Forefront TMG 2010 Virtualization


Upload: esmaeil-sarabadani

Posted on 24-May-2015


Page 1

Page 2

Virtualization of Forefront Threat Management Gateway 2010

Esmaeil Sarabadani, MCT, MCSA/MCSE Security, Redynamics Asia Sdn. Bhd.

Page 3

What will be covered …

• Virtual Edge Security Concerns
• The Story of The Parent …
• Defining The Traffic Flow and The Traffic Profile
• Deploying Forefront TMG as the Virtual Edge Firewall
• Designing a Virtual Perimeter Network or DMZ
• Tips for Better Management and Performance
• Deploying Forefront TMG as a Three-Legged and Back-to-Back Firewall
• Why do we virtualize the edge?

Page 4

Why do we virtualize the edge?

• Faster disaster recovery in case of edge failure

• Increasing the complexity of the network for hackers

• Suitable for small businesses

Page 5

Virtualization of the Network Edge: Concerns …

• Software is less secure than hardware
  • Hardware firewalls are all software-based but just come in a hardware package

Page 6

Virtualization of the Network Edge: Concerns …

• More complicated network structure
• More difficult to manage
• The same old argument against Windows security being placed on the edge:
  • Exchange Server 2010 Edge Role
  • Office Communication Server 2007 Edge Role
  • ISA Server is 10 years old without any exploits
• Linux is more secure than Windows

OS Vulnerabilities in 2010 (information from www.securityfocus.com):
Windows: 33
Linux: 179

Page 7

The story of the parent … Physical vs. Virtual

Figure: Physical vs. Virtual stacks. Physical: Hardware > Operating System > Application (TMG). Virtual: Hardware > Hypervisor, with the Parent Operating System and the Child (Guest) Operating System each running above it and each carrying its own Application layer (TMG).

Page 8

The story of the parent …

• If the parent is compromised, the whole virtualized environment is compromised.

Figure: a parent partition running TMG sits between the Internet and the LAN, with the guest OSs attached through the virtual networking components; the parent, the virtual networking components and the guest OSs are all marked COMPROMISED.

Page 9

The story of the parent …

• DO NOT install TMG on the parent partition
• Windows Server 2008 R2 Core on the parent
• DO NOT use the parent as a workstation… It’s a SERVER …
• Restrict the management of the parent
• Enable BitLocker on the parent
• Keep the parent OS up-to-date
• Disconnect the parent from the internet
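The checklist above as an audit script, added here and not part of the deck: it reports which of the parent-partition rules are not met. It assumes Windows Server 2012 or later cmdlets (Get-BitLockerVolume, Get-NetRoute), a management adapter named NIC-Mgmt, and that fwsrv is the ISA/TMG Firewall service name.

```powershell
# Added example (not from the deck): audits a Hyper-V parent against the page 9 checklist.
# Run elevated on the parent; needs the BitLocker and NetTCPIP modules (Windows Server 2012+).
function Test-ParentHardening {
    [CmdletBinding()]
    param([int]$MaxPatchAgeDays = 30)   # assumed threshold for "up-to-date"
    $findings = @()

    # 1. TMG must not run on the parent. 'fwsrv' is the ISA/TMG Firewall service name (assumed here).
    if (Get-Service -Name fwsrv -ErrorAction SilentlyContinue) {
        $findings += 'TMG Firewall service (fwsrv) is installed on the parent partition'
    }

    # 2. Server Core on the parent: InstallationType reads 'Server Core' on a Core install.
    $type = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    if ($type -ne 'Server Core') { $findings += "Parent is a '$type' install, not Server Core" }

    # 3. BitLocker on the OS volume, with protection actually switched on (not just encrypted).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $os -or $os.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is not on for $env:SystemDrive"
    }

    # 4. Patch freshness: newest hotfix install date against the threshold.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings += "No update installed in the last $MaxPatchAgeDays days"
    }

    # 5. Parent disconnected from the internet: a default route is acceptable only on the
    #    management adapter (assumed name 'NIC-Mgmt'); any other one is a path to the outside.
    $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
              Where-Object InterfaceAlias -ne 'NIC-Mgmt'
    foreach ($r in $routes) {
        $findings += "Default route via $($r.NextHop) on non-management adapter $($r.InterfaceAlias)"
    }

    if ($findings) { $findings } else { 'Parent passes all checks' }
}

Test-ParentHardening
```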

Page 10

Configuring the parent partition

demo

Page 11

TMG as an Edge Firewall

Figure: a Hyper-V host with two physical NICs. One is bound to an external virtual switch connected to the internet, the other to an external virtual switch connected to the LAN. The guest OS with TMG has Virtual NIC 1 on the internet-facing switch and Virtual NIC 2 on the LAN-facing switch; the parent OS is disconnected from the internet.

Page 12

Deploying TMG as an Edge Firewall

demo

Page 13

Defining The Traffic Profile

Virtual environments make the network structure more complex for attackers to penetrate.

• Capture the network traffic on the TMG host using the Microsoft Network Monitor tool
• Avoid the use of an Allow All rule
• Restrict RPC and DCOM to specific ports
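The three steps above, worked as an added example that is not part of the deck: captured flows are grouped into a per-server, per-port profile that a specific TMG rule set can be written from, RPC endpoint-mapper and dynamic-port hits are flagged, and a helper pins the RPC/DCOM range on the server behind TMG. The CSV rows are constructed and their column names are an assumption, not a Network Monitor export format; the 5000-5020 range is an illustrative choice.

```powershell
# Added example, not from the deck: builds a traffic profile from captured flows so that
# TMG rules can be written per destination port instead of an Allow All rule (page 13).
# The CSV below is constructed; its column names are an assumption, not a Network Monitor format.
$capture = @'
Proto,SrcIP,DstIP,DstPort
TCP,10.0.0.5,10.0.0.10,445
TCP,10.0.0.5,10.0.0.10,135
TCP,10.0.0.5,10.0.0.10,49671
TCP,10.0.0.6,10.0.0.10,49671
UDP,10.0.0.5,10.0.0.10,53
TCP,10.0.0.7,10.0.0.10,389
TCP,10.0.0.7,10.0.0.11,3389
'@ | ConvertFrom-Csv

function Get-TrafficProfile {
    param([Parameter(Mandatory)][object[]]$Flows,
          [int]$DynamicLow = 49152, [int]$DynamicHigh = 65535)  # default RPC dynamic range, Windows Server 2008+
    $Flows | Group-Object Proto, DstIP, DstPort | ForEach-Object {
        $f = $_.Group[0]; $port = [int]$f.DstPort
        # Port 135 followed by a high port is RPC/DCOM endpoint negotiation: pin the server's
        # dynamic range (Set-RpcPortRange below) before writing a specific TMG rule for it.
        $note = if ($port -eq 135) { 'RPC endpoint mapper' }
                elseif ($port -ge $DynamicLow -and $port -le $DynamicHigh) { 'RPC dynamic port: restrict range' }
                else { '' }
        [pscustomobject]@{
            Proto = $f.Proto; Server = $f.DstIP; Port = $port; Hits = $_.Count
            Sources = ($_.Group.SrcIP | Sort-Object -Unique) -join ','
            Note = $note
        }
    } | Sort-Object Server, Proto, Port
}

# Confines RPC/DCOM on a server behind TMG to a fixed port range (Microsoft KB 154596);
# takes effect after a reboot. The 5000-5020 range is an assumption for illustration.
function Set-RpcPortRange {
    param([string]$Range = '5000-5020')
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
}

Get-TrafficProfile -Flows $capture | Format-Table -AutoSize
```

Once the range is pinned, the TMG rule for that server only needs TCP 135 plus the pinned range instead of the whole dynamic range.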

Page 14

Defining a Traffic Profile

demo

Page 15

Designing The Perimeter Network or DMZ

• What’s the DMZ?
• DMZ (Demilitarized Zone) is a sub-network that contains and exposes an organization’s external services to the internet.
• The Two Well-known DMZ Designs:

Figure: Back-to-Back Firewall Design: Internet > Front-end FW > Perimeter Network > Back-end FW > LAN.

Figure: Three-Legged Firewall Design: a single three-legged FW with the Internet, the Perimeter Network and the LAN each on its own leg.

Page 16

TMG as a Three-Legged Firewall

Figure: a Hyper-V host with two physical NICs, one bound to an external virtual switch connected to the internet and one to an external virtual switch connected to the LAN, plus a DMZ virtual switch with no physical NIC. The guest OS with TMG has Virtual NIC 1 on the internet switch, Virtual NIC 2 on the LAN switch and Virtual NIC 3 on the DMZ virtual switch; the guest OS in the DMZ has its virtual NIC on the DMZ virtual switch only. The parent OS is disconnected from the internet.

Page 17

TMG as a Three-Legged Firewall

Figure: the same three-legged layout as on page 16 (Virtual NIC 1 on the internet switch, Virtual NIC 2 on the LAN switch, Virtual NIC 3 on the DMZ virtual switch, guest OS in the DMZ on the DMZ virtual switch, parent OS disconnected from the internet), with a second variant in which the DMZ leg runs over a third physical NIC bound to an external virtual switch and out to a physical switch.

Page 18

Deploying TMG as a Three-Legged Firewall

demo

Page 19

Designing The Three-Legged DMZ

• Guest OSs in DMZ are all connected to the same virtual switch.

Figure: the guest OS with TMG has Virtual NIC 1 and Virtual NIC 2 on the external virtual switches connected to the LAN and to the internet, and Virtual NIC 3 on the DMZ virtual switch; the DC and the File Server in the DMZ each have one virtual NIC on that same DMZ virtual switch.

Page 20

Designing The Three-Legged DMZ

• Guest OSs in DMZ are connected to different virtual switches.

Figure: as on page 19, but with two DMZ virtual switches: the guest OS with TMG has Virtual NIC 3 on DMZ Virtual Switch #1, where the DC sits, and Virtual NIC 4 on DMZ Virtual Switch #2, where the File Server sits.

Page 21

Configuring The DMZ on Hyper-V

demo

Page 22

Designing The Three-Legged DMZ: Tips and Hints …

• The traffic must flow through TMG.
• Avoid connecting the Guest OSs to the virtual external switch.
• Connect servers with different security criteria to separate virtual switches.
• For every virtual switch that TMG connects to, TMG needs a virtual NIC on that switch.
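The three-legged design of pages 16 to 22 built with the Hyper-V PowerShell module, as an added example that is not the deck's demo (the deck uses Windows Server 2008 R2 Hyper-V; these cmdlets exist from Windows Server 2012 on). Assumed names: physical NICs NIC-Internet and NIC-LAN, VMs TMG, DC and FileServer that already exist, and a separate management NIC for the parent as on page 25.

```powershell
# Added example, not from the deck: builds the three-legged DMZ layout of pages 16-22 with
# the Hyper-V PowerShell module (Windows Server 2012 and later; the deck demos 2008 R2).
# Assumed names: physical NICs 'NIC-Internet' and 'NIC-LAN', VMs 'TMG', 'DC' and 'FileServer',
# all already created; the parent keeps its own IP only on a separate management NIC (page 25).
#Requires -Modules Hyper-V
$ErrorActionPreference = 'Stop'

# Internet-facing external switch. AllowManagementOS $false gives the parent no interface on
# that segment, which is the "disconnected from the internet" box in the diagrams.
New-VMSwitch -Name 'vSwitch-Internet' -NetAdapterName 'NIC-Internet' -AllowManagementOS $false | Out-Null
# LAN-facing external switch, same rule: the parent is managed over its own NIC only.
New-VMSwitch -Name 'vSwitch-LAN' -NetAdapterName 'NIC-LAN' -AllowManagementOS $false | Out-Null

# DMZ switches are Private: no physical uplink and no parent vNIC, so a DMZ guest can only
# reach anything through TMG. Two switches keep servers with different security criteria apart.
New-VMSwitch -Name 'vSwitch-DMZ1' -SwitchType Private | Out-Null
New-VMSwitch -Name 'vSwitch-DMZ2' -SwitchType Private | Out-Null

# TMG needs one virtual NIC per switch it fronts (page 22, last tip): four legs here.
foreach ($sw in 'vSwitch-Internet', 'vSwitch-LAN', 'vSwitch-DMZ1', 'vSwitch-DMZ2') {
    Add-VMNetworkAdapter -VMName 'TMG' -SwitchName $sw -Name "vNIC-$sw"
}
# DMZ guests get exactly one virtual NIC, on their DMZ switch, never on an external switch.
Add-VMNetworkAdapter -VMName 'DC'         -SwitchName 'vSwitch-DMZ1' -Name 'vNIC-DMZ1'
Add-VMNetworkAdapter -VMName 'FileServer' -SwitchName 'vSwitch-DMZ2' -Name 'vNIC-DMZ2'

# Verification: every guest except TMG must be off the external switches (otherwise its traffic
# does not flow through TMG), and the parent must have no host vNIC on either external switch.
$externalNames = (Get-VMSwitch -SwitchType External).Name
$bypass = Get-VM | Get-VMNetworkAdapter |
          Where-Object { $_.VMName -ne 'TMG' -and $_.SwitchName -in $externalNames }
if ($bypass) {
    $bypass | Format-Table VMName, Name, SwitchName -AutoSize
    throw 'A guest is attached to an external switch and bypasses TMG'
}
$hostNics = Get-VMNetworkAdapter -ManagementOS | Where-Object { $_.SwitchName -in $externalNames }
if ($hostNics) {
    throw "The parent has an interface on an external switch: $($hostNics.SwitchName -join ', ')"
}
'Topology matches the three-legged design'
```

The verification half can be run on its own against an existing host to confirm that no guest and no parent vNIC sits on an external switch.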

Page 23

A Back-to-Back TMG Firewall Design

Figure: a Hyper-V host with two physical NICs, one bound to an external virtual switch connected to the internet and one to an external virtual switch connected to the LAN, plus a DMZ virtual switch. The Front-End FW (TMG) has Virtual NIC 1 on the internet switch and Virtual NIC 2 on the DMZ virtual switch; the guest OS in the DMZ has its virtual NIC on the DMZ virtual switch; the Back-End FW (TMG) has Virtual NIC 1 on the DMZ virtual switch and Virtual NIC 2 on the LAN switch.

Page 24

Deploying The Back-to-Back TMG

demo

Page 25

The Virtual Edge Management

• A dedicated physical interface connected to the management VLAN
• Will have a different IP address range
• Will be available even if the virtual infrastructure fails, so we can still manage
• Access to the parent will be isolated

Page 26

The Virtual Edge Performance

Feature             Added CPU   RAM         Disk    Net
SQL Expr Logging    5-10% @#    #           @#      #
Web Cache           1% @        @           #       (-)
URL Filtering       1% #        2% #        #       # (-)
HTTPS Inspection    5% #        1-5% @
Net Insp System     5-10% #     5% #        @       (+)
Compression         5-10% @#    5-10% @#    #       (-)
NLB (500Mb max)     5-10% #     5-8% @      5% #
Malware Insp        5-20% #     5-10% #     #       # (+)

Variables: @ = TMG Configuration, # = Traffic Profile

Page 28

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.