Intrusions and Alerts

Forefront TMG features an intrusion-detection mechanism that identifies when an attack is attempted against your network. You can configure Forefront TMG to generate an "Intrusion detected" event, which is defined in the stored Forefront TMG configuration, whenever specific types of attacks are detected. The definition of this event includes additional keys for subevents that correspond to the specific types of attacks. For each subevent, you can define and enable an alert, which specifies the actions to be taken in response to the event and is issued by the Microsoft Firewall service when all the conditions specified in the alert are met. The actions that can be triggered by an alert include sending an email message, invoking a command, writing to a log, and starting or stopping Forefront TMG services.

To detect unwanted intruders, Forefront TMG compares network traffic and log entries to well-known attack methods. If attack detection is enabled for a specific type of attack, suspicious activity that is indicative of that type of attack will generate an event and, when all the conditions specified in the applicable alert are met, trigger the actions defined in the alert.

In particular, Forefront TMG can monitor for the following types of attacks:

  • All-port scan attack.
  • Well-known port scan attack.
  • IP half-scan attack.
  • Land attack.
  • Ping-of-death attack.
  • UDP bomb attack.
  • Windows out-of-band (WinNuke) attack.

You can enable and configure attack detection for these types of attacks through the properties of the FPCAttackDetection object.

For more information about intrusion detection, see the Forefront TMG product documentation.



Build date: 7/12/2010