Figure 1
Here you will see that the intrusion detection feature is enabled by default and configured to detect, block and log the following attacks:
Figure 2
Also, by selecting the DNS Attacks tab, you will see that the TMG firewall can provide advanced application-layer protection against common attacks targeting public DNS servers, such as DNS host name overflow and DNS length overflow. The TMG firewall can also block DNS zone transfers (this is not enabled by default).
Figure 3
Intrusion detection and prevention in Forefront TMG also allows filtering of the IP options carried in the header of an IP packet. IP options filtering is enabled by default and can be configured by clicking the Configure IP Options Filtering link in the main control window.
Figure 4
Most IP options are harmless. However, some IP options are an indicator of potentially malicious behavior. By default, the TMG firewall is configured to filter IP options and will drop IP packets containing IP option 7 (Record Route), 68 (Time Stamp), 131 (Loose Source Route) or 137 (Strict Source Route). The TMG firewall administrator can adjust both the option numbers that are selected and the action taken when a packet carries them: packets containing any IP options can be dropped, packets containing the selected IP options can be dropped, or all packets except those containing the selected IP options can be dropped.
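As an added illustration of the three filtering actions described above (this is example code written for this article, not TMG's implementation), the following Python parses the options field of an IPv4 header and applies each mode with the four option numbers the page names as the default deny list. The sample packets are constructed here; the checksum is left at zero because it is not needed for option parsing, and the handling of packets that carry no options under the "deny all except selected" mode (they are allowed) is an assumption of this model.

```python
"""Added example: IPv4 options parser plus the three TMG-style filter actions."""
import struct

# Option numbers named on the page; TMG drops these by default.
RECORD_ROUTE = 7
TIMESTAMP = 68
LOOSE_SOURCE_ROUTE = 131
STRICT_SOURCE_ROUTE = 137
DEFAULT_DENIED = {RECORD_ROUTE, TIMESTAMP, LOOSE_SOURCE_ROUTE, STRICT_SOURCE_ROUTE}


def parse_ip_options(packet: bytes) -> list:
    """Return the option numbers present in an IPv4 header (empty if none).
    Raises ValueError on a truncated header or a malformed option field, which a
    filter should treat as a reason to drop rather than silently allow."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options = packet[20:ihl]
    found = []
    i = 0
    while i < len(options):
        opt = options[i]
        if opt == 0:                      # End of Option List
            break
        if opt == 1:                      # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found.append(opt)
        i += length
    return found


def ip_options_verdict(packet: bytes, mode: str, selected=DEFAULT_DENIED) -> str:
    """Apply one of the three TMG-style actions and return 'allow' or 'deny'."""
    try:
        present = set(parse_ip_options(packet))
    except ValueError:
        return "deny"                     # malformed options are never forwarded
    if mode == "deny_any":
        return "deny" if present else "allow"
    if mode == "deny_selected":
        return "deny" if present & selected else "allow"
    if mode == "deny_all_except_selected":
        # Assumption: packets with no options pass; packets with options pass
        # only when every option they carry is in the selected set.
        return "deny" if present - selected else "allow"
    raise ValueError(f"unknown mode {mode!r}")


def build_ipv4_header(options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (constructed sample, checksum left 0)."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit boundary
    ihl = 5 + len(padded) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + padded


# Constructed sample packets: no options, Record Route, and Router Alert (148).
PLAIN = build_ipv4_header()
RECORD_ROUTE_PKT = build_ipv4_header(bytes([RECORD_ROUTE, 7, 4, 0, 0, 0, 0]))
ROUTER_ALERT_PKT = build_ipv4_header(bytes([148, 4, 0, 0]))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("record-route", RECORD_ROUTE_PKT),
                      ("router-alert", ROUTER_ALERT_PKT)]:
        for mode in ("deny_any", "deny_selected", "deny_all_except_selected"):
            print(f"{name:13s} {mode:25s} {ip_options_verdict(pkt, mode)}")
```

The Router Alert packet shows why the mode matters: it is not on the default list, so "deny selected" forwards it, while "deny any" and "deny all except selected" both drop it.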
Figure 5
The TMG firewall can also block the forwarding of packets that contain IP fragments. This option is not enabled by default. Blocking IP fragments can have unwanted side effects, so be careful when enabling this feature.
Figure 6
Flood mitigation is a critical component of the Forefront TMG firewall. This feature helps reduce the impact of certain types of attacks on the firewall, and helps mitigate potential DoS attacks by enforcing limits on the amount of traffic a single host can generate. Flood mitigation is enabled by default and can be configured by clicking the Configure Flood Mitigation Settings link in the main control window.
Figure 7
Flood mitigation can limit the following network parameters:
Figure 8
Clicking Edit next to a flood mitigation parameter lets the administrator configure the connection limit, as well as a separate limit that applies to the IP exceptions.
Figure 9
When a host generates enough traffic to exceed the configured limit, the TMG firewall starts dropping packets from that host and raises an alert.
Figure 10
Note:
One important thing to note is that connections allowed by the firewall policy still count toward the connection quota.
If the host in question stops sending requests, or reduces the rate of requests it sends to below the configured limit, then after a minute the TMG firewall will again permit new connections from that host.
Normally, when a host exceeds the connection limit, the cause is suspected malicious traffic or possibly a poorly written application. However, there are cases where hosts legitimately generate a huge amount of traffic; DNS servers and SMTP servers are common examples. Some administrators try to resolve the resulting alerts by raising the default connection limits, or even by disabling flood mitigation entirely. This approach is not recommended. The proper way to handle this scenario is to create an IP exception and then apply a separate threshold to the systems that belong to that group.
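To make the behaviour described in this section concrete (the per-host quota, allowed connections counting toward it, the drop-and-alert response, recovery after a quiet minute, and a higher limit for an IP exception group), here is an added Python model. It is illustration code written for this article, not TMG's own logic, and the limits, window length and addresses are constructed assumptions rather than TMG defaults; in particular, this model counts only allowed connections toward the quota and rate-limits on a sliding one-minute window.

```python
"""Added example: per-host connections-per-minute quota with an IP exception group,
modelled on the flood mitigation behaviour described in the article."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class FloodMitigator:
    def __init__(self, default_limit, exception_limit, exception_networks,
                 window_seconds=60):
        self.default_limit = default_limit            # limit for ordinary hosts
        self.exception_limit = exception_limit        # limit for the IP exception group
        self.exception_networks = [ip_network(n) for n in exception_networks]
        self.window_seconds = window_seconds
        self.history = defaultdict(deque)             # host -> timestamps of allowed connections
        self.alerts = []                              # (time, host, message)

    def limit_for(self, host: str) -> int:
        """Hosts in the exception group get their own threshold instead of the default."""
        ip = ip_address(host)
        if any(ip in net for net in self.exception_networks):
            return self.exception_limit
        return self.default_limit

    def on_connection(self, host: str, now: float) -> str:
        """Return 'allow' or 'drop' for a new connection from host at time now."""
        window = self.history[host]
        # Forget connections older than the window; this is what lets a host that
        # has gone quiet for a minute open connections again.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.limit_for(host):
            self.alerts.append((now, host, "connections per minute limit exceeded"))
            return "drop"
        window.append(now)   # allowed connections count toward the quota (see the note above)
        return "allow"


def run_scenario() -> dict:
    """Constructed scenario: a chatty host on 203.0.113.5 and a DNS server on
    192.168.1.10 that has been placed in the IP exception group."""
    fm = FloodMitigator(default_limit=5, exception_limit=100,
                        exception_networks=["192.168.1.10/32"])
    burst = [fm.on_connection("203.0.113.5", t) for t in range(7)]      # 7 connections in 7 s
    after_quiet_minute = fm.on_connection("203.0.113.5", 70)            # silent until t=70
    dns_server = [fm.on_connection("192.168.1.10", 0) for _ in range(50)]
    return {
        "burst": burst,
        "after_quiet_minute": after_quiet_minute,
        "exception_host_all_allowed": all(v == "allow" for v in dns_server),
        "alerts": len(fm.alerts),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the first five connections from the ordinary host allowed and the sixth and seventh dropped with an alert each, the same host allowed again once a minute has passed, and the DNS server in the exception group opening fifty connections without a single drop, which is the outcome the article recommends over raising the default limit for everyone.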
Figure 11
With the introduction of the SIP filter in TMG 2010, the firewall is now able to enforce quotas on SIP traffic. TMG places limits on the following SIP parameters:
Clicking Edit next to each parameter allows the administrator to configure the thresholds according to their requirements.
Figure 12
Forefront TMG's behavior-based intrusion detection and prevention feature provides a basic level of protection against common network attacks. It helps prevent the forwarding of IP packets with suspicious or potentially malicious IP options. In addition, TMG mitigates DoS (Denial of Service) attacks by enforcing connection limits, preventing users with malicious intent, or hosts infected with malicious code, from flooding the firewall with connections. TMG firewall administrators can also configure quotas on the amount of SIP traffic generated by protected clients.