Detecting Common Attacks using TMG Intrusion Detection

Apart from the complicated, advanced-level attacks that target a network every once in a while, there are common attacks that can be really troublesome. A lot of the time this happens because people believe their network does not contain any data important enough to be attacked; when an attack occurs, they panic because they did not expect it and in fact have nothing in place to stop this type of attack.

Forefront Threat Management Gateway 2010 includes an IDS (Intrusion Detection System) as one of its features, and it can detect many of these attacks. To access and configure this feature in TMG, go to Intrusion Prevention System, then click on Behavioral Intrusion Detection, and first click on Configure Detection Settings for Common Network Attacks:

Here you can see a list of different types of attacks; each one that is checked will be detected, and a log entry will be created for it in the Monitoring section of TMG. For instance, if you check Port Scan, you can specify the number of ports that must be scanned before TMG considers the traffic a port-scanning attack and logs it.

On the other tab, you can also enable detection of different types of attacks against the DNS service:

Coming back to the Behavioral Intrusion Detection tab in TMG, you can also click on Configure IP Options Filtering to filter specific IP options that may be included in the IP packet's header. Most IP options in the packet header are harmless, but some of them can indicate malicious traffic and should be checked. They are shown in the picture below. If any traffic contains these options in the packet header, it will be dropped if you select Deny packets with the selected IP options.

Under the other tab, called IP Fragment, you can block IP fragments. This stops the traffic generated by applications that fragment packets so that they are not detected by the firewall. Keep in mind, however, that if you enable blocking of IP fragments, you may also block other, legitimate types of traffic such as L2TP, which is common in any network with remote users.

Again under Behavioral Intrusion Detection in TMG, if you click on Configure Flood Mitigation Settings, you can detect and block flood attacks against the TMG itself and against the network behind it. Using this feature, you specify the number of allowed connections of each type to a host; if there are more requests than that, the traffic is detected as a flood attack and denied. Click Edit to configure the settings for any of the connection types:
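The port-scan threshold above and the per-host flood limit are both simple counting rules. The script below, an added example that is not part of this post and not TMG code, applies the same two rules to a handful of constructed firewall log lines (format and thresholds are assumptions, not TMG's own), so you can see why one source is flagged and another is not.

```python
from collections import defaultdict

# Constructed sample log lines in the form "src_ip dst_ip dst_port" (not real TMG output).
SAMPLE_LOG = (
    # 10.0.0.5 probes six different ports on one host: looks like a port scan
    [f"10.0.0.5 192.168.1.10 {p}" for p in (21, 22, 23, 25, 80, 443)]
    # 10.0.0.7 behaves normally: a few web connections to the same host
    + ["10.0.0.7 192.168.1.10 80", "10.0.0.7 192.168.1.10 80", "10.0.0.7 192.168.1.10 443"]
    # 10.0.0.9 opens twelve connections to one port on one host: looks like a flood
    + ["10.0.0.9 192.168.1.20 80"] * 12
)


def parse_events(lines):
    """Turn log lines into (src, dst, port) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        events.append((parts[0], parts[1], int(parts[2])))
    return events


def detect_port_scans(events, max_ports):
    """Flag sources that touched more than max_ports distinct ports on a single host,
    the same idea as the 'number of ports' threshold in the Port Scan setting."""
    seen = defaultdict(set)
    for src, dst, port in events:
        seen[(src, dst)].add(port)
    return sorted({src for (src, _), ports in seen.items() if len(ports) > max_ports})


def detect_floods(events, max_connections):
    """Flag sources with more than max_connections connections to one host,
    the same idea as the per-host limit in Flood Mitigation Settings."""
    counts = defaultdict(int)
    for src, dst, _ in events:
        counts[(src, dst)] += 1
    return sorted({src for (src, _), n in counts.items() if n > max_connections})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("port scan alerts:", detect_port_scans(events, max_ports=5))  # ['10.0.0.5']
    print("flood alerts:", detect_floods(events, max_connections=10))  # ['10.0.0.9']
```

Raising max_ports to 6 clears the port-scan alert while the flood alert stays, which is the trade-off you make when tuning these thresholds in TMG: too high and real scans pass, too low and busy legitimate hosts get denied.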

After all this configuration, any traffic detected as an attack will be logged under the Monitoring section in TMG and will be visible under Alerts. Once you know the source of the attack, you can easily block it using the firewall feature if it is not already blocked by default.
