Forefront TMG 2010 has been Discontinued !!!

Finally it was announced and Microsoft has decided to discontinue some of its very popular products such as Forefront Threat Management Gateway 2010 together with some others listed below:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

It also should be mentioned that among all of these, Forefront Protection 2010 for Exchange Server (FPE) will still be there but will be bound to Office365 and will be called Exchange Online Protection.

I still remember the rumor about a year ago about this decision but it was not confirmed then. Now that is is confirmed, there are still questions left on why Microsoft has made this strategic decision especially the decision to discontinue TMG which is a very popular product. It is now being used by a lot of companies as a gateway software for so many different purposes. It was the successor of popular Microsoft ISA Server 2006 and now all have been discontinued to be any further developed.

Continue reading

Detecting Common Attacks using TMG Intrusion Detection

Apart from those complicated and advanced-level attacks that are targeted against every network every once in a while, there are common attacks that could be really troublesome. A lot of time this happens when people believe that their network does not contain any important data to even go under attack and when the attack occurs, they panic because they don’t expect it and in fact they have nothing to even stop this type of attacks.

Forefront Threat Management Gateway 2010 has an IDS (Intrusion Detection System) inside as one of its features that can detect many of these attacks. To access and configure this feature in TMG you need to go to Intrusion Prevention System and then click on Behavioral Intrusion Detection and first click on Configure Detection Settings for Common Network Attacks:

Here you can see a list of different types of attacks that if checked will be detected and a log will be created for them in the Monitoring section of the TMG. For instance if you check the Port Scan, you can specify the number of ports to be scanned before the TMG considers the traffic as a port scanning attack and can log it.

In the other tab, we can also detect different types of attacks against the DNS service:

Coming back to the Behavioral Intrusion Detection tab in TMG, you can also click on Configure IP Options Filtering to filter specific IP options that may be included in the IP packet’s header. Most IP options in the packer header are harmless but there are some of them that could indicate malicious traffic and must be checked. They are shown below in the picture. If there is any traffic containing these options in the packet header, they will be dropped if you select Deny packets with the selected IP options.

Under the other tab called IP Fragment, you can block IP fragments to block the type of traffic generated from those applications that fragment the packets so that they will not be detected by the firewall but you have to keep in mind that if you enable blocking of IP fragments, you may also block other types of traffic such as L2TP which is pretty common in every network having remote users.

Again under Behavioral Intrusion Detection in TMG, if you click on Configure Flood Mitigation Settings, you will be able to detect and block flood attacks towards the TMG and facing the network. Using this feature you will be able to specify the number of allowed different types of connections to a host and if there are more requests than that, it will be detected as a flood attack and will be denied. You can click on Edit to configure the settings for any of the connection types:

After all this configuration, if there is any traffic detected as attack, it will be logged under the Monitoring section in TMG and will be visible under Alerts. After knowing the source of the attack you will be able to easily block it using the firewall feature if it is not by default blocked.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Cheers

Joining Forefront TMG to a Domain or Workgroup…

It’s been always a big question whether the firewall protecting the network should be joined to the Active Directory domain or not? There are so many arguments going on around this topic. In this post, I am focusing more on Forefront Threat Management Gateway 2010 as our firewall and we are going to discuss the pros and cons of adding it to a domain or workgroup.

Type of Installation

PROS

CONS

Domain-Member
  • More control for user access in forward and reverse proxy scenario.
  • Applying Group Policy settings on the TMG server from the central DC and therefore hardening the server running our firewall.
  • Using Kerberos authentication when publishing different servers and therefore increasing the security.
  • Support for authentication using client certificates as the main method of authentication.
  • In case the TMG server is in the perimeter network separated from the internal network by another firewall, there should be more ports open on that firewall to allow the communication between the DC and the TMG.
Workgroup-member
  • If the firewall is compromised, the directory services might not be affected.
  • Even if Active Directory is compromised, the firewall might not be compromised because it isn’t part of the domain.
  • Doesn’t give you the ability to use the domain users and accounts to be used in integration with the TMG.
  • Client certificates can not be used as the main method of authentication.
  • User accounts are created on the firewall itself to allow intra-server communication.
  • Doesn’t support Active Directory Group Policy.
  • TMG client authentication requires account mirroring on TMG

What mentioned above was just a pretty simple comparison which can be found everywhere. But now I want to extend this discussion by first clarifying whether the domain controller and our AD environment will be at risk if we add the TMG to the domain and make it a domain member server. I personally believe in a simple configuration, joining a TMG server to the domain could expose the network to some sort of security risks and depending on the knowledge of the attacker, there could be further attacks on the domain controller and also the other services.

