Microsoft NIS and the misplaced “state-of-the-art”

Apparently Microsoft’s NIS (Network Inspection System) made some sparks on the web the other day.

It all seems to have started with a somewhat badly formulated blog entry that touched a bit of pride somewhere. [1]

This prompted Robert Graham to chip in and draw some of the missing lines. [2]

The thing is that NIS was not built to be a “state-of-the-art” IPS whose protocol analysis solves the false positive and false negative problem.

The missing link [3]
The original blog entry seems to miss one piece of information (although it is linked from another document used as a reference), and this appears to be how the “state-of-the-art” label ended up misplaced.

The only combination of “state-of-the-art” and protocol analysis that Microsoft itself originally mentioned (to my current knowledge) refers to the ability to create protocol analyzers easily, without developing them in languages like C; see [3].

Regarding NIS and TMG, a couple of things must be noted:

  • currently it only provides protection for MS products.
  • small signature database, hence small threat coverage; many of the signatures are exploit based, fewer are vulnerability based.
  • as of this writing it does not provide generic vulnerability based signatures covering whole classes of attacks.
  • it does provide protocol anomaly detection for a number of protocols.
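To make the three points above concrete (an analyzer driven by a declarative spec rather than hand-written C, the difference between exploit based and vulnerability based signatures, and protocol anomaly detection), here is an added example that is not code from the original post, from Microsoft, or from NIS/TMG. The “TOYP” message format, its 64-byte name limit, the signature patterns and the sample traffic are all constructed for this illustration; nothing here describes a real protocol or a real NIS signature.

```python
"""
Toy illustration: a spec-driven protocol analyzer plus two kinds of signatures.
The protocol ("TOYP"), its limits and the sample messages are constructed
for this example; they do not correspond to any real protocol or product.
"""
import re
import struct

# Declarative message layout: the analyzer is driven by this table instead of
# hand-written C parsing code (the idea behind a "generic" analyzer).
# Each entry: (field name, kind, parameter). kind "u16" = big-endian uint16;
# kind "lpstr" = byte string whose length is taken from an earlier u16 field.
TOYP_SPEC = [
    ("version", "u16", None),
    ("name_len", "u16", None),
    ("name", "lpstr", "name_len"),
]

# Hypothetical protocol limit, the kind of bound a vulnerability-based
# signature checks: a conforming "name" is at most 64 bytes.
NAME_MAX = 64


class ProtocolAnomaly(Exception):
    """Message does not conform to the declared layout."""


def parse(spec, data):
    """Interpret the spec table over raw bytes; raise on malformed input."""
    fields, pos = {}, 0
    for name, kind, param in spec:
        if kind == "u16":
            if pos + 2 > len(data):
                raise ProtocolAnomaly(f"truncated before {name}")
            fields[name] = struct.unpack_from(">H", data, pos)[0]
            pos += 2
        elif kind == "lpstr":
            n = fields[param]
            if pos + n > len(data):
                raise ProtocolAnomaly(
                    f"{name}: declared {n} bytes, {len(data) - pos} present")
            fields[name] = data[pos:pos + n]
            pos += n
        else:
            raise ValueError(f"unknown field kind {kind}")
    if pos != len(data):
        raise ProtocolAnomaly(f"{len(data) - pos} trailing bytes")
    return fields


# Exploit-based signature: matches bytes seen in one particular (constructed)
# exploit, here an 8-byte 0x90 filler. Trivial to evade by changing the filler.
EXPLOIT_PATTERN = re.compile(rb"\x90{8}")


def exploit_signature_hits(data):
    return EXPLOIT_PATTERN.search(data) is not None


# Vulnerability-based signature: expressed over parsed fields, it describes the
# condition that triggers the flaw (oversized name), so every variant hits it.
def vulnerability_signature_hits(fields):
    return fields["name_len"] > NAME_MAX


def build(name, version=1, declared_len=None):
    """Constructed TOYP encoder; declared_len lets us forge a bad length field."""
    n = len(name) if declared_len is None else declared_len
    return struct.pack(">HH", version, n) + name


def classify(data):
    """Run the analyzer and both signature kinds; return a verdict string."""
    try:
        fields = parse(TOYP_SPEC, data)
    except ProtocolAnomaly as e:
        return f"anomaly: {e}"
    verdicts = []
    if exploit_signature_hits(data):
        verdicts.append("exploit-sig")
    if vulnerability_signature_hits(fields):
        verdicts.append("vuln-sig")
    return ",".join(verdicts) or "clean"


# Constructed sample traffic.
SAMPLES = {
    "benign": build(b"alice"),
    "known_exploit": build(b"\x90" * 8 + b"A" * 100),    # both signatures fire
    "mutated_exploit": build(b"\x91" * 8 + b"A" * 100),  # only the vuln signature fires
    "malformed": build(b"bob", declared_len=500),        # protocol anomaly
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:16} -> {classify(msg)}")
```

The point of the mutated sample is the one the list makes: an exploit based signature keyed on bytes from one known exploit stops matching after a one-byte change, while the vulnerability based check, written against the parsed field rather than the raw payload, still fires. The malformed sample shows what protocol anomaly detection catches independently of any signature: a message whose declared length does not match what is on the wire.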

References
[1] https://www.infosecisland.com/blogview/15029-Threat-Blocking-With-Network-Inspection-System-NIS.html
[2] http://erratasec.blogspot.com/2011/07/those-who-dont-know-state-of-art-are.html
[3] http://research.microsoft.com/pubs/70223/tr-2005-133.pdf