Planning to protect against known vulnerabilities
Published: November 15, 2009
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help you plan how to use Forefront TMG to protect your network against operating system and application vulnerabilities.
Forefront TMG protects your network against exploits of known vulnerabilities in operating systems and applications with the Network Inspection System (NIS), the signature-based part of the Forefront TMG Intrusion Prevention System.
NIS is a traffic inspection system based on protocol decoding that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources by providing:
Comprehensive protection for Microsoft network vulnerabilities; research and response capabilities are provided by Microsoft Malware Protection Center (MMPC). For information about MMPC, see Malware Protection Center (http://go.microsoft.com/fwlink/?LinkId=160624).
An operational signature distribution channel that enables dynamic signature snapshot distribution through Microsoft Update. For information, see Planning for updates of protection definitions.
NIS inspects internal users’ Web traffic and, based on protocol analysis by the Microsoft Generic Application-level Protocol Analyzer (GAPA), detects and blocks malicious traffic. NIS can be updated with MMPC signatures as soon as they are created, to protect against new classes of attacks and vulnerabilities, including zero-day attacks, to minimize the vulnerability window between vulnerability disclosures and patch deployment, from weeks to a few hours. For information on GAPA, see Generic Application-Level Protocol Analyzer and its Language (http://go.microsoft.com/fwlink/?LinkId=160623).
When you plan to deploy NIS in your organization, consider the following:
NIS protects against network vulnerabilities; it does not protect against file vulnerabilities, such as virus or spyware transport. Protection against file vulnerabilities is handled by the malware inspection feature. For information, see Planning to protect against malicious web content.
NIS supports only MMPC authored and certified signatures.
To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or Windows Server Update Services (WSUS), and that automatic installation of the latest signature set is enabled. For more information, see Planning for updates of protection definitions.
When you download new signature sets from the MMPC, they are applied to new connections only. When you create your security policy, consider the convenience of users of long lasting connections (such as virtual private network connections), against the security of applying the most up-to-date protection to all connections.
On the local host (the Forefront TMG computer), NIS inspects only the HTTP, HTTPS, and e-mail protocols.
NIS inspects RPC over TCP; it does not inspect RPC over UDP. It is recommended that you use a firewall rule to block RPC over UDP traffic. For information, see Configuring firewall policy.