This type of attack usually happens when there is only one layer of TMG firewall between the outside network and the internal network. In a two-level TMG firewall design, we will have more flexibility playing around with the rules inside TMG. In a two-level firewall or what we call as a back-to-back firewall design we can join the front-end TMG firewall to the domain so that we can make use of all the domain features for the clients connecting to the front-end TMG. We also can join our back-end TMG firewall to a workgroup. In this case even if the front-end TMG is owned by an attacker, there still will be a back-end TMG a head of the attacker to get to the main network and the DC.

The question that might come up here is that the back-end TMG still has some ports open so that the front-end TMG can communicate with the DC in the network and you might wonder whether having that back-end TMG is useful at all? And the answer is YES, it is useful since just opening a port on a firewall to let the authentication traffic through doesn’t expose any security risk to the network. A firewall can stop a lot of different types of attacks and therefore that back-end TMG can protect the whole network environment even if the front-end domain-member TMG is owned by the attacker.

In this post I just tried to give you some insights. I suggest whenever you are thinking of integrating any service or software or product with Active Directory, do not panic because of potential security risks but try to analyze the situation and what you want to implement and take every step very carefully and consider even very small risks, then maybe you will realize that the integration of services and products with AD is not that scary…

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book. 

To get more information about the book click on the book below:

1

Cheers


DMZ Design with Forefront TMG 2010

The DMZ or the Demilitarized Zone in a network refers to a segment of a network in which we place all the servers that need to be accessible from the internet. Theses servers could include anything such as IIS, Office Communications Server 2007, DNS Server, OWA or any other servers that need to be accessed by the outside users…

In my previous posts I talked about different implementations of a DMZ or perimeter network like a Three-Legged firewall and a back-to-back firewall scenario. In either of these scenarios, whether we have only one firewall in a three-legged design or we have two back-to-back firewalls in the other design, our DMZ is going to be placed behind only one firewall…

Some people call it logical because they believe DMZ is not going to be a very secure zone and even if it is, one firewall will do it.. But the question is what if there was a pretty critical server placed in the DMZ and we needed more than one layer of security in order to protect it? What if one of our firewalls which is placed in the front is a pretty old one and not capable of doing a very good logging and auditing of the kind of attacks on the DMZ?

In such cases, we need to come up with another design and combine the back-to-back and three-legged firewall designs to create something that satisfies our needs for better security of DMZ…

In this scenario let’s say both of our firewalls are Forefront TMG 2010 and one of them acts as the front-end firewall connecting from one side to the Internet and from the other side to the back-end TMG.

How about the back-end firewall? The back-end firewall is going to be a three-legged firewall with:

  • One leg connecting to the LAN
  • One leg connecting to the DMZ
  • One leg leg connecting to the front-end TMG

The picture below pretty well shows the type of design that I am talking about:

But what are the benefits of such a design:

  • The DMZ is placed behind two firewalls: The front-end TMG and the back-end TMG and if the user is going to reach the DMZ from the internet, he will have to pass through two firewalls
  • The LAN is also behind two firewalls and therefor better protected
  • If you need to do any kind of auditing for attacks on the DMZ and for any reason the front-end firewall is not capable of that (For example it is an old firewall and not very strong to take the load and also recognize all kinds of attacks), then the back-end firewall can take care of it…
  • Do you want to consider putting honeypots in your network? The network segment between the firewalls is the best place… The hackers expect the DMZ servers to be there.. right???

