Stirling/TMG Firewall Honeypot Detection

Did you know that the upcoming TMG firewall has a “honeypot detector” feature? Well, it does, but in order to take advantage of it you need to join the TMG firewall to a Stirling security server. Once you do that, you’ll be offered the opportunity to designate a “honeypot” IP address. The honeypot IP address is a phantom address that isn’t actually used on the network. When the TMG firewall detects that repeated connection attempts are being made to a non-existent IP address, it can assume that there may be a worm scanning the network.
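The idea described above, reduced to log analysis as an added example (this is not TMG or Stirling code and is not from the original post): count connection attempts per source to a designated unused address within a sliding window. The log format, the decoy address 10.0.0.250, the threshold and the window are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example (none come from TMG or Stirling):
HONEYPOT_IP = "10.0.0.250"        # unused address designated as the decoy
THRESHOLD = 3                     # attempts that trigger an alert
WINDOW = timedelta(seconds=60)    # sliding window for counting attempts

# Constructed sample log: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2009-03-09T10:00:01 10.0.0.17 10.0.0.5 445 ALLOW
2009-03-09T10:00:02 10.0.0.42 10.0.0.250 445 DENY
2009-03-09T10:00:03 10.0.0.42 10.0.0.250 139 DENY
2009-03-09T10:00:05 10.0.0.17 10.0.0.250 80 DENY
2009-03-09T10:00:09 10.0.0.42 10.0.0.250 445 DENY
2009-03-09T10:00:10 10.0.0.42 10.0.0.250 445 DENY
2009-03-09T10:05:00 10.0.0.17 10.0.0.250 80 DENY
not a log line
"""

def detect_honeypot_hits(log_text, honeypot=HONEYPOT_IP,
                         threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source reaching `threshold` hits on the honeypot within `window`."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent hits
    alerted = set()               # sources already reported once
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue              # skip lines with an unparsable timestamp
        src, dst = parts[1], parts[2]
        if dst != honeypot or src in alerted:
            continue
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            alerted.add(src)
            alerts.append({"src": src, "first": hits[0], "count": len(hits)})
    return alerts

if __name__ == "__main__":
    for a in detect_honeypot_hits(SAMPLE_LOG):
        print(f"ALERT {a['src']}: {a['count']} attempts to {HONEYPOT_IP} since {a['first']}")
```

A single stray connection to the decoy (10.0.0.17 in the sample) stays below the threshold, while the host that keeps retrying is reported once.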

The Stirling and TMG firewall teams put together a nice article on their experiences with the TMG/Stirling honeypot detector.

The figure below from their article shows the alert they saw. Indeed! Honeypot detection works for them.

[Figure: the honeypot alert shown in the TMG/Stirling team's article]

But you’ll want to see the “rest of the story”. Check it out at:

https://blogs.technet.com/isablog/archive/2009/03/09/it-worked-for-us-honey-pot-sensor-catches-malware.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
MVP — Forefront Edge Security (ISA/TMG/IAG)
