ISA Server 2006 as a Kitchen Utensil: Part 2 – Internal Attacks

If you missed the first part in this article series please read ISA Server 2006 as a Kitchen Utensil: Part 1 – External Attacks.

This is the final part of a two part article on how hackers see our firewalls. In this part we’ll see how ISA Server reacts to attacks coming from the internal network, like ARP poisoning, spoofing and man in the middle attacks.

Ok, now I know my external surface. Can I take a break?

Unfortunately, no. 80% of attacks come from the internal network. Usually you will have, at most, a dozen servers published on the Internet, but you can have hundreds of servers in your internal network.

The figure below provides a high level view of the example network used in this article.

Diagram 1: Example Network

Internal networks are a nightmare for security administrators. Internal networks are usually segmented into DMZs but it is common to find users and servers in the same network.

For servers that do not live in DMZs, you can use IPSec or local firewalls, but…. What happens with the DMZs if the hacker is inside?

There are two possibilities in this nightmare; ARP Poisoning with all its variants, and the sniffers.

In internal networks ISA Server administrators can use two elements in order to distinguish the authorized users:

  • The source IP: the IP of a computer is easily replaced. And with ARP techniques it is possible to hijack a network through IP and a MAC. Internet hackers can only see the ports that the firewalls publish to all IPs or their public subnet, but in internal networks, hackers can find all ports that the firewalls publish to internal networks although the hacker does not have the appropriate IP to access them.
  • The user logged in the source computer; using ARP Poisoning and a sniffer, it is easy to sniff passwords. In internal networks the security is less than on the Internet, hundreds of different services are running, in many cases, with old unpatched versions. Basic and clear authentication and services like low encrypted terminal services, proxies or webs make it possible for a hacker to sniff passwords.

For the following tests our ISA will have a rule allowing the traffic from the whole internal network except an IP (internal hacker) to a server in the DMZ (

Figure 1: ISA Server Rule for internal testing

Figure 2: Rule details (1)

Figure 3: Rule details (2)

At this point, if you scan the Web server in DMZ, the results are that all the ports are open or filtered.

Figure 4: Scan results

The only thing that separates us from our objective is our source IP and a password.

What if we use Nmap to send the packets spoofing an IP? What if the IP is from another ISA´s network?

Figure 5: Using NMap to spoof an IP of other segment with the command; “nmap –p 80-90 –e eth0 –S –P0”

Figure 6: ISA detects the spoofed packet and denies the traffic

Figure 7: ISA detects the spoofing attack and creates an event

OK, but what if the packet comes from the correct network?

We can use Nmap to spoof MACs and IPs, but the best tool for this job is IRS from the Cain & Abel developers.

With IRS we can scan a specific target and port, spoofing IPs on the entire subnet. Additionally we can spoof the source MAC.

Figure 8: Using IRS (1)

Figure 9: Using IRS (2), setting the interface

Figure 10: Using IRS(3), setting the target

Figure 11: Using IRS (4), Results

Now you know which addresses can access the resource.

ARP and sniffers provide us with other interesting options.

We could sniff the network searching for passwords. In the real world, security is a relative thing, either everything is secure or nothing is secure. If you have insecure systems and you can’t secure them, isolate them from the rest of your systems. Create another domain for insecure systems and use separate user accounts for the users that need access to them. If your users use the same password to access secure systems and insecure systems, a hacker can use a sniffer and ARP attacks like man-in-the-middle (mitm) to discover user passwords. Software, like Ettercap, can do both, sniff the network using protocol decodes, search for passwords, and also makes it possible for a hacker to do some types of “man-in-the-middle” attacks.

Figure 12: Using Ettercap (1) Sniffing the network

Figure 13: Using Ettercap (2) Protocol and plugins loaded, starting sniffing

Figure 14: Using Ettercap (3) Passwords detected

Figure 15: Using Ettercap (4), Mitm attacks

With these two steps, hackers within internal networks have all the information they need to attack your DMZ services, but… what if a hacker is a really bad man and we have not taken precautions; hackers can avoid the firewall communication with other networks including internet? In our example network the firewall reaches Internet through a router with IP What if a hacker deceives the firewall, communicating a false router´s MAC? Answer: the firewall can´t communicate with the internet; this attack is a D.O.S (Denial Of Service).

Figure 16: Using Nemesis to inject an ARP packet to firewall

Ok, you have seen the bad and the worst, let me show you the good

The first thing you need to know is that the ARP and MITM attacks are very difficult to do on the Internet. The hackers have tools, but the admins do too. To avoid DOS or MITM ARP attacks you must add static ARP entries in your firewall and network devices. You can use the ARP command to add a static ARP entry in your firewall.

Figure 17: Creating a static ARP entry

Network devices can be the best allies to fight spoofing and sniffing. You can make VLANS avoid ARP broadcast, and many network devices have features to make your network more secure. Other tools for administrators are IDS (Intrusion Detection System). IDS use sniffers to analyze network traffic and find malicious patterns. To find these patterns they use rules. Snort is one of the most famous free IDS programs and IDSCenter is a front end for snort. You can configure snort to detect ARP attacks to specified IPs, like firewalls, routers, proxys, etc. Snort also detects port scans, and hundreds of other security related events.

Figure 18: Configure Snort to detect ARP attacks

Also, you can configure Snort to run a script to block the traffic from the hacker IP or send an email when an alert is logged.

Figure 19: Configure snort alert notification

Figure 20: Snort event: ARP Spoof detected

Figure 21: Snort event: Port scan detected

If you install MOM agent in the snort server, you can read the snort alert in the event logs and trigger an alert in the MOM console.

Flood Mitigation

Some of the new features in ISA 2006 are the flood mitigation options. These options allow us to avoid D.O.S attacks, worms, and other risks.

Figure 22: Flood mitigation (1)

Figure 23: Flood mitigation (2)

Figure 24: Flood mitigation (3)

For each potential attack you can define a limit and custom limit. The custom limit only applies to the IP exception list. In this example, we will include the IP of one internal computer in the list of IP exceptions and also define a custom limit of 3 to the concurrent TCP/IP connections.

Figure 25: Flood mitigation (4)

Figure 26: Flood mitigation (5)

Figure 27: Flood mitigation (6)

With these settings the computer with the IP has limited its concurrent connections to 3.

We will use telnet from to create connections and performance monitor in ISA Server to view the concurrent TCP Connection counter.

Figure 28: Flood mitigation (7)

When the computer tries to make fourth concurrent connection, ISA denies the traffic and logs an event.


ISA Server is a great product, has high level security certifications and is “secure by default”. Windows provides us with many security features to help us fight hackers, but the final responsibility of having a secure network is in your hands, your work, and of course your skills.

If you missed the first part in this article series please read ISA Server 2006 as a Kitchen Utensil: Part 1 – External Attacks.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top