Logging and Reporting in ISA Server 2006
Microsoft ISA Server 2006 provides you with network perimeter protection that enables secure remote access to applications and data while protecting your IT infrastructure from Internet-based threats. With ISA Server 2006 you can securely publish content for remote access, establish secure connections with branch office sites, and defend against both internal and external Web-based threats.
Sitting on the front line of the network perimeter and acting as the authentication gatekeeper for authorized remote access, the ISA Server typically receives a significant amount of network traffic. When it comes to monitoring the performance of ISA Server, assessing network security, or conducting a forensic analysis of ISA Server traffic as a function of incident response, you will need to understand how to work with the logging and reporting features of ISA Server.
Working With ISA Server 2006 Built-In Reports
Thankfully, Microsoft thought of that and built relatively robust logging and reporting capabilities into ISA Server 2006. ISA Server 2006 reports let you view general traffic patterns, see which applications or protocols are used most frequently and which sites are being accessed, identify unauthorized or malicious attempts to access network resources, and more.
ISA Server 2006 Default Logging
ISA Server aggregates data from the Web proxy and firewall logs using Dailysum.exe. The Dailysum.exe program is part of ISA Server and runs by default at 12:30am each day to extract and summarize the log data from those sources. Even if no reports are configured to run, Dailysum.exe will run, unless it is disabled. At the beginning of each month Dailysum.exe also generates a summary of the previous month’s activity. By default, at least 35 daily summaries and 13 monthly summaries are saved. These summaries are stored as *.ILS database files in the ISASummaries folder which can be found within the ISA Server installation folder.
Built-in Report Types
ISA Server 2006 comes with a variety of predefined report types that enable you to quickly and easily review common traffic data and critical security information. The built-in report types are:
- Summary - The Summary report provides a general overview of network traffic sorted by application.
- Web Usage - Illustrates Web usage on the network by displaying data regarding frequent Web users, browsers being used, and sites being visited.
- Application Usage - Provides details on Internet application usage including top users, and most used applications.
- Traffic and Utilization - Displays overall Internet usage including average network traffic, peak connections, cache hit ratios, and more.
- Security - Lists unauthorized access attempts and other potential efforts to breach network security.
Filtering Results and Creating Custom Reports
With these reports as a base, ISA Server 2006 allows you to customize or filter the results using the following criteria:
- Top protocols - Displays the selected number of protocols used most often during the report timeframe
- Top Users - Displays the selected number of users who used the network the most, or generated the most traffic during the report timeframe
- Top Sites - Shows the selected number of top sites visited by users during the report timeframe
- Cache hit ratio - This criterion displays the ratio between the total number of Web requests and the number that were served locally from the cache
- Object types - Shows only the specified number of most frequently requested object types
- Browsers - Report shows the specified number of most-used Web browsers
- Operating systems - Displays the specified number of most-used client operating systems
- Destinations - Filters the results to display a specified number of most frequently visited Internet destinations
- Client applications - Limits the report to display the specified number of client applications generating the most network traffic
- Dropped packets - Displays the specified number of clients that have had the highest number of dropped packets during the report timeframe
- Authorization failures - Shows the specified number of clients causing the most failed authorization requests during the reporting period
You use the ISARepGen.exe application, installed by default with ISA Server, to generate one-time or recurring reports. You can create a one-time report using the New Report Wizard; by definition, a one-time report runs only once, when you complete the wizard. Follow these steps to generate a one-time report:
Click the Reports tab on the Monitoring node
Select the Tasks tab
Click Generate a New Report
You can also configure recurring reports to be generated on a predefined periodic basis such as daily, weekly, or monthly. To create a new recurring report you have to run the New Report Job Wizard and specify the criteria to define what content the report should cover and the frequency that the report should be generated. Follow these steps to create a recurring report:
Click the Reports tab on the Monitoring node
Select the Tasks tab
Click Create and Configure Report Jobs
Whether you are creating a one-time or recurring report, you will need to supply information to the wizard such as the name of the report, the content that should be included within the report, the reporting timeframe or frequency schedule (depending on whether it is a one-time or recurring report), the directory the report should be published to and any access credentials necessary for ISA Server to write to that directory, and whether or not an email notification should be generated when the report is created and any SMTP or email address information necessary to facilitate that notification.
Extracting Per-User Details from ISA Logs
Log data can be written to a text file; however, even in small and medium-sized business environments the text file can quickly grow to a cumbersome size. The better logging options are to use a SQL Server database or SQL Server's scaled-down cousin, MSDE. There are some security and performance advantages to using an external SQL Server for maintaining log data, but SQL Server requires separate licensing. MSDE provides many of the same features as SQL Server, but in a less robust database that runs locally on the ISA Server.
Regardless of whether you store log data in MSDE or SQL Server, you can use SQL queries to extract information. SQL queries enable you to filter log data on a very granular level and export data to Excel spreadsheets where it can be easier to work with and manipulate it.
For example, assume that while reviewing a standard daily ISA Server 2006 Security report you notice an inordinate number of failed authorization attempts by one specific user account, MaryN. The user in question is out on maternity leave and the Failed Access events appear to indicate an attempt to compromise the user account and breach the network. What you would want to do is to review data which is specific to this user account over the past week and try to determine the scope of the problem and at what point the issue began.
When filtering the log data, you need to specify the criteria that you want to filter, the conditional argument to apply, and the value. In our example you might filter on the following:
Filter by: ‘Client Username’
Condition: ‘equal to’
Value: ‘MaryN’
In order to investigate the anomalous failed authorizations, you want to examine log data for the past week for MaryN. So, you would also want to narrow the results using:
Filter by: ‘GMT Log Time’
Condition: ‘On or After’
Value: enter the calendar date one week prior to today, so that only log entries from that point onward are displayed
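As an added example (not from the article or from Microsoft), the following T-SQL applies those two filters directly to the log database on SQL Server or MSDE and summarizes the matching rows so you can see the scope of the activity and when it began. It assumes a log table named WebProxyLog with the columns ClientUserName, GmtLogTime, ClientIP, DestHost and resultcode, and that HTTP result codes 401 and 407 represent a failed authorization; check those names against your own log database before running it.

```sql
-- Added example, not part of the original article.
-- ASSUMED schema: table WebProxyLog with columns ClientUserName, GmtLogTime,
-- ClientIP, DestHost and resultcode. ASSUMED: result codes 401/407 mean a
-- failed authorization. If ISA logs domain-qualified names, replace
-- ClientUserName = 'MaryN' with ClientUserName LIKE '%\MaryN'.

-- 1. Failures per day for the account over the past week. This is the
--    'Client Username' equal to 'MaryN' filter plus the 'GMT Log Time'
--    'On or After' filter, with a daily count to show scope and start date.
SELECT CONVERT(char(10), GmtLogTime, 120) AS LogDay,      -- yyyy-mm-dd
       COUNT(*)                           AS FailedAttempts,
       MIN(GmtLogTime)                    AS FirstFailure,
       COUNT(DISTINCT ClientIP)           AS SourceAddresses
FROM   WebProxyLog
WHERE  ClientUserName = 'MaryN'
  AND  GmtLogTime >= DATEADD(day, -7, GETUTCDATE())       -- last 7 days, GMT
  AND  resultcode IN (401, 407)
GROUP  BY CONVERT(char(10), GmtLogTime, 120)
ORDER  BY LogDay;

-- 2. Where the attempts came from and what they targeted. A user on leave
--    should not be generating any requests, so every row here is worth
--    reviewing; sort by volume so the noisiest source appears first.
SELECT ClientIP,
       DestHost,
       COUNT(*)        AS Attempts,
       MIN(GmtLogTime) AS FirstSeen,
       MAX(GmtLogTime) AS LastSeen
FROM   WebProxyLog
WHERE  ClientUserName = 'MaryN'
  AND  GmtLogTime >= DATEADD(day, -7, GETUTCDATE())
  AND  resultcode IN (401, 407)
GROUP  BY ClientIP, DestHost
ORDER  BY Attempts DESC;
```

The result sets can be copied into Excel for further filtering, as the text describes; the FirstFailure and FirstSeen columns are the quickest way to pin down when the activity started.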
Protecting the Network With ISA Server 2006
Third party tools such as GFI WebMonitor for ISA Server provide even more detailed and valuable reports to help you administer access to your network and protect your users and network from malicious activity. In addition to the expanded reporting capabilities, GFI WebMonitor for ISA Server also extends the security and traffic-filtering functionality of ISA Server 2006. GFI WebMonitor for ISA Server enables you to enforce Internet acceptable use policies with ISA Server 2006, filter web content based on categories, prevent data leakage by filtering outbound files, and protect against malware compromise by scanning inbound traffic.
ISA Server 2006 is a powerful and effective tool for your network perimeter. It enables remote users to connect to internal resources securely while protecting the internal network from unauthorized access. To be effective though, you need to have procedures in place for when and how to review log and report data, and how to respond when malicious or anomalous activity is detected. Third-party tools can extend the functionality of ISA Server 2006 itself, as well as helping to automate and simplify management of network security, providing more robust and effective reporting.