Testing and Monitoring Forefront TMG Malware Inspection and Intrusion Prevention (NIS) Systems

Forefront TMG's Intrusion Prevention System has been one of TMG's major selling points due to the introduction of the Network Inspection System (NIS). NIS is a fully fledged enterprise level intrusion detection and prevention system (IDS/IPS) that utilizes a 'Generic Application Protocol Analyzer' (GAPA) to match traffic patterns above layer 3.

Forefront TMG also comes with a comprehensive Malware Inspection system for scanning, cleaning, and blocking harmful HTTP content and files.

Once you have enabled these features, it is a good idea to test and monitor their behaviour to ensure your network is adequately protected.

Testing Forefront TMG's Intrusion Prevention System (IPS / NIS)

Once you have enabled and configured NIS, it is a good idea to test that it is working. The Forefront TMG Team detailed how to do this using a test signature (see  Exercising NIS with test signature), however this article is now outdated, as the test signature has been renamed, and there is no longer a link to the test signature URL in the properties dialog.

I have therefore copied the signature URL below for your testing pleasure:

http://www.contoso.com/testNIS.aspx?testValue=1!2@34$5%6^

					\[%7BNIS-Test-URL%7D\]1!2@34$5%6^

Make sure you have enabled and configured Forefront TMG's Intrusion Prevention System, then hit the URL above. You will be presented with TMG's block page:

Monitoring IPS Events

If you are running Fastvue TMG Reporter, you will soon see this event appear on the Firewall dashboard in the IPS Events section.

You can also use TMG Reporter to email you a detailed alert when IPS events occur.

Testing Forefront TMG's Malware Inspection System

Forefront TMG's Malware Inspection system can also easily be tested by downloading the Eicar Anti Malware test file(s). When attempting to download these files you will again be presented with TMG's block page.

Note that you will not be presented with the block page when downloading the Eicar zip files, but TMG does indeed intercept them and silently removes (cleans) the infected files from the zip file.

Monitoring Malware Events

Again, you will soon see these events appear in the Fastvue Firewall Dashboard in the Malware Events section.

And of course, you can configure TMG Reporter to email you these details when they occur.

Conclusion

By actively monitoring Forefront TMG's Intrusion Prevention and Malware Inspection events, you can identify the source of these vulnerabilities and take immediate action. This might involve cleaning an infected machine, modifying access rules, or even adding URL Category overrides to categorize a newly identified malicious site. If you do not take action, and if Forefront TMG is ever removed from your network, the threat will re-emerge and you are open to an attack.

Happy monitoring!