Tag Archives: TMG

Forefront TMG 2010 SP2 and Forefront UAG 2010 SP1 Update 1

Microsoft recently announced the availability of two new updates for their Forefront Edge products:

  • Service Pack 2 for Forefront TMG 2010
  • Update 1 for Forefront UAG 2010 Service Pack 1

You can download SP2 for TMG from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=27603 and Update 1 for UAG SP1 from http://www.microsoft.com/downloads/details.aspx?FamilyID=15218e0c-309a-49e1-8e19-1b3141428e21. And of course, you can find more information about the new capabilities and fixed bugs on those pages.

But what about co-existence of the two new updates? Can I install TMG SP2 on my UAG box? Can I install SP1 Update 1 when TMG SP2 is already installed?
No worries: UAG SP1, with or without Update 1, is fully supported together with TMG SP2. Regarding the installation order, Microsoft recommends starting with the new SP2 for TMG and applying the UAG update afterwards.

So finally, happy updating…

Improvements for Signature Expl:Win/HTTP.URL.XSS!0000-0000 from TMG 2010 NIS

You have probably noticed that Microsoft released a generic Exploit-based signature for Cross-site scripting attacks last year (by the way, I wrote about it as well, see http://blogs.ecreation.ch/2010/05/02/tmgs-network-inspection-system-nis-helps-to-protect-against-sql-injection-and-cross-site-scripting/).

Now, based on a specific customer project I did some research about this generic Exploit-based signature and I found the following blog article from Adrian F. Dimcev: http://carbonwind.net/Forefront_TMG/NIS_XSS_Sig/NIS_XSS_Sig.htm.

A really great article with very detailed information about the capabilities and limitations of the generic detection approach, but it is no longer up to date!

What does "not up to date" mean here? First of all, Microsoft changed the name and type of the signature. It is no longer an Exploit-based signature but a Policy-based signature, according to the signature-type descriptions on http://blogs.technet.com/b/isablog/archive/2010/11/30/nis-signature-types-or-why-some-signatures-are-disabled-by-default.aspx:

1. Vulnerability-based: These signatures will detect most variants of exploits against a given vulnerability.

2. Exploit-based: These signatures will detect a specific exploit of a given vulnerability.

3. Policy-based: These signatures are generally used for auditing purposes and are developed when neither a vulnerability-based nor an exploit-based signature can be written.

Therefore the new name of that signature is Plcy:Win/HTTP.URL.XSS!0000-0000, and, like other policy-based signatures, it is disabled out of the box (more details can be found on http://www.microsoft.com/security/portal/Threat/Encyclopedia/NIS.aspx?threat=Plcy-Win-HTTP-URL-XSS-0000-0000).

Secondly, and more importantly, Microsoft has updated the signature to support canonicalization (what Adrian's article calls encoded requests): the request is decoded before the pattern is matched, so a payload hidden behind URL encoding no longer slips past the signature. Based on that improvement, TMG NIS is now able to detect such requests. Let's see an example:

Figure 1: Forefront TMG 2010 NIS Logs: XSS detected

As you can see in Figure 1 above, NIS is able to detect a URL-encoded XSS attack. And the result is the same with a double-encoded request:

Figure 2: Forefront TMG 2010 NIS Logs: XSS detected
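To make the canonicalization point concrete, here is an added example of my own; it is not code from the original post and has nothing to do with Microsoft's NIS engine. It is a toy detector that applies one simple XSS pattern once against the raw request line and once against the canonicalized (repeatedly percent-decoded) request line, on constructed sample requests. The function names, the pattern and the sample request lines are all invented for the illustration; the single-, double- and %u-encoded variants are the cases the figures above are about.

```python
# Added example, not code from the original post or from Microsoft's NIS engine:
# a toy canonicalizing XSS detector showing why a signature must decode a
# request before pattern matching. All sample request lines are constructed.
import re
from urllib.parse import unquote

# Deliberately simple "signature": the raw markers a generic XSS rule looks for.
XSS_SIGNATURE = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover|focus)\s*=",
    re.IGNORECASE,
)

# Bound the number of decode passes: double encoding needs two, and an
# unbounded loop would let an attacker burn CPU or over-decode legitimate data.
MAX_DECODE_ROUNDS = 3


def _decode_percent_u(text):
    """Decode the non-standard %uXXXX form that IIS accepts and urllib ignores."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def canonicalize(text, max_rounds=MAX_DECODE_ROUNDS):
    """Return (canonical_text, rounds): decode %XX and %uXXXX repeatedly until
    the string stops changing or the round limit is reached."""
    current, rounds = text, 0
    for _ in range(max_rounds):
        decoded = unquote(_decode_percent_u(current))
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def naive_detect(request_line):
    """Match the signature against the request exactly as received (no decoding)."""
    return bool(XSS_SIGNATURE.search(request_line))


def canonical_detect(request_line):
    """Match the signature after canonicalization and also report how many
    encoding layers were stripped; the layer count is itself an audit signal."""
    canonical, rounds = canonicalize(request_line)
    return bool(XSS_SIGNATURE.search(canonical)), rounds


# Constructed sample request lines (not taken from any real TMG log).
SAMPLE_REQUESTS = {
    "plain":          "GET /search.aspx?q=<script>alert(1)</script> HTTP/1.1",
    "encoded":        "GET /search.aspx?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "double_encoded": "GET /search.aspx?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1",
    "percent_u":      "GET /search.aspx?q=%u003Cscript%u003Ealert(1)%u003C/script%u003E HTTP/1.1",
    "benign":         "GET /search.aspx?q=forefront+tmg+sp2 HTTP/1.1",
}


def scan_all(requests=SAMPLE_REQUESTS):
    """Run both detectors over every sample; returns name -> (naive, canonical, rounds)."""
    results = {}
    for name, line in requests.items():
        detected, rounds = canonical_detect(line)
        results[name] = (naive_detect(line), detected, rounds)
    return results


if __name__ == "__main__":
    print(f"{'request':<16}{'naive':<8}{'canonical':<11}layers")
    for name, (naive, canonical, rounds) in scan_all().items():
        print(f"{name:<16}{str(naive):<8}{str(canonical):<11}{rounds}")
```

The naive matcher only fires on the plain request; after canonicalization all four malicious variants are caught and the benign query stays clean. Note the bounded decode loop: a real engine has to cap the number of decoding passes, otherwise an attacker can trade a few extra `%25` layers for CPU time, and the number of layers that had to be stripped is worth logging on its own, since legitimate clients rarely double-encode.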

TMG Custom Error Pages are not displayed with IE 8/9 for HTTPS Sites

Have you asked yourself why IE 8 or 9 doesn't render the custom error page when an HTTPS site is blocked, especially since it works for an HTTP site?

The short answer: that's not a bug, it's by design. The IE product group made a design decision not to render an error page that comes from the proxy instead of the target server, as discussed in the article linked below:

“…Internet Explorer 8 has a feature that ensures that the secure connection is made all the way to the target server. If it isn’t, then no page is displayed…”

And the reason why this decision was made:

“…since a page from the proxy is never processed, it would not gain access to cookies belonging to the target domain that the user was trying to connect to.”

http://msdn.microsoft.com/en-us/magazine/dd565641(VS.85).aspx