Module 8: Monitoring and Reporting

Page 1: Module 8: Monitoring and Reporting

Module 8: Monitoring and Reporting

Page 2

Overview

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity

Analyzing ISA Server Activity by Using Reports

Monitoring Real-Time Activity

Testing the ISA Server Configuration

Page 3

Planning a Monitoring and Reporting Strategy

Categorize the information that you need to collect

Determine what information is most critical

Document your strategy

Create a schedule for regular review of logs

Design a plan for archiving logs

Create a strategy for how to respond to critical events

Page 4

Monitoring Intrusion Detection

IP Packet–Level Attacks

Application–Level Attacks

Configuring Intrusion Detection

ISA Server Events

Configuring Alerts

Configuring Advanced Alert Properties


Page 5

IP Packet–Level Attacks

All Ports Scan Attack

IP Half Scan Attack

Land Attack

Ping of Death Attack

UDP Bomb Attack

Windows Out-of-Band Attack

Page 6

Application–Level Attacks

DNS Hostname Overflow

DNS Length Overflow

DNS Zone Transfer from Privileged Ports (1–1024)

DNS Zone Transfer from High Ports (Above 1024)

POP Buffer Overflow

Page 7

Configuring Intrusion Detection

[Screenshot: IP Packet Filters Properties dialog, Intrusion Detection tab. "Enable detection of the selected attacks": Windows out-of-band (WinNuke), Land, Ping of death, IP half scan, UDP bomb, Port scan. Port scan thresholds: "Detect after attacks on 10 well-known ports" and "Detect after attacks on 20 ports". Notes on the tab: "To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder." and "Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net". Other tabs: General, Packet Filters, PPTP.]

[Screenshot: DNS intrusion detection filter Properties dialog, Attacks tab. "Filter incoming traffic for the following": DNS host name overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024), DNS zone transfer from high ports (above 1024).]

Select Attacks

Select the options that are required to implement your monitoring strategy.

Page 8

ISA Server Alert Events

[Screenshot: ISA Management console, Internet Security and Acceleration Server > Servers and Arrays > LONDON > Monitoring Configuration > Alerts. The details pane (columns Name, Description, Server, Event) lists the predefined alert events for server PHOENIX: Alert action failure, Cache container initialization error, Cache container recovery complete, Cache file resize failure, Cache initialization failure, Cache restoration completed, Cache write error, Cached object discarded, Component load failure, Configuration error, Dial-on-demand failure, DNS intrusion (a host name overflow, length overflow, or zone transfer was detected), Event log failure, Firewall communication failure, Intrusion detected (an intrusion was attempted by an external user), Invalid dial-on-demand credentials, Invalid ODBC log credentials, IP packet dropped, IP Protocol violation, IP spoofing (the IP packet source address is not valid), Log failure, Missing installation component, Network configuration changed, No available ports, OS component conflict, Oversized UDP packet, POP intrusion (POP buffer overflow detected), Report Summary Generation Failure.]

[Screenshot: Intrusion detected Properties dialog, General tab. Name: Intrusion detected. Description (optional): "An external user attempted an intrusion atta" (truncated in the screenshot). "Enable" check box. Other tabs: Events, Actions.]

Page 9

Configuring Alerts

[Screenshot: Intrusion detected Properties dialog, Actions tab. Available actions: Send e-mail (SMTP server: europe.london.msft; To: [email protected]; Cc:; From: [email protected]; Test); Program (Run this program:; Use this account: ISA Administrator; Set Account…); Report to Windows 2000 event log; Stop selected services; Start selected services.]

[Screenshot: Intrusion detected Properties dialog, Events tab. "Actions will be executed when the selected conditions occur": Event: Intrusion detected; Description: An intrusion was attempted by an external…; Additional condition: Any intrusion; Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than [n] minutes.]

Page 10

Configuring Advanced Alert Properties

[Screenshot: Intrusion detected Properties dialog, Events tab. "Actions will be executed when the selected conditions occur": Event: Intrusion detected; Description: An intrusion was attempted by an external…; Additional condition: Any intrusion; Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than [n] minutes.]

Choose options to customize alert action for the event.

Page 11

Monitoring ISA Server Activity

Configuring Logging

Logging Packet Filter Activity

Page 12

Configuring Logging

[Screenshot: Firewall service Properties dialog, Log tab. "Enable logging for this service". Log storage format: File (Format: W3C extended log file format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; Options…) or Database (ODBC data source (DSN): db1; Table name: Table1; Use this account: Set Account…). Other tab: Fields.]

Click File to save logs to a file by using the W3C format or ISA format.

Click Database to save logs to an ODBC database.

Page 13

Logging Packet Filter Activity

[Screenshot: DNS Block Properties dialog (an IP packet filter), General tab. Name: DNS Block; Mode: Block packet transmission between specified IP addresses, ports, and protocols; Description (optional); "Log any packets matching this filter"; "Enable this filter". Other tabs: Filter Type, Local Computer, Remote Computer.]

Clear to prevent logging blocked packets.

[Screenshot: IP Packet Filters Properties dialog, General tab. "Use this page to configure packet filter properties": Enable filtering of IP fragments; Enable filtering IP options; Log packets from 'Allow' filters. Other tabs: Events, Intrusion Detection, PPTP.]

Select to log allowed packets.

Page 14

Analyzing ISA Server Activity by Using Reports

Configuring Log Summaries

Creating Report Jobs

Using Predefined Report Formats

Viewing and Saving Reports

Page 15

Creating Report Jobs

Start

Name the Report

Specify the Duration

Specify When to Generate

Specify the Rate of Recurrence

Specify User Credentials

Finish

Page 16

Configuring Log Summaries

[Screenshot: Report Jobs Properties dialog, Log Summaries tab. "Enable daily and monthly summaries". Location of saved summaries: ISASummaries folder (in the ISA Server installation folder) or Directory (Browse…). Number of summaries saved: Daily summaries: 35; Monthly summaries: 13.]

Choose the number of daily and monthly summaries.

Page 17

Viewing and Saving Reports

Viewing Reports

Saving Reports

Saving reports as Web pages

Saving reports as Excel workbooks

Page 18

Using Predefined Report Formats

Page 19

Monitoring Real-Time Activity

Viewing and Disconnecting ISA Server Sessions

Using Performance Objects

Monitoring H.323 Gatekeeper Sessions

Page 20

Viewing and Disconnecting ISA Server Sessions

Viewing Sessions

Disconnecting Sessions

Page 21

Using Performance Objects

ISA Server Bandwidth Control

ISA Server Cache

ISA Server Firewall Service

ISA Server Packet Filter

ISA Server Web Proxy Service

Page 22

Monitoring H.323 Gatekeeper Sessions

Viewing H.323 Gatekeeper Clients

Viewing Active H.323 Sessions

Page 23

Testing the ISA Server Configuration

Using Third-Party Tools

Using Telnet

Using Network Monitor

Page 24

Lab A: Monitoring and Reporting

Page 25

Review

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity

Analyzing ISA Server Activity by Using Reports

Monitoring Real-Time Activity

Testing the ISA Server Configuration