Forefront Threat Management Gateway 2010 (TMG) added a Network Inspection System (NIS) feature that detects vulnerabilities and exploits in multiple protocols. To learn more about NIS, read this whitepaper.
Forefront TMG comes with a free complimentary NIS subscription, through which we constantly update NIS with new signatures to help protect against current vulnerabilities and exploits.
We are happy to announce that we have published signatures to help protect against commonly used exploits of SQL injection and cross-site scripting (XSS) vulnerabilities.
The Microsoft Malware Protection Center encyclopedia has more information about these signatures:
If you are using Forefront TMG and have chosen to use NIS (you should!!), you will receive these signatures automatically through the update center.
Author: Ori Yosefi - Senior Program Manager, Forefront TMG
Reviewers: Ziv Mador - Senior Program Manager, Protection Team; Gabriel Koren - Test Team, Forefront Edge
I have a test TMG 2010 server set up. The NIS filter is enabled, and signatures from MS update hourly.
Yet by default, HTTP.URL.XSS! is set for 'Enabled / Detect Only' and HTTP.URL.SQLInj! is set for 'disabled / detect only'. Is this by design? Are these filters exceptionally processor consuming if set for 'Enable / Block'? So even if the signatures are set to auto update, by default these pretty important filters won't be doing anything even with NIS enabled.
My primary concern is to block SQL attacks from web applications (in their own vLAN, which are web published) servers, by placing production SQL servers in their own vLAN and using TMG to ‘publish’ the SQL servers. My understanding is the NIS filters will continue to work; can you confirm this?
ALSO, should we be looking at more (3rd party) SQL NIS filters for SQL servers, or are these two default filters ‘enough’?
I am also concerned about what type of hardware is needed for TMG to keep up w/ 1G wire speed when using the NIS filters.
Jreininger (at) yahoo
If we look at the latest Gartner report, MS NIS is nowhere in the quadrant? Can you publish details about how to disable NIS from TMG and from Forefront?