SESSION CODE: SIA308
Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
Adwait Joshi, Sr. Product Manager, Microsoft Corporation
Jim Harrison, Program Manager, Microsoft Corporation

Agenda
• Business Ready Security
• TMG New Features - overview
• Deep Dives with Troubleshooting
  • URL Filtering
  • Malware Inspection
• Summary
ANNOUNCING: Forefront TMG Administrator’s Companion, 20% off at the Tech Ed Bookstore!

Business Ready Security
Help securely enable business by managing risk and empowering people
• Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance
• Across on-premises & cloud: Access, Protection, Identity, Management
• Highly Secure & Interoperable Platform
• From Block to Enable, from Cost to Value, from Siloed to Seamless

Secure Endpoint Solution
Protect endpoints from emerging threats and information loss, while enabling more secure access from virtually anywhere
PROTECT everywhere | ACCESS anywhere | INTEGRATE and EXTEND security | SIMPLIFY security, MANAGE compliance
• Provides unified administration for desktop management and protection
• Increases visibility of potentially vulnerable desktops
• Enables multi-layered antimalware protection
• Protects critical data wherever it resides
• Provides more secure always-on access
• Uses existing System Center Configuration Manager infrastructure
• Builds on and extends Windows security
URL Filtering DEMO
[Diagram: URL Filtering request flow, steps 1-12. Components: Web Server, MRS Cache, Firewall Service, Web Proxy Engine, WWSAPI, WinHTTP, MRS. Listeners shown: 10.10.0.1:8080 (Web Proxy) and 127.0.0.1:8080 (local proxy used by WWSAPI/WinHTTP).]

MRS lookup for GET HTTP://my.kitty.cat.com/calico?gimmenow
Keys checked, most specific host first, each keeping the path and query:
• HTTP://my.kitty.cat.com/calico?gimmenow
• HTTP://kitty.cat.com/calico?gimmenow
• HTTP://cat.com/calico?gimmenow
• HTTP://com/calico?gimmenow
In MRS Cache? Nope… WWSAPI sends a SOAP request to HTTPS://10.ds.mrs.microsoft.com

MRS query exchange:
• WWSAPI → WinHTTP: POST HTTPS://10.ds.mrs.microsoft.com
• WinHTTP → proxy: CONNECT 10.ds.mrs.microsoft.com:443
• 200 OK: SSL tunnel established
• SOAP Request sent, SOAP Response received over the tunnel
• WinHTTP hands the SOAP Response back to WWSAPI

WWSAPI returns the URL categories, which are added to the MRS Cache; a request denied by category is answered with a 403 and TMG error 12233.
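The lookup sequence above (most specific host first, parent suffixes next, MRS Cache before any remote call, one SOAP round trip on a miss, result cached) is shown below as an added Python example. It is not TMG code and not from the deck: the cache shape, the remote stub, the category name "Malicious Sites" and the blocking policy are assumptions; the 12233 status is the one the slide gives for a URL-filter denial.

```python
"""Added example, not TMG code: the URL Filtering lookup order from the
slides, with an in-process stand-in for the MRS cache and the remote MRS
query. Cache shape, remote stub and category names are assumptions."""
from urllib.parse import urlsplit

BLOCKED_CATEGORIES = {"Malicious Sites"}   # assumed policy, for illustration only
DENIED_TMG_STATUS = 12233                   # TMG error page number quoted on the slide


def candidate_keys(url: str) -> list[str]:
    """Keys in the order the slide lists them: full host first, then each
    parent suffix down to the TLD, each keeping the original path and query."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    tail = parts.path + (f"?{parts.query}" if parts.query else "")
    labels = (parts.hostname or "").split(".")
    return [f"{scheme}://{'.'.join(labels[i:])}{tail}" for i in range(len(labels))]


class MrsCache:
    """Minimal stand-in for TMG's local MRS cache (assumed key -> category map)."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}

    def get(self, key: str):
        return self._entries.get(key)

    def put(self, key: str, category: str) -> None:
        self._entries[key] = category


def remote_mrs_query(keys: list[str]) -> dict[str, str]:
    """Stand-in for the WWSAPI SOAP POST to the MRS service. Constructed
    data: only cat.com is known to the service; everything else is Unknown."""
    return {k: ("Malicious Sites" if k.startswith("http://cat.com/") else "Unknown")
            for k in keys}


def categorize(url: str, cache: MrsCache, query=remote_mrs_query):
    """Return (category, served_from_cache). Every candidate key is checked
    against the cache before a single remote round trip is made."""
    keys = candidate_keys(url)
    cached = [cache.get(k) for k in keys]
    for category in cached:                     # most specific cached verdict wins
        if category not in (None, "Unknown"):
            return category, True
    if all(c is not None for c in cached):      # every suffix already known as Unknown
        return "Unknown", True
    results = query(keys)                       # one SOAP request covers all suffixes
    for key, category in results.items():
        cache.put(key, category)
    for key in keys:                            # most specific remote verdict wins
        if results[key] != "Unknown":
            return results[key], False
    return "Unknown", False


def decide(url: str, cache: MrsCache):
    """Apply the assumed policy: (action, category, served_from_cache, tmg_status)."""
    category, from_cache = categorize(url, cache)
    if category in BLOCKED_CATEGORIES:
        return "deny", category, from_cache, DENIED_TMG_STATUS
    return "allow", category, from_cache, None


if __name__ == "__main__":
    store = MrsCache()
    print(decide("HTTP://my.kitty.cat.com/calico?gimmenow", store))  # remote round trip
    print(decide("HTTP://my.kitty.cat.com/calico?gimmenow", store))  # served from cache
```

The second call for the same URL never leaves the box, which is the point of the cache in the diagram: the troubleshooting case later in the deck is about what happens when the remote leg of this sequence fails repeatedly.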
Problem Areas
• Firewall Policies (rule ordering)
• WPS License Expired
• Users Don’t Read The Error Page (12233.htm, 12233r.htm)
• CRL Validation
• Name Resolution
• Network
• WPAD Configuration
• WinHTTP Auto-Discovery
• WinHTTP Proxy Settings
• First TMG RFC was for URL Filtering (MRS Queries)

A Real CSS Call: Too Much MRS Traffic (~1GB/day)

What Did We Know?
• TMG logs verify the complaint
• LOTS of failed attempts to communicate with MRS
• LOTS of WPAD requests from TMG itself
• TMG tells WWSAPI to use localhost:8080
• WWSAPI tells WinHTTP to use localhost:8080

Request flow in the case:
• GET HTTP://my.kitty.cat.com/calico?gimmenow
• WWSAPI: SOAP Req to HTTPS://10.ds.mrs.microsoft.com
• WWSAPI → WinHTTP: POST HTTPS://10.ds.mrs.microsoft.com
• WinHTTP: POST HTTPS://10.ds.mrs.microsoft.com

What Did We Need?
• Web Services behavioral data (tracing)
• WinHTTP Proxy configuration (netsh winhttp show proxy)
• Behavioral data (tracing)
• NetCaps
Web Services Tracing
• Requires Windows SDK: http://www.microsoft.com/downloads/details.aspx?FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505
• Use it like unto thusly:
  • Click Start, All Programs, Microsoft Windows SDK v7.0
  • R-click CMD Shell and select “Run as Administrator” (elevated).
  • Run the following sequence of commands:
    • wstrace.bat create verbose
    • wstrace.bat on
    • create the repro
    • wstrace.bat dump > C:\Temp\wwstraces.csv

WinHTTP Tracing
• Requires Nothing Extra
  • ..so we have no link; sorry…
• Use it like unto thusly:
  • Click Start, All Programs, Accessories
  • R-click Command Prompt and select “Run as Administrator” (elevated).
  • Run the following command:
    • netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled
  • create the repro
  • netsh winhttp set tracing state=disabled

Do It All Together
• Click Start, All Programs, Microsoft Windows SDK v7.0
• R-click CMD Shell and select “Run as Administrator” (elevated).
• Run the following commands:
  • netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled
  • wstrace.bat create verbose
  • wstrace.bat on
• Create the repro
• Run the following commands:
  • netsh winhttp set tracing state=disabled
  • wstrace.bat dump > C:\Temp\wwstraces.csv
Real Case Discussion DEMO
Telemetry: Another MRS Request
• Same mechanism as MRS Lookups
• FQDN is 10. s.mrs.microsoft.com
• Amount of data sent depends on participation
• Same problem areas as URLF except not (entirely) user-driven
• Need to scan logs for problems

[Diagram: TMG Update Agent flow, steps 1-9. Components: WU Config, WUA API, WSUS or MU, WinHTTP, WPADSvc.]

Update source options:
• Computer Default: WSUS or MU (GP, Registry)
• MS Updates: Default + MU

WSUS Product Classifications for Forefront TMG
• Anti-Malware
• Network Inspection System

What Do We Need?
• Windows Automatic Update Agent Configuration (MSKB 328010)
• Behavioral data (logging)
• WinHTTP Configuration (netsh winhttp show proxy)
• Behavioral data (tracing)

WinHTTP Tracing
• Requires Nothing Extra
  • ..so we have no link; sorry…
• Use it like unto thusly:
  • Click Start, All Programs, Accessories
  • R-click Command Prompt and select “Run as Administrator” (elevated).
  • Run the following command:
    • netsh winhttp set tracing output=file level=verbose trace-file-prefix={c:\temp} state=enabled
  • create the repro
  • netsh winhttp set tracing state=disabled

WAUA Logging / Configuration
• Requires Nothing Extra; MSKB 902093 describes it
• Use it like unto thusly:
  • Press the Start and R keys simultaneously
  • In the Run dialog, type notepad %windir%\windowsupdate.log and hit <Enter>
Update Center Configuration • http://blogs.technet.com/isablog/archive/2009/11/28/using-windows-server-update-service-for-the-tmg-update-center.aspx
Anti-Malware DEMO
[Diagram: filter stack. Firewall Service → Web Proxy Filter → Malware Inspection Filter]

Trickling
• Content-Type Exceptions

Scanning Location
• High R/W capacity
• DO NOT mix with logging or OS

Cleaning
• Blocking
  • Threat level
  • Suspicious
  • Corrupted
  • Unscannable
  • Encrypted
  • Scan Time
  • Archive depth
  • Pre-, Post-unpacked size

TMG Log Summary
Log type: Web Proxy (Forward)
Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.
Rule: Allow Web Access for parent
Source: Internal (10.10.255.1:49226)
Destination: External (188.40.238.250:80)
Request: GET http://www.eicar.org/download/eicar.com
Filter information: Req ID: 09906bf2; Compression: client=No, server=Yes, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40800000 (Response includes the LAST-MODIFIED header. Response should not be cached.)
Processing time: 390
MIME type: application/x-msdos-program

Problem Areas
• Update Center Configuration
• WPS License Expired
• WSUS / MU Configuration
• WinHTTP Auto-Discovery
• WinHTTP Proxy Settings
• Users Don’t Read The Error Page (12210.htm, 12210r.htm)
• No CSS cases (yet)
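The case discussion earlier in the deck says the TMG logs showed lots of failed attempts to reach MRS and lots of WPAD requests from TMG itself, and the telemetry slide says the logs have to be scanned for problems; the log summary above shows how a malware-inspection block (12210) is recorded. The following Python is an added example, not TMG code and not from the deck: a parser for that key/value summary layout plus a triage pass that counts those symptoms. The first record is abridged from the slide; the other three records, the rule names and the IP addresses are constructed, and treating Status 0 and 200 as success is an assumption.

```python
"""Added example, not TMG code: parse 'TMG Log Summary' records and count
the symptoms the case discussion lists. First record abridged from the slide;
the rest are constructed. Codes 12210/12233 are the ones the slides give."""
import re
from collections import Counter
from urllib.parse import urlsplit

MRS_DOMAIN = "mrs.microsoft.com"
SUCCESS_CODES = {0, 200}          # assumption: anything else on a TMG-originated call is a failure

SAMPLE_LOG = """\
Log type: Web Proxy (Forward)
Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.
Rule: Allow Web Access for parent
Source: Internal (10.10.255.1:49226)
Destination: External (188.40.238.250:80)
Request: GET http://www.eicar.org/download/eicar.com
Protocol: http
User: anonymous
MIME type: application/x-msdos-program

Status: 12233
Rule: Allow Web Access for parent
Source: Internal (10.10.255.2:50110)
Destination: External (203.0.113.20:80)
Request: GET http://cat.com/calico?gimmenow

Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time.
Rule: (constructed system policy rule)
Source: Local Host (127.0.0.1:54321)
Destination: External (203.0.113.10:443)
Request: CONNECT 10.ds.mrs.microsoft.com:443

Status: 200
Rule: (constructed system policy rule)
Source: Local Host (127.0.0.1:54322)
Destination: Internal (10.10.0.5:80)
Request: GET http://wpad.corp.example/wpad.dat
"""


def parse_summaries(text: str) -> list[dict[str, str]]:
    """Blank-line separated records; each line split on the FIRST ': ' so that
    URLs, host:port pairs and the long Status text survive intact."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                record[key.strip()] = value.strip()
        if record:
            records.append(record)
    return records


def status_code(record: dict[str, str]):
    """Leading numeric part of the Status field (TMG code or Winsock code), or None."""
    match = re.match(r"\d+", record.get("Status", ""))
    return int(match.group()) if match else None


def request_target(record: dict[str, str]):
    """(host, path) from the Request field; CONNECT requests carry host:port."""
    parts = record.get("Request", "").split(None, 1)
    if len(parts) < 2:
        return "", ""
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower(), ""
    split = urlsplit(target)
    return (split.hostname or "").lower(), split.path


def is_self_originated(record: dict[str, str]) -> bool:
    """TMG's own outbound requests (MRS, WPAD) show a Local Host source."""
    return record.get("Source", "").startswith("Local Host")


def classify(record: dict[str, str]) -> str:
    code = status_code(record)
    host, path = request_target(record)
    mrs_host = host == MRS_DOMAIN or host.endswith("." + MRS_DOMAIN)
    if code == 12210:
        return "malware-inspection-block"
    if code == 12233:
        return "url-filter-denial"
    if is_self_originated(record) and mrs_host and code not in SUCCESS_CODES:
        return "mrs-call-failed"
    if is_self_originated(record) and path.endswith("/wpad.dat"):
        return "self-wpad-request"
    return "other"


def triage(text: str) -> Counter:
    """Count each symptom across all records in the summary text."""
    return Counter(classify(r) for r in parse_summaries(text))


if __name__ == "__main__":
    for symptom, count in triage(SAMPLE_LOG).items():
        print(f"{symptom}: {count}")
```

On the customer's box the interesting numbers are the last two: a high count of self-originated MRS failures next to a high count of self-originated WPAD fetches is the signature the slides describe, where WinHTTP is being pointed at the local proxy and auto-discovery is being retried on every lookup.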
Summary
• Web usage increasingly provides an attack vector into the corporate network
• Forefront Threat Management Gateway Provides:
  • Intelligent protection to enable employees to use the Web safely and productively
  • Simplifies Web security with a single solution that integrates into your Microsoft infrastructure
• Troubleshooting WPS is (now) no more difficult than any other Web request
Learn more & try our solutions at: www.microsoft.com/forefront

Related Content
• SIA320 | Business Ready Security: Protecting Endpoints from Advanced Threats with Microsoft's Secure Endpoint Solution
• SIA301 | Secure Endpoint: DirectAccess and Microsoft Forefront Unified Access Gateway 2010, the Complete Remote Access Solution
• SIA308 | Secure Endpoint: Advanced Protection from Dynamic Threats, a Microsoft Forefront Threat Management Gateway 2010 Deep Dive
• SIA309 | Secure Endpoint: What’s in Microsoft Forefront Endpoint Protection 2010 - A Deep Dive into the Features and Protection Technologies
• SIA325 | Secure Endpoint: Virtualizing Microsoft Forefront Threat Management Gateway (TMG)
• SIA02-INT | Secure Endpoint: Planning DirectAccess Deployment with Microsoft Forefront Unified Access Gateway
• SIA07-INT | Secure Endpoint: Architecting Forefront Endpoint Protection 2010 on Microsoft System Center Configuration Manager
• SIA05-HOL | Microsoft Forefront Threat Management Gateway Overview
• SIA09-HOL | Secure Endpoint Solution: Business Ready Security with Microsoft Forefront and Active Directory
• SIA11-HOL | Microsoft Forefront Unified Access Gateway (UAG) and Direct Access: Better Together
• Red SIA-3 | Microsoft Forefront Secure Endpoint Solution

Track Resources
• Learn more about our solutions: http://www.microsoft.com/forefront
• Try our products: http://www.microsoft.com/forefront/trial

Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year!