Securing the edge in a post-TMG world

As we’ve all come to understand, Microsoft has pulled the plug on one of the best products it has ever made, Forefront Threat Management Gateway 2010.

Being one of the most vocal supporters for this product, I have long believed it to be irreplacable. The specific blend of features, integration and support we’ve seen for this product is hard to compete against, especially at that price.

Unfortunately, time has come to find a viable replacement. The world has moved on, and so should we.

In this 6-part blog I’ll describe my journey to find a functional replacement for TMG. We’ll look at the most-used features in TMG and compare them to the competition. We’ll look at each product’s strengths and weaknesses and evaluate our experience working with them. And last, but not least, we’ll compare the licensing costs for each evaluated product with the relevant licensing for a medium sized TMG deployment (aprox 500 concurrent users).

So, with the introduction out of the way, let’s get started :-)

In order to determine what makes a succesful TMG replacement we (me and my collegues) wrote down the most implemented and best liked features throughout all deployments we have ever built, and we came up with the following list:

  • Stateful packet filtering
  • Client VPNs
    • PPTP
    • L2TP with IPSEC
    • SSTP VPNs
  • Site-to-site VPN
    • Mostly IPSEC
    • But the support for dail-on-demand style PPTP or L2TP network tunnels has it’s uses too
  • Foward proxy
    • URL filtering with URLCategories
    • Content scanning
    • Malware filtering
    • HTTPS inspection
    • User authentication
      • Active Directory Integration
      • Or using Basic or NTLM authentication
      • With two-factor support using client certificates
  • Reverse proxy
    • SSL offloading
    • Loadbalaning
    • Forms Based Authentication
      • Active Directory Integration
      • RSA
      • Radius (with OTP support)
      • LDAP
      • TACACS(+)
    • Single Sign-on with delegation
      • Using basic, NTLM or Kerberos Constrained Delegation
  • Network Insepection System  (inline IDS/IPS)
  • Exchange integration (inline anti-spam and anti-malware mostly, EdgeSync is a nice plus)
  • Multi-node redundancy
    • Central management
    • Active/active (with unequal loadsharing)
    • Built-in loadbalancing
  • ISP redundancy
  • Central logging
  • Reporting
  • Monitoring (using SCOM)
  • Support for Hyper-V virtualisation
  • a very easy to master GUI

Or to put it bluntly, we were using pretty much every available feature of TMG out in the field.

Naturally, the next step was to scratch our heads wondering if there was such a thing as a full replacement for TMG, seeing the list we had compiled.
We decided to trim the list to make the search a bit easier, and thus we named the following features “nice to have, but will work without”:

  • Multiple WAN support (ISP redundancy) – We’ve got routers for that
  • SSTP client VPNs – Least used VPN type, usually dropped in favor of DirectAccess
  • Email hygiëne – E-mail as a whole is moving to the cloud
  • IDS/IPS functionality – We’ve got appliances for that
  • Change tracking – It’s nice to know which command killed your firewall, but usually, this can be deduced from some kind of log anyway
  • SCOM integration – Seeing as how SCOM works with SNMP these days, we should be able to at least pull some info from just about any device

Furthermore, after testing the waters and finding there were way, way more vendors and appliances/software available than we could possible thoroughly evaluate in any normal timeframe, we decided to do the evaluation in two rounds.

In the first round we sorted all products based on the vendor’s specifications only, any devices that doesn’t include at least 90 percent of the required features would be automatically skipped for further testing.

As a result of this, we were able to discard the following products/vendors:

  •  Cisco ASA
    • No additional features, simple SPI firewall
    • Some IDS/IPS capabilities, but only on some models (5585-X and up) – requires additional hardware
    • Hardware only – no virtual appliances / not viable for cloud deployment
  • Cisco ASA CX
    • No virtual appliance – not viable for cloud deployment
    • TCO far higher than average size TMG deployment (initial investment 20k euro + additional licensing and support)
  • Juniper
    • No real URL filtering options (integration with cloud-based solutions like Websense and Surf-Control is available, but no bundled licensing)
    • No virtual appliance – not viable for cloud deployment
  • F5 Networks – Access Policy Manager
    • Publishing platform only – Designed to let users in, not allow users out (UAG competitor)
    • Very high TCO for mid size deployment – initial investment at least 26k euro, excluding support options
  • F5 Networks – Application Security Manager
    • Primarily a firewall with sandbox capabilities – aimed outward
    • Not a UTM-style device like TMG (most advanced user filtering options are not available, such as URL filtering)
  • Fortinet – Fortigate series
    • No reverse proxy capabilities (no SSL offloading or web farm loadbalancing either)
    • No virtual appliance – not viable for cloud deployment
  • IPCop
    • Geared towards SOHO/Small business (support options unclear)
    • Webfiltering requires in-depth knowledge of DansGuardian in order to setup (limited integration – functions like a seperate component)
  • PFSense
    • Webfiltering relies on DansGuardian – which requires separate setup like with IPCop
    • Proxy capabilities require Apache configuration – no GUI available

In stage two of the evaluation we set up a testbed environment and went to work deploying each of the remaining firewall solutions.

In an attempt to make sure we were testing in the most ife-like situation we used Ciscos SPAN port mirroring to mirror outbound and inbound traffic to and from our TMG production systems to the evaluated products.

Overview testsetup

Visual representation of our setup

After the deployment, setup and a week of continous operation we used the on-board metrics to determine how these products were running and compared results with our TMG deployment to see which system worked best.

Apart from this “technical” test we were also keen on figuring out how fast we were able to get the interface figured out and master the product.
Since about 70 percent of our TMG deployments are maintained by our customers, this is a crucial point.

What products did we test in round two, you ask?

You were afraid we had nothing left, after the above list, were you not? ;-)
Thankfully the world has many firewall vendors and all of the units from the list above passed the mark for the first test (more or less – we’ll get back to you on that).

As promised, this is going to be a six-parter blog, so each next itteration we are going to talk about one product and then wrap it up with a conclusion on which firewall we chose as our prefered TMG replacement.

So, stay with me for part two – First up: Untangle

Update: After internal review, we decided to drop all vendors that do not have a virtual appliance available or avaiable in the near future.
As a result of this, Palo Alto and Sonicwall were dropped from the second stage of evaluation.

Pre-Sales Engineer at Sophos http://nl.linkedin.com/in/jornlutters

Posted in Forefront TMG, General
30 comments on “Securing the edge in a post-TMG world
  1. Uilson souza says:

    Very good post!

    Greetings from Brazil!

  2. Morten says:

    Hi good read

    Have been looking into this myself.
    Another candidate might be the Bluecoat ProxySG product. Looking at the configuration instructions for this product it seems much closer to the TMG use I treasured the most.

    Kerb Contrained delegation, SSO, reverse transparent proxy

    Looking forward to read the rest

    • Jorn Lutters says:

      Hello Morten,

      In all honesty, we have looked at Bluecoat’s Proxy SG product, but we chose not to include it in our further search due to pricing.
      I forgot to list it in our overview though, a miss on my part.

      • Morten says:

        Thanks for the answer

        I have not looked into pricing as of yet, but it does not surprise me that their products are premium priced.

  3. Gary Roberts says:

    Surely Fortinet has a virtual product?

  4. Andy says:

    What about Astaro Security Gateway? In the newest beta Version they support rpc over https (reverse proxing with ssl offloading), vpn’s, virtualization and lot more.

  5. Patrik says:

    Does Netscaler have site-to-site vpn ?
    I didn’t think so.

    • Hello Patrik,
      You are right, it does not support site-to-site VPN.
      Please wait until the final blog post is published.
      My colleague is currently very busy that’s why he didn’t publish the final part yet, it will be published soon.

  6. Jorn Lutters says:

    Allow me to just step in and quickly point out that the last review I am working on in the series is a giant wrapup in which I review both Citrix Netscaler, Kemp ESP and Sophos UTM.

    It’s been taking quite a bit longer than previously anticipated, but please bare with me, it should be out shortly.

  7. Dons says:

    Hi,
    do you have any info regarding Check Point. Can it replace TMG?
    thank you

    • We didn’t review Checkpoint since it didn’t pass the criteria listed above.

      • Dave says:

        I think you’ll find Check Point can do most of that

        • One of the requirements is, it should be possible to run a virtual appliance on the hyper-v platform.
          As far as I know, Checkpoint cannot do that. It only supports Vmware.
          I am not so sure about the reverse proxy features either, but this can be my lack of knowledge about Checkpoint.

