TMG Network Inspection System
Previous versions of the ISA firewall had a rudimentary intrusion detection and prevention system, mostly based on network layer attacks that were popular in the 1990s. For industrial strength IDS/IPS, you had to look somewhere else.
With the introduction of the TMG firewall, a new and vastly improved IDS/IPS is included. This is known as the Network Inspection System (NIS). The NIS is based on the Generic Application Protocol Analyzer (GAPA), which is able to intercept packets in the datastream and evaluate whether they contain potential threats. NIS is a signature based product and is focused primarily on preventing known exploits in Microsoft products.
NIS right now can inspect a number of application layer protocols, such as SMTP, IMAP, POP3, and RPC. The current focus and goal of NIS is to buy the network admin time for updating. Often security and other updates can’t be applied until testing takes place, so there’s a lag between the time a vulnerability becomes known and the time an update is released, and then there’s time between when the update is released and when it’s applied.
In order to reduce your exposure during these two windows of vulnerability, you can take advantage of the TMG NIS. Since Microsoft has intimate knowledge regarding security issues with their products, they’ll be able to send out updates to the NIS before a fix is released, or after a fix is released but before you have time to roll it out.
Attackers won’t be able to reverse engineer the information in the signatures in an attempt to create an exploit, since the signatures are encrypted. At this time you can’t create your own signatures, but this is something that might be possible in the future.
There’s not much to configuring the TMG NIS. You either enable the system or you don’t, and then you configure what actions you want TMG to take when NIS detects a problem. Or, most likely, you’ll do what I do and just go with the Microsoft default settings for each signature, with some of them set to detect and report mode and some of them configured to block the dangerous communications.
If you want more information about NIS and how to configure it, check out this blog post by Moshe Golan on the TMG Firewall Team blog site over at https://blogs.technet.com/isablog/archive/2009/06/28/configuring-network-inspection-system-nis.aspx
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer