Network Inspection System (NIS) in Threat Management Gateway

by Shijaz Abdulla on 04.01.2010 at 08:04

Network Inspection System (NIS) is the vulnerability signature component of TMG’s Intrusion Prevention System (IPS). NIS is a brand new feature in TMG, and helps prevent zero-day attacks.

This post explains how NIS works. Let’s take a scenario.

  • A vulnerability is detected in a product and disclosed on the internet
  • Software vendors start developing patches for customers affected
    • At the same time, attackers are taking advantage of these disclosed vulnerabilities, even before a patch for the vulnerability is released.

Software vendors can take weeks or even a month to develop and release a patch for a disclosed vulnerability. Till then, the vulnerability is out in the open. This means an attacker can compromise the system using the disclosed vulnerability even before the software vendor can develop a patch. This is called a zero-day situation.

How does NIS help in the zero-day situation?

  • NIS is a signature-based IPS. NIS will receive the signatures from the software vendor as soon as a vulnerability is disclosed.
  • While the patches are still being developed, NIS blocks all traffic matching this vulnerability signature, preventing attackers from compromising even unpatched systems.
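To make the mechanism concrete, here is a small, self-contained Python model of the idea described above: traffic is parsed protocol-aware (the GAPA approach), and a "vulnerability signature" is a predicate on the parsed fields describing the condition that triggers a bug, rather than a byte pattern of one particular exploit. This is an added illustration, not TMG or NIS code; the `HYPO-*` signature names, the request samples and the `inspect` function are all constructed for the example.

```python
"""Toy model of signature-based, protocol-aware inspection.

Added example only: not TMG, NIS or GAPA code. All signatures, request
samples and names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """Parsed view of an HTTP/1.x request head."""
    method: str
    path: str
    version: str
    headers: Dict[str, str]


def parse_http_request(raw: bytes) -> Optional[Request]:
    """Parse the request line and headers; return None if malformed.

    Parsing first is what lets a signature reason about fields
    (header lengths, numeric values) instead of raw byte patterns.
    """
    try:
        text = raw.decode("latin-1")
        head, _, _ = text.partition("\r\n\r\n")
        lines = head.split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (ValueError, IndexError):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, version, headers)


@dataclass
class Signature:
    """A vulnerability signature: a name plus a predicate over the parsed request."""
    name: str
    check: Callable[[Request], bool]


# Constructed signatures for HYPOTHETICAL bugs. They describe the triggering
# condition, so any exploit variant that meets the condition is caught,
# whatever filler bytes it uses.
SIGNATURES: List[Signature] = [
    Signature("HYPO-001 overlong Host header",
              lambda r: len(r.headers.get("host", "")) > 256),
    Signature("HYPO-002 non-numeric Content-Length",
              lambda r: "content-length" in r.headers
              and not r.headers["content-length"].isdigit()),
]


def inspect(raw: bytes,
            signatures: List[Signature] = SIGNATURES,
            enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("block", reason).

    `enabled=False` models NIS being switched off: traffic passes
    uninspected. Requests that cannot be parsed are blocked here as a
    fail-closed design choice for the example, not as documented NIS behaviour.
    """
    if not enabled:
        return "allow", None
    req = parse_http_request(raw)
    if req is None:
        return "block", "unparseable-request"
    for sig in signatures:
        if sig.check(req):
            return "block", sig.name
    return "allow", None


# Constructed sample traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
OVERLONG_HOST = b"GET / HTTP/1.1\r\nHost: " + b"a" * 300 + b"\r\n\r\n"
BAD_LENGTH = (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
              b"Content-Length: 12abc\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN),
                          ("overlong host", OVERLONG_HOST),
                          ("bad content-length", BAD_LENGTH)]:
        print(f"{label:20s} -> {inspect(sample)}")
    print(f"{'overlong, NIS off':20s} -> {inspect(OVERLONG_HOST, enabled=False)}")
```

The point of the model is the second signature style: because `HYPO-001` is keyed on the parsed header length, it does not matter what bytes an attacker fills the header with, which is why a vulnerability signature can be shipped at disclosure time and hold until the patch is deployed.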

So, what are the benefits?

  • Shrinks the ‘vulnerability window’ between vulnerability disclosure and patch deployment from weeks to just a few hours.
  • For Microsoft products that are retired (no longer supported by Microsoft), new security patches are not developed. As an example, Windows Server 2003 SP1 was retired in April 2009, and when Conficker emerged it attacked all unpatched machines, wreaking havoc.
  • NIS signatures for Microsoft products are updated free of charge for all TMG customers.
  • NIS is based on GAPA (Generic Application-level Protocol Analyzer) from Microsoft Research, and can also be extended to third-party products, although at the moment it protects only Microsoft products.

How to enable NIS on TMG?


  1. On the Forefront TMG console, go to Intrusion Prevention System.
  2. In the Tasks pane, click Configure Properties.
  3. Select the “Enable NIS” checkbox.
  4. You can see the list of signatures. These are updated automatically and free of charge for Microsoft products (does not need a subscription license).
  5. This is what happens when a user tries to browse a website that attempts to attack using a known vulnerability.
