You can configure ISA Server to detect common types of network attacks. By default, when you enable intrusion detection, ISA Server writes a message to the Windows 2000 Event Log whenever an attack is detected. You can also configure ISA Server to respond to detected intrusions by sending an e-mail, starting a specified program, and starting or stopping selected ISA Server services.
After this lesson, you will be able to
Describe the types of network attacks that can be detected by ISA Server
Configure ISA Server to detect external network attacks and intrusions
Estimated lesson time: 25 minutes
Intrusion Types and Alerts
ISA Server features intrusion detection, which identifies when an attack is attempted against your network. When an attack (see Figure 4.14) is detected by ISA Server, ISA Server performs a set of configured actions (or alerts). The following events are considered intrusions:
Port scan attack
IP half scan attack
Land attack
Ping of death attack
UDP bomb attack
Windows out-of-band attack
Figure 4.14 Types of attacks detected by ISA Server intrusion detection
Two types of port scan attacks trigger an alert in ISA Server: All Ports Scan Attacks and Enumerated Port Scan Attacks.
All Ports Scan Attack
This alert notifies you that an attempt was made to access more than the preconfigured number of ports. You can specify a threshold, which indicates the number of ports that can be accessed before the alert is generated.
Enumerated Port Scan Attack
This alert notifies you that an attempt was made to count the services running on a computer by probing each port for a response.
If this alert occurs, identify the source of the port scan and compare the scanned ports with the services that are running on the target computer. Also identify the intent of the scan. Check the access logs for indications of unauthorized access. If you do detect indications of unauthorized access, you should consider the system compromised and take appropriate action.
IP Half Scan Attack
This alert notifies you that repeated connection attempts to a destination computer were made and no corresponding ACK (acknowledge) packets were communicated.
A standard TCP connection is established by sending a SYN (synchronize/start) packet to the destination computer. If the destination is waiting for a connection on the specified port, it responds with a SYN/ACK (synchronize/acknowledge) packet. The initial sender replies with an ACK packet, and the connection is established. If the destination computer is not waiting for a connection on the specified port, it responds with an RST (reset) packet.
Most system logs do not log completed connections until the final ACK packet is received from the source. Sending an RST packet instead of the final ACK results in the connection never actually being established, and therefore the connection is not logged. Because the source can identify whether the destination sent a SYN/ACK or RST packet, an attacker can determine exactly which ports are open for connections without the destination being aware of the probing.
If this alert occurs, log the address from which the scan occurs. If appropriate, configure the ISA Server policy rules or IP packet filters to block traffic from the source of the scans.
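The half-open probe sequence just described, as an added detection example that is not part of the lesson or of ISA Server's own code: a small stateful tracker that replays constructed packet records and reports sources that learned a port was open (received SYN/ACK) and then tore the connection down with RST instead of completing the handshake. The addresses, port numbers and threshold are constructed for illustration.

```python
from collections import defaultdict

def detect_half_scans(packets, threshold):
    """Replay (src_ip, src_port, dst_ip, dst_port, flags) records and return
    ({prober: sorted ports found open by half-open probes}, {prober: sorted closed ports}).
    Only probers with at least `threshold` half-open probes are reported."""
    state = {}                     # (src, sport, dst, dport) -> "SYN_SENT" | "SYN_ACK_SEEN"
    half_open = defaultdict(set)   # prober -> ports that answered SYN/ACK and were then reset
    closed = defaultdict(set)      # prober -> ports that answered the SYN with RST
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        reply_of = (dst, dport, src, sport)        # the probe this packet answers, if any
        if flags == "SYN":
            state[key] = "SYN_SENT"                 # new connection attempt
        elif flags == "SYN/ACK" and state.get(reply_of) == "SYN_SENT":
            state[reply_of] = "SYN_ACK_SEEN"        # destination is listening on dport
        elif flags == "RST" and state.get(reply_of) == "SYN_SENT":
            closed[dst].add(sport)                  # destination refused: port closed
            del state[reply_of]
        elif flags == "RST" and state.get(key) == "SYN_ACK_SEEN":
            half_open[src].add(dport)               # prober aborts instead of sending ACK
            del state[key]
        elif flags == "ACK" and state.get(key) == "SYN_ACK_SEEN":
            del state[key]                          # normal three-way handshake, not a probe
    alerts = {s: sorted(p) for s, p in half_open.items() if len(p) >= threshold}
    return alerts, {s: sorted(p) for s, p in closed.items()}

# Constructed packet trace: 203.0.113.7 half-scans 10.0.0.5 (80 and 443 open, 8080 closed);
# 198.51.100.9 is a legitimate client that completes a full handshake to port 80.
SAMPLE_PACKETS = [
    ("203.0.113.7", 40001, "10.0.0.5", 80, "SYN"),
    ("10.0.0.5", 80, "203.0.113.7", 40001, "SYN/ACK"),
    ("203.0.113.7", 40001, "10.0.0.5", 80, "RST"),
    ("203.0.113.7", 40002, "10.0.0.5", 443, "SYN"),
    ("10.0.0.5", 443, "203.0.113.7", 40002, "SYN/ACK"),
    ("203.0.113.7", 40002, "10.0.0.5", 443, "RST"),
    ("203.0.113.7", 40003, "10.0.0.5", 8080, "SYN"),
    ("10.0.0.5", 8080, "203.0.113.7", 40003, "RST"),
    ("198.51.100.9", 50000, "10.0.0.5", 80, "SYN"),
    ("10.0.0.5", 80, "198.51.100.9", 50000, "SYN/ACK"),
    ("198.51.100.9", 50000, "10.0.0.5", 80, "ACK"),
]

if __name__ == "__main__":
    alerts, closed_ports = detect_half_scans(SAMPLE_PACKETS, threshold=2)
    for prober, ports in alerts.items():
        print(f"IP half scan from {prober}: open ports {ports}, closed probes {closed_ports.get(prober)}")
```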
Land Attack
This alert notifies you that a TCP SYN packet was sent with a spoofed source IP address and port number that match those of the destination IP address and port. If the attack is successfully mounted, it can cause some TCP implementations to go into a loop that crashes the computer.
If this alert occurs, configure the ISA Server policy rules or IP packet filters to inhibit traffic from the source of the scans.
Ping of Death Attack
This alert notifies you that a large amount of information was appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet. If the attack is successfully mounted, a kernel buffer overflows when the computer attempts to respond, which crashes the computer.
If this alert occurs, create a protocol rule that specifically denies incoming ICMP echo request packets from the Internet.
UDP Bomb Attack
This alert notifies you that there was an attempt to send an illegal UDP packet. A UDP packet that is constructed with illegal values in certain fields will cause some older operating systems to crash when the packet is received. If the target machine does crash, it is often difficult to determine the cause.
Windows Out-of-Band Attack (WinNuke)
This alert notifies you that there was an out-of-band denial-of-service attack attempted against a computer protected by ISA Server. If mounted successfully, this attack causes the computer to crash or causes a loss of network connectivity on vulnerable computers.
Intrusion detection functionality is based on technology from Internet Security Systems, Inc., Atlanta, Georgia.
Configuring Intrusion Detection
To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Suspicious activities trigger a set of configured actions, or alerts. Actions include connection termination, service termination, e-mail alerts, logging, and running a program of your choice.
To enable this feature, select the Enable Intrusion Detection check box on the IP Packet Filters Properties dialog box, as shown in Figure 4.15.
Figure 4.15 Enabling intrusion detection
ISA Server includes an alert preconfigured for intrusion detection named Intrusion Detected, which is shown in Figure 4.16. By default, when intrusion detection is enabled, this alert writes a message to the Windows 2000 Event Log whenever any intrusion type is detected. You can modify the Intrusion Detected alert to carry out additional responses whenever any intrusion is detected. You can also create a new alert to perform any available alert response when a specific intrusion type is detected. In addition, when configuring port scan alerts, you can configure how many port attacks trigger an alert.
Figure 4.16 The preconfigured alert: Intrusion Detected
Follow these steps to configure intrusion detection:
In the console tree of ISA Management, right-click IP Packet Filters and then click Properties.
On the General tab, select the Enable Packet Filtering check box if it is not already selected, and select the Enable Intrusion Detection check box.
On the Intrusion Detection tab, click the types of attacks that should generate events:
Windows Out-Of-Band (WinNuke)
Land
Ping Of Death
IP Half Scan
UDP Bomb
Port Scan
If you select Port Scan, do the following:
In the Well-Known Ports text box, type the maximum number of well-known ports that can be scanned before generating an event.
In the Ports text box, type the total number of ports that can be scanned before generating an alert.
A well-known port is any port in the range of 0 to 1023.
Practice: Configuring Intrusion Detection on ISA Server
In this exercise, you enable ISA Server to detect all six intrusion types.
To enable intrusion detection for all intrusion types
In ISA Management, navigate to Servers And Arrays, MyArray, Access Policy, IP Packet Filters.
Right-click the IP Packet Filters folder, and click Properties.
The IP Packet Filters Properties dialog box appears.
On the General tab, click the Enable Intrusion Detection check box.
Click the Intrusion Detection tab.
Click the Windows Out-Of-Band (WinNuke), Land, Ping Of Death, IP Half Scan, UDP Bomb, and Port Scan check boxes.
The two Detect After Attacks On text boxes become available.
Leave the default settings in these text boxes and click OK.
Lesson Summary
When you enable intrusion detection on the IP Packet Filters properties dialog box in ISA Management, you can configure ISA Server to detect any of six common network attacks. These attacks include a port scan attack, an IP half scan attack, a land attack, a ping of death attack, a UDP bomb attack, and a Windows-out-of-band (WinNuke) attack. By default, when you enable intrusion detection, ISA Server writes a message to the Windows 2000 Event Log that appears as an alert in Event Viewer whenever one of these six attacks is detected. You can also configure ISA Server to respond to attacks by sending an e-mail to an administrator, by starting a specified program, or by starting or stopping selected ISA Server services.