Forefront Threat Management Gateway

Présentation au sujet: "Forefront Threat Management Gateway"— Transcription de la présentation:

1 Forefront Threat Management Gateway
3/31/2017 1:22 AM Forefront Threat Management Gateway Stanislas Quastana, CISSP Architecte Infrastructure (et super fan d’ISA Server depuis Proxy 2.0 ) Microsoft France © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Agenda Présentation de la nouvelle génération ISA
3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Agenda Présentation de la nouvelle génération ISA
3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4

5 Un peu d’histoire 2004 2006 2007 2008 2009 Passerelle d’accès sécurisée Protection contre les menaces en ligne Plateforme universelle d’accès distants aux applications (Web et C/S)

6 Objectifs de Forefront TMG
Contrôler les accès entrant et sortant au niveau du périmètre de votre réseau Protéger les utilisateurs lors de la navigation sur le Web Protéger les infrastructures de messagerie Protéger les machines contre les exploits au travers du réseau Faciliter l’administration et le déploiement

7 Scénarios de déploiement
Passerelle sécurisée pour le Web Proxy authentifiant / pare-feu multicouches Anti-virus HTTP et filtrage d’URLs Inspection du trafic HTTP et HTTPS Passerelle d’accès distant VPN nomade VPN Site à site Publication Web sécurisée Relais de messagerie sécurisé Anti Spam Anti Virus Filtrage du contenu des courriers Unified Threat Management (UTM) Solution tout en 1 pour les moyennes entreprises ou les réseaux d’agences Pare-feu, VPN, Web sécurisé, NIS, relais SMTP sécurisé

8 Agenda Présentation de la nouvelle génération ISA
3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9 Déploiement et administration
Pré-requis d’installation Windows Server bit PowerShell, .Net Framework 3.5, MSMQ Assistant de démarrage (configuration initiale) Interface orientée tâches Gestion centralisée de la configuration (groupe de serveurs) Amélioration de la journalisation et des rapports

10 Aperçu de la console Forefront TMG
3/31/2017 1:22 AM Administration demo Aperçu de la console Forefront TMG © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11 Protection des clients Web
Analyse anti logiciels malveillants Analyse des fichiers téléchargés Paramétrage de l’analyse global ou par règle Filtrage d’URLs Catégories d’URL et exclusions Inspection du trafic sortant HTTPS Filtrage d’URLs, analyse AV et protection IPS Zone d’administration dédiée au contrôle des accès Web sortants

12 Protection des clients Web Analyse anti-logiciels malveillants
Moteur antivirus de Microsoft 3 scénarios d’analyse Régulier : analyse du contenu avant délivrance Si le temps d’inspection prend moins de X secondes Si le temps d’inspection dépasse X secondes Page HTML avec barre de progression de l’analyse Pour les exécutables et certains types de fichiers Envoi de contenu partiel (Trickling) D’infimes morceaux de données (sains) sont envoyés au client jusqu’à ce que l’inspection complète du fichier soit finie

13 demo Accès Web sécurisés Analyse AV 3/31/2017 1:22 AM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14 Protection des clients Web Le cas du trafic HTTPS sortant
Une fois la session SSL établie, les proxies ou les pare-feu sont incapables de voir les données échangées. De nombreuses logiciels utilisent cette solution Outlook 2003/2007 (RPC over HTTPS) Terminal Server (via la passerelle TS) Messageries instantanées Clients VPN SSL Logiciels P2P….

15 Pourquoi un simple pare-feu réseau est parfois inefficace ?
P2P MS RPC… HTTP(S) HTTP, https, FTP… IM, P2P, MS RPC… IM, P2P, MS RPC… http, https, FTP Internet Pare feu réseau Client

16 Protection des clients Web Inspection du trafic HTTPS sortant
Comment réduire le risque induit par ces échanges non contrôlés ? Limiter les accès HTTPS sortants via des listes blanches Bloquer les requêtes dans la phase de négociation Déchiffrer le SSL en sortie au niveau du proxy/pare feu (Man In The Middle). Concept intéressant en terme de sécurité mais pas vraiment en terme de confidentialité… … on va en discuter car Forefront TMG fonctionne sur ce modèle  

17 Forefront TMG et les flux SSL
Analyse HTTP (URL, entêtes, contenu, antivirus…) & Inspection SSL IM P2P MS RPC… HTTPS IM, P2P, MS RPC… Internet Forefront TMG Client

18 demo Accès Web sécurisés Inspection SSL 3/31/2017 1:22 AM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19 Protection de la messagerie électronique
Hygiène complète des flux SMTP Anti-virus multi moteurs (5 à choisir parmi 8) Anti-spam/ Anti-Phishing Filtrage de contenu Grâce à l’intégration de Exchange Server 2007 en rôle Edge Forefront Security for Exchange Protège tout type de serveur SMTP

20 Protection de la messagerie
demo Paramétrage © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21 Prévention des intrusions réseaux
Détection et prévention des attaques sur des vulnérabilités connues Permet de “fermer la fenêtre” le temps nécessaire aux tests et au déploiement des correctifs de sécurité Forefront Network Inspection System (NIS) Basé sur GAPA provenant de Microsoft Research Generic Application Level Protocol Analyzer Basé sur des signatures de vulnérabilités Mise à jour via Microsoft Update

22 Intrusion Prevention System
3/31/2017 1:22 AM Intrusion Prevention System demo © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23 Améliorations du pare-feu
Filtrage SIP Redondance des connexions Internet (2 FAI) NAT « avancé »  Nouveau client pare-feu Découverte automatique et sécurisée avec utilisation Active Directory

24 Améliorations du pare-feu Filtrage SIP
Local IP PBX support SIP messages quota protection Support de SIP trunk

25 Améliorations du pare-feu Redondance des connexions FAI
2 options d’utilisation : Tolérance de panne Agrégation de liens Uniquement pour le trafic sortant Trafic réseau « NATé » par Forefront TMG pour le réseau Externe

26 Redondance / Aggrégation FAI
3/31/2017 1:22 AM Redondance / Aggrégation FAI démo Ou presque ;-) © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42 Améliorations du VPN nomade
Support de Network Access Protection Mise en conformité et quarantaine Support des nouveaux algorithmes (AES…) Support de SSTP Avec un peu de chance, on peut espérer celui de IKEv2 (VPN Reconnect) disponible dans Windows Server 2008 R2 combiné à Windows 7  si ce n’est pas dans la version RTM de Forefront TMG, ça pourrait arriver avec le premier Service Pack

43 Agenda Présentation de la nouvelle génération ISA
3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

44 Forefront Stirling Administration / Supervision Remontée et partage
d’informations Réponse dynamique Protection des postes et serveurs Protection des applications serveurs Protection du périmètre « v2 »

45 Intégration de TMG avec Stirling
Intégration à la suite de sécurité Supervision au travers de System Center Operation Manager Remontée des incidents Participation dynamique à la protection globale Stratégies de réponse et de remède

46 Agenda Présentation de la nouvelle génération ISA
3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du Pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

47 Tableau récapitulatif des fonctions
ISA 2006 TMG dans EBS* Forefront TMG * “EBS” = Windows Essential Business Server Pare feu réseau    Pare- feu applicatif    Protection des accès Internet (Proxy)    Publication basique Web    Exchange publishing (RPC over HTTP)    IPSec VPN (remote & site-to-site)       Web caching, HTTP compression Windows Server 2008, 64-Bit (only)   Nouveau Web anti-virus, anti malware   Nouveau Nouveau URL filtering  Nouveau anti-malware, anti-spam  Nouveau Network intrusion prevention  Nouveau Integration with codename “Stirling”  Nouveau Enhanced UI, management, reporting  Nouveau  Nouveau

48 Synthèse des nouveautés
Pare-feu VoIP traversal (SIP) NAT « avancé » Redondance des connexions FAI Accès Web sécurisés Anti-virus/spyware HTTP(s) Filtrage d’URLs Inspection https sortant Protection messagerie Intégration d’Exchange Edge/FSE Anti-virus Anti-spam Prévention des intrusions Intrusion Prevention System Security Assessment and Response (SAS) Accès distants VPN avec support de Network Access Protection (NAP) SSTP Déploiement et admin. W2K8, 64-bit natif Assistants adaptés aux scénarios Amélioration des journaux et des rapports Abonnement Services Update Center : HTTP: AV+ Filtrage d’URLs AV+Anti-Spam Signatures NIS

49 Ressources utiles Blog de Stanislas http://blogs.technet.com/stanislas
Dans ce blog, cliquez Forefront TMG / Threat Management Gateway dans la zone de tags pour accéder à toutes les informations complémentaires et les liens vers les documents de références.

50 Save the date for tech·days next year!
3/31/2017 1:22 AM Save the date for tech·days next year! 14 – 15 avril 2010, CICG © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

51 Premium Sponsoring Partners
3/31/2017 1:22 AM Premium Sponsoring Partners Classic Sponsoring Partners © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

52 3/31/2017 1:22 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.