Networks are under constant attack from Internet intruders. Hackers can use a variety of methods to compromise the security of your firewall. Internet based attackers have the advantage of being able to work on a planned attack against your network over days, weeks or months. During that interval, Internet attackers leave a trail of evidence that can be used to prevent a successful attack and successfully prosecute the attacker. Firewalls need to detect and prevent both network and application layer attacks, such as those based on IP packet fragmenting and DNS protocol exploits. ISA Server 2000 firewalls come with a collection of network and application layer intrusion detection filters that can detect and block common attacks. These intrusion detection filters can also be configured to log the attacks in the firewall’s Event log and send a message to the security administrator.

In this document we will discuss each of these issues and how ISA Server 2000 solves them. This document also includes step by step examples on how to configure the ISA Server 2000 firewall to detect common attacks and report them, how to configure the packet filter logs and finally, how to create a packet filter to allow selective reporting for blocked packets.

The Problem: Detecting and Blocking Attacks Against the ISA Server 2000 Firewall

Firewalls are under constant attack from Internet intruders. The firewall at the edge of the network is the first to receive attack packets from Internet based attackers. These attacks continue around the clock because of the worldwide and “always-on” availability of corporate Internet connections.

Internet intruders are using increasingly complex and effective methods to attack the front-end firewall and gain access to corporate network resources. The Internet-based attackers typically have the advantage of time; they can continue to test your firewall defenses around the clock until they find an effective method to overcome firewall functionality.

Attackers often spend days, weeks or months reconnoitering your firewall security infrastructure before they are able to mount a successful attack. The Internet intruder typically tries a variety of techniques before finding the one that compromises firewall protection. If you can find a method of detecting the attacker’s early attempts at defeating your defenses, then you can take proactive countermeasures and report the attacker’s activities to the proper law enforcement authorities.

The firewall needs to be able to detect application and network layer attacks. There are a number of network layer attack, such as those based on fragmented IP packets and IP Options that allow the attacker to change the routing behavior on the firewall.

Traditional packet filtering firewalls can detect network layer attacks but are unable to effectively detect application layer attacks because the packet filtering firewall does not understand the application layer protocols. Application layer aware firewalls have the ability to detect an application layer attack and report their findings.

The Solution: ISA Server 2000 Intrusion Detection, Fragment Filtering, Options Filtering and Packet Filter Logging

ISA Server 2000 firewalls provide powerful solutions to each of these problems. The ISA Server 2000 firewall is able to detect application layer and network layer intrusions, detect and block IP fragment and IP Options based attacks, log all packets moving through the ISA Server 2000 firewall and alert you to attack conditions so that you can respond in real time.

All of these goals are met by the following ISA Server 2000 firewall features:

ISA Server 2000 intrusion detection filters
IP fragment filtering
Options filtering
Packet filter logging

ISA Server 2000 Intrusion Detection

The built-in intrusion detection system used by ISA Server 2000 detects two general types of attacks:

Application layer intrusion detection filters
Network layer intrusion detection filters

Application layer attacks take advantage of potential flaws in the server service that is being attacked. For example, an attacker may use a buffer overflow attack in the application layer commands for the SMTP or DNS service. Detection and prevention of application layer attacks requires that the firewall have an understanding of the application layer protocols.

Network layer attacks are aimed at lower levels of the TCP/IP protocol “stack”. Examples of network layer attacks include the ping of death attack and the IP half scan. The goal of network layer attacks is to disable the networking capabilities of the firewall or server being attacked. This creates a denial of service condition by removing the server from the network, either because the networking component of the server no longer functions, or because the entire operating system is disabled.

Application Layer Intrusion Detection Filters

ISA Server 2000 has two built-in application layer intrusion detection filters:

The DNS intrusion detection application layer filter
The POP intrusion detection application layer filter

DNS intrusion detection application layer filter

The DNS intrusion detection filter works together with DNS Server Publishing rules. The filter intercepts and analyzes all inbound DNS traffic destined for the internal network. You can configure the filter to check for the following intrusion attempts:

DNS hostname overflow
DNS length overflow
DNS zone transfer from privileged ports (1–1024)
DNS zone transfer from high ports (above 1024)

DNS hostname overflow

A DNS hostname overflow occurs when a DNS response for a host name exceeds a certain fixed length. Applications that do not check the length of the host names may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.

DNS length overflow

DNS responses for IP addresses contain a length field, which should be four bytes. By formatting a DNS response with a larger value, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer.

DNS zone transfer from privileged ports (1–1024)

A DNS zone transfer from privileged ports (1–1024) occurs when a client system uses a DNS client application to transfer zones from an internal DNS server. The source port number is a privileged port number (between 1 and 1024), indicating a client process. A zone transfer is not necessarily an attack. For example, external DNS servers in your perimeter network may need to perform zone transfers from source port UDP 53.

DNS zone transfer from high ports (above 1024)

A DNS zone transfer from high ports (above 1024) occurs when a client system uses a DNS client application to transfer zones from an internal DNS server. The source port number is a privileged port number (between 1 and 1024), indicating a client process. A DNS zone transfer from a high port indicates that an attacker may be gathering information about the resources in your domain by learning about hosts listed in your resource records.

POP intrusion detection application layer filter

The Post Office Protocol (POP) intrusion detection filter works together with POP3 Server Publishing Rules to intercept and analyze POP3 traffic destined for the internal network. The POP3 application filter checks for POP3 buffer overflow attacks. A POP3 buffer overflow attack occurs when a remote attacker attempts to gain control of a POP3 server by overflowing an internal buffer on the server.

Network Layer Intrusion Detection

ISA Server 2000 can detect a number of network layer intrusions. These include:

All ports scan attack
Well-known port scan attack
IP half scan attack
Land attack
Ping of death attack
UDP bomb attack
Windows out-of-band attack

All ports scan attack

This alert notifies you that an attempt was made to access more than the preconfigured number of ports. You can specify a threshold, indicating the number of ports that can be accessed without triggering this alert.

Enumerated port scan attack

This alert notifies you that an attempt was made to count services running on a computer by probing each port for a response. If this attack is detected, you should check the packet filter logs and identify the source of the port scan. Compare your findings from the packet filter log analysis with services running on the target computer. Check the packet filter, Web Proxy and Firewall service logs for indications of unauthorized access. You should consider the system compromised and take appropriate action if you detect indications of unauthorized access,

Port scanning, in itself, does no harm to your network or system, but it provides hackers with information they can use to penetrate the network.

IP half scan attack

This attack takes place when repeated attempts to connect to a destination computer are made with no corresponding ACK packets. A standard TCP connection is established by sending a SYN packet to the destination computer. If the destination is waiting for a connection on the specified port, it responds with a SYN/ACK packet. The connection is established when the initial sender replies with an ACK packet. If the destination computer is not waiting for a connection on the specified port that it receives the ACK packet, it responds with an RST packet.

Most system logs do not log completed connections until the final ACK packet is received from machine that sent the initial SYN packet. Sending an RST packet instead of the final ACK results in the connection never being established. The connection is not logged because the connection attempt was never fully completed. Because the initial sender can identify whether the destination sent a SYN/ACK or RST packet, an attacker can determine which ports are open for connections, without the destination being aware of the probing.

Log the address from which the scan occurs. If appropriate, configure the ISA Server policy rules or Internet Protocol (IP) packet filters to block traffic from the source of the scans if the ISA Server 2000 firewall detects this attack. You should also consider informing the ISP of the attacker about the attack and forwarding packet filter logs to the ISP when they are requested.

Land attack

This attack takes place when a TCP SYN packet is sent with a spoofed source IP address and port number that matches the destination IP address and port. The Land attack can cause some TCP/IP protocol implementations to go into a loop that crashes the computer. Configure ISA Server 2000 IP packet filters to inhibit traffic from the source of the scans if this alert occurs.

Ping of death attack

This attack takes place when a large amount of information is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet. When the computer attempts to respond, a kernel buffer overflow can result and crash the computer. Create a packet filter that specifically denies incoming ICMP echo request packets from the Internet If this alert occurs,

UDP bomb attack

This attack takes place when someone sends an illegal User Datagram Protocol (UDP) packet. A UDP packet has illegal values in certain fields, and this causes some older operating systems to crash. It is often difficult to determine the cause if the target machine crashes.

Windows out-of-band attack (WinNuke)

The out-of-band (OOB) attack exploits a vulnerability in Microsoft networks. The WinNuke program (and variations such as Sinnerz and Muerte) creates an out-of-band data transmission that crashes the victim machine. A TCP/IP connection is established with the target IP address, using port 139 (the NetBIOS port). Then the program sends data using a flag called MSG_OOB (or Urgent) in the packet header. This flag instructs Windows sockets (Winsock) to send data called out of band data.

