Private Cloud Security via Forefront TMG 2010

Post on 01-Jun-2015


Private Cloud Security via Forefront TMG 2010

Esmaeil Sarabadani, Systems and Security Consultant

What’s going to be covered…

• Overview of the Public and Private Cloud
• Public and Private Cloud Security Concerns
• Data Isolation in Microsoft Cloud
• The Geographical Location of Data
• An Overview on Forefront Threat Management Gateway 2010
• Virtualization of TMG in the Cloud
• TMG Network Inspection System
• TMG HTTPS Inspection
• TMG Firewall Features
• Securing Remote Access to your Private Cloud

What is the cloud?!!

• It’s nothing supernatural.

• It’s been with you for a long time.

• Even our grandparents are using it now.

• It’s used for social activities, entertainment, business and much more.

• It could be more secure than your own PCs.

Public Cloud / Private Cloud

Whatever…

Public Cloud: Security Concerns

Choose where to store your data …

Public Cloud: Data Isolation

[Diagram: physical hardware running a hypervisor with a host VM and three guest VMs. One guest VM is hacked, the others are healthy; the hacked guest has no access to the healthy ones.]

Public Cloud: Network Security

[Diagram: hackers on the Internet sending traffic towards the Microsoft Public Cloud, whose hypervisors host many VMs.]

Differentiating between the legitimate and illegitimate traffic is quite challenging.

Analysis… Malicious traffic?!!

Private Cloud: Security Concerns

• Isolation of VMs from one another
• You are the only one responsible for the security of the cloud
• Attacks from inside the cloud
• Huge attacks from the Internet, such as DoS or DDoS
• Authentication, authorization or auditing of access to cloud services

Forefront Threat Management Gateway 2010

• Network Inspection System
• Web Anti-malware
• HTTPS Inspection
• Builds on ISA Server 2006
• Active Directory Integration
• Custom Reports
• Can be virtualized

Demo: An Overview on TMG

Software vs. Hardware

Are hardware firewalls more secure than software firewalls?

Software vs. Hardware

Hardware firewalls are all software-based but only come in a hardware package.

Virtualization of TMG

[Diagram: a hypervisor running a host VM and several guest VMs that form the private cloud. The host VM is not connected to the Internet; the TMG guest is the only VM connected to the Internet.]

• The edge gateway and FW
• The only guest connected to the Internet
• At least two virtual NICs

Data transmission between the private and public clouds.

[Diagram: several physical servers, each with a hypervisor running a host VM, guest VMs and a TMG VM with two virtual NICs; together the hypervisors form the private cloud.]

Data transmission inside the private cloud.

Demo: Virtualization of TMG

Virtualization of TMG: Best Practices

• Always disconnect the Host VM from the Internet

• All the traffic to the Internet must pass through the VM with TMG

• If there are multiple hypervisors (Physical Servers), the traffic between the VMs in different physical servers should be filtered using TMG.

• The virtual switch connecting the VMs in every physical server must be Private.
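As an added example (not part of the presentation), the following PowerShell audit checks a Hyper-V host against the best practices above. It assumes the Hyper-V PowerShell module is available and that the TMG guest is named 'TMG' (an assumed name, adjustable via the parameter).

```powershell
# Added audit script, not from the presentation. Assumes a Hyper-V host with the
# Hyper-V PowerShell module; the TMG guest name 'TMG' is an assumption.
param(
    [string]$TmgVmName = 'TMG'
)

$findings = @()

# Rule 1: the host (management OS) must stay off the Internet, so no External
# switch may expose the management OS; only the TMG guest should use it.
foreach ($sw in Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' }) {
    if ($sw.AllowManagementOS) {
        $findings += "External switch '$($sw.Name)' exposes the management OS; set AllowManagementOS to `$false"
    }
}

# Lookup of switch name -> switch type (External, Internal or Private).
$switchType = @{}
foreach ($sw in Get-VMSwitch) { $switchType[$sw.Name] = [string]$sw.SwitchType }

foreach ($vm in Get-VM) {
    $adapters = @(Get-VMNetworkAdapter -VMName $vm.Name)
    $types = @()
    foreach ($nic in $adapters) {
        if (-not $nic.SwitchName) { $types += 'Disconnected'; continue }
        $types += $switchType[$nic.SwitchName]
    }
    if ($vm.Name -eq $TmgVmName) {
        # Rule 2: TMG needs at least two vNICs, one External (edge) and one Private (cloud side).
        if ($adapters.Count -lt 2 -or ($types -notcontains 'External') -or ($types -notcontains 'Private')) {
            $findings += "TMG VM '$($vm.Name)' needs >= 2 vNICs, one External and one Private (has: $($types -join ', '))"
        }
    } else {
        # Rule 3: every other guest sits only on Private switches, so all Internet
        # traffic has to pass through the TMG VM.
        foreach ($t in ($types | Where-Object { $_ -ne 'Private' })) {
            $findings += "Guest '$($vm.Name)' has a vNIC on a $t switch; only Private switches are allowed"
        }
    }
}

if ($findings.Count -eq 0) { 'OK: topology matches the TMG virtualization best practices' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on each physical server; a guest on an Internal switch is reported as well, since the host could then reach it without crossing TMG.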

Network Inspection System

• Inspects the traffic for exploits of vulnerabilities

• With the minimum number of false positives

• Has a repository to store signatures for different types of attacks and can update the repository

• Able to create inspection exceptions for some parts of the network

Demo: TMG Network Inspection System

HTTPS Inspection

• It acts as a man-in-the-middle between the two SSL connection parties

• It can inspect inside SSL-Encrypted traffic

• It looks for possible malware or exploits inside an SSL connection

Demo: TMG HTTPS Inspection

TMG Firewall Features

• Multi-Layer Firewall. It provides access control and protection on three layers:
  • Packet filtering
  • Stateful inspection
  • Application layer filtering
• DoS Protection
• Supports many protocols, and new protocols can be defined.
• Granular HTTP Control:
  • File Download Controls
  • Signature Based Blocking
  • HTTP Method Control

Demo: TMG Firewall Features

Securing Remote Access to your Private Cloud

[Diagram: TMG in front of the private cloud, with Active Directory (RODC), Outlook Web Access and a VPN client connecting through it.]

Active Directory Integration for Authentication, Authorization, Auditing

Securing Remote Access to your Private Cloud

• Remote Access VPN by PPTP, L2TP/IPSec and SSTP
• Inspection of VPN traffic
• Integration with Active Directory
• Integration with Network Access Protection and VPN Quarantine

Demo: TMG Secure Remote Access

Thank You / Q&A

void contact() {

}

e-mail Address: e.sarabadani@gmail.com

My Blog: http://esihere.wordpress.com/

Twitter: http://www.twitter.com/esmaeils
