I always wonder if a IPS/IDS is actually doing anything useful when protecting my network. I mean, if we create rational firewall rules and make sure that we don’t use the firewall as a workstation, does the IDS provide us with any extra protection?
As with most things, it depends. A good example of protection you get with protocol validation is the blaster worm. While some firewalls had the capability to allow inbound RPC communications to an Exchange Server, they allowed all traffic. In contrast, the ISA firewall allowed only legitimate RPC connections to the Exchange Server. So, if you were publishing your Exchange Server using another firewall, you got nailed. If you were publishing it with an ISA firewall, you weren’t hurt at all. That’s an example of an application layer firewall doing what it’s supposed to do.
The TMG team posted yesterday that they caught their first Zero Day threat related to a reported problem with the SMB2 protocol. The TMG NIS was able to catch this in a matter of hours after reports that the exploit was seen in the wild.
My first thought was “wow! That is great! The TMG NIS is already showing its value”. Then my second thought was “so what? Who in his right mind is publishing SMB to the Internet?”.
While it’s true that no one in his right mind publishes SMB to the Internet, there are other scenarios where the NIS would have saved the day. Consider branch offices. Someone comes in with an infected laptop and infects the main office over a TMG site to site VPN link. Well, that wouldn’t happen because the TMG NIS would have blocked the exploit.
Conclusion? TMG NIS rocks! While there’s not a lot to configure to make it work, I see that as a plus. NIS just works, you don’t have to wade through pages of documentation to find out secret tweaks to get it doing what its supposed to do.
Check out the TMG firewall team’s post on this subject at:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer