Microsoft NIS and the misplaced “state-of-the-art”

by adrian 26. July 2011 16:32

Apparently Microsoft’s NIS made some sparkles on the web the other days.

It all seems to have started with a somehow badly formulated blog entry that touched a little bit of pride somewhere Winking smile. [1]

This prompted Robert Graham to chip in and draw some missing lines. [2]

The thing is that NIS is not particularly here to solve false or positives negatives with a “state-of-the-art” IPS incorporating protocol analysis.

The missing link. [3]
The original blog entry looks to miss one piece of information(although linked into another document used as reference) that seems to have had as a result the “state-of-the-art” label misplaced.

The only “state-of-the-art” + protocol analysis combination that Microsoft itself originally mentioned(to my current knowledge) refers to the ability of creating easily protocols analyzers, without developing them using languages like C, see [3].

Regarding NIS and TMG a couple of things must be noted:

  • currently it only provides protection for MS products.
  • small database of signatures –> small threat coverage; many of them are exploit based, fewer are vulnerability based.
  • as writing does not provide generic vulnerability based signatures for class of attacks.
  • it does provide protocol anomaly detection for a number of protocols.

References
[1] https://www.infosecisland.com/blogview/15029-Threat-Blocking-With-Network-Inspection-System-NIS.html
[2] http://erratasec.blogspot.com/2011/07/those-who-dont-know-state-of-art-are.html
[3] http://research.microsoft.com/pubs/70223/tr-2005-133.pdf

Tags:

Forefront TMG

Comments are closed

Home | Hire me

Support this blog

Adds

Book Shelf

 

Month List