Stirling/TMG Firewall Honeypot Detection
Did you know that the upcoming TMG firewall has a “honeypot detector” feature? Well, it does, but in order to take advantage of it you need to join the TMG firewall to a Stirling security server. Once you do that, you’ll be offered the opportunity to designate a “honeypot” IP address. The honeypot IP address is a phantom address that isn’t actually used on the network. When the TMG firewall detects that repeated connection attempts are being made to a non-existent IP address, it can assume that there may be a worm scanning the network.
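The detection idea described above (repeated connection attempts to an unused address suggest a scanning worm), as an added example that is not code from this post or from TMG/Stirling: a sliding-window counter over firewall log lines. The log format, addresses, threshold and window are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not TMG's real log schema):
#   <ISO timestamp> SRC=<ip> DST=<ip> DPORT=<port>
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPORT=(\d+)$")

def find_honeypot_scanners(lines, honeypot_ip, threshold=3, window_seconds=60):
    """Map each source IP to the time it first reached `threshold` connection
    attempts to `honeypot_ip` within `window_seconds`. Lines must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source IP -> attempt times still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the scan
        ts_raw, src, dst, _port = m.groups()
        if dst != honeypot_ip or src in alerts:
            continue  # normal traffic, or a source already flagged
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        attempts = recent[src]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()  # drop attempts that aged out of the window
        if len(attempts) >= threshold:
            alerts[src] = ts
    return alerts

# Constructed sample log: 10.0.0.250 is the unused (honeypot) address.
SAMPLE_LOG = [
    "2009-03-10T09:00:01 SRC=10.0.0.23 DST=10.0.0.250 DPORT=445",
    "2009-03-10T09:00:02 SRC=10.0.0.40 DST=10.0.0.10 DPORT=80",
    "2009-03-10T09:00:03 SRC=10.0.0.23 DST=10.0.0.250 DPORT=139",
    "garbled line without fields",
    "2009-03-10T09:00:05 SRC=10.0.0.23 DST=10.0.0.250 DPORT=135",
    "2009-03-10T09:00:10 SRC=10.0.0.40 DST=10.0.0.250 DPORT=80",
    "2009-03-10T09:05:00 SRC=10.0.0.40 DST=10.0.0.250 DPORT=80",
    "2009-03-10T09:10:00 SRC=10.0.0.40 DST=10.0.0.250 DPORT=80",
]

if __name__ == "__main__":
    for src, when in find_honeypot_scanners(SAMPLE_LOG, "10.0.0.250").items():
        print(f"ALERT {when.isoformat()} possible worm scan from {src}")
```

The second host touches the honeypot address three times but minutes apart, so it stays below the threshold; widening the window trades fewer missed slow scans for more alerts on stray or misconfigured clients.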
The Stirling and TMG firewall teams put together a nice article on their experiences with the TMG/Stirling honeypot detector.
The figure below from their article shows the alert they saw. Indeed! Honeypot detection works for them.
But you’ll want to see the “rest of the story”. Check it out at:
https://blogs.technet.com/isablog/archive/2009/03/...e.aspx
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

John Says:
May 15th, 2009 at 7:08 am
Dr. Tom, I am puzzled by the differences between TMG Beta 2 and Stirling. Are they the same thing, just different names? If different, what purpose does Stirling serve?