Configuring Alerting in ISA Server 2004

By Greg Mulholland

ISA Server alerts are a wonderful tool. How easy it is to be working away, checking joke emails from friends you never talk to anymore, not knowing that your firewall is under attack. Well, not that I am advocating getting wound up in joke emails, but ISA Server firewalls make use of their own monitoring and alert features which can recognize when intrusions or attacks are taking place. The nicest part about this feature is the ability of the ISA firewall to respond to these types of attacks.

Monitoring alerts can be of critical benefit to your organization or network; swift recognition and action are needed to keep problems from escalating.

In ISA 2004, the Monitoring node has a few little features that should be used. The Dashboard is a snapshot of all the monitoring features running. The connectivity and reports tabs can be used to great effect and we won’t ever underestimate the importance or value of logging, will we?

For the purposes of this document we will focus on the Alerts tab. You will notice that on the right-hand side we can configure "alert definitions". I have chosen to define what action should be taken in the case of IP Spoofing as an example. There are a few options. Firstly, as I have demonstrated, I use ISA 2004 to send an alert email to the firewall administrator, in this case me. All you need to do is specify the SMTP server.

I also created a mailbox for firewall_alert@exchange.mine.nu so it looks nice and pretty in my inbox. I recommend testing to see that your alerts will actually be delivered to the person; to do this, hit the Test button. As you can see, via the little Outlook alert in the lower right corner of the screen, mine has worked fine. One further step is to create a firewall rule that allows the Local Host network to send SMTP mail (TCP port 25) to your mail server.
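To check the delivery path independently of the Test button, the following added example (not part of the original article) can be run on the ISA firewall itself. It walks the SMTP dialogue up to RCPT TO and then resets, so a missing Local Host to mail server rule (connection fails) can be told apart from a mail server that rejects the alert mailbox. The server name and sender address are placeholder assumptions; the recipient is the mailbox used above.

```powershell
# Added example: run on the ISA firewall (Local Host network). No message is sent.
param(
    [string]$MailServer = 'mail.example.internal',           # assumption: placeholder server name
    [string]$From       = 'isa@example.internal',             # assumption: placeholder sender
    [string]$To         = 'firewall_alert@exchange.mine.nu'   # alert mailbox from the article
)

function Read-SmtpReply($reader) {
    # Multi-line replies look like "250-..." and end with "250 ..."; return the final line.
    do { $line = $reader.ReadLine() } while ($line -ne $null -and $line -match '^\d{3}-')
    return $line
}

function Send-SmtpCommand($writer, $reader, $command) {
    $writer.WriteLine($command)
    $reply = Read-SmtpReply $reader
    Write-Host ("{0,-45} -> {1}" -f $command, $reply)
    return $reply
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($MailServer, 25)
} catch {
    # Connection failure points at the firewall rule (or name resolution), not the mailbox.
    Write-Host "TCP 25 to $MailServer failed: check the Local Host -> mail server SMTP rule."
    Write-Host $_.Exception.Message
    exit 1
}

$stream = $client.GetStream()
$stream.ReadTimeout = 10000                                   # 10 s per reply
$reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
$writer.NewLine   = "`r`n"                                    # SMTP requires CRLF
$writer.AutoFlush = $true

try {
    Write-Host ("banner -> " + (Read-SmtpReply $reader))
    [void](Send-SmtpCommand $writer $reader "EHLO $env:COMPUTERNAME")
    [void](Send-SmtpCommand $writer $reader "MAIL FROM:<$From>")
    $rcpt = Send-SmtpCommand $writer $reader "RCPT TO:<$To>"
    if ($rcpt -match '^25[01]') { Write-Host "Mail server accepts $To." }
    else { Write-Host "Mail server did not accept $To; check relay and mailbox settings." }
    [void](Send-SmtpCommand $writer $reader 'RSET')           # abandon the transaction
    [void](Send-SmtpCommand $writer $reader 'QUIT')
} finally {
    $client.Close()
}
```

The script uses only .NET socket classes, so it needs PowerShell 2.0 or later but no extra modules.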

As you can see, there are a few other choices: running specified programs, reporting to the Event Logs, and stopping and starting specified services. You will need to determine what sort of action you will perform for each task. Some occur more frequently than others and require special attention.


Author: Greg Mulholland
Email: gmulholland@optusnet.com.au
Published: March 2004

About Greg Mulholland

Greg is an IT/Network specialist working in his home town of Melbourne, Australia. For the last few years he has been involved in the design, testing and implementation of Windows networks. His area of speciality these days is implementing effective ISA Server solutions for SMEs and for public and private schools and colleges.