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Cheers

Security in Hyper-V

Hyper-V is Microsoft’s virtualization technology running on Windows Server 2008 R2 now and is largely being used in so many networks nowadays. Hyper-V could support so many different applications that even now Microsoft Forefront TMG 2010 can be run on it; so we can completely virtualize the edge of the network in a very efficient design. I have written three articles for virtualization of Forefront TMG 2010 and you can access them from the links below:

Deploying the network edge on a virtualized environment – Part 1

Deploying the network edge on a virtualized environment – Part 2

Deploying the network edge on a virtualized environment – Part 3

Once we run so many different applications and servers on different virtual machines, we come to wonder whether it is really secure or we are just putting all the servers running on Hyper-V at risk of being hacked? The answer is Yes, it is really secure provided that we implement a good design.

So as you know Hyper-V includes a parent partition which is basically our main Windows Server 2008 R2 (64-Bit) on which we have installed the Hyper-V role and this is where all the Hyper-V management toolset is installed and can be accessed.

And there is one or more child partitions on which we could install another operating system as our virtual machine and make it operational to give or maybe even receive any kind of services.

Now imagine that Hyper-V is on the edge of your network and there is a very high possibility that some bad guy would attack it. Now what if the bad guy did attack your server and because of some security bug that one of your applications had, your parent partition got hacked and he penetrated into your parent partition. Now what? He has access to all the other VMs through the Hyper-V manager and can make any kind of modification on the other child partitions and operating systems.

So the first step is to think of disconnecting the parent partition from the internet while still giving internet access to the virtual machines. Is it possible? Yes, it is.

So let’s say that you have a network adapters that is connected to the Interent. You simply right click on that NIC (Physical NIC) and go to the properties and follow the configuration that you see in the picture below:

Then you will open up your Virtual Network Manager and create a New Virtual Network and call it WAN and make it an External Connection type and in the drop down menu right below External, choose the NIC that is connected to the Internet (The one you just saw its properties above). The next thing you need to know is that you need to uncheck “Allow management operating system to share this network adapter”.

Now you are done and if you test the parent partition you will see it is disconnected from the Internet; here was how you can disconnect the parent VM from the Internet. Now if you have another child virtual VM and if you want to connect it to the Internet, what will you do? Do you think now that you disconnect the parent from the internet it is still possible to give the child internet access? Yes it is…

Let’s say the child is a TMG server that you want to give it Internet access and then connect the rest of the network to the Internet through TMG. On your Hyper-V network manager console, right click on the child VM with TMG and then click on the settings and then click on the Network Adapter on the right. Then on the top of the window, connect it to the WAN network:

Now if you test network connectivity on your TMG child VM, you can see that it is connected to the internet. On the TMG VM still you need to add another Network adapter and connect it to the LAN physical network interface, because you need the LAN users to see your TMG and then connect through it to the Internet.

Remember that on the Hyper-V server you still need to install a third network adapter for the management purposes and connect it physically to a management switch. So if you did install one, go to the Virtual Network Manager and create a new Virtual Network called Management and make it an External network and then add that new Network adapter as the chosen network adapter and this time check “Allow management operating system to share this network adapter” to let the management users access the parent VM through this interface.

I hope it was useful 

To get more information about my book click on the book below:

1

Best of luck

Deploying the network edge on a virtual environment – Part 3

Now that you have some background knowledge on the concept of a virtualized network edge, we will go a little bit deeper and in this post I will try to illustrate different scenarios where we put TMG in our network:

1- TMG as an Edge Firewall

An edge firewall is a firewall placed on the edge of the network connecting the LAN to the Internet and is capable of inspecting any traffic that enters or exits the network.

As it is shown in the illustration, we will install the TMG on a Guest VM on Hyper-V and will disconnect the parent OS from the internet.

We need to create two virtual NICs on the Guest VM. One of the virtual NICs is connected to the physical server’s NIC linked to the LAN and the other virtual NIC is connected to the physical server’s NIC linked to the Internet.

Notes: The connection between the virtual NIC and the physical NIC is established through a Virtual Switch on each side. So keep in mind that in this scenario we will need to have two virtual switches.

2- TMG as a Three-Legged Firewall

A three-legged firewall is a type of firewall that is connected to three different network segments namely LAN, DMZ (Perimeter Network) and the Internet.

