Secure Web Gateway
Session contents

- HTTPS inspection
- URL filtering
- Malware protection
- Intrusion prevention
Threats and defenses

(Matrix slide: each threat row is marked against each defense column as Full, Partial or Enabler; the markings themselves did not survive extraction.)

Threats: Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control
Defenses: Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS
Legend: Full / Partial / Enabler
HTTPS Inspection
How SSL works through a Web proxy

- The Web browser sends a CONNECT request to the Web proxy:
      CONNECT host_name:port HTTP/1.1
- The Web proxy allows the request to be sent to the TCP port specified in the request
- The proxy informs the client that the connection is established
- The client sends encrypted packets directly to the destination on the specified port without proxy mediation

(Figure callout: "What lies within this encrypted tunnel?")
SSL Threats

- Anonymous public proxy servers
- When HTTP proxies were first conceived, the need to allow direct connectivity between SSL-negotiating hosts was acknowledged
- This conflicts with the concurrent requirement of controlling the requests issued by the local proxy users
- When a Web proxy client creates an SSL session to a remote server, the proxy is required to "go transparent" and thus ceases to evaluate the traffic (it has to; the traffic is encrypted between the client and the remote server)
- The answer is HTTPS inspection
- TMG provides the ability to spoof the remote server's certificate to the client, but not until TMG is satisfied that the remote server is presenting an acceptable certificate
- TMG can separate the SSL session between the client and remote server into two distinct SSL sessions, and gains the ability to evaluate the unencrypted traffic sent between the client and remote server
Before configuring HTTPS Inspection

1. TMG creates cloned server certificates using the information gleaned from the certificate offered by the remote server. The organizations that own the service or certificates may not take kindly to this behavior.
2. HTTPS inspection allows TMG to include the entire URL in the Web Proxy logs. Many Web administrators believe that because they're using SSL to protect the data exchanged between the user and server, they can include the user's logon credentials.
3. HTTPS inspection may allow TMG to cache the content retrieved from the server.
4. Because TMG issues cloned certificates, all TMG array members must be recognized by the clients in the protected networks as trusted Certificate Authorities.
5. To prevent man-in-the-middle attacks, TMG is very strict about validating the server certificate it receives from the Web server.
Forefront TMG HTTPS Traffic Inspection

(Figure: client <-> TMG (URL Filtering, Malware Inspection, Network Inspection System) <-> Internet <-> Contoso.com. The Contoso.com certificate presented to the client is signed by TMG; the Contoso.com certificate TMG receives from the server is signed by VeriSign.)

- HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats
  - Trusted certificate generated by the proxy, matching the URL expected by the client
Process for enabling HTTPS Traffic Inspection

(Figure: the same client / TMG / Internet / Contoso.com diagram, annotated with the steps below.)

- Certificate deployment (via Active Directory® or Import/Export)
- Configure HTTPS Inspection:
  - Proxy certificate generation/import and customization
  - Source and destination exclusions
  - Validate only option
  - Notification
- Client notifications about HTTPS inspection (via Firewall client)
- Certificate validation (revocation, trusted, expiration validation, etc.)
HTTPS Inspection Certificate

- The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA
  - Administrators can customize the self-generated certificate
  - Commercial CAs will not typically issue HTTPS inspection certificates
- The HTTPS inspection certificate is stored in the configuration store
  - Used by all array members
Distributing the HTTPS Inspection Certificate

- Two methods can be used to enable clients to trust the HTTPS Inspection Certificate:
  - Automatically through Active Directory (AD), which uses the AD trusted root store to configure trust for all clients in the AD forest
    - Requires Forefront TMG to be deployed in a domain environment
    - Will not work for browsers that do not use the Windows certificate store for trust
  - Manually on each computer, using the root certificate installation procedure required by the browser
HTTPS Inspection - Operations

(Figure: the client requests https://contoso.com through TMG; the client receives a Contoso.com certificate signed by TMG, while TMG receives the Contoso.com certificate signed by VeriSign from the server.)

- Enable HTTPS inspection
- Generate trusted root certificate
- Install trusted root certificate on clients

1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with the TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for the client
8. Bridge HTTPS traffic between client and server
HTTPS Inspection configuration

(Three screenshot slides of the HTTPS Inspection configuration dialogs; no text content.)
HTTPS Inspection - Notifications

- Notification provided by the Forefront TMG client
  - Notify user of inspection
  - History of recent notifications
  - Management of the Notification Exception List
- May be a legal requirement in some geographies

HTTPS Inspection - Notifications: User Experience

(Screenshot slide; no text content.)
HTTPS Inspection – Common errors

- HTTPS Inspection CA certificate errors
  - These are generally seen by the user as an "invalid certificate" message when the user attempts to reach a site that uses HTTPS
- Server certificate errors
  - These errors will be seen as error pages generated by TMG due to specific server certificate validation failures. The user application will receive an HTTP 502 Bad Gateway response, with the error text providing the details of the failure, such as:
    - "The name on the SSL server certificate supplied by a destination server does not match the name of the host requested."
    - "The SSL server certificate supplied by a destination server has expired."
    - "The SSL server certificate supplied by a destination server has been revoked."
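The server-certificate checks behind these three error texts, as an added example (not TMG code): the proxy validates the upstream certificate before it clones one for the client, and on failure the client gets a 502 with the matching message instead of a bridged session. The certificate dicts, the revocation set and the check order (name, validity period, revocation) are constructed assumptions.

```python
from datetime import datetime, timezone

# Error texts TMG returns in the 502 Bad Gateway body (quoted from the slide above)
ERR_NAME_MISMATCH = ("The name on the SSL server certificate supplied by a destination "
                     "server does not match the name of the host requested.")
ERR_EXPIRED = "The SSL server certificate supplied by a destination server has expired."
ERR_REVOKED = "The SSL server certificate supplied by a destination server has been revoked."


def name_matches(pattern, host):
    """Hostname match as browsers do it: exact, or a wildcard in the left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                                  # "*.contoso.com" -> ".contoso.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix             # never match across a label boundary
    return False


def validate_server_certificate(cert, requested_host, now, revoked):
    """Return None when the server certificate is acceptable, otherwise the TMG error text.

    `cert` is a constructed dict standing in for a parsed X.509 certificate; `revoked` is a
    set of (issuer, serial) pairs standing in for CRL/OCSP data. Check order is an assumption.
    """
    names = cert.get("san") or [cert["cn"]]                   # SAN dNSNames take precedence over CN
    if not any(name_matches(n, requested_host) for n in names):
        return ERR_NAME_MISMATCH
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return ERR_EXPIRED
    if (cert["issuer"], cert["serial"]) in revoked:
        return ERR_REVOKED
    return None


def proxy_decision(cert, requested_host, now, revoked):
    """What the client sees: (200, bridged) when TMG clones the certificate, else (502, error)."""
    error = validate_server_certificate(cert, requested_host, now, revoked)
    if error is None:
        return 200, "bridged: cloned certificate signed by the TMG root issued to client"
    return 502, error


# Constructed sample data
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
REVOKED = {("CN=Example Public CA", "0x0BAD")}
GOOD_CERT = {"cn": "contoso.com", "san": ["contoso.com", "*.contoso.com"],
             "issuer": "CN=Example Public CA", "serial": "0x1001",
             "not_before": datetime(2011, 1, 1, tzinfo=timezone.utc),
             "not_after": datetime(2012, 1, 1, tzinfo=timezone.utc)}
EXPIRED_CERT = dict(GOOD_CERT, serial="0x1002", not_after=datetime(2011, 5, 1, tzinfo=timezone.utc))
REVOKED_CERT = dict(GOOD_CERT, serial="0x0BAD")

if __name__ == "__main__":
    for host, cert in [("www.contoso.com", GOOD_CERT), ("a.b.contoso.com", GOOD_CERT),
                       ("contoso.com", EXPIRED_CERT), ("www.contoso.com", REVOKED_CERT)]:
        print(host, proxy_decision(cert, host, NOW, REVOKED))
```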
URL Filtering
Forefront TMG URL Filtering

(Figure: TMG with its local URL DB, querying the Microsoft Reputation Service across the Internet.)

Microsoft Reputation Service:
- Integrates leading URL database providers
- Subscription-based

TMG URL Filtering:
- 91 built-in categories
- Predefined and administrator-defined category sets
- Customizable, per-rule deny messages
- URL category override
- URL category query
- Logging and reporting support
- Web Access Wizard integration
URL Filtering – Procedure

1. The user sends a request for a Web site.
2. TMG intercepts the request and determines whether URL categorization is needed: TMG needs to determine the category to which this URL belongs in order to allow or deny the traffic based on the available rules.
3. If URL categorization is needed, name resolution is done for the URL and the URL is matched to a category.
4. When URL categorization is not needed, TMG marks the request as not categorized and logs the category, to be used in case it needs to send a denial to the user.
5. The rule allowing the request is then matched and TMG determines whether the rule allows or denies the category.
6. If categorization is needed at the rule, a request marked as not categorized is blocked and a denial is sent to the user; otherwise, the rule verifies the category matched and TMG allows or denies the action based on whether the rule allows that category.
URL Filtering – Components involved

- URL categorization is only called if both of the following conditions are met:
  - URL Filtering is enabled
  - Categories are required by either policy rules or the log
- URL Filtering operates as part of the Microsoft Firewall Service (wspsrv.exe). The categorizer component has an important role in the whole URL Filtering process because it is responsible for interacting with the core TMG components involved in this process (rules engine, malware protection exception, HTTPS exception, category query, and deny page).
- The other component that plays an important role during categorization is the MRS categorizer, which gathers information from the MRS Service provided by Microsoft using the Windows Web Services API (WWSAPI) via calls to WinHTTP.

(Component diagram slide; no further text content.)
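A small model of the decision flow from the procedure slide together with the two preconditions for calling the categorizer (URL Filtering enabled, and categories required by a rule or by logging), as an added example rather than TMG code. The rule format, the URL database standing in for MRS, the override table and the default-deny at the end of the rule set are constructed assumptions.

```python
from dataclasses import dataclass

NOT_CATEGORIZED = "Not categorized"   # marker TMG logs when categorization was skipped


@dataclass(frozen=True)
class Rule:
    """One Web access rule. An empty `categories` set means the rule applies to any URL and
    therefore does not need a category; a non-empty set means categorization is needed here."""
    name: str
    action: str                                   # "allow" or "deny"
    categories: frozenset = frozenset()
    deny_message: str = "Access to this site is denied by policy."   # per-rule custom text


# Constructed stand-ins for the MRS database answer and the administrator's overrides
URL_DB = {"contoso.com": "Business", "games.example": "Games", "evil.example": "Malicious"}
OVERRIDES = {}


def categorization_needed(url_filtering_enabled, rules, categories_in_log):
    """The categorizer is called only if URL Filtering is on AND a rule or the log needs categories."""
    return url_filtering_enabled and (categories_in_log or any(r.categories for r in rules))


def categorize(host, url_db, overrides):
    """Administrator overrides win over the database; unknown hosts get an explicit category."""
    if host in overrides:
        return overrides[host], "override"
    if host in url_db:
        return url_db[host], "MRS"
    return "Uncategorized", "none"


def _verdict(rule, action, category, source):
    return {"rule": rule.name if rule else None, "action": action, "category": category,
            "source": source, "message": rule.deny_message if (rule and action == "deny") else None}


def evaluate_request(host, rules, *, url_filtering_enabled=True, categories_in_log=False,
                     url_db=URL_DB, overrides=OVERRIDES):
    """Walk the rule set in order and return what the gateway does with the request."""
    if categorization_needed(url_filtering_enabled, rules, categories_in_log):
        category, source = categorize(host, url_db, overrides)
    else:
        category, source = NOT_CATEGORIZED, "skipped"   # still recorded for a possible deny page
    for rule in rules:
        if not rule.categories:                          # rule does not depend on the category
            return _verdict(rule, rule.action, category, source)
        if category == NOT_CATEGORIZED:                  # rule needs a category that was never looked up
            return _verdict(rule, "deny", category, source)
        if category in rule.categories:
            return _verdict(rule, rule.action, category, source)
    return _verdict(None, "deny", category, source)      # assumed implicit default deny


# Constructed policy: a category-based deny rule followed by a catch-all allow rule
POLICY = [
    Rule("Block risky categories", "deny", frozenset({"Games", "Malicious"}),
         deny_message="This site category is blocked. Contact the helpdesk to request an exception."),
    Rule("Allow Internet access", "allow"),
]

if __name__ == "__main__":
    for host in ("contoso.com", "games.example", "unknown.example"):
        print(host, evaluate_request(host, POLICY))
    print("override:", evaluate_request("games.example", POLICY, overrides={"games.example": "Business"}))
    print("filtering off:", evaluate_request("games.example", POLICY, url_filtering_enabled=False))
```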
URL Filtering – Benefits

- Control user web access based on URL categories
- Protect users from known malicious sites
- Reduce liability risks
- Increase productivity
- Reduce bandwidth and Forefront TMG resource consumption
- Analyze Web usage
Using Microsoft Reputation Services

(Figure: Policy hands the URL to the Categorizer, which queries the local cache; on a miss it fetches the URL category from MRS over SSL. MRS answers with a federated query across multiple vendors, combined with telemetry data; a separate telemetry path, also over SSL, carries feedback back to MRS.)

MRS:
- Feedback mechanism
- Category overrides
- SSL for authentication and privacy
- No PII

Cache:
- Persistent
- In-memory
- Weighted TTL
URL Filtering Categories

(Figure: the categories grouped into three areas: Security, Liability, Productivity.)
URL Filtering Policy

- URL categories are standard network objects
- The administrator can create custom URL category sets

(Screenshot slide of the URL filtering policy dialog; no text content.)
Per-rule customization

- The TMG administrator can customize the denial message displayed to the user on a per-rule basis
  - Add custom text or HTML
  - Redirect the user to a specific URL
URL Filtering configuration

(Screenshot slide; no text content.)
Finding which category a URL belongs to

- The administrator can use the URL Filtering Settings dialog box to query the URL filtering database
  - Enter the URL or IP address as input
  - The result and its source are displayed on the tab
Overriding the category membership of a URL

- The administrator can override the categorization of a URL
  - Feedback to MRS via Telemetry

(Screenshot slide of the override dialog; no further text content.)
Customizing the message sent to the user

(Screenshot slide of the deny-message editor; the message body accepts HTML tags.)
URL Filtering Troubleshooting
Malware Protection
HTTP Malware Inspection

(Figure: TMG with its signatures DB, receiving signature and engine updates from MU or WSUS, inspecting HTTP traffic to and from the Internet.)

- Integrates the Microsoft Antivirus engine
  - Signature and engine updates
  - Subscription-based
- Third-party plug-ins can be used (native Malware inspection must be disabled)
- Content delivery methods by content type
- Source and destination exceptions
- Global and per-rule inspection options (encrypted files, nested archives, large files...)
- Logging and reporting support
- Web Access Wizard integration
Enabling Malware Inspection

- Activate the Web Protection license
- Enable malware inspection on Web access rules
  - Web Access Policy Wizard or New Access Rule Wizard for new rules
  - Rule properties for existing rules

(Screenshot slide; no further text content.)
Malware Inspection general settings

(Screenshot slide of the general settings dialog.)

- The administrator can configure malware blocking behavior for:
  - Low, medium and high severity threats
  - Suspicious files
  - Corrupted files
  - Encrypted files
  - Archive bombs
    - Too many depth levels, or unpacked content too large
  - File size too large
Malware Inspection per-rule settings

(Screenshot slide; no text content.)
User notifications

- Content Blocked
- Progress Notification

(Two screenshot slides; no further text content.)
Intrusion Prevention
The general problem

- Un-patched vulnerabilities
  - Average survival time of an unpatched Windows® XP machine is less than 20 minutes
  - About two percent of Windows® machines are fully patched
- Vulnerability window
  - Increasing number of zero-days
  - Attackers craft exploits faster than customers can deploy patches
- Encryption and protocol tunneling are a complicated problem for a defense technology (for example, HTTPS)
Network Inspection System (NIS)

- Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
  - Vulnerability-based signatures (vs. the exploit-based signatures used by competing solutions)
  - Detects and potentially blocks attacks on network resources
- NIS helps organizations reduce the vulnerability window
  - Protects machines against known vulnerabilities until the patch can be deployed
  - Signatures can be released and deployed much faster than patches, concurrently with the patch release, closing the vulnerability window
- Integrated into Forefront TMG
  - Synergy with HTTPS Inspection
NIS and static signatures

NIS differs from many protocol analysis technologies. Although NIS is able to discover valid traffic based on static signatures (conceptually similar to the HTTP Filter), NIS expands on basic signature matching by evaluating three aspects of the network traffic:

- Protocol state: the expected condition of the protocol at any point in time
- Message structure: the validation of a message according to the protocol definition
- Message context: the validation of a message in the context of the protocol state
Process for defending against a vulnerability

- The vulnerability is discovered
- The response team prepares and tests the vulnerability signature
- The signature is released by Microsoft and deployed through the distribution service, on security patch release
- All un-patched hosts behind Forefront TMG are protected

(Figure: Vulnerability Discovered -> Signature Authoring Team (Signature Authoring, Testing) -> Signature Distribution Service -> TMG in the Corporate Network.)
Other protection mechanisms

- Common OS attack detection
- DNS attack filtering
- IP option filtering
- Flood mitigation
Enabling and configuring NIS

Common attacks

- Inspects traffic for the following common attacks:
  - WinNuke
  - Land
  - Ping of Death
  - IP Half Scan
  - Port Scan
  - UDP Bomb
- Offending packets are dropped and an event is generated, triggering an Intrusion Detected alert
DNS attack filters

- Enables the following checks on DNS traffic:
  - DNS host name overflow: a DNS response for a host name exceeding 255 bytes
  - DNS length overflow: a DNS response for an IPv4 address exceeding 4 bytes
  - DNS zone transfer: a DNS request to transfer zones from an internal DNS server
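The three DNS checks above written as detection logic over raw DNS messages, as an added example and not TMG code: a minimal wire-format parser flags an encoded name longer than 255 bytes, an A record whose RDLENGTH exceeds 4, and an AXFR/IXFR request. The sample packets are constructed inline; whether the request targets an internal DNS server is left to the caller.

```python
import struct

TYPE_A, TYPE_IXFR, TYPE_AXFR = 1, 251, 252
MAX_NAME_WIRE_LEN = 255                     # RFC 1035 limit on an encoded domain name

HOST_NAME_OVERFLOW = "DNS host name overflow"
LENGTH_OVERFLOW = "DNS length overflow"
ZONE_TRANSFER = "DNS zone transfer"


def encode_name(name):
    """Wire-encode a dotted name: length-prefixed labels, then a zero terminator."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (labels, offset after the name field)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:                                    # compression pointer
            if end is None:
                end = off + 2                                   # the field ends after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        if n == 0:
            return labels, (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + n])
        off += 1 + n


def wire_len(labels):
    """Size the decoded name would occupy uncompressed (labels + length bytes + terminator)."""
    return sum(len(l) + 1 for l in labels) + 1


def inspect_dns(msg):
    """Return the sorted list of filter names the message triggers (empty list = clean)."""
    findings = set()
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    is_query = not flags & 0x8000                               # QR bit clear = request
    off = 12
    for _ in range(qd):                                         # question section
        labels, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        if wire_len(labels) > MAX_NAME_WIRE_LEN:
            findings.add(HOST_NAME_OVERFLOW)
        if is_query and qtype in (TYPE_AXFR, TYPE_IXFR):
            findings.add(ZONE_TRANSFER)
    for _ in range(an + ns + ar):                               # answer, authority, additional
        labels, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if wire_len(labels) > MAX_NAME_WIRE_LEN:
            findings.add(HOST_NAME_OVERFLOW)
        if rtype == TYPE_A and rdlen > 4:                       # IPv4 address longer than 4 bytes
            findings.add(LENGTH_OVERFLOW)
        off += rdlen
    return sorted(findings)


# Constructed sample packets (standard header, one question, optionally one answer)
def build_query(qname, qtype, txid=0x1234):
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(qname, rdata, rtype=TYPE_A, txid=0x1234):
    msg = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", rtype, 1)
    # the answer's owner name is a compression pointer back to the question name at offset 12
    return msg + b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata


LONG_NAME = ".".join(["a" * 63] * 5)        # 5 labels of 63 bytes: 5 * 64 + 1 = 321 bytes on the wire

if __name__ == "__main__":
    print(inspect_dns(build_response("www.contoso.com", bytes([10, 0, 0, 1]))))
    print(inspect_dns(build_response("www.contoso.com", bytes(16))))
    print(inspect_dns(build_response(LONG_NAME, bytes([10, 0, 0, 1]))))
    print(inspect_dns(build_query("contoso.com", TYPE_AXFR)))
```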
IP filters

- Forefront TMG can block IP packets based on the IP options set:
  - Deny all packets with any IP options
  - Deny packets with the selected IP options
  - Deny packets with all except the selected IP options
- Forefront TMG can also block fragmented IP packets
Defending against flood attacks

- The Forefront TMG flood mitigation mechanism uses:
  - Connection limits that are used to identify and block malicious traffic
  - Logging of flood mitigation events
  - Alerts that are triggered when a connection limit is exceeded
- TMG comes with default configuration settings
  - Exceptions can be set per computer set

(Figure: table of connection limits with Limit and Custom Limit columns; the values 600, 6000, 160, 400, 80 and 1000 are visible but the row labels did not survive extraction.)

Blockchain PoC For EducationSanjeev Raman
 
Comodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyComodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyJayHicks
 
Magento security best practices magento's approach to pci compliance
Magento security best practices  magento's approach to pci complianceMagento security best practices  magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceRitwik Das
 
Ssl
SslSsl
Sslhuia
 
Multifactor Authentication on the Blockchain
Multifactor Authentication on the BlockchainMultifactor Authentication on the Blockchain
Multifactor Authentication on the BlockchainReza Ismail
 

Similar to 2. secure web gateway (20)

50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
 
Web services security_in_wse_3_ppt
Web services security_in_wse_3_pptWeb services security_in_wse_3_ppt
Web services security_in_wse_3_ppt
 
Certification authority
Certification   authorityCertification   authority
Certification authority
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02
 
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin   Soa312   Building Secure Web Services Using Windows Communica...Petar Vucetin   Soa312   Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
 
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
Petar Vucetin   Soa312   Building Secure Web Services Using Windows Communica...Petar Vucetin   Soa312   Building Secure Web Services Using Windows Communica...
Petar Vucetin Soa312 Building Secure Web Services Using Windows Communica...
 
Digital certificate
Digital certificateDigital certificate
Digital certificate
 
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
Geoff Huston's presentation on DANE (Keys in the DNS) at the New Zealand Inte...
 
Threat Management Gateway 2010 - Forefront Community launch 2010
Threat Management Gateway 2010- Forefront Community launch 2010Threat Management Gateway 2010- Forefront Community launch 2010
Threat Management Gateway 2010 - Forefront Community launch 2010
 
Https
HttpsHttps
Https
 
Blockchain Poc for Certificates and Degrees
Blockchain Poc for Certificates and DegreesBlockchain Poc for Certificates and Degrees
Blockchain Poc for Certificates and Degrees
 
Deploying an Extranet on SharePoint
Deploying an Extranet on SharePointDeploying an Extranet on SharePoint
Deploying an Extranet on SharePoint
 
Blockchain PoC For Education
Blockchain PoC For EducationBlockchain PoC For Education
Blockchain PoC For Education
 
Comodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyComodo Overview Presentation Read Only
Comodo Overview Presentation Read Only
 
1. introduzione a TMG
1. introduzione a TMG1. introduzione a TMG
1. introduzione a TMG
 
Final ppt ecommerce
Final ppt ecommerceFinal ppt ecommerce
Final ppt ecommerce
 
Magento security best practices magento's approach to pci compliance
Magento security best practices  magento's approach to pci complianceMagento security best practices  magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
 
Ssl
SslSsl
Ssl
 
Multifactor Authentication on the Blockchain
Multifactor Authentication on the BlockchainMultifactor Authentication on the Blockchain
Multifactor Authentication on the Blockchain
 

More from Fabrizio Volpe

Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobilityFabrizio Volpe
 
Skype for business understanding what is new, preview or unchanged
Skype for business understanding what is new, preview or unchangedSkype for business understanding what is new, preview or unchanged
Skype for business understanding what is new, preview or unchangedFabrizio Volpe
 
Deploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexitiesDeploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexitiesFabrizio Volpe
 
Hybrid Clouds: “Silver Bullet” of the Cloud Computing?
Hybrid Clouds: “Silver Bullet” of the Cloud Computing?Hybrid Clouds: “Silver Bullet” of the Cloud Computing?
Hybrid Clouds: “Silver Bullet” of the Cloud Computing?Fabrizio Volpe
 
Forefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise FeaturesForefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise FeaturesFabrizio Volpe
 
Lync server overview (Inroduction) US English
Lync server overview (Inroduction) US EnglishLync server overview (Inroduction) US English
Lync server overview (Inroduction) US EnglishFabrizio Volpe
 
Planning, deploying and managing a microsoft vdi infrastructure (slides tra...
Planning,  deploying and managing a microsoft vdi infrastructure  (slides tra...Planning,  deploying and managing a microsoft vdi infrastructure  (slides tra...
Planning, deploying and managing a microsoft vdi infrastructure (slides tra...Fabrizio Volpe
 
Private cloud infrastructure configure and deploy 24 hiapc fabrizio volpe
Private cloud infrastructure configure and deploy 24 hiapc fabrizio volpePrivate cloud infrastructure configure and deploy 24 hiapc fabrizio volpe
Private cloud infrastructure configure and deploy 24 hiapc fabrizio volpeFabrizio Volpe
 
Infrastructure components configure and deploy 24 hiapc fabrizio volpe
Infrastructure components configure and deploy 24 hiapc fabrizio volpeInfrastructure components configure and deploy 24 hiapc fabrizio volpe
Infrastructure components configure and deploy 24 hiapc fabrizio volpeFabrizio Volpe
 
Lync Server 2010: High Availability [I3004]
Lync Server 2010: High Availability [I3004] Lync Server 2010: High Availability [I3004]
Lync Server 2010: High Availability [I3004] Fabrizio Volpe
 
Lync Server 2010: Introduzione [I2001]
Lync Server 2010: Introduzione [I2001]Lync Server 2010: Introduzione [I2001]
Lync Server 2010: Introduzione [I2001]Fabrizio Volpe
 
Lync server 2010 overview
Lync server 2010 overviewLync server 2010 overview
Lync server 2010 overviewFabrizio Volpe
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010Fabrizio Volpe
 
System center virtual machine manager self service portal 2.0
System center virtual machine manager self service portal 2.0System center virtual machine manager self service portal 2.0
System center virtual machine manager self service portal 2.0Fabrizio Volpe
 
Pianificare, realizzare e gestire una infrastruttura Microsoft VDI
Pianificare, realizzare e gestire una infrastruttura Microsoft VDIPianificare, realizzare e gestire una infrastruttura Microsoft VDI
Pianificare, realizzare e gestire una infrastruttura Microsoft VDIFabrizio Volpe
 
Community Days 2012 - Tecnologie di desktop virtualization
Community Days 2012 - Tecnologie di desktop virtualization Community Days 2012 - Tecnologie di desktop virtualization
Community Days 2012 - Tecnologie di desktop virtualization Fabrizio Volpe
 

More from Fabrizio Volpe (17)

Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobility
 
Skype for business understanding what is new, preview or unchanged
Skype for business understanding what is new, preview or unchangedSkype for business understanding what is new, preview or unchanged
Skype for business understanding what is new, preview or unchanged
 
Deploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexitiesDeploying lync evaluating costs and complexities
Deploying lync evaluating costs and complexities
 
Hybrid Clouds: “Silver Bullet” of the Cloud Computing?
Hybrid Clouds: “Silver Bullet” of the Cloud Computing?Hybrid Clouds: “Silver Bullet” of the Cloud Computing?
Hybrid Clouds: “Silver Bullet” of the Cloud Computing?
 
Forefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise FeaturesForefront Unified Access Gateway 2010: An Introduction To Enterprise Features
Forefront Unified Access Gateway 2010: An Introduction To Enterprise Features
 
Lync server overview (Inroduction) US English
Lync server overview (Inroduction) US EnglishLync server overview (Inroduction) US English
Lync server overview (Inroduction) US English
 
Planning, deploying and managing a microsoft vdi infrastructure (slides tra...
Planning,  deploying and managing a microsoft vdi infrastructure  (slides tra...Planning,  deploying and managing a microsoft vdi infrastructure  (slides tra...
Planning, deploying and managing a microsoft vdi infrastructure (slides tra...
 
Private cloud infrastructure configure and deploy 24 hiapc fabrizio volpe
Private cloud infrastructure configure and deploy 24 hiapc fabrizio volpePrivate cloud infrastructure configure and deploy 24 hiapc fabrizio volpe
Private cloud infrastructure configure and deploy 24 hiapc fabrizio volpe
 
Infrastructure components configure and deploy 24 hiapc fabrizio volpe
Infrastructure components configure and deploy 24 hiapc fabrizio volpeInfrastructure components configure and deploy 24 hiapc fabrizio volpe
Infrastructure components configure and deploy 24 hiapc fabrizio volpe
 
Lync Server 2010: High Availability [I3004]
Lync Server 2010: High Availability [I3004] Lync Server 2010: High Availability [I3004]
Lync Server 2010: High Availability [I3004]
 
Lync Server 2010: Introduzione [I2001]
Lync Server 2010: Introduzione [I2001]Lync Server 2010: Introduzione [I2001]
Lync Server 2010: Introduzione [I2001]
 
Lync server 2010 overview
Lync server 2010 overviewLync server 2010 overview
Lync server 2010 overview
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010
 
3. email relay fpe
3. email relay   fpe3. email relay   fpe
3. email relay fpe
 
System center virtual machine manager self service portal 2.0
System center virtual machine manager self service portal 2.0System center virtual machine manager self service portal 2.0
System center virtual machine manager self service portal 2.0
 
Pianificare, realizzare e gestire una infrastruttura Microsoft VDI
Pianificare, realizzare e gestire una infrastruttura Microsoft VDIPianificare, realizzare e gestire una infrastruttura Microsoft VDI
Pianificare, realizzare e gestire una infrastruttura Microsoft VDI
 
Community Days 2012 - Tecnologie di desktop virtualization
Community Days 2012 - Tecnologie di desktop virtualization Community Days 2012 - Tecnologie di desktop virtualization
Community Days 2012 - Tecnologie di desktop virtualization
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 

2. secure web gateway

  • 2. Session contents: HTTPS inspection; URL filtering; malware protection; intrusion prevention.
  • 3. Threats and defences: a matrix of threats (Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control) against defences (Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS), each cell rated Full, Partial or Enabler. The ratings are icons on the slide and are not in the transcript.
  • 5. Threats and defences (section divider for HTTPS inspection; the same matrix as slide 3).
  • 6. How SSL works through a proxy: the Web browser sends a CONNECT request to the Web proxy (CONNECT host_name:port HTTP/1.1); the proxy allows the request out to the TCP port named in it; the proxy informs the client that the connection is established; from then on the client sends encrypted packets directly to the destination on that port, with no proxy mediation. What lies within this encrypted tunnel?
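The CONNECT exchange above, as an added example in Go; this is not code from the slides or from TMG, and the port policy it applies is an assumption. It parses the request line the proxy sees, applies the only control a non-inspecting proxy has (the destination port), answers with the 200 status line, and then pumps bytes between the two sides. ExerciseTunnel wires an in-memory client and server to the proxy with net.Pipe and pushes constructed stand-ins for TLS records through it; the byte counts show the proxy moved exactly what it was given without ever interpreting it, which is the gap the rest of the deck addresses.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
	"sync"
)

// ConnectTarget is the destination a client asked the proxy to tunnel to.
type ConnectTarget struct {
	Host string
	Port int
}

// ParseConnect parses the request line of an HTTP CONNECT, for example
// "CONNECT www.contoso.com:443 HTTP/1.1": all the proxy sees before the
// tunnel turns into opaque TLS.
func ParseConnect(requestLine string) (ConnectTarget, error) {
	fields := strings.Fields(requestLine)
	if len(fields) != 3 || fields[0] != "CONNECT" || !strings.HasPrefix(fields[2], "HTTP/1.") {
		return ConnectTarget{}, fmt.Errorf("not a CONNECT request line: %q", requestLine)
	}
	host, portStr, err := net.SplitHostPort(fields[1])
	if err != nil {
		return ConnectTarget{}, fmt.Errorf("CONNECT target must be host:port: %w", err)
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return ConnectTarget{}, fmt.Errorf("bad port %q", portStr)
	}
	return ConnectTarget{Host: host, Port: port}, nil
}

// allowedTunnelPorts is the assumed policy: without inspection the proxy can
// decide only on host and port, so CONNECT is usually limited to 443.
var allowedTunnelPorts = map[int]bool{443: true}

// Decide reports whether the tunnel is opened and the status line sent back.
func Decide(t ConnectTarget) (allowed bool, statusLine string) {
	if !allowedTunnelPorts[t.Port] {
		return false, "HTTP/1.1 403 Forbidden"
	}
	return true, "HTTP/1.1 200 Connection established"
}

// Tunnel is what the proxy does after the 200: pump bytes both ways until a
// side closes. Nothing parses the payload, so URL filtering and malware
// scanning never see it.
func Tunnel(client, server io.ReadWriteCloser) (toServer, toClient int64) {
	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		defer wg.Done()
		toServer, _ = io.Copy(server, client)
		server.Close()
	}()
	go func() {
		defer wg.Done()
		toClient, _ = io.Copy(client, server)
		client.Close()
	}()
	wg.Wait()
	return toServer, toClient
}

// ExerciseTunnel wires an in-memory client and server to the proxy, sends
// req through the tunnel and resp back, and reports what each side received
// together with the byte counts the proxy pumped.
func ExerciseTunnel(req, resp []byte) (gotByServer, gotByClient []byte, toServer, toClient int64) {
	clientEnd, proxyClientEnd := net.Pipe()
	proxyServerEnd, serverEnd := net.Pipe()
	done := make(chan [2]int64, 1)
	go func() {
		s, c := Tunnel(proxyClientEnd, proxyServerEnd)
		done <- [2]int64{s, c}
	}()
	serverGot := make(chan []byte, 1)
	go func() { // the remote HTTPS server: read the request, answer it
		buf := make([]byte, len(req))
		io.ReadFull(serverEnd, buf)
		serverEnd.Write(resp)
		serverGot <- buf
	}()
	clientEnd.Write(req)
	gotByClient = make([]byte, len(resp))
	io.ReadFull(clientEnd, gotByClient)
	gotByServer = <-serverGot
	clientEnd.Close() // client hangs up; the proxy tears down both halves
	n := <-done
	return gotByServer, gotByClient, n[0], n[1]
}

func main() {
	t, _ := ParseConnect("CONNECT www.contoso.com:443 HTTP/1.1")
	_, status := Decide(t)
	// Constructed stand-ins for TLS records; the proxy never looks inside them.
	s, c, n1, n2 := ExerciseTunnel([]byte("\x16\x03\x01 ClientHello..."), []byte("\x16\x03\x03 ServerHello..."))
	fmt.Printf("%s:%d -> %s; server got %d B, client got %d B, proxy pumped %d+%d B\n",
		t.Host, t.Port, status, len(s), len(c), n1, n2)
}
```

Everything past the 200 is invisible to Decide: a CONNECT to port 443 that carries SSH, a VPN or an anonymizing proxy looks exactly like one carrying HTTPS, which is the "anonymous public proxy servers" threat the next slide opens with.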
  • 7. SSL threats: anonymous public proxy servers. When HTTP proxies were first conceived, the need to allow direct connectivity between SSL-negotiating hosts was acknowledged; this conflicts with the concurrent requirement of controlling the requests issued by local proxy users. When a Web proxy client creates an SSL session to a remote server, the proxy is required to "go transparent" and ceases to evaluate the traffic (it has to: the traffic is encrypted between the client and the remote server). The answer is HTTPS inspection. TMG can present a spoofed copy of the remote server's certificate to the client, but not until TMG is satisfied that the remote server is presenting an acceptable certificate. TMG separates the SSL session between client and remote server into two distinct SSL sessions, and so gains the ability to evaluate the unencrypted traffic exchanged between them.
  • 8. Before configuring HTTPS inspection: 1. TMG creates cloned server certificates from the information in the certificate offered by the remote server; the organizations that own the service or the certificates may not take kindly to this. 2. HTTPS inspection lets TMG include the entire URL in the Web proxy logs; many Web administrators believe that, because SSL protects the data exchanged between user and server, they can include the user's logon credentials 3. HTTPS inspection may allow TMG to cache the content retrieved from the server. 4. Because TMG issues cloned certificates, all TMG array members must be recognized by the clients in the protected networks as trusted certificate authorities. 5. To prevent man-in-the-middle attacks, TMG is very strict about validating the server certificate it receives from the Web server.
  • 9. Forefront TMG HTTPS traffic inspection (diagram: client, TMG running Network Inspection System, malware inspection and URL filtering, Internet; the Contoso.com certificate signed by VeriSign on the Internet side, the Contoso.com certificate signed by TMG on the client side). HTTPS inspection terminates the SSL traffic at the proxy for both ends and inspects the traffic against the different threats; the proxy generates a trusted certificate matching the URL the client expects.
  • 10. Enabling HTTPS traffic inspection. Configure HTTPS inspection: proxy certificate generation or import; source and destination exclusions; validate-only option; notification. Certificate deployment and customization (via Active Directory® or import/export). Client notifications about HTTPS inspection (via the Firewall client). Certificate validation (revocation, trust, expiration, etc.). (Diagram as on slide 9: Contoso.com certificate signed by VeriSign on the Internet side, signed by TMG on the client side.)
  • 11. HTTPS inspection certificate. The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA; administrators can customize the self-generated certificate. Commercial CAs will not typically issue HTTPS inspection certificates. The HTTPS inspection certificate is stored in the configuration store and used by all array members.
  • 12. Distributing the HTTPS inspection certificate. Two methods can be used to make clients trust the HTTPS inspection certificate. Automatically through Active Directory (AD): uses the AD trusted root store to configure trust for all clients in the AD forest; requires Forefront TMG to be deployed in a domain environment; will not work for browsers that do not use the Windows certificate store for trust. Manually on each computer, using the root certificate installation procedure required by the browser.
  • 13. HTTPS inspection: operations. Setup: enable HTTPS inspection; generate the trusted root certificate; install the trusted root certificate on clients. Per connection (diagram: client requesting https://contoso.com, TMG, contoso.com; the Contoso.com certificate signed by TMG on the client side, signed by VeriSign on the server side): 1. Intercept HTTPS traffic. 2. Validate the contoso.com server certificate. 3. Generate a contoso.com server proxy certificate on TMG. 4. Copy data from the original server certificate to the proxy certificate. 5. Sign the new certificate with the TMG trusted root certificate. 6. [TMG manages a certificate cache to avoid redundant duplications.] 7. Pretend to be contoso.com for the client. 8. Bridge HTTPS traffic between client and server.
  • 17. HTTPS inspection: notifications. Notification is provided by the Forefront TMG client: notify the user of inspection; history of recent notifications; management of the notification exception list. Notification may be a legal requirement in some geographies.
  • 18. HTTPS inspection: notifications, user experience (screenshot).
  • 19. HTTPS inspection: common errors. HTTPS inspection CA certificate errors: generally seen by the user as an "invalid certificate" message when reaching a site that uses HTTPS; the usual cause is a client that does not trust the inspection root, for instance a browser that keeps its own certificate store (slide 12). Server certificate errors: seen as error pages generated by TMG on specific server-certificate validation failures; the user application receives an HTTP 502 Bad Gateway response whose error text gives the details, such as: "The name on the SSL server certificate supplied by a destination server does not match the name of the host requested."; "The SSL server certificate supplied by a destination server has expired."; "The SSL server certificate supplied by a destination server has been revoked."
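Steps 2 to 7 of the procedure on slide 13 and the server-certificate failures above, as an added example in Go. This is not TMG's implementation: the certificate authorities, host names, key choices and the mapping of validation errors to the page's 502 texts are constructed for the demo. The inspector validates the remote server's certificate against the CAs it trusts and the host the client asked for, reports a name mismatch or an expired certificate with the page's own wording, and only then clones the subject and names into a new leaf signed by its inspection root. A client that trusts the inspection root is modelled by a second Inspector whose only trusted CA is that root, since its Validate is exactly the check a client performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The page's own 502 error texts for the two validation failures shown here.
var ErrNameMismatch = errors.New("The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.")
var ErrExpired = errors.New("The SSL server certificate supplied by a destination server has expired.")

// CA is a certificate authority with its signing key: one plays a constructed
// public CA, one is the proxy's inspection root.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// issue signs tmpl with parent's key (parent == tmpl for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewCA(cn string) (*CA, error) {
	key, now := newKey(), time.Now()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0)}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return &CA{Cert: cert, Key: key}, err
}

// IssueServerCert plays the public CA: a leaf for dnsName expiring in validDays
// (negative for an already expired one). Constructed demo input, not real contoso.com material.
func (ca *CA) IssueServerCert(dnsName string, validDays int) (*x509.Certificate, error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().AddDate(0, 0, -30), NotAfter: time.Now().AddDate(0, 0, validDays),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca.Cert, &newKey().PublicKey, ca.Key)
}

// Inspector is the proxy side: the inspection root clients must trust, one key
// pair reused for every cloned leaf, and the CAs it trusts for remote servers.
type Inspector struct {
	Root    *CA
	leafKey *ecdsa.PrivateKey
	trusted *x509.CertPool
}

func NewInspector(trusted ...*x509.Certificate) (*Inspector, error) {
	root, err := NewCA("TMG HTTPS Inspection Root")
	in := &Inspector{Root: root, leafKey: newKey(), trusted: x509.NewCertPool()}
	for _, c := range trusted {
		in.trusted.AddCert(c)
	}
	return in, err
}

// Validate is step 2: the server certificate must chain to a trusted CA and
// match the host the client asked for. Revocation is not checked here.
func (in *Inspector) Validate(host string, server *x509.Certificate) error {
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: in.trusted})
	var nameErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return nil
	case errors.As(err, &nameErr):
		return ErrNameMismatch
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return ErrExpired
	}
	return err // untrusted issuer and anything else: refuse, never clone
}

// Clone is steps 3 to 7: after validation, copy the identity of the server
// certificate into a leaf signed by the inspection root. (A real proxy
// caches the result per host, step 6; omitted here.)
func (in *Inspector) Clone(host string, server *x509.Certificate) (*x509.Certificate, error) {
	if err := in.Validate(host, server); err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{Subject: server.Subject, DNSNames: server.DNSNames,
		NotBefore: server.NotBefore, NotAfter: server.NotAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, in.Root.Cert, &in.leafKey.PublicKey, in.Root.Key)
}

func main() {
	public, _ := NewCA("Constructed Public CA")
	in, _ := NewInspector(public.Cert)
	good, _ := public.IssueServerCert("www.contoso.com", 365)
	clone, err := in.Clone("www.contoso.com", good)
	client, _ := NewInspector(in.Root.Cert) // a client trusting the inspection root checks the same way
	fmt.Println(err, clone.Issuer.CommonName, client.Validate("www.contoso.com", clone))
}
```

The inspection root's private key deserves the same protection as any CA key: whoever holds it can impersonate every HTTPS site to every client that trusts it, which is also why the page insists on strict server-certificate validation before a clone is ever issued. The revoked-certificate case from the list above needs a CRL or OCSP fetch and has no offline stand-in here.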
  • 21. Threats and defences (section divider for URL filtering; the same matrix as slide 3).
  • 22. Forefront TMG URL filtering (diagram: TMG queries the Microsoft Reputation Service URL database over the Internet). Integrates leading URL database providers; 91 built-in categories; subscription-based; predefined and administrator-defined category sets; customizable, per-rule deny messages; URL category override; URL category query; logging and reporting support; Web Access Wizard integration.
  • 23. URL filtering: procedure. 1. The user sends a request for a Web site. 2. TMG intercepts the request and determines whether URL categorization is needed: to allow or deny the traffic based on the available rules, TMG needs the category the URL belongs to. 3. If categorization is needed, name resolution is done for the URL and the URL is matched to a category. 4. If categorization is not needed, TMG marks the request as not categorized and logs the category, to be used in case it needs to send a denial to the user. 5. The rule matching the request is then found and TMG determines whether that rule allows or denies the category. 6. If the rule requires a category, a request marked as not categorized is blocked and a denial is sent to the user; otherwise the rule verifies the matched category and TMG allows or denies the action based on whether the rule allows that category.
  • 24. URL filtering: components involved. URL categorization is only called if both of the following conditions are met: URL filtering is enabled, and categories are required by either policy rules or the log. URL filtering operates as part of the Microsoft Firewall Service (wspsrv.exe). The categorizer component has an important role in the whole URL filtering process because it interacts with the core TMG components involved (rules engine, malware protection exception, HTTPS exception, category query and deny page). The other component that plays an important role during categorization is the MRS categorizer, which gathers information from the MRS service provided by Microsoft using the Windows Web Services API (WWSAPI) via calls to WinHTTP.
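The procedure of slide 23 and the two preconditions above, as an added example in Go; this is not TMG's code, and the rules, category names and the reputation lookup are constructed stand-ins for a policy and for the MRS query. The filter categorizes only when filtering is enabled and either a rule or the log needs a category, answers from the administrator override and from its cache before it queries, marks skipped requests as "not categorized", and walks the rules first match first, denying at any category rule it reaches with a "not categorized" request, as slide 23 states. It also carries the per-rule deny text and the category override that the later URL-filtering slides configure through the console.

```go
package main

import (
	"fmt"
	"net/url"
)

// Category is a URL category; on TMG these are ordinary network objects. The
// empty string means "looked up, nothing known".
type Category string

// NotCategorized marks a request for which categorization was skipped.
const NotCategorized Category = "(not categorized)"

// Rule is a simplified Web access rule: rules are ordered, the first match
// wins, and a rule with no categories matches any destination.
type Rule struct {
	Name       string
	Allow      bool
	Categories []Category
	DenyText   string // per-rule custom denial text or HTML (optional)
}

// Filter is the URL-filtering state the page describes: on/off switch, whether
// the log alone needs categories, overrides (checked first), cache and lookup.
type Filter struct {
	Enabled, LogCategory bool
	Overrides            map[string]Category
	Lookup               func(host string) Category // stand-in for the MRS query
	cache                map[string]Category
}

type Verdict struct{ Allowed bool; Rule string; Category Category; DenyText string }

func NewFilter(lookup func(string) Category) *Filter {
	return &Filter{Enabled: true, Lookup: lookup, Overrides: map[string]Category{}, cache: map[string]Category{}}
}

// Categorize answers from override, then cache, then the reputation lookup.
func (f *Filter) Categorize(rawURL string) Category {
	u, err := url.Parse(rawURL)
	if err != nil {
		return ""
	}
	host := u.Hostname()
	if c, ok := f.Overrides[host]; ok {
		return c
	}
	if _, ok := f.cache[host]; !ok {
		f.cache[host] = f.Lookup(host)
	}
	return f.cache[host]
}

// Evaluate follows slides 23 and 24: categorize only if filtering is enabled
// and a rule or the log needs a category, otherwise the request is "not
// categorized"; a category rule reached with such a request denies it.
func (f *Filter) Evaluate(rawURL string, rules []Rule) Verdict {
	need := f.LogCategory
	for _, r := range rules {
		need = need || len(r.Categories) > 0
	}
	cat := NotCategorized
	if f.Enabled && need {
		cat = f.Categorize(rawURL)
	}
	for _, r := range rules {
		matched := len(r.Categories) == 0
		for _, c := range r.Categories {
			matched = matched || c == cat
		}
		if !matched && cat != NotCategorized {
			continue
		}
		v := Verdict{Allowed: matched && r.Allow, Rule: r.Name, Category: cat, DenyText: r.DenyText}
		if !v.Allowed && v.DenyText == "" {
			v.DenyText = "Access denied by policy." // default page when the rule has no custom text
		}
		return v
	}
	return Verdict{Rule: "(default deny)", Category: cat, DenyText: "Access denied by policy."}
}

// SampleDB and SamplePolicy are constructed demo data, not the reputation
// database or a real policy.
var SampleDB = map[string]Category{"malware.example.net": "malicious sites", "social.example.com": "social networking", "news.example.org": "news"}

func SamplePolicy() []Rule {
	return []Rule{
		{Name: "Block known bad", Categories: []Category{"malicious sites", "phishing"}},
		{Name: "Block social", Categories: []Category{"social networking"}, DenyText: "<b>Social networks are blocked during office hours.</b>"},
		{Name: "Allow everything else", Allow: true},
	}
}

func main() {
	f := NewFilter(func(host string) Category { return SampleDB[host] })
	f.Overrides["intranet.contoso.com"] = "business"
	for _, u := range []string{"http://malware.example.net/a.exe", "https://social.example.com/", "http://intranet.contoso.com/"} {
		fmt.Printf("%-33s %+v\n", u, f.Evaluate(u, SamplePolicy()))
	}
}
```

One consequence worth checking in a real deployment follows directly from step 6 of the slide: switching URL filtering off while category-based rules remain in the policy does not make those rules inert, it makes every request reach them as "not categorized" and be denied there.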
  • 25. URL filtering: components involved (diagram).
  • 26. URL filtering: benefits. Control user Web access based on URL categories; protect users from known malicious sites; reduce liability risks; increase productivity; reduce bandwidth and Forefront TMG resource consumption; analyze Web usage.
  • 27. Using Microsoft Reputation Services (diagram). MRS federates multiple vendors and combines their data with telemetry. TMG's URL categorizer sends the query (URL) to MRS over SSL, used for authentication and privacy; the telemetry path is also SSL. Cache: fetch on miss; persistent and in-memory; category overrides; weighted TTL. Telemetry: feedback mechanism; no PII. Policy is applied to the category returned.
  • 28. URL filtering categories, grouped as Security, Liability and Productivity.
  • 29. URL filtering policy. URL categories are standard network objects; the administrator can create custom URL category sets.
  • 31. Per-rule customization. The TMG administrator can customize the denial message displayed to the user on a per-rule basis: add custom text or HTML, or redirect the user to a specific URL.
  • 32. Configurazione di URL Filtering 32
  • 33. Sapere a quale categoria appartiene un URL Administrator can use the URL Filtering Settings dialog box to query the URL filtering database Enter the URL or IP address as input The result and its source are displayed on the tab
  • 34. Sovrascrivere l’appartenenza di un url ad una categoria Administrator can override the categorization of a URL Feedback to MRS via Telemetry 34
  • 35. Personalizzare il messaggio da inviare all’utente HTML tags 35 35
  • 38. Pericoli e difese Application HTTPS Anti- URL Threats Layer NIS Inspection malware Filtering Firewall Malware Phishing Liability Data Leakage Lost Productivity Loss of Control Full Partial Enabler
  • 39. HTTP Malware Inspection MU or WSUS • Integrates Microsoft Antivirus engine Third party plug-ins can be used • Signature and engine updates (native Malware inspection must • Subscription-based be disabled) Content delivery methods by content type Signatures DB Internet TMG • Source and destination exceptions • Global and per-rule inspection options (encrypted files, nested archives, large files…) • Logging and reporting support • Web Access Wizard integration
  • 40. Abilitare Malware Inspection Activate the Web Protection license Enable malware inspection on Web access rules Web Access Policy Wizard or New Access Rule Wizard for new rules Rule properties for existing rules 40
  • 42. Malware Inspection Impostazioni Generali Administrator can configure malware blocking behavior: Low, medium and high severity threats Suspicious files Corrupted files Encrypted files Archive bombs Too many depth levels or unpacked content too large File size too large 42
  • 47. Il problema in generale Un-patched vulnerabilities Average survival time of unpatched Windows® XP less than 20 minutes About two percent of Windows® machines are fully patched Vulnerability window Increasing number of zero days Attackers craft exploits faster than customers can deploy patches Encryption and protocol tunneling are a complicated problem for a defense technology (for example, HTTPS) 47
  • 48. Network Inspection System (NIS) Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions) Detects and potentially block attacks on network resources NIS helps organizations reduce the vulnerability window Protect machines against known vulnerabilities until patch can be deployed Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window Integrated into Forefront TMG Synergy with HTTPS Inspection 48
  • 49. NIS e Static Signatures NIS differs from many protocol analysis technologies . Although NIS is able to discover valid traffic based on static signatures (conceptually similar to the HTTP Filter), NIS expands on basic signature matching by evaluating three aspects of the network traffic: Protocol state The expected condition of the protocol at any point in time Message structure The validation of a message according to the protocol definition Message context The validation of a message in the context of the protocol state 49
  • 50. Processo di difesa ad una vulnerabilità Vulnerability is discovered Response team prepares and tests the vulnerability signature Signature released by Microsoft and deployed through distribution service, on security patch release All un-patched hosts behind Forefront TMG are protected Corporate Network Signature Authoring Vulnerability Team Signature TMG Discovered Distribution Service Signature Testing Authoring 50
  • 51. Altri meccanismi di protezione Common OS attack detection DNS attack filtering IP option filtering Flood mitigation 51
  • 53. Attacchi comuni Inspects traffic for the following common attacks: WinNuke Land Ping of Death IP Half Scan Port Scan UDP Bomb Offending packets are dropped and an event generated triggering an Intrusion Detected alert 53
  • 54. DNS attack filters
      Enables the following checks on DNS traffic:
        DNS host name overflow – DNS response for a host name exceeding 255 bytes
        DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes
        DNS zone transfer – DNS request to transfer zones from an internal DNS server
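      The three checks above, implemented over raw DNS messages as an added example (not TMG code). It parses the question and answer sections (including compression pointers) and reports which check a message trips; the thresholds are the ones on the slide, and the sample messages are constructed.

```python
"""DNS attack-filter checks modelled on the three TMG checks (slide 54).

Added example, not TMG code: flags a response host name longer than 255
bytes, an A record whose RDLENGTH exceeds 4 bytes, and a zone transfer
(AXFR, QTYPE 252) request.
"""
import struct

AXFR, A_RECORD = 252, 1


def read_name(msg: bytes, off: int) -> tuple:
    """Return (encoded name length in bytes, offset just after the name)."""
    length, end, jumped = 0, off, False
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:              # compression pointer
            if not jumped:
                end = off + 2               # name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        length += n + 1                     # label bytes plus length byte
        off += n + 1
        if n == 0:                          # root label terminates the name
            break
    return length, (end if jumped else off)


def check_dns(msg: bytes) -> list:
    """Return the names of the checks a single DNS message trips."""
    findings = []
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    is_response = bool(flags & 0x8000)
    off = 12                                # skip the 12-byte header
    for _ in range(qd):
        _, off = read_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                            # QTYPE + QCLASS
        if not is_response and qtype == AXFR:
            findings.append("DNS zone transfer request")
    for _ in range(an if is_response else 0):
        name_len, off = read_name(msg, off)
        if name_len > 255:
            findings.append("DNS host name overflow")
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == A_RECORD and rdlen > 4:
            findings.append("DNS length overflow")
    return findings
```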
  • 55. IP filters
      Forefront TMG can block IP packets based on the IP options set:
        Deny all packets with any IP options
        Deny packets with the selected IP options
        Deny packets with all except the selected IP options
      Forefront TMG can also block fragmented IP packets
  • 56. Defending against flood attacks…
      Forefront TMG flood mitigation mechanism uses:
        Connection limits that are used to identify and block malicious traffic
        Logging of flood mitigation events
        Alerts that are triggered when a connection limit is exceeded
      TMG comes with default configuration settings
      Exceptions can be set per computer set
      (Table of Limit and Custom Limit values per connection type; row labels not recoverable from the slide)
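      The mechanism above as an added example (not TMG code): a per-client sliding-window connection limit with a default limit, a custom limit for one computer set, and an alert record when the limit is exceeded. The limit values, the computer set and the timestamps are constructed; TMG's real defaults are not reproduced.

```python
"""Sliding-window connection limiter modelled on TMG flood mitigation (slide 56).

Added example, not TMG code. Limits, the computer-set exception and the
sample timestamps are constructed; TMG's default values are not reproduced.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

DEFAULT_LIMIT = 100          # constructed: connect requests per client per window
WINDOW_SECONDS = 60
# Constructed "computer set" exception carrying its own custom limit.
EXCEPTIONS = [(ip_network("10.0.5.0/24"), 1000)]


class FloodMitigator:
    def __init__(self):
        self.requests = defaultdict(deque)   # client IP -> timestamps in window
        self.alerts = []                     # (timestamp, client IP, limit) events

    def limit_for(self, client: str) -> int:
        """Custom limit if the client is in an excepted computer set, else default."""
        addr = ip_address(client)
        for net, custom in EXCEPTIONS:
            if addr in net:
                return custom
        return DEFAULT_LIMIT

    def connect(self, client: str, ts: float) -> bool:
        """Record a connect request; return False (block) once the limit is exceeded."""
        window = self.requests[client]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()                 # expire requests outside the window
        limit = self.limit_for(client)
        if len(window) >= limit:
            self.alerts.append((ts, client, limit))   # logged event / alert
            return False
        window.append(ts)
        return True
```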

Editor's Notes

  1. Policies use URL categories as standard network objects in the Web access policy.