Intrusion-Detection Configuration Options
To protect your network, you will also need to know how to configure your ISA Server for intrusion detection. Intrusion detection identifies when an attack is attempted against your network and, when one is detected, performs the actions you have configured for the corresponding alert. To detect potential attacks, ISA Server compares network traffic and log entries against the signatures of well-known attacks; when it finds a match, it triggers an alert. You can configure the actions that ISA Server performs when an alert is triggered, including terminating the connection, stopping a service, sending an e-mail message, writing to the log, and others.
ISA Server also provides built-in application filters that detect intrusions carried in DNS and Post Office Protocol (POP) traffic. The DNS intrusion-detection filter detects the following known DNS exploits:
- DNS host name overflow A DNS host name overflow occurs when a host name in a DNS response exceeds the fixed maximum length of 255 bytes. An application that does not check the length of the host name before copying it can overflow an internal buffer, allowing a remote attacker to execute arbitrary code on the targeted computer. This filter inspects the responses that internal clients receive from external DNS servers.
- DNS length overflow An address (A) record in a DNS response carries a length field for its data, which should be 4 bytes for an IPv4 address. By crafting a response with a larger value in this field, an attacker can overflow internal buffers in some applications that perform DNS lookups, potentially allowing the attacker to execute arbitrary code on the targeted computer. This filter inspects the responses that internal clients receive from external DNS servers.
- DNS zone transfer An attacker requests a zone transfer (the AXFR query type) to obtain a list of every host name in a domain. This filter detects attempts by Internet users to perform a zone transfer from an internal DNS server that is published through ISA Server.
The POP filter intercepts and analyzes POP traffic destined for published servers and checks for POP buffer overflow attacks. In a POP buffer overflow attack, a remote attacker sends oversized input that overflows an internal buffer on the POP server in an attempt to gain root access to it.
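To make the three DNS checks concrete, the following added example (written for this page, not code from ISA Server or from the original text) parses raw RFC 1035 wire-format DNS messages, including compression pointers, and flags the same three conditions the filter looks for: an owner or target host name longer than 255 bytes on the wire, an A record whose RDLENGTH is not 4, and an AXFR (zone transfer) query. The sample messages in `demo()` are constructed inline; the names, record values and the 306-byte host name are assumed test data, not captured traffic.

```python
"""Checks mirroring the three ISA Server DNS intrusion-detection rules.
Constructed example: parses RFC 1035 messages and returns findings (empty = clean)."""
import struct

MAX_NAME = 255            # RFC 1035 limit on a wire-format domain name
QTYPE_A, RTYPE_CNAME, RTYPE_PTR, QTYPE_AXFR = 1, 5, 12, 252


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, next_offset, wire_length)."""
    labels, wire_len, next_off, hops = [], 0, None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            next_off = next_off if next_off is not None else offset + 2
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        wire_len += 1 + length                          # length byte plus label bytes
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), next_off if next_off is not None else offset, wire_len


def inspect_dns(msg: bytes) -> list:
    """Return findings for one DNS message (query or response)."""
    findings = []
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        off = 12
        for _ in range(qd):
            qname, off, _ = read_name(msg, off)
            qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
            off += 4
            if qtype == QTYPE_AXFR:                     # zone-transfer attempt
                findings.append(f"zone transfer (AXFR) requested for {qname}")
        if not flags & 0x8000:                          # a query: nothing more to check
            return findings
        for _ in range(an + ns + ar):
            _owner, off, owner_len = read_name(msg, off)
            rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if owner_len > MAX_NAME:
                findings.append(f"host name overflow: {owner_len}-byte owner name")
            if rtype == QTYPE_A and rdlength != 4:      # length overflow on an address
                findings.append(f"length overflow: A record RDLENGTH={rdlength}, expected 4")
            if rtype in (RTYPE_CNAME, RTYPE_PTR):       # host name carried in RDATA
                _target, _, target_len = read_name(msg, off)
                if target_len > MAX_NAME:
                    findings.append(f"host name overflow: {target_len}-byte name in RDATA")
            off += rdlength
    except (ValueError, struct.error) as exc:
        findings.append(f"malformed message: {exc}")
    return findings


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_message(qname, qtype, answers=(), response=True):
    """Build an uncompressed message; answers are (owner, rtype, rdata) triples."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 if response else 0x0100, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


def demo() -> dict:
    """Constructed samples (assumed test data): one clean response and one message per rule."""
    long_name = ".".join(["a" * 60] * 5)               # 5 x 61 + 1 = 306 bytes on the wire
    samples = {
        "clean": build_message("www.example.com", QTYPE_A,
                               [("www.example.com", QTYPE_A, bytes([192, 0, 2, 10]))]),
        "length_overflow": build_message("www.example.com", QTYPE_A,
                                         [("www.example.com", QTYPE_A, b"\x41" * 64)]),
        "hostname_overflow": build_message("10.2.0.192.in-addr.arpa", RTYPE_PTR,
                                           [("10.2.0.192.in-addr.arpa", RTYPE_PTR, encode_name(long_name))]),
        "zone_transfer": build_message("example.com", QTYPE_AXFR, response=False),
    }
    return {name: inspect_dns(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "clean")
```

Running the module prints one line per sample; only the clean response produces no finding. The same `inspect_dns` function can be pointed at UDP payloads captured on port 53 to see which of the three conditions a real packet would trip.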
IP Preferences Configuration Options
Another option on ISA Server 2004 that you can use to improve security is to configure the IP preferences. IP preferences control how ISA Server handles specific types of IP packets. Configuring IP preferences requires more care than configuring intrusion detection because, in most cases, the packets they block are legitimate packet types that attackers may or may not use, so blocking them can also break normal traffic. You can configure the following IP preferences on ISA Server:
- IP option You can configure ISA Server to refuse all packets that carry IP options in the header, or to drop only packets that carry specific IP options. The IP options most commonly used by attackers are the source routing options. A source route option in the IP header allows the sender to override the routing decisions that are normally made by the routers between the source and destination computers. An attacker can use source routing to reach addresses on the internal network that are normally not reachable from other networks, by routing the traffic through another computer that is reachable from both the other network and the internal network. Because source routing can be used in this way, you should disable source routing on your ISA Server computer.
- IP fragments You can also configure ISA Server to drop all IP fragments. A single IP datagram can be split into multiple smaller datagrams known as IP fragments; when this option is enabled, ISA Server drops every fragmented packet. A common attack that uses IP fragments is the teardrop. In a teardrop attack, multiple IP fragments are sent to a server, but the fragments are crafted so that their offset fields overlap. When the destination computer tries to reassemble them, it cannot do so, and it may fail, stop responding, or restart. Enabling IP fragment filtering can interfere with streaming audio and video. In addition, Layer Two Tunneling Protocol (L2TP) over IPSec connections may fail to be established, because the certificate exchange during IPSec negotiation produces packets large enough to be fragmented.
- IP routing When IP routing is enabled, ISA Server forwards the original network packet from one network to another, while still filtering it. When IP routing is disabled, ISA Server sends only the data (not the original network packet) to the destination, and each packet is passed through the firewall in user mode. Disabling IP routing is more secure, but passing every packet through user mode reduces ISA Server's forwarding performance.
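The IP option and IP fragment preferences above are decisions a firewall makes from the IPv4 header alone, so the following added example (written for this page, not ISA Server code) parses an IPv4 header, walks its options, and applies the same three switches: drop all packets with options, drop only packets carrying the source routing options (LSRR, type 131, and SSRR, type 137), and drop all fragments. It also includes a small reassembly check for the overlapping offsets that characterise a teardrop, which no single fragment reveals on its own. The packets and addresses in `demo()` are constructed test data; the function and parameter names are this example's own.

```python
"""Header-level checks mirroring the ISA Server IP option and IP fragment preferences.
Constructed example; packets are built inline, not captured."""
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137       # record route, loose/strict source route
SOURCE_ROUTE_OPTIONS = frozenset({IPOPT_LSRR, IPOPT_SSRR})


def parse_ipv4(pkt: bytes) -> dict:
    """Return fragment flags/offset and the list of option type numbers in the header."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    version_ihl, _tos, total_len, _id, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    options, off = [], 20
    while off < ihl:                                   # option area follows the fixed header
        opt = pkt[off]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:
            off += 1
            continue
        if off + 1 >= ihl or pkt[off + 1] < 2 or off + pkt[off + 1] > ihl:
            raise ValueError("malformed IP option")
        options.append(opt)
        off += pkt[off + 1]                            # type, length, data...
    return {"more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,
            "payload_len": total_len - ihl,
            "options": options}


def ip_preferences_verdict(pkt, *, drop_all_options=False,
                           denied_options=SOURCE_ROUTE_OPTIONS, drop_fragments=True):
    """Apply the IP option / IP fragment switches; return (verdict, reason)."""
    try:
        h = parse_ipv4(pkt)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if h["options"]:
        if drop_all_options:
            return "drop", f"IP options present: {h['options']}"
        hit = [o for o in h["options"] if o in denied_options]
        if hit:
            return "drop", f"denied IP option(s): {hit}"
    if drop_fragments and (h["more_fragments"] or h["frag_offset"] > 0):
        return "drop", f"fragment (offset={h['frag_offset']}, MF={h['more_fragments']})"
    return "allow", "ok"


def fragments_overlap(frags) -> bool:
    """Teardrop check on (offset, payload_len) pairs of one datagram: True if any two overlap."""
    spans = sorted(frags)
    return any(spans[i][0] < spans[i - 1][0] + spans[i - 1][1] for i in range(1, len(spans)))


def build_ipv4(src, dst, options=b"", payload=b"", flags_frag=0):
    """Build a minimal IPv4 packet (checksum left zero; options padded to 4 bytes)."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])
    ihl_words = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 20 + len(options) + len(payload),
                      0x1234, flags_frag, 64, 17, 0, bytes(src), bytes(dst))
    return hdr + options + payload


def demo() -> dict:
    """Constructed packets (assumed test data) run through the default and strict policies."""
    lan, wan, hop = (10, 0, 0, 5), (203, 0, 113, 7), (198, 51, 100, 9)
    lsrr = bytes([IPOPT_LSRR, 7, 4]) + bytes(hop)      # type, length, pointer, one hop
    rr = bytes([IPOPT_RR, 7, 4]) + bytes(4)             # record route with one empty slot
    samples = {
        "plain": build_ipv4(wan, lan, payload=b"x" * 8),
        "source_routed": build_ipv4(wan, lan, options=lsrr, payload=b"x" * 8),
        "record_route": build_ipv4(wan, lan, options=rr, payload=b"x" * 8),
        "fragment": build_ipv4(wan, lan, payload=b"x" * 8, flags_frag=0x2000),  # MF set
    }
    verdicts = {k: ip_preferences_verdict(v) for k, v in samples.items()}
    verdicts["record_route_drop_all"] = ip_preferences_verdict(samples["record_route"],
                                                               drop_all_options=True)
    verdicts["teardrop"] = fragments_overlap([(0, 24), (16, 24)])     # second starts inside first
    verdicts["fragments_ok"] = fragments_overlap([(0, 24), (24, 24)])
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

With the default policy the record-route packet is allowed and only the source-routed packet and the fragment are dropped; switching to `drop_all_options=True` drops the record-route packet too, which is the trade-off the text describes: the stricter setting also blocks packets that carry harmless options.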