Module 8: Monitoring and Reporting

Presentation on theme: "Module 8: Monitoring and Reporting"— Presentation transcript:

1 Module 8: Monitoring and Reporting

2 Overview
Planning a Monitoring and Reporting Strategy
Monitoring Intrusion Detection
Monitoring ISA Server Activity
Analyzing ISA Server Activity by Using Reports
Monitoring Real-Time Activity
Testing the ISA Server Configuration

3 Planning a Monitoring and Reporting Strategy
Categorize the information that you need to collect
Determine what information is most critical
Document your strategy
Create a strategy for how to respond to critical events
Create a schedule for regular review of logs
Design a plan for archiving logs

4 Monitoring Intrusion Detection
IP Packet-Level Attacks
Application-Level Attacks
Configuring Intrusion Detection
ISA Server Events
Configuring Alerts
Configuring Advanced Alert Properties

5 IP Packet-Level Attacks
All Ports Scan Attack
IP Half Scan Attack
Land Attack
Ping of Death Attack
UDP Bomb Attack
Windows Out-of-Band Attack

6 Application-Level Attacks
DNS Hostname Overflow
DNS Length Overflow
DNS Zone Transfer from Privileged Ports (1-1024)
DNS Zone Transfer from High Ports (Above 1024)
POP Buffer Overflow

7 Configuring Intrusion Detection
Slide callout: Select the options that are required to implement your monitoring strategy.

IP Packet Filters Properties dialog (tabs: General, Packet Filters, Intrusion Detection, PPTP), Intrusion Detection tab:
Enable detection of the selected attacks:
  Windows out-of-band (WinNuke)
  Land
  Ping of death
  IP half scan
  UDP bomb
  Port scan: Detect after attacks on 10 well-known ports / Detect after attacks on 20 ports
To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder.
Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA

DNS intrusion detection filter Properties dialog (tabs: General, Attacks), Attacks tab:
Filter incoming traffic for the following:
  DNS host name overflow
  DNS length overflow
  DNS zone transfer from privileged ports (1-1024)
  DNS zone transfer from high ports (above 1024)

8 ISA Server Alert Events
ISA Management console tree: Internet Security and Acceleration Server > Servers and Arrays > LONDON > Monitoring; Computer; Access Policy (Site and Content Rules, Protocol Rules, IP Packet Filters); Publishing; Bandwidth Rules; Policy Elements; Cache Configuration; Monitoring Configuration (Alerts, Logs, Report Jobs); Extensions (Application Filters, Web Filters); Network Configuration; Client Configuration; H.323 Gatekeepers

Alerts list (all entries shown are for server PHOENIX; descriptions are truncated as on the slide):
Name | Description | Event
Alert action failure | The action associated with this alert fa… | Alert action failure
Cache container initialization error | The cache container initialization faile… | Cache container initialization
Cache container recovery complete | Recovery of a single cache container… | Cache container recovery…
Cache file resize failure | The operation to reduce the size of the… | Cache file resize failure
Cache initialization failure | The Web cache proxy was disabled to… | Cache initialization failure
Cache restoration completed | The cache content restoration was co… | Cache restoration completed
Cache write error | There was a failure in writing content… | Cache write error
Cached object discarded | During cache recovery, an object with… | Cache object discarded
Component load failure | Failed to load an extension component… | Component load failure
Configuration error | An error occurred while reading config… | Configuration error
Dial-on-demand failure | Failed to create a dial-on-demand con… | Dial-on-demand failure
DNS intrusion | A host name overflow, length overflow… | DNS intrusion
Event log failure | An attempt to log the event informatio… | Event log failure
Firewall communication failure | There is a failure in communication bet… | Client/server communica…
Intrusion detected | An intrusion was attempted by an exte… | Intrusion detected
Invalid dial-on-demand credentials | Dial-on-demand credentials are invalid | Invalid dial-on-demand cr…
Invalid ODBC log credentials | The specified user name or password… | Invalid ODBC log credent…
IP packet dropped | IP packet was dropped according to s… | IP packet dropped
IP Protocol violation | A packet with invalid IP options was d… | IP Protocol violation
IP spoofing | The IP packet source address is not v… | IP spoofing
Log failure | One of the service logs failed | Log failure
Missing installation component | A component that was configured for t… | Missing installation comp…
Network configuration changed | A network configuration change that a… | Network configuration ch…
No available ports | Failed to create a network socket bec… | No available ports
OS component conflict | There is a conflict with one of the oper… | Operating system comp…
Oversized UDP packet | ISA Server dropped a UDP packet be… | Oversize UDP packet
POP intrusion | POP buffer overflow detected | POP intrusion
Report Summary Generation Failure | An error occurred while generating a r… | Report Summary Gener…

Intrusion detected Properties dialog (tabs: General, Events, Actions), General tab:
Name: Intrusion detected
Description (optional): An external user attempted an intrusion atta…
Enable (check box)

9 Configuring Alerts
Intrusion detected Properties dialog (tabs: General, Events, Actions)

Events tab:
Event: Intrusion detected
Description: An intrusion was attempted by an external…
Additional condition: Any intrusion
Actions will be executed when the selected conditions occur:
  Number of occurrences before the alert is issued: 1
  Number of events per second before the alert is issued: 0
Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than [ ] minutes

Actions tab:
Send e-mail: SMTP server: europe.london.msft; To:; Cc:; From:; Test
Program: Run this program: [Browse…]; Use this account: ISA Administrator [Set Account…]
Report to Windows 2000 event log
Stop selected services [Select…]
Start selected services [Select…]

10 Configuring Advanced Alert Properties
Slide callout: Choose options to customize alert action for the event.

Intrusion detected Properties dialog (tabs: General, Events, Actions), Events tab:
Event: Intrusion detected
Description: An intrusion was attempted by an external…
Additional condition: Any intrusion
Actions will be executed when the selected conditions occur:
  Number of occurrences before the alert is issued: 1
  Number of events per second before the alert is issued: 0
Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than [ ] minutes
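The three alert controls on slides 9 and 10 (occurrence threshold, events-per-second threshold, recurrence policy) interact in ways the field labels alone do not show. The model below is an added example, not ISA Server code; it assumes the semantics a defender would expect from those labels (the threshold counts matching events since the alert last fired, the rate test looks at events in the last second, and the recurrence setting gates repeat notifications).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed model of the controls on the "Intrusion detected Properties" slide:
# occurrence threshold, events-per-second threshold and recurrence policy.
# ISA Server's exact semantics are not on the page; this is illustrative only.
IMMEDIATELY, AFTER_MANUAL_RESET, AFTER_MINUTES = "immediately", "manual_reset", "minutes"

@dataclass
class AlertPolicy:
    occurrences: int = 1        # "Number of occurrences before the alert is issued"
    events_per_second: int = 0  # "Number of events per second before ..."; 0 disables the rate test
    recurrence: str = IMMEDIATELY
    minutes: int = 0            # "If time since last execution is more than ... minutes"

@dataclass
class AlertState:
    policy: AlertPolicy
    count: int = 0                                      # matching events since the alert last fired
    recent: List[float] = field(default_factory=list)   # event timestamps within the last second
    last_issued: Optional[float] = None
    needs_reset: bool = False

    def reset(self) -> None:
        """Manual reset of the alert (Alerts folder): arm it again."""
        self.needs_reset, self.count = False, 0

    def _recurrence_allows(self, ts: float) -> bool:
        p = self.policy
        if self.last_issued is None or p.recurrence == IMMEDIATELY:
            return True
        if p.recurrence == AFTER_MANUAL_RESET:
            return not self.needs_reset
        return ts - self.last_issued >= p.minutes * 60

    def event(self, ts: float) -> bool:
        """Record one matching event at time ts (seconds); True if the alert fires."""
        p = self.policy
        self.count += 1
        self.recent = [t for t in self.recent if ts - t < 1.0] + [ts]
        if self.count < p.occurrences:
            return False
        if p.events_per_second > 0 and len(self.recent) < p.events_per_second:
            return False
        if not self._recurrence_allows(ts):
            return False
        self.last_issued, self.count = ts, 0
        self.needs_reset = p.recurrence == AFTER_MANUAL_RESET
        return True
```

With occurrences=1, events_per_second=0 and Immediately (the slide's values) every matching event fires the actions; raising the threshold or choosing a recurrence interval is how the e-mail and service-restart actions on the Actions tab are kept from flooding.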

11 Monitoring ISA Server Activity
Configuring Logging
Logging Packet Filter Activity

12 Configuring Logging
Slide callout: Click File to save logs to a file by using the W3C format or ISA format. Click Database to save logs to an ODBC database.

Firewall service Properties dialog (tabs: Log, Fields), Log tab:
Enable logging for this service
Log storage format:
  File: Format: W3C extended log file format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; [Options…]
  Database: ODBC data source (DSN): db1; Table name: Table1; Use this account: [Set Account…]

13 Logging Packet Filter Activity
Slide callout: Use this page to configure packet filter properties.

IP Packet Filters Properties dialog (tabs: General, Events, Intrusion Detection, PPTP), General tab:
Enable filtering of IP fragments
Enable filtering IP options
Log packets from 'Allow' filters (select to log allowed packets)

DNS Block Properties dialog (tabs: General, Filter Type, Local Computer, Remote Computer), General tab:
Name: DNS Block
Mode: Block packet transmission between specified IP addresses, ports, and protocols
Description (optional):
Log any packets matching this filter (clear to prevent logging blocked packets)
Enable this filter

14 Analyzing ISA Server Activity by Using Reports
Configuring Log Summaries
Creating Report Jobs
Using Predefined Report Formats
Viewing and Saving Reports

15 Creating Report Jobs
Report job wizard flow: Start > Name the Report > Specify the Duration > Specify When to Generate > Specify the Rate of Recurrence > Specify User Credentials > Finish

16 Configuring Log Summaries
Slide callout: Choose the number of daily and monthly summaries.

Report Jobs Properties dialog (tabs: General, Log Summaries), Log Summaries tab:
Enable daily and monthly summaries
Location of saved summaries: ISASummaries folder (in the ISA Server installation folder) / Directory: [Browse…]
Number of summaries saved:
  Daily summaries: 35
  Monthly summaries: 13

17 Viewing and Saving Reports
Viewing Reports
Saving Reports
  Saving reports as Web pages
  Saving reports as Excel workbooks

18 Using Predefined Report Formats

19 Monitoring Real-Time Activity
Viewing and Disconnecting ISA Server Sessions
Using Performance Objects
Monitoring H.323 Gatekeeper Sessions

20 Viewing and Disconnecting ISA Server Sessions
Viewing Sessions
Disconnecting Sessions

21 Using Performance Objects
ISA Server Bandwidth Control
ISA Server Cache
ISA Server Firewall Service
ISA Server Packet Filter
ISA Server Web Proxy Service

22 Monitoring H.323 Gatekeeper Sessions
Viewing H.323 Gatekeeper Clients
Viewing Active H.323 Sessions

23 Testing the ISA Server Configuration
Using Third-Party Tools
Using Telnet
Using Network Monitor

24 Lab A: Monitoring and Reporting

25 Review
Planning a Monitoring and Reporting Strategy
Monitoring Intrusion Detection
Monitoring ISA Server Activity
Analyzing ISA Server Activity by Using Reports
Monitoring Real-Time Activity
Testing the ISA Server Configuration
