Forefront TMG Advanced Web Protection Overview
Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security gateway that functions as an enterprise-class firewall, caching proxy (forward and reverse), and VPN (remote access and site-to-site) server. It can be deployed in all of these roles or any subset of them. When deployed as a forward proxy server, the TMG firewall can significantly improve your organization’s overall security posture by performing advanced network and application layer traffic inspection and enforcing strong user and group-based authentication. In this article we will examine how URL filtering, malware inspection, intrusion detection/prevention, and HTTPS inspection can enhance and complement your existing endpoint protection strategy.
With integrated URL filtering capabilities, TMG firewall administrators now have the ability to apply reputation-based access controls to web-based traffic. URL filtering is the first line of defense in a modern secure web gateway, and by assessing the reputation of web sites being accessed the administrator can prevent users from accessing known malicious sites. Web site categorization is handled by Microsoft Reputation Services (MRS). MRS is a cloud-based categorization service that the TMG firewall leverages to determine what category a particular web site belongs to. Once the site has been categorized, firewall policy processing will determine if the request is allowed or denied.
To enable URL filtering, highlight the Web Access Policy node in the navigation tree and click Configure Web Access Policy in the Tasks pane. The Web Access Policy wizard will guide you step-by-step through enabling URL filtering and configuring a default web access policy using recommended URL categories.
In addition, the Web Access Policy wizard will also enable and configure malware inspection, HTTPS inspection, and content caching.
Since no URL filtering solution is 100% effective (it is impossible to categorize every web site on the Internet) it is inevitable that users will visit a site that contains malicious software. To address this, TMG includes a gateway-integrated scanning engine to prevent virus and malicious software downloads. The scanning engine included with TMG is the Microsoft anti-malware scanning engine included in many Forefront protection technologies such as Forefront Protection for Exchange (FPE), Forefront Protection for SharePoint (FPSP), and Forefront Endpoint Protection (FEP), just to name a few. It is also the same scanning used in Microsoft Security Essentials (MSE). The scanning engine is fast and accurate, producing few false positives.
To enable virus and malicious software scanning, highlight the Web Access Policy node in the navigation tree, click Configure Malware Inspectionin the Tasks pane, and then select Enable Malware Inspection.
Virus and malware scanning is highly configurable in TMG, giving the administrator granular control over the type of content to be scanned as well as the method in which content is scanned. Here the administrator can also configure exemptions to scanning policy based on source or destination, and specify where signature updates are obtained and how they are applied.
URL filtering and malware scanning require the Web Protection Service subscription license. One license enables both features. More information regarding licensing can be found here.
Network Inspection System
Malicious software authors will often attempt to exploit vulnerabilities that might exist in Microsoft operating systems, applications, or networking protocols. To address this, the TMG firewall includes the Network Inspection System (NIS). NIS is a new vulnerability-based intrusion detection and prevention system that performs low-level protocol inspection to detect and prevent attacks against these vulnerabilities. Signatures are developed by the Microsoft Malware Protection Center (MMPC) and are released concurrently with security updates or in response to zero-day vulnerabilities. When enabled, NIS prevents these vulnerabilities from being exploited remotely and dramatically reduces the exposure window on Patch Tuesday.
To enable NIS, highlight the Intrusion Prevention System node in the navigation tree and click Configure Properties in the Tasks pane, then select the option to Enable NIS.
NIS inspects network traffic and can identify when a protocol does not conform to standards. These protocol anomalies can either be allowed or denied. In addition, NIS can be configured to exempt specific trusted sites from inspection, if required.
HTTPS communication presents a special challenge to many firewalls. Often referred to as the “universal firewall bypass protocol”, HTTPS encrypts application layer data which prevents even the most advanced application layer firewalls from inspecting this communication. For many years, virus and malware authors have used HTTPS as a way to move malicious or infected payloads through secure web gateways without being detected. Malicious users have been using HTTPS as a channel to circumvent access control with proxy avoidance software.
HTTPS inspection closes this loophole. With HTTPS inspection enabled, the TMG firewall copies the originally requested SSL certificate and issues the user a duplicate. The TMG firewall can now terminate the SSL session at the Internal network interface and decrypt and inspect all outbound HTTPS communication. With HTTPS inspection enabled the TMG firewall has access to unencrypted application layer data which has many positive effects. The TMG firewall now has access to the full request path, not just the IP address of the site. With this additional information it can more accurately enforce URL filtering. The TMG firewall can now also enforce HTTP policy and inspect content for viruses and malicious software.
To enable HTTPS inspection, highlight the Web Access Policy node in the navigation tree and click Configure HTTPS Inspection in the Tasks pane. Select Enable HTTPS Inspection and choose the option to Inspect traffic and validate site certificates.
HTTPS inspection requires that a server certificate be configured on the TMG firewall. Generate a self-signed certificate by selecting the option Use Forefront TMG to generate a certificate and clicking the Generate… button. Alternatively you can import a certificate from your existing internal PKI by selection the option to Import a certificate and clicking the Import… button.
Once enabled, the TMG administrator can exempt certain requests by specifying source and destination exceptions. When combined with URL filtering, destination exceptions can be URL categories or URL category sets (e.g. Financial or Health). Certificate validation options and client notification can also be configured.
When deployed as a secure web gateway, the Forefront Threat Management Gateway (TMG) 2010 firewall is a multi-layered perimeter defense system that provides a high level of protection for its clients. URL filtering ensures that clients cannot connect to known malicious sites. Integrated virus and malicious software scanning prevents users from downloading infected files, and the Network Inspection System prevents attacks on software vulnerabilities in any Microsoft operating system or application. HTTPS inspection significantly enhances all of these protection mechanisms by enabling the inspection of outbound encrypted communication.Since these advanced protection mechanisms are enforced at the gateway they provide protection not only for managed clients, but for non-managed clients as well.