It is debatable whether this is really something useful
to alert on. In reality, any system on the Internet is being port-scanned numerous times
each day, and if you do not tweak the alerting for this type of attack you will pick up
false positives in addition to real port scans. It may be better to keep the logs fairly
clear so that when one of the other attack types is detected, it will clearly be visible
in your alerts.
DNS attack detection is also enabled by default, and three types of attacks are
enabled. One important one, zone transfer attack detection, is disabled by default.
If your company does not have DNS servers that should legitimately be making zone
transfers on the external side of the ISA firewall, then by all means enable the zone transfer
attack detection. This type of attack is very dangerous. A malicious party will request
to download the entire zone file from your DNS server, effectively capturing your
entire internal network layout.
Configuring Microsoft Internet Security and Acceleration Server 2006 • Chapter 11 401
This section is moderately helpful in keeping firewall administrators abreast of
potentially malicious events occurring at the perimeter. However, there is not enough
flexibility to configure attack detection to make this a really robust Intrusion Detection
System (IDS). Unfortunately, if you wish to monitor for potential zone transfer attacks
and have DNS servers outside the firewall that are allowed to make zone transfers,
there is no perfect solution for your situation.
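The missing piece described above is a way to exempt legitimate secondaries while still alerting on every other zone transfer request. The Python below is an added example, not part of the original text or of ISA Server: it parses a captured DNS query and flags AXFR/IXFR requests from sources outside an allow-list. The function names, the allow-listed address and the sample queries are assumptions constructed for illustration, and messages are assumed to be DNS payloads with the TCP length prefix already removed.

```python
import ipaddress
import struct

AXFR, IXFR = 252, 251  # DNS QTYPE values for full and incremental zone transfer
# Assumption: secondaries permitted to pull the zone (constructed, RFC 5737 range).
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.0.2.53/32")]

def question_type(message: bytes) -> tuple[str, int]:
    """Return (qname, qtype) of the first question in a DNS query message."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", message[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means response, not query
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("truncated question name")
        length = message[pos]
        pos += 1
        if length == 0:  # root label ends the name
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(message[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(message):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", message[pos:pos + 4])
    return ".".join(labels) + ".", qtype

def classify(src_ip: str, message: bytes) -> str:
    """'ignore' for non-transfer traffic, 'allowed' or 'alert' for transfer requests."""
    try:
        _, qtype = question_type(message)
    except ValueError:
        return "ignore"  # unparseable input is not treated as a transfer request
    if qtype not in (AXFR, IXFR):
        return "ignore"
    src = ipaddress.ip_address(src_ip)
    return "allowed" if any(src in net for net in ALLOWED_SECONDARIES) else "alert"

def build_query(name: str, qtype: int) -> bytes:
    """Constructed sample input: a minimal DNS query for `name` (class IN)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\0"
    return struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```

With this split, only transfer requests from unexpected sources produce alerts, so the legitimate secondary does not have to be traded off against detection.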