Upon receipt, the targeted Windows server expects a pointer to the position in the packet where the Urgent data ends, with normal data following, but the OOB pointer in the packet created by WinNuke points to the end of the frame with no data following. The machine does not know how to handle this and ceases communicating on the network. A WinNuke attack usually requires a reboot of the affected system to reestablish network communications.

ISA Server 2000 Fragment Filtering

All fragmented packets are dropped when ISA Server 2000 filters packet fragments. The “teardrop” attack and its variants involve sending fragmented packets and then reassembling them in such a way that may cause harm to the system. The teardrop attack works a little differently from the Ping of Death, but with similar results. The teardrop program creates IP fragments, which are pieces of an IP packet into which an original packet can be divided as it travels through the Internet. The problem is that the offset fields on these fragments, which are supposed to indicate the portion (in bytes) of the original packet that is contained in the fragment, overlap.

For example, normally two fragments’ offset fields might appear as shown below:

Fragment 1: (offset) 100 – 300

Fragment 2: (offset) 301 – 600

This indicates that the first fragment contains bytes 100 through 300 of the original packet, and the second fragment contains bytes 301 through 600.

Overlapping offset fields would appear something like this:

Fragment 1: (offset) 100 – 300

Fragment 2: (offset) 200 – 400

When the destination computer tries to reassemble these packets, it is unable to do so and may crash, hang or reboot.

Fragment filtering can interfere with streaming audio and video. In addition, L2TP/IPSec connections may not be successfully established because packet fragmentation may take place during certificate exchange. Disable fragment filtering if you have problems with streaming media and IPSec based VPN connections.

ISA Server 2000 Options Filtering

You can configure ISA Server to refuse all packets that have the words "IP Options" in the header. The most problematic options are the source routing options. TCP/IP supports source routing, which is a means to permit the sender of network data to route the packets through a specific point on the network. There are two types of source routing:

· Strict source routing: the sender of the data can specify the exact route (rarely used).

· Loose source record route (LSRR): the sender can specify certain routers (hops) through which the packet must pass.

The source route option in the IP header allows the sender to override routing decisions which are normally made by the routers between the source and destination machines. Network administrators can use source routing to map the network or to troubleshoot routing and communications problems. Source routing can also be used to force traffic through a route providing the best performance. Unfortunately, source routing can be exploited by attackers.

An intruder can use source routing to reach private internal addresses on the LAN that normally are not reachable from the Internet by routing the traffic through another machine that is reachable from both the Internet and the internal machine

ISA Server 2000 Packet Filter Logging

All packets passing through the ISA Server 2000 firewall can be logged to the packet filter log. You can configure which packets are logged:

All dropped packets are logged to the packet filter log by default. Logging is turned off when you disable packet filtering.
You can configure the ISA Server 2000 firewall to disable logging for packets dropped due to deny IP packet filters.
You can configure the ISA Server 2000 firewall to log all packets received at the external interface. All packets passing through ISA Server are logged in the packet filter log when you enable logging of allowed packets.

Logging allowed packets and blocked packets causes a considerable processing load on the server and consumes large amounts of disk space.

Packet filter event messages

These messages refer to events connected to packet filtering in Microsoft Internet Security and Acceleration (ISA) Server.

Message ID	Description
14038	ISA Server packet filter log service could not allocate memory.
14039	ISA Server packet filter logging component cannot obtain the log contents.
14043	Could not create the system-wide packet filter log event.
14044	The packet filter is dropping IP packets.
14046	Packet filter protocol violation.
14086	Insecure configuration detected.
14119	An external interface could not be found for packet filtering.
14120	The ISA Server services could not create a packet filter %1.
14121	The packet filter dial-out interface cannot be rebound.
14122	A packet filter interface could not be bound.
14123	Failed to create the IP packet filter.
14124	Filtering disabled as requested.

