Keep in mind that the information in this article is based on a beta version of Microsoft Forefront TMG and is subject to change.
A few months ago, Microsoft released Beta 2 of Microsoft Forefront TMG (Threat Management Gateway), which has a lot of exciting new features. Before we start explaining the NIS features in Microsoft Forefront Threat Management Gateway (TMG), we first have to explain what NIS is and which protocols and techniques it is based on.
Defining NIS and IPS
TMG NIS is a vulnerability-based Intrusion Prevention System (IPS). An IPS should protect your internal network from known and unknown vulnerabilities when TMG is placed directly at the edge between the internal network and the Internet. All network traffic must flow through TMG, so TMG is the first line of defense against different vulnerabilities.
An IPS is defined at two levels:
- System level
- Solution level
On the system level, an IPS is an aggregation of multiple protection mechanisms.
On the solution level, an IPS is deployed on internal hosts or on devices at the edge, in this case on Microsoft Forefront TMG.
TMG NIS features block known and unknown attacks at the network level to defend against vulnerabilities.
TMG uses a signature-based IPS. A signature-based IPS protects your hosts against exploitation of vulnerabilities that have already been discovered. It is used to close the time window between the announcement of a vulnerability and the deployment of the patch on all potentially vulnerable hosts. Practice shows that an attacker can write and run an exploit faster than administrators can deploy the patches provided by the software vendor. Signatures are available, and can be deployed, faster than patches, so administrators gain time to patch all affected systems while those systems are protected by the TMG NIS feature.
Zero Day Vulnerability
A zero-day attack exploits a vulnerability in a system before a patch for it is available. Typical protection against a zero-day vulnerability consists of the following steps:
- A vulnerability is discovered
- The Microsoft Response Team (MRT) creates and tests the vulnerability signature
- The signature is released by Microsoft through a distribution service
- TMG uses this signature for the NIS protection feature
- All internal (unpatched) hosts behind TMG are now protected until a patch is developed by Microsoft and rolled out through Windows Update, WSUS or another patch distribution system.
To create signatures for a vulnerability, Microsoft uses GAPA (Generic Application Protocol Analyzer). NIS in TMG is based on GAPA.
GAPA is a framework and platform for safe and fast low-level protocol parsing, designed and prototyped by Microsoft. Protocol analyzers for GAPA are written in GAPAL (Generic Application Protocol Analyzer Language). According to Microsoft's documentation, GAPA allows rapid creation of protocol analyzers, greatly reducing the time needed for development.
Network Inspection System walkthrough
NIS configuration in Forefront TMG is quite easy and requires only a few steps. The following figure shows the default signatures that come with the standard installation of TMG. The signatures can be grouped to make specific signatures easier to find.
Figure 1: Intrusion Prevention System
As a first step, you should configure the default Network Inspection settings. It is possible to define exceptions for the NIS scan. One of the most important settings is the NIS automatic definition update action. It is also possible to trigger an alert if no definition updates have been installed in the last X days; the default is 45 days. The default response for newly applied signatures from Microsoft is Response only. You can change the default response policy if you want to.
Figure 2: Definition Update Configuration
In the NIS task pane it is possible to reset the NIS configuration actions and responses on all NIS signatures. The default action is to block, or only detect, the vulnerable network traffic depending on the signature setting, as you can see in the following figure.
Figure 3: Reset NIS Configuration
For every signature it is possible to get more information about the vulnerability. It is also possible to set the action for this signature to Detect or Block the network traffic.
Figure 4: Signature Information Properties
If you want more information about a signature, click the Details tab. For every signature, Microsoft also publishes a CVE number under which you can find more information about how the vulnerability works and how dangerous it is. You will find more information about the specific threat on the Microsoft security bulletin website.
Figure 5: Signature Information Properties - Details
How to test the NIS functionality
One way to test the NIS functionality is to open a test signature in your web browser and see whether the NIS protection in TMG is working as expected. TMG comes with a test signature. Enter the following URL in your web browser to test NIS. If NIS is working, the attempt to open the website is blocked by TMG with a TMG-generated message.
TMG alert settings
If the NIS component detects or blocks network traffic because a matching signature was found, a default alert action configured in the TMG alert section creates an entry in the Event Log of the TMG server. Other alert actions, such as running a program or stopping a service, are also possible.
Figure 6: NIS alert definitions
In this article I gave you an overview of the Microsoft Forefront Threat Management Gateway NIS features. I also tried to show the configuration of the NIS functionality and how administrators can protect their networks against different vulnerabilities. The NIS functionality is a great weapon for TMG administrators in the fight against network intrusion attempts.