  8. Nathaniel says:

    Smoothwall do provide an appliance for their UTM. At my last employer we had a Smoothwall UTM physical appliance and used the Virtual for HA.

  9. George says:

    Please, pay attention for 5nine Security Manager for Hyper-V .
    In case of the virtual enviroment it replaces TMG :
    http://www.5nine.com/windows8-server2012-anti-virus-anti-malware-and-virtual-firewall-datacenter.aspx

  10. Ewald says:

    Is there anything that can do federated authentication (ie. with SAML2) ?

    • Sander de Wit says:

      Hi Ewald,

      Currently it’s not known to me.
      Maybe I can ask Jorn.

      • Jorn Lutters says:

        Hello Ewald,

        If you want to deploy SAML federated Authentication you are not going to find it in any of the tested products. Most firewall/reverse proxy products focus on single sign on and pre-autneitcation, if they do anything with authentication at all.

        Federation and single sign on are not the same technique or even technology, though one (single sign on) can be used once the other has been deployed (federation). To put it differently, while federation or a shared authentication source is a prerequisite to enable single sign on, it is quite possible to NOT do SSO even when federated.

        So, to recap: Federation (based on SAML2, ADFS, or anything) would require it’s own servers and system, since none of the tested products fully integrate with, or even enable the use of, federation products.

  11. Shane says:

    FYI, FortiGate products do perform SSL offloading, web farm load balancing and they do provide a VMware compatible virtual FortiGate.

    Been a very happy user of FortiGates for the last 6 years or so.

    As far as I know however, FortiGates do not support reverse proxy, for which the FortiWeb product can be used for.

  12. quicky2g says:

    Palo Alto does have a virtual appliance. See here:

    https://www.paloaltonetworks.com/products/platforms/virtualized-firewalls/vm-series/overview.html

    They can satisfy just about every requirement you have and give you additional features that weren’t available in the TMG. Look through the free online training course it’s really good:

    https://support.paloaltonetworks.com/101_ver5/player.html

    • Jorn Lutters says:

      Thanks for pointing this out, this was not the case when we spoke to them last year (or at least, according to their Sales rep).
      I stand by my conclusion however that Palo Alto do not offer a viable TMG replacement, as they do not have a functional reverse proxy in place, nor do they intend to create one in the near or even distant future.

  13. David Attard says:

    Hi Jorn and all,

    this is David Attard – Product Manager for GFI WebMonitor. I came across this post whilst doing some research about TMG EOL.

    For those still using TMG and have run out of their Web Protection Subscription, GFI still provides and supports a TMG plugin which offers URL filtering and web security. So for any users who still want to use TMG (which still has some life in it), you can replace the Web Protection subscription with GFI WebMonitor.

    You can get more details here:

    http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-webmonitor

    This isn’t just a sales pitch, we’re plugging a hole for existing TMG customers who have no other alternative.

    Hope this helps

    David

    • Jorn Lutters says:

      It does sound quite a lot like a sales pitch to me ;)

      But we’ll allow it, since this is indeed a viable option to extend the lifespan of a TMG solution.

      Thanks for the suggestion.

  14. Dear all,

    Please check the SecPoint.com website and checkout UTM Product ” The Protector” Ready in seconds as Appliance or as Virtual Edition running on VMware en Hyper-V from a 10 user license to Large networks. No hiden cost, super Support try it for free for 30 Days and see for yourself Please test this product and let us know what you think about it

5 Pings/Trackbacks for "Securing the edge in a post-TMG world"
  1. [...] (If you haven't read the introduction yet, feel free to read it here) [...]

  2. [...] (If you haven't read the introduction or the previous installations in this series yet, feel free to read them here) [...]

  3. [...] (If you haven't read the introduction or the previous installations in this series yet, feel free to read them here) [...]

  4. [...] (If you haven't read the introduction or the previous installations in this series yet, feel free to read them here) [...]

  5. [...] (If you haven't read the introduction or the previous installations in this series yet, feel free to read them here) [...]

Leave a Reply

Your email address will not be published. Required fields are marked *

*



You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>