upgrade enterprise application security with alteon ng · alteon ng is designed to provide...
TRANSCRIPT
Upgrade Enterprise Application Security with Alteon NGTMG Replacement - Whitepaper
SHARE THIS WHITEPAPER
TMG Replacement Whitepaper
Smart Network. Smart Business. 2
Table of Contents
Executive Summary .................................................................................................................................................................3
The Functions of Microsoft TMG .............................................................................................................................................3
Key Considerations When Replacing Microsoft TMG ............................................................................................................3
Alteon NG Enhancing Microsoft TMG .............................................................................................................................3
Why Should You Replace TMG with Alteon NG – Advantages and Benefits.........................................................................5
Conclusion ........................................................................................................................................................................6
Reference Technical Integration Guides .................................................................................................................................6
TMG Replacement Whitepaper
Smart Network. Smart Business. 3
Executive SummaryMicrosoft’s Forefront Threat Management Gateway (TMG) is a solution that provides enterprise customers with a variety of network and application security tools needed to protect Microsoft applications. It is a key component of several Microsoft application deployments including Exchange, SharePoint and Lync. As a result of the recent end of life announcement for Microsoft Forefront TMG, enterprise customers need to deploy a replacement solution that can provide, at minimal, the same level of functionality and protection for Microsoft applications in internet facing scenarios.
Alteon NG is designed to provide functionality replacement to the Forefront TMG but also enhance the protection provided to Microsoft applications and guarantee availability and performance while delivering extensive application performance visibility.
The Functions of Microsoft TMGTMG protects Microsoft applications and users from various cyber treats by integrating several security modules into one solution:
1. Routing: TMG can act as a router, an Internet gateway a proxy server and a NAT server. 2. Security: TMG can act as both a stateful network firewall and as a Web Application Firewall (WAF) for web content and email inspection. It can also filter out malware that attempts to exploit security vulnerabilities, and content that does not match a predefined security policy. 3. Network performance features: TMG compresses web traffic and cache content to improve communication speed. It can perform software-enabled SSL encryption and decryption by offloading these operations from the application servers.
Key Considerations When Replacing Microsoft TMGTo replace Microsoft TMG, enterprises need to consider several important factors that will help maintain the existing functionality provided by Microsoft TMG, while minimizing network and application configuration changes. Such considerations include:
1. Integrated functionality: the TMG replacement solution must provide the same, if not better, set of functionality, including routing, security and performance enhancement, in a simple package that can be managed centrally. 2. Scalability: a TMG replacement solution must provide simple and cost effective scalability to allow future expansion, both for traffic capacity and number of applications supported. It needs to minimize the amount of effort required to upgrade the solution. 3. Network topology: TMG protects both the front-end application servers typically located in the DMZ, as well as the backend servers that are typically deployed inside the organization’s private LAN. The security functionality needs to be provided at both ends of the network.
Alteon NG Enhances Microsoft TMG Alteon NG, a next generation application delivery controller (ADC), not only provides a complete replacement to TMG functionality, but also significant enhancements in every function currently provided by TMG. It provides better protection and significant performance optimization and scalability to web based applications. Alteon NG has also been tested and certified for all Microsoft applications such as Microsoft Lync, Exchange and SharePoint.
The next generation services, built into the Alteon NG ADC, add advanced load balancing and health checks with Layer 7 awareness, content and URL filtering, content rewrites, user programmable policies and traffic steering logic, web application firewall, network access control, authentication gateway, hardware SSL, and cutting edge web performance optimization with FastView. All of these capabilities are provided as an integrated solution, keeping it simple to deploy, maintain and scale.
TMG Replacement Whitepaper
4
Furthermore, in addition to the functionalities mentioned above, the virtualization technology embedded in the Alteon NG allows each application to receive its own virtual ADC (vADC) instance, while guaranteeing resources and performance per application.
Alteon NG was certified with various Microsoft applications. As a result a wizard which is based on the corresponding configuration template was created for each application (e.g. Lync, Exchange and SharePoint). This significantly simplified and expedited the new ADC services roll-out, while reducing R&D efforts and eliminating potential human errors.
Below are a few examples of how the Alteon NG’s capabilities enable seamless TMG replacement:
Feature Microsoft Forefront TMG Alteon NG
Load Balancing Basic clustering with simple round robin
Variety of methods, including load based (least connections), response time, weighted round robin and more.
Persistency Source IP or cookie based Cookie based, source/destination IP, Hash, SSL session, etc.
Health Checks Only one of 3 methods available HTTP get, Ping or TCP connection
User defined transactions, layer 7 and application level health checks, connection based health checks, all provisioned through a simple UI
Forward and Reverse Proxy
Standard connection termination
Full proxy support including user defined layer 7 aware connection termination, redirection and TCP connection multiplexing for server offloading and performance enhancements.
