Planning for the intrusion prevention system

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Software products, including applications and operating systems, are known to have flaws. A security flaw that enables an attacker to gain unauthorized access to restricted resources or to execute tasks as another user is regarded as a vulnerability. The attacker exploits it by writing specific exploit code that takes advantage of the known vulnerability to achieve a goal. Because computers are connected to the Internet, a third-party attacker can be virtually anyone in the world. Exploits of vulnerabilities often cause significant damage or losses to users.

Until now, the only answer that Microsoft has provided to customers is patches for known security flaws. However, a patch solves the problem only in the long term, after it has been fully deployed on all computers. According to recent studies, the probability of patch deployment obeys a Poisson distribution with µ = 49 days. Therefore, in a typical organization there is a high probability of infection until a patch is deployed. This probability is likely to increase because the time between the discovery of a vulnerability and the creation of exploit code has been decreasing.

Although software vendors typically provide patches for their products after a security flaw is discovered, only a few have implemented a mechanism like Microsoft Update that proactively distributes patches to all their users. Some non-Microsoft products use a Windows Update-like solution that deploys patches to users automatically; other products have no automatic solution for patch deployment. For these products, the average time that elapses before a patch is deployed is significantly longer.

Unfortunately, there is no single solution to this problem. Instead there are several techniques that can be used to attempt to mitigate the problem.

One solution is an intrusion prevention system (IPS). An IPS is not a single algorithm, but a concept that embraces various types of solutions. It can be based on antivirus software, firewall policies, or vulnerability definitions. A definition is a set of conditions that, when met, indicate some type of intrusion event. Definition-based intrusion detection is not limited to pattern matching; definition-based solutions include both pattern matching and protocol decode-based analysis.

Definition-based intrusion detection works by inspecting traffic for the purpose of identifying exploit code that matches the definition of a known vulnerability. In an ideal solution, an IPS would identify all traffic containing an exploit with zero false positives and zero false negatives.

The Forefront TMG IPS is a definition-based system that can detect and block attacks against vulnerable network resources. 

The Forefront TMG IPS can be enabled or disabled. When the IPS is enabled, definitions for known vulnerabilities that are downloaded from Microsoft Update are used to detect and potentially block malicious traffic. The definitions can be deployed on the Forefront TMG computers in a much shorter time than patches can be deployed on all the vulnerable network resources in an organization. The definitions can be used to protect the network resources until the corresponding patches are fully deployed. Then the definitions can be disabled to improve performance.

Configuring the IPS

In Forefront TMG, the elements of the IPS configuration include the following.

  • Enabling and disabling the IPS
  • Vulnerability definitions
  • IPS exceptions
  • Initial definition configuration
  • Resetting the configuration

Enabling and disabling the IPS

You can turn on and off all IPS functionality. Disabling the IPS is equivalent to disabling all vulnerability definitions, although the definition configuration itself remains unchanged. If you turn off the IPS and then turn it back on, the configuration settings of all the definitions will be the same as they were before you disabled the IPS.

Definitions

Each definition corresponds to a specific vulnerability and has a unique name (identifier). A definition consists of a blob of data and specifies a default response, which is the action recommended by Microsoft. Each definition specifies one of the following two default responses.

  • Block and log. Block every malicious packet containing exploit code that corresponds to the definition by dropping the packet (and resetting the connection if TCP is being used), and create a log entry that specifies the applicable definition for the event.
  • Log. Create a log entry that specifies the name of the applicable definition for every malicious packet detected, without blocking it.

You can configure the IPS in one of three ways: use the recommended default response specified in each definition (block and log malicious packets, or only log them); log the malicious packets that are detected and generate events for all definitions without blocking any traffic; or disable the IPS. If you disable the IPS, the responses of all definitions are disabled.

Each definition also includes the date on which it was published. In addition, definitions may contain data for the following fields:

  • Business Impact. The possible business-impact levels are low, medium, and high.
  • Confidence. The possible confidence levels are low, medium, high, and perfect.
  • Severity. The possible vulnerability severity levels are low, moderate, important, and critical.
  • Risk Level. The possible risk levels are low, medium, and high.
  • Related Bulletins. A list of related security bulletins published by the Microsoft Response Center.
  • Protocol. The targeted protocol.
  • Type. The possible types of malware are trojan, adware, spyware, botnet, and other.

Definitions are obtained from Microsoft Update over the Internet. The IPS automatically checks for and downloads new and updated definitions for the Forefront TMG inspection services according to a user-defined updating schedule. The schedules for obtaining definitions for the IPS, antispam, e-mail antivirus, and Web antivirus services are configured separately. At any time, you can also request Forefront TMG to check for new and updated definitions for the IPS or any of the other services. The schedules for all the services are accessed through the Update Center node in Forefront TMG Management. For each service, the time when the last check for new updates was made, the time when the last update was obtained, and the status of the last attempt to obtain updates are displayed in the details pane. New definitions can also be imported from a file.

The vulnerability definitions available to the IPS are listed at the Intrusion Protection System node in Forefront TMG Management. The definitions for the following categories are listed separately.

  • Virtual Patching. These definitions are characterized by a unique name, the date on which they were published, a severity level, a response, a protocol, a business-impact level, a confidence level, and a list of related security bulletins.
  • IM/P2P Blocking. These definitions are characterized by a unique name, the date on which they were published, a risk level, and a response.
  • Malware. These definitions are characterized by a unique name, the date on which they were published, a risk level, a type, a response, and a protocol.
  • Other. These definitions are characterized by a unique name, the date on which they were published, a response, and a protocol.

The IPS allows rapid development of vulnerability-based definitions that can be used until patches are deployed (as opposed to “exploit definitions”, which need to be written for specific attacks). Note that a definition is used to detect exploits of the corresponding vulnerability, while a patch removes the vulnerability from the software and renders the exploit code ineffective.

Vulnerability definitions contain the policy updates needed to identify and block exploits of new vulnerabilities in Microsoft products. The release of IPS definitions parallels the Microsoft patch release process. When a vulnerability is discovered, a Microsoft definition authoring team becomes responsible for writing the IPS definitions. Definitions are associated with Microsoft Response Center bulletins, although in some cases they may be released before a bulletin is available. Definitions are packaged by a Microsoft response team and are distributed to Forefront TMG customers worldwide from Microsoft Update.

A definition is never removed from Forefront TMG. After a definition has been downloaded, it remains in Forefront TMG until Forefront TMG itself is uninstalled. Even previous versions of definitions are kept in Forefront TMG, in case you encounter problems with the updated definition and want to roll back.

Definitions are obtained for the inspection services from Microsoft Update. Nitrogen can automatically check for new definitions and definition updates and download them periodically. Nitrogen computers can also be updated manually. The Nitrogen update client detects definitions that it does not have, as well as updated versions of existing definitions, and downloads the applicable packages. After definitions are downloaded and processed, they are available for configuration by the administrator or by the auto-activation policy.

You must subscribe to obtain definition updates for each service.

A definition can impose a policy that blocks RPC calls on a particular UUID, or blocks calls to a vulnerable function.

The administrative tasks for vulnerability definitions include configuring the schedule for updating them, activating their response, and defining exceptions for them.

For more information about configuring the schedule for updating vulnerability definitions, see Updating definitions.

A Forefront TMG administrator can manually enable and disable definitions and modify their responses in Forefront TMG Management. When a definition is enabled, network traffic matching the definition causes the definition to execute its response (provided the traffic is not exempt because it is included in an exception list) and a log entry to be created. When a definition is disabled, no action is taken when matching network traffic is detected.

IPS exceptions

You can create two types of exception lists that define sources and destinations of traffic to be excluded from the IPS.

  • Excluded IP addresses. The IP addresses included in specific network entities can be excluded from the IPS. Specifically, non-HTTP traffic whose source or destination IP address belongs to a network entity in the global IPS exception list, and HTTP traffic whose source IP address belongs to one of these network entities, is neither scanned nor in any way affected by the IPS. The network entities included in this list may be computers, computer sets, networks, network sets, subnets, and IP address ranges.
  • Excluded domain name sets. A list of domain name sets can also be excluded from the IPS. HTTP traffic sent to destinations included in the domain name sets in this list is neither inspected nor in any way affected by the IPS.

The list of excluded IP addresses and the list of excluded domain name sets apply to all definitions enabled.
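The way the IPS mode, the enable state and response of each definition, and the two exception lists combine can be written out as a small decision model. The following is an added example, not Forefront TMG code and not its administration API: the class and field names (IpsMode, Definition, Traffic, decide) and all addresses, domain names and definition names are constructed for the illustration, and the `matched` field stands in for the pattern-matching engine, which is not modelled.

```python
"""Decision model for the Forefront TMG IPS response rules in this topic; an added
illustration, not Forefront TMG code. All names and sample data are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

class Response(Enum):
    BLOCK_AND_LOG = "block and log"  # drop the packet, reset TCP, write a log entry
    LOG = "log"                      # write a log entry only; the traffic passes

class IpsMode(Enum):
    DISABLED = "disabled"        # responses of all definitions are disabled
    RECOMMENDED = "recommended"  # use the response configured on each definition
    DETECT_ONLY = "detect only"  # log and raise events for every match, never block

@dataclass
class Definition:
    name: str
    default_response: Response           # the action recommended by Microsoft
    enabled: bool = True
    response: Optional[Response] = None  # administrator override of the default

    def effective_response(self) -> Response:
        return self.response or self.default_response

@dataclass
class IpsConfig:
    mode: IpsMode = IpsMode.RECOMMENDED
    excluded_networks: list = field(default_factory=list)  # network entities as CIDR strings
    excluded_domains: set = field(default_factory=set)     # domain name set entries

@dataclass
class Traffic:
    src: str
    dst: str
    protocol: str                  # "tcp", "udp" or "http" (HTTP runs over TCP)
    host: Optional[str] = None     # HTTP destination host name
    matched: Optional[str] = None  # definition the pattern engine matched; stands in for matching

@dataclass(frozen=True)
class Decision:
    blocked: bool
    reset_connection: bool
    logged_definition: Optional[str]  # definition named in the log entry, if any
    reason: str

def _in_excluded_networks(cfg: IpsConfig, ip: str) -> bool:
    return any(ip_address(ip) in ip_network(n) for n in cfg.excluded_networks)

def _host_in_domain_sets(host: str, entries: set) -> bool:
    # Assumed matching rule: an exact name, or "*.suffix" covering the suffix and its subdomains.
    host = host.lower().rstrip(".")
    return any((host == e[2:] or host.endswith(e[1:])) if e.startswith("*.") else host == e
               for e in (x.lower() for x in entries))

def is_exempt(cfg: IpsConfig, t: Traffic) -> bool:
    """HTTP: exempt only by an excluded *source* address or an excluded destination domain.
    Other protocols: exempt if either endpoint is an excluded address."""
    if t.protocol == "http":
        return _in_excluded_networks(cfg, t.src) or (
            t.host is not None and _host_in_domain_sets(t.host, cfg.excluded_domains))
    return _in_excluded_networks(cfg, t.src) or _in_excluded_networks(cfg, t.dst)

def decide(cfg: IpsConfig, definitions: dict, t: Traffic) -> Decision:
    """Resolve the action for one packet: IPS mode, then exceptions, then the definition."""
    if cfg.mode is IpsMode.DISABLED:
        return Decision(False, False, None, "IPS disabled")
    if is_exempt(cfg, t):
        return Decision(False, False, None, "exempt: not inspected")
    if t.matched is None:
        return Decision(False, False, None, "no definition matched")
    d = definitions[t.matched]
    if not d.enabled:
        return Decision(False, False, None, f"{d.name} is disabled")
    response = Response.LOG if cfg.mode is IpsMode.DETECT_ONLY else d.effective_response()
    if response is Response.BLOCK_AND_LOG:
        return Decision(True, t.protocol in ("tcp", "http"), d.name, f"blocked by {d.name}")
    return Decision(False, False, d.name, f"logged by {d.name}")

def run_demo() -> dict:
    """Constructed definitions, exception lists and packets; returns one Decision per case."""
    blk, log, off = "SAMPLE-DEF-0001", "SAMPLE-DEF-0002", "SAMPLE-DEF-0003"
    defs = {blk: Definition(blk, Response.BLOCK_AND_LOG),
            log: Definition(log, Response.LOG),
            off: Definition(off, Response.BLOCK_AND_LOG, enabled=False)}
    cfg = IpsConfig(excluded_networks=["10.0.5.0/24"], excluded_domains={"*.partner.example"})
    cli, ext, exc = "10.0.1.7", "198.51.100.20", "10.0.5.12"  # client, Internet host, excluded host
    cases = {
        "tcp_block": (cfg, Traffic(cli, ext, "tcp", matched=blk)),
        "udp_log_only": (cfg, Traffic(cli, ext, "udp", matched=log)),
        "def_disabled": (cfg, Traffic(cli, ext, "tcp", matched=off)),
        "src_excluded": (cfg, Traffic(exc, ext, "tcp", matched=blk)),
        "udp_dst_excluded": (cfg, Traffic(cli, exc, "udp", matched=blk)),
        # HTTP sent *to* an excluded address is still inspected; only the source exempts HTTP
        "http_dst_excluded_ip": (cfg, Traffic(cli, exc, "http", host="intranet.corp.example", matched=blk)),
        "http_domain_excluded": (cfg, Traffic(cli, "203.0.113.9", "http", host="www.partner.example", matched=blk)),
        "detect_only": (IpsConfig(mode=IpsMode.DETECT_ONLY), Traffic(cli, ext, "tcp", matched=blk)),
    }
    return {label: decide(c, defs, t) for label, (c, t) in cases.items()}
```

Running run_demo() and printing the reason of each Decision shows the asymmetry worth remembering when you populate the exception lists: HTTP traffic to an address in an excluded network entity is still inspected, because for HTTP only the source address (or a destination in an excluded domain name set) exempts the traffic, while for non-HTTP traffic either endpoint does.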

Initial IPS configuration

When you run the Getting Started Wizard, you will be asked whether to enable the IPS. If you enable the IPS, you can select one of the following options:

  • Use the Microsoft recommended default action included in each definition (block and log or just log traffic that matches the definition).
  • Detect and report malicious traffic and events, but do not block any traffic.

You will also be asked to define a schedule for obtaining updates of the IPS definitions from Microsoft Update. The following types of schedules can be configured.

  • Checking for updates every time that a fixed user-selected time period elapses. This is the only option that allows checking for updates more than once a day.
  • Checking for updates once every day at a user-selected time.
  • Checking for updates only on specific user-selected days of the week.
  • Never checking for updates automatically.

All of these initial IPS settings can be modified at any time in Forefront TMG Management.
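The four schedule types, modelled as an added example (not Forefront TMG code; the Schedule representation and the sample schedules are constructed). next_check computes the first automatic check after a given instant, and worst_case_wait gives the longest a definition published just after a check can wait for the next one, which is the figure that matters when planning how quickly definitions reach the Forefront TMG computers.

```python
"""Model of the four IPS definition update schedule types named in this topic and of
the worst-case delay before a newly published definition is fetched. An added
illustration, not Forefront TMG code; the Schedule fields are an assumed representation."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Sequence

@dataclass(frozen=True)
class Schedule:
    kind: str                          # "interval", "daily", "weekly" or "never"
    every: Optional[timedelta] = None  # interval: fixed period between checks
    at: Optional[time] = None          # daily/weekly: time of day to check
    weekdays: Sequence[int] = ()       # weekly: 0 = Monday ... 6 = Sunday

def next_check(s: Schedule, now: datetime,
               last_check: Optional[datetime] = None) -> Optional[datetime]:
    """First automatic check strictly after `now`, or None if there will be none."""
    if s.kind == "never":
        return None
    if s.kind == "interval":
        # The period elapses from the previous check (or from now if there was none);
        # this is the only kind that can check more than once a day.
        nxt = (last_check or now) + s.every
        while nxt <= now:
            nxt += s.every
        return nxt
    first = datetime.combine(now.date(), s.at)
    for day in range(8):  # today plus one full week covers every weekly schedule
        candidate = first + timedelta(days=day)
        if candidate > now and (s.kind == "daily" or candidate.weekday() in s.weekdays):
            return candidate
    return None  # weekly schedule with no days selected

def worst_case_wait(s: Schedule) -> Optional[timedelta]:
    """Longest a definition published just after a check waits until the next check."""
    if s.kind == "interval":
        return s.every
    if s.kind == "daily":
        return timedelta(days=1)
    if s.kind == "weekly" and s.weekdays:
        days = sorted(set(s.weekdays))
        # gap from each selected weekday to the next selected one, wrapping around the week
        gaps = [((days[(i + 1) % len(days)] - days[i]) % 7) or 7 for i in range(len(days))]
        return timedelta(days=max(gaps))
    return None  # never checks automatically

def demo() -> dict:
    """Constructed schedules evaluated at Tuesday 2009-01-13 09:00 (a constructed instant)."""
    now = datetime(2009, 1, 13, 9, 0)
    schedules = {
        "every_6h": Schedule("interval", every=timedelta(hours=6)),
        "daily_0300": Schedule("daily", at=time(3, 0)),
        "mon_thu_0300": Schedule("weekly", at=time(3, 0), weekdays=(0, 3)),
        "wed_only_0300": Schedule("weekly", at=time(3, 0), weekdays=(2,)),
        "never": Schedule("never"),
    }
    return {k: (next_check(s, now), worst_case_wait(s)) for k, s in schedules.items()}
```

A weekly schedule that checks on Monday and Thursday leaves a four-day window (Thursday to Monday) in which a newly published definition is not fetched automatically; the fixed-interval schedule is the only type that closes that window to less than a day.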

Resetting the IPS configuration

At any time, you can modify the IPS configuration for all the IPS definitions that have already been downloaded. When you reset the IPS configuration, you can select one of the following options:

  • Use the Microsoft recommended default action included in each definition (block and log or just log traffic that matches the definition).
  • Detect and report malicious traffic and events, but do not block any traffic.

When you reset the IPS configuration for definitions that have already been downloaded, you can also apply the selected option to new definitions as they are downloaded.

Activity Statistics

The overall activity of the IPS is reported in the following two fields in the Forefront TMG activity statistics.

  • Packets inspected by the IPS
  • Packets blocked by the IPS

Scenarios

The Forefront TMG IPS is designed to protect users in the following scenarios.

Edge Firewall – Outgoing Access

Internal clients access the Internet for both business and leisure purposes. An internal user in your organization may access a malicious resource on the Internet that contains exploit code for a new vulnerability in a network protocol. The vulnerability is already known to Microsoft, but the patch has not yet been deployed on this user's computer.

In this scenario, Forefront TMG serves as an edge firewall that inspects traffic initiated by internal clients to the Internet. Forefront TMG has already downloaded the vulnerability definition and terminates the session with the malicious Internet resource, so that the client is not infected. In addition, the IPS may protect the client from vulnerabilities in non-browser applications such as instant messaging clients or newsgroup readers (MS05-30, for example). The Forefront TMG administrator reviews logs and alerts and learns about the exploit attempt.

Edge Firewall – Publishing

The IT manager in the organization publishes an internal server to the Internet through Forefront TMG to allow partners and Internet users to access the resources that the organization provides. Malicious clients on the Internet connect to the published server and attempt to use exploit code that takes advantage of a new vulnerability in a network protocol to attack the server. As in the first scenario, the vulnerability is already known to Microsoft, but the patch has not yet been deployed on the published server.

Forefront TMG has already downloaded the vulnerability definition and terminates the session initiated by the malicious client. The published server is not infected. The Forefront TMG administrator reviews logs and alerts and learns about the exploit attempt.

Roaming clients

A corporate user connects to the corporate network using his home computer. The home computer is infected with new malware that contains an exploit for a known vulnerability and starts attacking other corporate computers through the VPN tunnel connection. Forefront TMG has already downloaded the vulnerability definition and terminates any session that is trying to infect the corporate network using an exploit of the vulnerability. In addition, Forefront TMG detects that the VPN client has been compromised and disconnects the VPN connection with it.

Branch Office

The IT manager deploys Forefront TMG as a branch office firewall, connecting a remote office with the headquarters. All the traffic between computers in the branch office and the headquarters goes through Forefront TMG.

An internal user brought his laptop to the branch office from home, where it was infected with a virus. The virus infects other computers in the branch office, but it is stopped by Forefront TMG and does not reach the headquarters.

Company with IsaNCentro

A small company has a set of servers running Essential Business Server, which includes Forefront TMG. Active Directory, DNS, a Web server, and Exchange 2007 are all deployed on this set of computers.

An employee in the company deliberately tries to attack the Essential Business Server computers using an exploit of a new vulnerability in a core Windows service. Forefront TMG, which is protecting the Essential Business Server computers, has already downloaded the definition and blocks the employee's attempt. Forefront TMG signals an alert, and the IT administrator identifies the computer inside the company from which the thwarted attack was made. The incident can be reported to the company's management, which can take disciplinary action against the employee.