As precisely depicted in the illustration, everything looks and is configured the same as when we had an edge TMG firewall with the only difference that we need to have a new and third Virtual NIC on the Guest VM running TMG which is connected to the DMZ section of the network.

There goes to scenario here:

  • The DMZ is on the same Hyper-V Server. In this case we are going to have a specific virtual switch for our DMZ section. This switch is connected to the TMG on one side and to the virtual NICs of the Guest VMs from the other side. This way we can have a link between the TMG and the Guest VMs which are placed in DMZ.
  • The DMZ is not on the same Hyper-V server and is on another server or servers. The picture below can describe things a little bit better. In this scenario we still have the DMZ virtual switch but this virtual switch is not straight connected to the other DMZ Guest VMs; instead it is connected to them through the physical NIC of the server.

Notes: I don’t explain more on this scenario to avoid confusion; because I believe the picture is clearly showing what I am trying to say.

3- TMG as a Back-to-Back Firewall

In this scenario we have two TMGs both installed on two different Guest VMs. One of them is playing the role ofa frontier firewall connected to the Internet through a Virtual Switch; and the other TMG is playing the role of aback-end firewall connected to the LAN through another Virtual Switch.

Both of these Guest VMs running TMG, from the other side, are connected to a DMZ Virtual Switch. This virtual switch is also connected to the other VMs in the DMZ.

Notes: Again like the previous scenario, the DMZ section could be either on the same Hyper-V Server or on another server or servers. It totally depends on your design.

Here I just talked about the design and not the configuration on the TMG and VMs. Basically there are a number of things that need to be configured correctly if you want to get these scenarios up and running. In the next and most probably the last post of this series, I will talk about the configuration with all the details.

Some months ago I also had a deep dive session in Microsoft Virtualization and Security Summit 2010 and it was on deploying TMG on a virtualized environment. Below you can see my presentation slides shared for your use.

You want to learn more about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Wish you all the best

Cheers

Static NAT on Forefront TMG 2010

Static NAT refers to a one to one network address translation process and it comes in handy in a lot of scenarios where you need to assign one specific valid IP address to one of the computers inside the LAN and do not want the other computers to use that valid IP address in order to have access to the internet.

The process explained above is called Static NAT and previously was not supported on Microsoft ISA Server 2006 or any other versions of ISA but with Forefront TMG it is now possible to assign one specific IP address to a specific host inside the LAN.

Now I am going to go ahead step by step on how to create a static NAT rule on TMG. Basically when you are going to do a static NAT, you will have a server inside your LAN; so before anything you need to create a computer object for that computer or server inside your LAN. So click on Firewall Policies on the left pane and then on the right you can see all the objects already existing inside your TMG. as shown in the picture click on new and choose computer :

Give a name to your server and enter the IP address of that server inside your LAN:

Then on the left pane, click on Networking and then on the page opened click on Network Rules tab. in order to create a new rule, click on Create a Network Rule on the right:

Give your new rule a name and then choose the source computer by clicking on Add and then choosing the server which you created just now:

Click Next and then click Add again to choose your destination network and if you want to NAT that server to the internet choose External and then click Next:

On the next window choose Network Address Translation and click Next again to see the window shown in the picture below. choose the second option (Use the specified IP Address) and then from the listed IP Addresses, choose the one which you want to assign to the server:

Note that if you want that valid IP Address to be listed here, you need to add the IP Address to the external network adapter of the TMG Server and then you will see the IP Address listed here.

Then click Next and then you are done. Finish it and as you can see in this picture the rule has been created and you are all done and well.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Hope you liked it..

Cheers

Deploying the network edge on a virtual environment – Part 2

I would like to extend this discussion by talking about some of the concerns people might have when it comes to virtualization of the edge. There are a number of issues that might concern people that below is just a few:

-Software firewalls are less secure than firewall appliances (Hardware):

This is a totally wrong idea since on top of all those firewall appliances, there is always a software running using which the administrator is able to configure the firewall. The difference is that the appliance only comes in a box making it more expensive. So if you think you can set up a very good server with really efficient hardwares, then you could even get a better performance than an appliance.

