Wednesday, November 27, 2013

ISAserver.org - Monthly Newsletter - November 2013


Hi Security World,

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. TMG Replacement Considerations: High Performance
-----------------------------------------------------------

The need for speed: it just never quits, does it? I remember back in the late 1990s when we were connecting to the Internet at what we thought were high speeds over our shiny new ISDN line, and dreaming of the day when we could afford a super-speedy T-1 for our business. My, how things change.

Today that 1.5 Mbps T-1 would feel like a slow pig. Consumers can buy 500 Mbps FiOS connections to their homes for slightly over $300 per month <http://bgr.com/2013/07/25/verizon-fios-quantum-500mbps/> — which is half what we paid for our T-1 when we finally got it in the early 2000s. Google’s 1 gigabit connection can be had for only $70 per month.

So we’re connecting to the Internet more and more quickly, but most of us are still depending on firewalls of some kind to protect our networks, and that means we need faster and faster firewall throughput in order to keep up — not to mention firewalls that are used to create perimeters within our even-faster internal networks. Otherwise, we can find ourselves in situations where our firewalls become the bottlenecks that are slowing down our networks — and that’s not good.

Firewall vendors are recognizing that cloud providers, carrier-level networks and the largest enterprise datacenters need high performance firewalls, and they’re responding to those demands. One such new product is Fortinet’s FortiGate 3700D <http://efytimes.com/e1/fullnews.asp?edid=120178> that claims to achieve top firewall throughput in large scale environments. Fortinet seems to have found their niche, concentrating on building the fastest possible firewalls. The FortiGate 5140B is one model that the company has tested at throughput rates of more than 500 Gbps of application traffic and they bill it as the world’s fastest firewall. Fortinet was named as one of the key vendors <http://www.businesswire.com/news/home/20131104006353/en/Research-Markets-Global-Security-Spending-Market-2012-2016> dominating the global IT security market in a recent report from BusinessWire.

F5 Networks <http://slashdot.org/topic/datacenter/f5-or-fortinet-who-has-the-fastest-firewall/> is another company that was focusing this past year on constructing the speediest firewalls possible. They claimed 640 Gbps firewall throughput for the BIG-IP firewall. The BIG-IP products are available on a number of different hardware configurations, including VIPRION.

Fortinet says the 5140B’s high speed comes from the special ASIC processors they use. These Application Specific Integrated Circuit chips are dedicated to a particular purpose (in this case, firewall processing) and thus can perform more efficiently than general purpose processors.

However, the speed of a firewall is dependent on many different factors. Other important considerations that can impact performance include amount and type of memory, operating system overhead, and how the firewall’s security features are implemented. Of course the raw throughput speed must also be measured against the number of simultaneous connection sessions it can handle.

These new high speed firewalls are packaged as appliances. Most TMG admins are used to working with TMG as a software firewall that you can install yourself on different hardware configurations, with the selected hardware (including the network adapters) having a big impact on performance and throughput. It’s always important to look at the hardware as well as the software when performance is a priority.

If you’re looking ahead now at possible replacements for your TMG firewall as support ends, performance is one of several things that you’ll want to take into consideration, but the good news is that depending on the firewall features you need, you should be able to find a firewall out there that will deliver superb performance.

*TechGenix Launches CloudComputingAdmin.com!*

TechGenix is pleased to announce CloudComputingAdmin.com — a new site that offers a unique perspective on the quickly evolving world of cloud computing.

To celebrate the launch of CloudComputingAdmin.com, we will be giving away a Google Nexus 10 to one lucky newsletter subscriber! All you need to do to be eligible to win is sign up for any of the new CloudComputingAdmin.com newsletters and provide your name, email address, and country of residence.

Subscribe to a newsletter here:
http://www.cloudcomputingadmin.com/pages/sign-up-newsletter-chance-win-google-nexus.html

The prize giveaway will run until Saturday, December 14, 2013. Be sure to sign up today for your chance to win!

See you next month! — Deb.

dshinder@isaserver.org

=======================
Quote of the Month - I have not failed. I’ve just found 10,000 ways that won’t work. — Thomas A. Edison
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you, ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

Using the TMG Firewall in Azure Infrastructure Services (Part 5)
http://www.isaserver.org/articles-tutorials/configuration-general/using-tmg-firewall-azure-infrastructure-services-part5.html

Publish Remote Desktop Services RemoteApp with Forefront UAG
http://www.isaserver.org/articles-tutorials/publishing/publish-remote-desktop-services-remoteapp-forefront-uag.html

Publishing Exchange 2013 Outlook Web App with Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/articles-tutorials/configuration-general/publishing-exchange-2013-outlook-web-app-forefront-threat-management-gateway-tmg-2010.html

Using the TMG Firewall in Azure Infrastructure Services (Part 4)
http://www.isaserver.org/articles-tutorials/configuration-general/using-tmg-firewall-azure-infrastructure-services-part4.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Availability and scalability are two of the “abilities” that you want to pay the most attention to when designing your TMG firewall solution. The question then becomes “which features and technologies are included in the TMG firewall that will help me with availability and scalability?” Do you know what they are? If not, here’s your cheat sheet:

- Enterprise arrays: you can use enterprise arrays to create a single logical TMG firewall. If one of the members of the array becomes unavailable, then another member of the array will take over for the downed member
- Support for multiple ISPs: your TMG firewalls can all be fine, but if the ISP goes down, you’re going to be in a world of hurt. The TMG firewall enables you to configure it to use two ISPs, so that if one goes down, you’re still connected to the second ISP. And if both of the ISPs are up, you can aggregate the bandwidth of the two. Nice!
- Web publishing load balancing: in this scenario, you’re not as concerned about the availability and scalability of the firewalls themselves as much as the services behind the firewall. You can use web publishing and load balancing for published web sites so that you won’t need to use an expensive and complex hardware load balancer behind the TMG firewall.

To find more information about availability and scalability of the TMG firewall, check out http://technet.microsoft.com/en-us/library/dd896997.aspx


5. Tip of the Month
--------------------------------------------------------------

I think that we can all agree that the TMG firewall provides one of the best VPN gateways on the market that you can install as a virtual machine. It's easy to set up and configure and it enables granular user/group/protocol/sites/source/destination/time-of-day access controls. However, the VPN server component isn’t enabled by default, so you need to configure the protocols you want to allow the VPN clients to use, and define user groups that you want to access the corporate network through the remote access VPN server. Thus you would assume that you could just get that all set up and click Apply and everything would just magically work. Well, not quite. Before you know it, users are going to be calling you and wanting to know when the VPN server is going to be online. Ouch! What did you forget? What you forgot was to create the access rules that allow the VPN clients access to the corporate network. We’ve all made that error before, so if you've made it, too, you’re in good company. Now you don’t have an excuse for doing it again!
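The rule the tip says everyone forgets can be scripted so it is never skipped. The PowerShell below is an added example, not code from the newsletter or from Microsoft: it uses the Forefront TMG Management COM library (FPC.Root) on the TMG server to create an access rule from the built-in "VPN Clients" network to "Internal", limited to a short list of protocols rather than "all protocols" so the VPN population gets only what it needs. The rule name, the protocol names, and the numeric enumeration values in the comments are assumptions recalled from the FPC object model; confirm them against the TMG SDK before running it in production.

```powershell
# Added example (not from the newsletter): create the access rule that lets
# remote access VPN clients reach the corporate network, which TMG does not
# create for you when you enable the VPN server.
# Assumes: run on the TMG server as an array administrator, with the
# FPC.Root COM library registered. Rule name, protocol display names and the
# enum values below are assumptions taken from the FPC object model.

$ruleName  = "Allow VPN Clients to Internal"        # assumed name
$protocols = @("HTTP", "HTTPS", "RDP (Terminal Services)")  # assumed built-in protocol names

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()                  # the array this server belongs to
$rules = $array.ArrayPolicy.PolicyRules

# Idempotent: re-running the script must not create a duplicate rule
$existing = @($rules | Where-Object { $_.Name -eq $ruleName })
if ($existing.Count -gt 0) {
    Write-Host "Rule '$ruleName' already exists; nothing to do."
    return
}

$rule = $rules.AddAccessRule($ruleName)
$rule.Action = 0                                    # fpcPolicyRuleActionAllow (assumed value)

# Only the listed protocols, not "all protocols": least privilege for VPN users
$rule.AccessProperties.ProtocolSelectionMethod = 1  # fpcSelectedProtocols (assumed value)
foreach ($p in $protocols) {
    $rule.AccessProperties.SpecifiedProtocols.Add($p, 0)   # 0 = fpcInclude (assumed value)
}

# From the VPN Clients network to the Internal network, for all authenticated users
$rule.SourceSelectionIPs.Networks.Add("VPN Clients", 0)
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add("Internal", 0)
$rule.AccessProperties.UserSets.Add("All Users", 0)

# Save() commits the change to the TMG configuration store (what the console's
# Apply button does); until then the rule does not exist on the firewall
$fpc.Save()
Write-Host "Created rule '$ruleName' for protocols: $($protocols -join ', ')"
```

Swap "All Users" for the user set you defined when you enabled the VPN server if the rule should apply only to that group, and keep the protocol list short: a rule that allows all protocols from VPN Clients to Internal turns the VPN into a flat extension of the LAN.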


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Can you believe it? There’s actually an update available for the TMG firewall! Even though we all know the firewall’s future is not bright, there’s still somebody standing vigil over there at Microsoft. What’s included in this update? Quite a bit, actually. Check out this list:


2889345 http://support.microsoft.com/kb/2889345

FIX: Accounts are locked out beyond the AccountLockoutResetTime period in Forefront Threat Management Gateway 2010 SP2

2890549 http://support.microsoft.com/kb/2890549

FIX: Incorrect Performance Monitor values when queried from a .NET Framework app in Forefront Threat Management Gateway 2010

2890563 http://support.microsoft.com/kb/2890563

FIX: "URL" and "Destination Host Name" values are unreadable in the web proxy log of Forefront Threat Management Gateway 2010

2891026 http://support.microsoft.com/kb/2891026

FIX: Firewall Service leaks memory if Malware Inspection is enabled in Forefront Threat Management Gateway 2010

2888619 http://support.microsoft.com/kb/2888619

FIX: A password change is unsuccessful if a user's DN attribute contains a forward slash and an Active Directory LDAP-defined special character in Forefront Threat Management Gateway 2010

2863383 http://support.microsoft.com/kb/2863383

FIX: "Query stopped because an error occurred while it was running" when you run a non-live query in Forefront Threat Management Gateway 2010 SP2

2899720 http://support.microsoft.com/kb/2899720

FIX: Threat Management Gateway 2010 incorrectly sends "Keep-Alive" headers when it replies to Media Player WPAD file requests

2899716 http://support.microsoft.com/kb/2899716

FIX: Firewall service (Wspsrv.exe) crashes when a web publishing request is handled in Forefront Threat Management Gateway 2010

2899713 http://support.microsoft.com/kb/2899713

FIX: Access to certain SSL websites may be unavailable when HTTPS Inspection is enabled in Forefront Threat Management Gateway 2010

For more information, check out the TMG firewall team blog over at http://blogs.technet.com/b/isablog/archive/2013/11/08/tmg-sp2-rollup-4.aspx


7. Blog Posts
--------------------------------------------------------------

Firewall Exceptions to allow SCCM Remote Control for DirectAccess clients
http://www.isaserver.org/blogs/shinder/firewall-exceptions-allow-sccm-remote-control-directaccess-clients.html

DirectAccess RPC Settings Fail on Activation
http://www.isaserver.org/blogs/shinder/directaccess-rpc-settings-fail-activation.html

Using DPM to Backup the TMG firewall
http://www.isaserver.org/blogs/shinder/using-dpm-backup-tmg-firewall.html

Publishing Lync with UAG
http://www.isaserver.org/blogs/shinder/publishing-lync-uag.html

Is ISATAP Required for DirectAccess?
http://www.isaserver.org/blogs/shinder/isatap-required-directaccess.html

Five Reasons Why You Should Consider DirectAccess
http://www.isaserver.org/blogs/shinder/five-reasons-why-you-should-consider-directaccess.html

Microsoft DirectAccess Best Practices and Troubleshooting
http://www.isaserver.org/blogs/shinder/microsoft-directaccess-best-practices-and-troubleshooting.html

Limiting ISATAP Services to DirectAccess Manage Out Clients
http://www.isaserver.org/blogs/shinder/limiting-isatap-services-directaccess-manage-out-clients.html

Using ZScaler to Extend the Life of Web Protection for the TMG Firewall
http://www.isaserver.org/blogs/shinder/using-zscaler-extend-life-web-protection-tmg-firewall.html

Improving Security for SSL Connections to TMG Firewall Published Web Sites
http://www.isaserver.org/blogs/shinder/improving-security-ssl-connections-tmg-firewall-published-web-sites.html


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hey Deb,

I have a question that’s sort of related to TMG, as TMG supports DirectAccess. What I’m interested in is ISATAP. From what I’ve read, ISATAP is required for a DirectAccess deployment. I’ve read some things about ISATAP that say it might not be secure. In fact, if I remember correctly, ISATAP is disabled in the Windows DNS server for this reason. How do I tell my security guys that I need to use ISATAP for my DirectAccess deployment if in fact ISATAP is not secure?

Thanks! â€"Jeri

ANSWER:

Hi Jeri,

First, let’s make it clear that ISATAP is not required for deploying DirectAccess. What ISATAP enables you to do is tunnel IPv6 addressed packets into IPv4 packets. When you do this, you can forward native IPv6 packets on your IPv4-only network. This allows you to deploy DirectAccess when you don’t yet have IPv6 support. However, you don’t really need IPv6 support since you can take advantage of the NAT64 feature to enable DirectAccess clients to connect to your network even when you don’t have IPv6 support. The main reason you might want to enable ISATAP is to allow for “manage out” connections. That is to say, if you want some machines on the corporate network to initiate connections to the DirectAccess clients on the Internet. The good news is that you can use ISATAP on a limited basis so that only specific machines are able to connect through manage out. Jason Jones provides a good description of how to do this and minimize the security impact in his blog article at http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html. With this information in hand, you can give assurance to your security team that ISATAP will not be required and the security implications are mitigated.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
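Two facts from the answer above are worth checking on real machines: Windows DNS keeps the name "isatap" in its global query block list so clients do not auto-discover an ISATAP router, and ISATAP should be turned on only for the handful of hosts that need manage-out. The PowerShell below is an added example, not part of the newsletter or of Jason Jones’s article: it audits both on Windows Server 2012 or later (the NetworkTransition and DnsServer cmdlets it uses do not exist on older releases) and disables ISATAP on any host that is not in an explicit manage-out allow list. The host names in the list are constructed placeholders.

```powershell
# Added example (not from the newsletter): keep ISATAP limited to manage-out hosts
# and confirm the DNS server still blocks the "isatap" name.
# Assumes Windows Server 2012+ for Get/Set-NetIsatapConfiguration and
# Get-DnsServerGlobalQueryBlockList. Host names below are constructed placeholders.

$manageOutHosts = @("SCCM01", "MGMT01")          # constructed: the only hosts allowed ISATAP
$me = $env:COMPUTERNAME

# 1. Host side: report the current ISATAP state and fix it if this host is not on the list
$isatap = Get-NetIsatapConfiguration
Write-Host "$me ISATAP state=$($isatap.State) router=$($isatap.Router)"

if ($manageOutHosts -notcontains $me -and $isatap.State -ne "Disabled") {
    Write-Host "$me is not a manage-out host; disabling ISATAP"
    Set-NetIsatapConfiguration -State Disabled
}

# Any interface still carrying an ISATAP address is worth a second look
Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -like "isatap*" -and $_.IPAddress -notlike "fe80*" } |
    ForEach-Object { Write-Host "ISATAP address present: $($_.IPAddress) on $($_.InterfaceAlias)" }

# 2. DNS side (run on a Windows DNS server): the global query block list is what
#    stops a rogue host registering "isatap" and becoming everyone's IPv6 router
if (Get-Command Get-DnsServerGlobalQueryBlockList -ErrorAction SilentlyContinue) {
    $block = Get-DnsServerGlobalQueryBlockList
    if ($block.Enable -and ($block.List -contains "isatap")) {
        Write-Host "DNS global query block list is enabled and still blocks 'isatap'"
    } else {
        Write-Warning "'isatap' is NOT blocked by the DNS global query block list; review before enabling manage-out"
    }
}
```

Run the host part through your management tooling against the client population and the DNS part on each DNS server; a host outside the allow list that still reports an ISATAP address, or a DNS server with "isatap" removed from the block list, is the evidence your security team will want to see addressed before manage-out goes live.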


ISAserver.org Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.isaserver.org/articles-tutorials/)
- Products (http://www.isaserver.org/software/)
- Reviews (http://www.isaserver.org/articles-tutorials/product-reviews/)
- Free Tools (http://www.isaserver.org/software/Free-Tools/)
- Blogs (http://www.isaserver.org/blogs/)
- Forums (http://forums.isaserver.org/)
- Contact Us (http://www.isaserver.org/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- WindowSecurity.com (http://www.windowsecurity.com/)
- CloudComputingAdmin.com (http://www.cloudcomputingadmin.com/)
- WServerNews.com (http://www.wservernews.com/)
- MSPanswers.com (http://www.mspanswers.com/)

--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@ISAserver.org
Copyright ISAserver.org 2013. All rights reserved.
