Microsoft announced the general availability of the Threat Management Gateway (TMG), a significantly revamped version of its old ISA Server 2006 VPN/firewall, which adds enhanced URL filtering, anti-malware, and intrusion prevention technologies to defend unsuspecting corporate end users against Web attacks. The software giant also released a beta version of the Unified Access Gateway 2010 (UAG), which is a next-generation version of its Intelligent Application Gateway that handles remote access to applications by mobile devices, as well as PCs and laptops.
The two new endpoint security products advance Microsoft's offerings for securing corporate users and their access to corporate resources. UAG also relies heavily on identity-based access and policy, which Microsoft is pushing as one of the key elements of security: "We think of this as our solution for security...to redefine how people talk about protection and access -- with identity," says John "JG" Chirapurath, director of the identity and security business group for Microsoft. "We are making identity a first-class citizen in security."
Rob Enderle, principal analyst at the Enderle Group, says Microsoft's new products demonstrate how it's forging its own solutions for security, especially at the endpoint. "Microsoft continues to reverse an early mistake of leaving security to third parties to create and aggressively enhance their own offerings," Enderle says. "These latest offerings focus on the long-term problem of assuring that remote employees are properly identified, and the more recent problem of hostile Web phishing attacks on employees."
It's the user who is often the weakest link in enterprise security. "Often security solutions focus on internal infrastructure and assets and forget that the employee is likely the most exposed part of any solution. By focusing on the employee, Microsoft is beginning to address what I believe are some of the most vulnerable parts of the current enterprise," Enderle says. "With this, Microsoft is beginning to transition from a company trying to catch up to the market to one that is trying to lead it."
The new TMG product is a Web security gateway that taps Microsoft's Reputation Services, a cloud-based service that draws URL reputation, malware, and vulnerability data from multiple partners and its own data to detect malicious Web pages and potential Web threats before users go there. "A Web request is proxied to TMG, which is sitting on the edge. It assesses the reputation of that link, checking with the cloud whether it's safe or not. It either immediately blocks it or enables it," Chirapurath says.
Microsoft's cloud-based Web reputation service pulls data from 10 partners, including Brightcloud, M8e6, and FutureSoft, as well as from Microsoft's own Hotmail, Internet Explorer 8's SmartScreen, and Windows Live Security Platform.
TMG is a big leap from Microsoft's old ISA product, says Chenxi Wang, principal analyst for security and risk management at Forrester. "This is a major step up from what ISA could do in securing Web access," Wang says. "If Microsoft wants to play more in the enterprise security game, it needs to add more functionality to it, and they did in this release."
Wang expects Microsoft to eventually package its Microsoft Reputation Services as a separate offering. "They could sell MRS to other vendors...similar to what other [Web security vendors] are doing, like Websense and BlueCoat," she says.
Architectural firm Pei Cobb Freed & Partners, a TMG customer, uses the gateway to protect both its end users and the business from malware when its users visit social networking or other sites. "I'm not against Facebook [and we allow our users to access it], but when you're using it, we don't want you to wander off to a malware site," says George Podolak, director of IT at Pei Cobb Freed & Partners. "This replaced [having to write] egress filters...which we had to pay for through a third party."
Podolak says his firm traditionally had a strong perimeter defense but never a good solution for egress filtering. TMG now handles that, and it allows "granular" filtering that's integrated with Active Directory.
The only missing element, he says, is data leakage prevention. "That's one of the issues we're facing. You can attack it with content filtering, but we want to make it easy so that someone can't take an important document and splash it on a blog page somewhere," he says. "I'd like to see more of that [capability]."
Microsoft's new UAG beta is basically an application-specific remote access gateway that supports remote or mobile workers coming in from laptops or other mobile devices. "You can set granular guidelines that 'I want this person to access this Website [and these applications, for instance],'" Chirapurath says. "If a user is traveling and receives a link, it makes sure you have the same privileges on SharePoint" that you have at the home office.
UAG will hit general availability in the first half of 2010; pricing will start at $2,500 for a server plus $15 per user. TMG is priced at $1,500 for a standard edition version.