Module 8: Monitoring and Reporting


Transcript Module 8: Monitoring and Reporting

Overview

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity

Analyzing ISA Server Activity by Using Reports

Monitoring Real-Time Activity

Testing the ISA Server Configuration
Planning a Monitoring and Reporting Strategy
Categorize the information that you need to collect
Determine what information is most critical
Document your strategy
Create a strategy for how to respond to critical events
Create a schedule for regular review of logs
Design a plan for archiving logs
Monitoring Intrusion Detection

IP Packet–Level Attacks

Application–Level Attacks

Configuring Intrusion Detection

ISA Server Events

Configuring Alerts

Configuring Advanced Alert Properties
IP Packet–Level Attacks

All Ports Scan Attack

IP Half Scan Attack

Land Attack

Ping of Death Attack

UDP Bomb Attack

Windows Out-of-Band Attack
Application–Level Attacks

DNS Hostname Overflow

DNS Length Overflow

DNS Zone Transfer from Privileged Ports (1–1024)

DNS Zone Transfer from High Ports (Above 1024)

POP Buffer Overflow
Configuring Intrusion Detection
IP Packet Filters Properties dialog, Intrusion Detection tab (other tabs: General, Packet Filters, PPTP):
  Enable detection of the selected attacks:
    Windows out-of-band (WinNuke)
    Land
    Ping of death
    IP half scan
    UDP bomb
    Port scan: detect after attacks on 10 well-known ports; detect after attacks on 20 ports
  Dialog note: To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder.
  Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net
DNS intrusion detection filter Properties dialog, Attacks tab (other tab: General), Select Attacks group:
  Filter incoming traffic for the following:
    DNS host name overflow
    DNS length overflow
    DNS zone transfer from privileged ports (1-1024)
    DNS zone transfer from high ports (above 1024)
Callout: Select the options that are required to implement your monitoring strategy.
ISA Server Alert Events
ISA Management console tree: Internet Security and Acceleration Server > Servers and Arrays > LONDON, with the nodes Monitoring, Computer, Access Policy (Site and Content Rules, Protocol Rules, IP Packet Filters), Publishing, Bandwidth Rules, Policy Elements, Cache Configuration, Monitoring Configuration (Alerts, Logs, Report Jobs), Extensions (Application Filters, Web Filters), Network Configuration, Client Configuration, H.323 Gatekeepers. The Alerts node is selected.
Predefined alerts (Name | Description | Event | Server); descriptions and some event names are truncated in the original:
Alert action failure | The action associated with this alert fa… | Alert action failure | PHOENIX
Cache container initialization error | The cache container initialization faile… | Cache container initialization | PHOENIX
Cache container recovery complete | Recovery of a single cache container… | Cache container recovery… | PHOENIX
Cache file resize failure | The operation to reduce the size of the… | Cache file resize failure | PHOENIX
Cache initialization failure | The Web cache proxy was disabled to… | Cache initialization failure | PHOENIX
Cache restoration completed | The cache content restoration was co… | Cache restoration completed | PHOENIX
Cache write error | There was a failure in writing content… | Cache write error | PHOENIX
Cached object discarded | During cache recovery, an object with… | Cache object discarded | PHOENIX
Component load failure | Failed to load an extension component… | Component load failure | PHOENIX
Configuration error | An error occurred while reading config… | Configuration error | PHOENIX
Dial-on-demand failure | Failed to create a dial-on-demand con… | Dial-on-demand failure | PHOENIX
DNS intrusion | A host name overflow, length overflow… | DNS intrusion | PHOENIX
Event log failure | An attempt to log the event information… | Event log failure | PHOENIX
Firewall communication failure | There is a failure in communication bet… | Client/server communica… | PHOENIX
Intrusion detected | An intrusion was attempted by an exte… | Intrusion detected | PHOENIX
Invalid dial-on-demand credentials | Dial-on-demand credentials are invalid | Invalid dial-on-demand cr… | PHOENIX
Invalid ODBC log credentials | The specified user name or password… | Invalid ODBC log credent… | PHOENIX
IP packet dropped | IP packet was dropped according to s… | IP packet dropped | PHOENIX
IP Protocol violation | A packet with invalid IP options was d… | IP Protocol violation | PHOENIX
IP spoofing | The IP packet source address is not v… | IP spoofing | PHOENIX
Log failure | One of the service logs failed | Log failure | PHOENIX
Missing installation component | A component that was configured for t… | Missing installation comp… | PHOENIX
Network configuration changed | A network configuration change that a… | Network configuration ch… | PHOENIX
No available ports | Failed to create a network socket bec… | No available ports | PHOENIX
OS component conflict | There is a conflict with one of the oper… | Operating system comp… | PHOENIX
Oversized UDP packet | ISA Server dropped a UDP packet be… | Oversize UDP packet | PHOENIX
POP intrusion | POP buffer overflow detected | POP intrusion | PHOENIX
Report Summary Generation Failure | An error occurred while generating a r… | Report Summary Gener… | PHOENIX
Intrusion detected Properties dialog (tabs: General, Events, Actions), General tab:
  Name: Intrusion detected
  Description (optional): An external user attempted an intrusion
  Enable
Configuring Alerts
Intrusion detected Properties dialog (tabs: General, Events, Actions).
Events tab:
  Event: Intrusion detected
  Description: An intrusion was attempted by an external
  Additional condition: Any intrusion
  Actions will be executed when the selected conditions occur:
    Number of occurrences before the alert is issued: 1
    Number of events per second before the alert is issued: 0
    Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than [ ] minutes
Actions tab:
  Send e-mail: SMTP server: europe.london.msft (Browse…); To: [email protected]; Cc: ; From: [email protected]; Test
  Program: Run this program: (Browse…); Use this account: ISA Administrator (Set Account…)
  Report to Windows 2000 event log
  Stop selected services (Select…)
  Start selected services (Select…)
Configuring Advanced Alert Properties
Intrusion detected Properties dialog (tabs: General, Events, Actions), Events tab:
  Event: Intrusion detected
  Description: An intrusion was attempted by an external
  Additional condition: Any intrusion
  Actions will be executed when the selected conditions occur:
    Number of occurrences before the alert is issued: 1
    Number of events per second before the alert is issued: 0
    Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than [ ] minutes
Callout: Choose options to customize alert action for the event.
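The two thresholds and the three recurrence options on the Events tab (shown on this slide and on the Configuring Alerts slide before it) amount to a small alert-suppression algorithm, and their interaction is easiest to see by replaying an event stream through them. The Python model below is an added example, not ISA Server code; class and attribute names are this example's own, and it assumes, since the slide does not say, that an events-per-second value of 0 disables the rate condition and that a non-zero value must be met together with the occurrence count. The event stream is constructed.

```python
"""Alert throttling modelled on the ISA Server alert 'Events' tab.

Added example; not ISA Server code. The names below are this example's own.
ASSUMED (not stated on the slide): a rate threshold of 0 disables the rate
condition; a non-zero rate must be met together with the occurrence count.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AlertPolicy:
    """The fields of the Events tab."""
    occurrences_before_alert: int = 1  # "Number of occurrences before the alert is issued"
    events_per_second: int = 0         # "Number of events per second before the alert is issued"
    recurrence: str = "immediately"    # "immediately" | "manual_reset" | "interval"
    interval_minutes: int = 0          # "If time since last execution is more than N minutes"


class AlertThrottle:
    """Decides, for each matching event, whether the alert's actions run."""

    def __init__(self, policy: AlertPolicy) -> None:
        self.policy = policy
        self.occurrences = 0               # events counted since the alert last fired
        self.recent: List[float] = []      # timestamps inside the last one-second window
        self.last_fired: Optional[float] = None
        self.suppressed = False            # set after firing under "manual_reset"
        self.fired_at: List[float] = []    # audit trail of alert times

    def reset(self) -> None:
        """Operator resets the alert in the console, re-arming it."""
        self.suppressed = False
        self.occurrences = 0

    def _thresholds_met(self) -> bool:
        if self.occurrences < self.policy.occurrences_before_alert:
            return False
        if self.policy.events_per_second > 0 and len(self.recent) < self.policy.events_per_second:
            return False
        return True

    def _recurrence_allows(self, ts: float) -> bool:
        if self.last_fired is None:
            return True                    # the first alert is never throttled
        mode = self.policy.recurrence
        if mode == "immediately":
            return True
        if mode == "manual_reset":
            return not self.suppressed
        if mode == "interval":
            return ts - self.last_fired > self.policy.interval_minutes * 60
        raise ValueError(f"unknown recurrence mode {mode!r}")

    def record(self, ts: float) -> bool:
        """Feed one matching event (Unix time); True means run the actions now."""
        self.occurrences += 1
        self.recent = [t for t in self.recent if ts - t < 1.0] + [ts]
        if not self._thresholds_met() or not self._recurrence_allows(ts):
            return False
        self.last_fired = ts
        self.fired_at.append(ts)
        self.occurrences = 0               # start counting toward the next alert
        if self.policy.recurrence == "manual_reset":
            self.suppressed = True
        return True


def simulate(policy: AlertPolicy, timestamps: List[float],
             reset_at: Optional[float] = None) -> List[float]:
    """Replay an event stream; optionally perform one manual reset at reset_at."""
    throttle = AlertThrottle(policy)
    reset_done = False
    for ts in timestamps:
        if reset_at is not None and not reset_done and ts >= reset_at:
            throttle.reset()
            reset_done = True
        throttle.record(ts)
    return throttle.fired_at


# Constructed stream (seconds): a 12-event burst, one event every 100 ms,
# then three events ten minutes later.
STREAM = [i / 10 for i in range(12)] + [600.0, 600.1, 600.2]

if __name__ == "__main__":
    cases = {
        "defaults (1 occurrence, no rate, immediately)": (AlertPolicy(), None),
        "10 occurrences, immediately": (AlertPolicy(occurrences_before_alert=10), None),
        "5 events/second, immediately": (AlertPolicy(events_per_second=5), None),
        "3 occurrences, manual reset at t=600":
            (AlertPolicy(occurrences_before_alert=3, recurrence="manual_reset"), 600.0),
        "1 occurrence, at most every 5 minutes":
            (AlertPolicy(recurrence="interval", interval_minutes=5), None),
    }
    for label, (policy, reset_at) in cases.items():
        print(f"{label}: fired at {simulate(policy, STREAM, reset_at)}")
```

Running the cases side by side shows the trade-off the dialog leaves to the administrator: the defaults fire on every event, an occurrence threshold of 10 turns the burst into a single alert, a rate threshold lets a lone event through silently, and "After manual reset of alert" stays quiet after the first alert until an operator acts, which keeps mail volume down but also hides a second burst if nobody resets it; the interval mode is the usual compromise.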
Monitoring ISA Server Activity

Configuring Logging

Logging Packet Filter Activity
Configuring Logging
Firewall service Properties dialog, Log tab (other tab: Fields):
  Log storage format:
    File: Format: W3C extended log file format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; Options…
    Database: ODBC data source (DSN): db1; Table name: Table1; Use this account: (Set Account…)
  Enable logging for this service
Callouts: Click File to save logs to a file by using the W3C format or ISA format. Click Database to save logs to an ODBC database.
Logging Packet Filter Activity
DNS Block Properties dialog (tabs: General, Filter Type, Local Computer, Remote Computer), General tab:
  Name: DNS Block
  Mode: Block packet transmission between specified IP addresses, ports, and protocols
  Description (optional):
  Log any packets matching this filter (callout: Clear to prevent logging blocked packets.)
  Enable this filter
IP Packet Filters Properties dialog (tabs: General, Events, Intrusion Detection, PPTP), General tab:
  Use this page to configure packet filter properties.
  Enable filtering of IP fragments
  Enable filtering IP options
  Log packets from 'Allow' filters (callout: Select to log allowed packets.)
Analyzing ISA Server Activity by Using Reports

Configuring Log Summaries

Creating Report Jobs

Using Predefined Report Formats

Viewing and Saving Reports
Creating Report Jobs
Start
Name the Report
Specify the Duration
Specify When to Generate
Specify the Rate of Recurrence
Specify User Credentials
Finish
Configuring Log Summaries
Report Jobs Properties dialog, Log Summaries tab (other tab: General):
  Enable daily and monthly summaries
  Location of saved summaries: ISASummaries folder (in the ISA Server installation folder) / Directory (Browse…)
  Number of summaries saved: Daily summaries: 35; Monthly summaries: 13
Callout: Choose the number of daily and monthly summaries.
Viewing and Saving Reports

Viewing Reports

Saving Reports

Saving reports as Web pages

Saving reports as Excel workbooks
Using Predefined Report Formats
Monitoring Real-Time Activity

Viewing and Disconnecting ISA Server Sessions

Using Performance Objects

Monitoring H.323 Gatekeeper Sessions
Viewing and Disconnecting ISA Server Sessions

Viewing Sessions

Disconnecting Sessions
Using Performance Objects

ISA Server Bandwidth Control

ISA Server Cache

ISA Server Firewall Service

ISA Server Packet Filter

ISA Server Web Proxy Service
Monitoring H.323 Gatekeeper Sessions

Viewing H.323 Gatekeeper Clients

Viewing Active H.323 Sessions
Testing the ISA Server Configuration

Using Third-Party Tools

Using Telnet

Using Network Monitor
Lab A: Monitoring and Reporting
Review

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity

Analyzing ISA Server Activity by Using Reports

Monitoring Real-Time Activity

Testing the ISA Server Configuration