Field position	Descriptive name (field name)	Description
1	Date (date)	Date the packet was received.
2	Time (time)	The time the packet was received (service info fields)
3	Source IP (source-ip)	The Internet Protocol (IP) address of the source (remote) computer. The source computer is the computer from which the data packets originated.
4	Destination IP (destination-ip)	The IP address of the destination (local) computer. The destination computer is usually the ISA Server computer.
5	Protocol (protocol)	The particular transport level protocol that is used during the connection, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP).
6	Source port (or protocol type, if ICMP) (param#1)	For TCP and UDP protocols, the remote port used to create a connection. For ICMP protocol, the type used when creating the connection.
7	Destination port (or protocol code, if ICMP) (param#2)	For TCP and UDP protocols, the local port used to create a connection. For ICMP protocol, the code used when creating the connection.
8	TCP flags (tcp-flags)	For a TCP data packet, represents the TCP flag value in the IP header. The possible values are FIN, SYN, RST, PSH, ACK, and URG.
9	Interface (filter-rule)	Indicates whether the packet was accepted (1) or dropped (0). By default, only dropped packets are logged.
10	Interface IP address (interface)	Interface on which the packet was received; usually only one interface.
11	Header (ip-header)	The entire IP header of the data packet that generated the alert event. The IP header is logged in hexadecimal format.
12	Payload (payload)	A listing of a portion of the data packet (after the IP header). The IP packet is logged in hexadecimal format.

Placing ISA Server 2000 on Your Network

The ISA Server 2000 firewall can be the only firewall on your network, or you can integrate ISA Server 2000’s powerful application layer filtering protection with your existing firewall infrastructure. Some of the common ISA Server 2000 network topologies are:

ISA Server 2000 acting as front-end firewall
ISA Server 2000 acting as back-end firewall
ISA Server 2000 acting as front-end and back-end firewalls
ISA Server 2000 acting as application layer filtering gateway in a perimeter network

ISA Server 2000 Front-end Firewall Topology

Smaller organizations or organizations that do not already have a large investment in a current firewall infrastructure may prefer to make the ISA Server 2000 firewall a front-end firewall. The front-end firewall has a network interface on the corporate network and a network interface directly connected to the Internet. All communications into and out of the corporate network are exposed to ISA Server 2000’s deep application layer inspection. The advantages of this configuration include:

All communications into and out of the corporate network are exposed to firewall policy
You only need to learn how to configure the ISA Server 2000 firewall software; this avoids the potential for firewall misconfiguration when multiple vendor firewalls are used
All inbound and outbound access can be controlled on a granular, user or group basis. Users only access the content and servers you want them to access, based on the rules you configure
This configuration is easy to set up and maintainFigure D shows the network topology for the ISA Server 2000 front-end firewall placement.

ISA Server 2000 Back-end Firewall Topology

Organizations that already have an existing firewall infrastructure may prefer to leave the current firewalls in place and put the ISA Server 2000 firewall behind the current firewalls. This topology allows third party firewalls to provide high speed packet filtering (stateful filtering) before forwarding the remaining packets to the application aware ISA Server 2000 firewall. The network between the third party front-end firewalls and the ISA Server is a perimeter network where publicly accessible services can be placed.

The third-party packet filtering firewalls have an interface directly connected to the Internet and an interface connected to a perimeter network between the third-party packet filtering firewalls and the ISA Server 2000 application layer aware firewall. The ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected corporate LAN.

Advantages of this configuration include:

Organizations do not need to perform a major redesign of their current firewall infrastructures
Third party hardware-based firewalls can perform high-speed packet filtering. This offloads packet filtering overhead from the ISA Server 2000 firewall and increases the resources available on the ISA Server 2000 firewall to perform deep application layer inspection
Resources located on the corporate network are protected by the ISA Server 2000 firewall’s enhanced application layer inspection mechanisms
Granular inbound and outbound access control can be done on a user/group basis

ISA Server 2000 Front-end and Back-end Firewalls

The ISA Server 2000 front-end and back-end firewall configuration uses two ISA Server 2000 computers, one as the Internet edge firewall and one as the corporate LAN edge firewall. The front-end ISA Server 2000 firewall has an interface directly connected to the Internet and an interface on the perimeter network between the firewalls. The back-end ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected corporate LAN.

The advantages of this configuration include:

A single firewall system; this reduces the training overhead and the probability of a configuration error
Sophisticated application layer filtering protects hosts on the perimeter network and the corporate network
You can leverage Web Proxy chaining and firewall chaining to significantly increase access control from perimeter network servers and users on the internal network. This prevents attackers from using compromised servers on the perimeter network as a launch point for outbound attacks from the perimeter network
Granular outbound user/group based access control for hosts on both the corporate network and the perimeter network
Excellent support for highly secure VPN passthrough, allowing access to protected resources on the corporate network

Figure F shows the topology for the ISA Server 2000 front-end back-end firewall configuration.

ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network

Some organizations already have an existing firewall infrastructure that includes front-end and back-end firewalls. These organizations have a large investment in their current firewall infrastructures and prefer to leave them intact. You can still leverage ISA Server 2000’s application layer filtering features by making the ISA Server an application layer filtering proxy. This ISA Server 2000 proxy can be placed on the perimeter network between the front-end and back-end third party packet filtering firewalls or you can place the ISA Server 2000 application layer proxy on the corporate network.

Advantages of the application layer filtering proxy configuration include:

The ability to leave the current firewall infrastructure intact; you can “drop in” the ISA Server 2000 application layer filtering proxy virtually anywhere
The third party front-end and back-end packet filtering firewalls can pass packets at high speed while allowing the ISA Server 2000 to provide a very high level of security for communications passed through its application layer inspection mechanisms
A hardened ISA Server 2000 proxy can be placed on the perimeter network segment to reduce the attack surface
In reverse Web Proxy scenarios, the ISA Server 2000 application layer filtering proxy can forward user credentials across the back-end firewall to pre-authenticate remote users

Figure G shows the topology of the application layer filtering proxy configuration.

Configuring ISA Server 2000 Intrusion Detection

ISA Server 2000’s collection of intrusion detection mechanisms allows you to detect and block a number of common attacks. Procedures required to detect intrusion attempts include:

Enabling intrusion detection
Selecting the intrusions to detect
Configuring Alerts to report on the intrusion
Viewing intrusion details in the Event Viewer

The first step is to enable intrusion detection and selecting the intrusions you wish the ISA Server 2000 to intercept. Perform the following steps to enable intrusion detection and select intrusions to detect:

In the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node. Right click on the IP Packet Filters node and click Properties.

In the IP Packet Filter Properties dialog box, place a checkmark in the Enable Intrusion detection checkbox. Click Apply.

Click on the Intrusion Detection tab. Place a checkmark in the checkbox of each intrusion you want the ISA Server 2000 firewall to detect.

For the Detect after attacks on X well-known ports intrusion, enter a value for the number of ports you want scanned before the port scan is interpreted as an intrusion. A well-known port is a TCP or UDP port number in the range of 1-2048. In this example, the number of well-known ports is set to 10. You may want to set the value lower in a high security environment. For example, if an attack scans ports 25, 53, 80 and 110, it indicates a focused scan and you may want to know about this.

For the Detect after attacks on X ports, enter a value for the total number of ports you want scanned before the ISA Server 2000 firewall interprets the port scan as an attack. This represents the total number of ports scanned, not just the well-known ports. A value of 20 is used in this example. You may want to set a lower value if you have a very high security environment.

Warning:

In some circumstances a slow responding DNS server generates a port scan attack. The reason for this is that the state table has timed-out the entry and the ISA Server 2000 firewall does not recognize the response. You should view the packet filter log to confirm that the port scan is not an attack. Slow DNS responses generally do not represent a security risk.

Click Apply and then click OK.

Intrusion detection is now enabled and the ISA Server 2000 firewall will detect and block these attacks. The next step is to configure Alerts so that you will be informed of the attack. Perform the following tasks to configure intrusion detection alerts:

1. In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Monitoring Configuration node and click on the Alerts node. You will see the pre-built ISA Server 2000 Alerts in the right pane.

2. Double click on the Intrusion detected alert. The General tab shows the name of the Alert and describes the purpose of the Alert. Make sure that the Enable checkbox has a checkmark in it.

3. Click on the Events tab. Click the down arrow for the Additional condition drop down list. The default value is to trigger an alert for any intrusion. However, you can select a specific intrusion from the list. This provides a high level of customization for alerts.

For example, you may want to be immediately notified by the first occurrence of a Land attack, but you want multiple occurrences of an All port scan attack to take place before being notified. You can create one Alert for the Land attack and a separate Alert for the Well-known port scan attack.

The options on this tab include:

Event -- Displays a list of events defined by ISA Server. An event is an action that occurs as the result of an exception in ISA Server. An alert notifies you when specified events occur and can be configured to trigger a series of actions as a result of these events.

