
MCSE ISA Server 2000 Document - P16 pptx


DOCUMENT INFORMATION

Basic information

Title: Monitoring Network Security and Usage with ISA Server
School: University of Information Technology (UIT)
Field of study: Network Security and Monitoring
Type: Lecture Notes
Year of publication: 2001
City: Hanoi
Format:
Pages: 30
Size: 1.12 MB


Contents


INTRODUCTION

All your efforts to configure ISA Server to provide manageable and efficient Web access while preventing external access to your private network are meaningless if you don’t understand how to monitor the security of your network and determine how it is really being used.

Are you really blocking access? What parts are open? What are the potential sources of attack? Is anyone attempting to breach your security? Have they? It’s necessary to understand logging, alerting, and the tools that are available to assist you in evaluating your security setup. There are two broad areas to cover:

• Monitoring Security and Network Usage with Logging and Alerting

• Troubleshooting Problems with Security and Network Usage

MONITORING SECURITY AND NETWORK USAGE WITH LOGGING AND ALERTING

Objective: Monitor security and network usage by using logging and alerting.

ISA logs and alerts can be used to monitor security and network usage. To do so, you need to understand the information in them.

Configuring intrusion detection is easy; being sure you understand what you have done and how to use it is not. In order to understand the logs and how to use the intrusion detection facilities, you need to learn about:

• Configuring logs

• Configuring intrusion detection

• Configuring alerts

• Automating alert configuration

• Monitoring alert status


Configuring Logs

By default, ISA Server logs information to three files in the ISALogs folder in the ISA Server installation folder. There are three logs:

• IPPEXTDyyyymmdd.log: Information on blocked (by default) and allowed (if configured) packets. To enable the logging of “allowed” packets, check the Log Packets from Allow Filters check box on the IP Packet Filters property page (see Figure 15.1).

• FWSEXTDyyyymmdd.log: Information on packets handled by the firewall service.

• WEBEXTDyyyymmdd.log: Information handled by the Web proxy service.

Each log is configured in a similar manner.

Understanding Log Choices

There are four configurable areas of the logs:

• Log storage format: Log information, by default, is placed in a W3C extended log format file but can be changed to ISA Server Format or logged to an ODBC database (SQL Server or Access). See the section “Logging to an ODBC Database” later in this chapter.

• Enabling or disabling the log: A check box on the Log tab of the log properties page controls whether data is logged (see Figure 15.2).

• Log options: You can decide to create a new log daily, weekly, monthly, or yearly. You decide how many log files to keep. Log files can be moved to the folder of your choice and can be compressed.

• Log fields: Each log allows selection of a variety of fields (see Figure 15.3).

FIGURE 15.1 Allowing allowed packets to be logged.

FIGURE 15.2 Log options.


TABLE 15.1 LOG FORMAT DIFFERENCES

|                        | W3C Extended                     | ISA Format                             |
| Contains               | Data and info about data         | Just data                              |
| Are all fields logged? | Unselected fields are not logged | Unselected fields are logged as dashes |
| Date and time format   | GMT                              | Local time                             |

Logging to an ODBC Database

Logging data to an ODBC database allows you to have more control over where data is logged. You also can record all data from various ISA Servers in one database, at one location. However, you will have to create your own database, including tables and other objects, and be prepared to create your own reports for interpreting the data. ISA Server provides support by making ODBC database logging a simple matter of a simple configuration change and by providing sample SQL scripts for creating the necessary tables. To complete the process, you must do the following:

• Create the database and tables to hold the data.

• Create the ODBC Data Source Name (DSN). This allows ISA Server to transfer data to the database.

• Configure the ISA Server logs to log to the ODBC database.

Instructions follow for logging the packet filter log to an Access database. Repeat these instructions to move logging of other data to tables in your Microsoft Access database. However, I recommend this in a test environment only. Using a Microsoft SQL Server database on a separate machine is a better enterprise solution. Security can be tighter and your options are more flexible. In either case, you will have to develop your own queries, reports, and so on.

FIGURE 15.3 Selecting log fields to record.

NOTE: W3C Versus ISA Format. There are a number of differences in these two formats that you should take note of in making your choice. Table 15.1 compares them. Take special note that W3C format date and time is GMT; otherwise you will be rather unclear as to what is happening in the log.
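To make the two points above concrete (the W3C conventions from Table 15.1 and the write-your-own-reports reality of database logging), here is an added Python example. It is not code from the book or from ISA Server: it parses W3C extended log lines, treating “-” as an unselected field and every timestamp as GMT, converts the times to the administrator’s local zone, and loads the records into a SQLite table standing in for the ODBC database. The sample log lines, the table layout, and the report query are constructed for this illustration and do not reproduce ISA Server’s own field list or the pf.sql/w3proxy.sql schemas.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed W3C extended log excerpt (not real ISA Server output). The field
# names follow W3C extended log conventions, not ISA's own field list.
SAMPLE_W3C_LOG = """\
#Software: constructed sample
#Version: 1.0
#Date: 2001-06-15 00:00:00
#Fields: date time c-ip s-ip cs-method cs-uri sc-status
2001-06-15 03:12:44 192.168.1.20 10.0.0.1 GET /index.html 200
2001-06-15 03:12:45 192.168.1.20 10.0.0.1 GET /secret/ 403
2001-06-15 03:13:01 203.0.113.9 10.0.0.1 - - 403
"""


def parse_w3c(text):
    """Yield one dict per record. Lines starting with '#' are directives;
    '#Fields:' names the columns; a lone '-' marks a field with no value."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield {name: (None if value == "-" else value) for name, value in zip(fields, values)}


def to_local(date_s, time_s, utc_offset_hours):
    """W3C log timestamps are GMT (Table 15.1); convert to the administrator's zone."""
    gmt = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return gmt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


# Table layout is this example's own, not the schema from the ISA Server CD scripts.
CREATE_TABLE = """CREATE TABLE weblog (
    logtime_gmt TEXT, logtime_local TEXT, c_ip TEXT, s_ip TEXT,
    cs_method TEXT, cs_uri TEXT, sc_status INTEGER)"""


def load_into_db(text, utc_offset_hours):
    """Create the table in an in-memory SQLite database (stand-in for the ODBC
    target) and insert every parsed record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_TABLE)
    rows = []
    for rec in parse_w3c(text):
        local = to_local(rec["date"], rec["time"], utc_offset_hours)
        status = int(rec["sc-status"]) if rec["sc-status"] is not None else None
        rows.append((f'{rec["date"]} {rec["time"]}', local.strftime("%Y-%m-%d %H:%M:%S"),
                     rec["c-ip"], rec["s-ip"], rec["cs-method"], rec["cs-uri"], status))
    conn.executemany("INSERT INTO weblog VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def denied_by_client(conn):
    """One of the reports you must write yourself once logs live in a database:
    how many requests each client had refused (HTTP 403)."""
    return conn.execute(
        "SELECT c_ip, COUNT(*) FROM weblog WHERE sc_status = 403 GROUP BY c_ip ORDER BY c_ip"
    ).fetchall()


if __name__ == "__main__":
    db = load_into_db(SAMPLE_W3C_LOG, utc_offset_hours=-5)
    for client, count in denied_by_client(db):
        print(f"{client}: {count} refused request(s)")
```

The strict field-count check is deliberate: a line with the wrong number of columns usually means the log was rotated mid-write or the #Fields selection changed, and silently shifting columns would corrupt every report run against the table.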

SMS 1.0 Based Questions: The location of the SMS.INI file was the root of the C:\ drive in SMS version 1.0, which has been changed in version 1.2.


Creating the Database and Tables

Files (fwsrv.sql, pf.sql, w3proxy.sql) with sample SQL code for creating the tables are located in the ISA Server CDROM\ISA folder. To create the tables, you can paste the statement text in the query window of Microsoft SQL Server or Microsoft Access and run the query. Instructions for creating a single table in Microsoft Access are listed in Step by Step 15.1.

4. In the Objects column, select Query.

5. On the toolbar, click New.

6. Select Design View and click OK.

7. In the Show Table dialog box, click Close.

8. Right-click the Query window and select SQL Specific, then Data Definition.

9. Paste (Ctrl + V) the Create Table statement.

10. From the menu bar, select Query\Run to run the query and create the table.

11. Close the Query window.

12. From the Object list, select Table, and open the table to see if it was created correctly.

13. Save the database and close Microsoft Access.


Creating the Data Source Name

Next you must create the Data Source Name to be used by ISA Server to access the database. This is done in the ODBC Data Source Administrator and listed in Step by Step 15.2.

STEP BY STEP 15.2 Using the Delegation of Control Wizard

1. Open the Start, Programs, Administrative Tools, ODBC Data Sources (ODBC) program.

2. Click the System DSN tab.

3. Click the Add button.

4. Select the Microsoft Access Driver (*.mdb) and click Finish.

5. On the ODBC Microsoft Access Setup page, enter the Data Source Name (see Figure 15.4).

Configuring ISA Server to Log to the Database

Finally, you must point ISA Server to the DSN by using the Properties page of the log file in the ISA Server Management Console. See Step by Step 15.3.

FIGURE 15.4 Completing the DSN.


STEP BY STEP 15.3 Configuring the ODBC Log Option

1. Click Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring Configuration\Logs.

2. Double-click the Packet Filters log icon in the details pane to expose its property pages.

3. Click the Database button under Log Storage Format.

4. Enter the name of the ODBC data source.

5. Enter the table name.

6. Click the Set Account button, select the account to be used, enter the password, and click OK.

7. Click OK.

To confirm a successful change to the logging status, open the database in Access and browse the table (see Figure 15.5). Check event logs for information to troubleshoot failed attempts.

FIGURE 15.5 Results in Access.


Configuring Intrusion Detection

Objective: Configure intrusion detection.

Intrusion detection capabilities are configured in two places:

• Intrusion Detection of common attacks is enabled at IP Packet Filters\Properties.

• Additional Intrusion Detection Filters for specific protocols are found in the Extensions\Application Filters folder.

Detection of Common Attacks

ISA Server comes with intrusion detection alerts for several common attacks. This functionality is based on technology licensed from Internet Security Systems, Inc. (http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/070300266.plt). To effectively utilize the intrusion detection capabilities of ISA Server, you must be able to configure it, as well as understand the meaning of the alerts it generates and what to do about them. This section gives you specifics about configuring intrusion detection (see Step by Step 15.4). You must use the following sections on alerts to understand the results generated.

Table 15.2 defines the alerts, and provides information on the alerts and events each attack may generate. Information on these alerts and the steps to creating new alerts can be found in later sections.

TABLE 15.2 INTRUSION DETECTION

| Attack | Description | Associated Built-In Alerts/Event Messages |
| WinNuke | Windows out-of-band attack: a denial-of-service attack attempt against an internal computer that includes unexpected information, or lacks expected information. | Intrusion detected alert; event message 15001; 15101 |
| Land | A TCP SYN packet sent with a spoofed source IP address and port number matching the destination IP address and port. | Intrusion detected; IP spoofing; event message 15003; 15103 |
| Ping of death | A large amount of information is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet. | Intrusion detected; event message 15007; 151007 |
| IP half scan | Many attempts at connection to a computer made, but no corresponding ACK packets communicated. | Intrusion detected alert; event message 15002; 15102 |
| UDP bomb | UDP packets constructed with illegal values in some fields are being sent. | Intrusion detected; event message 15006; 15106 |
| Port scan | An attempt to access more than the configured number of ports (settable threshold: detect after attacks on x well-known ports; detect after attacks on x ports). | Intrusion detected alert; event message 15004 and 15104 (enumerated); event message 15005 and 15105 (generic) |

STEP BY STEP 15.4 Configuring Intrusion Detection

1. Right-click the Internet Security and Acceleration Server\Servers and Arrays\name\Access Policy\IP Packet Filters folder, and select Properties.

2. Check the Enable packet filtering and Enable Intrusion Detection check boxes (see Figure 15.6).

3. Change to the Intrusion Detection tab and select the check boxes for the attacks that you want to generate events. Table 15.2 lists and describes the attacks (see Figure 15.7).

4. If you select the Port Scan check box, you must also decide and fill in your choices for the number of attacks that will generate an event. (Two choices exist: one for “well-known ports” and one for “ports.”)

5. Click OK.

6. Visit the Monitoring Configuration\Alerts folder to create new alerts and assure alerts for these attacks are configured and enabled.
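The Land, IP half scan and port scan rows of Table 15.2, together with the two port-scan thresholds chosen in step 4, describe conditions that can be matched against packet-filter records. The following Python monitor is an added example written for this page, not ISA Server’s detection engine or code from the book: the Packet record layout, the threshold defaults, the separate half-scan threshold, and the replayed sample packets are all this example’s own constructions.

```python
from collections import defaultdict, namedtuple

# One constructed packet-filter record per packet. The field names are this
# example's own and do not reproduce ISA Server's packet filter log fields.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")
SYN, ACK = "S", "A"


def is_land(pkt):
    """Land row of Table 15.2: a SYN whose source address and port match
    the destination address and port."""
    return SYN in pkt.flags and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


class IntrusionMonitor:
    """Stateful matcher for the Land, IP half scan and port scan rows of Table 15.2.
    The two port-scan thresholds mirror the 'well-known ports' and 'ports' settings
    from Step by Step 15.4; the half-scan threshold is this example's own parameter."""

    def __init__(self, well_known_ports=10, all_ports=20, half_scan=5, well_known_max=1024):
        self.well_known_ports = well_known_ports
        self.all_ports = all_ports
        self.half_scan = half_scan
        self.well_known_max = well_known_max        # upper bound of the privileged range
        self.ports_seen = defaultdict(set)          # src_ip -> distinct destination ports
        self.pending_syn = defaultdict(set)         # src_ip -> (dst_ip, dst_port) SYN'd, not ACK'd
        self.fired = set()                          # (src_ip, event) already raised

    def _raise(self, src, event, alerts):
        """Raise each (source, event) pair once so a flood does not repeat the alert."""
        if (src, event) not in self.fired:
            self.fired.add((src, event))
            alerts.append((src, event))

    def observe(self, pkt):
        """Feed one packet; return the list of (src_ip, event) alerts it triggered."""
        alerts = []
        if is_land(pkt):
            self._raise(pkt.src_ip, "Land", alerts)
        key = (pkt.dst_ip, pkt.dst_port)
        if SYN in pkt.flags and ACK not in pkt.flags:
            self.pending_syn[pkt.src_ip].add(key)
            self.ports_seen[pkt.src_ip].add(pkt.dst_port)
        elif ACK in pkt.flags:
            self.pending_syn[pkt.src_ip].discard(key)   # handshake completed
        if len(self.pending_syn[pkt.src_ip]) > self.half_scan:
            self._raise(pkt.src_ip, "IP half scan", alerts)
        seen = self.ports_seen[pkt.src_ip]
        if len({p for p in seen if p <= self.well_known_max}) > self.well_known_ports:
            self._raise(pkt.src_ip, "Port scan (well-known ports)", alerts)
        if len(seen) > self.all_ports:
            self._raise(pkt.src_ip, "Port scan (all ports)", alerts)
        return alerts


def run_constructed_scenario():
    """Replay constructed records: one Land packet, one normal client that completes
    its handshake, and one source probing eight ports without ever completing one."""
    monitor = IntrusionMonitor(well_known_ports=3, all_ports=6, half_scan=4)
    packets = [Packet("10.0.0.5", 40000, "10.0.0.5", 40000, "S")]
    packets += [Packet("192.168.1.20", 50000, "10.0.0.1", 80, "S"),
                Packet("192.168.1.20", 50000, "10.0.0.1", 80, "A")]
    for port in (21, 22, 23, 25, 110, 143, 8080, 8443):
        packets.append(Packet("203.0.113.9", 41000, "10.0.0.1", port, "S"))
    alerts = []
    for pkt in packets:
        alerts += monitor.observe(pkt)
    return alerts


if __name__ == "__main__":
    for src, event in run_constructed_scenario():
        print(f"{src}: {event}")
```

Two design points carry over to any real deployment: the well-known threshold is evaluated separately from the total-port threshold, exactly as the two settings in step 4 are, and each (source, event) pair is raised once, which is the behaviour you otherwise need the alert reissue settings described later to provide.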

Application Filters

In addition to these intrusion detection filters, which are triggered by an inspection of packets, two application filters perform intrusion detection chores for the DNS and POP protocols. These filters are enabled/disabled in the Extensions\Application Filters folder.

The DNS intrusion detection filter looks for common DNS-related attacks. Its configuration is detailed in Step by Step 15.5. When this filter is enabled, the “DNS intrusion alert” is triggered in response to activity that meets your configuration choices.

STEP BY STEP 15.5 Configuring the DNS Intrusion Detection Application Filter

1. Click Internet Security and Acceleration Server\Servers and Arrays\name\Extensions\Application Filters.

2. Double-click the DNS intrusion detection filter to display the properties page.

3. On the General page, click the Enable box to enable the filter.

FIGURE 15.6 Enabling intrusion detection.

FIGURE 15.7 Selecting attack signatures.

4. Select the Attacks page and select the check boxes for the attacks you need to filter for. Table 15.3 lists and describes the attacks (see Figure 15.8).

TABLE 15.3

| Attack | Description |
| DNS hostname overflow | A DNS hostname in a response is too large and might overflow internal buffers, thus potentially allowing an attacker to execute arbitrary code on the target computer. |
| DNS length overflow | The length of a DNS response for IP addresses is set for a length of four bytes. If an application doing the lookup returns a DNS response with a larger value, internal buffers may overflow. |
| DNS zone transfer from privileged ports (1–1024) | DNS zone transfers from unauthorized sources can provide an attacker with information about your internal network. The DNS server should be configured to only allow transfer requests from approved servers. This filter can detect attempts to obtain zone transfers from internal systems. The ports 1–1024, the privileged or well-known ports, are used by services, and the request, therefore, is more likely to be coming from another server (and possibly be valid). |
| DNS zone transfer from privileged ports (above 1024) | See the previous entry. Requests from ports above 1024 are likely to be coming from client systems. You may want to be able to tell if the transfer was attempted from a client or server, thus the separation of the two. There is no need to allow zone transfers to a client system. You may need to permit zone transfers through the firewall and yet want to prevent unauthorized attempts. In either case, you need to secure DNS and not allow zone transfers except to authorized systems. |
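The two overflow rows in Table 15.3 translate into concrete checks on a DNS response: a name longer than the 255 octets RFC 1035 allows, and an A record whose RDLENGTH is not four bytes. The following Python checker is an added example, not the ISA Server DNS filter or code from the book; it walks the wire format with compression-pointer handling, and the message builder and sample responses are constructed for this illustration only.

```python
import struct

TYPE_A = 1
MAX_NAME_OCTETS = 255   # RFC 1035 limit on a domain name in wire form


def encode_name(name):
    """Wire-encode a dotted name (used only to construct sample messages)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def read_name(msg, offset):
    """Return (name, offset_after_name, expanded_wire_length) for the name at offset,
    following RFC 1035 compression pointers and refusing pointer loops."""
    labels, wire_len, after, seen, pos = [], 0, None, set(), offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target in seen:
                raise ValueError("compression pointer loop")
            seen.add(target)
            if after is None:
                after = pos + 2                          # stream resumes after the pointer
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:                                  # root label ends the name
            wire_len += 1
            if after is None:
                after = pos + 1
            break
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        wire_len += length + 1
        pos += 1 + length
    return ".".join(labels), after, wire_len


def inspect_response(msg):
    """Walk a DNS response and report the two overflow conditions from Table 15.3:
    a hostname longer than the protocol allows, and an A record whose RDLENGTH is not 4."""
    findings = []
    if len(msg) < 12:
        return ["truncated header"]
    _ident, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        _name, pos, _ = read_name(msg, pos)
        pos += 4                                         # QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        name, pos, wire_len = read_name(msg, pos)
        if wire_len > MAX_NAME_OCTETS:
            findings.append(f"hostname overflow: name is {wire_len} octets")
        if len(msg) < pos + 10:
            findings.append("truncated resource record")
            break
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_A and rdlength != 4:
            findings.append(f"length overflow: A record for {name} carries RDLENGTH {rdlength}")
        pos += rdlength
    return findings


def build_a_response(name, rdata):
    """Construct a one-answer response (constructed test data, not captured traffic);
    the answer name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(inspect_response(build_a_response("www.example.com", b"\x0a\x00\x00\x01")))
    print(inspect_response(build_a_response("www.example.com", b"\x0a" * 8)))
    print(inspect_response(build_a_response(".".join(["x" * 63] * 5), b"\x0a\x00\x00\x01")))
```

The name length is measured after expanding compression pointers, because a short pointer in the answer can refer to a very long name elsewhere in the message; the loop guard matters for the same reason, since a pointer cycle would otherwise hang the checker on a single packet.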

NOTE: Well-Known Ports. Because ports name the ends of logical connections, it makes sense to control the numbers assigned to many well-known computer services. The Internet Assigned Numbers Authority (www.iana.org) assigns these ports. The latest RFC that references the assignments is RFC 1700 (rfc1700.txt), which also describes the list of ports used by the server process as known ports. The term has come to mean the ports commonly restricted to assignment by IANA: ports 0–1023. Some also include port

The POP intrusion filter looks for common POP buffer overflow attacks. It requires no configuration but can be enabled or disabled. The “POP Intrusion Alert” is triggered in response to activity that meets its definition.

Configuring Alerts

Objective: Configure an alert to send an email message to an administrator.

Alerts are simply ISA Server’s way of notifying you that some event has occurred. Although there are many default alerts, you can also create alerts to respond to specific events and conditions. Default and custom alerts can be configured to respond only to a defined threshold, such as:

• Event frequency threshold: How many times per second an event occurs before an alert is issued.

• Total number of events: How many events occur before an alert is issued.

• Reissue: How long to wait before reissuing an alert.

Alerts can also be configured to respond with a specific alert action:

• Send email

• Take action

• Log event in Windows 2000 event log (default)

• Start or stop ISA Server service
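The three thresholds (event frequency, total number of events, reissue) and the action list above are the core of an alert engine. The following Python class is an added example, not ISA Server’s implementation or code from the book. It models the thresholds as this example’s own rules: every configured threshold must be met before the alert issues, events arriving inside the reissue wait are dropped, and a reissue wait of zero resets the alert immediately, matching the recurring-action choices described later in this chapter. The alert names and action labels are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertDefinition:
    """Threshold and action settings for one alert (field names are this example's own)."""
    name: str
    events_per_second: int = 0     # event frequency threshold; 0 means not used
    total_events: int = 1          # total number of events before the alert is issued
    reissue_after: float = 0.0     # seconds to wait before reissuing; 0 resets immediately
    actions: tuple = ("log",)      # "email", "log", "run", "stop_service", "start_service"


class AlertEngine:
    """Counts events per alert definition and issues the alert when the thresholds are met."""

    def __init__(self, definitions):
        self.defs = {d.name: d for d in definitions}
        self.pending = defaultdict(list)   # alert name -> timestamps counted since last issue
        self.last_issued = {}              # alert name -> time the alert last fired
        self.issued = []                   # every alert issued, kept for auditing

    def handle_event(self, name, ts):
        """Feed one event at time ts (seconds); return the issued alert record, or None."""
        d = self.defs[name]
        last = self.last_issued.get(name)
        if last is not None and d.reissue_after and ts - last < d.reissue_after:
            return None                    # still inside the reissue wait; event is swallowed
        counted = self.pending[name]
        counted.append(ts)
        in_last_second = sum(1 for t in counted if ts - t < 1.0)
        rate_met = d.events_per_second == 0 or in_last_second >= d.events_per_second
        count_met = len(counted) >= d.total_events
        if not (rate_met and count_met):
            return None
        record = {"alert": name, "time": ts, "actions": list(d.actions)}
        self.issued.append(record)
        self.last_issued[name] = ts
        counted.clear()                    # the alert resets and can respond to the next event
        return record


def run_constructed_scenario():
    """Replay a constructed event stream against two definitions and return what issued."""
    engine = AlertEngine([
        AlertDefinition("Intrusion detected", total_events=3, reissue_after=60,
                        actions=("email", "log")),
        AlertDefinition("DNS intrusion", events_per_second=3),
    ])
    stream = [("Intrusion detected", t) for t in (0, 1, 2, 3, 4, 5, 70, 71, 72)]
    stream += [("DNS intrusion", t) for t in (10.0, 10.2, 10.4, 10.6)]
    for name, ts in stream:
        engine.handle_event(name, ts)
    return engine.issued


if __name__ == "__main__":
    for rec in run_constructed_scenario():
        print(f"{rec['time']:>6}: {rec['alert']} -> {', '.join(rec['actions'])}")
```

Because events inside the reissue wait are discarded rather than queued, a sustained flood produces one notification per wait interval instead of a backlog of emails; if you would rather count them for the next issue, append to the pending list before the reissue check instead of returning early.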

If an application is executed and a user account is required, you should specify the name of a user account to be used. Be sure this user account has the Log on as a Batch Account privilege. This is configured in Security policies.

To modify alerts, double-click the alert and change the Property pages. To configure a new alert, follow Step by Step 15.6.

NOTE: Array Caveat. If your alert specifies the running of a program, you must locate the program at the same absolute path or logical path on each server. For logical paths, use environment variables (such as %SystemDrive%) in the path.


STEP BY STEP 15.6 Creating a New Alert

1. Right-click Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring Configuration\Alerts and select New Alert.

2. Enter the name for the alert, and click Next.

3. If in an ISA Server array, select either Any Server to configure for all servers in the array, or This Server to specify which server will trigger the alert. Click Next.

4. Select an event from the Event drop-down box. If the event has additional conditions, the Additional Condition drop-down box will be active and you can select an additional condition (see Figure 15.9). Click Next.

5. Choose an action that will be performed when the alert is triggered. This step-by-step details the Send an E-mail Message action. Other actions are displayed in Figure 15.10 and offer areas to enter the path and user credentials (for running a program), or check boxes for services to stop or start. The Report the Event to a Windows 2000 Event Log action supplies no additional configuration pages. Click Next.

6. On the Sending E-Mail Messages page, browse to or enter the FQDN name of the SMTP server and enter From, To, and Cc addresses (see Figure 15.11). Click Next.

FIGURE 15.10 Selecting an action.

FIGURE 15.11 Configuring email.


Automating Alert Configuration

Objective: Automate alert configuration.

Alert configuration can be automated in three ways:

• Setting alert recurring actions

• Writing scripts

• Using arrays

Setting alert recurring actions avoids having to manually reset an alert. You can either have alerts reset immediately (once an alert is issued, the alert can immediately respond to another event) or set them to wait some amount of time before being reset.

The management functions of ISA Server are COM functions documented in the ISA Server SDK. The potential for selecting and setting multiple alerts to email an administrator, and other scenarios for configuring multiple alerts to use the same actions, is a good use of this functionality.

In an enterprise, group ISA Servers into arrays and set the alerts one time for the entire array. This is the default action. However, alerts can be directed to respond only to events at a single server.

Monitoring Alert Status

Objective: Monitor alert status.

Alert status can be monitored by visiting the Internet Security and Acceleration Server\Servers and Arrays\name\Monitoring\Alerts folder. Those alerts that have occurred are listed here. If alerts have been configured to write events to the event log, you will also find useful information there.


TROUBLESHOOTING PROBLEMS WITH SECURITY AND NETWORK USAGE

Objective: Troubleshoot problems with security and network usage.

Monitoring alerts and the event viewer, and having alerts run programs or notify administrators with email, is a big plus for maintaining security, but are there proactive things that you can do? The ultimate, of course, is to be able to test that the security you have worked to put into place is there. With ISA Server, you can proactively monitor three areas:

• Confirming configuration with Security Configuration and Analysis

• Detecting connections with Netstat

• Testing external port status with telnet and Network Monitor

Confirming Configuration with Security Configuration and Analysis

One of the steps you should have taken in setting up ISA Server was configuring security, either by using the provided security templates and the security wizard in ISA Server, and/or by manually configuring security settings. This is not enough, however. You should periodically audit your settings to be sure that things have not been modified. One way to do this is to use the Security Configuration and Analysis console to analyze the current machine status against what it should be. For example, if you selected “Limited Services” as the security level for your ISA Server, this equates to the securews.inf template. By running an analysis, you can determine where security items are not in conformance, and therefore take steps to fix them. To run an analysis, follow Step by Step 15.7.


STEP BY STEP 15.7 Auditing Security Status

1. Open an MMC console (Start, Run, MMC).

2. On the Console menu, select Add/Remove Snap-in.

3. Click Add.

4. Select Security Configuration and Analysis and click Add. Click Close, and click OK.

5. Right-click the Security Configuration and Analysis node and select Open Database.

6. Enter the name of a new database.

7. On the Import Template window, select securews.inf.

11. Close all windows.

FIGURE 15.12

Posted: 22/01/2014, 00:20
