TechEd EMEA IT: Day 2 - Threat Management Gateway

Posted by Rik Hepworth on Tuesday, November 4, 2008

Andy and I are now in a TMG preview demo. This looks really interesting - we spoke to the guys at ATE last night and saw a few items that I hope to see now in more detail. TMG is ISA Server vnext - codenamed ‘Nitrogen’ and part of the ‘Stirling’ next wave of Forefront.

Stirling family members exchange information to allow ‘dynamic response’ - trigger actions from different Forefront elements (client security, etc.) based on alerts from other elements (e.g. the mail scanner). That looks really powerful.

New in TMG is web client protection - threat protection. Scan downloaded files as they pass through for malware. This blocks download of malware and shows the user a message page. Finally, a way to save some users from themselves!

TMG can now also inspect SSL traffic! TMG encrypts between the client and itself using its own certificate to the client, assuming the cert from the actual site is valid. Notably, if you enable HTTPS inspection you can make TMG tell the users - warn them, if you like - that their ‘secure’ connection is being inspected. You can also exclude categories of sites from this inspection.

For large files, TMG will show the user a ‘comforting’ page informing them that the file has been downloaded by TMG and is being scanned for malware.

TMG inspects traffic and will try to detect if a download manager is being used. At that point the ‘comforting’ page won’t be displayed. Interestingly, you can also block the download of encrypted zip files if you like - i.e. if TMG can’t scan it, don’t let it through.

TMG can also now do URL filtering. This is category-based, so you can block categories of sites. The site lists can be acquired through an external service. You can override the HTTPS inspection for categories of sites as well - e.g. banking sites.

These are gathered under the heading of Web Access Policies, which cover URL filtering, HTTPS inspection and malware inspection.

Also interesting is the Intrusion Prevention System, which allows TMG to detect and block exploits for vulnerabilities, even if the hotfix is not yet released (such as the SQL worm, for example). The demo of this was really cool, albeit in a geeky kind of way. The exploit protection uses signatures which will be downloaded and deployed, and my understanding is that they are not limited to TMG.

The firewall can also now continue to run if the logging DB server goes away. TMG creates a log queue locally, continues to operate normally, and will update the DB when it comes back online. The log viewer also continues to work, albeit only accessing the local queued items.

This is all cool stuff. There’s lots more too, but the things I’ve mentioned here are of use to everyone, whereas some of the other stuff covered is certainly less applicable to us at BM because of the way we work. Another solid-looking new product that I would recommend anybody to look into, and particularly if you’re currently using ISA 2006.