Troubleshooting NIS on TMG 2010



  1. Troubleshooting Network Inspection System (NIS) on Forefront TMG 2010
     Yuri Diogenes | Senior Technical Writer
     Microsoft Windows iX IT PRO Security Team
  2. NIS: Powered by GAPA
     • Generic Application Protocol Analyzer
     • A framework and platform for safe and rapid development of low-level protocol parsers
     • Supports extensibility and layering
     • Enables parsing-based “rules” that check for specific conditions in the parsed traffic and act on them (signatures)
  3. The NIS Architecture
     Design time:
     • GAPAL (GAPA Language)
     • Compiler
     • Signatures & protocol parsers (the compiler's output)
     Distribution:
     • Protocol parsers and signatures are delivered to TMG through Microsoft Update
     Run time:
     • NIS Engine
     • Network interception
     • Telemetry & portal
  4. NIS Value Proposition
     • Protection against exploitation of known vulnerabilities
       • Average survival time of an unpatched Windows XP machine: <20 min
       • Only ~2% of Windows machines have no insecure program installed
     • Zero-day protection:
       • Close the vulnerability window between the security patch announcement and its deployment
       • Respond to newly discovered vulnerabilities
  5. NIS Events
     • Logged in the Windows Application event log
  6. Signatures for Testing
     • HTML test signature: browse through TMG to a URL containing the string
       Access!2@34$5%6^[{NIS-Test-URL}]1!2@34$5%6^
     • SMB test signature: copy a file named C0AABD79-351B-4c98-8AE7-69F4279FEF54.txt to a remote share
  7. NIS Alerts
     • A dashboard for detection information
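The following script is an added example, not part of the original deck: it fires the two test signatures from slide 6 and then lists the NIS events that slide 5 says are written to the Application log. Everything environment-specific is an assumption: the TMG web proxy listener ($ProxyHost:$ProxyPort), a web server reachable through TMG ($TargetHost), an SMB share on the far side of TMG ($Share), and the event filter, which is a heuristic on message text rather than a documented provider name.

```powershell
# Added example (not from the deck): trigger the slide 6 test signatures, then read the
# Application log (slide 5). Assumed values below are placeholders for your environment.
param(
    [string]$ProxyHost  = 'tmg.corp.example',                      # assumption
    [int]   $ProxyPort  = 8080,                                    # assumption
    [string]$TargetHost = 'www.example.com',                       # assumption
    [string]$Share      = '\\fileserver.corp.example\nistest'      # assumption
)

function Send-RawProxyRequest {
    # Sends a proxy-style GET (absolute URL in the request line) over a plain socket, so the
    # test string reaches TMG byte-for-byte instead of being percent-encoded by a URL parser.
    # Returns the HTTP status line, or a description of how the connection failed.
    param([string]$ProxyHost, [int]$ProxyPort, [string]$AbsoluteUrl, [string]$HostHeader)
    $client = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $request = "GET $AbsoluteUrl HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object System.IO.StreamReader($stream)
        $status = $reader.ReadLine()
        if ($status) { return $status } else { return 'connection closed without a response' }
    } catch {
        return "request failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

$start = Get-Date

# Slide 6, HTML test signature: the literal test string carried in the URL path.
$htmlTest = 'Access!2@34$5%6^[{NIS-Test-URL}]1!2@34$5%6^'
$status = Send-RawProxyRequest -ProxyHost $ProxyHost -ProxyPort $ProxyPort `
    -AbsoluteUrl "http://$TargetHost/$htmlTest" -HostHeader $TargetHost
Write-Host "HTML test -> $status"

# Slide 6, SMB test signature: a file with exactly this name copied to a remote share.
$smbTest = Join-Path $env:TEMP 'C0AABD79-351B-4c98-8AE7-69F4279FEF54.txt'
Set-Content -Path $smbTest -Value 'constructed test content; only the file name matters'
try {
    Copy-Item -Path $smbTest -Destination $Share -ErrorAction Stop
    Write-Host 'SMB test -> copy completed (not blocked)'
} catch {
    Write-Host "SMB test -> copy failed/blocked: $($_.Exception.Message)"
}

# Slide 5: NIS events land in the Application log. Restrict to the test window, then match
# on message text (heuristic). Note the ProviderName of the first hit and filter on it
# afterwards for an exact match.
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'NIS|Network Inspection' } |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it from a client on the internal side of TMG. If the HTML test comes back with a 200 status line and no event appears, NIS is either disabled for that rule or the signature is set to Detect Only; if the socket is reset or TMG answers with an error page, the block worked and the matching event should be in the list.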
  8. Troubleshooting NIS: Wrong Detection
     • False negative detection
       • Isolate the signature that is causing the problem
       • Confirm that it is not blocking traffic that is in fact suspicious
       • Validate
       • Collect Netmon traces
       • Contact Microsoft
     • False positive detection
       • Isolate the signature that is causing the problem
       • Confirm that it is blocking valid traffic
       • Temporarily set the signature to Detect Only (or disable it)
       • Contact Microsoft
  9. Troubleshooting NIS: High CPU
     • High utilization on wspsrv.exe
     • Use Process Monitor for the initial assessment
     • Collect Perfmon data (before the issue and while it is happening)
     • Collect a user-mode dump of wspsrv.exe
     • Verify whether tracing is enabled under
       HKLM\SOFTWARE\Microsoft\Network Inspection System\WPP\Components\GAPA (or \NIS)
  10. Troubleshooting NIS: Reviewing the Dump
     • Look for patterns
     • Check for critical sections
     • Review the threads that are blocked on critical sections
     • Check whether most of the threads are from GapaEngine
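The script below is an added example, not from the deck: it collects the evidence slides 9 and 10 ask for in one pass on the TMG server. It assumes Sysinternals procdump.exe is available at $ProcDump and that output goes to $OutDir; the tracing key path is slide 9's with the path separators restored, and the CPU threshold is an arbitrary assumed value.

```powershell
# Added example (not from the deck): gather high-CPU evidence for wspsrv.exe (slides 9-10).
param(
    [string]$OutDir       = 'C:\NISTriage',            # assumption
    [string]$ProcDump     = 'C:\Tools\procdump.exe',    # assumption: Sysinternals procdump
    [int]   $CpuThreshold = 80                          # assumption: % CPU that triggers the dump
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Confirm the symptom: three 2-second samples of wspsrv.exe CPU, normalised per core
#    (the raw counter can exceed 100% on a multi-core box).
$samples = Get-Counter -Counter '\Process(wspsrv)\% Processor Time' -SampleInterval 2 -MaxSamples 3
$cores   = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors
$avg     = ($samples.CounterSamples | Measure-Object CookedValue -Average).Average / $cores
Write-Host ("wspsrv.exe average CPU: {0:N1}% of all cores" -f $avg)

# 2. Perfmon: a binary counter log sampled every 5 s. Start it while the issue is happening;
#    run the same collector later on a quiet server to get the "before" baseline slide 9 wants.
$blg = Join-Path $OutDir 'nis-highcpu.blg'
& logman delete NIS_HighCPU 2>&1 | Out-Null     # ignore "does not exist" on first run
& logman create counter NIS_HighCPU -o $blg -f bin -si 5 -c `
    '\Process(wspsrv)\% Processor Time' `
    '\Process(wspsrv)\Thread Count' `
    '\Processor(_Total)\% Processor Time' `
    '\Memory\Available MBytes' | Out-Null
& logman start NIS_HighCPU | Out-Null
Write-Host "Perfmon collector NIS_HighCPU started -> $blg (stop with: logman stop NIS_HighCPU)"

# 3. User-mode dump of wspsrv.exe: -ma = full memory dump, -c = write it when CPU stays above
#    the threshold for -s seconds. Drop -c/-s to take the dump immediately instead.
$wsp = Get-Process -Name wspsrv -ErrorAction SilentlyContinue
if ($wsp) {
    & $ProcDump -accepteula -ma -c $CpuThreshold -s 5 $wsp.Id (Join-Path $OutDir 'wspsrv.dmp')
} else {
    Write-Warning 'wspsrv.exe is not running'
}

# 4. Slide 9: is WPP tracing switched on for the GAPA or NIS component? Path reconstructed
#    from the slide (separators restored). All values are dumped so no value name is assumed.
$traceRoot = 'HKLM:\SOFTWARE\Microsoft\Network Inspection System\WPP\Components'
foreach ($comp in 'GAPA', 'NIS') {
    $key = Join-Path $traceRoot $comp
    if (Test-Path $key) {
        Write-Host "Tracing settings under ${key}:"
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    } else {
        Write-Host "No tracing key at $key (tracing not configured)"
    }
}
```

For the slide 10 review, open the dump in WinDbg with the matching symbols: `!locks` lists the critical sections that are currently held and by which thread, and `~*kb` prints every thread's stack so you can see whether most of them are sitting in GapaEngine waiting on the same lock.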
  11. Troubleshooting NIS: Signature Update Flow
     • TMG Job Scheduler
     • UpdateAgent (Updateagent.exe); log: %windir%\temp\ISA_updateagent.log
     • Windows Update API; log: %windir%\WindowsUpdate.log
     • Update source: Windows Update or WSUS
  12. Troubleshooting NIS: Signature Update
     • NIS signatures use the regular Windows Update mechanism (BITS)
     • Are you using WSUS or WU?
  13. Troubleshooting NIS: Signature Update
     • Review the TMG Update Center for initial troubleshooting
     • Review %windir%\WindowsUpdate.log
  14. Troubleshooting NIS: Signature Update
     • Registry key: HKLM\SOFTWARE\Microsoft\Fpc\NIS
       • LatestSnapshotVersion: the version of the most recent update
       • LatestSnapshotFilepath: the full file path of the most recent signature set file
       • ReinstallApplicableUpdate: controls whether to force re-installation of the latest update (the TMG COM object sets this for the “force full update” option)
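As an added example (not from the deck), this read-only health check walks the signature update path from slides 11 to 14 on the TMG server: the HKLM\SOFTWARE\Microsoft\Fpc\NIS values, the two logs, the BITS service and the WSUS-versus-Windows-Update question. The NIS registry and log paths are the slides' own with path separators restored; the Windows Update policy keys (WUServer, UseWUServer) are the standard ones and are not mentioned in the slides. The function name Get-NisUpdateStatus and the error pattern are this example's own choices.

```powershell
# Added example (not from the deck): read-only check of the NIS signature update path.
function Get-NisUpdateStatus {
    $result = @{}

    # Slide 14: what is installed right now.
    $nisKey = 'HKLM:\SOFTWARE\Microsoft\Fpc\NIS'
    $nis = Get-ItemProperty -Path $nisKey -ErrorAction SilentlyContinue
    $result.LatestSnapshotVersion     = $nis.LatestSnapshotVersion
    $result.LatestSnapshotFilepath    = $nis.LatestSnapshotFilepath
    $result.ReinstallApplicableUpdate = $nis.ReinstallApplicableUpdate   # read only; TMG sets it
    $result.SnapshotFileExists = [bool]($nis.LatestSnapshotFilepath -and (Test-Path $nis.LatestSnapshotFilepath))
    if ($result.SnapshotFileExists) {
        # Age of the signature set file is the quickest sign that updates have stalled.
        $result.SnapshotFileWritten = (Get-Item $nis.LatestSnapshotFilepath).LastWriteTime
    }

    # Slide 12: transfers ride on BITS, so the service must be able to run.
    $result.BitsService = (Get-Service -Name BITS -ErrorAction SilentlyContinue).Status

    # Slide 12: WSUS or WU? Standard Windows Update policy keys (not from the slides).
    $wuPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $auPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($auPol.UseWUServer -eq 1 -and $wuPol.WUServer) {
        $result.UpdateSource = "WSUS ($($wuPol.WUServer)) - confirm the NIS definition updates are approved there"
    } else {
        $result.UpdateSource = 'Windows Update (direct)'
    }

    # Slides 11 and 13: the UpdateAgent log and the Windows Update log. Keep the last five
    # lines that look like failures (HRESULTs start with 0x8). Pattern is an assumption.
    $logs = @{
        UpdateAgentLog   = Join-Path $env:windir 'temp\ISA_updateagent.log'
        WindowsUpdateLog = Join-Path $env:windir 'WindowsUpdate.log'
    }
    foreach ($name in $logs.Keys) {
        $path = $logs[$name]
        if (Test-Path $path) {
            $hits = Select-String -Path $path -Pattern 'fail|error|0x8' | Select-Object -Last 5
            $result[$name + 'Errors'] = @($hits | ForEach-Object { $_.Line.Trim() })
            $result[$name + 'LastWrite'] = (Get-Item $path).LastWriteTime
        } else {
            $result[$name + 'Errors'] = @("missing: $path")
        }
    }

    New-Object PSObject -Property $result
}

Get-NisUpdateStatus | Format-List
```

Read the output top down in the order the slides suggest: a snapshot file that is weeks old points at the update chain; a stopped BITS service or a WSUS server that has not approved the definition updates explains it without opening the logs; otherwise the last failure lines from ISA_updateagent.log (TMG's side) and WindowsUpdate.log (the Windows Update API's side) tell you which half of slide 11's flow broke.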