Module 8: Monitoring and Reporting

Overview
* Planning a Monitoring and Reporting Strategy
* Monitoring Intrusion Detection
* Monitoring ISA Server Activity
* Analyzing ISA Server Activity by Using Reports
* Monitoring Real-Time Activity
* Testing the ISA Server Configuration

Planning a Monitoring and Reporting Strategy
* Categorize the information that you need to collect
* Determine what information is most critical
* Document your strategy
* Create a strategy for how to respond to critical events
* Create a schedule for regular review of logs
* Design a plan for archiving logs

Monitoring Intrusion Detection
* IP Packet-Level Attacks
* Application-Level Attacks
* Configuring Intrusion Detection
* ISA Server Events
* Configuring Alerts
* Configuring Advanced Alert Properties

IP Packet-Level Attacks
* All Ports Scan Attack
* IP Half Scan Attack
* Land Attack
* Ping of Death Attack
* UDP Bomb Attack
* Windows Out-of-Band Attack

Application-Level Attacks
* DNS Hostname Overflow
* DNS Length Overflow
* DNS Zone Transfer from Privileged Ports (1-1024)
* DNS Zone Transfer from High Ports (Above 1024)
* POP Buffer Overflow

Configuring Intrusion Detection
[Screenshots: IP Packet Filters Properties dialog (General, Packet Filters, Intrusion Detection, PPTP tabs) and DNS intrusion detection filter Properties dialog (General, Attacks tabs)]
Select the options that are required to implement your monitoring strategy.
* IP Packet Filters Properties, Intrusion Detection tab: "Enable detection of the selected attacks": Windows out-of-band (WinNuke), Land, Ping of death, IP half scan, UDP bomb, Port scan (Detect after attacks on 10 well-known ports; Detect after attacks on 20 ports).
* DNS intrusion detection filter Properties, Attacks tab: "Filter incoming traffic for the following": DNS host name overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024), DNS zone transfer from high ports (above 1024).
* To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder.
* Intrusion detection functionality is based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net.

ISA Server Events
[Screenshot: ISA Management console, Monitoring Configuration > Alerts folder, listing the predefined alerts with Name, Description, Event and Server columns; descriptions are truncated on the page]
* Alert action failure: The action associated with this alert fa…
* Cache container initialization error: The cache container initialization faile…
* Cache container recovery complete: Recovery of a single cache container…
* Cache file resize failure: The operation to reduce the size of the…
* Cache initialization failure: The Web cache proxy was disabled to…
* Cache restoration completed: The cache content restoration was co…
* Cache write error: There was a failure in writing content…
* Cached object discarded: During cache recovery, an object with…
* Component load failure: Failed to load an extension component…
* Configuration error: An error occurred while reading config…
* Dial-on-demand failure: Failed to create a dial-on-demand con…
* DNS intrusion: A host name overflow, length overflow…
* Event log failure: An attempt to log the event informatio…
* Firewall communication failure: There is a failure in communication bet…
* Intrusion detected: An intrusion was attempted by an exte…
* Invalid dial-on-demand credentials: Dial-on-demand credentials are invalid
* Invalid ODBC log credentials: The specified user name or password…
* IP packet dropped: IP packet was dropped according to s…
* IP Protocol violation: A packet with invalid IP options was d…
* IP spoofing: The IP packet source address is not v…
* Log failure: One of the service logs failed
* Missing installation component: A component that was configured for t…
* Network configuration changed: A network configuration change that a…
* No available ports: Failed to create a network socket bec…
* OS component conflict: There is a conflict with one of the oper…
* Oversized UDP packet: ISA Server dropped a UDP packet be…
* POP intrusion: POP buffer overflow detected
* Report Summary Generation Failure: An error occurred while generating a r…

Configuring Alerts
[Screenshots: Intrusion detected Properties dialog, General, Events and Actions tabs]
* General tab: Name: Intrusion detected; Description (optional); Enable.
* Events tab: Event: Intrusion detected; Description: An intrusion was attempted by an external user; Additional condition: Any intrusion. Actions will be executed when the selected conditions occur: Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than [n] minutes.
* Actions tab: Send e-mail (SMTP server: europe.london.msft; To, Cc and From fields; Test button); Program: Run this program (Browse…), Use this account (Set Account…, for example ISA Administrator); Report to Windows 2000 event log; Stop selected services (Select…); Start selected services (Select…).

Configuring Advanced Alert Properties
[Screenshot: Intrusion detected Properties dialog, Events tab]
Choose options to customize the alert action for the event:
* Number of occurrences before the alert is issued: 1
* Number of events per second before the alert is issued: 0
* Recurring actions are performed: Immediately; After manual reset of alert; If time since last execution is more than [n] minutes

Monitoring ISA Server Activity
* Configuring Logging
* Logging Packet Filter Activity

Configuring Logging
[Screenshot: Firewall service Properties dialog, Log tab]
* Click File to save logs to a file by using the W3C format or ISA format.
* Click Database to save logs to an ODBC database.
* Log storage format, File: Format: W3C extended log file format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; Options…
* Log storage format, Database: ODBC data source (DSN): db1; Table name: Table1; Use this account: Set Account…
* Enable logging for this service

Logging Packet Filter Activity
[Screenshots: IP Packet Filters Properties dialog, General tab; DNS Block Properties dialog, General tab]
Use this page to configure packet filter properties.
* IP Packet Filters Properties, General tab: Enable filtering of IP fragments; Enable filtering IP options; Log packets from 'Allow' filters (select to log allowed packets).
* DNS Block Properties, General tab: Name: DNS Block; Mode: Block packet transmission between specified IP addresses, ports, and protocols; Description (optional); Log any packets matching this filter (clear to prevent logging blocked packets); Enable this filter.

Analyzing ISA Server Activity by Using Reports
* Configuring Log Summaries
* Creating Report Jobs
* Using Predefined Report Formats
* Viewing and Saving Reports

Configuring Log Summaries
[Screenshot: Report Jobs Properties dialog, Log Summaries tab]
* Enable daily and monthly summaries
* Location of saved summaries: ISASummaries folder (in the ISA Server installation folder), or a directory chosen with Browse…
* Number of summaries saved (choose the number of daily and monthly summaries): Daily summaries: 35; Monthly summaries: 13

Creating Report Jobs (wizard steps)
Start -> Name the Report -> Specify the Duration -> Specify When to Generate -> Specify the Rate of Recurrence -> Specify User Credentials -> Finish

Using Predefined Report Formats

Viewing and Saving Reports
* Viewing Reports
* Saving Reports: saving reports as Web pages; saving reports as Excel workbooks

Monitoring Real-Time Activity
* Viewing and Disconnecting ISA Server Sessions
* Using Performance Objects
* Monitoring H.323 Gatekeeper Sessions

Viewing and Disconnecting ISA Server Sessions
* Viewing Sessions
* Disconnecting Sessions

Using Performance Objects
* ISA Server Bandwidth Control
* ISA Server Cache
* ISA Server Firewall Service
* ISA Server Packet Filter
* ISA Server Web Proxy Service

Monitoring H.323 Gatekeeper Sessions
* Viewing H.323 Gatekeeper Clients
* Viewing Active H.323 Sessions

Testing the ISA Server Configuration
* Using Third-Party Tools
* Using Telnet
* Using Network Monitor

Lab A: Monitoring and Reporting

Review
* Planning a Monitoring and Reporting Strategy
* Monitoring Intrusion Detection
* Monitoring ISA Server Activity
* Analyzing ISA Server Activity by Using Reports
* Monitoring Real-Time Activity
* Testing the ISA Server Configuration
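As an added example that is not part of this module or of ISA Server's own code, the following Python script applies the two port-scan thresholds from the Intrusion Detection tab ("Detect after attacks on 10 well-known ports", "Detect after attacks on 20 ports") to constructed firewall log records, the kind of check a log reviewer could run over a daily log file. The log line layout, the reading of "well-known" as ports 1-1024, and all addresses are assumptions made for the example.

```python
# Constructed example, not ISA Server code: flags a source as a port scanner
# once its blocked probes reach the page's thresholds ("10 well-known ports"
# or "20 ports"). Assumption: "well-known" means destination ports 1-1024.
from collections import defaultdict

WELL_KNOWN_MAX = 1024        # assumed well-known range, per the page's 1-1024
WELL_KNOWN_THRESHOLD = 10    # "Detect after attacks on 10 well-known ports"
ANY_PORT_THRESHOLD = 20      # "Detect after attacks on 20 ports"

def parse_line(line):
    """Constructed layout (not the real ISA W3C schema):
    '<date> <time> <src-ip> <dst-ip> <dst-port> <action>'."""
    _date, _time, src, dst, port, action = line.split()
    return {"src": src, "dst": dst, "port": int(port), "action": action}

def detect_port_scans(lines):
    """Return {src_ip: reason} for each source that crossed a threshold.
    Only DROP records count: many blocked probes from one source is the
    scan signature, while allowed traffic to many ports is ordinary use."""
    ports_by_src = defaultdict(set)
    hits = {}
    for rec in map(parse_line, lines):
        if rec["action"] != "DROP":
            continue
        seen = ports_by_src[rec["src"]]
        seen.add(rec["port"])
        if rec["src"] in hits:           # report each scanner once
            continue
        well_known = sum(1 for p in seen if 1 <= p <= WELL_KNOWN_MAX)
        if well_known >= WELL_KNOWN_THRESHOLD:
            hits[rec["src"]] = "10 well-known ports"
        elif len(seen) >= ANY_PORT_THRESHOLD:
            hits[rec["src"]] = "20 ports"
    return hits

# Constructed sample log: one scanner sweeping ten well-known ports, one
# sweeping twenty high ports, and one legitimate client hitting two ports.
SAMPLE_LOG = (
    [f"2024-01-05 10:00:{i:02d} 192.0.2.10 10.0.0.1 {p} DROP"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443])]
    + [f"2024-01-05 10:05:{i:02d} 198.51.100.7 10.0.0.1 {1025 + i} DROP"
       for i in range(20)]
    + ["2024-01-05 10:07:00 203.0.113.5 10.0.0.1 80 ALLOW",
       "2024-01-05 10:07:01 203.0.113.5 10.0.0.1 443 ALLOW"]
)

if __name__ == "__main__":
    for src, reason in detect_port_scans(SAMPLE_LOG).items():
        print(f"Port scan from {src}: {reason}")
```

In practice the same counters would be keyed per day, matching the daily log rotation (FWSEXTDyyyymmdd.log) shown in the Configuring Logging section.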