Addition Condition -- When applicable, displays a list of additional keys for the selected event. An additional key means an additional condition that must be fulfilled in order for the alert to be triggered.

Name of occurrences before the alert is issued -- Specifies a threshold level of how many events should pass before the alert is reissued. If a value is typed in here, and a value is also typed in Number of events per second before the alert is reissued, then both limits must be reached before an alert is reissued.

Number of events per second before the alert is issued -- Specifies whether the alert should be reissued if the specified number of events occur per second. If a value is typed in here, and a value is also typed in Number recurrences before the alert is reissued, then both limits must be reached before an alert is reissued.

Immediately -- Specifies that the action should be executed immediately after the specified conditions occur.

After manual reset of alert -- Specifies that the action should be executed only after the alert is manually reset.

If time since last execution is more than X minutes -- Specifies that the action should be executed again if the specified number of minutes has passed since it was previously executed.

Click Apply and then click OK.

4. Double click on the IP Protocol violation Alert in the right pane of the console. On the General tab, you see a description of the Alert. This Alert is trigged only when you have enabled IP Options filtering. We will demonstrate how to enable IP Options filtering later in this document. Make sure that there is a checkmark in the Enable checkbox.

5. Click on the Events tab. The default values for this alert are:

Number of occurrences before the alert is issued is set to 15.

If time since last execution is more than X minutes is set to 5.

These settings prevent spurious Alert actions from being triggered.

Click Apply and then click OK.

6. Double click on the IP spoofing Alert in the right pane of the console. The General tab includes a description of the Alert. A spoofed packet is a packet that has an invalid IP address as its source address. The ISA Server 2000 firewall interprets a spoofed packet as one that should not be reachable from the external interface. Addresses in the ISA Server 2000 firewall’s Local Address Table (LAT) are not reachable because they must go through the internal interface of the ISA Server 2000 firewall to get to the external interface.

Another example of a spoofed packet is one that has a source address in the loopback range. The loopback range includes any IP address on network ID 127.0.0.1. A common cause for spoofed packets is msblaster related exploits.

Click Apply and then click OK.

Warning:
You can disable spoof detection if you are under a spoofing attack. Please refer to Microsoft KB article 284811 at http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q284811

7. When an Alert meets the specifications on the Events tab, an Alert action is triggered. The Alert action is determined by the settings on the Actions tab. You have the following options on the Actions tab:

Send e-mail -- Specifies whether an e-mail should be sent when the alert conditions are met. Select this option only if an internal Simple Mail Transfer Protocol (SMTP) server can be used to send the e-mail. In order to check whether an SMTP Server is available, click Servers and Arrays, click Name , click Extensions, click Application Filters and then click SMTP Filter and check Server properties.

SMTP server -- Provides a space for you to type the Internet protocol (IP) address or name of the Simple Mail Transfer Protocol (SMTP) server.

To: -- Provides a space for you to type the e-mail address of the recipient.

Cc: -- Provides a space for you to type the e-mail address of the person who receives a copy of the mail.

From: -- Provides a space for you to type the e-mail address of the sender.

Test -- Click to test e-mail facility.

Program -- Specifies whether a program should be executed when the alert conditions are met.

Run this program -- Provides a space for you to type the location and name of the program you want to run. If you are not sure of the program's location or file name, click Browse.

Use this account -- Displays the name of the selected user account or local system account that will be used to run the specified program.

Report to Windows 2000 event log -- Specifies whether the event should be written to the Windows 2000 event log when the alert conditions are met.

Stop selected services -- Specifies whether the selected services should be stopped when the alert conditions are met. If you set the alert actions to start and stop a service, then the service is first stopped and then restarted.

Start selected services -- Specifies whether the selected services, Firewall Proxy and Web Proxy, should be started when the alert conditions are met. If you set the alert actions to start and stop a service, the service is first stopped then restarted.

In this example, we select the Send e-mail option and enter the IP address of an internal network SMTP server. The Alert message is sent to the security administrator and mail administrator. In the From text box we enter an email address for the Alert. This allows the administrators receiving the Alert to configure their Outlook email clients to alert them when the Alert message is sent to them by the ISA Server 2000 firewall.

The Report to Windows 2000 event log option is selected. This allows the alert to appear in the Event logs for later viewing. Both the Stop selected services and Start selected services options are enabled. For both of these selections, click the Select button and select the Firewall option.

