ guest attaches.]
Designing The Three-Legged DMZ
• Guest OSs in the DMZ are connected to different virtual switches.
[Figure: as before, but the TMG guest has Virtual NIC 3 on DMZ Virtual Switch #1 and Virtual NIC 4 on DMZ Virtual Switch #2, each DMZ guest on its own switch; the DC and File Server remain on the external virtual switch connected to the LAN.]
Configuring The DMZ on Hyper-V (demo)
Designing The Three-Legged DMZ: Tips and Hints …
• The traffic must flow through TMG.
• Avoid connecting the Guest OSs to the external virtual switch that is bound to the internet NIC.
• Connect servers with different security criteria to separate virtual switches.
• For every virtual switch that TMG connects to, there needs to be a virtual NIC for it on the TMG guest.
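These four tips can be checked against a running host. The function below is an added example, not the talk's demo, and it assumes the Hyper-V PowerShell module that ships with Windows Server 2012 and later (the 2008 R2 host in the talk exposes the same switch and adapter data through Hyper-V Manager or the root\virtualization WMI namespace). It also assumes the single-TMG three-legged layout; the VM, switch and security-class names in the usage line are assumptions for illustration.

```powershell
# Added example, not from the talk: validate a Hyper-V host's switch layout against the
# three-legged DMZ tips. Requires the Hyper-V module (Windows Server 2012 and later).
function Test-VirtualEdgeTopology {
    param(
        [Parameter(Mandatory=$true)][string]$TmgVmName,       # the guest running TMG
        [Parameter(Mandatory=$true)][string]$InternetSwitch,  # external switch bound to the internet NIC
        [hashtable]$SecurityClass = @{}                       # VM name -> security class, e.g. 'dmz-web', 'lan'
    )
    $findings = @()
    $adapters = @(Get-VM | Get-VMNetworkAdapter)   # every guest vNIC, with VMName and SwitchName
    $switches = @(Get-VMSwitch)

    # The parent must not share the internet NIC (management OS access on that switch).
    $inet = $switches | Where-Object { $_.Name -eq $InternetSwitch }
    if (-not $inet) {
        $findings += "Switch '$InternetSwitch' does not exist."
    } elseif ($inet.SwitchType -ne 'External') {
        $findings += "'$InternetSwitch' is not an external switch."
    } elseif ($inet.AllowManagementOS) {
        $findings += "The parent OS shares '$InternetSwitch'; disable management OS access so the parent stays off the internet."
    }

    # Tip 2: only the TMG guest may sit on the internet-facing switch.
    $adapters | Where-Object { $_.SwitchName -eq $InternetSwitch -and $_.VMName -ne $TmgVmName } |
        ForEach-Object { $findings += "Guest '$($_.VMName)' is connected directly to '$InternetSwitch', bypassing TMG." }

    # Tips 1 and 4: every switch that carries guests needs a TMG vNIC, or traffic cannot
    # flow through TMG; TMG also needs a vNIC on the internet switch itself.
    $tmgSwitches = @($adapters | Where-Object { $_.VMName -eq $TmgVmName } | ForEach-Object { $_.SwitchName })
    if (-not ($tmgSwitches -contains $InternetSwitch)) {
        $findings += "TMG guest '$TmgVmName' has no vNIC on '$InternetSwitch'."
    }
    $guestSwitches = @($adapters | Where-Object { $_.VMName -ne $TmgVmName -and $_.SwitchName } |
        ForEach-Object { $_.SwitchName } | Sort-Object -Unique)
    foreach ($sw in $guestSwitches) {
        if (-not ($tmgSwitches -contains $sw)) {
            $findings += "Switch '$sw' carries guests but TMG has no vNIC on it."
        }
    }

    # Tip 3: guests with different security criteria must not share a switch.
    foreach ($sw in $guestSwitches) {
        $classes = @($adapters |
            Where-Object { $_.SwitchName -eq $sw -and $SecurityClass.ContainsKey($_.VMName) } |
            ForEach-Object { $SecurityClass[$_.VMName] } | Sort-Object -Unique)
        if ($classes.Count -gt 1) {
            $findings += "Switch '$sw' mixes security classes: $($classes -join ', ')."
        }
    }
    return $findings
}

# Usage with assumed names: web and mail DMZ guests on separate switches, DC and file
# server on the LAN switch. An empty result means the layout matches the tips.
Test-VirtualEdgeTopology -TmgVmName 'TMG01' -InternetSwitch 'External-Internet' `
    -SecurityClass @{ 'WEB01' = 'dmz-web'; 'MAIL01' = 'dmz-mail'; 'DC01' = 'lan'; 'FS01' = 'lan' }
```

With the "same virtual switch" DMZ variant and web and mail servers in different classes, the Tip 3 check is the one that fires; with the "different virtual switches" variant it stays quiet as long as TMG has a vNIC on each DMZ switch.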
A Back-to-Back TMG Firewall Design
[Figure: on the Hyper-V host, the Internet reaches a physical NIC bound to an external virtual switch connected to the internet; the Front-End FW (TMG) guest has Virtual NIC 1 on that switch and Virtual NIC 2 on the DMZ virtual switch, where the guest OS in the DMZ sits; the Back-End FW (TMG) guest has Virtual NIC 1 on the DMZ virtual switch and Virtual NIC 2 on the external virtual switch connected to the LAN through the second physical NIC.]
Deploying The Back-to-Back TMG (demo)
The Virtual Edge Management
• A dedicated physical interface connected to the management VLAN
• It uses a different IP address range from the production networks
• It stays available even if the virtual infrastructure fails, so the host can still be managed
• Access to the parent is isolated to that interface
The Virtual Edge Performance
Feature                 Added CPU    RAM          Disk    Net
SQL Express Logging     5-10% @#     #            @#      #
Web Cache               1% @         @            #       (-)
URL Filtering           1% #         2% #         #       # (-)
HTTPS Inspection        5% #         1-5% @
Net Insp System (NIS)   5-10% #      5% #         @       (+)
Compression             5-10% @#     5-10% @#     #       (-)
NLB (500Mb max)         5-10% #      5-8% @               5% #
Malware Inspection      5-20% #      5-10% #      #       # (+)
Variables: @ = depends on the TMG configuration, # = depends on the traffic profile; (+) / (-) marks a feature that adds to or reduces network traffic.
Resources
• My Blog: http://esihere.wordpress.com/
• Microsoft Virtualization Technology www.microsoft.com/virtualization/
• Forefront Threat Management Gateway 2010 http://www.microsoft.com/forefront/threat-management-gateway/en/us/
• TechNet Edge Videos: http://technet.microsoft.com/en-us/edge/default.aspx
• TechNet for System Professionals: http://technet.microsoft.com/
• My E-Mail Address: e.sarabadani@gmail.com
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.