-------------------------------------------------------
ISAserver.org Monthly Newsletter of June 2012
Sponsored by: Wavecrest Computing
<http://www.wavecrest.net/products/cyfin/reporter/index.html?dt=1&utm_source=ISAorg&utm_medium=Newsletter&utm_campaign=Cyfin%2BReporter>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org.
1. Cloud Computing, Reperimeterization and TMG Firewalls
--------------------------------------------------------------
Tom recently delivered a presentation at TechEd North America 2012 where he and Yuri Diogenes talked about private cloud security. If you were in Orlando that week, you might have heard it. During that talk, they made it clear that private clouds don't really change the playing field in terms of what we currently know about network and datacenter security. However, there are some specific issues for private cloud that you need to pay extra attention to. One of these is the perception of trusted versus untrusted networks and where the cloud infrastructure belongs in relation to the rest of the network.
The discussion at TechEd focused on the topic of reperimeterization – a term that Microsoft Word doesn't even recognize as a valid word. The concept that the corporate network is trusted and non-corpnet networks are untrusted is no longer valid in today's cloudified world, and because of that, the location of your firewalls and network access control devices is going to need to change. Tom actually talked about this several years ago, but he didn't seem to get a lot of traction on the subject back then. Like most prophets, he was ahead of his time :-). But now, with the advent and acceleration of interest in cloud computing, including private and hybrid clouds, the concept of reperimeterization is becoming more and more important and it's something that we can no longer avoid.
The new cloud-based infrastructure will need to allow access from both corpnet clients and clients that are located on other networks, such as partners or even customers, as well as connections that might be coming from public cloud deployments. This means that we need to force the private cloud infrastructure back behind its own firewalls and not enable direct unfettered connectivity from any client – not even so-called "trusted managed clients".
In addition to this, you'll likely want to put a DMZ network in front of the private cloud infrastructure – just like you used to at the edge of the corporate network. In fact, you may want to consider not even using a firewall at the network edge, since the corpnet clients are typically mobile. Given that they are mobile, they are exposed to a large number of untrusted and unmanaged networks, so why incur so much overhead at the network edge just to protect the clients? Either way, the clients will need to be protected via strong local security controls and continuous management by central IT to make sure they are as secure as possible.
This means that you can take your TMG firewalls and move them away from the edge of your network and put them in front of the private cloud infrastructure. Of course, if you want to take advantage of the TMG firewall's web protection for forward web proxy (including outbound SSL inspection), then you can configure a collection of single NIC TMG firewalls in an array on the client network to allow strong outbound access protection.
What do you think? Is now the time for reperimeterization? Was Tom right all along and now those deaf ears are listening because of the private cloud? Let me know! Send me a note at dshinder@isaserver.org and let's start a discussion.
See you next month! – Deb.
dshinder@isaserver.org
=======================
Quote of the Month - The less you talk, the more you're listened to. – Abigail Van Buren
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
* The TMG Firewall's VPN Server and Site to Site VPN Gateway Capabilities (Part 2)
http://www.isaserver.org/tutorials/TMG-Firewalls-VPN-Server-Site-to-Site-VPN-Gateway-Capabilities-Part2.html
* Win a Samsung Galaxy Tab 2 (10.1)!
