David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
I was recently briefing with a customer when a question was raised about Microsoft Forefront Threat Management Gateway (TMG) and its end of life. The question was what would be my recommendations for replacing it. My first glib thought was “quickly” but I bit my tongue and went on with a better formed recommendation along the same lines.
Microsoft TMG is a multifunction security gateway that acts as an Internet traffic proxy gateway providing additional network antivirus scanning, firewall, VPN termination, and web caching services. From a value standpoint, it was an attempt to provide more, with less of a datacenter footprint, by integrating common/commodity security services. And it did this when there weren’t a lot of vendors delivering composite solutions. I have never supported it so I can’t speak to how well it performed but it lasted for 15 years in its varied incarnations so adoption/market acceptance must have been reasonable. The final iteration of the solution was discontinued in 2012 and hits the end of mainstream support in 2015 with extended support going through 2020.
As with any product that has been “end of life-d,” there are no more vendor resources being applied to producing features. There are also few to no efforts being applied to proactively develop patches. With all of the vulnerabilities being found, publicized and exploited, it is merely a matter of time before we see the remaining production devices compromised. So, owners should have a plan to migrate to another technology, regardless of whether it is still working and/or support is available. Several other concerns are the lack of support for OS’s beyond Microsoft Server 2008 R2; no more native support for newer versions of Microsoft applications like Exchange and SharePoint and the built-in deployment wizards only provide support for publishing Exchange and SharePoint 2010 (which, require significantly more manual configuration and raising additional supportability issues). TMG cannot be supported on Microsoft Server 2012 and even if you can install it, it doesn’t take advantage of some of the newer security features built into that OS.
Usefulness and performance of some of the advanced features will begin to decline in 2016. As of December 31, 2015, Microsoft announced cessation of support for the URL Reputation Services (URS) that TMG uses for web site categorization. They will also discontinue production of anti-malware and Network Inspection System (NIS) signature updates, so newer threats will not be detected. The deprecation of these functions means that if you’re relying on these services to provide intelligent threat management for the advanced forward web proxy they will be significantly impacted well before the support expires for the product.
Maybe I am a bit naïve but I would have expected that with more than two years of notice, organizations using the TMG would already be engaged in research with plans for procurement and deploying a replacement product. The good news is there are plenty of options. Whether you are using all of its functionality or only parts of it, there are a myriad of companies that offer comparable and even greater combined functionality with equal and higher performance. If you are only looking for one or two functions, vendors supply them as point solutions and they are relatively easy to research.
For those looking to replace the combined functionality, I would recommend reviewing vendors delivering Unified Threat Management (UTM) solutions. UTM’s provide next-generation (and proxy) firewall, network intrusion prevention, VPN termination, gateway antivirus (AV), gateway anti-spam email inspection, content filtering, load balancing, network-based data leak prevention (DLP), and on-appliance reporting services. By this point, considerable similarities with TMG should be obvious.
Organizations already using TMG should already know the Pros and Cons of a UTM deployment. For the broader audience, I think it is important to mention a few of the more key aspects. First, using a single integrated device and service reduces overall complexity and simplifies deployment, lifecycle management, and support. Second, a single vendor/solution reduces technical training requirements and costs. Lastly, the unified reporting for all services simplifies regulatory compliance management and reporting. The top vendors in the space not only have a singular appliance but also use key-based licensing activation rather than module installation. The code base is unified so when you need new services, you only need to purchase the activation key and install it to activate the feature. You do not need to upgrade or install new components.
Key disadvantages for the UTM solutions include the possibility of a single point of compromise. If a single technology vendor is deployed and is found to have a vulnerability that leaves the protected organization more vulnerable. Scoping for performance and size is a crucial factor, not only for the current environment but for the environment that is expected to exist in the lifecycle of the product (3-5 years) so a “rip-and-replace” or other similarly impacting upgrade is not necessary to keep up with traffic processing requirements. As with any inline solution, a solid high-availability option and back-up and restore process are crucial to avoid extended outages due to attack or failure.
Also note: Most vendors in this space do not currently offer a software only or virtual machine image installation due to the high system resources required to drive all of these functions. Investigate any claims for these options by comparing them to the dedicated hardware form similar and other competing vendors.
David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including Security and Network Operations for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions. Aside from his full-time practice in the security field, David has been an adjunct faculty member for Capitol College in Laurel, Maryland since 2007, providing security instruction on both the undergraduate and graduate level. He has also presented briefings to numerous forums including SANSFire, Forrester and the Colorado Digital Government Conference.