Private Cloud Security via Forefront TMG 2010
Esmaeil Sarabadani, Systems and Security Consultant

What's going to be covered…
• Overview of the Public and Private Cloud
• Public and Private Cloud Security Concerns
• Data Isolation in Microsoft Cloud
• The Geographical Location of Data
• An Overview of Forefront Threat Management Gateway 2010
• Virtualization of TMG in the Cloud
• TMG Network Inspection System
• TMG HTTPS Inspection
• TMG Firewall Features
• Securing Remote Access to your Private Cloud
What is the cloud?!!
• It's nothing supernatural.
• It's been with you for a long time.
• Even our grandparents are using it now.
• It's used for social activities, entertainment, business and more.
• It could be more secure than your own PCs.
Public Cloud: Security Concerns
Choose where to store your data…

Public Cloud: Data Isolation
[Diagram: Host VM and Guest VMs running on a Hypervisor over Physical Hardware; the guest VMs have no access to the host VM or to one another.]

Public Cloud: Network Security
[Diagram: hackers sending traffic towards VMs on the hypervisors of the Microsoft Public Cloud; the analysis question is whether a given flow is malicious.]
Differentiating between legitimate and illegitimate traffic is quite challenging.
Private Cloud: Security Concerns
• Isolation of VMs from one another
• You are the only one responsible for the security of the cloud
• Attacks from inside the cloud
• Huge attacks from the Internet, such as DoS or DDoS
• Authentication, authorization and auditing of access to cloud services

Forefront Threat Management Gateway 2010
• Network Inspection System
• Web Anti-malware
• HTTPS Inspection
• Builds on ISA Server 2006
• Active Directory Integration
• Custom Reports
• Can be virtualized
Software vs. Hardware
Are hardware firewalls more secure than software firewalls?

Software vs. Hardware
Hardware firewalls are all software-based but only come in a hardware package.
Virtualization of TMG
[Diagram: data transmission between the private and public clouds. In the private cloud, a Hypervisor runs the Host VM (not connected to the Internet), several Guest VMs and the TMG VM, which is the only guest connected to the Internet.]
• The TMG VM is the edge gateway and firewall
• It is the only guest connected to the Internet
• It has at least two virtual NICs

Two Virtual NICs
[Diagram: Host VM, Guest VMs and the TMG VM on a Hypervisor over Physical Hardware; the TMG VM has one NIC towards the Internet and one towards the guests.]

Private Cloud
[Diagram: data transmission inside the private cloud between VMs on several Hypervisors.]
Virtualization of TMG: Best Practices
• Always disconnect the Host VM from the Internet
• All the traffic to the Internet must pass through the VM with TMG
• If there are multiple hypervisors (physical servers), the traffic between the VMs in different physical servers should be filtered using TMG
• The virtual switch connecting the VMs in every physical server must be Private
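The best practices above can be checked against an inventory of the hypervisor before the deployment goes live. The following is an added example, not part of the original deck or of any Microsoft tooling: it audits a constructed, Hyper-V style topology (switch names, VM names, the "External"/"Private" switch kinds and the "tmg"/"guest" roles are all assumed labels) for the four rules on this slide and reports every violation.

```python
"""Audit a virtual topology against the TMG virtualization best practices:
host OS off the Internet, only the TMG guest on an external switch, TMG with
an external and an internal vNIC, guests on Private switches that TMG reaches.
All names and the topology itself are constructed for this example."""

# Constructed sample inventory; two deliberate mistakes are marked.
TOPOLOGY = {
    "switches": {"vs-internet": "External", "vs-tenant": "Private"},
    "host_nics": ["vs-internet"],            # mistake: host OS on the Internet
    "vms": {
        "tmg01": {"role": "tmg", "nics": ["vs-internet", "vs-tenant"]},
        "web01": {"role": "guest", "nics": ["vs-tenant"]},
        "db01":  {"role": "guest", "nics": ["vs-tenant", "vs-internet"]},  # bypasses TMG
    },
}

def audit(topo):
    """Return a list of best-practice violations; an empty list means compliant."""
    findings = []
    switches, vms = topo["switches"], topo["vms"]
    external = {s for s, kind in switches.items() if kind == "External"}
    tmg = [name for name, vm in vms.items() if vm["role"] == "tmg"]
    # Rule 1: the host (parent partition) must not sit on an Internet-facing switch.
    for sw in topo["host_nics"]:
        if sw in external:
            findings.append(f"host OS is attached to external switch {sw}")
    # Rule 2: exactly one TMG guest, and it is the only VM on an external switch.
    if len(tmg) != 1:
        findings.append(f"expected exactly one TMG VM, found {len(tmg)}")
    for name, vm in vms.items():
        if vm["role"] != "tmg" and external & set(vm["nics"]):
            findings.append(f"guest {name} reaches the Internet without passing TMG")
    # Rule 3: TMG needs at least two vNICs, one external and one internal.
    for name in tmg:
        nics = set(vms[name]["nics"])
        if len(nics) < 2 or not (nics & external) or not (nics - external):
            findings.append(f"{name} needs both an external and an internal vNIC")
    # Rule 4: every switch carrying guest traffic is Private and also reached by TMG.
    tmg_switches = set(vms[tmg[0]]["nics"]) if len(tmg) == 1 else set()
    for name, vm in vms.items():
        for sw in set(vm["nics"]) - external:
            if switches.get(sw) != "Private":
                findings.append(f"switch {sw} used by {name} is not Private")
            if vm["role"] != "tmg" and sw not in tmg_switches:
                findings.append(f"guest {name} on {sw} has no path through TMG")
    return findings

if __name__ == "__main__":
    for finding in audit(TOPOLOGY):
        print("VIOLATION:", finding)
```

Running it on the sample reports the host's Internet connection and the db01 bypass; fixing those two entries yields an empty list.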
Network Inspection System
• Inspects the traffic for exploits of vulnerabilities
• With the minimum number of false positives
• Has a repository to store signatures for different types of attacks and can update the repository
• Able to create inspection exceptions for some parts of the network

HTTPS Inspection
• It acts as a man-in-the-middle between the two SSL connection parties
• It can inspect inside SSL-encrypted traffic
• It looks for possible malware or exploits inside an SSL connection

TMG Firewall Features
• Multi-layer firewall. It provides access control and protection on three layers:
  • Packet filtering
  • Stateful inspection
  • Application layer filtering
• DoS protection
• Supports many protocols, and new protocols can be defined
• Granular HTTP control:
  • File download controls
  • Signature-based blocking
  • HTTP method control
Securing Remote Access to your Private Cloud
[Diagram: a VPN client connects through TMG to the private cloud; Active Directory (with an RODC) is used for authentication, authorization and auditing, and Outlook Web Access is published behind TMG.]

Securing Remote Access to your Private Cloud
• Remote access VPN by PPTP, L2TP/IPsec and SSTP
• Inspection of VPN traffic
• Integration with Active Directory
• Integration with Network Access Protection and VPN Quarantine