While previous versions of the firewall had a very rudimentary IDS/IPS system, the NIS is a full-fledged, enterprise-grade IDS/IPS. NIS uses GAPA, the Generic Application Protocol Analyzer, to look at the data stream and match components of the traffic against signatures the TMG firewall downloads from the MS site.
Unlike the old IPS/IDS feature, this one looks at more than just network-layer exploits (the hint was that it uses the “application” protocol analyzer). This gives NIS the ability to inspect traffic for matches against traffic patterns above layer 3.
But to get more of an appreciation of how NIS works, and indeed to see some evidence that it does work, you need to see it actually do something. That’s where the article “Exercising NIS with test signature” on the ISA/TMG Firewall Team Blog at https://blogs.technet.com/isablog/archive/2009/04/12/exercising-nis-with-test-signature.aspx comes in handy. Evgeney Ryzhyk does a nice job of showing you the TMG firewall’s IPS chops in that piece.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer