RE: ISA, VPNs and false positives
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Thu, 25 May 2006 06:36:16 GMT
Hi Tami,
Thank you for posting in SBS newsgroup.
To narrow down the problem, would you please describe your issue in more
detail?
Currently I will provide some information regarding the ISA 2004 log and
intrusion detection, as follows:
You can configure ISA 2004 log as follows:
1. Open ISA 2004 management console.
2. Expand the server node and highlight 'Monitoring'.
3. In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
4. In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
5. Switch to the 'Fields' tab, click 'Select All', and then click OK.
6. In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
7. Switch to the 'Fields' tab, click 'Select All', and then click OK.
8. Click 'Apply' to save changes and update the configuration.
9. You can find W3C logs under 'C:\Program Files\Microsoft ISA Server\ISALogs'.
You can also refer to the following KB article:
838241 How to configure logging in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;EN-US;838241
Regarding intrusion-detection, ISA Server features an intrusion-detection
mechanism that identifies when an attack is attempted against your network.
You can configure ISA Server to generate an "Intrusion detected" event,
which is defined in the stored ISA Server configuration, whenever specific
types of attacks are detected.
To detect unwanted intruders, ISA Server compares network traffic and log
entries to well-known attack methods. Suspicious activities trigger alerts.
Actions include connection termination, service termination, e-mail alerts,
logging, and others. If you have enabled the intrusion detection on ISA,
you will receive the warning when you are attacked.
You can check if you have enabled the intrusion detection as follows:
1. On ISA Management, expand Server name and Configuration.
2. Click General.
3. In the right pane, click Enable Intrusion Detection and DNS Attack Detection.
4. Then you can enable it or not.
If intrusion detection is enabled, you can configure which of the following
intrusions trigger alerts:
- All-port scan attack.
- Well-known port scan attack.
- IP half-scan attack.
- Land attack.
- Ping-of-death attack.
- UDP bomb attack.
- Windows out-of-band (WinNuke) attack.
For more information regarding ISA 2004, you may need to refer to the
following documents:
How to configure networks in ISA Server 2004
http://support.microsoft.com/?id=867483
What's New and Improved in ISA Server 2004
http://www.microsoft.com/isaserver/evaluation/whatsnew.asp
ISA Server 2004 Performance Best Practices
http://www.microsoft.com/technet/prodtechnol/isa/2004/performancebestpractices.mspx
ISA Server 2004 Quick Start Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc
ISA Server 2004 Configuration Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc
Please feel free to let me know if there is anything I can do for you.
I appreciate your time and look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
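Once the steps above have switched firewall logging to 'File' format, the W3C files under the ISALogs folder can be read directly, which also covers Tami's request to see which application made each outbound connection. The following is an added example, not code from the original thread or from Microsoft: it reads the column layout from the log's own '#Fields:' directive, and the column names and records in its constructed sample are illustrative rather than ISA 2004's exact field list.

```python
"""Read an ISA Server 2004 firewall log written in W3C 'File' format and count connections."""
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample log. W3C extended format names its columns in the '#Fields:'
# directive, so the parser reads whatever layout the server wrote. The column names
# and records below are illustrative, not ISA 2004's exact field list.
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Version: 1.0
#Date: 2006-05-24 20:43:01
#Fields: date time source-ip destination-ip destination-port protocol client-agent action rule
2006-05-24 20:43:01 10.0.0.15 192.0.2.10 80 TCP iexplore.exe Allowed Web-Access
2006-05-24 20:43:02 10.0.0.15 192.0.2.10 443 TCP iexplore.exe Allowed Web-Access
2006-05-24 20:43:05 10.0.0.22 198.51.100.7 6667 TCP unknown.exe Denied Default-Rule
2006-05-24 20:43:06 10.0.0.22 198.51.100.7 6668 TCP unknown.exe Denied Default-Rule
2006-05-24 20:43:09 10.0.0.15 192.0.2.53 53 UDP - Allowed DNS
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the most recent '#Fields:' directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):  # column layout; may repeat when the file rolls over
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        values = line.split(" ")  # W3C records are space-separated; '-' marks an empty field
        if len(values) != len(fields):
            continue  # skip truncated or torn lines rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def connections_by(log_text: str, field: str, action: Optional[str] = None) -> Dict[str, int]:
    """Count records per distinct value of `field`, optionally only those with a given action."""
    recs = parse_w3c(log_text.splitlines())
    return dict(Counter(r[field] for r in recs if action is None or r["action"] == action))


if __name__ == "__main__":
    # Which applications opened connections, and which of them were blocked
    for app, n in sorted(connections_by(SAMPLE_LOG, "client-agent").items()):
        print(f"{app:<14} {n} connection(s)")
    print("denied:", connections_by(SAMPLE_LOG, "client-agent", action="Denied"))
```

Point `parse_w3c` at an open file from the ISALogs folder instead of `SAMPLE_LOG.splitlines()` to run it over a real log; grouping by the destination-port column is a quick way to see what the 'all port scan' alerts were actually counting.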
--------------------
| From: "Tami Farrelly" <TamiFarrelly@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: ISA, VPNs and false positives
| Date: Wed, 24 May 2006 13:43:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Ok
|
| Have been running ISA 2004 for a few months now
| have the logging turned on...(what's the use of running a firewall if you
| don't have logs??)
|
| I have noticed the ISA will report IP spoofing when my remote users VPN in.
| Consistently........
|
| Also it reports Intrusion Detections from legit web sites and services we
| are running...all port scans.
|
| I have a router between the ISP's modem and the external NIC of the ISA....so
| I wonder why it is reporting an all port scan....when my router is actually
| taking care of most of the noise out there.
|
| Also....I would like to see the actual flat file where this new GUI
| dashboard is reporting from.
|
| I used to be able to view all connections out in a very flat text file which
| also reported the application which was making the connection.
|
| .....making it easy to detect spyware and other malicious activity....
|
| The new reporting doesn't allow this....from what I can see...I have to KNOW
| the application name ...to report on it.
|
| Any pointers to this over bloated app would be greatly appreciated.
|
| Tami
|
|