Module 8: Monitoring and Reporting
Overview
Planning a Monitoring and Reporting Strategy
Monitoring Intrusion Detection
Monitoring ISA Server Activity
Analyzing ISA Server Activity by Using Reports
Monitoring Real-Time Activity
Testing the ISA Server Configuration
Without a monitoring and reporting strategy in place for
a Microsoft® Internet Security and Acceleration (ISA)
Server 2000 computer, network administrators may be
unaware of important events or trends, be confronted
with a profusion of false alerts, or configure logs and
reports that do not monitor the appropriate activities. By
using alerts, logs, reports, and real-time monitoring
effectively, network administrators can better manage
the activities that can compromise the security or the
performance of an ISA Server computer. In addition,
network administrators can use specialized assessment
tools to monitor network security.
After completing this module, you will be able to:
Plan a strategy for monitoring and reporting ISA
Server activities.
Configure alerts to monitor intrusion detection.
Configure logging to monitor ISA Server activity.
Use reports to analyze ISA Server activity.
Monitor ISA Server computer activity.
Test the ISA Server configuration.
Planning a Monitoring and Reporting Strategy
Categorize the information that you need to collect
Determine what information is most critical
Document your strategy
Create a strategy for how to respond to critical events
Create a schedule for regular review of logs
Design a plan for archiving logs
Consider the following guidelines when you
plan a monitoring and reporting strategy:
Categorize the information that you
need to collect, including the following items:
• Real-time alerts
• Trends of performance
• Trends of security-related events
Determine the information that is the most
critical, and then:
• Configure real-time alerting for only the
most critical issues.
• Review the logs frequently for events that
may signal serious issues and that may
require prompt, but not immediate, attention.
• Review all of the logs for important trends.
Ensure that your summary reports capture the
information that is the most important to you.
Document your strategy.
Create a strategy for how to respond to
critical events, such as:
• Network security breaches.
• Denial-of-service attacks.
• Unusual usage patterns.
Create a schedule for regular review of the logs.
Design a plan for archiving the logs.
• You can use archived logs to discover trends,
to investigate the source of future alerts, or
for legal purposes.
Monitoring Intrusion Detection
IP Packet–Level Attacks
Application–Level Attacks
Configuring Intrusion Detection
ISA Server Events
Configuring Alerts
Configuring Advanced Alert Properties
ISA Server includes an integrated intrusion detection
system. You can set an alert to trigger when the
intrusion system detects an attack or a specific system
event. ISA Server can implement intrusion detection at
both the Internet Protocol (IP) packet level and the
application level.
You can also configure actions for the system to perform
when the intrusion system detects an attack on a
computer in your network. These actions can include
sending an e-mail message or a page to the administrator,
stopping the Microsoft Firewall service, writing to the
system event log, or running a program or script.
Important:
Although alerts are an important tool for monitoring
intrusion attempts, you can also use the alerting
capabilities of ISA Server as part of a more
comprehensive monitoring strategy. For example, you can
configure alerts so that ISA Server notifies you when an
ISA Server service shuts down unexpectedly.
IP Packet–Level Attacks
All Ports Scan Attack
IP Half Scan Attack
Land Attack
Ping of Death Attack
UDP Bomb Attack
Windows Out-of-Band Attack
At the IP packet level, ISA Server can detect the
following attacks:
All ports scan attack
IP half scan attack
Land attack
Ping of death attack
UDP bomb attack
Windows out-of-band attack
All ports scan attack.
Occurs when an intruder attempts to gain access to
more than the preconfigured number of ports. The
administrator specifies a threshold for ports, which then
determines the number of ports that are available for
access. Intruders use port scanning to find open ports
on a computer. Open ports represent entry points into a
computer, and an attacker may subsequently attempt
attacks through one or more of these ports.
IP half scan attack.
Occurs when an intruder makes repeated attempts to
connect to a destination computer and the TCP packets
contain certain flags. This action can indicate that an
attacker is probing for open ports, while evading
logging by the system.
Land attack.
Occurs when an intruder establishes a Transmission
Control Protocol (TCP) connection with a spoofed
source IP address and port number that matches a
destination IP address and port number. Spoofing refers
to tricking a computer to provide information to allow
unauthorized access by using a false IP address. A land
attack can cause computers that are running certain
TCP implementations to stop responding, which denies
service to legitimate users.
Ping of death attack.
Occurs when an intruder adds a large amount of data to
an Internet Control Message Protocol (ICMP) echo
request packet. This attack can cause computers that
are running certain TCP implementations to stop
responding, which denies service to legitimate users.
UDP bomb attack.
Occurs when an intruder attempts to send an illegal
User Datagram Protocol (UDP) packet. A UDP packet
that is constructed with illegal values in certain fields
will cause computers that are running some older
operating systems to crash when the packet is received.
Windows out-of-band attack.
Occurs when an intruder attempts an out-of-band,
denial-of-service attack against a computer that is
protected by ISA Server. A denial-of-service attack is an
attempt to disable a computer or network. This attack
can cause the computer to stop responding or to lose
network connectivity.
Application–Level Attacks
DNS Hostname Overflow
DNS Length Overflow
DNS Zone Transfer from Privileged Ports (1–1024)
DNS Zone Transfer from High Ports (Above 1024)
POP Buffer Overflow
At the application level, ISA Server can detect the
following attacks:
DNS hostname overflow
DNS length overflow
DNS zone transfer from privileged ports (1-1024)
DNS zone transfer from high ports (above 1024)
POP buffer overflow
DNS hostname overflow.
Occurs when a Domain Name System (DNS) response
for a host name exceeds a certain fixed length. This
attack can cause improperly written applications that do
not check the length of the host names to overflow the
internal buffers when copying the host name. This
attack can allow a remote attacker to execute arbitrary
commands on a targeted computer.
DNS length overflow.
Occurs when an IP address contains a length field with
a value larger than 4 bytes. This attack can cause
improperly written applications that perform DNS
lookups to overflow the internal buffers. This attack can
allow a remote attacker to execute arbitrary commands
on a targeted computer.
DNS zone transfer from privileged ports (1-1024).
Occurs when a computer uses a DNS client application
to transfer zones from an internal DNS server. DNS zone
information should not usually be transferred to
external computers, because it may contain sensitive
information about your network. The ports between 1
and 1024 are privileged ports, which are reserved for
server applications. Typically, a zone transfer request
from a port number between 1 and 1024 indicates that
the request originates from a server application,
although there is no guarantee that it originates from a
server application.
DNS zone transfer from high ports (above 1024).
Is similar to a DNS zone transfer from a privileged port.
Typically, a zone transfer request from a port number
over 1024 indicates that the request originates from a
client application, although there is no guarantee that it
originates from a client application.
POP buffer overflow.
Occurs when an intruder attempts to gain privileged
access to computers that are running certain versions
of a Post Office Protocol (POP) server by overflowing an
internal buffer on the server.
Configuring Intrusion Detection
[Slide: IP Packet Filters Properties dialog (tabs: General, Packet Filters, Intrusion Detection, PPTP), Intrusion Detection tab, "Enable detection of the selected attacks": Windows out-of-band (WinNuke), Land, Ping of death, IP half scan, UDP bomb, Port scan (Detect after attacks on 10 well-known ports; Detect after attacks on 20 ports). DNS intrusion detection filter Properties dialog (tabs: General, Attacks), "Filter incoming traffic for the following": DNS host name overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024), DNS zone transfer from high ports (above 1024). Callout: Select the options that are required to implement your monitoring strategy. Dialog notes: To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder. Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net]
When you configure intrusion detection, ISA Server
identifies when an attack is attempted against your
network and then performs a set of preconfigured
actions. To detect unwanted intruders, ISA Server
compares network traffic and log entries to well-known
attack methods. Possible actions that you can configure
include connection termination, service termination,
e-mail alerts, and logging.
Important:
Although ISA Server generates events whenever a
selected intrusion attack occurs, ISA Server generates
alerts only if you specifically configure ISA Server to do
so.
Configuring IP Intrusion Detection
To configure IP intrusion detection:
1. In ISA Management, in the console tree, expand your
server or array, expand Access Policy, right-click IP
Packet Filters, and then click Properties.
2. In the IP Packet Filters Properties dialog box, on the
General tab, select the Enable packet filtering and the
Enable Intrusion detection check boxes.
3. On the Intrusion Detection tab, select the IP packet-level
intrusion options that are required to implement
your monitoring strategy, and then click OK.
Configuring IP Intrusion Detection (continued)
4. If you select the Port scan check box, perform the
following actions, and then click OK:
• In the Detect after attacks on ... well-known ports
box, type the maximum number of well-known
ports that can be scanned before generating an
event. Well-known ports are UDP and TCP ports in
the range 0-2048. Intruders frequently scan well-known
ports because most services listen for
connections on these ports. An intruder is most
likely to find vulnerable ports by scanning well-known
ports.
• In the Detect after attacks on ... ports box, type the
total number of ports that can be scanned before
generating an alert.
Configuring the DNS Intrusion Detection Filter
The DNS intrusion detection filter intercepts and
analyzes DNS traffic destined for the internal network.
To configure the DNS intrusion detection filter:
1. In ISA Management, in the console tree, expand your
server or array, expand Extensions, and then click
Application Filters.
2. In the details pane, right-click DNS intrusion detection
filter, and then click Properties.
3. On the Attacks tab, select the options that are required
to implement your monitoring strategy, and then click
OK.
Configuring the POP Intrusion Detection Filter
The POP intrusion detection filter detects attempts to
perform POP buffer overflow attacks.
To configure the POP intrusion detection filter:
1. In ISA Management, in the console tree, expand your
server or array, expand Extensions, and then click
Application Filters.
2. In the details pane, right-click POP intrusion detection
filter, and then click Properties.
3. On the General tab, select the Enable this filter check
box, and then click OK.
ISA Server Alert Events
[Slide: ISA Management console with the Monitoring Configuration > Alerts node selected under the LONDON server. The details pane (Server column: PHOENIX) lists the predefined alerts with their descriptions: Alert action failure, Cache container initialization error, Cache container recovery complete, Cache file resize failure, Cache initialization failure, Cache restoration completed, Cache write error, Cached object discarded, Component load failure, Configuration error, Dial-on-demand failure, DNS intrusion, Event log failure, Firewall communication failure, Intrusion detected, Invalid dial-on-demand credentials, Invalid ODBC log credentials, IP packet dropped, IP Protocol violation, IP spoofing, Log failure, Missing installation component, Network configuration changed, No available ports, OS component conflict, Oversized UDP packet, POP intrusion, Report Summary Generation Failure. The Intrusion detected Properties dialog (tabs: General, Events, Actions) is open on the General tab, showing Name, Description (optional), and Enable.]
Events are conditions that ISA Server can detect during
its operation, such as an intrusion attempt, a problem
with a service running on an ISA Server computer, or a
communication failure. You use events when you
configure an alert. An alert defines the actions that ISA
Server performs when it detects an event. When you
create an alert, you must specify an event that triggers
the alert.
The following table lists some of the events that ISA
Server can detect.
Event                          Description
DNS intrusion                  Indicates that a host name overflow, length overflow,
                               zone high port, or zone transfer attack has occurred.
Intrusion detected             Indicates that an external user attempted an intrusion
                               attack.
IP packet dropped              Indicates that an IP packet that is not allowed by an
                               access policy was dropped.
IP protocol violation          Indicates that ISA Server detected and dropped a
                               packet with invalid IP options.
IP spoofing                    Indicates an IP packet source address is not valid.
POP intrusion                  Detects a POP buffer overflow attack.
SOCKS request was refused      Indicates that ISA Server refused a SOCKS request
                               due to a policy violation.
Windows Media Technology       Indicates that the streaming application filter
(WMT) live stream splitting    encountered an error during the WMT live stream
failure                        splitting.
Note:
For a full list of the events that are recognized by ISA
Server, see "ISA Server events" in ISA Server Help.
Configuring Alerts
[Slide: Intrusion detected Properties dialog. Events tab: Event: Intrusion detected; Description: An intrusion was attempted by an external user; Additional condition: Any intrusion; Actions will be executed when the selected conditions occur: Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than ... minutes. Actions tab: Send e-mail (SMTP server: europe.london.msft; To; Cc; From; Test); Program (Run this program; Use this account: ISA Administrator; Set Account...); Report to Windows 2000 event log; Stop selected services; Start selected services.]
The alert service of ISA Server monitors events and then
performs an action if a specific event occurs. You can
configure an alert to send an e-mail notification, run a
program, or start and stop a service. For example, you
can configure ISA Server to send you an e-mail
message when a specified number of intrusion attempts
have occurred.
Note:
In addition, you can use scripts to configure advanced
actions for ISA Server. For example, you can create a
program that scans the logs for the IP address of an
intruder and then creates a protocol filter that blocks
connections from the intruder's IP address. You can
then run the program whenever ISA Server generates an
alert that is based on an intrusion attempt.
Creating Alerts
To create an alert:
1. In ISA Management, in the console tree, expand your
server or array, expand Monitoring Configuration,
right-click Alerts, point to New, and then click Alert.
2. In the New Alert Wizard, type the name of the alert, and
then click Next.
3. On the Events and Conditions page, select the event
that will trigger the alert. If the event allows you to
specify additional conditions, select those conditions,
and then click Next.
4. On the Actions page, select from the following actions,
click Next, and then click Finish:
If you select                                   Then
Send an e-mail message                          Provide the name or the IP address of the Simple Mail
                                                Transfer Protocol (SMTP) server, a recipient, a return
                                                address, and any recipients to include on the Cc: list.
                                                Ensure that no packet filters prevent the ISA Server
                                                computer from communicating with the SMTP server by
                                                using TCP port 25.
Run a program                                   Provide the full path of the program that ISA Server will
                                                run. If you run the program in the security context of a
                                                user account other than the local system account,
                                                provide the user name and password for that account.
Report the event to a Microsoft Windows® 2000   No further action is required.
event log
Stop selected ISA Server services               Select the service or services to stop. Valid choices are
                                                the Firewall service, the Microsoft Web Proxy service,
                                                and the Microsoft Scheduled Cache Content Download
                                                service.
Start selected ISA Server services              Select the service or services to start.
Viewing and Resetting Alerts
When an alert occurs, ISA Server performs the alert
action and then records the alert in the Event log. You
can view all of the alerts that ISA Server issued and the
time that ISA Server issued the alert. After you view the
alert, you can reset it. Resetting an alert removes it from
the list of recent events. If you configured the alert to
perform an action only after a manual reset of the alert,
you must reset the alert before ISA Server will issue the
same alert again.
Viewing and Resetting Alerts (continued)
To view and reset an alert:
1. In ISA Management, in the console tree, under
Monitoring, click Alerts.
2. In the details pane, view the alerts that have occurred.
3. To reset an alert, right-click the alert, and then click
Reset.
Configuring Advanced Alert Properties
[Slide: Intrusion detected Properties dialog, Events tab. Event: Intrusion detected; Description: An intrusion was attempted by an external user; Additional condition: Any intrusion. Actions will be executed when the selected conditions occur: Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than ... minutes. Callout: Choose options to customize alert action for the event.]
After you create an alert, you can configure the alert
properties. For example, you can configure ISA Server
to alert you by using e-mail messages only when there
are a specified number of intrusion attempts.
Important:
A large number of alert actions may cause you to
overlook important events, such as an important event
log entry that appears among many duplicate entries
that are less important.
To configure advanced alert properties:
1. In ISA Management, in the console tree, expand
Monitoring Configuration, and then click Alerts.
2. In the details pane, right-click the alert, and then click
Properties.
3. On the Events tab, choose one or more of the
following options to customize the alert action for an
event, and then click OK:
To                                          Do this
Specify the number of occurrences before    Select the Number of occurrences before the alert
an alert is issued                          is issued check box, and then type the number of
                                            occurrences.
Specify the number of events per second     Select the Number of events per second before the
to occur before an alert is issued          alert is issued check box, and type the number of
                                            events per second.
Reissue an alert immediately if an event    Click Immediately. Selecting this option can result
recurs                                      in a large number of alert actions because ISA
                                            Server performs the alert action each time that it
                                            detects a specific event.
Reissue an alert only after the alert is    Click After manual reset of alert. Selecting this
reset                                       option results in a single alert action even when
                                            there are multiple events.
Reissue an alert after a specified amount   Click If time since last execution is more than
of time                                     number minutes, and then type the number of
                                            minutes. Selecting this option results in multiple
                                            event actions only when the events occur a
                                            specified number of minutes apart.
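As an added example (not ISA Server code), the following Python model applies the three Events-tab settings just described (occurrences, events per second, and the recurrence option) to one constructed stream of intrusion events, so the number of alert actions each choice produces can be compared. How the alert service combines these settings internally is not stated in this module, so the ordering used here (thresholds first, then the recurrence rule) is an assumption.

```python
"""Model of ISA Server alert thresholds and recurrence options.

Added example, not ISA Server code.  Thresholds are evaluated first; the
recurrence rule then decides whether the alert action actually runs.
That ordering is a modelling assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AlertPolicy:
    occurrences: int = 1              # "Number of occurrences before the alert is issued"
    events_per_second: int = 0        # "Number of events per second before the alert is issued" (0 = not used)
    recurrence: str = "immediately"   # "immediately" | "manual_reset" | "interval"
    interval_minutes: int = 0         # "If time since last execution is more than N minutes"


class AlertState:
    """Counters for one alert; observe() returns True when the alert action runs."""

    def __init__(self, policy: AlertPolicy) -> None:
        self.policy = policy
        self.count = 0                          # occurrences since the action last ran
        self.history: List[datetime] = []       # events within the last second, for the rate test
        self.last_issued: Optional[datetime] = None
        self.awaiting_reset = False
        self.suppressed = 0                     # condition met, action withheld by the recurrence rule

    def reset(self) -> None:
        """The administrator resets the alert in ISA Management (Monitoring > Alerts)."""
        self.awaiting_reset = False

    def observe(self, when: datetime) -> bool:
        p = self.policy
        self.count += 1
        one_second = timedelta(seconds=1)
        self.history = [t for t in self.history if timedelta(0) <= when - t <= one_second]
        self.history.append(when)
        if self.count < p.occurrences:
            return False
        if p.events_per_second and len(self.history) < p.events_per_second:
            return False
        self.count = 0  # thresholds met: the alert condition has been reached
        if p.recurrence == "manual_reset" and self.awaiting_reset:
            self.suppressed += 1
            return False
        if (p.recurrence == "interval" and self.last_issued is not None
                and when - self.last_issued <= timedelta(minutes=p.interval_minutes)):
            self.suppressed += 1
            return False
        self.last_issued = when
        self.awaiting_reset = p.recurrence == "manual_reset"
        return True


def simulate(policy: AlertPolicy, events: List[datetime]) -> List[datetime]:
    """Return the event times at which the alert action would run."""
    state = AlertState(policy)
    return [t for t in events if state.observe(t)]


if __name__ == "__main__":
    start = datetime(2001, 5, 14, 2, 0, 0)
    burst = [start + timedelta(seconds=i) for i in range(10)]  # constructed: 10 intrusions, 1 s apart
    for label, policy in [
        ("Immediately", AlertPolicy()),
        ("Immediately, 3 occurrences", AlertPolicy(occurrences=3)),
        ("After manual reset of alert", AlertPolicy(recurrence="manual_reset")),
        ("Not more than once per 5 minutes", AlertPolicy(recurrence="interval", interval_minutes=5)),
    ]:
        print(f"{label}: {len(simulate(policy, burst))} alert action(s) for {len(burst)} events")
```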
Monitoring ISA Server Activity
Configuring Logging
Logging Packet Filter Activity
You can monitor ISA Server activity by configuring
logging. ISA Server logs incoming and outgoing
requests and how ISA Server responded to these
requests. When you configure logging, ISA Server
generates logs for each server in the array. ISA Server
includes logs for access and for security activity. You
can configure ISA Server to generate logs in several
data formats and then analyze the logs for usage,
performance, and security monitoring.
Configuring Logging
[Slide: Firewall service Properties dialog, Log tab (tabs: Log, Fields). Log storage format: File (Format: W3C extended log file format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; Options...) or Database (ODBC data source (DSN): db1; Table name: Table1; Use this account: Set Account...); Enable logging for this service. Callouts: Click File to save logs to a file by using the W3C format or ISA format. Click Database to save logs to an ODBC database.]
When you configure logging, ISA Server creates log
files on every ISA Server computer in the array. ISA
Server can produce the following log files:
Packet filter logs. Record attempts to pass packets
through the ISA Server computer.
Firewall service logs. Record attempts to communicate
by using the Firewall service.
Web Proxy service logs. Record attempts to
communicate by using the Web Proxy service.
Log Formats
By default, ISA Server saves all of the log files to the
ISALogs folder under the ISA Server installation folder.
You can save log files in the following formats:
W3C format
ISA format
ODBC database
W3C format.
Use this format for compatibility with the reporting
applications that recognize the World Wide Web
Consortium (W3C) format. The W3C format contains
data and information that describes the version, date,
and logged fields. ISA Server does not log the
unselected fields. This format uses the tab character as
a delimiter, and the date and time fields are in
Greenwich Mean Time.
ISA format.
Use this format when you use a reporting application
that can interpret ISA Server logs. The ISA format
contains only data with no information about the data
format. ISA Server always logs all of the fields. ISA
Server logs the unselected fields as dashes to indicate
that they are empty. This format uses the comma
character as a delimiter, and the date and time fields are
in local time.
ODBC database.
Use this format to save the logs to an Open Database
Connectivity (ODBC) database.
Note:
The ISA Server compact disc includes sample scripts
that you can use to create your own log database.
These scripts are located in the MSA folder. For more
information about logging to a database, see "Logging
to a database" in ISA Server Help.
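As an added example (not ISA Server code or a script from this module), the following Python parser reads a Firewall service log in the W3C format described above: it takes the column order from the #Fields directive, treats a dash as an empty field, and converts the Greenwich Mean Time stamps to local time so entries can be correlated with ISA-format logs. It then counts denied connections per client IP, which is the log-scanning step of the alert script suggested in the note under Configuring Alerts. The field names, status values and log lines are constructed for illustration.

```python
"""Parse an ISA Server 2000 W3C extended log and summarize denied connections.

Added example, not ISA Server code.  The W3C format is tab-delimited, carries
'#Fields:' and other '#' directive lines, writes '-' for an empty field, and
records date and time in Greenwich Mean Time.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample Firewall service log.  Field names and status values are
# illustrative; the parser takes the column order from '#Fields:' rather than
# hard-coding it.  sc-status is assumed to be a Win32 error code, 0 = allowed.
SAMPLE_W3C_LOG = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2000\n"
    "#Version: 1.0\n"
    "#Date: 2001-05-14 00:00:00\n"
    "#Fields: date\ttime\tc-ip\tr-ip\tr-port\tcs-protocol\tsc-status\trule#1\n"
    "2001-05-14\t00:00:01\t10.0.0.5\t192.0.2.10\t80\thttp\t0\tAllow Web\n"
    "2001-05-14\t00:00:02\t198.51.100.7\t10.0.0.1\t23\ttelnet\t10061\t-\n"
    "2001-05-14\t00:00:02\t198.51.100.7\t10.0.0.1\t21\tftp\t10061\t-\n"
    "2001-05-14\t00:00:03\t198.51.100.7\t10.0.0.1\t25\tsmtp\t10061\t-\n"
    "2001-05-14\t00:00:05\t10.0.0.6\t192.0.2.20\t443\thttps\t0\tAllow Web\n"
    "2001-05-14\t00:00:07\t198.51.100.7\t10.0.0.1\t110\tpop3\t10061\t-\n"
    "2001-05-14\t00:00:09\t203.0.113.4\t10.0.0.1\t23\ttelnet\t10061\t-\n"
)

Record = Dict[str, Optional[str]]


def parse_w3c(text: str) -> List[Record]:
    """Return one dict per data line, keyed by the names in the '#Fields:' directive.

    '-' becomes None (the W3C convention for an empty field).  Lines whose column
    count does not match the header are skipped rather than silently misaligned.
    """
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date are metadata only
        if fields is None:
            raise ValueError("data line before #Fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, cols)})
    return records


def to_local(rec: Record, utc_offset_hours: int) -> datetime:
    """Combine the GMT date/time fields into a timezone-aware local timestamp.

    ISA-format logs are written in local time, so converting W3C entries this way
    puts both on the same clock when correlating them.
    """
    stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc).astimezone(
        timezone(timedelta(hours=utc_offset_hours)))


def denied_by_client(records: List[Record], status_field: str = "sc-status") -> Counter:
    """Count denied entries per client IP (any non-zero status, by the assumption above)."""
    counts: Counter = Counter()
    for rec in records:
        status = rec.get(status_field)
        if status is not None and status != "0" and rec.get("c-ip"):
            counts[rec["c-ip"]] += 1
    return counts


def flag_clients(counts: Counter, threshold: int) -> List[Tuple[str, int]]:
    """Clients with at least `threshold` denials, busiest first, for administrator review."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_W3C_LOG)
    print(f"{len(recs)} entries; first at {to_local(recs[0], -7).isoformat()} local time")
    for ip, n in flag_clients(denied_by_client(recs), threshold=3):
        print(f"{ip}: {n} denied connections")
```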
Configuring Logs
To configure log settings:
1. In ISA Management, in the console tree, click Logs.
2. In the details pane, right-click Packet filters, Firewall
service, or Web Proxy Service, and then click
Properties.
3. On the Log tab, specify how to save the logs, and then
ensure that the Enable logging for this service check
box is selected:
To                    Do this
Save to a file        Click File, and then select a log format. In the Create new
                      file list, select a time period that specifies how often to
                      create a new log file, and then click Options to specify
                      where to store the logs and to limit the number of log files
                      that you save.
Save to a database    Click Database, and then confirm or modify the following
                      parameters:
                      • ODBC data source (DSN)
                      • Table name
                      • Use this account
Configuring Logs (continued)
4. On the Fields tab, select the fields that you want ISA
Server to include in the logs, and then click OK.
Note:
For more information about the fields, see "Firewall
and Web Proxy log fields" and "Packet Filter log
fields" in ISA Server Help.
Logging Packet Filter Activity
[Slide: DNS Block Properties dialog (tabs: General, Filter Type, Local Computer, Remote Computer), General tab: Name: DNS Block; Mode: Block packet transmission between specified IP addresses, ports, and protocols; Description (optional); Log any packets matching this filter (callout: Clear to prevent logging blocked packets); Enable this filter. IP Packet Filters Properties dialog (tabs: General, Packet Filters, Intrusion Detection, PPTP), Packet Filters tab: Enable filtering of IP fragments; Enable filtering IP options; Log packets from 'Allow' filters (callout: Select to log allowed packets).]
You can log all of the packets that pass through ISA
Server to the packet filter log. By default, ISA Server
logs only dropped packets. To reduce server load, you
can configure ISA Server to disable logging for packets
that are dropped because they are blocked by an IP
packet filter. Disable logging for dropped packets only if
your security policy does not require this information.
You can also configure ISA Server to log the allowed
packets. ISA Server can only log the blocked or allowed
packets if packet filtering is enabled.
Important:
Logging both allowed packets and blocked packets can
cause a considerable load on the server. Enable logging
for allowed packets for diagnostic purposes only.
Preventing Logging of Blocked Packets
To prevent logging of packets that are blocked by a
specific filter:
1. In ISA Management, in the console tree, expand
Access Policy, and then click IP Packet Filters.
2. In the details pane, click a packet filter that blocks
access, and then click Configure a Packet Filter.
3. On the General tab, click to clear the Log any packets
matching this filter check box, and then click OK.
Logging Allowed Packets
To log allowed packets for all packet filters:
1. In ISA Management, in the console tree, right-click IP
Packet Filters.
2. In the details pane, click Configure Packet Filtering
and Intrusion Detection, and then click Properties.
3. On the Packet Filters tab, select the Log packets from
'Allow' filters check box, and then click OK.
Analyzing ISA Server Activity by Using Reports
Configuring Log Summaries
Creating Report Jobs
Using Predefined Report Formats
Viewing and Saving Reports
You can use ISA Server or a third-party reporting
application to analyze ISA Server activity. ISA Server
generates reports from a database that includes the
data collated from the ISA Server log files. ISA Server
saves this data in daily or monthly summaries, as
specified. For example, you can save summary data
every day for 20 days and then generate reports based
on those daily summaries. ISA Server also includes a
set of predefined report formats to assist administrators
in analyzing their security and Internet usage patterns.
Configuring Log Summaries
[Slide: Report Jobs Properties dialog (tabs: General, Log Summaries), Log Summaries tab: Enable daily and monthly summaries; Location of saved summaries: ISASummaries folder (in the ISA Server installation folder) or Directory (Browse...); Number of summaries saved: Daily summaries: 35; Monthly summaries: 13. Callout: Choose the number of daily and monthly summaries.]
Because ISA Server creates reports from log
summaries, the first step in creating a report is
configuring log summaries. You can schedule log
summaries to be generated on a recurring, periodic
basis: daily, weekly, monthly, or yearly. Log summaries
can include daily, weekly, monthly, or yearly data.
Important:
ISA Server reports require summaries of saved logs. ISA
Server creates these summaries each day at 12:30 A.M.
You can create an ISA Server report only after ISA
Server has created at least one daily summary.
To configure log summaries:
1. In ISA Management, in the console tree, expand
Monitoring Configuration, right-click Report Jobs, and
then click Properties.
2. In the Report Jobs Properties dialog box, on the Log
Summaries tab, select the Enable daily and monthly
summaries check box.
3. Select the ISASummaries folder or another folder as
the location of the logs.
4. Choose the number of daily and monthly summaries
that ISA Server saves, and then click OK.
Creating Report Jobs
Start
Name the Report
Specify the Duration
Specify When to Generate
Specify the Rate of Recurrence
Specify User Credentials
Finish
Before you can view a report, you must create a report
job. After ISA Server has run the report job, you can
view the report. You can configure ISA Server to run a
report job at a specific time or at regular intervals. When
you create a scheduled report job, ISA Server generates
the reports on the server from which you configure the
job. If the server belongs to a multi-server array, the
user generating the reports must have appropriate
permissions to gain access to and use the reporting
mechanism on each ISA Server computer in the array.
You must also specify user credentials that meet the
following criteria:
Must be a local administrator on every ISA Server
computer in the array.
Must be able to gain access to and launch Distributed
Component Object Model (DCOM) objects on every ISA
Server computer in the array.
To create a report job:
1. In ISA Management, in the console tree, expand
Monitoring Configuration, right-click Report Jobs,
point to New, and then click Report Job.
2. On the General tab, type a name for the report, and
then ensure that the Enable check box is selected.
3. On the Period tab, select the duration of the report
job.
4. On the Schedule tab, select when to generate the
report job.
Important:
Because the database generation process can be
resource intensive, reports may not appear
instantly in the Report subfolders. You may want
to schedule reports to run once a day in the early
morning or during off-peak hours.
5. Under Recurrence pattern, select the rate of
recurrence for the report job.
6. On the Credentials tab, in the Username box, type
the name of a user with permissions to generate
the report; in the Domain box, type the user's
domain; in the Password box, type the user's
password, and then click OK.
Using Predefined Report Formats
You can generate several types of ISA Server reports.
Reports that are generated by ISA Server are displayed
as Web pages so that you can view them in any Web
browser. You can also save reports as Web pages and
then perform further formatting. ISA Server can generate
the following types of reports:
Summary Reports
Summary reports include a set of statistics about ISA
Server usage. Summary reports combine data from the
Web Proxy service logs and Firewall service logs.
Web Usage Reports
Web usage reports include a set of reports that display
top Web users, common responses, and Web browsers.
These reports show how an organization uses the Web
and are based on the Web Proxy service logs.
Application Usage Reports
Application usage reports display Internet application
usage, including incoming and outgoing traffic, top
users, client applications, and destinations. Application
usage reports can help you to plan network capacity
and determine bandwidth policies. Application usage
reports are based on the Firewall service logs.
Traffic and Utilization Reports
Traffic and utilization reports display total Internet
usage by application, protocol, and direction; average
traffic and peak simultaneous connections; cache hit
ratios; errors; and other statistics. Traffic and utilization
reports can help you plan and monitor network capacity
and determine bandwidth policies. Traffic and utilization
reports combine data from the Web Proxy service logs
and the Firewall service logs.
Security Reports
Security reports list attempts to breach network
security. Security reports can help identify attacks or
security violations after they have occurred. Security
reports are based on the Web Proxy service logs, the
Firewall service logs, and the Packet filter logs.
Viewing and Saving Reports
Viewing Reports
Saving Reports
Saving reports as Web pages
Saving reports as Excel workbooks
Reports enable administrators to better understand their
security settings and network usage. By analyzing log
data, administrators can create access rules to better
meet their organizations' needs. You can also save the
reports that you create.
Viewing Reports
To view reports:
1. In ISA Management, in the console tree, expand
Monitoring, expand Reports, and then click the report
type that you want to view.
2. In the details pane, double-click the report job that you
want to view in Microsoft Internet Explorer.
Saving Reports
You can save the reports as Hypertext Markup
Language (HTML) files or as a Microsoft Excel
workbook.
Saving Reports (continued)
Saving Reports as Web Pages
To save a report as a Web page:
1. In ISA Management, in the console tree, expand
Monitoring, expand Reports, and then click the report
type that you want to save.
2. In the details pane, right-click the applicable report
job, and then click Save As.
3. In the Save As dialog box, in the File Name box, type a
name for the report, and then in the Save as type list,
select Web Page (*.htm; *.html).
Saving Reports (continued)
Saving Reports as Excel Workbooks
After you save a report as an Excel workbook, you can
further analyze results by using Excel.
To save a report as an Excel workbook:
1. In ISA Management, in the console tree, expand
Monitoring, and then click Reports.
2. In the details pane, right-click the applicable report
job, and then click Save As.
3. In the Save As dialog box, in the File Name box, type a
name for the report, and then in the Save as type list,
select Microsoft Excel Workbook (*.xls).
Monitoring Real-Time Activity
Viewing and Disconnecting ISA Server Sessions
Using Performance Objects
Monitoring H.323 Gatekeeper Sessions
The ISA Server real-time monitoring feature enables you
to centrally monitor ISA Server computer activity,
including the current sessions. ISA Server also includes
a large number of performance counters that you can
use to monitor the details of how a variety of ISA Server
components operate. These performance counters help
you to monitor, troubleshoot, and analyze ISA Server
performance and activity. You can also view the active
client sessions to determine which clients are using the
ISA Server computer to communicate with the Internet.
Viewing and Disconnecting ISA Server Sessions
Viewing Sessions
Disconnecting Sessions
To view and disconnect sessions, you must have the
proper permissions for the session object.
Viewing Sessions
To view a client session:
In ISA Management, in the console tree, expand Servers
and Arrays, expand the applicable server or array,
expand Monitoring, and then click Sessions.
The sessions are listed in the details pane.
Disconnecting Sessions
To disconnect a client session:
1. In ISA Management, in the console tree, expand
Servers and Arrays, expand the applicable server or
array, expand Monitoring, and then click Sessions.
2. On the View menu, click Advanced.
3. In the details pane, right-click the applicable session,
and then click Stop.
Using Performance Objects
ISA Server Bandwidth Control
ISA Server Cache
ISA Server Firewall Service
ISA Server Packet Filter
ISA Server Web Proxy Service
Several performance objects that you can use to
monitor system performance are included with ISA
Server. Each of the performance objects contains a
number of counters. You view the performance objects
and their associated performance counters in real-time
in System Monitor. System Monitor is a monitoring tool
that is included with Windows 2000. You can also log
performance data and create alerts from the data by
using Performance Log and Alerts, which is the logging
tool included with Windows 2000. To view the most
critical ISA Server performance counters, open ISA
Server Performance Monitor from the Microsoft ISA
Server menu.
Note:
For more information about performance counters, see
Module 8, "Monitoring and Optimizing Performance in
Windows 2000," in Course 2152B, Implementing
Microsoft Windows 2000 Professional and Server.
The ISA Server performance objects are:
ISA Server Bandwidth Control
ISA Server Cache
ISA Server Firewall Service
ISA Server Packet Filter
ISA Server Web Proxy Service
ISA Server Bandwidth Control.
Includes performance counters to monitor actual
bandwidth and assigned bandwidth. Use these counters
to detect potential bandwidth and connection
bottlenecks. For example, you can use the Actual
outbound bandwidth performance counter to monitor
the currently assigned bandwidth priorities for outgoing
connections.
ISA Server Cache.
Includes performance counters to monitor the memory,
disk, and URL activity associated with the cache. Use
these performance counters to monitor the
effectiveness of the cache for clients. For example, you
can use the Disk URL Retrieve Rate performance
counter to determine the rate at which URLs are
retrieved from the disk cache.
ISA Server Firewall Service.
Includes performance counters to monitor Firewall
service connections and associated services such as
DNS. For example, you can use the Active Sessions
performance counter to monitor the number of Firewall
client sessions that are running simultaneously. By
comparing peak times and off-peak times, this
performance counter can help you to determine ISA
Server usage.
ISA Server Packet Filter.
Includes performance counters to monitor packet
filtering activity, including dropped packets and
incoming connections made through the packet filters.
For example, you can use the Total incoming
connections performance counter to monitor the total
number of connections that are established through an
external interface on an ISA Server computer.
ISA Server Web Proxy Service.
Includes counters to monitor the number of users and
the rate at which ISA Server transfers data to remote
and upstream servers. For example, you can use the
Total Users performance counter to monitor the total
number of users that are connected to the Web Proxy
service.
Monitoring H.323 Gatekeeper Sessions
Viewing H.323 Gatekeeper Clients
Viewing Active H.323 Sessions
You can use ISA Management to monitor H.323
Gatekeeper sessions.
Viewing H.323 Gatekeeper Clients
To view H.323 Gatekeeper client sessions:
1. In ISA Management, in the console tree, expand H.323
Gatekeepers, expand the applicable server or array,
and then click Active Terminals.
2. In the details pane, right-click the client, and then click
Properties to view the client's status.
Note:
To unregister a client, right-click the client, and then
click Unregister.
Viewing Active H.323 Sessions
To view active H.323 Gatekeeper sessions:
In ISA Management, in the console tree, expand H.323
Gatekeepers, expand the applicable server or array, and
then click Active Calls.
The active sessions are listed in the details pane.
Testing the ISA Server Configuration
Using Third-Party Tools
Using Telnet
Using Network Monitor
After configuring ISA Server, it is recommended that
you test your configuration to ensure that ISA Server
correctly enforces the security settings. To test the ISA
Server configuration, you can use a third-party intrusion
detection system. If you do not have access to such an
application, you can do some limited testing by using
the applications that are included with Windows 2000.
Using Third-Party Tools
One of the best ways to test your network security is to
use a third-party security assessment tool. These
specialized tools scan your network for vulnerabilities
and then present reports. For example, a security
assessment application might enumerate all open ports
on an ISA Server computer and then perform a large
number of network attacks in an automated manner. The
application will then present you with a report that
allows you to assess whether ISA Server is correctly
configured.
Using Telnet
You can use Telnet to establish connections to specific
TCP ports to test if the ISA Server computer responds to
the connection attempts. If the ISA Server computer
responds to a connection attempt for a port that you
configured not to respond, ISA Server is not configured
correctly.
To connect to a TCP port by using Telnet:
At a command prompt, type telnet ip_address port
(where ip_address is the external IP address of the
ISA Server computer and port is the port to which
you are connecting).
Using Telnet (continued)
If the Telnet application reports that it could not
establish a connection, ISA Server does not allow TCP
connections to the port. If the Telnet application opens a
session, even if it immediately closes that session, ISA
Server allows connections to that port.
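The Telnet check above, turned into a scripted comparison of what the external interface actually does against the port policy you intended to configure. This is an added example, not part of the course or of ISA Server; the address 198.51.100.1 and the expected-policy table are constructed placeholders, and the self-check uses a loopback listener so it runs without an ISA Server computer.

```python
import socket

# Constructed placeholder policy for the external interface (not from the course):
# port -> True if ISA Server is configured to accept TCP connections on that port.
EXPECTED_POLICY = {80: True, 443: True, 23: False, 135: False, 445: False}
EXTERNAL_ADDRESS = "198.51.100.1"  # documentation-range placeholder, not a real server


def tcp_port_responds(host, port, timeout=3.0):
    """Same test the course performs with `telnet ip_address port`:
    True if the TCP connection completes (ISA Server allows the port, even if it
    closes the session at once), False if it is refused or times out (blocked)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and socket.timeout are OSError subclasses
        return False


def check_policy(host, expected, probe=tcp_port_responds):
    """Probe every port in `expected` and return the mismatches as a list of
    (port, expected_allowed, observed_allowed). An empty list means the observed
    behaviour matches the intended configuration."""
    mismatches = []
    for port, should_allow in sorted(expected.items()):
        observed = probe(host, port)
        if observed != should_allow:
            mismatches.append((port, should_allow, observed))
    return mismatches


def self_check():
    """Offline sanity check of the probe: a loopback listener must be reported as
    responding while it is open and as not responding once it has been closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_port_responds("127.0.0.1", port, timeout=1.0)
    listener.close()
    while_closed = tcp_port_responds("127.0.0.1", port, timeout=1.0)
    return while_open, while_closed


if __name__ == "__main__":
    assert self_check() == (True, False)
    for port, expected_allowed, observed in check_policy(EXTERNAL_ADDRESS, EXPECTED_POLICY):
        state = "responds" if observed else "does not respond"
        print(f"port {port}: expected allowed={expected_allowed}, but it {state}")
```

Run it from a client on the external side of the ISA Server computer, since a probe from the internal network exercises the wrong interface.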
Using Network Monitor
Network Monitor is an optional tool that is included with
Microsoft Windows 2000 Server. The limited version of
Network Monitor that is included with Windows 2000
Server allows you to capture all unicast network
packets that a computer sends and receives.
Interpreting this information can help you to diagnose
network problems, and it can help you to view the
network packets that the ISA Server computer receives
and view the responses that it sends.
Microsoft Systems Management Server (SMS) includes
the full-featured version of Network Monitor. One of the
features of the full version is capturing all of the
network packets on a network segment, independent of
the sender or the recipient.
Lab A: Monitoring and Reporting
Review
Planning a Monitoring and Reporting Strategy
Monitoring Intrusion Detection
Monitoring ISA Server Activity
Analyzing ISA Server Activity by Using Reports
Monitoring Real-Time Activity
Testing the ISA Server Configuration