MCSE ISA Server 2000 document - P16 pptx


Chapter 15 MONITORING NETWORK SECURITY AND USAGE
21 mcse CH15 6/5/01 1:22 PM Page 423

INTRODUCTION

All your efforts to configure ISA Server to provide manageable and efficient Web access while preventing external access to your private network are meaningless if you don't understand how to monitor the security of your network and determine how it is really being used. Are you really blocking access? What parts are open? What are the potential sources of attack? Is anyone attempting to breach your security? Have they? It's necessary to understand logging, alerting, and the tools that are available to assist you in evaluating your security setup. There are two broad areas to cover:

- Monitoring Security and Network Usage with Logging and Alerting
- Troubleshooting Problems with Security and Network Usage

Monitoring Security and Network Usage with Logging and Alerting

Monitor security and network usage by using logging and alerting.

ISA logs and alerts can be used to monitor security and network usage. To do so, you need to understand the information in them. Configuring intrusion detection is easy; being sure you understand what you have done and how to use it is not. In order to understand the logs and how to use the intrusion detection facilities, you need to learn about:

- Configuring logs
- Configuring intrusion detection
- Configuring alerts
- Automating alert configuration
- Monitoring alert status

Configuring Logs

By default, ISA Server logs information to three files in the ISALogs folder in the ISA Server installation folder. There are three logs:

- IPPEXTDyyyymmdd.log. Information on blocked (by default) and allowed (if configured) packets. To enable the logging of "allowed" packets, check the Log Packets from Allow filters check box on the IP Packet Filters property page (see Figure 15.1).
- FWSEXTDyyyymmdd.log. Information on packets handled by the firewall service.
- WEBEXTDyyyymmdd.log. Information handled by the Web proxy service.

Each log is configured in a similar manner.

Understanding Log Choices

There are four configurable areas of the logs:

- Log storage format. Log information, by default, is placed in a W3C extended log format file but can be changed to ISA Server Format or logged to an ODBC database (SQL Server or Access). See the section "Logging to an ODBC Database" later in this chapter.
- Enabling or disabling the log. A check box on the Log tab of the log properties page controls whether data is logged (see Figure 15.2).
- Log options. You can decide to create a new log daily, weekly, monthly, or yearly. You decide how many log files to keep. Log files can be moved to the folder of your choice and can be compressed.
- Log fields. Each log allows selection of a variety of fields (see Figure 15.3).

FIGURE 15.1 Allowing allowed packets to be logged.
FIGURE 15.2 Log options.

TABLE 15.1 LOG FORMAT DIFFERENCES

                       | W3C Extended                           | ISA Format
Contains               | Data and info about data               | Just data
Are all fields logged? | Unselected fields are logged as dashes | Unselected fields are not logged
Delimiter              | Tab                                    | Comma
Date and time format   | GMT                                    | Local time

Logging to an ODBC Database

Logging data to an ODBC database allows you to have more control over where data is logged. You also can record all data from various ISA Servers in one database, at one location. However, you will have to create your own database, including tables and other objects, and be prepared to create your own reports for interpreting the data. ISA Server provides support by making ODBC database logging a matter of a simple configuration change and by providing sample SQL scripts for creating the necessary tables.
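As an added illustration of the Table 15.1 differences (this is example code, not from the book or from ISA Server), the following Python parses constructed sample lines in both formats and aligns them to one record shape: W3C's "-" placeholders become None and its GMT timestamps stay in UTC, while ISA format's missing columns are named from the configured field list and its local timestamps are converted to UTC using an assumed offset. The field names, addresses and the UTC-4 offset are assumptions for the example, not ISA Server's actual log fields.

```python
"""Parse log lines in W3C extended and ISA formats and align them (constructed example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed W3C extended sample: '#' directives, tab delimiter, an
# unselected field (r-port) logged as '-', date/time in GMT.
# Field names are illustrative, not ISA Server's real packet-filter fields.
W3C_SAMPLE = (
    "#Software: hypothetical ISA Server log\n"
    "#Fields: date time c-ip r-ip protocol r-port action\n"
    "2001-06-05\t13:22:10\t10.0.0.5\t192.0.2.10\tTCP\t-\tBLOCK\n"
    "2001-06-05\t13:22:11\t10.0.0.5\t192.0.2.10\tUDP\t-\tALLOW\n"
)

# The same two events in ISA format: comma delimiter, no header, the
# unselected column simply absent, date/time in local time (assumed UTC-4).
ISA_SAMPLE = (
    "2001-06-05,09:22:10,10.0.0.5,192.0.2.10,TCP,BLOCK\n"
    "2001-06-05,09:22:11,10.0.0.5,192.0.2.10,UDP,ALLOW\n"
)
ISA_FIELDS = ["date", "time", "c-ip", "r-ip", "protocol", "action"]

Record = Dict[str, object]


def _stamp(date: str, time: str, tz: timezone) -> datetime:
    """Combine the date and time columns into an aware datetime in tz."""
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def parse_w3c(text: str) -> List[Record]:
    """W3C extended: field names come from the #Fields directive, '-' means
    'not logged', and the timestamp is already GMT (kept as UTC)."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("data line before #Fields directive")
        values = line.split("\t")
        rec: Record = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        rec["timestamp"] = _stamp(str(rec["date"]), str(rec["time"]), timezone.utc)
        records.append(rec)
    return records


def parse_isa(text: str, fields: List[str], local_utc_offset_hours: int) -> List[Record]:
    """ISA format: no header, so the configured field list supplies the column
    names; unselected fields are absent; local time is converted to UTC."""
    tz = timezone(timedelta(hours=local_utc_offset_hours))
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        values = line.split(",")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rec: Record = dict(zip(fields, values))
        local = _stamp(values[fields.index("date")], values[fields.index("time")], tz)
        rec["timestamp"] = local.astimezone(timezone.utc)
        records.append(rec)
    return records


def same_events(a: List[Record], b: List[Record], keys=("timestamp", "c-ip", "r-ip", "action")) -> bool:
    """True when the two logs describe the same events once time zones align."""
    return len(a) == len(b) and all(x[k] == y[k] for x, y in zip(a, b) for k in keys)
```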
To complete the process, you must do the following:

- Create the database and tables to hold the data.
- Create the ODBC Data Source Name (DSN). This allows ISA Server to transfer data to the database.
- Configure the ISA Server logs to log to the ODBC database.

Instructions follow for logging the packet filter log to an Access database. Repeat these instructions to move logging of other data to tables in your Microsoft Access database. However, I recommend this in a test environment only. Using a Microsoft SQL Server database on a separate machine is a better enterprise solution. Security can be tighter and your options are more flexible. In either case, you will have to develop your own queries, reports, and so on.

FIGURE 15.3 Selecting log fields to record.

NOTE: W3C Versus ISA Format. There are a number of differences in these two formats that you should take note of in making your choice. Table 15.1 compares them. Take special note that W3C format date and time is GMT; otherwise you will be rather unclear as to what is happening in the log.

EXAM TIP: SMS 1.0 Based Questions. The location of the SMS.INI file was the root of the C:\ drive in SMS version 1.0, which has been changed in version 1.2.

Creating the Database and Tables

Files (fwsrv.sql, pf.sql, w3proxy.sql) with sample SQL code for creating the tables are located in the ISA Server CDROM\ISA folder. To create the tables, you can paste the statement text in the query window of Microsoft SQL Server or Microsoft Access and run the query. Instructions for creating a single table in Microsoft Access are listed in Step by Step 15.1.

STEP BY STEP 15.1 Creating a Microsoft Access Packet Filter Log Table

1. Open the pf.sql file in Notepad, select the Create Table statement, and copy it to the Clipboard (Ctrl + C).
2. Close Notepad.
3. Open Microsoft Access and create a new Microsoft Access database.
4. In the Objects column, select Query.
5. On the toolbar, click New.
6. Select Design View and click OK.
7. In the Show Table dialog box, click Close.
8. Right-click the Query window and select SQL Specific, then Data Definition.
9. Paste (Ctrl + V) the Create Table statement.
10. From the menu bar, select Query\Run to run the query and create the table.
11. Close the Query window.
12. From the Object list, select Table, and open the table to see if it was created correctly.
13. Save the database and close Microsoft Access.

Creating the Data Source Name

Next you must create the Data Source Name to be used by ISA Server to access the database. This is done in the ODBC Data Source Administrator and listed in Step by Step 15.2.

STEP BY STEP 15.2 Using the Delegation of Control Wizard

1. Open the Start, Programs, Administrative Tools, ODBC Data Sources (ODBC) program.
2. Click the System DSN tab.
3. Click the Add button.
4. Select the Microsoft Access Driver (*.mdb) and click Finish.
5. On the ODBC Microsoft Access Setup page, enter the Data Source Name (see Figure 15.4).
6. Enter a description.
7. Click the Select Database button, browse to the database, and click OK.
8. Click OK twice to complete the task and exit the program.

FIGURE 15.4 Completing the DSN.

Configuring ISA Server to Log to the Database

Finally, you must point ISA Server to the DSN by using the Properties page of the log file in the ISA Server Management Console. See Step by Step 15.3.

STEP BY STEP 15.3 Configuring the ODBC Log Option

1. Click Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring Configuration\Logs.
2. Double-click the Packet Filters log icon in the details pane to expose its property pages.
3. Click the Database button under Log Storage Format.
4. Enter the name of the ODBC data source.
5. Enter the Table name.
6. Click the Set Account button, select the account to be used, enter the password, and click OK.
7. Click OK.

To confirm a successful change to the logging status, open the database in Access and browse the table (see Figure 15.5). Check the event logs for information to troubleshoot failed attempts.

FIGURE 15.5 Results in Access.

Configuring Intrusion Detection

Configure intrusion detection.

Intrusion detection capabilities are configured in two places:

- Intrusion Detection of common attacks is enabled at IP Packet Filters\properties.
- Additional Intrusion Detection Filters for specific protocols are found in the Extensions\Application filters folder.

Detection of Common Attacks

ISA Server comes with intrusion detection alerts for several common attacks. This functionality is based on technology licensed from Internet Security Systems, Inc. (http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/070300266.plt). To effectively utilize the intrusion detection capabilities of ISA Server, you must be able to configure it, as well as understand the meaning of the alerts it generates and what to do about them. This section gives you specifics about configuring intrusion detection (see Step by Step 15.4). You must use the following sections on alerts to understand the results generated. Table 15.2 defines the alerts and provides information on the alerts and events each attack may generate.
Information on these alerts and the steps to creating new alerts can be found in later sections.

TABLE 15.2 INTRUSION DETECTION

Attack        | Description | Associated Built-In Alerts/Event Messages
WinNuke       | Windows out-of-band attack: a denial-of-service attack attempt against an internal computer that includes unexpected information, or lacks expected information. | Intrusion detected alert; event messages 15001; 15101
Land          | A TCP SYN packet sent with a spoofed source IP address and port number matching the destination IP address and port. | Intrusion detected; IP spoofing; event messages 15003; 15103
Ping of death | A large amount of information is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet. | Intrusion detected; event messages 15007; 151007
IP half scan  | Many attempts at connection to a computer are made, but no corresponding ACK packets are communicated. | Intrusion detected alert; event messages 15002; 15102
UDP bomb      | UDP packets constructed with illegal values in some fields are being sent. | Intrusion detected; event messages 15006; 15106
Port scan     | An attempt to access more than the configured number of ports (settable threshold): detect after attacks on x well-known ports, and detect after attacks on x ports. | Intrusion detected alert; event messages 15004 and 15104 (enumerated); event messages 15005 and 15105 (generic)

STEP BY STEP 15.4 Configuring Intrusion Detection

1. Right-click the Internet Security and Acceleration Server\Servers and Arrays\name\Access Policy\IP Packet Filters folder, and select Properties.
2. Check the Enable packet filtering and Enable Intrusion Detection check boxes (see Figure 15.6).
3. Change to the Intrusion Detection tab and select the check boxes for the attacks for which you want to generate events. Table 15.2 lists and describes the attacks (see Figure 15.7).
4. If you select the Port Scan check box, you must also decide and fill in your choices for the number of attacks that will generate an event. (Two choices exist: one for "well-known ports" and one for "ports.")
5. Click OK.
6. Visit the Monitoring Configuration\Alerts folder to create new alerts and assure alerts for these attacks are configured and enabled.

FIGURE 15.6 Enabling intrusion detection.
FIGURE 15.7 Selecting attack signatures.

Application Filters

In addition to these intrusion detection filters, which are triggered by an inspection of packets, two application filters perform intrusion detection chores for the DNS and POP protocols. These filters are enabled/disabled in the Extensions\Application Filters folder. The DNS intrusion detection filter looks for common DNS-related attacks. Its configuration is detailed in Step by Step 15.5. When this filter is enabled, the "DNS intrusion alert" is triggered in response to activity that meets your configuration choices.

STEP BY STEP 15.5 Configuring the DNS Intrusion Detection Application Filter

1. Click Internet Security and Acceleration Server\Servers and Arrays\name\Extensions\Application Filters.
2. Double-click the DNS intrusion detection filter to display the properties page.
3. On the General page, click the Enable box to enable the filter.
4. Select the Attacks page and select the check boxes for the attacks you need to filter for. Table 15.3 lists and describes the attacks (see Figure 15.8).
5. Click OK.

TABLE 15.3 DNS INTRUSION DETECTION FILTER ATTACK FOOTPRINTS

Attack | Description
DNS hostname overflow | A DNS hostname in a response is too large and might overflow internal buffers, thus potentially allowing an attacker to execute arbitrary code on the target computer.
DNS length overflow | The length of a DNS response for IP addresses is set for a length of four bytes. If an application doing the lookup returns a DNS response with a larger value, internal buffers may overflow.
DNS zone transfer from privileged ports (1–1024) | DNS zone transfers from unauthorized sources can provide an attacker with information about your internal network. The DNS server should be configured to only allow transfer requests from approved servers. This filter can detect attempts to obtain zone transfers from internal systems. The ports 1–1024, the privileged or well-known ports, are used by services, and the request therefore is more likely to be coming from another server (and possibly be valid).
DNS zone transfer from privileged ports (above 1024) | See the previous entry. Requests from ports above 1024 are likely to be coming from client systems. You may want to be able to tell if the transfer was attempted from a client or a server, thus the separation of the two. There is no need to allow zone transfers to a client system. You may need to permit zone transfers through the firewall and yet want to prevent unauthorized attempts. In either case, you need to secure DNS and not allow zone transfers except to authorized systems.

NOTE: Well-Known Ports. Because ports name the ends of logical connections, it makes sense to control the numbers assigned to many well-known computer services. The Internet Assigned Numbers Authority (www.iana.org) assigns these ports.
The latest RFC that references the assignments is RFC 1700 (http://www.isi.edu/in-notes/rfc1700.txt), which also describes the list of ports used by the server process as well-known ports. The term has come to mean the ports commonly restricted to assignment by IANA: ports 0–1023. Some also include port 1024, which is defined in RFC 1700 as a "registered" port number reserved by IANA but also listed in the "well-known ports" list. A more up-to-date reference on port assignments and other IANA assigned numbers can be found at http://www.iana.org/numbers.htm.

FIGURE 15.8 Configuring the DNS intrusion detection filter.

[...] performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis. Analyze the performance of the ISA Server computer by using Performance Monitor. Analyze the performance of the ISA Server computer by using reporting and logging. Control the total RAM used by ISA Server for caching. In order to utilize reporting information to optimize ISA Server, you...

[...] additional ISA Servers to the array. To be able to do this, you must spend time learning how to use reports, logs, and Performance Monitor to gather information, and then analyze what it means. This information can then be your guide in optimizing the system. This chapter gets you started by covering these topics:

- Analyze ISA Server Performance Using Reports
- Optimize ISA Server Performance

ANALYZING ISA SERVER...

[...] exam: Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security. What reports does ISA Server generate? What do they show? How can they be used to determine whether ISA Server is performing its job efficiently and effectively?
When we talk about analyzing the performance of a server we often think of speed as...

[...] APPLY YOUR KNOWLEDGE

Exercises

15.1 In all the excitement of setting up ISA Server, it's easy to forget why it is being done. Ultimately, you will want to know if your hard work is helping to protect your network. To do so, you must configure intrusion detection and alerting, and test your ISA...

[...] program.

OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Monitoring, Managing, and Analyzing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server...

[...] logical path on each server. For logical paths, use environmental variables (such as %SystemDrive%) in the path.

STEP BY STEP 15.6 Creating a New Alert

1. Right-click Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring Configuration\Alerts and select New Alert.
2. Enter the name for the alert, and click Next.
3. If in an ISA Server array, select either Any Server to configure for all servers in the array, or This Server to specify which server will trigger the alert. Click Next.
4. Select an event from the Event drop-down box. If the event has additional...

FIGURE 15.9 Configure an alert.

[...] of information provided in the reports. Examine the Registry keys mentioned. Are they set to some value by default?
Use ISA Server Performance Monitor to observe normal operations. Generate activity, or observe a production ISA Server to look at peak and off-peak activity. Configure ISA Server to automatically log performance data during a peak usage time and examine the logs produced.

[...] amount of time before being reset. The management functions of ISA Server are COM functions documented in the ISA Server SDK. The potential for selecting and setting multiple alerts to email an administrator, and other scenarios for configuring multiple alerts to use the same actions, is a good use of this functionality. In an enterprise, group ISA Servers into arrays and set the alerts one time for the entire...

[...] (TCP, UDP, ICMP, IP) basis.

IN THE FIELD

Even a simple tool can lead to interesting results. I was recently asked to audit the setup of an ISA Server. Figure 15.13, which is a snapshot of a portion of a window after running netstat -na on an ISA Server with a published Web server, clearly shows the Web proxy port 8080 open and listening on the internal interface and the port 80 open and listening on the external...
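Returning to the intrusion detection material above (Tables 15.2 and 15.3), here is an added Python example, not from the book and not ISA Server's licensed engine, that expresses three of the footprints as plain detection rules over constructed packet summaries: the Land check, the port-scan rule with its two thresholds (well-known ports versus all ports), and the split of DNS zone-transfer requests by source-port range as the DNS filter's two check boxes do. The record layout, the addresses, and the threshold semantics (alert once the distinct-port count reaches x) are this example's assumptions.

```python
"""Detection rules mirroring footprints from Tables 15.2 and 15.3 (constructed
example): Land, port scan with two thresholds, DNS zone-transfer port classes."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

WELL_KNOWN_MAX = 1023        # IANA well-known range 0-1023 (see the note on RFC 1700)
DNS_PRIVILEGED_MAX = 1024    # the DNS filter splits at 1-1024 versus above 1024

# (src_ip, src_port, dst_ip, dst_port, protocol, marker); all values made up.
Packet = Tuple[str, int, str, int, str, str]
PACKETS: List[Packet] = [
    ("192.0.2.7", 80, "192.0.2.7", 80, "TCP", "SYN"),  # Land footprint
    # one SYN each to seven well-known ports and two high ports of one host
    *[("198.51.100.9", 40000 + p, "192.0.2.7", p, "TCP", "SYN")
      for p in (21, 22, 23, 25, 80, 110, 443, 8080, 3389)],
    ("203.0.113.4", 53, "192.0.2.7", 53, "TCP", "AXFR"),     # transfer request from port 53
    ("203.0.113.5", 34567, "192.0.2.7", 53, "TCP", "AXFR"),  # transfer request from a high port
]


def detect_land(packets: List[Packet]) -> List[str]:
    """Land: a TCP SYN whose source address and port equal the destination's."""
    return [f"Land: {s}:{sp} -> {d}:{dp}"
            for s, sp, d, dp, proto, mark in packets
            if proto == "TCP" and mark == "SYN" and s == d and sp == dp]


def detect_port_scans(packets: List[Packet], well_known_after: int, ports_after: int) -> Dict[str, dict]:
    """Port scan with the two configurable thresholds: 'detect after attacks on x
    well-known ports' and 'detect after attacks on x ports'. Assumption: the
    alert fires once the number of distinct destination ports touched reaches x."""
    touched: Dict[str, Set[int]] = defaultdict(set)
    for s, _sp, _d, dp, proto, _mark in packets:
        if proto in ("TCP", "UDP"):
            touched[s].add(dp)
    alerts: Dict[str, dict] = {}
    for src, ports in touched.items():
        well_known = {p for p in ports if p <= WELL_KNOWN_MAX}
        hit_well_known = len(well_known) >= well_known_after
        hit_any = len(ports) >= ports_after
        if hit_well_known or hit_any:
            alerts[src] = {"well_known": hit_well_known, "any": hit_any, "ports": sorted(ports)}
    return alerts


def classify_zone_transfers(packets: List[Packet]) -> List[Tuple[str, int, str]]:
    """Tag zone-transfer requests by source-port range: 'privileged' for 1-1024
    (more likely another server), 'high' for ports above 1024 (likely a client)."""
    return [(s, sp, "privileged" if 1 <= sp <= DNS_PRIVILEGED_MAX else "high")
            for s, sp, _d, dp, _proto, mark in packets
            if dp == 53 and mark == "AXFR"]
```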

Posted: 22/01/2014, 00:20
