Module 8: Monitoring and Reporting


Contents
Overview 1
Planning a Monitoring and Reporting Strategy 2
Monitoring Intrusion Detection 3
Monitoring ISA Server Activity 14
Analyzing ISA Server Activity by Using Reports 19
Monitoring Real-Time Activity 27
Testing the ISA Server Configuration 32
Lab A: Monitoring and Reporting 34
Review 41

Module 8: Monitoring and Reporting

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any

Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart

Instructor Notes
This module provides students with the knowledge and skills to monitor
Microsoft® Internet Security and Acceleration (ISA) Server 2000 activities by
using alerts, logging, reporting, and real-time monitoring.
After completing this module, students will be able to:

Plan a strategy for monitoring and reporting ISA Server activities.

Configure alerts to monitor intrusion detection.

Configure logging to monitor ISA Server activity.

Use reports to analyze ISA Server activity.



Read Module 8, "Monitoring and Optimizing Performance in
Windows 2000," in Course 2152B, Implementing Microsoft Windows® 2000
Professional and Server.

Review the \sdk\bin\isasdk.chm file on the ISA Server compact disc.

Presentation:
45 Minutes

Lab:
30 Minutes

Instructor Setup for Lab
Lab A: Monitoring and Reporting

To prepare for the lab:
1. Open a command prompt window.
2. At the command prompt, type cd C:\MOC\2159a\Labfiles\Lab8
3. When a student asks you during the lab to perform a simulated port scan
attack, type portscan ip_address (where ip_address is the IP address of the
student’s ISA Server computer on the classroom network), and then press
ENTER.


Module Strategy

Explain that the ISA Server real-time monitoring feature enables you to
centrally monitor ISA Server computer activity, including the current
sessions. Point out the ISA Server Performance Monitor on the Microsoft
ISA Server menu.

Testing the ISA Server Configuration
Explain that after configuring ISA Server, it is recommended that you test
your configuration to ensure that ISA Server correctly enforces the security
settings. Explain that you can use a third-party intrusion detection system or
the applications that are included with Windows 2000 to test the ISA Server
configuration.


Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one

Important

Setup Requirement 4
The lab in this module requires that all ISA Server client computers be
configured to use the ISA Server computer’s IP address on the private network
as their default gateway. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure the default gateway manually.

Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure Internet Explorer manually.

Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol

Enable packet filtering manually.


Lab Results
Performing the lab in this module introduces the following configuration
changes:

Intrusion detection is enabled.

Alerts are configured for port scanning.

Reports are created.

The ISA Server computer is published as a Network News Transfer Protocol
(NNTP) server.

The ISA Server client computer is published as a Simple Mail Transfer
Protocol (SMTP) and Internet Message Access Protocol (IMAP) server.

Overview

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity


Use reports to analyze ISA Server activity.

Monitor ISA Server computer activity.

Test the ISA Server configuration.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about monitoring ISA Server activities by using alerts, logging, reporting, and real-time monitoring.

Planning a Monitoring and Reporting Strategy
Categorize the information that you need to collect
Determine what information is most critical
Document your strategy
Create a schedule for regular review of logs
Design a plan for archiving logs


Create a schedule for regular review of the logs.

Design a plan for archiving the logs.
• You can use archived logs to discover trends, to investigate the source of future alerts, or for legal purposes.

Topic Objective: To describe guidelines to consider when planning a monitoring and reporting strategy.
Lead-in: Consider the following guidelines when you plan a monitoring and reporting strategy.

Monitoring Intrusion Detection

IP Packet–Level Attacks

Application–Level Attacks

Configuring Intrusion Detection

to monitoring intrusion detection.
Lead-in: ISA Server includes an integrated intrusion detection system.
Delivery Tip: Remind students that although this course presents alerting in the context of intrusion detection, students can also use alerting for other purposes.
Important

IP Packet–Level Attacks

All Ports Scan Attack

IP Half Scan Attack

Land Attack

Ping of Death Attack

UDP Bomb Attack

Windows Out-of-Band Attack

attack can cause computers that are running certain TCP implementations to
stop responding, which denies service to legitimate users.
Topic Objective: To describe the types of attacks that ISA Server can detect at the IP packet level.
Lead-in: At the IP packet level, ISA Server can detect the following attacks.
Delivery Tip: Point out that all attacks at the IP packet level attempt intrusion by using a single IP packet or a connection sequence. Do not explain each attack in detail, but use one or two of them as examples.


UDP bomb attack. Occurs when an intruder attempts to send an illegal User
Datagram Protocol (UDP) packet. A UDP packet that is constructed with
illegal values in certain fields will cause computers that are running some
older operating systems to crash when the packet is received.

Windows out-of-band attack. Occurs when an intruder attempts an out-of-
band, denial-of-service attack against a computer that is protected by
ISA Server. A denial-of-service attack is an attempt to disable a computer or

targeted computer.

DNS length overflow. Occurs when an IP address contains a length field
with a value larger than 4 bytes. This attack can cause improperly written
applications that perform DNS lookups to overflow the internal buffers.
This attack can allow a remote attacker to execute arbitrary commands on a
targeted computer.

DNS zone transfer from privileged ports (1–1024). Occurs when a computer
uses a DNS client application to transfer zones from an internal DNS server.
DNS zone information should not usually be transferred to external
computers, because it may contain sensitive information about your
network. The ports between 1 and 1024 are privileged ports, which are
reserved for server applications. Typically, a zone transfer request from a
port number between 1 and 1024 indicates that the request originates from a
server application, although there is no guarantee that it originates from a
server application.

DNS zone transfer from high ports (above 1024). Is similar to a DNS zone
transfer from a privileged port. Typically, a zone transfer request from a
port number over 1024 indicates that the request originates from a client
application, although there is no guarantee that it originates from a client
application.

POP buffer overflow. Occurs when an intruder attempts to gain privileged
access to computers that are running certain versions of a Post Office
Protocol (POP) server by overflowing an internal buffer on the server.

Topic Objective: To describe the types of
[Screenshot: Intrusion Detection settings. Attack check boxes: IP half scan, UDP bomb, Port scan; Detect after attacks on 10 well-known ports; Detect after attacks on 20 ports. Note on the dialog: "To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder. Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net".]
[Screenshot: DNS intrusion detection filter Properties, Attacks tab, "Filter incoming traffic for the following": DNS host name overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024), DNS zone transfer from high ports (above 1024).]
Select Attacks: Select the options that are required to implement your monitoring strategy.


intrusion detection, ISA Server identifies when an attack is attempted against your network and then performs a set of preconfigured actions.
Key Point: Although ISA Server generates events whenever a selected intrusion attack occurs, ISA Server generates alerts only if you specifically configure ISA Server to do so.
Important

4. If you select the Port scan check box, perform the following actions, and
then click OK:
• In the Detect after attacks on … well-known ports box, type the
maximum number of well-known ports that can be scanned before
generating an event. Well-known ports are UDP and TCP ports in the
range 0–2048. Intruders frequently scan well-known ports because most
services listen for connections on these ports. An intruder is most likely
to find vulnerable ports by scanning well-known ports.
• In the Detect after attacks on … ports box, type the total number of
ports that can be scanned before generating an alert.

Configuring the DNS Intrusion Detection Filter
The DNS intrusion detection filter intercepts and analyzes DNS traffic destined

[Screenshot: ISA Management console tree (Monitoring; Computer; Access Policy: Site and Content Rules, Protocol Rules, IP Packet Filters; Publishing; Bandwidth Rules; Policy Elements; Cache Configuration; Monitoring Configuration: Alerts, Logs, Report Jobs; Extensions: Application Filters, Web Filters; Network Configuration; Client Configuration; H.323 Gatekeepers). The Alerts details pane lists predefined alerts such as Alert action failure, Cache container initialization error, Cache container recovery complete, Cache file resize failure, Cache initialization failure, Cache restoration completed, Cache write error, Cached object discarded, Component load failure, and Configuration error, each with its description, the server name (PHOENIX), and the event that triggers it.]

Events are conditions that ISA Server can detect during its operation, such as an
intrusion attempt, a problem with a service running on an ISA Server computer,
or a communication failure. You use events when you configure an alert. An
alert defines the actions that ISA Server performs when it detects an event.
When you create an alert, you must specify an event that triggers the alert.
The following table lists some of the events that ISA Server can detect.
Event                       Description
DNS intrusion               Indicates that a host name overflow, length overflow, zone high port, or zone transfer attack has occurred.
Intrusion detected          Indicates that an external user attempted an intrusion attack.
IP packet dropped           Indicates that an IP packet that is not allowed by an access policy was dropped.
IP protocol violation       Indicates that ISA Server detected and dropped a packet with invalid IP options.
IP spoofing                 Indicates an IP packet source address is not valid.
POP intrusion               Detects a POP buffer overflow attack.
SOCKS request was refused   Indicates that ISA Server refused a SOCKS

[Screenshot: Alert Properties dialog (General, Events, Actions tabs), Actions tab: Send e-mail (SMTP server: europe.london.msft; To: [email protected]; Cc; From: [email protected]; Test); Run this program (Browse, Use this account, Set Account); Report to Windows 2000 event log; Stop selected services (Select); Start selected services (Select).]

In addition, you can use scripts to configure advanced actions for
ISA Server. For example, you can create a program that scans the logs for the
IP address of an intruder and then creates a protocol filter that blocks
connections from the intruder’s IP address. You can then run the program
whenever ISA Server generates an alert that is based on an intrusion attempt.
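The port-scan thresholds from step 4 of the intrusion detection procedure and the log-scanning alert script described above, as an added example that is not course or ISA Server code: it parses constructed log lines in an assumed W3C-style layout (date, time, source IP, destination IP, protocol, destination port, action), flags sources whose distinct probed ports reach the well-known-port or total-port threshold, and renders the deny rules such a script would hand to the packet filter.

```python
# Added example (not course or ISA Server code). Detect port scans with the
# module's thresholds (10 well-known ports, 20 ports in total) from packet
# filter log lines, then render the block rules an alert script would create.
# The log layout below is a constructed W3C-style format, an assumption:
#   date time source-ip destination-ip protocol destination-port action
from collections import defaultdict

WELL_KNOWN_MAX = 2048  # the module defines well-known ports as 0-2048

# Constructed sample log: one source probes 10 well-known ports (445 twice,
# which must count once), one probes 20 high ports, one is allowed traffic.
SAMPLE_LOG = "\n".join(
    [f"2001-03-12 10:00:{i:02d} 10.0.0.9 192.168.1.1 TCP {p} BLOCKED"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 445])]
    + [f"2001-03-12 10:01:{i:02d} 10.0.0.31 192.168.1.1 TCP {40000 + i} BLOCKED"
       for i in range(20)]
    + ["2001-03-12 10:02:00 10.0.0.20 192.168.1.1 TCP 80 ALLOWED"]
)

def parse_log(text):
    """Yield (source_ip, protocol, destination_port) for each blocked packet."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[6] != "BLOCKED":
            continue  # malformed line or allowed traffic: not a probe
        yield fields[2], fields[4], int(fields[5])

def detect_port_scans(records, well_known_threshold=10, total_threshold=20):
    """Return {source_ip: reason} for every source whose distinct probed
    ports reach either threshold, mirroring the two 'Detect after attacks
    on ...' boxes in the Intrusion Detection settings."""
    probed = defaultdict(set)
    for src, proto, port in records:
        probed[src].add((proto, port))  # a repeated probe of one port counts once
    flagged = {}
    for src, ports in probed.items():
        well_known = sum(1 for _, p in ports if p <= WELL_KNOWN_MAX)
        if well_known >= well_known_threshold:
            flagged[src] = f"{well_known} well-known ports"
        elif len(ports) >= total_threshold:
            flagged[src] = f"{len(ports)} ports"
    return flagged

def block_rules(flagged):
    """Render the deny rules an alert-triggered script would hand to the
    packet filter (plain text here; the course only describes the idea)."""
    return [f"DENY any from {ip}  # {why}" for ip, why in sorted(flagged.items())]

if __name__ == "__main__":
    for rule in block_rules(detect_port_scans(parse_log(SAMPLE_LOG))):
        print(rule)
```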

Creating Alerts
To create an alert:
1. In ISA Management, in the console tree, expand your server or array,
expand Monitoring Configuration, right-click Alerts, point to New, and
then click Alert.
2. In the New Alert Wizard, type the name of the alert, and then click Next.
3. On the Events and Conditions page, select the event that will trigger the
alert. If the event allows you to specify additional conditions, select those
conditions, and then click Next.
Topic Objective: To describe the procedure that you use to configure alerts.
Lead-in: The alert service of ISA Server monitors events and then performs an action if a specific event occurs.
Note

4. On the Actions page, select from the following actions, click Next, and then
click Finish:
If you select Then

alert in the Event log. You can view all of the alerts that ISA Server issued and
the time that ISA Server issued the alert. After you view the alert, you can reset
it. Resetting an alert removes it from the list of recent events. If you configured
the alert to perform an action only after a manual reset of the alert, you must
reset the alert before ISA Server will issue the same alert again.
To view and reset an alert:
1. In ISA Management, in the console tree, under Monitoring, click Alerts.
2. In the details pane, view the alerts that have occurred.
3. To reset an alert, right-click the alert, and then click Reset.


Configuring Advanced Alert Properties
[Screenshot: Intrusion detected Properties dialog (General, Events, Actions tabs), Events tab. "Actions will be executed when the selected conditions occur": Event: Intrusion detected; Description: An intrusion was attempted by an external…; Additional condition: Any intrusion; Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than … minutes.]
Choose options to
customize alert

alert is issued check box, and then type the number of occurrences.
Specify the number of events per second to occur before an alert is issued: Select the Number of events per second before the alert is issued check box, and type the number of events per second.
Reissue an alert immediately if an event recurs: Click Immediately. Selecting this option can result in a large number of alert actions because ISA Server performs the alert action each time that it detects a specific event.
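The occurrence threshold, events-per-second threshold, and the three "Recurring actions are performed" options described above, as an added example that is not ISA Server's alert service: a small model with assumed semantics, where the rate test counts events in a one-second sliding window and "more than N minutes" is strict.

```python
# Added example (not ISA Server's alert service): a model of the advanced
# alert properties with assumed semantics. The events-per-second test uses a
# one-second sliding window, and "more than N minutes" is strict.
from collections import deque
from enum import Enum

class Recurrence(Enum):
    IMMEDIATELY = "Immediately"
    AFTER_MANUAL_RESET = "After manual reset of alert"
    AFTER_INTERVAL = "If time since last execution is more than N minutes"

class Alert:
    def __init__(self, occurrences=1, events_per_second=0,
                 recurrence=Recurrence.IMMEDIATELY, minutes=0):
        self.occurrences = occurrences              # events needed per issue
        self.events_per_second = events_per_second  # 0 disables the rate test
        self.recurrence = recurrence
        self.interval = minutes * 60                # seconds between executions
        self.pending = 0          # events counted toward the next issue
        self.recent = deque()     # timestamps within the last second
        self.last_action = None   # when the action last ran
        self.issued = False       # stays set until a manual reset

    def on_event(self, now):
        """Record one event at time `now` (seconds). Return True when the
        alert is issued and its action is actually performed."""
        self.pending += 1
        self.recent.append(now)
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()
        if self.pending < self.occurrences:
            return False
        if self.events_per_second and len(self.recent) < self.events_per_second:
            return False  # count reached, but not at the required rate yet
        self.pending = 0
        return self._perform(now)

    def _perform(self, now):
        """Apply the 'Recurring actions are performed' option."""
        if self.recurrence is Recurrence.AFTER_MANUAL_RESET and self.issued:
            return False
        if (self.recurrence is Recurrence.AFTER_INTERVAL
                and self.last_action is not None
                and now - self.last_action <= self.interval):
            return False
        self.issued = True
        self.last_action = now
        return True

    def reset(self):
        """Manual reset from the Alerts folder; allows the alert to be reissued."""
        self.issued = False
```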
Topic Objective: To describe the procedure that you use to configure advanced alert properties.
Lead-in: After you create an alert, you can configure the alert properties.
Important

