Configuring TMG as a Firewall
6NPS Session 6
Objectives
- Configure firewall settings
- Configure intrusion detection
- Configure IP options filtering
- Configure IP fragmentation settings
- Configure TMG to support a network topology
- Select appropriate templates
- Define networks
- Configure route relationships between networks
What Is a TCP/IP Packet?
Diagram of one packet, layer by layer (the IP addresses and HTTP host are not shown on the slide):
- Network Interface Layer: Destination Address 0003FFD329B0, Source Address 0003FFFDFFFF, physical payload
- Internet Layer: Destination, Source, Protocol TCP, IP payload
- Transport Layer: Destination Port 80, Source Port 1159, Sequence, Acknowledgment, TCP payload
- Application Layer: HTTP Request Method GET, HTTP Protocol Version HTTP/1.1, HTTP Host
What Is Packet Filtering?
Packet filters control access to the network at the network layer by inspecting each IP packet and allowing or denying it. Packet-filtering firewalls examine only the information in the network and transport layer headers.
Packet-filtering firewalls can evaluate IP packets using:
- Destination address
- Source address
- IP protocol and protocol number (TCP, UDP, ICMP; for example TCP/6, PPTP/47)
- Direction (inbound, outbound, or both; for FTP, receive only, send only, or both)
- Port numbers (local and remote ports, fixed or dynamic)
What Is Packet Filtering?
Advantages:
- Inspects only network and transport layer headers, so filtering is very fast
- Can block or allow specific IP addresses
- Can be used for ingress filtering (blocks inbound packets whose source IP is the same as your local address range) and egress filtering (prevents packets leaving your network with a source address that does not belong to the local network)
Disadvantages:
- Cannot prevent IP address spoofing or source-routing attacks
- Cannot prevent IP-fragment attacks (only the first fragment is checked; later fragments may contain malicious content)
- Not application aware
What Is Packet Filtering?
Diagram: the packet filter on TMG sits between the client and the Web server and asks, for each packet:
- Is the source address allowed?
- Is the destination address allowed?
- Is the protocol allowed?
- Is the destination port allowed?
What Is Stateful Filtering?
Stateful filtering uses information about the TCP session to determine whether a packet should be blocked or allowed through the firewall. TCP uses a three-way handshake, which synchronizes the sequence number and acknowledgement number of both ends.
Advantages:
- Ensures all network traffic forwarded by the firewall is part of an existing session, or matches the rules for creating a new session
- Implements dynamic filtering (for example, opens a port to communicate with a web server)
Disadvantages:
- Does not block attacks at the application level
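As an added example (not from the original deck), a minimal stateful filter in Python that combines the header criteria from the packet-filtering slides with the session tracking described here: it follows the three-way handshake and forwards a packet only if it belongs to a tracked session or matches a static rule for opening a new one. The rule, hosts and ports are constructed for the demo.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10                  # TCP flag bits used by the handshake
Packet = namedtuple("Packet", "src sport dst dport flags")

def rule_allows_new_session(p):
    """Static packet-filter rule (hypothetical): internal hosts in 10.0.0.0/24
    may open TCP connections to port 80 on any destination."""
    return p.src.startswith("10.0.0.") and p.dport == 80 and p.flags == SYN

class StatefulFilter:
    """Connection table keyed by the endpoint pair, holding handshake state."""
    def __init__(self):
        self.table = {}                # key -> (state, client endpoint)

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})  # direction-free

    def decide(self, p):
        key = self._key(p)
        if key not in self.table:
            # No session yet: only a packet matching a rule may create one.
            if rule_allows_new_session(p):
                self.table[key] = ("SYN_SENT", (p.src, p.sport))
                return "allow"
            return "drop"
        state, client = self.table[key]
        from_server = (p.src, p.sport) != client
        if state == "SYN_SENT" and from_server and p.flags == SYN | ACK:
            self.table[key] = ("SYN_RECEIVED", client)      # handshake step 2
            return "allow"
        if state == "SYN_RECEIVED" and not from_server and p.flags == ACK:
            self.table[key] = ("ESTABLISHED", client)       # handshake step 3
            return "allow"
        if state == "ESTABLISHED":
            return "allow"             # either direction of a tracked session
        return "drop"                  # out-of-sequence packet for a known pair

def run_demo():
    """Constructed packet sequence; returns the firewall's decision for each."""
    c, s, x = ("10.0.0.5", 1159), ("203.0.113.10", 80), ("198.51.100.7", 4444)
    flow = [Packet(*c, *s, SYN), Packet(*s, *c, SYN | ACK), Packet(*c, *s, ACK),
            Packet(*c, *s, ACK),               # data segment on the open session
            Packet(*x, "10.0.0.5", 445, SYN),  # unsolicited inbound SYN, no rule
            Packet(*x, "10.0.0.5", 80, ACK)]   # ACK for a session that never existed
    fw = StatefulFilter()
    return [fw.decide(p) for p in flow]
```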
What Is Stateful Filtering?
Diagram: TMG between the client and the Web server. For a new connection TMG creates a connection rule; for every later packet it asks "Is the packet part of a connection?"
What Is Application Filtering?
Application-layer filtering inspects the application data in a TCP/IP packet for unacceptable commands and data.
Advantages:
- Can stop attacks from sources such as viruses and worms
What Is Application Filtering?
Diagram: the client sends a GET; TMG asks "Is the GET method allowed?" before forwarding it to the Web server, then asks "Does the response contain only allowed content and methods?" before responding to the client.
11
What is NIS? Network Inspection System Traffic analysis mechanism
Able to discover invalid traffic based on static signatures TMG expands on this by evaluating 3 aspects of the network traffic: Protocol state The expected condition of the protocol at any point in time Message structure The validation of a message according to the protocol definition Message context The validation of a message in the context of the protocol state NIS operations are driven by signature definitions. created by Microsoft Malware Protection Centre (MMPC) A form of IPS (Intrusion Prevention System)
What Is Intrusion Detection?
- Intrusion detection is a means of detecting when an attack against a network is attempted or in progress
- An IDS inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack
- An IDS provides for configuring alerts or responses to intrusion attempts
What Is Intrusion Detection?
Diagram: an "all ports scan" attack reaches TMG; when the port scan limit is exceeded, TMG alerts the administrator.
How TMG Filters Network Traffic
Diagram of the filtering path, numbered in the order traffic passes through it:
1. Packet filtering: Firewall Engine (kernel mode, on top of TCP/IP)
2. Stateful and protocol filtering: Firewall Service and Rules Engine
3. Application filtering: Application Filters, Web Proxy Filter and Web Filters
4. TCP/IP kernel-mode data pump
TMG Support for Multiple Networks
- TMG uses networks to define blocks of IP addresses that may be directly attached to the TMG computer or that may be remote networks
- TMG uses these networks as components when you create access rules
- TMG supports an unlimited number of networks
What Is Multi-networking?
Multi-networking means that you can configure multiple networks on TMG and configure network and access rules to inspect and filter all network traffic between all networks. This allows flexible network configurations, including:
- Three-legged firewall
- Two perimeter networks
- Two internal networks
- VPN client and VPN remote-site networks
Default Networks Enabled in TMG
When TMG is installed with at least two network cards, it is configured with a default set of networks:
- Local Host: represents the TMG computer itself (traffic to and from TMG, not through it)
- External: all IP addresses that are not explicitly associated with any other network; untrusted
- Internal: all IP addresses that were specified as internal during the installation process
- VPN Clients: addresses of currently connected VPN clients
- Quarantined VPN Clients: addresses of VPN clients that have not cleared quarantine
Also see the note on page 222. Network Sets define groupings of networks; the default sets are All Networks and All Protected Networks.
How to Configure Network Rules
When you enable networks or network objects on TMG, you can configure network rules that define how network packets are passed between networks or between computers. Network rules determine whether there is a relationship between two network entities and what type of relationship is defined. Network relationships can be configured as:
- Route: client requests from the source network are routed directly to the destination network
- NAT: TMG replaces the IP address of the client on the source network with its own IP address. A NAT relationship is directional
How to Configure Network Rules
The default network rules are:
- Local Host Access: defines a route relationship between the Local Host network and all other networks
- VPN Clients to Internal Network: defines a route relationship among the Internal network, the Quarantined VPN Clients network and the VPN Clients network
- Internet Access: defines a NAT relationship between the Internal, Quarantined VPN Clients and VPN Clients networks and the External network
What Are Perimeter Networks?
- A perimeter network is a network that is separated from both the internal network and the Internet
- Perimeter networks allow external users to gain access to specific servers located on the perimeter network while preventing direct access to the internal network
What Are Perimeter Networks?
Diagram: the Internet and the internal network separated by two firewalls, with the perimeter network between them.
Benefits of Using a Perimeter Network
A perimeter network provides an additional layer of security:
- Between the publicly accessible servers and the internal network
- Between the Internet and confidential data or critical applications stored on servers on the internal network
- Between potentially nonsecure networks, such as wireless networks, and the internal network
Use defense in depth in addition to perimeter network security.
Network Perimeter Configuration Options
- Bastion host: only a single firewall between the Internet and the internal network
- Three-legged configuration: creates a perimeter network that gives users on the Internet limited access to network resources on the perimeter network while preventing unwanted traffic to computers on the local network
- Back-to-back configuration: places the perimeter network between two firewalls
Network Perimeter Configuration Options
Diagram of the three layouts:
- Bastion host: Internet, single firewall, LAN
- Three-legged configuration: one firewall with the LAN and the perimeter network (containing the Web server) on separate legs
- Back-to-back configuration: perimeter network between two firewalls, with the LAN behind the inner one
Practice: Configuring a Perimeter Network
- Add Perimeter Network (page 224)
- Create Network Rules (page 226)
Lab topology: Win7 client, www server, TMG, Internet, DC
How to Implement Network Templates
- To implement a network template, run the Network Template Wizard as part of the Getting Started Wizard
- Select the firewall access policy that best matches your corporate security guidelines
How to Implement Network Templates
Diagram mapping each topology to its template:
- Bastion host: deploy the Edge Firewall template
- Three-legged configuration (LAN, perimeter network with the Web server): deploy the 3-Leg Perimeter template
- Back-to-back configuration (LAN, perimeter network): deploy the Front-End or Back-End template
- Proxy and caching only: deploy the Single Network Adapter template
NIS (Network Inspection System)
- NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center to help detect and block malicious traffic
- Before Forefront TMG can start blocking known vulnerability attacks, you must download the latest NIS signature set from either Microsoft Update or Windows Server Update Services (WSUS)
Practice: Configuring NIS
- Configure NIS (Network Inspection System) (page 311)
- Test NIS
Lab topology: Win7 client, www server, TMG, Internet, DC
Intrusion Detection Options
Intrusion detection on TMG:
- Compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected
- Detects well-known IP attacks
- Includes application filters for DNS and POP that detect intrusion attempts at the application level
How to Configure Intrusion Detection
IP Preferences Configuration Options
IP preferences are used to:
- Block or enable network traffic that has an IP option flag set; you can block all packets with IP options, or only selected options
- Block or enable network traffic where the IP packet has been split into multiple IP fragments; blocking IP fragments may affect streaming audio and video, and L2TP over IPsec traffic
- Enable or disable IP routing; with IP routing enabled, TMG forwards IP packets between networks without recreating the packet
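As an added example (not from the original deck), a Python decoder for the two IPv4 header properties the IP options and IP fragment preferences act on, with a decision function that mirrors the "block all, or only selected options" choice. The packets are constructed inline; the header builder is for the demo only and leaves the checksum at zero.

```python
import socket
import struct

def build_ipv4(src, dst, proto=6, options=b"", more_fragments=False, frag_offset=0):
    """Construct a raw IPv4 header (checksum left zero) for the demo below."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 1, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options

def parse_ipv4(pkt):
    """Decode the header fields that TMG's IP preferences act on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    options, i = [], 20
    while i < ihl:                  # options list: type[, length, data]...
        kind = pkt[i]
        if kind == 0:               # End of Options List
            break
        if kind == 1:               # No Operation: single byte
            i += 1
            continue
        options.append(kind)
        length = pkt[i + 1] if i + 1 < ihl else 2
        i += max(length, 2)         # guard against a zero length looping forever
    return {"options": options, "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8, "protocol": proto}

def ip_preferences_decision(pkt, block_options=True, allowed_options=(),
                            block_fragments=True):
    """Apply the IP options and IP fragment switches to one packet."""
    h = parse_ipv4(pkt)
    denied = [o for o in h["options"] if o not in allowed_options]
    if block_options and denied:
        return f"block: IP options {denied}"
    if block_fragments and (h["more_fragments"] or h["frag_offset"] > 0):
        return "block: IP fragment"     # first fragment (MF set) or a later one
    return "allow"
```

Option type 131 in the test below is Loose Source Route, the option behind the source-routing attacks that plain packet filtering cannot stop.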
How to Configure IP Preferences
Practice: Configuring Intrusion Detection
- Modify the default intrusion detection configuration (page 324)
- Test intrusion detection
Lab topology: Win7 client, www server, TMG, Internet, DC
What Are Application Filters?
Application filters can:
- Enable firewall traversal for complex protocols
- Enable protocol-level intrusion detection
- Enable protocol-level content filtering
- Generate alerts and log events
Diagram: application filter on TMG in front of the application server
What Are Web Filters?
Web filters can:
- Scan and modify HTTP requests
- Scan and modify HTTP responses
- Block specified responses
- Log and analyze traffic
- Encrypt and compress data
- Implement custom authentication schemes
Diagram: Web filter on TMG in front of the Web server
Why Use Application and Web Filters?
Application and Web filters provide:
- Protection against malicious code, by blocking packets that have worm or virus characteristics
- Protection against user actions, by blocking the download of harmful programs or ensuring that some types of data do not leave the network
- Protection against specific network connections, by blocking connection attempts by specific applications
- Integration with third-party or custom filters that have been developed using the application filter API or the Web filter API
Application and Web Filter Architecture
Diagram, numbered 1 to 4 in the order traffic passes through: (1) Firewall Engine; (2) Firewall Service with the Rules Engine and Application Filters, attached through the Application Filter API; (3) Web Proxy Filter with Web Filters, attached through the Web Filter API; (4) back to the Firewall Engine.
How the HTTP Web Filter Works
Use HTTP filtering to:
- Filter traffic from internal clients to other networks
- Filter traffic from Internet clients to internal Web servers
HTTP filtering is rule specific, so you can configure different filters for each access or publishing rule. HTTP filters enable filtering of HTTP packets based on several criteria.
How to Configure HTTP Web Filter
- Configure maximum header length
- Configure maximum payload length
- Configure maximum URL and query length
How to Configure HTTP Web Filter Methods
- Configure allowed or blocked methods
How to Configure HTTP Web Filter Extensions
- Configure allowed or blocked extensions
How to Configure HTTP Web Filter Headers
- Configure headers that will be blocked
- Configure server header settings
- Configure Via header settings
How to Configure HTTP Web Filter Signatures
- Configure blocked signatures
How to Identify an HTTP Application Signature
HTTP request header as captured on the slide (the request URL, the host value and part of the date are not shown):
GET
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
If-Modified-Since: Fri, 11 Oct :30:04 GMT
If-None-Match: "06ee8fa6471c21:428"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host:
Proxy-Connection: Keep-Alive
HTTP header signature: a distinctive header value such as the User-Agent string identifies the application and can be used as its signature.
Best Practice: HTTP Filter Configuration for Web Publishing
To configure a baseline HTTP filter:
- Configure maximum header, payload, URL and query lengths
- Verify normalization and do not block high-bit characters
- Allow only GET, HEAD, and POST
- Block executable and server-side include extensions
- Block potentially malicious signatures
- Use the httpfilterconfig.vbs script from the TMG CD to import and export HTTP filter configurations
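As an added example (not from the original deck, and not TMG's own implementation), a Python check that applies the baseline above and the HTTP filter settings from the preceding slides to a raw request: length limits, allowed methods, blocked extensions, a normalization (double-encoding) check that still lets high-bit characters through, and header signatures of the kind shown on the application-signature slide. The limits, extension list and the "BadTool/1.0" signature are constructed sample values.

```python
from urllib.parse import unquote

# Baseline policy after the best-practice slide; the numeric limits and the
# signature string are constructed sample values, not TMG's defaults.
POLICY = {
    "max_header_len": 8192,            # request line plus all headers, bytes
    "max_url_len": 2048,
    "max_query_len": 1024,
    "allowed_methods": {"GET", "HEAD", "POST"},
    "blocked_extensions": {".exe", ".dll", ".shtml", ".stm"},
    # (header name, substring) pairs, as on the HTTP application signature
    # slide where the User-Agent value identifies the client application.
    "blocked_signatures": [("user-agent", "BadTool/1.0")],
}

def check_request(raw, policy=POLICY):
    """Return (allowed, reason) for the head of one raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    if len(head) > policy["max_header_len"]:
        return False, "header too long"
    # latin-1 decoding never fails, so high-bit characters are not blocked.
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in policy["allowed_methods"]:
        return False, f"method {method} not allowed"
    if len(target) > policy["max_url_len"]:
        return False, "url too long"
    path, _, query = target.partition("?")
    if len(query) > policy["max_query_len"]:
        return False, "query too long"
    # Normalization: a path that still decodes after one pass was double-encoded.
    once = unquote(path)
    if unquote(once) != once:
        return False, "url not normalized"
    name = once.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in policy["blocked_extensions"]:
        return False, f"blocked extension {ext}"
    headers = {}
    for line in lines[1:]:
        hname, _, value = line.partition(":")
        headers[hname.strip().lower()] = value.strip()
    for hname, sig in policy["blocked_signatures"]:
        if sig in headers.get(hname, ""):
            return False, f"blocked signature in {hname}"
    return True, "ok"
```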
Practice: Configuring HTTP Filtering
- Testing HTTP connections with the default HTTP filter
- Importing and testing sample HTTP filter settings
- Modifying HTTP filter settings
Lab topology: external Web client, intranet Web server, TMG, Internet, DC