IP v6 Support No support Full support, including NAT 64 /46, SLB 64/46, DNS 64, and end-to-end IP v6 support
Scalability Through clustering up to 6 TMG modules
Multi-dimension scalability: capacity – 5-80Gbps, vADC per application - up to 88 vADC per unit, next generation services per vADC/Application
Authentication Multiple methods – basic, form based, certificatesMultifactor authentication – form based, RSA secure ID And RADIUS
Supports various authentication protocols such as Radius, Active Directory, LDAP, RSA SecurID and various authentication methods such as Digest, form, certificate, secure ID, RSA token and SAML 2.0*
Firewall Negative security model, with hardcoded, protocol- specific application filters
ICSA certified embedded Web Application Firewall, with self-learning algorithm for fast and accurate application level protection against various attacks types such as SQL injection, defacement, data theft, XML and web services protection
DDoS Protection, IPS, Reputation Engine
Basic DDoS protection Embedded DDoS and ADoS protection with advanced signaling to Radware’s AMS, adding top of the line DDoS protection, IPS and reputation engine, blocking attacks at the network perimeter (instead of inside the datacenter)
Performance Monitoring
None Advanced application performance monitoring with datacenter and end-user visibility – available at a click of a button
Performance Optimization
Basic, including software based SSL offloading and local (static) caching
Hardware based SSL processing, cutting edge WPO, with 22 different acceleration techniques which include dynamic caching, preloading, object consolidation, image optimization and much more
Management and Automation
Centralized management for TMG clusters
Centralized management for all Alteon NG devices and virtual instances with provisioning and maintenance, complete visibility per module/domain – including security attack status, application performance, device performance, etc.
TMG Replacement Whitepaper
Smart Network. Smart Business. 5
Why You Should Replaced TMG with Alteon NG - Advantages and BenefitsWhile Alteon NG serves as a fully functional replacement for TMG, it also inherently provides various advantages that significantly increase the SLA of applications to the end-user. Alteon NG enables:
Increased availability through its advanced server load balancing algorithms, flexible health checks and global server load balancing capabilities. Alteon NG ensures user transactions are always routed to an available datacenter site and server instance within that site.
Tighter security through its patented, embedded WAF technology, Alteon NG creates and maintains enterprise network and application security policies for the widest security coverage. Due to its fully automated self-learning algorithm, Alteon NG’s WAF service delivers the lowest false positives with minimal operational effort and fastest time-to protection.
Accelerated performance with hardware-based SSL processing, efficient TCP connection termination and multiplexing, TCP optimization technology and above all, its embedded FastView Web Performance Optimization (WPO) technology. Alteon NG enables significant application performance acceleration and improved user experience, while reducing the load of the servers.
Simplified manageability, Alteon NG provides centralized management, overseeing device management, security monitoring and reports, application performance monitoring and reports. It also automates processes with wizards and templates for fast and accurate provisioning.
Cost effective scalability, whether you need to rollout new applications or scale capacity of existing applications, the Alteon NG solution allows you to scale resources per application and add new services. It does this without risking the performance of neighboring applications, thanks to its vADC per application approach, with flexible resource allocation per virtual instance/application.
ADC-VX™ Hypervisor
Credentials are interceptedby the integrated AppWall
service and sent to theauthentication server
User/Role info arestored in an encrypted
session cookie as aresult of successful login
Response credentialsare received andencapsulated asHTTP headers
User/Role info areforwarded to the
back end applicationin HTTP headers
HTTPS
New HTTPS
Login
Login Login
Login
LDAP
Alteon NG ClusterCAS Servers
Active Directory
AppWall VA
Clients
EncryptedSessionCookie
Login Info
Pass-through
TMG Replacement Whitepaper
Smart Network. Smart Business. 6
Advanced Application Monitoring ensures the application provides the designated quality of experience to the end user. Alteon NG provides an integrated tool for both measuring the SLA end users are experiencing and an advanced reporting engine with proactive alerts for real time troubleshooting and root cause analysis.
Conclusion Microsoft’s Forefront TMG was a key component in securing deployments of Microsoft applications, adding essential protection when publishing those applications over the Internet. Replacing TMG with an ADC solution requires a versatile platform which includes functionality from various domains. Alteon NG is a comprehensive replacement solution to TMG deployments. It provides significant added value in security and availability for Microsoft applications with performance acceleration, simplified manageability and improved end-user quality of experience while reducing the total cost of ownership of the solution.
Reference Technical Integration Guides • Optimizing the Delivery of Microsoft Exchange 2013 with Alteon Application Delivery Controller • Alteon Application Switch And Microsoft Exchange 2010 Integration Guide • Alteon Application Delivery Controller (ADC) Optimizing the Delivery of Microsoft Lync 2013 • Alteon Application Switch (AAS) optimizing the delivery of Microsoft Lync 2010 • Alteon Application Switch and Microsoft SharePoint 2013 • Alteon Application Switch And Microsoft SharePoint 2010 Integration Guide
© 2014 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners.
PRD-ALTEON-TMG-WP-01-2014/06-US
Internet Firewall Web/AppServers
AccessRouter
ADC-VX™ HypervisorVirtual IP