

Traditionally Microsoft ISA Server has been deployed on industry standard servers or purpose-built appliances. Today, deploying Forefront Threat Management Gateway (TMG) 2010 on virtual servers has become more popular with the rapid adoption of server virtualization technologies like VMware’s ESX and Microsoft’s Hyper-V. Although Forefront TMG is fully supported in a virtualized environment, the choice to deploy TMG on a virtual platform should be made with careful consideration toward both security and performance. The debate about whether or not to deploy TMG on a virtual server is largely philosophical (sometimes bordering on religious!), so my intent here is to provide you with valuable information to use to make the best decision based on your needs and requirements.

Deploying Forefront TMG on a virtual server offers several distinct advantages over traditional server installations. The speed with which a virtual server can be deployed is typically much faster than with physical servers, providing flexible scalability and allowing administrators to quickly and easily add capacity to a system to meet additional or unforeseen resource demands. In addition, virtualization provides the ability to create snapshots, which can be beneficial for testing updates and for disaster recovery. However, virtualized deployments have some potential drawbacks and, as with almost anything, these benefits come with some tradeoffs in terms of security and performance.

Virtualization imposes a performance penalty which, in some environments, can be substantial. It is important to understand that virtualization was not explicitly designed for performance. Rather, it was intended to improve resource utilization for servers by consolidating workloads that, by themselves, did not use all of the capacity available on a dedicated server. As such, the overhead incurred with any hypervisor will ultimately have a negative effect on the TMG firewall’s peak throughput and performance.

TMG is fundamentally a network security device, and as such can process a lot of network traffic. It is important to consider that in most virtual environments all the network I/O is processed on the host server’s processor. This is in addition to the load created by the virtual server’s own CPU, as well as the network I/O and CPU demand generated by any other virtual machines on the same virtual host. If you are hosting multiple TMG virtual servers on the same host, or co-locating TMG servers with other heavy workloads, the system can be quickly overloaded. This leads to increased network latency and overall degraded performance for all users.

Installing Forefront TMG on a virtual server can also have serious security implications. The Law of Unintended Consequences often comes into play, as virtualization introduces variables that affect services in unexpected ways. It also introduces a serious security dependency, where the security of the TMG firewall is entirely dependent on the security of the underlying host server and hypervisor. A successful attack on the hypervisor could lead to a full compromise of the TMG firewall running on that host.

Operator error can be a factor as well, and this can be especially troublesome in medium- and large-sized organizations where the administrative responsibilities for the underlying virtual infrastructure are different from those of the security administrators tasked with managing the TMG firewall. Systems engineers and security professionals think very differently, and this can lead to consequences with potentially disastrous effects. A systems engineer, in an attempt to rectify a connectivity issue, might inadvertently connect a public network to an internal system, perhaps without even realizing it, and expose an internal system to an untrusted network. While this is more difficult to do in a physical environment (often requiring running cables and connecting to patch panels, etc.), in a virtual environment this can be accomplished with a simple mouse-click. It is also much more difficult to realize these mistakes after the fact.

Before considering the deployment of TMG on a virtual server, take a hard look at your requirements both in terms of security and performance and carefully weigh the rewards versus the risks of deploying TMG in a virtual infrastructure. Also, keep in mind that not all workloads lend themselves well to virtualization, and depending on your configuration and traffic profile it may not be the optimal platform to choose for your TMG deployment. Remember, just because you can virtualize something doesn’t necessarily mean it is a good idea.
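The one-click mis-wiring described above (an external adapter quietly moved onto an internal virtual switch, or an extra adapter appearing on the firewall VM) is hard to notice after the fact precisely because nothing on the TMG side changes. The PowerShell audit below is an added example, not code from the original article and not part of TMG or Hyper-V; it compares a VM’s adapter-to-switch bindings against a documented mapping and reports any drift. It assumes a Hyper-V host with the Hyper-V PowerShell module (Get-VMNetworkAdapter) for the live query, and all VM, adapter and switch names in it are placeholders; the sample inventory it runs against is constructed for the illustration.

```powershell
# Added example (not from the original article). Compares the virtual NICs of a
# TMG virtual machine against a documented adapter-to-switch mapping so that a
# one-click reconnection of the external adapter to an internal switch (or an
# undocumented extra adapter) is flagged instead of discovered after the fact.
# Assumes a Hyper-V host with the Hyper-V PowerShell module for the live query;
# all VM, adapter and switch names are placeholders.

function Test-TmgNicBinding {
    param(
        [Parameter(Mandatory)][object[]]$Adapters,   # objects with Name and SwitchName
        [Parameter(Mandatory)][hashtable]$Expected   # adapter name -> permitted switch
    )

    $findings = @()
    $seen     = @{}

    foreach ($nic in $Adapters) {
        $seen[$nic.Name] = $true

        if (-not $Expected.ContainsKey($nic.Name)) {
            # An adapter nobody documented is an undocumented path into the firewall.
            $findings += "UNEXPECTED: adapter '$($nic.Name)' attached to '$($nic.SwitchName)'"
            continue
        }

        $want = $Expected[$nic.Name]
        if ([string]::IsNullOrEmpty($nic.SwitchName)) {
            $findings += "DISCONNECTED: adapter '$($nic.Name)' (expected on '$want')"
        }
        elseif ($nic.SwitchName -ne $want) {
            # The case the article warns about: the wrong network is attached.
            $findings += "DRIFT: adapter '$($nic.Name)' is on '$($nic.SwitchName)', expected '$want'"
        }
    }

    foreach ($name in $Expected.Keys) {
        if (-not $seen.ContainsKey($name)) {
            $findings += "MISSING: adapter '$name' (expected on '$($Expected[$name])')"
        }
    }

    return $findings
}

# Documented (placeholder) mapping for the TMG VM: one Internet-facing adapter,
# one LAN-facing adapter, nothing else.
$expected = @{
    'External' = 'vSwitch-External'
    'Internal' = 'vSwitch-Internal'
}

# Constructed sample inventory mimicking Get-VMNetworkAdapter output; here the
# External adapter has been moved to the internal switch and a third adapter
# (Hyper-V's default name "Network Adapter") has appeared on a management switch.
$sample = @(
    [pscustomobject]@{ Name = 'External';        SwitchName = 'vSwitch-Internal' }
    [pscustomobject]@{ Name = 'Internal';        SwitchName = 'vSwitch-Internal' }
    [pscustomobject]@{ Name = 'Network Adapter'; SwitchName = 'vSwitch-Mgmt' }
)

$findings = @(Test-TmgNicBinding -Adapters $sample -Expected $expected)
if ($findings.Count -eq 0) {
    Write-Output 'OK: adapter bindings match the documented mapping.'
}
else {
    # Expected for the sample: one DRIFT (External) and one UNEXPECTED (Network Adapter).
    $findings | ForEach-Object { Write-Warning $_ }
}

# Against a live Hyper-V host, audit the real VM instead of the sample:
#   $live = Get-VMNetworkAdapter -VMName 'TMG01' | Select-Object Name, SwitchName
#   Test-TmgNicBinding -Adapters $live -Expected $expected
```

The point of keeping the expected mapping in a file that the security administrators own, rather than in the hypervisor team’s tooling, is that it turns the organizational split the article describes into a control: the virtualization team can still click, but the firewall team sees the result on the next scheduled run. The function only needs adapter-name and switch-name pairs, so the same check can be fed from any other inventory source for hosts that are not Hyper-V.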