http://www.isaserver.org/news/Win-Samsung-Galaxy-Tab-2.html
* Product Review: AGAT Software Solutions' ActiveSync Shield
http://www.isaserver.org/tutorials/Product-Review-AGAT-Software-Solutions-ActiveSync-Shield.html
* Microsoft Forefront UAG - Creating a portal with Forefront UAG
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Creating-portal-Forefront-UAG.html
* The TMG Firewall's VPN Server and Site to Site VPN Gateway Capabilities (Part 1)
http://www.isaserver.org/tutorials/TMG-Firewalls-VPN-Server-Site-to-Site-VPN-Gateway-Capabilities-Part1.html
* Measuring System Performance on a Forefront Threat Management Gateway (TMG) 2010 Firewall (Part 1)
http://www.isaserver.org/tutorials/Measuring-System-Performance-Forefront-Threat-Management-Gateway-TMG-2010-Firewall-Part1.html
* Microsoft Forefront TMG - Installing Forefront TMG on a RODC
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Installing-Forefront-TMG-RODC.html
* Understanding TMG Web Caching Concepts and Architectures
http://www.isaserver.org/tutorials/Understanding-TMG-Web-Caching-Concepts-Architectures.html
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
One of the more challenging configuration scenarios for the TMG firewall is publishing the ActiveSync feature in Exchange Server. There are a lot of moving parts, and if you get one of the parts wrong, the publishing won't work and it's pretty difficult to troubleshoot. This article in the Microsoft TechNet library should help you with Exchange ActiveSync publishing: http://technet.microsoft.com/en-us/library/cc995186
5. Tip of the Month
--------------------------------------------------------------
You might have noticed that when you turn malware inspection on, you're no longer able to download large files. What's up with that? I ran into this problem myself several times before I figured out what the problem was. It turns out that there are some storage limits that you might run up against. This post on the TMG firewall team's blog will help you figure out how to fix the problem: http://blogs.technet.com/b/isablog/archive/2010/09/28/unable-to-download-files-through-forefront-tmg-2010-when-malware-inspection-is-enabled.aspx
6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------
The TMG firewall has very limited support for IPv6. One thing you can't do is connect the TMG firewall to a public IPv6 network – sorry; that just won't work. But the TMG firewall does have limited support for using IPv6 on the internal networks, because it needs to be able to support DirectAccess. For more information on the TMG firewall's IPv6 behavior and how to enable support for protocols other than the default IPv6 protocols, check out http://technet.microsoft.com/en-us/library/gg274286.aspx
7. Blog Posts
--------------------------------------------------------------
* Win a Samsung Galaxy Tab 2 (10.1)
http://blogs.isaserver.org/shinder/2012/06/08/win-a-samsung-galaxy-tab-2-101/
* Rollup 2 for TMG SP2
http://blogs.isaserver.org/shinder/2012/05/11/rollup-2-for-tmg-sp2/
* New Antimalware Engine for Forefront
http://blogs.isaserver.org/shinder/2012/05/11/new-antimalware-engine-for-forefront/
* TMG Reporter v2.0 released
http://blogs.isaserver.org/shinder/2012/05/11/tmg-reporter-v20-released/
* Cross site single sign-on not working between two UAG servers
http://blogs.isaserver.org/shinder/2012/05/08/cross-site-single-sign-on-not-working-between-two-uag-servers/
8. Ask Sgt Deb
--------------------------------------------------------------
QUESTION:
Hi Deb,
I'm interested in performance testing and baselining for the TMG firewall. Do you know of any resources that I can use to learn about this and how to implement a performance testing and baselining plan?
Thanks! –Allan.
ANSWER:
Hi Allan,
I have a couple of great articles that you can use to get started. First, there is a great article by our very own Richard Hicks, who has completed part 1 of a multipart series on performance evaluation for the TMG firewall. You can read Measuring System Performance on a Forefront Threat Management Gateway (TMG) 2010 Firewall on ISAserver.org.
http://www.isaserver.org/tutorials/Measuring-System-Performance-Forefront-Threat-Management-Gateway-TMG-2010-Firewall-Part1.html
Microsoft also has a good article on Monitoring Performance Counters on the TMG firewall, which includes a comprehensive list of the performance counters available with the TMG firewall and provides some insights into how to use these counters. Check out that article over at
http://technet.microsoft.com/en-us/library/cc441524.aspx
Deb.
Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>
ISAserver.org is in no way affiliated with Microsoft Corp.
Visit http://www.techgenix.com/advert/index.htm for sponsorship information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2012. All rights reserved.