Some ISA Firewall Logging Best Practices

By /

ISA firewalls provide comprehensive logging and reporting. The ISA firewall, right out of the box, logs everything moving to and through the ISA firewall, which makes the ISA firewall a key network infrastructure component for your organization’s overall compliance plan. When the ISA firewall is correctly deployed, you can log information about all user activity that traverses the ISA firewall and log the user name, application, and destination site name the users are visiting.

With the ISA firewall’s exceptional logging capabilities in mind, here are a few ISA firewall logging best practices that will help you get the most out of your ISA firewalls logging and reporting feature set:

  • If you’re using on-box logging, put the log files on a separate NTFS partition, so that only administrators have access to the logs
  • Always allocate a minimum of 8GB to the logs. You can set it higher, but never lower
  • Since logging is a critical part of your network forensics, allow the ISA firewall to fail closed. This is the default setting on the ISA firewall
  • Configure log storage limits to prevent the disk from becoming full (doesn’t apply to SQL logging)
  • Network flood attacks can cause the log file size to grow very quickly. When the nature of the attack is determined, create a rule for that traffic and then configure that rule to not log requests matching that rule
  • If you’re using off-box logging, make sure the log server is on a dedicated perimeter network, protected from compromised hosts. Use IPSec to secure the traffic between the ISA firewall and the log server
  • If you’re using off-box logging, plan for connectivity. For 1-3 array members, you need at least 100Mbps. If there are more than 3 array members, then you should have at least 1Gbps.
  • Text logging provides better performance than MSDE logging. You will see a 10-20% performance improvement when changing from MSDE to .txt logging
  • MSDE logging uses two disk accesses for every MB of data. Text logging uses one disk access for every 10 MB of data
  • Do not use NTFS disk compression on MSDE log files and directories

These are just a few useful tips and tricks. For comprehensive coverage of ISA firewall logging best practices, check out http://www.microsoft.com/technet/prodtechnol/isa/2…s.mspx

HTH,

Tom

Thomas W Shinder, M.D.

Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/

Book: http://tinyurl.com/3xqb7

MVP — ISA Firewalls

About The Author

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top