With the end of development of Microsoft Forefront Threat Management Gateway (TMG), many organizations that use or planned to use TMG face a dilemma: how, and more importantly with what, will administrators protect their Internet-facing Microsoft applications such as Exchange, SharePoint and Lync?
F5 Networks offers an answer to these questions; the details are described in this presentation.
3. Threat Management Gateway vs F5
[Diagram: "Before F5" and "With F5". In both cases traffic flows from the Internet, through client devices and a hardware firewall (shown in brackets), into the data center hosting Exchange, Lync, SharePoint and web servers. With F5, a BIG-IP placed in front of those servers adds load balancing, DDoS protection and firewalling.]
4. TMG – Traffic Management
Use case
Traffic management is a core focus of F5, and the traffic-management (TM) feature set found in BIG-IP LTM far exceeds anything else in the market today.
Before F5
With F5
TMG includes basic functionality for handling HTTP traffic.
• Simple load balancing of HTTP/HTTPS connections
• Three monitoring options: simple GET, ICMP, TCP port check
• Two persistence options: source IP, cookie
• SSL engine: offloading / bridging / rewrite-redirect support
F5 is the market leader in load balancing and high availability for any application.
• Load balancing of any protocol in full-proxy mode
• Monitoring: application-aware health and availability checks, synthetic client transactions
• Persistence: multiple options, with custom persistence possible
• SSL engine: full hardware-based PKI support with advanced functionality
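The monitoring and persistence rows above are easiest to see side by side in code. The following is an added example, not F5 or TMG code: a toy pool with two pluggable monitors (a TCP port check of the kind TMG offers, and an application-aware check that requires the backend to answer a synthetic request with the expected status) and cookie persistence that re-pins a session when its member goes down. The backends are simulated in-process, so nothing opens a socket; the addresses and status codes are constructed for the demo.

```python
"""Toy pool showing the difference between a TCP port check and an
application-aware (synthetic transaction) health monitor, plus cookie
persistence that survives a member going down.  Added example, not F5
or TMG code; the backends are simulated in-process."""
import itertools
from dataclasses import dataclass


@dataclass(eq=False)
class Backend:
    """Simulated pool member.  `listening` models whether the TCP port
    accepts connections; `http_status` models what a real GET would return."""
    addr: str
    listening: bool = True
    http_status: int = 200


def tcp_port_check(b: Backend) -> bool:
    """TMG-style 'TCP port check': only asks whether the port is open."""
    return b.listening


def http_check(b: Backend, expect_status: int = 200) -> bool:
    """Application-aware check: the port must be open *and* the application
    must answer the synthetic request with the expected status."""
    return b.listening and b.http_status == expect_status


class Pool:
    """Round-robin pool with a pluggable monitor and cookie persistence."""

    def __init__(self, members, monitor):
        self.members = list(members)
        self.monitor = monitor
        self._rr = itertools.cycle(range(len(self.members)))
        self.cookie_table = {}  # cookie value -> member address

    def healthy(self):
        return [m for m in self.members if self.monitor(m)]

    def select(self, cookie=None):
        """Return the member to send this request to, or None if all are down.

        A cookie already pinned to a healthy member wins; otherwise the
        request is round-robined over healthy members and, if a cookie was
        supplied, pinned to the member chosen (so a dead member is re-pinned)."""
        up = self.healthy()
        if not up:
            return None
        pinned = self.cookie_table.get(cookie)
        for m in up:
            if m.addr == pinned:
                return m
        for _ in range(len(self.members)):
            m = self.members[next(self._rr)]
            if m in up:
                if cookie is not None:
                    self.cookie_table[cookie] = m.addr
                return m
        return None


# Constructed scenario: the second server's port is open but the application
# behind it is failing (HTTP 500).  A port check keeps sending traffic to it;
# the application-aware check takes it out of rotation.
MEMBERS = [Backend("10.0.0.1:443"), Backend("10.0.0.2:443", http_status=500)]
```

The point the slide makes is visible in the first two assertions of the usage: with `tcp_port_check` both members look healthy, with `http_check` only the first does, so only the application-aware monitor stops users from landing on a server that accepts connections but returns errors.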
5. TMG – Client Authentication
Use case
Customers migrating to F5 will be able to take advantage of a rich set of
authentication and authorization features unique to F5. Endpoint inspection, AD
interrogation, & layered auth are compelling capabilities that will be new to your
customer. Management through the Visual Policy Editor will also make managing
the advanced functionality even easier.
Before F5
With F5
TMG offered customers a broad spectrum of authentication schemes (KCD, Basic, NTLM, Negotiate, Kerberos, LDAP, RADIUS, AD, OTP, client certificate, etc.) with support for authentication translation.
• Landing pages: customized
• Cross-forest: supported
• Single sign-on: limited
With client-side NTLM support added in release 11.3, BIG-IP matches up well against TMG's range of supported authentication schemes and translation functionality.
• Landing pages: customized
• Cross-forest: supported
• Single sign-on: full
6. TMG – Network Layer (3,4) Firewall
Use case
With historically strong DoS and DDoS mitigation technology (SYN cookies, connection limits, resource thresholds/watermarks, etc.) and recent certifications (ICSA), F5's posture as a perimeter security device is credible. Add BIG-IP's global address map and filtering capabilities, and you have firewalling with geographic awareness.
Before F5
With F5
TMG is a certified (CC EAL4+) network firewall suitable for placement at the perimeter of any network. DoS prevention is supported via a set of connection limits (TCP, half-open, UDP, HTTP requests per second, non-TCP) applied per IP per second.
• Layer 3/4 firewall rules: supported
• Layer 3/4 DoS prevention: connection limits
BIG-IP is an ICSA- and CC-certified network firewall, likewise suitable for placement at the perimeter of any network.
• Layer 3/4 firewall rules: supported
• Layer 3/4 DoS prevention: advanced, with DDoS prevention
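The "connection limits per IP per second" mechanism the slide attributes to TMG is simple enough to show end to end. What follows is an added example, not TMG or BIG-IP code: a sliding-window limiter keyed by (source IP, connection class) that is fed a constructed event trace in which one host sends a burst of half-open SYNs while another opens a few ordinary connections. The class names, the limits in `LIMITS` and the addresses are invented for the demo.

```python
"""Per-source-IP, per-second connection limiting of the kind described on
the slide (TCP, half-open, UDP, HTTP requests per second).  Added example,
not TMG or BIG-IP code; limits and the event trace are constructed."""
from collections import defaultdict, deque

# Constructed limits: maximum events per source IP within one sliding
# one-second window, per connection class.
LIMITS = {"tcp": 5, "half_open": 3, "udp": 10, "http_rps": 20}
WINDOW = 1.0  # seconds


class ConnLimiter:
    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        # (src_ip, class) -> timestamps of events still inside the window
        self._events = defaultdict(deque)

    def check(self, ts: float, src_ip: str, cls: str) -> bool:
        """Return True if the event is allowed, False if it exceeds the limit.

        Events older than `window` seconds are expired before counting, so a
        host that pauses for a second regains its full allowance."""
        limit = self.limits.get(cls)
        if limit is None:          # class without a configured limit: pass
            return True
        q = self._events[(src_ip, cls)]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(ts)
        return True


def run_trace(trace, limiter=None):
    """Apply the limiter to (ts, src_ip, cls) events and return, per source
    IP, how many events were allowed and how many were blocked."""
    limiter = limiter or ConnLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip, cls in trace:
        key = "allowed" if limiter.check(ts, ip, cls) else "blocked"
        stats[ip][key] += 1
    return dict(stats)


# Constructed trace: 203.0.113.7 opens 8 half-open connections in 0.4 s
# (SYN-flood style), while 198.51.100.2 opens 3 ordinary TCP connections.
TRACE = [(0.05 * i, "203.0.113.7", "half_open") for i in range(8)] + [
    (0.1, "198.51.100.2", "tcp"),
    (0.3, "198.51.100.2", "tcp"),
    (0.5, "198.51.100.2", "tcp"),
]

if __name__ == "__main__":
    print(run_trace(TRACE))
```

Note that a per-IP limit of this kind only helps against sources that are honest about their address; a spoofed SYN flood spreads across many source IPs and is the reason the SYN cookies mentioned in the use case are a separate mechanism.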
7. TMG – Remote Access & VPN
Use case
Customers migrating to F5 will be able to take advantage of a rich set of
authentication and authorization features unique to F5.
Before F5
With F5
TMG included an RA/VPN engine with several access protocols.
• Access protocols: L2TP, PPTP, SSTP
• Methods: site-to-site (IPsec), remote user
• Quarantine: supported
• Authentication: username/password, certificate
APM/Edge delivers a rich and full remote-access and site-to-site feature set that provides clientless or client-based options, endpoint inspection and quarantining. Providing client access over browser-based HTTPS connections means that client management is no longer an administrative burden. Management through APM's Visual Policy Editor (VPE) makes managing complex security rules easy.
8. TMG – Application Layer 7 Firewall
Use case
F5 provides bespoke security policies for a broad range of Microsoft
Applications and Services
Before F5
With F5
TMG offered L7 firewalling through a set of application filters covering several protocols.
• Protocol filters: HTTP, SMTP, …
• Added protection: virus scanning, spam filtering
• TMG's L7 protection relies on subscription services to stay up to date.
F5's ASM is designed with a focus on HTTP, SMTP, FTP and XML security, with the flexibility to build policies specific to the applications that use those protocols and data types. An automatic policy-building engine adapts to application updates, and visibility/analytics are presented through a web-based real-time dashboard. Pre-built policies ship for popular applications such as SharePoint and Exchange.
9. A Strategic Point of Control for Application Delivery
• An application delivery controller provides a strategic point of control where
corporate applications can be deployed more securely and policy can be
implemented consistently.
• BIG-IP provides a central point from which to administer access to multiple
applications. Without such a central management point, access must be
configured and managed separately at each internal resource, such as Exchange
and SharePoint.
• Single Sign-On (SSO) across multiple on-premise and cloud-based applications.
• Endpoint Inspection
• With the BIG-IP® Access Policy Manager® (APM), administrators can manage
access to corporate resources based upon the device that is trying to connect.
Administrators can also ensure that the approved device adheres to corporate
policies for AV status, OS versions, patch levels, and more.
Reverse Proxy / Pre-Authentication
“Much like a nightclub bouncer working the door, the ADC isolates internal resources from external access, allowing only
authenticated and authorized users to enter the corporate LAN and use internal resources.”
10. Multi-factor Authentication and Authorization
• Remote access solutions provide a much more secure authentication mechanism than what
can be found natively in most applications.
• BIG-IP with APM (Access Policy Manager) integrates with a number of authentication
mechanisms including RSA SecurID, RADIUS OTP and client-side certificates.
• Using the flexibility of the BIG-IP APM Visual Policy Editor (see below) and BIG-IP
iRules®, administrators can integrate with a variety of authentication providers and
technologies.
Figure 1: BIG-IP APM Visual Policy Editor.
• Ability to query Active Directory for user attributes such as AD group membership, assigned
mailbox database and device IDs. These attributes, together with deep packet inspection, can
then be used to apply policy dynamically, further enhancing device security.
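Slides 9 and 10 describe a pre-authentication policy that combines multi-factor authentication, AD attributes and endpoint posture before any traffic reaches Exchange or SharePoint. The following is an added example, not F5 APM code or a Visual Policy Editor export: the same branching expressed as a function that returns allow, quarantine or deny together with the applications the user may reach. The session fields, group names in `APP_GROUPS`, the minimum OS version and the patch-age threshold are invented for the demo; a real deployment would take these values from the AD query and endpoint-inspection results the slide mentions.

```python
"""Access-policy decision of the kind the Visual Policy Editor expresses
graphically: MFA result, AD group membership and endpoint posture combine
into allow / quarantine / deny.  Added example, not F5 APM code; every
attribute name, group name and threshold below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    password_ok: bool          # first factor (e.g. AD password)
    otp_ok: bool               # second factor (e.g. RADIUS OTP / SecurID)
    ad_groups: frozenset       # result of the AD group-membership query
    av_running: bool           # endpoint inspection: antivirus active
    os_version: tuple          # endpoint inspection: e.g. (6, 1) = Windows 7
    patch_age_days: int        # endpoint inspection: days since last patch


# Constructed policy parameters.
MIN_OS = (6, 1)               # Windows 7 / Server 2008 R2 or later
MAX_PATCH_AGE_DAYS = 30
APP_GROUPS = {"exchange": "mail-users", "sharepoint": "portal-users"}


def posture_ok(s: Session) -> bool:
    """Endpoint-inspection branch: AV on, OS new enough, patched recently."""
    return (s.av_running
            and s.os_version >= MIN_OS
            and s.patch_age_days <= MAX_PATCH_AGE_DAYS)


def evaluate(s: Session) -> dict:
    """Walk the policy branches in order; the first failing branch decides.

    deny       -> session ends, nothing is proxied
    quarantine -> authenticated but non-compliant device: remediation only
    allow      -> list of applications unlocked by AD group membership
    """
    if not (s.password_ok and s.otp_ok):
        return {"decision": "deny", "reason": "mfa_failed", "apps": []}
    if not posture_ok(s):
        return {"decision": "quarantine", "reason": "posture", "apps": ["remediation"]}
    apps = sorted(app for app, grp in APP_GROUPS.items() if grp in s.ad_groups)
    if not apps:
        # Strong auth and a clean device are not enough without authorization.
        return {"decision": "deny", "reason": "not_authorized", "apps": []}
    return {"decision": "allow", "reason": "ok", "apps": apps}


# Constructed sessions covering each branch.
GOOD = Session("alice", True, True, frozenset({"mail-users", "portal-users"}),
               True, (10, 0), 5)
NO_OTP = Session("bob", True, False, frozenset({"mail-users"}), True, (10, 0), 5)
STALE = Session("carol", True, True, frozenset({"mail-users"}), True, (6, 1), 45)
NO_GROUP = Session("dave", True, True, frozenset({"guests"}), True, (10, 0), 1)

if __name__ == "__main__":
    for s in (GOOD, NO_OTP, STALE, NO_GROUP):
        print(s.user, evaluate(s))
```

The order of the branches is the security-relevant part: authentication is checked before any AD lookup, so an unauthenticated client can never cause a directory query, and posture is checked before authorization, so a compromised but otherwise entitled device lands in quarantine rather than in the mailbox.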