Forefront "Stirling" Shows More Heads are Better Than One

I wrote a little about the introduction of Forefront “Stirling” last week, after it had been announced at the RSA conference in San Francisco. If you haven’t heard about Stirling, the short story is that it’s designed to bring together multiple Microsoft security technologies so that you can benefit from the integration of all these technologies and leverage the information gathered by each of them to provide both proactive and fast reactive responses to potential security incidents.

While all this sounds pretty neat, and example would be useful. It’s one thing to say that “integration” and “proactive and reactive intervention” is a good thing, but what do those things really mean?

OK, here’s an example of how Stirling might work in one scenario. Suppose you have the new Forefront Threat Management Gateway (the future version of the ISA Firewall) on the perimeter of your network. The TMG notices that an abnormally large number of TCP connections are being made outbound from one particular host. The TMG will shut down that computer’s access to the Internet in order to prevent the potential exploit from escaping the security zone on which the potentially compromised host is located.

However, Stirling allows us to do much more than that. Because the TMG is part of the Stirling solution, it is able to communicate what it’s detected to other components of the Stirling suite of security technologies. Forefront Client Security is part of the Stirling suite of security solutions. When the TMG detects a potential exploit active on one of the host computers, it can communicate that to Stirling. Now Stirling shares this information with Forefront Client Security, which leads to Forefront Client Security to run an anti-malware scan on that computer in an attempt to remove the exploit.

But it doesn’t stop there! While the TMG was able to stop the machine from communicating with machines in other security zones through the TMG device, the compromised computer can still potentially infect over the network machines in the same security zone, which isn’t perimeterized by the TMG. In this case, Stirling, being aware of the network security issues that TMG informed it about, will be able to activate a Network Access Protection (NAP) policy that will essentially disconnect the compromised machine from the network until the security incident is resolved.

As you can see, the Stirling solution was able to leverage information garnered from one member of the Stirling security suite and enable other security solutions in the suite to take action on the event. And all of this is done automatically and doesn’t incur the delay that would happen if an administrator had to be informed of the issue, and then look up the machine that might have been compromised and then go to that machine and manually run a scan and maybe even disconnect the machine from the network. That manual approach could take minutes or hours, With Stirling, all the incident response steps can take place in a matter of seconds.

This is just one example of what Stirling can do. Keep in mind that this example only included the TMG, NAP and Forefront Client Security pieces of the Stirling suite. Forefront Security for Exchange and Forefront Security Security for SharePoint are also part of the security solution. So you could imagine scenarios where these solutions could be brought into play. If you can’t, don’t worry, I share more scenarios with you in the future in this blog and in future articles on Stirling here at



Thomas W Shinder, M.D.

Email: [email protected]
MVP – Microsoft Firewalls (ISA)

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top