Configuring Intrusion Detection in ISA Server








Among the many features of Microsoft’s Internet Security and Acceleration (ISA) Server 2000 are basic intrusion detection tools licensed from ISS (Internet Security Systems- http://www.iss.net/isaserver). 


The licensed subset of tools includes six IP Packet Filters based on common exploits, four DNS Application Filters and a POP Application filter. Compare these with the roughly 500 attack signatures available from ISS in their add-on product for ISA.

Some help is often better than none (especially when its free) so lets give some attention to the built-in set of Intrusion Detection mechanisms.  When enabled, ISA will identify when an attack is attempted against your network and performs a set of manually configured alerts in case of an attack. To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Suspicious activities trigger alerts. Actions include connection termination, service termination, e-mail alerts, logging, and others.

If intrusion detection is enabled, the firewall administrator can configure the following IP Packet intrusion trigger alerts:






  • Windows out-of-band (WinNuke)




  • Land




  • Ping of death




  • IP half scan




  • UDP bomb




  • Port scan




Also available are Domain Name System (DNS) application filters that analyze all incoming traffic for specific intrusions against the corresponding servers. The DNS intrusion detection filters helps you to intercept and analyze DNS traffic destined for the internal network:






  • DNS Hostname Length Overflow




  • DNS Length Field Overflow




  • DNS Zone Transfer from Privileged TCP/IP Ports (1-1024)




  • DNS Zone Transfer from High TCP/IP Ports (above 1024)




 


The POP buffer overflow attack intrusion detection filter, when enabled, intercepts and analyzes POP traffic destined for the internal network.




To configure intrusion detection for IP Packet Filters — 



  1. In the console tree of ISA Management, click

o        Internet Security and Acceleration Server 2000


o        Arrays


o       


o        Access Policy


o        IP Packet Filters



 



  1. IN the right-side pane click Configure Packet Filtering and Intrusion Detection.
  2. On the General tab, click Enable packet filtering and Enable intrusion detection.


 



  1. On the Intrusion detection tab, click which of the following types of attacks should generate events:

    • Windows out-of-band (WinNuke)
    • Land
    • Ping of death
    • IP half scan
    • UDP bomb
    • Port scan

  2. If you select Port scan, then do the following:

    • In Detect after attacks on, type the maximum number of well-known ports that can be scanned before generating an event.
    • In Detect after attacks on, type the total number of ports that can be scanned before generating an alert.



  1. Click “OK” to save changes.
  2. A dialog screen will appear asking if you want to save the changes and give you the choice of restarting the Services immediately or later. Click on your choice and click “OK”.


To configure intrusion detection for DNS and POP Application Filters –


1. In the console tree of ISA Management, click






  • Internet Security and Acceleration Server 2000




  • Arrays








  • Extensions




  • Application Filters





2. In the right pane, double-click DNS Intrusion Detection Filter






  • Click on Enable on the general tab









  •        Click on the filters you wish to enable and click “OK”


 


 


3. Double-click the POP intrusion detection filter and click the box to enable the filter.  Click “OK”.


 

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top