This topic is designed to help you plan how to use Forefront TMG to protect your network against operating system and application vulnerabilities.
Forefront TMG protects your network against exploits of known vulnerabilities in operating systems and applications with the Network Inspection System (NIS), the signature-based part of the Forefront TMG Intrusion Prevention System.
NIS is a traffic inspection system based on protocol decoding that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources by providing:
- Comprehensive protection for Microsoft network vulnerabilities; research and response capabilities are provided by the Microsoft Malware Protection Center (MMPC). For information about MMPC, see Malware Protection Center
- An operational signature distribution channel that enables dynamic signature snapshot distribution through Microsoft Update. For information, see Planning for updates of
NIS inspects internal users’ Web traffic and, using protocol analysis by the Microsoft Generic Application-level Protocol Analyzer (GAPA), detects and blocks malicious traffic. NIS can be updated with MMPC signatures as soon as they are created, protecting against new classes of attacks and vulnerabilities, including zero-day attacks, and shrinking the vulnerability window between vulnerability disclosure and patch deployment from weeks to a few hours. For information on GAPA, see Generic Application-Level Protocol Analyzer and its Language (http://go.microsoft.com/fwlink/?LinkId=160623).
When you plan to deploy NIS in your organization, consider the following:
- NIS protects against network vulnerabilities; it does not protect against file vulnerabilities, such as virus or spyware transport. Protection against file vulnerabilities is handled by the malware inspection feature. For information, see protect against malicious Web content.
- NIS supports only MMPC authored and certified
- To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or Windows Server Update Services (WSUS), and that automatic installation of the latest signature set is enabled. For more information, see Planning for updates of
- When you download new signature sets from the MMPC, they are applied to new connections only; existing connections continue to be inspected with the signature set that was in effect when they were established. When you create your security policy, weigh the convenience of users of long-lasting connections (such as virtual private network connections) against the security of applying the most up-to-date protection to
- On the local host (the Forefront TMG computer), NIS inspects only the HTTP, HTTPS, and e-mail
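The connectivity check in the planning list above, as an added example that is not part of the original page or of the Forefront TMG product: a PowerShell function, written to run on the Forefront TMG computer, that opens a TCP connection to each configured update source with a timeout and reports whether it is reachable. The host names and ports (a Microsoft Update endpoint on 443, an internal WSUS server on 8530) are assumptions; replace them with the update source actually selected in your deployment. The script uses only .NET socket classes so that it also runs on the PowerShell 2.0 that ships with the Windows Server versions Forefront TMG supports.

```powershell
# Added example, not from the original page or from Forefront TMG itself.
# Checks that the TMG computer can reach its NIS signature update source
# (Microsoft Update or a WSUS server) before relying on automatic updates.

function Test-UpdateSourceReachable {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a firewalled host fails fast instead of hanging.
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return New-Object PSObject -Property @{
                Host = $HostName; Port = $Port; Reachable = $false; Detail = 'timeout'
            }
        }
        $client.EndConnect($ar)
        return New-Object PSObject -Property @{
            Host = $HostName; Port = $Port; Reachable = $true; Detail = 'connected'
        }
    }
    catch {
        # DNS failure, connection refused, or a deny rule on the TMG system policy.
        return New-Object PSObject -Property @{
            Host = $HostName; Port = $Port; Reachable = $false; Detail = $_.Exception.Message
        }
    }
    finally {
        $client.Close()
    }
}

# Assumed update sources; substitute the ones selected in your TMG configuration.
$updateSources = @(
    @{ HostName = 'update.microsoft.com'; Port = 443 },   # assumption: Microsoft Update over HTTPS
    @{ HostName = 'wsus.corp.example';    Port = 8530 }   # assumption: internal WSUS on its default HTTP port
)

$results = foreach ($source in $updateSources) {
    Test-UpdateSourceReachable @source
}
$results | Format-Table Host, Port, Reachable, Detail -AutoSize

# Non-zero exit if any source is unreachable, so the check can run as a scheduled task.
if ($results | Where-Object { -not $_.Reachable }) { exit 1 }
```

A successful TCP connection only proves the network path and the TMG system policy allow the traffic; it does not prove a signature set was actually downloaded and installed. Pair this check with the automatic-installation setting referenced in the list above and with the update status shown in the Forefront TMG management console.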