Some ISA Firewall Logging Best Practices
ISA firewalls provide comprehensive logging and reporting. Right out of the box, the ISA firewall logs everything moving to and through it, which makes it a key network infrastructure component in your organization's overall compliance plan. When the ISA firewall is correctly deployed, you can log all user activity that traverses it, including the user name, the application, and the destination site the user is visiting. Keep in mind that the user name only appears in the log for connections the ISA firewall authenticated (Web Proxy and Firewall client connections); SecureNAT clients are logged by IP address only.
With the ISA firewall's exceptional logging capabilities in mind, here are a few ISA firewall logging best practices that will help you get the most out of your ISA firewall's logging and reporting feature set:
- If you’re using on-box logging, put the log files on a separate NTFS partition and set the NTFS permissions so that only administrators (and the accounts the ISA firewall's logging runs under) can read them. A separate partition also keeps log growth from filling the system partition
- Always allocate a minimum of 8GB of disk space to the logs. You can set the limit higher, but never lower
- Since logging is a critical part of your network forensics, allow the ISA firewall to fail closed: when it can no longer write to the log, it should stop passing traffic rather than continue without a record. This is the default setting on the ISA firewall, so leave it in place
- Configure log storage limits (maximum total log size, minimum free disk space, and what to do when either is reached) to prevent the disk from becoming full. This applies to file and MSDE logging; it doesn’t apply to SQL logging, where the SQL server manages its own storage
- Network flood attacks can cause the log file to grow very quickly. Once you have determined the nature of the attack, create a rule that matches that traffic and clear the "Log requests matching this rule" option on it, so the flood is blocked without an entry per packet. Keep that rule as specific as possible; a broad no-logging rule creates a blind spot for exactly the traffic you most want a record of
- If you’re using off-box logging, make sure the log server is on a dedicated perimeter network, protected from compromised hosts, and use IPsec to secure the traffic between the ISA firewall and the log server so log entries can’t be read or altered in transit
- If you’re using off-box logging, plan for connectivity. For one to three array members you need at least 100Mbps to the log server; for more than three array members, at least 1Gbps
- Text logging provides better performance than MSDE logging: you will see a 10-20% performance improvement when changing from MSDE to text logging. The trade-off is that MSDE logs can be queried from the ISA firewall's log viewer, while text logs have to be examined with external tools
- MSDE logging uses two disk accesses for every MB of data logged; text logging uses one disk access for every 10 MB of data
- Do not use NTFS disk compression on MSDE log files and directories
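If you go with text logging, you need your own tooling to get at the user name and destination information the ISA firewall records, and to spot the kind of burst traffic that makes a log grow quickly enough to deserve a dedicated no-logging rule. The script below is an added example, not code from the original article or from Microsoft: it parses W3C extended format log lines using the file's own #Fields: directive, summarizes destinations per user (unauthenticated web requests show up under the user name "anonymous"), and flags any source that produces more than a threshold of entries within one second. The sample log lines are constructed for this example, and the field subset in the constructed #Fields: line is an assumption; the parser takes its column names from whatever #Fields: line the real log carries.

```python
"""Summarize W3C extended format firewall log lines: destinations per user
and burst (flood candidate) sources.  Added example; not ISA's own code."""
from collections import Counter, defaultdict

# Constructed sample in W3C extended format.  The field subset below is an
# assumption made for this example; the parser maps columns from whatever
# #Fields: line the real log file carries.
HEADER = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server\n"
    "#Version: 2.0\n"
    "#Fields: c-ip cs-username date time r-host cs-uri sc-status rule\n"
)
NORMAL_LINES = [
    "10.0.0.15 CORP\\alice 2007-03-01 09:00:01 www.example.com http://www.example.com/ 200 Web-Access",
    "10.0.0.15 CORP\\alice 2007-03-01 09:00:05 mail.example.net http://mail.example.net/inbox 200 Web-Access",
    "10.0.0.42 CORP\\bob 2007-03-01 09:00:07 www.example.com http://www.example.com/news 200 Web-Access",
    "10.0.0.42 CORP\\bob 2007-03-01 09:00:07 ads.example.org http://ads.example.org/t 403 Default-Rule",
    "10.0.0.15 CORP\\alice 2007-03-01 09:00:09 www.example.com http://www.example.com/a.css 200 Web-Access",
]
# One unauthenticated host hammering the same destination within a single
# second: the kind of burst that makes a log file grow very quickly.
FLOOD_LINES = [
    "10.0.0.99 anonymous 2007-03-01 09:00:10 www.example.com http://www.example.com/ 12209 Default-Rule"
    for _ in range(60)
]
SAMPLE_LOG = HEADER + "\n".join(NORMAL_LINES + FLOOD_LINES) + "\n"


def parse_w3c(text):
    """Return (records, skipped): one dict per data line keyed by the names in
    the most recent #Fields: directive, plus a count of lines that were skipped
    because they arrived before any #Fields: line or had the wrong column count."""
    fields = None
    records, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        cols = line.split()
        if fields is None or len(cols) != len(fields):
            skipped += 1
            continue
        records.append(dict(zip(fields, cols)))
    return records, skipped


def user_destinations(records):
    """Map each user name to a Counter of destination hosts.  Unauthenticated
    web requests are logged under the user name 'anonymous', so they land
    under that key rather than silently disappearing; '-' means no host."""
    out = defaultdict(Counter)
    for r in records:
        host = r.get("r-host", "-")
        if host != "-":
            out[r.get("cs-username", "-")][host] += 1
    return dict(out)


def flood_sources(records, per_second=20):
    """Return sorted (source ip, 'date time', count) tuples for every source
    that produced at least `per_second` entries within one second.  These are
    the candidates for a specific deny rule with logging turned off."""
    buckets = Counter((r["c-ip"], f"{r['date']} {r['time']}") for r in records)
    return sorted(
        (ip, second, n) for (ip, second), n in buckets.items() if n >= per_second
    )


if __name__ == "__main__":
    recs, bad = parse_w3c(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} skipped")
    for user, hosts in user_destinations(recs).items():
        print(user, dict(hosts))
    for ip, second, n in flood_sources(recs):
        print(f"flood candidate: {ip} made {n} requests at {second}")
```

Run it against a real text log by reading the file into `parse_w3c`; the threshold in `flood_sources` is deliberately a parameter, since what counts as a burst depends on how busy the ISA firewall normally is.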
These are just a few useful tips and tricks. For comprehensive coverage of ISA firewall logging best practices, check out http://www.microsoft.com/technet/prodtechnol/isa/2...s.mspx
Thomas W Shinder, M.D.
MVP -- ISA Firewalls