In this example, we have configured the Alert to send an email message to the SMTP server on the internal network at 192.168.1.1. The message is send to the firewall administrator’s account and cc:’d to the security administrator’s account.

The event is also reported to the Event log and the firewall service is configured to stop and restart when the attack is detected.

Click Apply and then click OK.

8. Intrusion attempts are logged to the Event logs by default. You can view these by opening the Event Viewer. Click Start, point to All Programs and then point to Administrative Tools. Click Event Viewer. Click the Applications node in the left pane of the Event Viewer. ISA Server 2000 Alerts appears in the right pane when they occur. The Alert below shows the result of a port scan attack.

9. The Event figure below shows an event triggered by a half-scan attack.

10. The event in the figure below shows an Event triggered by a spoof attack. Further investigation of this event demonstrated it was due to an Internet worm.

Configuring ISA Server 2000 Fragment Filtering

A number of Internet attacks are based on fragmenting IP packets and sending them to the machine to be attacked. The goal is to have the fragmented IP packets reassembled by the receiving machine, with the reassembled code causing a service to fail or allow an attacker to take over the target computer. ISA Server 2000 firewalls can stop fragmented packets at the perimeter.

Note:
Some non-attack packets sometimes require fragmenting IP packets. Some streaming media protocols require packet fragmentation to provide the best user experience. In addition, L2TP/IPSec VPN connections require IP packet fragmentation during the certificate exchange process. Try disabling fragment filtering on the ISA Server 2000 firewall if you experience access problems when fragment filtering is enabled.

Perform the following steps to enable fragment filtering:

In the ISA Management console, expand the Servers and Arrays node and then expand the server node. Expand the Access Policy node and right click on the IP Packet Filters node. Click Properties.

In the IP Packet Filters Properties dialog box, click on the Packet Filters tab. Place a checkmark in the Enable filtering of IP fragments.

Click Apply and then click OK.

Configuring ISA Server 2000 Options Filtering

Attackers can use IP Options to compromise your network. For example, the way packets are routed can be changed via an IP Option setting. You can increase the security provided by the ISA Server 2000 firewall by blocking IP Options at the perimeter.

Perform the following steps to enable IP Options filtering:

1. In the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node and right click on the IP Packet Filters node and click Properties.

2. On the IP Packet Filters Properties dialog box, click on the Packet Filters tab. Place a checkmark in the Enable filtering IP options checkbox.

3. Click Apply and then click OK.

Configuring ISA Server 2000 Packet Filter Logging

ISA Server 2000 packet filter logs contain information about packets that were dropped on the external interface of the ISA Server 2000 firewall. All packets not explicitly allowed by a packet filter or publishing rule are dropped. In the rare event that a packet filter is created denying outbound access from the ISA Server 2000 firewall computer itself, the packet filter log will record those packets, too.

Perform the following steps to configure the packet filter logs:

In the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Monitoring Configuration node and click on the Logs node.

Right click the Packet Filters entry in the right pane of the console and click Properties.

The Log tab is the first to appear in the Packet filters Properties dialog box. You can log to either a text file located on the ISA Server 2000 firewall computer or a SQL database located anywhere on the internal network. When you select the File option, a text file containing a record of dropped packets is saved on the ISA Server 2000 firewall computer.

Text logs can be saved in one of two file formats: ISA Server file format or W3C extended log file format. The primary advantage of using the ISA Server file format is that the time field in the log represents the local time. W3C extended log file format uses GMT.

When the File format is selected, you can create a new log file on a Daily, Weekly, Monthly or Yearly basis. Packet filter logs can grow very quickly, so it is usually best to select the Daily format.

Click the Options button. In the Options dialog box you can choose to use the default ISALogs folder (in the ISA Server installation folder) or you can save the logs in an Other folder. Note that you will not be able to create Report Jobs when the log files are not stored in the default location.

The Compress log files option saves the log files using NTFS compression. You must store the log files on an NTFS formatted partition to use this option.

The Limit number of log files option sets the number of log files saved on the ISA Server 2000 firewall computer. You can save disk space on the ISA Server by reducing the number of log files. You can continue to run report jobs on dates for which the log files were removed because the reports are based on log summaries based on the information in the logs.

Click OK after making your selection.

Click the Fields tab. This is where you specify the information you want the packet filter log to save. The default entries provide enough useful information to analyze and troubleshoot most conditions. In certain circumstances, you may wish to log the payload to determine the nature of some communications failures.

