Overview of protection mechanisms

The diversity and ingenuity of the malicious activity on the Internet continue to increase with the constant appearance of new types of attacks and malware. This activity is aimed at gaining unauthorized access to assets, preventing authorized individuals from accessing information, altering or destroying data, exhausting resources, and more. The damage caused by malicious activity is immeasurable. Microsoft Forefront Threat Management Gateway provides a comprehensive set of defenses to help protect computers and networks in your organization from malicious activity and malware. These defenses include the following technologies:

  • Intrusion detection. As a first line of defense, Forefront TMG provides mechanisms that inspect all traffic to detect packets that were specially crafted for launching specific known types of attacks. For more information, see Overview of intrusion detection.
  • Flood mitigation. Attackers can mount flood attacks by sending large numbers of well-formed packets, from sources to destinations that the firewall policy allows, in order to deplete the victim's resources and disable its services. Forefront TMG uses connection counters and connection limits to identify and block traffic from clients that generate excessive traffic, while allowing legitimate traffic to continue to flow. For more information, see Overview of flood mitigation.
  • Malware inspection. Web traffic may contain malware (such as worms, viruses, and spyware). Forefront TMG includes comprehensive tools for scanning and blocking harmful content, files, and Web sites. For more information, see Overview of malware inspection.

Using Events and Alerts

When Forefront TMG detects malicious activity and blocks traffic, it generates events, which can trigger alerts that are defined in your configuration. You can use these alerts, which are displayed on the Alerts tab of the Monitoring node, to track and mitigate attacks. Alerts can be configured to perform specific actions, which include sending e-mail notifications, invoking a command, starting and stopping services, and logging.

You can also configure the conditions under which an alert is issued for the corresponding event. In particular, you can set triggering thresholds: the total number of times the event must be generated, and the number of times per second it must be generated, before the alert is issued. You can also specify when a repeated alert is issued: every time the triggering thresholds are exceeded, only after the alert has been reset, or only after a specified time has elapsed since the previous instance of the alert. In most cases, after an alert related to malicious activity is issued, the same alert is not issued again until it is reset.
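The following is an added example, not code from Forefront TMG or from this documentation: a small Python model of the alert triggering semantics described above, so that you can see how the two thresholds and the three repeat modes interact on a constructed stream of event timestamps. The class and function names are hypothetical, and the model assumes that timestamps arrive in non-decreasing order and that both counters restart once an alert is actually issued (so the thresholds must be crossed again before the next issue); that last point is an assumption of the model, not a statement about TMG internals.

```python
from collections import deque

# Repeat modes, mirroring the three choices described in the text.
IMMEDIATELY = "immediately"          # re-issue every time the thresholds are exceeded
AFTER_MANUAL_RESET = "after_reset"   # re-issue only after the alert has been reset
AFTER_INTERVAL = "after_interval"    # re-issue only after min_interval seconds since the last issue


class AlertDefinition:
    """Hypothetical model of one alert definition bound to one event type.

    occurrences  : total number of events before the alert is issued
    per_second   : events within one trailing second before the alert is issued (0 = not used)
    recurrence   : one of the three modes above
    min_interval : seconds that must pass before a repeat issue (AFTER_INTERVAL only)
    Assumption of this model: both counters restart when the alert is issued.
    """

    def __init__(self, name, occurrences=1, per_second=0,
                 recurrence=IMMEDIATELY, min_interval=0.0):
        self.name = name
        self.occurrences = occurrences
        self.per_second = per_second
        self.recurrence = recurrence
        self.min_interval = min_interval
        self.total = 0
        self.window = deque()   # timestamps of events in the trailing one-second window
        self.issued_at = []     # timestamps at which the alert was issued
        self.active = False     # issued and not yet reset

    def reset(self):
        """Manual reset (as from the Alerts tab): clears the active flag and the counters."""
        self.active = False
        self.total = 0
        self.window.clear()

    def on_event(self, ts):
        """Feed one event at time ts (seconds). Returns True if the alert is issued now."""
        self.total += 1
        self.window.append(ts)
        while ts - self.window[0] >= 1.0:   # drop events older than one second
            self.window.popleft()
        # Both thresholds must be met before the alert can be issued.
        if self.total < self.occurrences or len(self.window) < self.per_second:
            return False
        # An alert that is already active is re-issued only as the repeat mode allows.
        if self.active:
            if self.recurrence == AFTER_MANUAL_RESET:
                return False
            if self.recurrence == AFTER_INTERVAL and ts - self.issued_at[-1] < self.min_interval:
                return False
        self.issued_at.append(ts)
        self.active = True
        self.total = 0           # assumption: counters restart after an issue
        self.window.clear()
        return True


def simulate(definition, ops):
    """Replay a list of operations: a float is an event timestamp, the string
    "reset" is a manual reset. Returns the timestamps at which the alert was issued."""
    for op in ops:
        if op == "reset":
            definition.reset()
        else:
            definition.on_event(op)
    return list(definition.issued_at)


# Constructed event streams (not real TMG log data).
BURST_1 = [0.0, 0.1, 0.2, 0.3, 0.4]          # five events in half a second
BURST_2 = [0.5, 0.6, 0.7, 0.8, 0.9]          # a second burst right behind it
SLOW = [3.0, 5.0, 7.0, 9.0, 11.0]            # five events, never five within one second
BURST_3 = [100.0, 100.1, 100.2, 100.3, 100.4]  # a burst well over a minute later


def demo():
    """Run the same 5-events / 5-per-second thresholds under each repeat mode."""
    return {
        "immediately": simulate(
            AlertDefinition("flood", 5, 5, IMMEDIATELY), BURST_1 + BURST_2 + SLOW),
        "after_reset": simulate(
            AlertDefinition("flood", 5, 5, AFTER_MANUAL_RESET),
            BURST_1 + BURST_2 + ["reset"] + BURST_3),
        "after_interval": simulate(
            AlertDefinition("flood", 5, 5, AFTER_INTERVAL, 60.0),
            BURST_1 + BURST_2 + BURST_3),
    }


if __name__ == "__main__":
    for mode, issued in demo().items():
        print(f"{mode:15s} alert issued at: {issued}")
```

Note what the slow stream shows: five events spread over eight seconds satisfy the total-occurrence threshold but never the per-second threshold, so no alert is issued; and in the after-reset mode the second burst is silently absorbed until an administrator resets the alert, which is the behaviour the last sentence above describes for most malicious-activity alerts.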

Logging Malicious Activity

The events that Forefront TMG generates when traffic is blocked by a protection mechanism are recorded in the Forefront TMG log.

When an attack occurs, many events will be logged. By default, if an attack depletes resources to the point that Forefront TMG can no longer log activity, it generates an event that triggers the "Log Failure" alert. The default action of this alert shuts down the Microsoft Firewall service and causes Forefront TMG to go into lockdown mode. If you disable the action of the "Log Failure" alert, the Firewall service continues to run when logging failures occur. For more information about modifying this behavior, see Configuring logging to avoid lockdown.