Consider using ISA Server's robust built-in monitoring and reporting functionality
Many third-party companies have built their success upon extending monitoring and reporting functionality for mainstream vendor products. NetIQ's WebTrends, Hewlett-Packard's HP OpenView, and other products extend the feature set of Microsoft's enterprise products. With Microsoft Internet Security and Acceleration (ISA) Server 2000, however, Microsoft has included substantial built-in monitoring and reporting functionality. Third-party reporting and monitoring tools are expensive add-ons, and you might find the internal monitoring capabilities of ISA Server robust and compelling enough to serve your needs. ISA Server's monitoring features comprise built-in and customizable elements that include alerts, logging, and reporting. You can also view real-time information through the Microsoft Management Console (MMC) ISA Management snap-in or through extended Performance Monitor counters. For information about configuring ISA Server, see my Windows 2000 Magazine article "ISA Server: Your Network's Lifeguard," http://www.win2000mag.com, InstantDoc ID 22251.
Although I discuss ISA Server Enterprise Edition installed in an array configuration, much of the monitoring functionality is the same when you install ISA Server in a standalone configuration. The array configuration provides centralized management of multiple ISA servers and integration into Active Directory (AD), features that a standalone installation doesn't support. Also, the examples I include assume that you've installed ISA Server in Integrated mode, which combines the functions of both the Firewall and Caching services. (You can install ISA Server in Caching, Firewall, or Integrated modes. For more information about these modes, see Sean Daily's Windows 2000 Magazine article "Microsoft's Stellar ISA Server," http://www.win2000mag.com, InstantDoc ID 15477.) To take advantage of ODBC logging, you'll need an ODBC-compliant database installed. I describe the ODBC functionality based on using Microsoft SQL Server 2000 and Microsoft Access configurations.
ISA Server Monitoring includes alerts, logs, and report jobs. You access and configure these functions under the Monitoring Configuration node in the ISA Management snap-in. ISA Server monitors for alert conditions on a per-array basis, generates logs for each server, and assembles reports that aggregate the data for the entire array.
Alert! Alert!
Trigger-driven alerts notify you when a significant event occurs on an ISA server. The preinstalled alerts include everything from service failures to detected intrusions. To create a new alert, expand the Monitoring Configuration node, right-click the Alerts folder, select New, then click Alert. Name the alert and select whether a specific ISA server or any server in the array will trigger it. Next, select the event and specify the conditions that trigger the alert. Microsoft includes 45 predefined events, such as Service started, Service shutdown, and Intrusion detected. Conditions are properties of a specific event that let you further define the alert. For example, the Intrusion detected event lets you specify the type of intrusion (e.g., all-port-scan attack, Land attack) as an additional condition.
The ability to use conditions to further specify events is particularly useful in classifying alerts based on your security requirements. For the default installation, Microsoft lumps all intrusion detections into one generically defined alert that writes to the event log. However, I recommend that you create individual alerts and specify particular intrusion detections.
After you create an alert, you choose which actions you want to invoke when events trigger the alert. ISA Server can write to the event log, send an email message, run a program, and start or stop a service. You don't need to install the SMTP service to support sending SMTP messages through an alert. Also, you can run any program under a specified account (the account must have the Log on as a batch job privilege). ISA Server supports starting or stopping only the Firewall, Web Proxy, and Scheduled Content Download services. However, you can create a batch file that runs Net Start and Net Stop commands for additional services. To do so, select the Program check box, which appears in the Actions tab of the event's Properties dialog box, and enter the name of the batch file in the input box to run the batch file.
After you configure an alert, you can open its Properties dialog box to review its settings. In the General tab, you can enable or disable the alert. In the Events tab, you can further define when and how the alert actions should occur. Figure 1 shows some of the fine-tuning options you can choose to configure an alert. Suppose that after you configure a port-scanning alert, the alert fills your event log with notifications. You can then reconfigure the alert to reissue notifications only after the first alert has been manually reset.
Logging Who Went Where
ISA Server logging is adequate; in addition to the proprietary ISA Server log format, ISA Server logging supports World Wide Web Consortium (W3C) extended log-file format logging. (Those of you familiar with Microsoft Internet Information Services (IIS) 5.0 logging will be pleased that ISA Server continues to support W3C extended log-file format logging functionality.) ISA Server supports logging to a text file or to an ODBC-compliant database, and you can control which fields are logged and what content from those fields is recorded. You can configure three different logs independently: the Firewall Service log, the Web Proxy log, and the Packet Filter log. In addition, you can include or exclude any combination of information from the Firewall service, the Web Proxy service, and packet-filtering functions.
The Firewall Service log shows the Firewall client's activity. This log details activity across the ISA Server, including client username, agent, and IP address; application (or service) identification, destination name, IP address, and port; and transactional information such as processing time, cache information, and rule information.
The Web Proxy log details Web-based client activity and includes Web-related fields such as browser type, HTTP commands (e.g., GET), filenames for each object retrieved (e.g., an image, a Web page), content type, and the rule that allowed access.
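Because the W3C extended log-file format declares its own column names in a `#Fields:` directive, the same small parser can read the Web Proxy log and the Firewall Service log regardless of which fields you chose to include. The example below is added here and is not ISA Server's own code or a Microsoft tool: it parses a constructed W3C-format sample (the field set, the client addresses, and the use of HTTP status 403 as the "denied" marker are all assumptions made for illustration; a real ISA log will declare its own fields and may record denials with different status values), then counts denied requests per client and flags clients that cross a threshold, which is the kind of check you might feed back into an alert.

```python
"""Parse W3C extended-format ISA Server text logs and flag noisy clients.

Added example, not ISA Server's own code. The sample log, its field set,
and the choice of status 403 as the denial marker are constructed for
illustration; a real log declares its own columns in #Fields:.
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence

# Constructed sample in W3C extended log-file format. Directive lines
# start with '#', data lines are space-delimited, and '-' means "empty".
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2001-06-11 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri sc-status time-taken
2001-06-11 08:01:02 10.0.0.5 DOMAIN\\alice GET http://intranet/index.html 200 31
2001-06-11 08:01:03 10.0.0.5 DOMAIN\\alice GET http://intranet/logo.gif 200 5
2001-06-11 08:01:10 10.0.0.9 - GET http://blocked.example/ 403 2
2001-06-11 08:01:11 10.0.0.9 - GET http://blocked.example/x 403 1
2001-06-11 08:01:12 10.0.0.9 - GET http://blocked.example/y 403 1
2001-06-11 08:02:00 10.0.0.7 DOMAIN\\bob GET http://intranet/report.htm 200 48
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in #Fields:.

    Column names are taken from the log itself, so the parser works for
    any field selection you configured in ISA Management. A '-' value is
    normalised to an empty string.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A new #Fields: directive replaces the current layout
                # (W3C logs may re-declare fields mid-file).
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) are ignored
        if not fields:
            raise ValueError("data line encountered before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"expected {len(fields)} columns but found {len(values)}: {line!r}"
            )
        records.append(
            {name: ("" if value == "-" else value) for name, value in zip(fields, values)}
        )
    return records


def denied_per_client(
    records: Sequence[Dict[str, str]], denied_status: Sequence[str] = ("403",)
) -> Dict[str, int]:
    """Count requests per client IP whose sc-status is in denied_status.

    Treating 403 as "denied" is an assumption of this example; check the
    status values your own ISA Server writes before relying on it.
    """
    counts = Counter(
        rec["c-ip"] for rec in records if rec.get("sc-status") in denied_status
    )
    return dict(counts)


def noisy_clients(records: Sequence[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Return client IPs with at least `threshold` denied requests, sorted."""
    return sorted(ip for ip, n in denied_per_client(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    print(f"parsed {len(recs)} records")
    for ip, n in sorted(denied_per_client(recs).items()):
        print(f"{ip}: {n} denied")
    print("over threshold:", noisy_clients(recs))
```

On a real server, replace `SAMPLE_LOG.splitlines()` with the lines of a Web Proxy or Firewall Service log file; because the log's own `#Fields:` line drives the column mapping, a log written with a different field selection parses without code changes, and a malformed line fails loudly instead of silently shifting columns.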