Module 8: Monitoring and Reporting

Upload: barrie-snow

Post on 18-Dec-2015


Page 1: Module 8: Monitoring and Reporting. Overview Planning a Monitoring and Reporting Strategy Monitoring Intrusion Detection Monitoring ISA Server Activity

Module 8: Monitoring and Reporting


Overview

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity

Analyzing ISA Server Activity by Using Reports

Monitoring Real-Time Activity

Testing the ISA Server Configuration


Without a monitoring and reporting strategy in place for a Microsoft® Internet Security and Acceleration (ISA) Server 2000 computer, network administrators may be unaware of important events or trends, be confronted with a profusion of false alerts, or configure logs and reports that do not monitor the appropriate activities. By using alerts, logs, reports, and real-time monitoring effectively, network administrators can better manage the activities that can compromise the security or the performance of an ISA Server computer. In addition, network administrators can use specialized assessment tools to monitor network security.


After completing this module, you will be able to:

Plan a strategy for monitoring and reporting ISA Server activities.

Configure alerts to monitor intrusion detection.

Configure logging to monitor ISA Server activity.

Use reports to analyze ISA Server activity.

Monitor ISA Server computer activity.

Test the ISA Server configuration.


Planning a Monitoring and Reporting Strategy

Categorize the information that you need to collect

Determine what information is most critical

Document your strategy

Create a schedule for regular review of logs

Design a plan for archiving logs

Create a strategy for how to respond to critical events


Consider the following guidelines when you plan a monitoring and reporting strategy:


Categorize the information that you need to collect, including the following items:

• Real-time alerts
• Trends of performance
• Trends of security-related events


Determine the information that is the most critical, and then:

• Configure real-time alerting for only the most critical issues.
• Review the logs frequently for events that may signal serious issues and that may require prompt, but not immediate, attention.
• Review all of the logs for important trends. Ensure that your summary reports capture the information that is the most important to you.


Document your strategy.


Create a strategy for how to respond to critical events, such as:

• Network security breaches.
• Denial-of-service attacks.
• Unusual usage patterns.


Create a schedule for regular review of the logs.


Design a plan for archiving the logs.

• You can use archived logs to discover trends, to investigate the source of future alerts, or for legal purposes. Store the archive on a separate system with its own access controls, so that an intruder who compromises the ISA Server computer cannot alter or delete the evidence.


Monitoring Intrusion Detection

IP Packet–Level Attacks

Application–Level Attacks

Configuring Intrusion Detection

ISA Server Events

Configuring Alerts

Configuring Advanced Alert Properties

ISA Server includes an integrated intrusion detection system. You can set an alert to trigger when the intrusion system detects an attack or a specific system event. ISA Server can implement intrusion detection at both the Internet Protocol (IP) packet level and the application level.


You can also configure actions for the system to perform when the intrusion system detects an attack on a computer in your network. These actions can include sending an e-mail message or a page to the administrator, stopping the Microsoft Firewall service, writing to the system event log, or running a program or script.

Important:

Although alerts are an important tool for monitoring intrusion attempts, you can also use the alerting capabilities of ISA Server as part of a more comprehensive monitoring strategy. For example, you can configure alerts so that ISA Server notifies you when an ISA Server service shuts down unexpectedly.


IP Packet–Level Attacks

At the IP packet level, ISA Server can detect the following attacks:

All ports scan attack

IP half scan attack

Land attack

Ping of death attack

UDP bomb attack

Windows out-of-band attack


All ports scan attack.

Occurs when an intruder probes more ports on a computer than the number the administrator has configured as the threshold. Intruders use port scanning to find open ports; each open port is a potential entry point, and an attacker will typically follow a scan with attacks against one or more of the services found listening.


IP half scan attack.

Occurs when an intruder makes repeated connection attempts to a destination computer without completing the TCP handshake: the attacker sends a SYN, receives the SYN/ACK, and then replies with RST instead of ACK (or never replies). Because no connection is fully established, the target application never sees it, so this technique lets an attacker probe for open ports while evading application-level logging.


Land attack.

Occurs when an intruder sends a TCP connection request (SYN) in which the spoofed source IP address and port number are identical to the destination IP address and port number. Spoofing means forging the source address of a packet so that it appears to come from a different computer. A land attack can cause computers that are running certain TCP implementations to stop responding, which denies service to legitimate users.


Ping of death attack.

Occurs when an intruder sends an Internet Control Message Protocol (ICMP) echo request that, after fragment reassembly, is larger than the maximum IP packet size of 65,535 bytes. Hosts whose IP stacks do not check for this overflow the reassembly buffer and can stop responding, which denies service to legitimate users.


UDP bomb attack.

Occurs when an intruder sends an illegal User Datagram Protocol (UDP) packet, for example one whose UDP length field does not match the actual datagram. Some older operating systems crash when they receive a UDP packet that is constructed with illegal values in certain header fields.


Windows out-of-band attack.

Occurs when an intruder attempts an out-of-band, denial-of-service attack (commonly called WinNuke) against a computer that is protected by ISA Server by sending TCP urgent data to the NetBIOS session port (TCP 139). A denial-of-service attack is an attempt to disable a computer or network. This attack can cause an unpatched computer to stop responding or to lose network connectivity.


Application–Level Attacks

At the application level, ISA Server can detect the following attacks:

DNS hostname overflow

DNS length overflow

DNS zone transfer from privileged ports (1-1024)

DNS zone transfer from high ports (above 1024)

POP buffer overflow


DNS hostname overflow.

Occurs when a Domain Name System (DNS) response contains a host name that exceeds a fixed length (DNS itself limits a complete name to 255 octets). Improperly written applications that do not check the length of a host name before copying it into a fixed-size buffer overflow that buffer, which can allow a remote attacker to execute arbitrary code on the targeted computer.


DNS length overflow.

Occurs when a DNS response that returns an IP address carries a resource-record length field larger than the 4 bytes an IPv4 address occupies. Improperly written applications that perform DNS lookups and trust that length overflow their internal buffers, which can allow a remote attacker to execute arbitrary code on the targeted computer.


DNS zone transfer from privileged ports (1-1024).

Occurs when a computer uses a DNS client application to request a zone transfer from an internal DNS server. Zone data should not normally be transferred to external computers, because it lists the names and addresses of hosts on your network. ISA Server treats ports 1 through 1024 as privileged ports reserved for server applications, so a zone transfer request whose source port is in that range typically (though not certainly) originates from another DNS server rather than from a client tool.


DNS zone transfer from high ports (above 1024).

Is similar to a DNS zone transfer from a privileged port, except that the request's source port is above 1024, which typically (though not certainly) indicates that it originates from a client application such as a command-line query tool rather than from a DNS server.
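The following Python script is an added example, not ISA Server code, of the checks a DNS intrusion detection filter has to perform on DNS wire-format messages to catch the four attacks described above: a host name longer than the 255-octet DNS limit (in the question or in CNAME/PTR data), an A record whose RDLENGTH is not 4, and an AXFR (zone transfer) request classified by the source port it came from. The message builders, the sample messages and the 255-byte hostname threshold are assumptions made for the example; the 1-1024 boundary follows the labels in the ISA Server dialog.

```python
import struct

TYPE_A, TYPE_CNAME, TYPE_PTR, TYPE_AXFR = 1, 5, 12, 252
MAX_NAME_LEN = 255          # RFC 1035 limit on a complete domain name (assumed as the filter's threshold)
PRIVILEGED_PORT_MAX = 1024  # boundary used by the ISA Server dialog (1-1024 versus above 1024)


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; returns (name, offset just after the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2                          # the field ends after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)


def inspect_dns(msg: bytes, src_port: int) -> list:
    """Return (attack, detail) pairs for one DNS message that arrived from source port `src_port`."""
    hits = []
    _ident, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if len(qname) > MAX_NAME_LEN:
            hits.append(("dns_hostname_overflow", f"qname is {len(qname)} bytes"))
        if qtype == TYPE_AXFR:
            kind = "privileged" if src_port <= PRIVILEGED_PORT_MAX else "high"
            hits.append((f"dns_zone_transfer_{kind}_port", f"AXFR for {qname} from port {src_port}"))
    for _ in range(an + ns + ar):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == TYPE_A and rdlen != 4:           # an IPv4 address is exactly 4 bytes
            hits.append(("dns_length_overflow", f"A record RDLENGTH is {rdlen}"))
        if rtype in (TYPE_CNAME, TYPE_PTR):          # RDATA is itself a host name
            target, _ = read_name(msg, rdata_off)
            if len(target) > MAX_NAME_LEN:
                hits.append(("dns_hostname_overflow", f"RDATA name is {len(target)} bytes"))
    return hits


def build_query(qname: str, qtype: int, ident: int = 0x1234) -> bytes:
    """Standard query with one question (constructed sample input)."""
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_a_response(qname: str, rdata: bytes, ident: int = 0x1234) -> bytes:
    """Answer with one A record whose name is a pointer (0xC00C) back to the question; rdata is caller-chosen."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata
    return header + question + rr


def demo() -> dict:
    """Constructed sample messages run through the filter; returns {label: [attack names]}."""
    samples = [
        ("normal query", build_query("www.example.com", TYPE_A), 53000),
        ("normal answer", build_a_response("www.example.com", bytes([192, 0, 2, 10])), 53),
        ("length overflow", build_a_response("www.example.com", b"A" * 300), 53),
        ("hostname overflow", build_query(".".join(["x" * 60] * 5), TYPE_A), 53001),
        ("axfr from high port", build_query("example.com", TYPE_AXFR), 40000),
        ("axfr from privileged port", build_query("example.com", TYPE_AXFR), 53),
    ]
    return {label: [attack for attack, _ in inspect_dns(msg, port)] for label, msg, port in samples}
```

Note that the hostname overflow sample is legal at the wire level (every label is 60 octets, under the 63-octet label limit); only the assembled name is too long, which is why a filter has to decode the whole name rather than check individual labels. A production filter would also have to bound the total message length it is willing to parse before calling `read_name`.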


POP buffer overflow.

Occurs when an intruder attempts to gain privileged access to computers that are running certain versions of a Post Office Protocol (POP) server by overflowing an internal buffer on the server.


Configuring Intrusion Detection

Screenshot: IP Packet Filters Properties dialog, Intrusion Detection tab. "Enable detection of the selected attacks" lists Windows out-of-band (WinNuke), Land, Ping of death, IP half scan, UDP bomb, and Port scan, with the port scan thresholds "Detect after attacks on 10 well-known ports" and "Detect after attacks on 20 ports". The tab notes: "To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder" and "Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net".

Screenshot: DNS intrusion detection filter Properties dialog, Attacks tab. "Filter incoming traffic for the following" lists DNS host name overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024), and DNS zone transfer from high ports (above 1024).

Select the options that are required to implement your monitoring strategy.


When you configure intrusion detection, ISA Server identifies when an attack is attempted against your network and then performs a set of preconfigured actions. To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Possible actions that you can configure include connection termination, service termination, e-mail alerts, and logging.

Important:

Although ISA Server generates events whenever a selected intrusion attack occurs, ISA Server generates alerts only if you specifically configure ISA Server to do so.


Configuring IP Intrusion Detection

To configure IP intrusion detection:

1. In ISA Management, in the console tree, expand your server or array, expand Access Policy, right-click IP Packet Filters, and then click Properties.

2. In the IP Packet Filters Properties dialog box, on the General tab, select the Enable packet filtering and Enable intrusion detection check boxes.

3. On the Intrusion Detection tab, select the IP packet-level intrusion options that are required to implement your monitoring strategy, and then click OK.


Configuring IP Intrusion Detection (continued)

4. If you select the Port scan check box, perform the following actions, and then click OK:

In the Detect after attacks on ... well-known ports box, type the maximum number of well-known ports that can be scanned before ISA Server generates an event. For this setting ISA Server counts UDP and TCP ports in the range 0-2048 as well-known ports, a wider range than the IANA well-known range of 0-1023. Intruders frequently scan well-known ports because most services listen for connections on these ports, so an intruder is most likely to find vulnerable services by scanning them.

In the Detect after attacks on ... ports box, type the total number of ports that can be scanned before generating an alert.
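The following Python script is an added example, not ISA Server code, that implements the packet-level signatures described earlier in this module (land, ping of death, UDP bomb, Windows out-of-band, IP half scan) together with the two port scan thresholds configured in step 4, over a stream of packet records. The Packet record, the constructed sample traffic, the half-scan threshold of three probes, the ACK/RST handling and the 0-2048 well-known range are assumptions made for the example; ISA Server's own matching logic and internal thresholds are not documented on this page.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_IP_PACKET = 65535       # largest legal IPv4 datagram; a reassembled ping above this is a ping of death
NETBIOS_SESSION_PORT = 139  # WinNuke sends TCP urgent (out-of-band) data to this port
WELL_KNOWN_LIMIT = 2048     # the course's definition of "well-known" ports (IANA's range is 0-1023)
HALF_SCAN_THRESHOLD = 3     # assumption: SYN/RST probes per source before "IP half scan" is raised


@dataclass(frozen=True)
class Packet:
    """Simplified packet record constructed for this example (not a real capture format)."""
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"RST"}
    length: int = 0                  # total IP length after reassembly (0 = unknown)
    udp_len: int = 8                 # UDP header length field (8 = empty datagram)


class PacketLevelDetector:
    def __init__(self, well_known_threshold=10, total_threshold=20):
        self.well_known_threshold = well_known_threshold   # "Detect after attacks on N well-known ports"
        self.total_threshold = total_threshold             # "Detect after attacks on N ports"
        self.ports_seen = defaultdict(set)      # src_ip -> distinct destination ports probed
        self.half_open = defaultdict(set)       # src_ip -> (dst_ip, dst_port) with a SYN and no ACK yet
        self.half_scan_probes = defaultdict(int)
        self.reported = set()                   # (src_ip, attack) already raised once

    def _once(self, src_ip, name, hits):
        if (src_ip, name) not in self.reported:
            self.reported.add((src_ip, name))
            hits.append(name)

    def inspect(self, p: Packet) -> list:
        """Return the attack names this packet triggers (empty list for benign traffic)."""
        hits = []
        if p.proto == "icmp" and p.length > MAX_IP_PACKET:
            hits.append("ping_of_death")
        if p.proto == "udp" and (p.udp_len < 8 or (p.length and p.udp_len + 20 > p.length)):
            hits.append("udp_bomb")               # length field cannot fit inside the IP datagram
        is_syn = p.proto == "tcp" and p.flags == {"SYN"}
        if p.proto == "tcp":
            if p.src_ip == p.dst_ip and p.src_port == p.dst_port:
                hits.append("land")
            if "URG" in p.flags and p.dst_port == NETBIOS_SESSION_PORT:
                hits.append("windows_out_of_band")
            key = (p.dst_ip, p.dst_port)
            if is_syn:
                self.half_open[p.src_ip].add(key)
            elif key in self.half_open[p.src_ip]:
                self.half_open[p.src_ip].discard(key)   # ACK completes the handshake, RST aborts it
                if "RST" in p.flags:
                    self.half_scan_probes[p.src_ip] += 1
                    if self.half_scan_probes[p.src_ip] >= HALF_SCAN_THRESHOLD:
                        self._once(p.src_ip, "ip_half_scan", hits)
        if is_syn or p.proto == "udp":
            ports = self.ports_seen[p.src_ip]
            ports.add(p.dst_port)
            well_known = sum(1 for port in ports if port <= WELL_KNOWN_LIMIT)
            if well_known >= self.well_known_threshold or len(ports) >= self.total_threshold:
                self._once(p.src_ip, "port_scan", hits)
        return hits


def demo() -> dict:
    """Run constructed sample traffic through the detector; returns {attack: [source IPs]}."""
    det = PacketLevelDetector(well_known_threshold=10, total_threshold=20)   # the dialog's defaults
    traffic = [
        Packet("10.0.0.5", "10.0.0.5", "tcp", 139, 139, frozenset({"SYN"})),                    # land
        Packet("203.0.113.9", "10.0.0.5", "icmp", length=65600),                                 # ping of death
        Packet("203.0.113.9", "10.0.0.5", "udp", 4000, 53, length=40, udp_len=4),                # UDP bomb
        Packet("203.0.113.9", "10.0.0.5", "tcp", 4001, 139, frozenset({"URG", "PSH", "ACK"})),  # WinNuke
    ]
    for port in range(20, 32):   # SYN scan of 12 well-known ports, each SYN/ACK answered with RST
        traffic.append(Packet("198.51.100.7", "10.0.0.5", "tcp", 40000 + port, port, frozenset({"SYN"})))
        traffic.append(Packet("198.51.100.7", "10.0.0.5", "tcp", 40000 + port, port, frozenset({"RST"})))
    traffic.append(Packet("192.0.2.4", "10.0.0.5", "tcp", 50001, 80, frozenset({"SYN"})))   # legitimate
    traffic.append(Packet("192.0.2.4", "10.0.0.5", "tcp", 50001, 80, frozenset({"ACK"})))   # handshake
    found = defaultdict(list)
    for p in traffic:
        for name in det.inspect(p):
            found[name].append(p.src_ip)
    return dict(found)
```

The scan from 198.51.100.7 raises "port_scan" on the tenth well-known port (the 10-port threshold is reached long before the 20-port total), and "ip_half_scan" on the third SYN/RST probe; the client that completes its handshake to port 80 raises nothing. Each attack is reported once per source, which mirrors the purpose of the alert recurrence settings later in this module.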


Configuring the DNS Intrusion Detection Filter

The DNS intrusion detection filter intercepts and analyzes DNS traffic destined for the internal network.

To configure the DNS intrusion detection filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.

2. In the details pane, right-click DNS intrusion detection filter, and then click Properties.

3. On the Attacks tab, select the options that are required to implement your monitoring strategy, and then click OK.


Configuring the POP Intrusion Detection Filter

The POP intrusion detection filter detects attempts to perform POP buffer overflow attacks.

To configure the POP intrusion detection filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.

2. In the details pane, right-click POP intrusion detection filter, and then click Properties.

3. On the General tab, select the Enable this filter check box, and then click OK.


ISA Server Alert Events

Screenshot: ISA Management console with the Alerts folder (under Monitoring Configuration for the array LONDON) selected. The details pane lists the predefined alerts with their Name, Description, Server (PHOENIX) and Event columns, including: Alert action failure, Cache container initialization error, Cache container recovery complete, Cache file resize failure, Cache initialization failure, Cache restoration completed, Cache write error, Cached object discarded, Component load failure, Configuration error, Dial-on-demand failure, DNS intrusion, Event log failure, Firewall communication failure, Intrusion detected, Invalid dial-on-demand credentials, Invalid ODBC log credentials, IP packet dropped, IP protocol violation, IP spoofing, Log failure, Missing installation component, Network configuration changed, No available ports, OS component conflict, Oversized UDP packet, POP intrusion, and Report Summary Generation Failure. The Intrusion detected Properties dialog is open on its General tab (Name: Intrusion detected; Description: An external user attempted an intrusion attack; Enable check box).


Events are conditions that ISA Server can detect during its operation, such as an intrusion attempt, a problem with a service running on an ISA Server computer, or a communication failure. You use events when you configure an alert. An alert defines the actions that ISA Server performs when it detects an event. When you create an alert, you must specify an event that triggers the alert.

The following table lists some of the events that ISA Server can detect.


Event. Description

DNS intrusion. Indicates that a host name overflow, length overflow, zone high port, or zone transfer attack has occurred.

Intrusion detected. Indicates that an external user attempted an intrusion attack.

IP packet dropped. Indicates that an IP packet that is not allowed by an access policy was dropped.

IP protocol violation. Indicates that ISA Server detected and dropped a packet with invalid IP options.

IP spoofing. Indicates that an IP packet's source address is not valid (for example, an internal address arriving on the external interface).

POP intrusion. Indicates that a POP buffer overflow attack was detected.

SOCKS request was refused. Indicates that ISA Server refused a SOCKS request because of a policy violation.

Windows Media Technology (WMT) live stream splitting failure. Indicates that the streaming application filter encountered an error during WMT live stream splitting.


Note:

For a full list of the events that are recognized by ISA Server, see "ISA Server events" in ISA Server Help.


Configuring Alerts

Screenshot: Intrusion detected Properties dialog, Actions tab. Options: Send e-mail (SMTP server, To, Cc, From, Test, Set Account); Program (Run this program, Use this account); Report to Windows 2000 event log; Stop selected services; Start selected services.

Screenshot: Intrusion detected Properties dialog, Events tab ("Actions will be executed when the selected conditions occur"). Event: Intrusion detected; Description: An intrusion was attempted by an external user; Additional condition: Any intrusion; Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than ... minutes.


The alert service of ISA Server monitors events and then performs an action if a specific event occurs. You can configure an alert to send an e-mail notification, run a program, or start and stop a service. For example, you can configure ISA Server to send you an e-mail message when a specified number of intrusion attempts have occurred.


Note:

In addition, you can use scripts to configure advanced actions for ISA Server. For example, you can create a program that scans the logs for the IP address of an intruder and then creates a protocol filter that blocks connections from the intruder's IP address. You can then run the program whenever ISA Server generates an alert that is based on an intrusion attempt.


Creating Alerts

To create an alert:

1. In ISA Management, in the console tree, expand your server or array, expand Monitoring Configuration, right-click Alerts, point to New, and then click Alert.

2. In the New Alert Wizard, type the name of the alert, and then click Next.

3. On the Events and Conditions page, select the event that will trigger the alert. If the event allows you to specify additional conditions, select those conditions, and then click Next.

4. On the Actions page, select from the following actions, click Next, and then click Finish:


Send an e-mail message. Provide the name or the IP address of the Simple Mail Transfer Protocol (SMTP) server, a recipient, a return address, and any recipients to include on the Cc: list. Ensure that no packet filters prevent the ISA Server computer from communicating with the SMTP server by using TCP port 25.

Run a program. Provide the full path of the program that ISA Server will run. If you run the program in the security context of a user account other than the local system account, provide the user name and password for that account. Prefer a dedicated account with only the rights the program needs: the program runs on the firewall computer itself, so anything it does runs with that account's privileges.

Report the event to a Microsoft Windows® 2000 event log. No further action is required.

Stop selected ISA Server services. Select the service or services to stop. Valid choices are the Firewall service, the Microsoft Web Proxy service, and the Microsoft Scheduled Cache Content Download service.

Start selected ISA Server services. Select the service or services to start.


Viewing and Resetting Alerts

When an alert occurs, ISA Server performs the alert action and then records the alert in the Event log. You can view all of the alerts that ISA Server issued and the time that ISA Server issued the alert. After you view the alert, you can reset it. Resetting an alert removes it from the list of recent events. If you configured the alert to perform an action only after a manual reset of the alert, you must reset the alert before ISA Server will issue the same alert again.


Viewing and Resetting Alerts (continued)

To view and reset an alert:

1. In ISA Management, in the console tree, under Monitoring, click Alerts.

2. In the details pane, view the alerts that have occurred.

3. To reset an alert, right-click the alert, and then click Reset.


Configuring Advanced Alert Properties

Screenshot: Intrusion detected Properties dialog, Events tab ("Actions will be executed when the selected conditions occur"). Event: Intrusion detected; Description: An intrusion was attempted by an external user; Additional condition: Any intrusion; Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than ... minutes. Choose options to customize alert action for the event.


After you create an alert, you can configure the alert properties. For example, you can configure ISA Server to alert you by using e-mail messages only when there are a specified number of intrusion attempts.

Important:

A large number of alert actions may cause you to overlook important events, such as an important event log entry that appears among many duplicate entries that are less important.


To configure advanced alert properties:

1. In ISA Management, in the console tree, expand Monitoring Configuration, and then click Alerts.

2. In the details pane, right-click the alert, and then click Properties.

3. On the Events tab, choose one or more of the following options to customize the alert action for an event, and then click OK:


To: Specify the number of occurrences before an alert is issued
Do this: Select the Number of occurrences before the alert is issued check box, and then type the number of occurrences.

To: Specify the number of events per second to occur before an alert is issued
Do this: Select the Number of events per second before the alert is issued check box, and then type the number of events per second.

To: Reissue an alert immediately if an event recurs
Do this: Click Immediately. Selecting this option can result in a large number of alert actions because ISA Server performs the alert action each time that it detects the event.

To: Reissue an alert only after the alert is reset
Do this: Click After manual reset of alert. Selecting this option results in a single alert action even when there are multiple events, until you reset the alert.

To: Reissue an alert after a specified amount of time
Do this: Click If time since last execution is more than number minutes, and then type the number of minutes. Selecting this option results in repeated alert actions only when events continue to occur after the specified number of minutes has passed since the last action.
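The following Python model, added here as an illustration and not part of the original course material or of ISA Server, simulates how the three settings on the Events tab combine. It replays a constructed stream of intrusion events through a small alert engine and counts how many alert actions each Recurring actions choice would fire. The class names, the event streams and one simplifying assumption (once the occurrence threshold has been met, every further event satisfies it until the alert is reset) are the example's own, not documented ISA Server behaviour.

```python
"""Simulation of the alert-issuing options on the Events tab.

Added example for this module; it is not ISA Server code and the class names,
event streams and thresholds below are hypothetical. One simplifying assumption
of the model, not documented behaviour: once the occurrence threshold has been
met, every further event satisfies it until the alert is reset.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AlertPolicy:
    # "Number of occurrences before the alert is issued"
    occurrences_before_issue: int = 1
    # "Number of events per second before the alert is issued" (0 = not used)
    events_per_second_before_issue: int = 0
    # "Recurring actions are performed": immediately | after_manual_reset | after_minutes
    recurrence: str = "immediately"
    # "If time since last execution is more than N minutes" (used with after_minutes)
    minutes_between_actions: int = 0


@dataclass
class Alert:
    policy: AlertPolicy
    count: int = 0                               # occurrences seen since last reset
    issued: bool = False                         # an action has fired since last reset
    last_action: Optional[float] = None          # time of the last action, seconds
    recent: List[float] = field(default_factory=list)   # event times in the last second
    actions: List[float] = field(default_factory=list)  # times at which actions fired

    def reset(self) -> None:
        """Equivalent of right-click > Reset on the alert in ISA Management."""
        self.count = 0
        self.issued = False

    def event(self, t: float) -> bool:
        """Record one occurrence at time t (seconds); return True if an action fires."""
        p = self.policy
        self.count += 1
        self.recent = [x for x in self.recent if t - x < 1.0] + [t]

        # Both thresholds must be satisfied before the alert is issued at all.
        if self.count < p.occurrences_before_issue:
            return False
        if p.events_per_second_before_issue and len(self.recent) < p.events_per_second_before_issue:
            return False

        # The event condition holds; the recurrence setting decides whether to act again.
        if p.recurrence == "after_manual_reset" and self.issued:
            return False
        if p.recurrence == "after_minutes" and self.last_action is not None:
            if t - self.last_action < p.minutes_between_actions * 60:
                return False

        self.issued = True
        self.last_action = t
        self.actions.append(t)
        return True


def actions_fired(policy: AlertPolicy, event_times) -> int:
    """Replay a list of event times through a fresh alert and count the actions."""
    alert = Alert(policy)
    for t in event_times:
        alert.event(t)
    return len(alert.actions)


# Constructed event streams: one intrusion attempt a minute for 20 minutes,
# and a burst of ten attempts inside one second.
EVERY_MINUTE = [60.0 * i for i in range(20)]
BURST = [0.1 * i for i in range(10)]

if __name__ == "__main__":
    three = dict(occurrences_before_issue=3)
    for name, policy in [
        ("immediately", AlertPolicy(recurrence="immediately", **three)),
        ("after manual reset", AlertPolicy(recurrence="after_manual_reset", **three)),
        ("every 5 minutes", AlertPolicy(recurrence="after_minutes", minutes_between_actions=5, **three)),
    ]:
        print(f"{name:>20}: {actions_fired(policy, EVERY_MINUTE)} actions for 20 events")
    rate = AlertPolicy(events_per_second_before_issue=5)
    print(f"rate >= 5/s on burst: {actions_fired(rate, BURST)} actions")
    print(f"rate >= 5/s on slow stream: {actions_fired(rate, EVERY_MINUTE)} actions")
```

On the slow stream with a threshold of three occurrences, Immediately fires an action for 18 of the 20 events, After manual reset fires once, and a five-minute interval fires four times; the events-per-second threshold never triggers on the slow stream and triggers on the burst only once five events fall inside a second. That is the trade-off the Important note above describes: Immediately is the setting most likely to bury a real attack under duplicates.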

Monitoring ISA Server Activity

Configuring Logging

Logging Packet Filter Activity

You can monitor ISA Server activity by configuring logging. ISA Server logs incoming and outgoing requests and how ISA Server responded to these requests. When you configure logging, ISA Server generates logs for each server in the array. ISA Server includes logs for access and for security activity. You can configure ISA Server to generate logs in several data formats and then analyze the logs for usage, performance, and security monitoring.

Configuring Logging

[Slide: the Firewall service Properties dialog box, Log tab, with a Fields tab beside it. Log storage format: File (Format: W3C extended log file format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; Options…) or Database (ODBC data source (DSN): db1; Table name: Table1; Use this account: Set Account…). Enable logging for this service check box.]

Click File to save logs to a file by using the W3C format or ISA format.

Click Database to save logs to an ODBC database.

When you configure logging, ISA Server creates log files on every ISA Server computer in the array. ISA Server can produce the following log files:

Packet filter logs. Record attempts to pass packets through the ISA Server computer.

Firewall service logs. Record attempts to communicate by using the Firewall service.

Web Proxy service logs. Record attempts to communicate by using the Web Proxy service.

Log Formats

By default, ISA Server saves all of the log files to the ISALogs folder under the ISA Server installation folder. You can save log files in the following formats:

W3C format

ISA format

ODBC database

W3C format.

Use this format for compatibility with reporting applications that recognize the World Wide Web Consortium (W3C) format. A W3C log contains the data together with directives that describe the software version, the date, and the fields that are logged. ISA Server logs only the fields that you select. This format uses the tab character as a delimiter, and the date and time fields are in Greenwich Mean Time.

ISA format.

Use this format when you use a reporting application that can interpret ISA Server logs. An ISA-format log contains only data, with no information about the data format, so the reader must know the field order. ISA Server always logs all of the fields, writing the unselected fields as dashes to indicate that they are empty. This format uses the comma character as a delimiter, and the date and time fields are in local time.

ODBC database.

Use this format to save the logs to an Open Database Connectivity (ODBC) database.

Note:

The ISA Server compact disc includes sample scripts that you can use to create your own log database. These scripts are located in the MSA folder. For more information about logging to a database, see "Logging to a database" in ISA Server Help.
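The two file formats differ in a way that matters when you write your own analysis tooling: a W3C log names its fields in a directive, so a parser can adapt to whatever fields were selected, while an ISA-format log carries no header and the reader must be told the field order. The following Python example, added here and not Microsoft code or part of the original module, parses constructed samples of both layouts and then produces a per-client count of denied requests of the kind a Security report presents. The field set (c-ip, sc-status and so on) is an illustrative W3C-style selection, not the ISA Server field list, and the rule that a status of 0 means allowed is an assumption for the sample; look up the real field names and result codes in ISA Server Help.

```python
"""Parsers for the W3C and ISA log file formats, with a small denied-connection
summary of the kind the Security report presents.

Added example for this module; it is not Microsoft code. The log lines are
constructed to show the two layouts, and the field set (c-ip, sc-status, ...)
is an illustrative W3C-style selection, not the ISA Server field list; look
up the real field names and result codes in ISA Server Help.
"""
import csv
from collections import Counter
from datetime import datetime, timezone
from io import StringIO

# Constructed W3C-format sample: directives first, tab-delimited data, GMT times.
# Only the fields that were selected on the Fields tab appear, and #Fields names them.
W3C_SAMPLE = """#Software: constructed sample
#Version: 1.0
#Date: 2001-05-14 00:00:01
#Fields: c-ip cs-username date time r-ip r-port cs-transport s-operation sc-status
192.168.1.10\tanonymous\t2001-05-14\t08:01:03\t203.0.113.5\t80\tTCP\tConnect\t0
192.168.1.10\tanonymous\t2001-05-14\t08:01:09\t203.0.113.5\t80\tTCP\tConnect\t0
192.168.1.44\tanonymous\t2001-05-14\t08:02:15\t203.0.113.9\t23\tTCP\tConnect\t1
192.168.1.44\tanonymous\t2001-05-14\t08:02:16\t203.0.113.9\t23\tTCP\tConnect\t1
192.168.1.44\tanonymous\t2001-05-14\t08:02:17\t203.0.113.9\t23\tTCP\tConnect\t1
"""

# Constructed ISA-format sample: no header, comma-delimited, every field always
# present with "-" for unselected ones, local times. The reader must know the order.
ISA_FIELDS = ["c-ip", "cs-username", "date", "time", "r-ip", "r-port",
              "cs-transport", "s-operation", "sc-status"]
ISA_SAMPLE = """192.168.1.44,-,2001-05-14,10:02:18,203.0.113.9,23,TCP,Connect,1
192.168.1.77,-,2001-05-14,10:03:00,203.0.113.9,23,TCP,Connect,0
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in #Fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        row = dict(zip(fields, values))
        if "date" in row and "time" in row:
            # W3C date/time are GMT, so mark the timestamp as UTC explicitly.
            row["timestamp"] = datetime.strptime(
                f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def parse_isa(text, fields):
    """Parse an ISA-format log; the caller supplies the field order."""
    rows = []
    for values in csv.reader(StringIO(text)):
        if not values:
            continue
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {values!r}")
        # A dash means the field was not selected for logging.
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def denied_by_client(rows, status_field="sc-status"):
    """Count denied requests per internal client address.

    Assumption for the constructed samples: status 0 means allowed and any
    other value means denied. Check the real result codes in ISA Server Help.
    """
    counts = Counter()
    for row in rows:
        if row.get(status_field) not in (None, "0"):
            counts[row["c-ip"]] += 1
    return counts


if __name__ == "__main__":
    print("W3C:", dict(denied_by_client(parse_w3c(W3C_SAMPLE))))
    print("ISA:", dict(denied_by_client(parse_isa(ISA_SAMPLE, ISA_FIELDS))))
```

Because the W3C timestamps are GMT and the ISA timestamps are local, correlate entries from the two formats only after converting both to the same zone; the parser above attaches UTC to the W3C rows so that a later comparison cannot silently mix the two.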

Configuring Logs

To configure log settings:

1. In ISA Management, in the console tree, expand Monitoring Configuration, and then click Logs.

2. In the details pane, right-click Packet filters, Firewall service, or Web Proxy Service, and then click Properties.

3. On the Log tab, specify how to save the logs, and then ensure that the Enable logging for this service check box is selected:

To: Save to a file
Do this: Click File, and then select a log format. In the Create new file list, select a time period that specifies how often to create a new log file, and then click Options to specify where to store the logs and to limit the number of log files that you save.

To: Save to a database
Do this: Click Database, and then confirm or modify the following parameters:

• ODBC data source (DSN)

• Table name

• Use this account

Configuring Logs (continued)

4. On the Fields tab, select the fields that you want ISA Server to include in the logs, and then click OK.

Note:

For more information about the fields, see "Firewall and Web Proxy log fields" and "Packet Filter log fields" in ISA Server Help.

Logging Packet Filter Activity

[Slide: two dialog boxes. DNS Block Properties, General tab: Name: DNS Block; Mode: Block packet transmission between specified IP addresses, ports, and protocols; Description (optional); Log any packets matching this filter check box (clear it to prevent logging blocked packets); Enable this filter check box; other tabs: Filter Type, Local Computer, Remote Computer. IP Packet Filters Properties: Enable filtering of IP fragments; Enable filtering IP options; Log packets from ‘Allow’ filters check box (select it to log allowed packets); other tabs: General, Intrusion Detection, PPTP.]

You can log all of the packets that pass through ISA Server to the packet filter log. By default, ISA Server logs only dropped packets. To reduce server load, you can configure ISA Server to disable logging for packets that are dropped because they are blocked by an IP packet filter. Disable logging for dropped packets only if your security policy does not require this information. You can also configure ISA Server to log the allowed packets. ISA Server can only log the blocked or allowed packets if packet filtering is enabled.

Important:

Logging both allowed packets and blocked packets can cause a considerable load on the server. Enable logging for allowed packets for diagnostic purposes only.

Preventing Logging of Blocked Packets

To prevent logging of packets that are blocked by a specific filter:

1. In ISA Management, in the console tree, expand Access Policy, and then click IP Packet Filters.

2. In the details pane, click a packet filter that blocks access, and then click Configure a Packet Filter.

3. On the General tab, click to clear the Log any packets matching this filter check box, and then click OK.

Logging Allowed Packets

To log allowed packets for all packet filters:

1. In ISA Management, in the console tree, expand Access Policy, and then click IP Packet Filters.

2. In the details pane, click Configure Packet Filtering and Intrusion Detection (or right-click IP Packet Filters in the console tree, and then click Properties).

3. On the Packet Filters tab, select the Log packets from ‘Allow’ filters check box, and then click OK.

Analyzing ISA Server Activity by Using Reports

Configuring Log Summaries

Creating Report Jobs

Using Predefined Report Formats

Viewing and Saving Reports

You can use ISA Server or a third-party reporting application to analyze ISA Server activity. ISA Server generates reports from a database that includes the data collated from the ISA Server log files. ISA Server saves this data in daily or monthly summaries, as specified. For example, you can save summary data every day for 20 days and then generate reports based on those daily summaries. ISA Server also includes a set of predefined report formats to assist administrators in analyzing their security and Internet usage patterns.

Configuring Log Summaries

[Slide: the Report Jobs Properties dialog box, Log Summaries tab. Enable daily and monthly summaries check box. Location of saved summaries: ISASummaries folder (in the ISA Server installation folder) or Directory with Browse… Number of summaries saved: Daily summaries: 35; Monthly summaries: 13. Caption: Choose the number of daily and monthly summaries.]

Because ISA Server creates reports from log summaries, the first step in creating a report is configuring log summaries. ISA Server generates daily and monthly summaries of the log data; a report job then covers a daily, weekly, monthly, or yearly period and is built from the summaries that fall within that period.

Important:

ISA Server reports require summaries of saved logs. ISA Server creates these summaries each day at 12:30 A.M. You can create an ISA Server report only after ISA Server has created at least one daily summary.

To configure log summaries:

1. In ISA Management, in the console tree, expand Monitoring Configuration, right-click Report Jobs, and then click Properties.

2. In the Report Jobs Properties dialog box, on the Log Summaries tab, select the Enable daily and monthly summaries check box.

3. Select the ISASummaries folder or another folder as the location of the saved summaries.

4. Choose the number of daily and monthly summaries that ISA Server saves, and then click OK.

Creating Report Jobs

[Slide: the steps of creating a report job: Start, Name the Report, Specify the Duration, Specify When to Generate, Specify the Rate of Recurrence, Specify User Credentials, Finish.]

Before you can view a report, you must create a report job. After ISA Server has run the report job, you can view the report. You can configure ISA Server to run a report job at a specific time or at regular intervals. When you create a scheduled report job, ISA Server generates the reports on the server from which you configure the job. If the server belongs to a multi-server array, the user generating the reports must have appropriate permissions to gain access to and use the reporting mechanism on each ISA Server computer in the array.

You must also specify user credentials that meet the following criteria:

Must be a local administrator on every ISA Server computer in the array.

Must be able to gain access to and launch Distributed Component Object Model (DCOM) objects on every ISA Server computer in the array.

To create a report job:

1. In ISA Management, in the console tree, expand Monitoring Configuration, right-click Report Jobs, point to New, and then click Report Job.

2. On the General tab, type a name for the report, and then ensure that the Enable check box is selected.

3. On the Period tab, select the duration of the report job.

4. On the Schedule tab, select when to generate the report job.

Important:

Because the database generation process can be resource intensive, reports may not appear instantly in the Report subfolders. You may want to schedule reports to run once a day in the early morning or during off-peak hours.

5. Under Recurrence pattern, select the rate of recurrence for the report job.

6. On the Credentials tab, in the Username box, type the name of a user with permissions to generate the report; in the Domain box, type the user's domain; in the Password box, type the user's password, and then click OK.

Using Predefined Report Formats

You can generate several types of ISA Server reports. Reports that are generated by ISA Server are displayed as Web pages so that you can view them in any Web browser. You can also save reports as Web pages and then perform further formatting. ISA Server can generate the following types of reports:

Summary Reports

Summary reports include a set of statistics about ISA Server usage. Summary reports combine data from the Web Proxy service logs and Firewall service logs.

Web Usage Reports

Web usage reports include a set of reports that display top Web users, common responses, and Web browsers. These reports show how an organization uses the Web and are based on the Web Proxy service logs.

Application Usage Reports

Application usage reports display Internet application usage, including incoming and outgoing traffic, top users, client applications, and destinations. Application usage reports can help you to plan network capacity and determine bandwidth policies. Application usage reports are based on the Firewall service logs.

Traffic and Utilization Reports

Traffic and utilization reports display total Internet usage by application, protocol, and direction; average traffic and peak simultaneous connections; cache hit ratios; errors; and other statistics. Traffic and utilization reports can help you plan and monitor network capacity and determine bandwidth policies. Traffic and utilization reports combine data from the Web Proxy service logs and the Firewall service logs.

Security Reports

Security reports list attempts to breach network security. Security reports can help identify attacks or security violations after they have occurred. Security reports are based on the Web Proxy service logs, the Firewall service logs, and the Packet filter logs.

Viewing and Saving Reports

Viewing Reports

Saving Reports

Saving reports as Web pages

Saving reports as Excel workbooks

Reports enable administrators to better understand their security settings and network usage. By analyzing log data, administrators can create access rules to better meet their organizations' needs. You can also save the reports that you create.

Viewing Reports

To view reports:

1. In ISA Management, in the console tree, expand Monitoring, expand Reports, and then click the report type that you want to view.

2. In the details pane, double-click the report job that you want to view in Microsoft Internet Explorer.

Saving Reports

You can save the reports as Hypertext Markup Language (HTML) files or as a Microsoft Excel workbook.

Saving Reports (continued)

Saving Reports as Web Pages

To save a report as a Web page:

1. In ISA Management, in the console tree, expand Monitoring, expand Reports, and then click the report type that you want to save.

2. In the details pane, right-click the applicable report job, and then click Save As.

3. In the Save As dialog box, in the File Name box, type a name for the report, and then in the Save as type list, select Web Page (*.htm; *.html).

Saving Reports (continued)

Saving Reports as Excel Workbooks

After you save a report as an Excel workbook, you can further analyze the results by using Excel.

To save a report as an Excel workbook:

1. In ISA Management, in the console tree, expand Monitoring, expand Reports, and then click the report type that you want to save.

2. In the details pane, right-click the applicable report job, and then click Save As.

3. In the Save As dialog box, in the File Name box, type a name for the report, and then in the Save as type list, select Microsoft Excel Workbook (*.xls).

Monitoring Real-Time Activity

Viewing and Disconnecting ISA Server Sessions

Using Performance Objects

Monitoring H.323 Gatekeeper Sessions

The ISA Server real-time monitoring feature enables you to centrally monitor ISA Server computer activity, including the current sessions. ISA Server also includes a large number of performance counters that you can use to monitor the details of how a variety of ISA Server components operate. These performance counters help you to monitor, troubleshoot, and analyze ISA Server performance and activity. You can also view the active client sessions to determine which clients are using the ISA Server computer to communicate with the Internet.

Viewing and Disconnecting ISA Server Sessions

Viewing Sessions

Disconnecting Sessions

To view and disconnect sessions, you must have the proper permissions for the session object.

Viewing Sessions

To view a client session:

In ISA Management, in the console tree, expand Servers and Arrays, expand the applicable server or array, expand Monitoring, and then click Sessions.

The sessions are listed in the details pane.

Disconnecting Sessions

To disconnect a client session:

1. In ISA Management, in the console tree, expand Servers and Arrays, expand the applicable server or array, expand Monitoring, and then click Sessions.

2. On the View menu, click Advanced.

3. In the details pane, right-click the applicable session, and then click Stop.

Using Performance Objects

ISA Server Bandwidth Control

ISA Server Cache

ISA Server Firewall Service

ISA Server Packet Filter

ISA Server Web Proxy Service

Several performance objects that you can use to monitor system performance are included with ISA Server. Each performance object contains a number of counters. You view the performance objects and their counters in real time in System Monitor, the monitoring tool included with Windows 2000. You can also log performance data and create alerts from it by using Performance Logs and Alerts, the logging tool included with Windows 2000. To view the most critical ISA Server performance counters, open ISA Server Performance Monitor from the Microsoft ISA Server menu.

Note:

For more information about performance counters, see Module 8, "Monitoring and Optimizing Performance in Windows 2000," in Course 2152B, Implementing Microsoft Windows 2000 Professional and Server.

The ISA Server performance objects are:

ISA Server Bandwidth Control

ISA Server Cache

ISA Server Firewall Service

ISA Server Packet Filter

ISA Server Web Proxy Service

ISA Server Bandwidth Control.

Includes performance counters to monitor actual bandwidth and assigned bandwidth. Use these counters to detect potential bandwidth and connection bottlenecks. For example, you can use the Actual outbound bandwidth performance counter to monitor the bandwidth currently in use by outgoing connections and compare it with the bandwidth that has been assigned to them.

ISA Server Cache.

Includes performance counters to monitor the memory, disk, and URL activity associated with the cache. Use these performance counters to monitor the effectiveness of the cache for clients. For example, you can use the Disk URL Retrieve Rate performance counter to determine the rate at which URLs are retrieved from the disk cache.

ISA Server Firewall Service.

Includes performance counters to monitor Firewall service connections and associated services such as DNS. For example, you can use the Active Sessions performance counter to monitor the number of Firewall client sessions that are running simultaneously. By comparing peak times and off-peak times, this performance counter can help you to determine ISA Server usage.

ISA Server Packet Filter.

Includes performance counters to monitor packet filtering activity, including dropped packets and incoming connections made through the packet filters. For example, you can use the Total incoming connections performance counter to monitor the total number of connections that are established through an external interface on an ISA Server computer.

ISA Server Web Proxy Service.

Includes counters to monitor the number of users and the rate at which ISA Server transfers data to remote and upstream servers. For example, you can use the Total Users performance counter to monitor the total number of users that are connected to the Web Proxy service.

Monitoring H.323 Gatekeeper Sessions

Viewing H.323 Gatekeeper Clients

Viewing Active H.323 Sessions

You can use ISA Management to monitor H.323 Gatekeeper sessions.

Viewing H.323 Gatekeeper Clients

To view H.323 Gatekeeper client sessions:

1. In ISA Management, in the console tree, expand H.323 Gatekeepers, expand the applicable server or array, and then click Active Terminals.

2. In the details pane, right-click the client, and then click Properties to view the client's status.

Note:

To unregister a client, right-click the client, and then click Unregister.

Viewing Active H.323 Sessions

To view active H.323 Gatekeeper sessions:

In ISA Management, in the console tree, expand H.323 Gatekeepers, expand the applicable server or array, and then click Active Calls.

The active sessions are listed in the details pane.

Testing the ISA Server Configuration

Using Third-Party Tools

Using Telnet

Using Network Monitor

After configuring ISA Server, it is recommended that you test your configuration to ensure that ISA Server correctly enforces the security settings. To test the ISA Server configuration, you can use a third-party intrusion detection system. If you do not have access to such an application, you can do some limited testing by using the applications that are included with Windows 2000.

Using Third-Party Tools

One of the best ways to test your network security is to use a third-party security assessment tool. These specialized tools scan your network for vulnerabilities and then present reports. For example, a security assessment application might enumerate all open ports on an ISA Server computer and then perform a large number of network attacks in an automated manner. The application will then present you with a report that allows you to assess whether ISA Server is correctly configured.

Using Telnet

You can use Telnet to establish connections to specific TCP ports to test if the ISA Server computer responds to the connection attempts. If the ISA Server computer responds to a connection attempt for a port that you configured not to respond, ISA Server is not configured correctly.

To connect to a TCP port by using Telnet:

At a command prompt, type telnet ip_address port (where ip_address is the external IP address of the ISA Server computer and port is the port to which you are connecting).

Using Telnet (continued)

If the Telnet application reports that it could not establish a connection, ISA Server does not allow TCP connections to the port. If the Telnet application opens a session, even if it immediately closes that session, ISA Server allows connections to that port. Run the test from a computer on the external network against the external IP address, as the command above shows. Telnet tests only TCP, so it tells you nothing about UDP or ICMP filtering, and a failed connection does not tell you whether the packet was dropped silently or actively refused.
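The Python probe below, added here as an example and not part of the original module, extends the Telnet test by distinguishing the outcomes that Telnet lumps together as "could not open connection": the port is open, the host answers with a reset (it is reachable but nothing listens, so the traffic got through any filter), or nothing comes back within the timeout (the packet was dropped, which is what a block filter should produce). The external address, the expected-state table and the self-test listener are placeholders and constructed scaffolding, not values from the page.

```python
"""TCP port probe that extends the Telnet test described above.

Added example for this module, not part of the original material. Telnet only
reports that it could not connect; this probe separates three outcomes: the
port is open, the host answers with a reset (reachable, nothing listening), or
nothing comes back within the timeout (the packet was dropped, which is what a
block filter should produce). The address and port policy in the usage section
are placeholders.
"""
import socket


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'error' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"              # handshake completed: a listener answered
    except ConnectionRefusedError:
        return "refused"           # RST received: host reachable, port closed
    except socket.timeout:
        return "filtered"          # no SYN-ACK and no RST: silently dropped
    except OSError:
        return "error"             # unreachable network, bad address, and so on
    finally:
        sock.close()


def check_expectations(host, expectations, timeout=3.0):
    """Probe each port in expectations ({port: expected state}) and return the
    list of (port, expected, actual) tuples that do not match."""
    mismatches = []
    for port, expected in sorted(expectations.items()):
        actual = probe_tcp(host, port, timeout)
        if actual != expected:
            mismatches.append((port, expected, actual))
    return mismatches


def self_test():
    """Check the probe against a local listener: first while it is listening,
    then after it has been closed. Returns the two results."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, 2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, 2.0)
    return while_open, after_close


if __name__ == "__main__":
    print("self-test:", self_test())
    # Placeholder external address of the ISA Server computer and an assumed
    # policy: 80 is published, 23 and 135 should be dropped by packet filters.
    ISA_EXTERNAL = "192.0.2.1"
    policy = {80: "open", 23: "filtered", 135: "filtered"}
    for port, expected, actual in check_expectations(ISA_EXTERNAL, policy):
        print(f"port {port}: expected {expected}, got {actual}")
```

A "refused" result on a port you expected to be blocked is the finding to chase: it means the packet reached the ISA Server computer's TCP stack, so the filter did not drop it, even though Telnet would have reported the same failure to connect as for a dropped packet.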

Using Network Monitor

Network Monitor is an optional tool that is included with Microsoft Windows 2000 Server. The limited version of Network Monitor that is included with Windows 2000 Server allows you to capture all unicast network packets that a computer sends and receives. Interpreting this information can help you to diagnose network problems, and it can help you to view the network packets that the ISA Server computer receives and view the responses that it sends.

Microsoft Systems Management Server (SMS) includes the full-featured version of Network Monitor. One of the features of the full version is capturing all of the network packets on a network segment, independent of the sender or the recipient.

Lab A: Monitoring and Reporting

Review

Planning a Monitoring and Reporting Strategy

Monitoring Intrusion Detection

Monitoring ISA Server Activity

Analyzing ISA Server Activity by Using Reports

Monitoring Real-Time Activity

Testing the ISA Server Configuration