Managing ISA


Managing ISA Server is as simple as clicking down through the ISA Management Console and seeing what's there. However, each network, even in an SBS environment, is unique, and therefore your management needs may vary from the standard configuration. This section describes some of the changes you may want to implement.

Customize the Dashboard

The Dashboard can be customized to a limited extent. The Dashboard, shown in Figure 24.1, consists of informational displays for the Connectivity Verifier, Services, Alerts, Sessions, and Performance. Most small businesses won't create Connectivity Verifiers because they don't have remote server connections. If you are not using this particular feature, roll up the Connectivity Verifier and leave room on the Dashboard to unroll the more interesting Performance Monitor, as shown in Figure 24.1.

Figure 24.1. ISA Dashboard with rolled-up Connectivity Verifier.


To roll up or unroll an item on the Dashboard, click on the arrow on the right of each section.

Acknowledging Alerts

In Chapter 23, "Internet Security and Acceleration Server 2004 Basics," in the "Administration Delegation" section, the acknowledgment of alerts was left to administrators. When an alert occurs, the administrator needs experience to know whether the alert is significant to the business and, if so, how to react to it. There are two options for handling alerts: reset the alert, which makes it go away entirely, or acknowledge it. Resetting the alert removes the alert. Acknowledging the alert changes its status to acknowledged and removes it from the Dashboard, but leaves it on the Alerts tab for your reference. Acknowledging the alert is the more conservative action to take, because an acknowledged alert can still be referenced while a solution is being sought. After you are finished troubleshooting the acknowledged alert, reset it.

To acknowledge an alert from the Dashboard, right-click on the alert and click Acknowledge All Instances, as shown in Figure 24.2.

Figure 24.2. From the Dashboard, alerts can be reset or acknowledged.


To reset an alert from the Dashboard, right-click on the alert and click Reset. Or if you have previously acknowledged an alert and are now ready to reset that alert, go to the Alerts tab, right-click on the alert, and click Reset, as Figure 24.3 shows.

Figure 24.3. Once acknowledged from the Dashboard the status of the alert also changes on the Alerts tab.


DHCP Spoof Detection

Using a static IP address on all interfaces on the SBS server is preferable. However, many small business owners do not feel that they can afford the extra cost that the ISP charges for Internet service with a static IP address, and so they use DHCP on the external network card. The danger is that your SBS server can be spoofed into accepting an IP address that is offered not by your ISP but by someone attempting to hack your network. DHCP spoofing is a technique whereby a "fake" DHCP server offers SBS an IP address that it would accept if not for DHCP spoof detection. In DHCP spoof detection, ISA keeps a note of the network from which it received a DHCP address. If during the renewal process ISA is offered an address outside the previous network, it rejects the offer. Many commonly used inexpensive PPPoE DSL networks that small businesses use provide addresses from a wide range of networks, so DHCP spoof detection may cause ISA to reject a legitimate offer. To let ISA accept any DHCP offer, simply reset the network card. This can be done in the Alerts task pane after you select the Invalid DHCP Offer alert.
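The renewal check described above, modelled as a small state machine. This is an added illustration and not ISA Server code; the addresses and masks are constructed sample values. It records the network of the last accepted lease, rejects a renewal offer from a different network with an Invalid DHCP Offer result, and accepts any offer again once the adapter is reset.

```javascript
// Constructed model of ISA's DHCP spoof detection (illustration, not ISA code).
// ISA records the network of the lease it obtained; during renewal an offer
// from another network is rejected until the external adapter is reset.

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when both addresses fall in the same network under the given mask.
function sameNetwork(a, b, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(a) & m) >>> 0) === ((ipToInt(b) & m) >>> 0);
}

// One detector per external adapter; it remembers the last accepted lease.
function createSpoofDetector() {
  let lease = null; // { ip, mask } of the last accepted lease, or null after a reset
  return {
    // Called for every DHCP offer, initial or renewal.
    evaluateOffer(offer) {
      if (lease === null || sameNetwork(offer.ip, lease.ip, lease.mask)) {
        lease = { ip: offer.ip, mask: offer.mask };
        return { action: "accept", reason: "offer is on the recorded network" };
      }
      return {
        action: "reject",
        alert: "Invalid DHCP Offer",
        reason: offer.ip + " is outside the network of the recorded lease " + lease.ip,
      };
    },
    // Resetting the network card (Alerts task pane) clears the record,
    // so the next offer from any network is accepted.
    reset() {
      lease = null;
    },
  };
}
```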

Configure a Wireless Access Point

Setting up a wireless access point for employee laptops is a breeze in ISA 2004. With the ISA Server set up and functioning on your network, all the rules governing internal client access to the network apply to your employee laptops as well so long as you connect the wireless access point to the internal side of your server and set up the access point to allow the DHCP server on SBS to assign IP addresses to the clients. This simple wireless network configuration results in your laptops becoming members of the Internal Network group in ISA, and they receive all the access rights associated with that network.

The exact setup instructions vary according to the brand of wireless router you are using, so this chapter describes the procedure in general terms. During the initial setup of most wireless routers, you have the option of choosing Access Point or Wireless Gateway. Choosing Access Point allows the wireless router to provide wireless access to your network from the internal NIC of your server. Client computers connected in this manner have the same access to your network as those using an Ethernet cable. Connect an Ethernet cable to one of the LAN ports on the wireless router and connect the other end of the cable to your network switch or hub. The link light on the port at each end of the cable should come on.

Wireless Network Security

When using a wireless access point, remember that any wireless adapter within reach may attempt to access your network. Set up strong security for your wireless network. Use the strongest security that your client computers will support, with the longest, most complex key available. When configuring a WEP access code, use a complex password as the security key. To be sure that your laptops enjoy the same user experience as "hard-wired" computers on the network, join all laptops to the domain.


If you do not want your laptop computer users to have the same privileges as other computers, you'll need to create reservations in your DHCP server so that your laptop computers are always assigned the same IP address. The next step is to create a network named Wireless Network in ISA and assign your laptops to it. This network can then be added to any ISA Firewall Policy rule, allowing the administrator to control which resources the laptops can access.

Enabling Intrusion Detection

Intrusion detection is one of the things that businesses expect their firewall to do. It is somehow gratifying (and a little frightening) to see the Event Viewer filled with blocked attack attempts. Although no one likes the idea that someone is trying to get in, those events are evidence that ISA really is protecting your network. By default, however, intrusion detection is not enabled.

ISA groups attacks into two major categories: common and DNS. Click on General, and then under Additional Security Policy click on Enable Intrusion Detection; then click on the DNS Attacks tab. Each of the listed attacks is well described by clicking on the question mark in the upper right corner of this dialog box. To enable intrusion detection, move to the Common Attacks tab and check the Enable Intrusion Detection box. As shown in Figure 24.4, check each of the common attack types. When you select Port Scan, the option to set the number of well-known ports scanned and the number of total ports scanned before the alert is triggered becomes active. The defaults are a good place to start. Finally, check the Log Dropped Packets box.

Figure 24.4. ISA intrusion detection common attack types.


Note

False positive all-port scan alerts are known to occur. The most common reason for a false all-port scan alert is a rudely reset session on the remote end. This results in ISA not receiving an acknowledgement that the session has ended, and trailing packets from that session trigger the all-port scan alert. These can be identified by checking whether there is normal traffic from the same IP address earlier in the logs. If so, the alert can be safely discarded.
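The triage rule in the note, applied to log records. This is an added example, not part of the book or of ISA Server; the log lines are constructed, simplified records (time|client IP|action|protocol) and do not follow ISA's actual log format. An all-port-scan alert whose source IP had allowed traffic earlier in the log is marked as a probable trailing-packet false positive; one with no earlier allowed traffic is left for investigation.

```javascript
// Constructed, simplified firewall log (not ISA's real format): time|client IP|action|protocol.
const SAMPLE_LOG = `
2005-03-01 09:12:01|203.0.113.9|Allowed|HTTPS
2005-03-01 09:12:03|203.0.113.9|Allowed|HTTPS
2005-03-01 09:14:30|203.0.113.9|Denied|TCP
2005-03-01 09:20:11|198.51.100.77|Denied|TCP
2005-03-01 09:20:12|198.51.100.77|Denied|TCP
`.trim();

// Constructed all-port-scan alerts as ISA would raise them for these two sources.
const SAMPLE_ALERTS = [
  { time: "2005-03-01 09:14:31", ip: "203.0.113.9", type: "All-port scan" },
  { time: "2005-03-01 09:20:13", ip: "198.51.100.77", type: "All-port scan" },
];

// Treat timestamps as UTC so comparisons do not depend on the machine's zone.
function toEpoch(stamp) {
  return Date.parse(stamp.replace(" ", "T") + "Z");
}

function parseLog(text) {
  return text.split("\n").map((line) => {
    const [time, ip, action, protocol] = line.split("|");
    return { time: toEpoch(time), ip, action, protocol };
  });
}

// "probable false positive" when the alerting IP had Allowed traffic before
// the alert (a session whose trailing packets tripped the detector), otherwise "investigate".
function triagePortScanAlert(entries, alert) {
  const alertTime = toEpoch(alert.time);
  const earlierAllowed = entries.filter(
    (e) => e.ip === alert.ip && e.action === "Allowed" && e.time < alertTime
  );
  if (earlierAllowed.length > 0) {
    return {
      verdict: "probable false positive",
      evidence: earlierAllowed.length + " allowed connections from " + alert.ip + " earlier in the log",
    };
  }
  return { verdict: "investigate", evidence: "no earlier allowed traffic from " + alert.ip };
}

function triageAll(logText, alerts) {
  const entries = parseLog(logText);
  return alerts.map((a) => ({ ...a, ...triagePortScanAlert(entries, a) }));
}
```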


Select the DNS Attacks tab, as shown in Figure 24.5. Check Enable Detection and Filtering of DNS Attacks. Check all attack types except DNS Zone Transfer. The DNS server on your SBS server does not allow zone transfers. The Zone Transfer attack is therefore prevented by the SBS DNS configuration, so it is not necessary to have ISA also look out for this type of attack. The other types of DNS attacks are buffer overflow attacks and could create a denial of service condition. Click OK.

Figure 24.5. ISA intrusion detection of DNS attacks.


In this same section you'll also notice an item called Define IP Preferences, shown in Figure 24.6. In general, these settings should not be changed. Although they at first appear to be additional security settings waiting to be selected, selecting them could have unintended consequences. Filtering IP fragments may interfere with IPSec and L2TP VPN clients, or with streaming multimedia. Routing IP traffic causes the entire packet to be sent to the requested resource, whereas leaving it unchecked causes ISA to send only the data portion of the packet. Although enterprise networks with high volume may choose to modify the default settings, SBS networks in general should have no need to do so.

Figure 24.6. IP filtering options, in general, should not be changed.


Best Practice: Intrusion Detection Effect on Event Logs

Intrusion detection is probably the one thing that people think of when they think about what a firewall is going to do for them. Intrusion detection can be enabled on ISA Server and the resulting blocked packets logged in the Event Viewer. Doing so may give the administrator a heads-up on potential problems, but it also increases the length of your event logs, because the common attacks occur frequently and each blocked packet is now recorded.

So configure your event log size accordingly. By default, the setting is 16MB per log. The blocked packet entries appear in the application event log, so that log's retention size should be doubled to make sure that you aren't overwriting events too quickly.


Setting Up Automatic Detection for the Firewall Client

The Firewall Client can be set up to automatically detect the ISA Server. Doing so resolves the problem with laptop computers that roam between networks and enables them to automatically detect whether they should use the ISA Server. This saves laptop users from having to reconfigure their Internet access when they switch between networks. It also saves the administrator from having to touch each client computer to manually enter the name of the ISA Server into the Configuration tab on the Firewall Client. Configuring automatic detection for the Firewall Client depends on the Firewall Client being able to access information in your DNS server, IIS, and ISA. The configuration for this is significantly different on SBS servers than on other implementations of ISA.

The heart of the automatic detection is a file called WPAD.dat. This file contains the Firewall Client configuration data. WPAD stands for Web Proxy Auto Discovery. When the Firewall Client configuration is set to Automatically Detect the ISA Server, the Firewall Client asks DNS for the location of the WPAD information. DNS points it to the IIS location http://SBS/wpad.dat. The information in this file configures the Firewall Client.
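To show what a WPAD.dat script decides for a client, here is a constructed proxy auto-config (PAC) script. It is an added illustration, not the sbs_wpad.dat file from isatools.org and not the file ISA generates; it only demonstrates the direct-versus-proxy decision a client obtains from http://SBS/wpad.dat. Assumed values: the ISA web proxy listens on SBS:8080 (ISA 2004's default web proxy port), the internal DNS suffix is example.local, and the internal address ranges listed are placeholders for your own.

```javascript
// Constructed PAC-style script (illustration only; not ISA's generated wpad.dat).
// Assumptions: ISA web proxy at SBS:8080, internal DNS suffix example.local,
// and the private ranges below stand in for the real internal network.
const ISA_PROXY = "PROXY SBS:8080";
const INTERNAL_SUFFIX = ".example.local";
const INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["192.168.0.0", "255.255.0.0"],
];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// Plain-JavaScript equivalent of the PAC helper isInNet(host, net, mask).
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function looksLikeIp(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Same entry point a browser or the Firewall Client calls in a PAC script.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Plain host names ("sbs", "printer") resolve on the LAN: connect directly.
  if (h.indexOf(".") === -1) return "DIRECT";
  // Names in the internal DNS zone stay inside the network.
  if (h.endsWith(INTERNAL_SUFFIX)) return "DIRECT";
  // Literal internal addresses are also reached directly.
  if (looksLikeIp(h) && INTERNAL_NETS.some(([net, mask]) => isInNet(h, net, mask))) {
    return "DIRECT";
  }
  // Everything else goes out through ISA. No "; DIRECT" fallback is listed,
  // so a client never tries to bypass the firewall if the proxy is unreachable.
  return ISA_PROXY;
}
```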

The first step is to obtain a WPAD.dat file that is configured for SBS. This can be found at http://isatools.org/sbs_wpad_2.zip. Download the file onto your SBS server and expand it. This gives you two files, wpad.dat and sbs_wpad.txt.

Caution

The sbs_wpad files are currently in beta. Use caution and test your configuration before deploying the files on a production SBS server.


Instructions and current beta status information are also contained in the sbs_wpad.txt file. Read it thoroughly before beginning your implementation, because the directions may change as the beta progresses. Following the beta period, the file and instructions will be moved to the Microsoft Downloads page for ISA at http://www.microsoft.com/isaserver/downloads/2004/default.mspx.




Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253