Click Apply and then click OK to save your packet filter log settings.

There may be times when you want to log the information for your Allow filters. Allow packet filters allow inbound and outbound access to the external interface of the ISA Server 2000 firewall. Inbound filters are used when you have a application or service running on the ISA Server 2000 firewall itself that you want external users to access. Outbound filters allow outbound access from applications or services running on the ISA Server 2000 firewall itself.

Warning:

You never use packet filters to allow internal network outbound access to the Internet. In addition, you never use packet filters to allow Internet users access to servers on the internal network. Publishing Rules and Protocol Rules control inbound and outbound access into and out of the internal network.

Perform the following steps to allow the ISA Server 2000 firewall to log all packets moving through the external interface:

1. In the ISA Management console, expand the Servers and Arrays node and then expand the server node. Expand the Access Policy node and right click on the IP Packet Filters node. Click Properties.

2. Click on the Packet Filters tab. Place a checkmark in the Log packets from ‘Allow’ filters checkbox.

3. Click Apply and then click OK.

In contrast to the default setting to not log packets from allow packet filters, the default setting for deny filters is to log them. You may wish to not log packets for deny filters if you find that they are causing your log files to grow too quickly and the information in these denied packets provides no useful information.

Note:

ISA Server 2000 firewalls put entries in the packet filter log for packets that are implicitly denied. All packets arriving at the external interface of the ISA Server 2000 are dropped unless there is an explicit packet filter, Protocol Rule or Publishing Rule to support acceptance of the packet. If you find that certain types of packets that are not explicitly denied are filling your packet filter logs, then you can create an explicit deny packet filter for that protocol and then configure the packet filter to not log dropped packets. One example of when you might want to do this is if you find a large number of dropped NetBIOS packets in your packet filter logs.

To demonstrate how to turn logging on and off for deny filters, you will first have to create a deny filter. In general practice, there is usually no need to create a deny filter because all packets not explicitly allowed are blocked. Perform the following steps to create a deny packet filter:

1. In the ISA Management console, expand the Servers and Arrays node and then expand your server name.

2. Enter a name for the packet filter in the IP packet filter name text box on the Welcome to the New IP Packet Filter Wizard page. Click Next.

3. Select the Block packet transmission option on the Filter Mode page.

4. Select the Custom option on the Filter Type page.

5. On the filter settings page, you set the protocol, direction, local port and remote ports for the packet filter. In this example, we create a packet filter to block the primary Kaaza port. Click Next.

6. Select the Default IP addresses for each external interface on the ISA Server computer option on the Local Computer page. Click Next.

7. Select the All remote computers option on the Remote Computers page and click Next.

8. Click Finish on the Completing the New IP Packet Filter Wizard page.

9. Right click the new packet filter in the right pane of the console and click Properties.

10. On the packet filter’s Properties page, click the General tab. Add or remove the checkmark from the Log any packets matching this filter checkbox, depending on whether or not you want to log packets matching this filter.

11. The following lines appear in the packet filter log if you choose to log packets matching this filter:

12/4/2003, 6:53:42, 131.107.1.1, 64.90.168.134, Tcp, 3850, 1214, SYN , BLOCKED, 64.90.59.40, -, -

12/4/2003, 6:53:45, 131.107.1.1, 64.90.168.134, Tcp, 3850, 1214, SYN , BLOCKED, 64.90.59.40, -, -

Summary

Networks are under constant attack from Internet intruders. Hackers can use a variety of methods to compromise the security of your firewall. Internet based attackers have the advantage of being able to work on attacking your network over days, weeks or months. During that interval, Internet attackers leave a trail of evidence that can be used to prevent a successful attack and successfully prosecute the attacker. Firewalls need to be able to detect and prevent application layer attacks such as those based on IP packet fragmenting and DNS protocol exploits. ISA Server 2000 firewalls come with a collection of network and application layer intrusion detection filters that can detect and block common attacks. The intrusion detection filters can also be configured to log the attack in the firewall’s Event log and send a message to the security administrator. In this document, we discussed each of these problems and how the ISA Server 2000 firewall solves them. We then finished up by going through step by step examples of how to configure the ISA Server 2000 firewall to detect common attacks and report them, how to configure the packet filter logs and finally, how to create a packet filter to allow selective reporting for blocked packets.