50357 a enu-module02
Transcript of 50357 a enu-module02
![Page 1: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/1.jpg)
Module 2: Secure Web Gateway
© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.
![Page 2: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/2.jpg)
Module Overview
Secure Web Gateway overview
HTTPS inspection
URL filtering
Malware protection
Intrusion prevention
![Page 3: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/3.jpg)
Lesson 1 – Secure Web Gateway Overview
![Page 4: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/4.jpg)
What is a Secure Web Gateway (SWG)?
“A SWG is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, malicious code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype.”
Source: Gartner Secure Web Gateway Magic Quadrant, August 2008
![Page 5: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/5.jpg)
The Growing Market Potential
Dedicated SWG vendors are the fastest-growing submarket, averaging 140% year-over-year growth
[Chart: projected SWG market, 2008 to 2012, by delivery model (SaaS, Appliance, Software); vertical axis 0 to 3000]
Source: Gartner Secure Web Gateway Magic Quadrant, August 2008
![Page 6: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/6.jpg)
The Competitive Landscape
[Pie chart: SWG market share by vendor (Websense, Trend, Microsoft, McAfee/Secure Computing, Blue Coat, Other); segments of 54%, 19%, 12%, 6%, 5% and 3%]
![Page 7: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/7.jpg)
Forefront TMG as a Secure Web Gateway
Competitive Feature Set: URL Filtering, Malware Inspection, NIS
Easily Manageable: Web Access Wizard, Task Oriented Policy Management, Directory Services Integration, Licensing
Integrated Logging & Reporting Support: New reports, log fields
Scalable: Array Support, Load balancing
![Page 8: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/8.jpg)
Secure Web Gateway Layered Security
[Diagram: inspection layers stacked on Windows Server® 2008 / R2: Logging & Reporting, Application Layer Proxy, Network Inspection System, URL Filtering, HTTPS Inspection, Malware Inspection]
Unifies inspection technologies to:
Protect against multi-channel threats
Simplify deployment
Keeps security up to date with updates to:
Web antimalware
URL filtering
Network Inspection System
![Page 9: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/9.jpg)
Threats and Controls
[Matrix: threats (Malware, Phishing, Liability, Data Leakage, Lost Productivity, Loss of Control) against controls (Application Layer Firewall, HTTPS Inspection, Anti-malware, URL Filtering, NIS); each cell is marked Full, Partial or Enabler]
![Page 10: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/10.jpg)
Lesson 2 – HTTPS Inspection
![Page 11: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/11.jpg)
![Page 12: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/12.jpg)
Traditional SSL Security
Web browser sends a CONNECT request to the Web proxy:
CONNECT host_name:port HTTP/1.1
Web proxy allows the request to be sent to the TCP port specified in the request
Proxy informs the client that the connection is established
Client sends encrypted packets directly to the destination on the specified port without proxy mediation
What lies within this encrypted tunnel?
![Page 13: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/13.jpg)
Forefront TMG HTTPS Traffic Inspection
HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats
Trusted certificate generated by proxy matching the URL expected by the client
[Diagram: client to TMG over SSL using a Contoso.com certificate signed by TMG; TMG to the Internet over SSL using the Contoso.com certificate signed by VeriSign; the decrypted traffic passes through URL Filtering, Malware Inspection and Network Inspection System]
![Page 14: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/14.jpg)
Enabling HTTPS Traffic Inspection
[Diagram: Contoso.com certificate signed by TMG on the client side; Contoso.com certificate signed by VeriSign on the Internet side]
Certificate deployment (via Active Directory® or Import/Export)
Configure HTTPS Inspection:
• Proxy certificate generation/import and customization
• Source and destination exclusions
• Validate only option
• Notification
Client notifications about HTTPS inspection (via Firewall client)
Certificate validation (revocation, trusted, expiration validation, etc.)
![Page 15: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/15.jpg)
Generating the HTTPS Inspection Certificate
The HTTPS inspection certificate can be either generated by Forefront TMG or issued by a trusted CA
Administrators can customize the self-generated certificate
Commercial CAs will not typically issue HTTPS inspection certificates
HTTPS inspection certificate stored in the configuration store
Used by all array members
![Page 16: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/16.jpg)
Deploying the HTTPS Inspection Certificate
Two methods can be used to enable clients to trust the HTTPS Inspection Certificate
Automatically through Active Directory (AD), which uses the AD trusted root store to configure trust for all clients in the AD forest
Requires Forefront TMG to be deployed in a domain environment
Will not work for browsers that do not use the Windows certificate store for trust
Manually on each computer, using the root certificate installation procedure required by the browser
![Page 17: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/17.jpg)
How HTTPS Inspection Works
Enable HTTPS inspection
Generate trusted root certificate
Install trusted root certificate on clients
[Diagram: the client requests https://contoso.com; TMG presents a Contoso.com certificate signed by TMG to the client and receives the Contoso.com certificate signed by VeriSign from contoso.com]
1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for client
8. Bridge HTTPS traffic between client and server
![Page 18: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/18.jpg)
Scenario Walkthrough
Contoso Web Access Policy
No browsing to sites that pose security or liability risks, but...
Researchers need access to gambling sites
This includes access to encrypted archives
Malware Inspection should be enabled for all Web traffic
HTTPS Inspection should be enabled, with user notifications
Deny all Web downloads larger than 500MB
![Page 19: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/19.jpg)
Configuring HTTPS Inspection
![Page 20: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/20.jpg)
Configuring HTTPS Inspection
![Page 21: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/21.jpg)
Configuring HTTPS Inspection
![Page 22: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/22.jpg)
HTTPS Inspection Notifications
Notification provided by Forefront TMG client
Notify user of inspection
History of recent notifications
Management of Notification Exception List
May be a legal requirement in some geographies
![Page 23: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/23.jpg)
HTTPS Inspection Notification: User Experience
![Page 24: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/24.jpg)
Lesson 3 – URL Filtering
![Page 25: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/25.jpg)
![Page 26: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/26.jpg)
Forefront TMG URL Filtering
• 91 built-in categories
• Predefined and administrator defined category sets
• Integrates leading URL database providers
• Subscription-based
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
• Customizable, per-rule, deny messages
[Diagram: TMG queries the Microsoft Reputation Service on the Internet, which is backed by the URL DB]
![Page 27: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/27.jpg)
URL Filtering Benefits
Control user web access based on URL categories
Protect users from known malicious sites
Reduce liability risks
Increase productivity
Reduce bandwidth and Forefront TMG resource consumption
Analyze Web usage
![Page 28: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/28.jpg)
Microsoft Reputation Service
Accuracy
Comprehensive and flexible category taxonomy
Broad coverage through path inheritance
Overlapping and complementary URL metadata sources
Accuracy measured and tuned across providers (Weighting)
Telemetry-based error reporting and client data capture
Unknowns ranked and resolved based on prevalence
Performance
Four-tier architecture
Protocol-level packaging
Bloom filters
Availability
Globally-scaled, fault-tolerant architecture
Multi-layer dynamic caching (On-premise + Service)
![Page 29: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/29.jpg)
What Makes MRS Compelling?
Existing URL filtering solutions
A single vendor can't be an expert in all categories
Categorization response time
MRS unique architecture
MRS merges URL databases from multiple sources/vendors
Multi-vendor AV analogy
Based on Microsoft internal sources as well as collaboration with third party partners
Scalable
Ongoing collaborative effort
Recently announced an agreement with Marshal8e6
More announcements to follow
![Page 30: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/30.jpg)
How Forefront TMG Leverages MRS
[Diagram: the TMG Categorizer sends Query (URL) to MRS in Microsoft Datacenters over SSL; on a cache miss MRS runs a Federated Query across multiple vendors' databases; a separate Telemetry Path (also SSL) carries feedback; Policy consults the local Cache]
Query (URL):
• Fetch on cache miss
• SSL for auth & privacy
• No PII
Cache:
• Persistent
• In-memory
• Weighted TTL
Feedback mechanism on Category overrides
Combines with Telemetry Data
![Page 31: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/31.jpg)
URL Filtering Categories
Liability
Security
Productivity
![Page 32: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/32.jpg)
Categories and Inheritance
![Page 33: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/33.jpg)
URL Filtering Policy
URL categories are standard network objects
Administrator can create custom URL category sets
![Page 34: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/34.jpg)
URL Filtering Policy
![Page 35: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/35.jpg)
![Page 36: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/36.jpg)
Contoso’s Web Access Policy
Access rule allowing users in the Research group to access gambling and gambling-related sites
Access rule denying everyone access to Liability and Security sites
![Page 37: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/37.jpg)
Per-rule Customization
TMG administrator can customize the denial message displayed to the user on a per-rule basis
Add custom text or HTML
Redirect the user to a specific URL
![Page 38: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/38.jpg)
URL Filtering Configuration
![Page 39: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/39.jpg)
Category Query
Administrator can use the URL Filtering Settings dialog box to query the URL filtering database
Enter the URL or IP address as input
The result and its source are displayed on the tab
![Page 40: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/40.jpg)
URL Category Override
Administrator can override the categorization of a URL
Feedback to MRS via Telemetry
![Page 41: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/41.jpg)
User Experience
http://www.phishingsite.com
![Page 42: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/42.jpg)
User Experience
HTML tags
![Page 43: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/43.jpg)
Lesson 4 – Malware Protection
![Page 44: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/44.jpg)
![Page 45: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/45.jpg)
HTTP Malware Inspection
• Integrates Microsoft Antivirus engine
• Signature and engine updates
• Subscription-based
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files…)
• Logging and reporting support
• Web Access Wizard integration
Content delivery methods by content type
Third party plug-ins can be used (native Malware inspection must be disabled)
[Diagram: TMG inspects traffic from the Internet and receives its Signatures DB from MU or WSUS]
![Page 46: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/46.jpg)
Content Trickling
[Sequence diagram: components are the Firewall Service, Web Proxy, Malware Inspection Filter, Request Context and Scanner]
GET msrdp.cab (forwarded by the Web Proxy)
200 OK (from the origin server)
Accumulated Content (repeated as the response body arrives; each accumulation is passed to the Scanner)
200 OK (to the client)
![Page 47: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/47.jpg)
Progress Notification
[Sequence diagram: components are the Firewall Service, Web Proxy, Malware Inspection Filter, Primary Request Context, Secondary Request Context, Downloads Map and Scanner]
GET setup.exe (forwarded by the Web Proxy)
200 OK (setup.exe) from the origin server
Accumulated Content (repeated as the response body arrives; passed to the Scanner)
200 OK (HTML) to the client: the progress page
GET GetDownloadStatus → 200 OK (Retrieving)
GET GetDownloadStatus → 200 OK (Scanning)
GET GetDownloadStatus → 200 OK (Ready)
GET FinalDownload → 200 OK (setup.exe)
![Page 48: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/48.jpg)
Malware Scanner Behavior
[Diagram: Low, Normal and High Priority Queues feed the Antimalware Engine]
High:
• Partial inspection for Standard Trickling
• Final inspection for files smaller than 1 MB when Progress Page is not used
Normal:
• Partial inspection for Fast Trickling
• Final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used
Low:
• Final inspection when Progress Page is used
• Final inspection for files larger than 50 MB
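The queue rules above and the Retrieving/Scanning/Ready states polled by the progress page, modelled as an added Python example (this is not TMG code; the `ProgressDownload` class, the inclusive treatment of the 1 MB and 50 MB boundaries, and the 2 MB setup.exe scenario are assumptions made for the illustration):

```python
# Added illustration (not Forefront TMG code): route a final inspection to the
# Low/Normal/High scanner queues using the slide's rules, and drive one download
# through the progress-page states. Boundary handling at exactly 1 MB / 50 MB
# is an assumption; the slide only says "smaller" / "larger".
from collections import deque

MB = 1024 * 1024
QUEUES = ("high", "normal", "low")       # drained in this order


def scan_priority(stage, delivery, size_bytes):
    """Map one inspection job onto a scanner queue.
    stage: "partial" (a trickled chunk) or "final" (the complete file)
    delivery: "standard_trickling", "fast_trickling" or "progress_page"
    """
    if stage == "partial":
        if delivery == "standard_trickling":
            return "high"
        if delivery == "fast_trickling":
            return "normal"
        raise ValueError("partial inspection only applies to trickled content")
    if stage != "final":
        raise ValueError(f"unknown stage {stage!r}")
    if delivery == "progress_page" or size_bytes > 50 * MB:
        return "low"
    if size_bytes < 1 * MB:
        return "high"
    return "normal"          # 1 MB .. 50 MB without the progress page (assumed inclusive)


class ProgressDownload:
    """Secondary request context behind the progress page (constructed model)."""

    def __init__(self, name, size_bytes, queues):
        self.name, self.size, self.queues = name, size_bytes, queues
        self.received, self.state, self.verdict = 0, "Retrieving", None

    def accumulate(self, nbytes):
        """Origin-server bytes arrive; once the file is complete, queue the final scan."""
        self.received = min(self.size, self.received + nbytes)
        if self.received == self.size and self.state == "Retrieving":
            self.state = "Scanning"
            self.queues[scan_priority("final", "progress_page", self.size)].append(self)
        return self.state

    def status(self):
        """Answer a GET GetDownloadStatus poll."""
        return self.state

    def final_download(self):
        """Answer GET FinalDownload: only a fully scanned, clean file is released."""
        if self.state != "Ready":
            raise RuntimeError(f"download not ready: {self.state}")
        return self.name


def run_scanner(queues, is_malicious):
    """Antimalware engine: drain high, then normal, then low; return (name, verdict) pairs."""
    results = []
    for prio in QUEUES:
        while queues[prio]:
            job = queues[prio].popleft()
            infected = is_malicious(job.name)
            job.verdict = "infected" if infected else "clean"
            job.state = "Blocked" if infected else "Ready"
            results.append((job.name, job.verdict))
    return results


def demo():
    """Constructed scenario: a 2 MB setup.exe fetched through the progress page."""
    queues = {q: deque() for q in QUEUES}
    dl = ProgressDownload("setup.exe", 2 * MB, queues)
    polls = [dl.status()]                    # "Retrieving"
    for _ in range(4):
        dl.accumulate(512 * 1024)            # four 512 KB accumulations
    polls.append(dl.status())                # "Scanning" (job now in the low queue)
    run_scanner(queues, is_malicious=lambda name: False)
    polls.append(dl.status())                # "Ready"
    return polls, dl.final_download()
```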
![Page 49: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/49.jpg)
Enabling Malware Inspection
Activate the Web Protection license
Enable malware inspection on Web access rules
Web Access Policy Wizard or New Access Rule Wizard for new rules
Rule properties for existing rules
![Page 50: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/50.jpg)
![Page 51: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/51.jpg)
Malware Inspection Global Settings
![Page 52: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/52.jpg)
Malware Inspection Global Settings
Administrator can configure malware blocking behavior:
Low, medium and high severity threats
Suspicious files
Corrupted files
Encrypted files
Archive bombs (too many depth levels or unpacked content too large)
File size too large
![Page 53: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/53.jpg)
Malware Inspection Per-rule Overrides
![Page 54: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/54.jpg)
User Experience: Content Blocked
![Page 55: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/55.jpg)
User Experience: Progress Notification
![Page 56: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/56.jpg)
Lesson 5 – Intrusion Prevention
![Page 57: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/57.jpg)
The Problem
Un-patched vulnerabilities
Average survival time of unpatched Windows® XP less than 20 minutes
About two percent of Windows® machines are fully patched
Vulnerability window
Increasing number of zero days
Attackers craft exploits faster than customers can deploy patches
Encryption and protocol tunneling are a complicated problem for a defense technology (for example, HTTPS)
![Page 58: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/58.jpg)
Defining an Intrusion Prevention System (IPS)
[Matrix: approaches grouped as Allow Known Good, Block Known Bad and Block Unknown Bad, at three levels]
Execution Level: Application Control, Resource Shielding, Behavioral Containment
Application Level: Application and System Hardening, AV, Application Inspection
Network Level: Firewall, Attack-Facing Network Inspection, Vulnerability-Facing Network Inspection (Network Inspection System)
Source: Host-Based Intrusion Prevention Systems (HIPS) Update, Gartner 2007
![Page 59: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/59.jpg)
Network Inspection System (NIS)
Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
Detects and potentially blocks attacks on network resources
NIS helps organizations reduce the vulnerability window
Protect machines against known vulnerabilities until patch can be deployed
Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window
Integrated into Forefront TMG
Synergy with HTTPS Inspection
![Page 60: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/60.jpg)
New Vulnerability Use Case
Vulnerability is discovered
Response team prepares and tests the vulnerability signature
Signature released by Microsoft and deployed through distribution service, on security patch release
All un-patched hosts behind Forefront TMG are protected
[Diagram: Vulnerability Discovered → Signature Authoring Team (Signature Authoring, Testing) → Signature Distribution Service → TMG in the Corporate Network]
![Page 61: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/61.jpg)
Network Inspection System: Powered by GAPA
Generic Application Protocol Analyzer
A framework and platform for safe and fast low level protocol parsing
Supports extensibility and layering
Enables creating parsing-based rules for checking and applying specific conditions (for example, signatures)
GAPA technology powers Microsoft’s Network Inspection System (NIS)
![Page 62: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/62.jpg)
Network Inspection System Architecture
Design Time: GAPA Language → Compiler → Protocol Parsers and Signatures
Run Time: NIS Engine with Network Interception; Signatures & Protocol Parsers delivered through Microsoft Update; Telemetry and Portal
![Page 63: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/63.jpg)
NIS Response Process
Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release
Targeting 4 hours
![Page 64: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/64.jpg)
Enabling and Configuring NIS
![Page 65: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/65.jpg)
Other Network Protection Mechanisms
Common OS attack detection
DNS attack filtering
IP option filtering
Flood mitigation
![Page 66: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/66.jpg)
Common OS Attack Detection
Inspects traffic for the following common attacks:
WinNuke
Land
Ping of Death
IP Half Scan
Port Scan
UDP Bomb
Offending packets are dropped and an event generated triggering an Intrusion Detected alert
![Page 67: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/67.jpg)
DNS Attack Filtering
Enables the following checks in DNS traffic:
DNS host name overflow – DNS response for a host name exceeding 255 bytes
DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes
DNS zone transfer – DNS request to transfer zones from an internal DNS server
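The three checks above, applied to raw DNS messages, as an added Python example (not TMG code; the packet builders, the sample names and addresses, and the choice to measure the host name on its dotted text form are all assumptions made for the illustration):

```python
# Added illustration (not Forefront TMG code): the slide's three DNS checks run over
# wire-format DNS messages. Sample packets are constructed below for the demo.
import struct

MAX_NAME_LEN = 255          # slide: host name overflow threshold (bytes)
IPV4_RDLEN = 4              # slide: an IPv4 (A) answer must carry exactly 4 bytes
QTYPE_A, QTYPE_AXFR = 1, 252


def _read_name(msg, off):
    """Decode a wire-format name, following compression pointers.
    Returns (dotted_name, offset just past the name in this section)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def inspect_dns(msg, to_internal_server=False):
    """Return the sorted list of slide checks that fire for one DNS message.
    to_internal_server: True when the message is a request aimed at an internal DNS server."""
    alerts = set()
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    is_response = bool(flags & 0x8000)               # QR bit
    off = 12
    for _ in range(qd):                              # question section
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if is_response and len(name) > MAX_NAME_LEN:
            alerts.add("DNS host name overflow")
        if not is_response and qtype == QTYPE_AXFR and to_internal_server:
            alerts.add("DNS zone transfer")
    for _ in range(an):                              # answer section
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if is_response and len(name) > MAX_NAME_LEN:
            alerts.add("DNS host name overflow")
        if is_response and rtype == QTYPE_A and rdlen > IPV4_RDLEN:
            alerts.add("DNS length overflow")
        off += rdlen
    return sorted(alerts)


# --- constructed sample messages (not captured traffic) ----------------------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, qtype):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)        # QR=0, RD=1
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, rdata, rtype=QTYPE_A):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)        # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", rtype, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + answer


if __name__ == "__main__":
    samples = {
        "benign": build_response("www.contoso.com", bytes([10, 0, 0, 1])),
        "oversized_a": build_response("www.contoso.com", bytes([10, 0, 0, 1, 0x41])),
        "long_name": build_response(".".join(["a" * 63] * 5), bytes([10, 0, 0, 1])),
    }
    for label, pkt in samples.items():
        print(label, inspect_dns(pkt))
    print("axfr", inspect_dns(build_query("contoso.com", QTYPE_AXFR), to_internal_server=True))
```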
![Page 68: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/68.jpg)
IP Options Filtering
Forefront TMG can block IP packets based on the IP options set
Deny all packets with any IP options
Deny packets with the selected IP options
Deny packets with all except selected IP options
Forefront TMG can also block fragmented IP packets
![Page 69: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/69.jpg)
Flood Mitigation
Forefront TMG flood mitigation mechanism uses:
Connection limits that are used to identify and block malicious traffic
Logging of flood mitigation events
Alerts that are triggered when a connection limit is exceeded
TMG comes with default configuration settings
Exceptions can be set per computer set
[Table of default connection limits with Limit and Custom Limit columns; values shown: 600, 160, 80, 1000, 6000, 400; row labels not legible]
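The flood mitigation behaviour on this slide (a default connection limit, a custom limit for an excepted computer set, and a log entry plus an alert when a source exceeds its limit), modelled as an added Python example; this is not TMG code, and the limit values, the "Proxy Servers" computer set and the IP addresses are constructed for the illustration:

```python
# Added illustration (not Forefront TMG code): per-source connection limiting with
# computer-set exceptions, flood-mitigation log entries and a per-source alert.
# All limits, computer sets and addresses below are constructed sample values.
import ipaddress
from collections import Counter


class FloodMitigation:
    def __init__(self, default_limit, computer_sets, custom_limits):
        self.default_limit = default_limit
        # computer set name -> list of networks; custom_limits: set name -> custom limit
        self.computer_sets = {name: [ipaddress.ip_network(c) for c in cidrs]
                              for name, cidrs in computer_sets.items()}
        self.custom_limits = custom_limits
        self.active = Counter()                 # source IP -> open connections
        self.log, self.alerts = [], []

    def limit_for(self, ip):
        """Custom limit if the source belongs to an excepted computer set, else the default."""
        addr = ipaddress.ip_address(ip)
        for name, nets in self.computer_sets.items():
            if name in self.custom_limits and any(addr in n for n in nets):
                return self.custom_limits[name]
        return self.default_limit

    def open_connection(self, ip):
        """Admit a new connection from ip, or block it, log the event and alert once per source."""
        limit = self.limit_for(ip)
        if self.active[ip] >= limit:
            self.log.append(f"flood mitigation: connection from {ip} blocked, limit {limit} exceeded")
            if ip not in self.alerts:
                self.alerts.append(ip)          # "connection limit exceeded" alert
            return False
        self.active[ip] += 1
        return True

    def close_connection(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1


def demo():
    """Constructed scenario: one workstation floods past the default limit while a
    downstream proxy in an excepted computer set stays within its custom limit."""
    fm = FloodMitigation(
        default_limit=160,
        computer_sets={"Proxy Servers": ["10.0.5.0/24"]},
        custom_limits={"Proxy Servers": 600},
    )
    ws_results = [fm.open_connection("10.0.1.25") for _ in range(161)]   # 161st is blocked
    proxy_results = [fm.open_connection("10.0.5.10") for _ in range(300)]
    fm.close_connection("10.0.1.25")            # one connection ends, capacity frees up
    return {
        "workstation_blocked": ws_results.count(False),
        "proxy_blocked": proxy_results.count(False),
        "alerts": list(fm.alerts),
        "log_entries": len(fm.log),
        "reopen_after_close": fm.open_connection("10.0.1.25"),
    }
```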
![Page 70: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/70.jpg)
Questions
![Page 71: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/71.jpg)
Lab 2: Secure Web Gateway
In this lab, you will:
Create web access policies for Contoso users, including inspection of HTTPS sessions
Modify web access policy to include protection from malware
Investigate the Network Inspection System (NIS)
Lab 2 - Exercises 3, 4, and 5
Estimated Completion Time: 60 min
![Page 72: 50357 a enu-module02](https://reader035.fdocuments.us/reader035/viewer/2022062614/54661f52af79597e338b4f79/html5/thumbnails/72.jpg)
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.