Threat Blocking With Network Inspection System (NIS)

A high number of false positives and the complexity of signature development can make some intrusion detection and prevention systems useless. How many times have you visited an organization, especially a small to medium business, that has a firewall that includes IDS/IPS, yet the system managers are not even following the logs?

This can leave all systems vulnerable, as more than 80% of attacks target protocols. Going from discovering a vulnerability to fixing it may take a long time, maybe weeks, if we are patching systems manually. Vulnerabilities in different operating systems may require considerable time for debugging, testing and applying application updates to all computers on the network. To reduce the time between discovering vulnerabilities and patching from weeks to hours, we can consider Forefront Network Inspection System (NIS).

Forefront Network Inspection System (NIS) is Microsoft’s response to this new and growing IT concern.  In its first release NIS is integrated with Threat Management Gateway (TMG) as a component of its Intrusion Prevention System (IPS) offering.

(1) NIS conceptual architecture

NIS is built on network protocol analysis using the Generic Application-Level Protocol Analyzer (GAPA). GAPA was completed and expanded by the TMG development team and is used by all Forefront Security products to protect servers, clients, and network traffic against suspicious network-level behavior.

NIS can detect exploits against vulnerabilities in all Microsoft products, and it deals with the following protocols: HTTP, DNS, SMB, MSRPC, SMTP, POP3, IMAP, and MIME. It is important to note, however, that NIS protects only against Web and network attacks. NIS evaluates three aspects of the network traffic:

  • Protocol state: The expected condition of the protocol at any point in time
  • Message structure: The validation of a message according to the protocol definition
  • Message context: The validation of a message in the context of the protocol state
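
The three aspects listed above, illustrated with a toy POP3 command inspector. This is an added example, not code from NIS, GAPA or the original article; the class and function names, the AUTH_USER state name and the sample session lines are constructed for illustration, and only a subset of the RFC 1939 commands is modelled.

```python
import re

# Client commands permitted in each POP3 session state (states per RFC 1939;
# AUTH_USER is this example's name for "USER accepted, PASS expected").
ALLOWED = {
    "AUTHORIZATION": {"USER", "QUIT"},
    "AUTH_USER": {"PASS", "QUIT"},
    "TRANSACTION": {"STAT", "LIST", "RETR", "DELE", "NOOP", "RSET", "QUIT"},
    "CLOSED": set(),
}
# Structure rule from RFC 1939: 3-4 letter keyword, arguments of at most
# 40 printable characters each, line terminated by CRLF.
LINE_RE = re.compile(r"([A-Za-z]{3,4})((?: [\x21-\x7e]{1,40})*)\r\n")


class Pop3Inspector:
    """Toy inspector: tracks state, validates structure, validates context."""

    def __init__(self):
        self.state = "AUTHORIZATION"    # protocol state tracked across messages

    def inspect(self, line, server_ok=True):
        """Return 'ok', 'bad-structure' or 'bad-context' for one client line."""
        m = LINE_RE.fullmatch(line)
        if m is None:
            return "bad-structure"      # violates the protocol definition
        cmd = m.group(1).upper()        # POP3 keywords are case-insensitive
        if cmd not in ALLOWED[self.state]:
            return "bad-context"        # well-formed, but wrong for this state
        self._advance(cmd, server_ok)
        return "ok"

    def _advance(self, cmd, server_ok):
        """Move the tracked state the way the server's reply implies."""
        if cmd == "QUIT":
            self.state = "CLOSED"
        elif cmd == "USER" and server_ok:
            self.state = "AUTH_USER"
        elif cmd == "PASS":
            # A rejected PASS sends the session back to the start of login.
            self.state = "TRANSACTION" if server_ok else "AUTHORIZATION"


def run(lines):
    """Inspect a constructed session; return (verdicts, final state)."""
    insp = Pop3Inspector()
    return [insp.inspect(line) for line in lines], insp.state
```

An oversized argument fails the structure check before any state is consulted, while a well-formed RETR sent before login passes the structure check and is rejected only because of the state the session is in.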

NIS Installation

There are no special difficulties in installing TMG 2010. You run the Preparation Tool to verify the current Windows installation and see whether it satisfies the requirements. If it does not, the tool takes steps to make the system capable of installing TMG. When the Preparation Tool finishes preparing the system, it notifies you that the preparation was done successfully and launches the TMG Setup Wizard.

NIS Research and Response

New actions may be required to minimize the effect of new threats. This means that in many situations companies need to create dynamic responses for more severe threats while keeping the default policy for moderate and lower threats.

  1. Threat Identification: The first stage of the analysis process is to gather reports on new vulnerabilities and attacks.
  2. Threat Research: In order to develop a signature against a vulnerability, it is important to understand how the vulnerability could be exploited.
  3. Signature Development: After the vulnerability is analyzed, the final output is a signature used by the NIS engine to detect and block network-based attacks.
  4. Signature Testing: After the signature is created, it undergoes various tests to help ensure that it functions as expected.
  5. Signature Release: Once the signatures have been certified through testing, they are digitally signed and packaged for distribution to Microsoft Update servers.

By using the Network Inspection System from Microsoft with regular signature updates according to the default policy, you will be able to significantly reduce the risk to the most commonly vulnerable systems.

Reference:

(1) Guide for Configuring, Monitoring and Troubleshooting the Network Inspection System (NIS) in Forefront Threat Management Gateway (TMG) 2010 : http://download.microsoft.com/download/F/4/0/F40887FD-648B-40E1-B79B-AAE43CEDCA4C/NIS%20in%20TMG%20Whitepaper.pdf
