Configuring Network Inspection System (NIS)

  • Article

 

Network Inspection System (NIS), the vulnerability signature component of TMG Intrusion Prevention System (IPS), comes with a pre-defined recommended policy out of the box – this is the recommended configuration for NIS. Nevertheless, NIS supports granular control and policy configuration to comply with your specific organization needs, troubleshooting and investigation requirements.

In this blog, I would like to explore NIS configuration options while in subsequent blog postings, we will explore how they can be used for specific detailed scenarios.

General configuration

You can easily locate configuration options on the Task Menu of the NIS IPS Tab.

clip_image002

Once you click on Configure Properties task, the main NIS Properties Configuration Pane is ready to use.

Enabling NIS– Properties Configuration Pane:

NIS is enabled by default.

clip_image004

If NIS is disabled, click on Configure Properties the main NIS Properties Configuration Pane.

Check Enable NIS à you are ready to go!

You can choose to Enable or Disable NIS. If you choose to Disable NIS, your policy configuration (signature overrides, new signature policy, exception list etc) are still saved. Once you enable NIS you are up and running again with no further action required. NIS it will immediately check for new updates and comply with your signature snapshot update policy.

Configuring Signature Sets Updates

NIS uses signatures developed by the Microsoft Malware Protection Center to protect un-patched systems from attacks that exploit known vulnerabilities of Microsoft operating systems and applications. To keep your systems protected from the latest threats, we recommend that you verify that you have connectivity to the appropriate update source (Microsoft Update or WSUS) and that you enable automatic installation of the latest signatures.

Before you can use Forefront TMG to block attacks on known vulnerabilities, you must first download the latest NIS signature set. Follow the instructions below to configure NIS signature set updates.

To manage NIS signature set downloads:

  1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.
  2. On the Tasks tab, click Configure Settings.
  3. On the Update Configuration tab, under Select automatic update action, select one of the following options:
    • Check for and install updates (recommended) — select this configuration to automatically download and install the latest signature updates.
    • Only check for updates — select this configuration to be notified of the availability of new signatures for download.
    • Do nothing — select this configuration to disable automatic updates.
  4. Select Automatic Polling Frequency – Recommended default is 15 minutes. Definition Updates will be downloaded only when new ones are available!
  5. Under Select the response policy for new signatures, select one of the following options:
    • Microsoft default policy (recommended) — select this configuration to accept the default response to the signature.
    • Detect only response — select this configuration to record a log only when traffic matching this signature is detected.
    • No response (disable signature) — select this configuration to take no action and to not record a log if traffic matching this signature is detected.

clip_image006

You can click the Version Control button to select older signature snapshot. This feature should be used only for troubleshooting scenario; this will be discussed in detail in a future blog posting; stay tuned…

You can verify the NIS overall Signature Update Configuration in the Information Bubble in the main Pane:

clip_image008

or through the TMG Update Center, the centralized management console for all TMG protection mechanisms definition updates. This is an area for a dedicated blog; stay tuned…

Configuring Exceptions

NIS allows you to exclude network entities from inspection. You may choose to exclude any network objects known to TMG (IP Sets, URLs Sets etc) for capacity planning or troubleshooting scenarios. When you exclude a network object both incoming and outgoing traffic is excluded from inspection.

To manage NIS exceptions:

1. In the Forefront TMG Management console, click the Intrusion Prevention System node.

2. On the Tasks tab, click Define Network Inspection System Exceptions.

3. On the Exceptions tab, click Add, and then select the network entities you want to exclude from inspection.

4. When finished, on the Apply Changes bar, click Apply.

clip_image010

Configuring Protocol Anomaly Policy

Network Inspection System (NIS) checks that the network traffic is in compliance with protocol standards. In some cases, an anomaly is by design and for a legitimate purpose, but in others it may be a network attack designed to evade intrusion prevention systems. You can choose which action NIS takes when detecting traffic with a protocol anomaly: Allow, avoiding blocking legitimate traffic or Block, to tighten security.

clip_image012

Configuring Global Setting

NIS can be operated in Either Microsoft Recommended Default (Discussed more in Signature Overrides section next) or as Intrusion Detection System (IDS). Once Global Policy is chosen new signature updates will receive the Global Policy setting automatically.

clip_image014

Configuring Signatures Overrides

NIS allows you to have granular control over policy configuration. Basically, NIS comes with a pre-defined recommended policy out of the box – this is the recommended configuration for NIS. The NIS Response Team set the Recommended Policy based on multiple factors including the vulnerability severity and business impact. Microsoft Malware Protection Center may change the recommended policy automatically through signature snapshot update. If you choose your own policy, such as setting a “Block” mode signature to "Detect Only" we will not change it automatically for you.

You can change the policy for a specific signature, multiple selection signatures or a group of signatures.

To select a group of signatures, you should group the signature by choosing one of the pull down options available in the NIS IPS Tab: Response, Policy Type, Business Impact, Category, Date Published, Severity, Fidelity, Protocol or Status.

clip_image016

Once a group is selected , you can choose the appropriate policy from the Task Menu or by right click options available below:

clip_image017

You can also perform an operation on all signatures to enable NIS as an Intrusion Detection System (IDS) by setting all responses to “Detect Only” or Intrusion Prevention System (IPS) by setting all responses to Microsoft Recommended Defaults.

clip_image018

Watch for our upcoming blog entries and whitepapers planned for the near future discussing NIS deployment, monitoring and troubleshooting in depth.

Author

Moshe Golan, GAPA Program Manager – Forefront

Reviewers

 

David B. Cross, Product Unit Manager – Forefront

Avi Ben-Menahem, GAPA Group Manager – Forefront

Evgeny Skarbovsky, GAPA Senior Development Lead – Forefront

Erez Sharvit, GAPA Software Developer Engineer – Forefront