Troubleshooting NIS on TMG 2010

Published in: Technology

  1. Troubleshooting Network Inspection System (NIS) on Forefront TMG 2010
     Yuri Diogenes | Senior Technical Writer
     Microsoft Windows iX IT PRO Security Team
     http://blogs.technet.com/yuridiogenes

  2. NIS: Powered by GAPA
     • Generic Application Protocol Analyzer
     • A framework and platform for safe and rapid development of low-level protocol parsers
     • Supports extensibility and layering
     • Enables creating parsing-based "rules" for checking and applying specific conditions (signatures)

  3. The NIS Architecture (diagram)
     • Design time: GAPAL (GAPA Language), Compiler, Signatures & Protocol Parsers
     • Microsoft Update: delivers Protocol Parsers and Signatures
     • Run time: NIS Engine, Network Interception, Telemetry & Portal

  4. NIS Value Proposition
     • Protection against exploitation of known vulnerabilities
       - Average survival time of an unpatched Windows XP machine: <20 min
       - Only ~2% of Windows machines have no insecure program installed
     • Zero-day protection:
       - Close the vulnerability window between security patch announcement and deployment
       - Respond to newly discovered vulnerabilities

  5. NIS Events
     • Logged in the Windows Application Event Log

  6. Signatures for Testing
     • HTML test signature: access http://www.contoso.com/testNIS.aspx?testValue=1!2@34$5%6^[{NIS-Test-URL}]1!2@34$5%6^
     • SMB test signature: copy the file C0AABD79-351B-4c98-8AE7-69F4279FEF54.txt to a remote share

  7. NIS Alerts
     • A dashboard for detection information

  8. Troubleshooting NIS: Wrong Detection
     • False negative detection
       - Isolate the signature that is causing the problem
       - Confirm that it is not blocking suspicious traffic
       - Validate
       - Collect Netmon traces
       - Contact Microsoft
     • False positive detection
       - Isolate the signature that is causing the problem
       - Confirm that it is blocking valid traffic
       - Temporarily set the signature to Detect Only (or disable it)
       - Contact Microsoft

  9. Troubleshooting NIS: High CPU
     • High utilization on wspsrv.exe
     • Use Process Monitor for the initial assessment
     • Collect Perfmon data (before and while the issue is happening)
     • Collect a user-mode dump from wspsrv.exe
     • Verify whether tracing is enabled under HKLM\SOFTWARE\Microsoft\Network Inspection System\WPP\Components\GAPA or ...\NIS

  10. Troubleshooting NIS: Reviewing the Dump
     • Look for patterns
     • Check for Critical Sections
     • Review threads that are blocked in Critical Sections
     • Check whether most of the threads are from GapaEngine

  11. Troubleshooting NIS: Signature Update Flow (diagram)
     • TMG Job Scheduler
     • Windows Update / UpdateAgent (Updateagent.exe), logged to %windir%\temp\ISA_updateagent.log
     • WSUS / Windows Update API, logged to %windir%\WindowsUpdate.log

  12. Troubleshooting NIS: Signature Update
     • NIS signatures use the regular Windows Update mechanism (BITS)
     • Are you using WSUS or WU?

  13. Troubleshooting NIS: Signature Update
     • Review the TMG Update Center for initial troubleshooting
     • Review %windir%\WindowsUpdate.log

  14. Troubleshooting NIS: Signature Update
     • Registry key settings under HKLM\SOFTWARE\Microsoft\Fpc\NIS:
       - LatestSnapshotVersion: contains the version of the most recent update
       - LatestSnapshotFilepath: contains the full file path of the most recent signature set file
       - ReinstallApplicableUpdate: controls whether to force re-installation of the latest update (TMG COM controls this through the force full update option)
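A diagnostic script covering the checks on slides 9, 11 and 14 (WPP trace keys, update logs, signature registry values), added here as an example and not part of the deck or of TMG itself. It assumes the registry paths and log locations exactly as the slides name them; the slides do not say which value under the WPP component keys carries the trace flag, so those values are listed rather than interpreted.

```powershell
# Added example (not from the deck). Assumes the registry keys and log paths
# named on the slides; value semantics beyond what the slides state are not
# assumed, the values are only reported for the administrator to inspect.
$nisKey  = 'HKLM:\SOFTWARE\Microsoft\Fpc\NIS'
$wppBase = 'HKLM:\SOFTWARE\Microsoft\Network Inspection System\WPP\Components'
$logs    = @("$env:windir\temp\ISA_updateagent.log", "$env:windir\WindowsUpdate.log")

function Get-NisSignatureState {
    # Slide 14: version, snapshot file path and the forced-reinstall flag.
    if (-not (Test-Path $nisKey)) { Write-Warning "Key not found: $nisKey"; return }
    $p = Get-ItemProperty -Path $nisKey
    $snapshotExists = $false
    if ($p.LatestSnapshotFilepath) { $snapshotExists = Test-Path $p.LatestSnapshotFilepath }
    New-Object PSObject -Property @{
        LatestSnapshotVersion     = $p.LatestSnapshotVersion
        LatestSnapshotFilepath    = $p.LatestSnapshotFilepath
        SnapshotFileExists        = $snapshotExists   # a missing file points at a failed update
        ReinstallApplicableUpdate = $p.ReinstallApplicableUpdate
    }
}

function Get-NisTraceState {
    # Slide 9: tracing left enabled under GAPA or NIS is a known CPU cost,
    # so list whatever is configured under each component key.
    foreach ($component in 'GAPA', 'NIS') {
        $key = Join-Path $wppBase $component
        if (Test-Path $key) {
            "==== $key ===="
            Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
        } else {
            Write-Warning "Trace key not present: $key"
        }
    }
}

function Show-NisUpdateLogTail {
    # Slide 11: the two logs written along the signature update path.
    param([int]$Lines = 20)
    foreach ($log in $logs) {
        if (Test-Path $log) {
            "==== $log (last $Lines lines) ===="
            Get-Content -Path $log | Select-Object -Last $Lines
        } else {
            Write-Warning "Log not found: $log"
        }
    }
}

Get-NisSignatureState | Format-List
Get-NisTraceState | Format-List
Show-NisUpdateLogTail
```

Run it in an elevated PowerShell on the TMG server; Select-Object -Last is used instead of Get-Content -Tail so it also works on the PowerShell 2.0 that ships with Windows Server 2008 R2.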