-A more complicated infrastructure and therefore more difficult to manage:

Well, that is somehow true but you should bare in mind that the complication would also exist in a physical environment where you have no documentation about the configuration and of course the design. So keep in mind that for every implementation whether physical or virtual, documentation is the first approach to be taken.

-Windows is not secure enough to be placed on the edge:

While some might believe Windows Server is not secure enough to be on the network edge, I totally disagree since there has not been any serious security vulnerabilities to exploit on Windows Server (Especially 2008 R2) as in 2010 there were only 33 vulnerabilities found on this OS which none of them was called critical while Linux had over 179 vulnerabilities which many of them were found on its kernel making it so vulnerable to attacks. To support my opinion on the security of Windows below is three edge products by Microsoft installed on Windows Server with no vulnerabilities over years:

-Exchange Server 2010 Edge role

-Office Communication Server 2007 Edge Role

-ISA Server (It has had 10 years without any exploits)

Now that you have found relief about some of your concerns, we can talk about virtualizaiton of Forefront TMG 2010 which is to be done on Hyper-V on top of Windows Server 2008 R2.

When it comes to the implementation of an application, the first thing to think of is where to install it. On the Hyper-V, well the question is a bit more clear… Should I install it on the Guest OS or the parent OS?

The answer is the Guest OS will be where TMG must be installed. If you install it on the parent partition, then you have exposed you whole virtualized environment to the internet. Remember that the network edge is the part of your network more than the others exposed to the internet and therefore there is a higher possibility to go under attack. So we could say that if in any ways the the parent OS (With TMG) is compromised then the whole virtualized environment is going to be compromised.

Imagine a hacker having access to the Hyper-V console on the parent partition, you could guess what he would be capable of doing…

But if you install TMG on the Guest OS, just in case the server is hacked, only and only that Guest OS is compromised and not the whole virtual environment. That is why…

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:

1

Deploying the network edge on a virtual environment – Part 3

Deploying the network edge on a virtual environment – Part 1

It was a while I had not posted anything here until today I decided to write a two- or three-part article (I am not still sure how many parts it is going to be composed of) on virtualization of the edge using Microsoft technologies.

With a rapid growth in the area of virtualization, one might think of virtualizing parts of the network that seemed and of course still seems pretty critical in every environment. One of those parts is the edge of the network where the internet meets the LAN or at least the perimeter network.

There is always a high number of reasons behind taking the network infrastructure all on a virtual platform but specifically for the network edge, the reasons must be strong enough to assure security because this is the part of the network which is more than the others exposed to the outside (The internet so to speak) and therefor could be affected by a number of potential attacks.

Talking about reasons, helping the environment and of course developing more Green technologies would be the most common reason behind any virtualizaion solution but here for the edge below is the answers to all those WHYs:

-Faster disaster recovery: As a systems engineer I have seen it many times when the devices sitting at the edge of the network responsible for all kinds of NATing and routing happen to fail and shut down as a result of hacking attacks, DDoS attacks or simply for no reason. In such situations, the first thing to do will be recovery and of course if the infrastructure is a ll virtualized, it will only be a matter of restoring the old Virtual Hard Disk files (VHD) and then booting up the OS again. It’s really fast and efficient really well suiting the requirement of an edge solution.

-Increasing Complexity for hackers: Who wouldn’t like to create a very complex environment for a hacker who gets terribly confused even if he gets the chance to penetrate in. As an administrator or a systems engineer you would also get lost if you are not familiar with the whole infrastructure that you are dealing with and just in case you do not have the documentation (Which is a must for every virtualized environment) you will be like Alice in wonderland.

-A Cost-effective solution for small businesses: Not all the businesses have big data centers with hundreds of servers installed in the racks. There are businesses with only one or two servers and of course a number of applications. For such businesses, installing an edge application like ISA Server or Forefront TMG 2010 on a separate server is a huge cost since servers are not that cheap to afford. By taking TMG and of course other applications all virtual on one or two servers, there will be a great save in costs.

For the time being, I just wanted to clarify things over all the questions of WHY??? In the next parts I will more discuss different scenarios in detail. In our exercises we are going to make use of Forefornt TMG 2010 as the edge application running on Hyper-v in a Guest VM.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:

1

Cheers