Configuring Intrusion Detection in ISA Server
Among the many features of Microsoft's Internet Security and Acceleration (ISA) Server 2000 are basic intrusion detection tools licensed from ISS (Internet Security Systems, http://www.iss.net/isaserver).
The licensed subset of tools includes six IP Packet Filters based on common exploits, four DNS Application Filters and a POP Application filter. Compare these with the roughly 500 attack signatures available from ISS in their add-on product for ISA. Some help is often better than none (especially when it's free), so let's give some attention to the built-in set of intrusion detection mechanisms.
When enabled, ISA identifies attempted attacks against your network and carries out a set of manually configured alert actions in response. To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Suspicious activities trigger alerts. Actions include connection termination, service termination, e-mail alerts, logging, and others.
If intrusion detection is enabled, the firewall administrator can configure the following IP Packet intrusion trigger alerts:
Also available are Domain Name System (DNS) application filters that analyze all incoming traffic for specific intrusions against the corresponding servers. The DNS intrusion detection filters help you intercept and analyze DNS traffic destined for the internal network:
The POP buffer overflow attack intrusion detection filter, when enabled, intercepts and analyzes POP traffic destined for the internal network.
To configure intrusion detection for IP Packet Filters:
o Internet Security and Acceleration Server 2000
o Access Policy
o IP Packet Filters
To configure intrusion detection for DNS and POP Application Filters:
1. In the console tree of ISA Management, click
2. In the right pane, double-click DNS Intrusion Detection Filter.
3. Double-click the POP intrusion detection filter and click the box to enable the filter. Click "OK".